new approach for trust #745

Merged
merged 18 commits into from
Oct 2, 2023
3 changes: 3 additions & 0 deletions CHANGES_NEXT_RELEASE
@@ -1,3 +1,6 @@
- Add: new approach to handle trust auth (urbo-deployer#868)
- Remove: field "authentication" support in update action
- Remove: config.authentication (along with related env vars PERSEO_AUTHENTICATION_*)
- Add: allow use expandVar with JSON objects (#703)
- Add: apply expandVar with JSON.parse to all fields of all actions (sms, smpp, email, post, update) (#746)
- Fix: check domain before access domain
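Review bot: the entries record the removal of `config.authentication` and the `PERSEO_AUTHENTICATION_*` env vars but say nothing about the replacement, so an operator reading the release notes has no pointer to the new `configTrust.js` file introduced in this PR. Suggest extending the first line, e.g. `- Add: new approach to handle trust auth, trusts are now declared in configTrust.js (urbo-deployer#868)`, so the upgrade path is visible from the changelog alone.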
5 changes: 0 additions & 5 deletions bin/perseo
@@ -102,11 +102,6 @@ function loadConfiguration() {
'PERSEO_NOTICES_PATH',
'PERSEO_RULES_PATH',
'PERSEO_CAST_TYPES',
'PERSEO_AUTHENTICATION_HOST',
'PERSEO_AUTHENTICATION_PORT',
'PERSEO_AUTHENTICATION_USER',
'PERSEO_AUTHENTICATION_PASSWORD',
'PERSEO_AUTHENTICATION_SERVICE',
'PERSEO_MAX_RULES_BY_CORR',
'PERSEO_CHECK_NON_SIGNAL_BY_API'
];
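Review bot: dropping the five `PERSEO_AUTHENTICATION_*` names from this list means a deployment that still exports them will have them silently ignored after upgrade, and no replacement variable for the trust credentials is added here. Suggest either keeping them in a deprecated list that logs a warning when any is set, or adding env vars for the credentials that `configTrust.js` now carries in plain text, so deployments are not forced to keep passwords in a checked-in file.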
11 changes: 0 additions & 11 deletions config.js
@@ -157,17 +157,6 @@ config.pep = {
URL: 'http://pep-endpoint:1026'
};

/**
* Authorization endpoint
*/
config.authentication = {
host: 'keystone',
port: '5001',
user: 'user',
password: 'password',
service: 'admin_domain'
};

/**
* Collections
* @type {String}
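Review bot: removing `config.authentication` also removes the only place in `config.js` that documented where the IdM endpoint lives; nothing left here tells a reader that trusts moved to `configTrust.js`. Suggest leaving a short comment in place of the removed block (e.g. `/* Trust credentials are configured in configTrust.js */`) so the two files reference each other.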
25 changes: 25 additions & 0 deletions configTrust.js
@@ -0,0 +1,25 @@
'use strict';

/**
* List of pre-configured trusts
*/
var configTrust = {};

configTrust.trusts = [
{
host: 'keystone',
port: '5001',
id: 'trust1',
user: 'user1',
password: 'password',
service: 'domain1'
},
{
host: 'keystone',
port: '5001',
id: 'trust2',
user: 'user2',
password: 'password2',
service: 'domain2'
}
];
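Review bot: the hunk is the whole 25-line file and it never exports `configTrust`, so `require('./configTrust')` will return an empty object and every trust lookup by `id` will fail; add `module.exports = configTrust;` at the end. Two smaller points: `port` is the string `'5001'` while the documentation example removed in `plain_rules.md` used the number `5001`, so pick one type and validate it on load; and the file ships sample passwords (`'password'`, `'password2'`) with no env-var override anywhere in this PR, so the header comment should at least state that real deployments must replace these values and keep the file out of version control.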
30 changes: 14 additions & 16 deletions docs/API/plain_rules.md
@@ -396,23 +396,21 @@ the Perseo configuration). The `parameters` map includes the following fields:
- UPDATE: update attributes, asumming they exist (otherwise the update operation fails at CB)
- DELETE: delete attributes (or the entity itself if the attributes list is empty)
- trust: optional, trust for getting an access token from Auth Server which can be used to get to a Context Broker
behind a PEP. A trust is a way of Keystone to allow an user (trustor) delegates a role to another user (trustee) for
a subservice. Complete info could be found at:
- [Trusts concept](https://docs.openstack.org/keystone/stein/user/trusts)
- [Trusts API](https://docs.openstack.org/keystone/stein/api_curl_examples.html#post-v3-os-trust-trusts)
- [Trust token flow example](./trust_token.md)
- authentication: optional, authentication (host, port, user, password and service) configuration values that will be
used by updateAction rule (instead of default authentication defined by configuration) which will be used when a
trust token should be negotiated. i.e.:
```json
"authentication": {
"host": "ext-keystone",
"port": 5001,
"user": "mycepuser",
"password": "myceppassword",
"service": "mycepuserservice"
}
behind a PEP. This trust is indexed by `id` in a configuration file named configTrust.js which has the following
format which describe full client credentials including idm endpoint:

```
configTrust.trusts = [
{
host: 'keystone',
port: '5001',
id: 'trust1',
user: 'user1',
password: 'password',
service: 'domain1'
}
```

- service: optional, service that will be used by updateAction rule instead of current event service. In this case,
externalCBUrl or configured Orion PEP URL will be used instead of Orion URL, and then no token for auth will be
negotiated.
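Review bot: the new example block is not valid, the array opened with `configTrust.trusts = [` is never closed (missing `];`), and the fence lost the language tag the replaced block had (```json); since the content is JavaScript it should be ```js. The sentence "This trust is indexed by `id` in a configuration file named configTrust.js which has the following format which describe full client credentials" also reads awkwardly; suggest "The trust is looked up by its `id` in the `configTrust.js` configuration file, whose entries describe the full client credentials, including the IdM endpoint:". Finally, `asumming` in the UPDATE context line is a pre-existing typo (`assuming`) worth fixing while this block is touched.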
102 changes: 0 additions & 102 deletions docs/API/trust_token.md

This file was deleted.
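Review bot: the only visible link to this file (`[Trust token flow example](./trust_token.md)`) is removed in the `plain_rules.md` hunk, but the deletion is shown without content, so please confirm no other docs page or navigation index still references `trust_token.md` before merging.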
