CILogon Pre-Pilot Work - Jenkins

From PDP/Grid Wiki
Revision as of 13:18, 4 August 2015 by Tamasb@nikhef.nl (talk | contribs) (Created page with "= Introduction = [http://www.cilogon.org/ CILogon] is an open source project used to provide secure access to different services from the grid infrastructure. It uses the [ht...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Introduction

CILogon is an open source project used to provide secure access to different services from the grid infrastructure. It uses the Myproxy OAuth2 flow in order to retrieve client certificates/proxies from a Myproxy Certificate Authority. These retrieved credentials are then meant to be used in the authentication procedure for further interaction with grid services.

AARC is a European research and collaboration project which explores the possible future generation of authentication and authorization methods used in the grid world. CILogon is a candidate AAI component within this project. This document is the starting point of a piloting work on CILogon which will eventually evolve into a larger scale demonstration of the capabilities of this software product.

We used Jenkins together with OpenStack to build an automatically deploying CILogon instance. Jenkins VM Image templates are used to boot VMs with relevant software installed on it, while separate Jenkins jobs are used to carry out different stages of the service deployment. The following sections contain a brief overview of the structure of these Jenkins jobs together with a short description of their function. For more information consult the local jenkins instance.

Myproxy-OAuth2 server

The Myproxy-OAuth2 server, together with the myproxy-server set up as a Certificate Authority is used to provide user certificates for different OAuth2 clients (portals).

		        ---
myproxy-server  --------|  myproxy-server.simpleCA
			|
			|	~ This task sets up the myproxy-server as a Certificate Authority using SimpleCA.
			|	It creates a new self signed CA, a host certificate and a service certificate
			|	(for myrpoxy-server) using the: 'grid-ca-create' 'grid-cert-request' and 
			|	'grid-ca-sign' commands. 
			|
			|
			|  myproxy-server.pam.useradd
			|
			|	~ Adds a local UNIX account that will be used to PAM authentication through the			|
			|	myproxy-server (in this sense myproxy-server becomes an IdP). This will later
			|	be replaced by a more suitable authentication method with an IdP like shib IdP
			|	
			|	~ myproxy-server creates user certificates for users by matching authenticated
			|	users' name against an entry from the grid-mapfile. Therefore, an entry is added
			|	into the grid-mapfile with the name of the newly created user.
			|
			|
			|  myproxy-server.restart
			|
			|	~ Restarts the myproxy-server
			|
			---


		        ---
myproxy-oauth2  --------|  myproxy-oauth2.prerequisites
			| 
			|	~ Sets up the local environment in which the cilogon server will be run:	 
			|	  - set up SSL in tomcat
			|	  - install java 1.8
			|	  - install java mail
			|	  - install jsse and globus-ssl-proxies (jglobus-core)
			|
			| 
			|  myproxy-oauth2.deploy
			|
			|	~ Downloads the latest tagged version of the CILogon oauth2 server and copies the
			| 	oauth2.war into the tomcat container
			|
			|
			|  myproxy-oauth2.configure 
			|
			|	~ Configures the oauth2 server with a simple setup using file storage as backend.
			|	Every relevant server information is kept under /usr/www/server
			|  
			| 
			|  myproxy-oauth2.restart
			|
			|  	~ Restarts tomcat
			|
			---

		
			   myproxy-oauth2.approve-clients

				~ Automatically approves every pending client registration request.

Shibboleth IdP

We used a machine template configured with Shibboleth IdP v3 and Tomcat 7. The machine template installs both shibboleth IdP and tomcat in their default location and takes care of having the right environmental variables set. The jobs used below are meant to be used with this template to further configure the IdP.

		        ---
shibboleth.idp  --------|  shibboleth.idp.setup
			|
			|	~ This task is meant to configure an already installed shibboleth + tomcat node by:
			|	
			|	~ It creates a hostcert/hostkey pair and configures tomcat to use this for enabling
			|	  SSL on port 443.
			|
			|	~ Configure shibboleth attribute release (attribute-release.xml) with a set of attributes
			|         definitions (eduPersonPrincipalName,uid,cn,mail)
			|
			|	~ Configure shibboleth attribute filter (attribute-filter.xml) to release the attributes
			|	  defined above to any SP.
			|	
			|
			|  shibboleth.idp.ldap.setup
			|
			|	~ Installs and configures OpenLDAP 
			|	
			|	~ Configures LDAP to be used as backend for the IdP by filling in the shibboleth LDAP 
			|	  configuration file (ldap.properties)
			|
			|	~ Loads relevant LDAP schemas (including eduPerson 201310)
			|
			|
			|   shibboleth.idp.ldap.add-user
			|
			|	~ Adds a dummy user account for testing into LDAP. Makes sure that the dummy account has every
			|	  relevant field which is required later on by the shibboleth attribute-releas.xml (uid,cn,mail)
			|
			|
			|   shibboleth.idp.restart
			|
			|	~ Restarts the shibboleth IdP service container (tomcat)
			|
			---

			    shibboleth.idp.register-metadata

				~ Automatically discover the Shibboleth SP running insinde Jenkins and registers its metadata