*** Settings ***
Documentation       Test suite: Authentication Support for Keystone
...                 This feature implements user management for the ODL NBI REST APIs integrated with OpenStack, so that the authentication functionality provided by Keystone can be used. This allows the ODL NBI REST APIs to be consumed with the same authentication procedures as any OpenStack project, such as Nova or Neutron, bringing the benefits of a centralized, unified user management framework.
...                 As a first step, it shall be possible to authenticate users against Keystone with the passwords provided by the users.
Suite Teardown      Cleanup Suite
Library             OperatingSystem
Library             RequestsLibrary
Library             SSHLibrary
Resource            ../../../libraries/Utils.robot
Resource            ../../../libraries/TemplatedRequests.robot
Resource            ../../../libraries/KarafKeywords.robot
Resource            ../../../libraries/ClusterManagement.robot
Resource            ../../../variables/Variables.robot
Resource            ../../../libraries/AAA/DockerKeystone.robot
*** Test Cases ***
Successful Authentication Including Domain
    [Documentation]    *Test Case: Successful Authentication with user@domain/password credentials*
    ...    - Create an HTTP session with ODL as "sdnadmin" user in "sdn" domain
    ...    - Check that access to the ODL NBI URLs is allowed because "sdnadmin" is associated to domain "sdn" in Keystone and the provided password is the right one
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_SDN_DOMAIN}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    /restconf/operations/aaa-cert-rpc:getODLCertificate    headers=${HEADERS}
    Log    ${resp}\n${resp.headers}\n${resp.content}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}
Successful Authentication Without Domain
    [Documentation]    *Test Case: Successful Authentication with user/password credentials. No domain included*
    ...    - Create an HTTP session with ODL as "CSC_user" user without specifying any domain, so domain "Default" is assumed
    ...    - Check that access to the ODL NBI URLs is allowed because "CSC_user" is associated to domain "Default" in Keystone and the provided password is the right one
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_CSC_SDN}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    /restconf/operations/aaa-cert-rpc:getODLCertificate    headers=${HEADERS}
    Log    ${resp}\n${resp.headers}\n${resp.content}
    Should Contain    ${ALLOWED_STATUS_CODES}    ${resp.status_code}
Unsuccessful Authentication Wrong User
    [Documentation]    *Test Case: Unsuccessful Authentication with wrong user/password credentials*
    ...    - Create an HTTP session with ODL as an invalid user
    ...    - Check that access to the ODL NBI URLs is NOT allowed because "invaliduser" does not exist in Keystone
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_INVALID}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    /restconf/operations/aaa-cert-rpc:getODLCertificate    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
Unsuccessful Authentication Without Domain
    [Documentation]    *Test Case: Unsuccessful Authentication without domain*
    ...    - Create an HTTP session with ODL as "sdnadmin" user without specifying any domain, so domain "Default" is assumed
    ...    - Check that access to the ODL NBI URLs is NOT allowed because "sdnadmin" is not associated to domain "Default" in Keystone but to "sdn", which is not included in the credentials
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_SDN}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    /restconf/operations/aaa-cert-rpc:getODLCertificate    headers=${HEADERS}
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
Unsuccessful Authentication Wrong Domain
    [Documentation]    *Test Case: Unsuccessful Authentication with wrong domain*
    ...    - Create an HTTP session with ODL as "sdnadmin" user with "wrong" as domain
    ...    - Check that access to the ODL NBI URLs is NOT allowed because "sdnadmin" is not associated to domain "wrong" in Keystone but to "sdn"
    ...    Note: for troubleshooting purposes, the nginx and uwsgi logs of the Keystone container are also dumped
    Create Session    session    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH_SDN_WRONG_DOM}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Post Request    session    /restconf/operations/aaa-cert-rpc:getODLCertificate    headers=${HEADERS}
    ${output}    SSHLibrary.Execute Command    docker exec -t keystone bash -c "cat /var/log/nginx-access.log"
    ${output}    SSHLibrary.Execute Command    docker exec -t keystone bash -c "cat /var/log/uwsgi-keystone-admin.log"
    ${output}    SSHLibrary.Execute Command    docker exec -t keystone bash -c "cat /var/log/nginx-error.log"
    ${output}    SSHLibrary.Execute Command    docker exec -t keystone bash -c "cat /var/log/uwsgi-keystone-public.log"
    Should Contain    ${UNAUTHORIZED_STATUS_CODES}    ${resp.status_code}
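# Added example, not part of the OpenDaylight test suite nor of the KeystoneAuthRealm code: a Python model of the
# credential handling the five test cases above exercise. It builds the Basic credential a session sends, splits
# user@domain (falling back to "Default" when no domain is given), shapes the Keystone v3 password-token request
# and evaluates it against a constructed user store, so the reason each case is allowed or rejected can be seen
# offline. The user store, the passwords and all function names are assumptions of the example.

```python
"""Model of the user@domain credential handling exercised by the test cases above.

Added example; not code from the OpenDaylight test suite or the
KeystoneAuthRealm implementation. The user store, the passwords and the
function names are constructed for this example.
"""
import base64
from typing import Dict, Tuple

# Constructed Keystone user store, mirroring the suite's provisioning:
# (domain name, user name) -> password. "sdnadmin" lives in domain "sdn",
# "CSC_user" in domain "Default". The passwords are placeholders.
KEYSTONE_USERS: Dict[Tuple[str, str], str] = {
    ("sdn", "sdnadmin"): "sdnadmin-password",
    ("Default", "CSC_user"): "csc-password",
}

# Domain assumed when the credential carries no "@domain" suffix.
DEFAULT_DOMAIN = "Default"


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value a RequestsLibrary session sends for auth=(user, pw)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def split_user_domain(username: str) -> Tuple[str, str]:
    """Split 'user@domain' into (user, domain); without '@' the Default domain is used."""
    if "@" in username:
        user, domain = username.rsplit("@", 1)
        return user, domain
    return username, DEFAULT_DOMAIN


def keystone_token_request(username: str, password: str) -> dict:
    """Body of POST /v3/auth/tokens: password auth for a user named within a domain."""
    user, domain = split_user_domain(username)
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user,
                        "domain": {"name": domain},
                        "password": password,
                    }
                },
            }
        }
    }


def fake_keystone(body: dict) -> int:
    """Simplified Keystone: 201 Created when (domain, user, password) match, else 401."""
    user = body["auth"]["identity"]["password"]["user"]
    key = (user["domain"]["name"], user["name"])
    return 201 if KEYSTONE_USERS.get(key) == user["password"] else 401


def realm_authenticate(authorization: str) -> int:
    """Decode the Basic credential, ask Keystone, map the answer to the NBI status code."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme != "Basic":
        return 401
    username, _, password = base64.b64decode(encoded).decode().partition(":")
    return 200 if fake_keystone(keystone_token_request(username, password)) == 201 else 401


# Constructed credentials matching the five test cases of the suite.
CASES = {
    "user@domain ok": ("sdnadmin@sdn", "sdnadmin-password"),
    "user in Default ok": ("CSC_user", "csc-password"),
    "invalid user": ("invaliduser", "anything"),
    "sdnadmin without domain": ("sdnadmin", "sdnadmin-password"),
    "sdnadmin wrong domain": ("sdnadmin@wrong", "sdnadmin-password"),
}


def run_cases() -> Dict[str, int]:
    """Status code the NBI would return for each constructed case."""
    return {name: realm_authenticate(basic_auth_header(u, p)) for name, (u, p) in CASES.items()}


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(f"{name:25s} -> {status}")
```

# The two rejected "sdnadmin" cases fail for the same reason: Keystone v3 identifies a user by name only within a
# domain, so the same name and password looked up in "Default" or "wrong" simply matches no user.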
*** Keywords ***
    [Documentation]    The steps included in the Initialization phase are:
    ...    - Run Docker Keystone: deploy a container running Keystone in the TOOLS SYSTEM node
    ...    - Configure AAA in Controller: shiro.ini is modified to add the new authentication realm based on Keystone
    ...    - Restart Controller: needed in order to activate the new shiro.ini configuration
    ...    - Provision Keystone: populate the Keystone database with the needed domain, users and roles
    ...    - Install the Keystone certificate into ODL so that the ODL-Keystone communication uses HTTPS with server certificate authentication
    ${TOOLS_SYSTEM_NAME}    Run Command On Remote System    ${TOOLS_SYSTEM_IP}    hostname -f    user=${TOOLS_SYSTEM_USER}    password=${TOOLS_SYSTEM_PASSWORD}
    Configure AAA In Controller    ${TOOLS_SYSTEM_NAME}
    Set Suite Variable    ${PUT_KEYSTONE_CERT_FILE}    ${CURDIR}/../../../variables/aaa/put-keystone-cert.json
    Set Keystone Certificate into ODL    ${PUT_KEYSTONE_CERT_FILE}    ${TOOLS_SYSTEM_NAME}
Cleanup Suite
    [Documentation]    Remove the Keystone domain created by the suite and destroy the Keystone container
    Set Domain To False    ${domain}    ${HEADERS_TOKEN}
    Delete Keystone Domain    ${domain}    ${HEADERS_TOKEN}
    Destroy Docker Keystone
Configure AAA In Controller
    [Arguments]    ${TOOLS_SYSTEM_NAME}
    [Documentation]    This keyword modifies shiro.ini and aaa-cert-config.xml to configure the Keystone authentication realm over TLS 1.2 with verification of the Keystone server certificate. The resulting settings are:
    ...    keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
    ...    keystoneAuthRealm.url = https://sandbox-29591-30-docker-0:35357
    ...    keystoneAuthRealm.sslVerification = true
    ...    securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm
    ...    - aaa-cert-config.xml:
    ...    <use-config>true</use-config>
    ...    <tls-protocols>TLSv1.2</tls-protocols>
    ...    The /operations/aaa-cert-rpc rule is also deleted from shiro.ini, so that the getODLCertificate RPC used by the test cases is subject only to the realm authentication.
    ${shiro_path}    Run Command On Controller    cmd=cd /;find /|grep shiro.ini|grep etc|grep -v denied
    ${cert_path}    Run Command On Controller    cmd=cd /;find /|grep aaa-cert-config.xml|grep etc|grep -v denied
    # sed -i rather than -ie: with -ie GNU sed treats "e" as a backup suffix and leaves a stray copy in etc
    ${result}    Run Command On Controller    cmd=sed -i 's/#keystoneAuthRealm =.*/keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm/g' ${shiro_path}
    ${result}    Run Command On Controller    cmd=sed -i 's/#keystoneAuthRealm.url =.*/keystoneAuthRealm.url = https:\\/\\/${TOOLS_SYSTEM_NAME}:35357/g' ${shiro_path}
    ${result}    Run Command On Controller    cmd=sed -i 's/securityManager.realms =.*/securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm/g' ${shiro_path}
    # sslVerification=true makes ODL validate the Keystone certificate installed later in the suite; the realm URL must therefore use the hostname the certificate was issued for
    ${result}    Run Command On Controller    cmd=sed -i 's/#keystoneAuthRealm.sslVerification =.*/keystoneAuthRealm.sslVerification = true/g' ${shiro_path}
    ${result}    Run Command On Controller    cmd=sed -i '/^\\/operations\\/aaa-cert-rpc/d' ${shiro_path}
    ${result}    Run Command On Controller    cmd=sed -i 's/<use-config>.*/<use-config>true<\\/use-config>/g' ${cert_path}
    ${result}    Run Command On Controller    cmd=sed -i 's/<tls-protocols.*/<tls-protocols>TLSv1.2<\\/tls-protocols>/g' ${cert_path}
    ${result}    Run Command On Controller    cmd=cat ${shiro_path}
    ${result}    Run Command On Controller    cmd=cat ${cert_path}
    # The controller must resolve the Keystone hostname used in the realm URL, so map it to the TOOLS SYSTEM IP in /etc/hosts
    ${result}    Run Command On Controller    cmd=sudo sed -i "2i${TOOLS_SYSTEM_IP} \ \ ${TOOLS_SYSTEM_NAME}" /etc/hosts
    ${result}    Run Command On Controller    cmd=cat /etc/hosts
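# Added example, not part of the OpenDaylight test suite: the keyword above only cats shiro.ini after editing it, so this
# Python block applies the same realm edits to a constructed shiro.ini fragment and then audits the result, flagging the
# settings under which user passwords would reach Keystone over plain HTTP or without certificate verification. The
# fragment, the hostname keystone.example and the function names are assumptions of the example.

```python
"""Apply and audit the shiro.ini changes made by 'Configure AAA In Controller'.

Added example; not code from the OpenDaylight test suite. The shiro.ini
fragment is constructed and only carries the keys the keyword touches;
the function names are chosen here and are not ODL APIs.
"""
import re
from typing import Dict, List

# Constructed [main]/[urls] fragment resembling the shipped defaults: the
# Keystone realm is commented out and absent from the realm chain.
DEFAULT_SHIRO_INI = """\
[main]
tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
#keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
#keystoneAuthRealm.url = https://localhost:35357
#keystoneAuthRealm.sslVerification = true
securityManager.realms = $tokenAuthRealm

[urls]
/operations/aaa-cert-rpc** = authcBasic, roles[admin]
/** = authcBasic
"""

KEYSTONE_REALM_CLASS = "org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm"


def configure_keystone_realm(ini: str, keystone_host: str, port: int = 35357) -> str:
    """The same edits the suite applies with sed: enable the realm, point it at
    Keystone over HTTPS with certificate verification, add it to the realm chain
    and drop the aaa-cert-rpc URL rule."""
    edits = [
        (r"^#keystoneAuthRealm =.*$", f"keystoneAuthRealm = {KEYSTONE_REALM_CLASS}"),
        (r"^#keystoneAuthRealm\.url =.*$", f"keystoneAuthRealm.url = https://{keystone_host}:{port}"),
        (r"^securityManager\.realms =.*$", "securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm"),
        (r"^#keystoneAuthRealm\.sslVerification =.*$", "keystoneAuthRealm.sslVerification = true"),
        (r"^/operations/aaa-cert-rpc.*\n", ""),
    ]
    for pattern, replacement in edits:
        # A callable avoids backslash/group processing of the replacement text.
        ini = re.sub(pattern, lambda _m, r=replacement: r, ini, flags=re.MULTILINE)
    return ini


def main_section(ini: str) -> Dict[str, str]:
    """'key = value' pairs of the [main] section; comments and other sections are skipped."""
    values: Dict[str, str] = {}
    section = None
    for raw in ini.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "main" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def audit_keystone_realm(ini: str) -> List[str]:
    """Findings a reviewer would raise; an empty list means the realm is enabled
    and the ODL-to-Keystone leg authenticates the Keystone server."""
    main = main_section(ini)
    if main.get("keystoneAuthRealm") != KEYSTONE_REALM_CLASS:
        return ["keystoneAuthRealm is not defined"]
    findings: List[str] = []
    realms = [r.strip() for r in main.get("securityManager.realms", "").split(",")]
    if "$keystoneAuthRealm" not in realms:
        findings.append("keystoneAuthRealm is not in securityManager.realms")
    if not main.get("keystoneAuthRealm.url", "").startswith("https://"):
        findings.append("keystoneAuthRealm.url is not https; user passwords would be forwarded in clear")
    if main.get("keystoneAuthRealm.sslVerification", "").lower() != "true":
        findings.append("keystoneAuthRealm.sslVerification is not true; the Keystone certificate is not checked")
    return findings


if __name__ == "__main__":
    print("default   :", audit_keystone_realm(DEFAULT_SHIRO_INI))
    configured = configure_keystone_realm(DEFAULT_SHIRO_INI, "keystone.example")
    print("configured:", audit_keystone_realm(configured))
```

# Running the audit after the sed edits, rather than only dumping the file, turns a silent misconfiguration (an http
# URL or sslVerification left false) into a failed setup step instead of a suite that passes while forwarding
# credentials to an unauthenticated endpoint.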
    [Documentation]    As CSC_user provision:
    ...    - Domain "sdn"
    ...    - User "sdnadmin"
    ...    - Role "admin" to "sdnadmin" user in "sdn" domain
    ${result}    Create Keystone session    ${TOOLS_SYSTEM_IP}
    Set Suite Variable    ${CREATE_TOKEN_FILE}    ${CURDIR}/../../../variables/aaa/create-token.json
    ${token}    Get Keystone Token    ${TOOLS_SYSTEM_IP}    ${CREATE_TOKEN_FILE}
    &{HEADERS}    Create Dictionary    X-Auth-Token=${token}    Content-Type=application/json
    Set Suite Variable    ${HEADERS_TOKEN}    ${HEADERS}
    ${admin_role_id}    Get Admin Role Id    ${HEADERS_TOKEN}
    Set Suite Variable    ${CREATE_DOMAIN_FILE}    ${CURDIR}/../../../variables/aaa/create-domain.json
    ${domain_local}    Create Keystone Domain    ${HEADERS_TOKEN}    ${CREATE_DOMAIN_FILE}
    Set Suite Variable    ${domain}    ${domain_local}
    Set Suite Variable    ${CREATE_USERS_FILE}    ${CURDIR}/../../../variables/aaa/create-user.json
    ${normalized_file}=    OperatingSystem.Normalize Path    ${CREATE_USERS_FILE}
    # Point the user template at the domain just created before posting it to Keystone
    ${output}    OperatingSystem.Run    sed -i 's/\"domain_id\".*/\"domain_id\"\: \"${domain}\",/g' ${normalized_file}
    ${user}    Create Keystone User in a Domain    ${HEADERS_TOKEN}    ${CREATE_USERS_FILE}
    Grant Admin Role    ${domain}    ${user}    ${admin_role_id}    ${HEADERS_TOKEN}
    [Documentation]    A controller restart is needed so that the new shiro.ini configuration takes effect
    ClusterManagement.ClusterManagement_Setup
    Wait Until Keyword Succeeds    5x    20s    Stop_Single_Member    1
    Start_Single_Member    1    wait_for_sync=False    timeout=120
    Wait Until Keyword Succeeds    30x    5s    Get Controller Modules

Get Controller Modules
    [Documentation]    Get the restconf modules, check the 200 status and the presence of ietf-restconf
    Create Session    session1    http://${ODL_SYSTEM_IP}:${RESTCONFPORT}    auth=${AUTH}    headers=${HEADERS}
    ${resp}=    RequestsLibrary.Get_Request    session1    ${MODULES_API}
    BuiltIn.Log    ${resp.content}
    BuiltIn.Should_Be_Equal    ${resp.status_code}    ${200}
    BuiltIn.Should_Contain    ${resp.content}    ietf-restconf