ging / fiware-idm-deprecated

DEPRECATED - Identity Manager - Keyrock
Apache License 2.0

pep-proxy connection #92

Open joansrios opened 6 years ago

joansrios commented 6 years ago

Hello, I'm trying to deploy the security layer in Orion Context Broker using IdM and PEP Proxy, but I have a problem with the PEP Proxy using docker-compose:

version: "2"
networks:
  fiware:
    driver: bridge
services:
# Orion database
  mongodb:
    image: mongo:3.4.7
    hostname: mongodb
    container_name: mongodb
    expose:
      - "27017"
    ports:
      - "27018:27017"
    command: --smallfiles
    networks:
      - fiware
# GE in charge of publication and subscription
  orion:
    image: fiware/orion:latest
    hostname: orion
    container_name: orion
    links:
      - mongodb
    expose:
      - "1026"
    ports:
      - "1026:1026"
    volumes:
      - "./data/db/mongo:/data/db:rw"
    command: -dbhost mongodb
    networks:
      - fiware
# GE in charge of data persistence
  cygnus:
    image: fiware/cygnus-ngsi:latest
    hostname: cygnus
    container_name: cygnus
    volumes:
      - "./config/cygnus/agent.conf:/opt/apache-flume/conf/agent.conf:rw"
      - "./config/cygnus/grouping_rules.conf:/opt/apache-flume/conf/grouping_rules.conf:rw"
    links:
      - mysql-cygnus
    expose:
      - "5050"
      - "8081"
    ports:
      - "5050:5050"
      - "8081:8081"
    environment:
      - CYGNUS_MYSQL_HOST=mysql-cygnus
      - CYGNUS_MYSQL_PORT=3306
      - CYGNUS_MYSQL_USER=root
      - CYGNUS_MYSQL_PASS=fiware
      - CYGNUS_LOG_LEVEL=INFO
    networks:
      - fiware
# Database for historical data
  mysql-cygnus:
    image: mysql
    hostname: mysql-cygnus
    container_name: mysql-cygnus
    expose:
      - "3306"
    ports:
      - "3306:3306"
    environment:
      - MYSQL_ROOT_PASSWORD=fiware
    volumes:
      - "./data/db/mysql:/var/lib/mysql:rw"
    networks:
      - fiware
# Access control GE
  authzforce:
    image: fiware/authzforce-ce-server:release-5.4.1
    hostname: authzforce
    container_name: authzforce
    expose:
      - "8080"
    ports:
      - "8080:8080"
# GE in charge of security administration
  keyrock:
    image: fiware/idm:latest
    hostname: keyrock
    container_name: keyrock
    volumes:
      - "./config/idm/keystone.db:/keystone/keystone.db:rw"
      - "./config/idm/local_settings.py:/horizon/openstack_dashboard/local/local_settings.py:rw"
      - "./config/idm/keystone.conf:/keystone/etc/keystone.conf:rw"
    links:
      - orion
    expose:
      - "5000"
      - "8000"
    ports:
      - "5000:5000"
      - "8000:8000"
    networks:
      - fiware
# GE in charge of redirection (PEP)
  pepwilma:
    image: ging/fiware-pep-proxy
    hostname: pepwilma
    container_name: pepwilma
    volumes:
      - "./config/pepproxy/config.js:/opt/fiware-pep-proxy/config.js:rw"
    links:
      - keyrock
      - orion
      - authzforce
    volumes_from:
      - keyrock
    expose:
      - "80"
    ports:
      - "80:80"
    networks:
      - fiware

I can't continue because the PEP Proxy shows an error when I make the request to: (without specifying a port)

Using this config.js:

I got this error:

ERROR: Server - Caught exception: SyntaxError: Unexpected token E

Can you share an updated method about how to configure the PEP Proxy?
Thanks to all for your help.

zabuTNT commented 6 years ago

I integrated pep+orion+idm successfully using these slides: https://www.slideshare.net/daltoncezane/integrating-fiware-orion-keyrock-and-wilma (but I don't use "cygnus" and docker-compose for this). I cloned pep-wilma from the repo.

About your pep settings, they appear correct to me. But I use 127.0.0.1 instead of localhost; maybe try to change this.

I'm not a docker-compose expert, but are you sure that linking keyrock with orion, and not with pep, is correct?

keyrock:
....
    links:
        - orion

You should print the message Wilma receives from IdM as a log, to understand where the error is, by editing idm.js in pep-proxy before the JSON parsing:

https://github.com/ging/fiware-pep-proxy/blob/66ae73fdde604eff35398c3b706d2e1f2a4c1f06/lib/idm.js#L80
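As an added illustration of the logging step suggested above (this is example code, not code from fiware-pep-proxy or from either poster), the helper below logs the raw IdM reply before it is parsed and classifies it, so that a non-JSON body is reported instead of surfacing as a bare SyntaxError. It also shows why the error reads "Unexpected token E": a connection failure in Node is reported as a string such as `ECONNREFUSED`, and feeding that string to JSON.parse fails on its first character. The reply shape (`id` plus a `roles` array) and all sample bodies are assumptions constructed for the demo.

```javascript
// Added example, not part of fiware-pep-proxy: inspect the IdM reply before
// JSON.parse so the real cause of a parse error is visible in the log.
// The expected reply shape (id + roles[]) and every sample body are assumed /
// constructed for this demo.

// Return the SyntaxError message JSON.parse produces for a body, or '' if the
// body is valid JSON. "ECONNREFUSED ..." yields an "Unexpected token" message
// because 'E' cannot start a JSON document.
function jsonErrorFor(rawBody) {
  try {
    JSON.parse(rawBody);
    return '';
  } catch (e) {
    return e.message;
  }
}

// Classify one reply from the IdM token-validation endpoint.
//   status  - HTTP status code, or null when no HTTP reply arrived at all
//   rawBody - the body (or the transport error text) as a string
//   log     - sink for the raw body, e.g. console.log (defaults to a no-op)
function parseIdmReply(status, rawBody, log = () => {}) {
  // Log first: this is the step the thread recommends adding in lib/idm.js.
  log(`IdM reply status=${status} body=${JSON.stringify(rawBody)}`);

  if (status === null) {
    // No HTTP reply: rawBody is a Node error code (ECONNREFUSED, ENOTFOUND...).
    return { ok: false, reason: 'transport', detail: rawBody };
  }
  if (status < 200 || status >= 300) {
    return { ok: false, reason: 'http', detail: `status ${status}` };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    // Keep the first characters of the body so an HTML error page or a
    // plain-text message is recognisable in the log.
    return { ok: false, reason: 'not-json', detail: `${e.name}: ${rawBody.slice(0, 40)}` };
  }
  if (typeof parsed.id !== 'string' || !Array.isArray(parsed.roles)) {
    return { ok: false, reason: 'shape', detail: 'missing id or roles' };
  }
  return { ok: true, userId: parsed.id, roles: parsed.roles.map((r) => r.id) };
}

// Constructed sample replies covering the cases a PEP operator meets.
function demo(log = () => {}) {
  const validBody = JSON.stringify({ id: 'alice', roles: [{ id: 'r1', name: 'Provider' }] });
  return {
    refused: parseIdmReply(null, 'ECONNREFUSED 127.0.0.1:5000', log),
    gateway: parseIdmReply(502, 'Bad Gateway', log),
    htmlPage: parseIdmReply(200, '<html><body>Error</body></html>', log),
    valid: parseIdmReply(200, validBody, log),
    whyE: jsonErrorFor('ECONNREFUSED 127.0.0.1:5000'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(console.log));
}
```

Running the file prints each raw body followed by its classification; the `whyE` entry is the parser's own message for the refused-connection string, which is the same family of message the PEP printed in the thread.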

joansrios commented 6 years ago

@zabuTNT yes, I followed those slides, as you can see in the next repository:

and this is my keyrock app:

Although I'm not sure whether the sending URL should be without specifying a port, and my Postman requests are OK.

I will try to follow your suggestion.

joansrios commented 6 years ago

@zabuTNT I got this error:

I will try to install the PEP Proxy outside of the docker-compose file.

zabuTNT commented 6 years ago

If it says Connection Refused, pep and idm can't communicate. Change the hostnames in the pep settings from "localhost" to the "hostname" assigned to your keyrock and orion containers in your docker-compose.

From docker compose docs: https://docs.docker.com/compose/networking/

Each container can now look up the hostname web or db and get back the appropriate container’s IP address. For example, web’s application code could connect to the URL postgres://db:5432 and start using the Postgres database. [...] Within the web container, your connection string to db would look like postgres://db:5432, and from the host machine, the connection string would look like postgres://{DOCKER_IP}:8001.

In fact you already did this for orion and cygnus with the commands/env:

-dbhost mongodb

and

- CYGNUS_MYSQL_HOST=mysql-cygnus

You have to do the same thing in pep settings. Use the hostname, not localhost.
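The point made above (inside a container, `localhost` is the container itself, and other services are reached by their compose service name on a shared network) can be turned into a small preflight check. The block below is an added example, not code from fiware-pep-proxy or from the poster's repository; the compose service list and the PEP config object are constructed for the demo, and the `config.idm` / `config.app` field names are assumed to match Wilma's config.js (only `config.azf` appears in the thread).

```javascript
// Added example, not part of fiware-pep-proxy: lint the hostnames in a PEP
// Proxy config against a docker-compose service list before starting the
// stack. The service list and config below are constructed for the demo;
// the idm/app field names are assumed to match Wilma's config.js.

// Inside a container these names refer to the container itself, never to
// keyrock or orion running in sibling containers.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// A service with no `networks:` key joins compose's `default` network only.
function networksOf(def) {
  if (!def.networks) return ['default'];
  return Array.isArray(def.networks) ? def.networks : Object.keys(def.networks);
}

// Names that Docker's embedded DNS resolves between containers on a shared
// network: the service name and, if set, container_name.
function nameIndex(services) {
  const idx = new Map();
  for (const [svc, def] of Object.entries(services)) {
    idx.set(svc, svc);
    if (def.container_name) idx.set(def.container_name, svc);
  }
  return idx;
}

// Return findings for every upstream the PEP talks to; [] means consistent.
function checkPepHosts(pepConfig, services, pepService) {
  const idx = nameIndex(services);
  const pepNets = new Set(networksOf(services[pepService]));
  const targets = [['idm', pepConfig.idm.host], ['app', pepConfig.app.host]];
  if (pepConfig.azf && pepConfig.azf.enabled) targets.push(['azf', pepConfig.azf.host]);

  const findings = [];
  for (const [section, host] of targets) {
    if (LOOPBACK.has(host)) {
      findings.push(`${section}.host=${host} is the PEP container itself; use the service name`);
      continue;
    }
    const svc = idx.get(host);
    if (!svc) {
      findings.push(`${section}.host=${host} is not a service or container_name in the compose file`);
      continue;
    }
    if (!networksOf(services[svc]).some((n) => pepNets.has(n))) {
      findings.push(`${section}.host=${host} shares no network with ${pepService}`);
    }
  }
  return findings;
}

// Constructed demo data: keyrock/orion/pepwilma on the custom network,
// authzforce left without a networks: key (so it sits on `default`).
const demoServices = {
  keyrock: { container_name: 'keyrock', networks: ['fiware'] },
  orion: { container_name: 'orion', networks: ['fiware'] },
  authzforce: { container_name: 'authzforce' },
  pepwilma: { container_name: 'pepwilma', networks: ['fiware'] },
};
const demoConfig = {
  idm: { host: 'localhost', port: 5000 },
  app: { host: 'orion', port: 1026 },
  azf: { enabled: true, host: 'authzforce', port: 8080 },
};

function demo() {
  return checkPepHosts(demoConfig, demoServices, 'pepwilma');
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of demo()) console.log('WARN', f);
}
```

With the constructed input the check reports two problems: the IdM host is `localhost`, and `authzforce` is not on the `fiware` network the PEP uses. Pointing `idm.host` at `keyrock` and giving authzforce the same `networks:` entry clears both.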

joansrios commented 6 years ago

@zabuTNT I did and got this:

The problem persists, although I think that the communication is ready... now I need to find the authzforce solution, thanks.

zabuTNT commented 6 years ago

@RiosQ yes, it seems that now the connection works.

pep asks keyrock and then AZF.

The response is a 404 from AZF as you can read in pep code: https://github.com/ging/fiware-pep-proxy/blob/ac9532c537f196ee21d0b9375e192ba425027510/controllers/root.js#L56

So it's not a connection issue. I never used it, but from the message it seems that you have to create a domain for the application with that id. Maybe you forgot to create it? Or created it with a different id?

joansrios commented 6 years ago

Sorry for the replies @zabuTNT, but do you have an example without authzforce? In the config.js of pepproxy, when I disable it, it fails:

config.azf = {
    enabled: true,      // TESTS: re-enable
    host: 'authzforce', // use the container name (--link creates the entry in hosts)
    port: 8080,
    path: '/authzforce/domains/',
    custom_policy: undefined, // use undefined to default policy checks (HTTP verb + path).
    protocol: 'http'
};

zabuTNT commented 6 years ago

This is my config in pep for AZF (disabled, default values):

config.azf = {
    enabled: false,
    protocol: 'https',
    host: 'auth.lab.fiware.org',
    port: 6019,
    custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
};

joansrios commented 6 years ago

@zabuTNT thanks man. For some reason, when the authzforce container was present in the docker-compose file, disabling it was not an option, so I only commented out that part.