CILogon Pre-Pilot Work - Jenkins
Introduction
We used Jenkins together with OpenStack to build an automatically deploying CILogon instance. Jenkins VM Image templates are used to boot VMs with relevant software installed on it, while separate Jenkins jobs are used to carry out different stages of the service deployment. The following sections contain a brief overview of the structure of these Jenkins jobs together with a short description of their function. For more information consult the local jenkins instance.
Myproxy-OAuth2 server
The Myproxy-OAuth2 server, together with the myproxy-server set up as a Certificate Authority is used to provide user certificates for different OAuth2 clients (portals).
--- myproxy-server --------| myproxy-server.simpleCA | | ~ This task sets up the myproxy-server as a Certificate Authority using SimpleCA. | It creates a new self signed CA, a host certificate and a service certificate | (for myrpoxy-server) using the: 'grid-ca-create' 'grid-cert-request' and | 'grid-ca-sign' commands. | | | myproxy-server.pam.useradd | | ~ Adds a local UNIX account that will be used to PAM authentication through the | | myproxy-server (in this sense myproxy-server becomes an IdP). This will later | be replaced by a more suitable authentication method with an IdP like shib IdP | | ~ myproxy-server creates user certificates for users by matching authenticated | users' name against an entry from the grid-mapfile. Therefore, an entry is added | into the grid-mapfile with the name of the newly created user. | | | myproxy-server.restart | | ~ Restarts the myproxy-server | --- --- myproxy-oauth2 --------| myproxy-oauth2.prerequisites | | ~ Sets up the local environment in which the cilogon server will be run: | - set up SSL in tomcat | - install java 1.8 | - install java mail | - install jsse and globus-ssl-proxies (jglobus-core) | | | myproxy-oauth2.deploy | | ~ Downloads the latest tagged version of the CILogon oauth2 server and copies the | oauth2.war into the tomcat container | | | myproxy-oauth2.configure | | ~ Configures the oauth2 server with a simple setup using file storage as backend. | Every relevant server information is kept under /usr/www/server | | | myproxy-oauth2.restart | | ~ Restarts tomcat | --- myproxy-oauth2.approve-clients ~ Automatically approves every pending client registration request.
Shibboleth IdP
We used a machine template configured with Shibboleth IdP v3 and Tomcat 7. The machine template installs both shibboleth IdP and tomcat in their default location and takes care of having the right environmental variables set. The jobs used below are meant to be used with this template to further configure the IdP.
--- shibboleth.idp --------| shibboleth.idp.setup | | ~ This task is meant to configure an already installed shibboleth + tomcat node by: | | ~ It creates a hostcert/hostkey pair and configures tomcat to use this for enabling | SSL on port 443. | | ~ Configure shibboleth attribute release (attribute-release.xml) with a set of attributes | definitions (eduPersonPrincipalName,uid,cn,mail) | | ~ Configure shibboleth attribute filter (attribute-filter.xml) to release the attributes | defined above to any SP. | | | shibboleth.idp.ldap.setup | | ~ Installs and configures OpenLDAP | | ~ Configures LDAP to be used as backend for the IdP by filling in the shibboleth LDAP | configuration file (ldap.properties) | | ~ Loads relevant LDAP schemas (including eduPerson 201310) | | | shibboleth.idp.ldap.add-user | | ~ Adds a dummy user account for testing into LDAP. Makes sure that the dummy account has every | relevant field which is required later on by the shibboleth attribute-releas.xml (uid,cn,mail) | | | shibboleth.idp.restart | | ~ Restarts the shibboleth IdP service container (tomcat) | --- shibboleth.idp.register-metadata ~ Automatically discover the Shibboleth SP running insinde Jenkins and registers its metadata