From eee7aae36d1d97143194caa79f1dacaaa27897b1 Mon Sep 17 00:00:00 2001 From: Ursicio Martin Date: Fri, 3 Mar 2017 10:11:50 +0100 Subject: [PATCH] AAA: Keystone Authentication Change-Id: I7d6713fc789d669c9dc8bfe3134b072da9145eb9 Signed-off-by: Ursicio Martin --- csit/libraries/AAA/DockerKeystone.robot | 133 +++++++++++ csit/libraries/TemplatedRequests.robot | 2 + .../aaa/keystone/010__keystone_authn.robot | 206 ++++++++++++++++++ csit/suites/aaa/keystone/start_keystone.sh | 32 +++ csit/testplans/aaa-keystone.txt | 3 + csit/variables/Variables.robot | 7 + csit/variables/aaa/create-domain.json | 7 + csit/variables/aaa/create-token.json | 18 ++ csit/variables/aaa/create-user.json | 9 + csit/variables/aaa/patch-domain.json | 6 + csit/variables/aaa/put-keystone-cert.json | 6 + 11 files changed, 429 insertions(+) create mode 100644 csit/libraries/AAA/DockerKeystone.robot create mode 100644 csit/suites/aaa/keystone/010__keystone_authn.robot create mode 100755 csit/suites/aaa/keystone/start_keystone.sh create mode 100644 csit/testplans/aaa-keystone.txt create mode 100644 csit/variables/aaa/create-domain.json create mode 100644 csit/variables/aaa/create-token.json create mode 100644 csit/variables/aaa/create-user.json create mode 100644 csit/variables/aaa/patch-domain.json create mode 100644 csit/variables/aaa/put-keystone-cert.json diff --git a/csit/libraries/AAA/DockerKeystone.robot b/csit/libraries/AAA/DockerKeystone.robot new file mode 100644 index 0000000000..48f302387b --- /dev/null +++ b/csit/libraries/AAA/DockerKeystone.robot @@ -0,0 +1,133 @@ +*** Settings *** +Documentation DockerKeystone library. This library is useful to deal with Openstack Keystone service which provides API client authentication. +... +... It consists of three main groups of keywords: +... +... - Start/Stop keystone node in SYSTEM TOOLS VM: +... - Run Docker Keystone +... - Destroy Docker Keystone +... +... - Provision keystone node: +... - Create Keystone session +... - Get Keystone Token +... - Create Keystone Domain +... - Create Keystone User in a Domain +... - Set Domain To False +... - Get Admin Role Id +... - Grant Admin Role +... - Delete Keystone Domain +... +... - Provision ODL node for secure communication with Keystone node: +... - Set Keystone Certificate into ODL +Library SSHLibrary +Library RequestsLibrary + +*** Variables *** + +*** Keywords *** +Get Keystone Token + [Arguments] ${TOOLS_SYSTEM_NAME} ${CREATE_TOKEN_FILE} + [Documentation] Get Keystone token for a particular user and domain + Set Suite Variable ${CREATE_TOKEN_URI} /v3/auth/tokens/ + ${body} OperatingSystem.Get File ${CREATE_TOKEN_FILE} + Log ${HEADERS} + ${resp}= RequestsLibrary.Post Request session_keystone ${CREATE_TOKEN_URI} data=${body} headers=${HEADERS} allow_redirects=${true} + Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} + ${token} Get From Dictionary ${resp.headers} x-subject-token + [Return] ${token} + +Create Keystone session + [Arguments] ${TOOLS_SYSTEM_NAME} + [Documentation] Create a https session with Keystone for provisioning new domains, users, projects ... + Log ${HEADERS} + Create Session session_keystone https://${TOOLS_SYSTEM_NAME}:35357 auth=${AUTH_ADMIN_SDN} headers=${HEADERS} debug=3 + +Create Keystone Domain + [Arguments] ${HEADERS} ${CREATE_DOMAIN_FILE} + [Documentation] Provision a domain in Keystone + Set Suite Variable ${CREATE_DOMAIN_URI} /v3/domains/ + ${body} OperatingSystem.Get File ${CREATE_DOMAIN_FILE} + ${resp} RequestsLibrary.Post Request session_keystone ${CREATE_DOMAIN_URI} data=${body} headers=${HEADERS} + Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} + ${domain_id} Convert To String ${resp.json()['domain']['id']} + [Return] ${domain_id} + +Create Keystone User in a Domain + [Arguments] ${HEADERS} ${CREATE_USERS_FILE} + [Documentation] Provision an user associated to a domain in \ Keystone + Set Suite Variable ${CREATE_USERS_URI} /v3/users/ + ${body} OperatingSystem.Get File ${CREATE_USERS_FILE} + ${resp} RequestsLibrary.Post Request session_keystone ${CREATE_USERS_URI} data=${body} headers=${HEADERS} + Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} + ${user_id} Convert To String ${resp.json()['user']['id']} + [Return] ${user_id} + +Grant Admin Role + [Arguments] ${domain} ${user} ${roleid} ${HEADERS} + [Documentation] Grant a role to an user in a domain in \ Keystone + Set Suite Variable ${GRANT_ADMIN_ROLE_URI} /v3/domains/${domain}/users/${user}/roles/${roleid} + ${resp} RequestsLibrary.Put Request session_keystone ${GRANT_ADMIN_ROLE_URI} headers=${HEADERS} + Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} + +Get Admin Role Id + [Arguments] ${HEADERS} + [Documentation] Get admin role id from Keystone + Set Suite Variable ${GET_ADMIN_ROLE_URI} /v3/roles?name=admin + ${resp}= RequestsLibrary.Get Request session_keystone ${GET_ADMIN_ROLE_URI} headers=${HEADERS} + Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} + ${admin_role_id} Convert To String ${resp.json()['roles'][0]['id']} + Log ${admin_role_id} + [Return] ${admin_role_id} + +Run Docker Keystone + [Documentation] Run Keystone in a docker container hosted in the SYSTEM TOOL server and define "CSC_user" and "CSC_user_no_admin" users, the former with "admin" role and the latter with "user" role + ${output} SSHLibrary.Open_Connection ${TOOLS_SYSTEM_IP} timeout=20s + Utils.Flexible_Controller_Login + SSHLibrary.Put File ${CURDIR}/../../suites/aaa/keystone/start_keystone.sh + SSHLibrary.Execute Command ./start_keystone.sh + Wait Until Keyword Succeeds 10x 15 Check Keystone Log File For String GET + SSHLibrary.Execute Command docker exec -t keystone bash -c "source openrc;openstack user create --password cscuser CSC_user;openstack user set --project admin CSC_user;openstack role add --project admin --user CSC_user admin;openstack role add --domain default --user CSC_user admin;openstack user list" + SSHLibrary.Execute Command docker exec -t keystone bash -c "source openrc;openstack user create --password cscusernoadmin CSC_user_no_admin;openstack user set --project admin CSC_user_no_admin;openstack role add --project admin --user CSC_user_no_admin user;openstack user list" + [Return] ${output} + +Destroy Docker Keystone + [Documentation] Destroy keystone container and remove mysql database + ${output} SSHLibrary.Execute Command docker stop keystone;docker rm keystone return_stdout=True return_stderr=True return_rc=True + ${output} SSHLibrary.Execute Command sudo rm -rf /var/lib/mysql/ return_stdout=True return_stderr=True return_rc=True + [Return] ${output} + +Set Domain To False + [Arguments] ${domain} ${HEADERS} + [Documentation] Disable domain in keystone + Set Suite Variable ${PATCH_DOMAIN_URI} /v3/domains/${domain} + Set Suite Variable ${PATCH_DOMAIN_FILE} ${CURDIR}/../../variables/aaa/patch-domain.json + ${body} OperatingSystem.Get File ${PATCH_DOMAIN_FILE} + ${resp} RequestsLibrary.Patch Request session_keystone ${PATCH_DOMAIN_URI} data=${body} headers=${HEADERS} + Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} + +Delete Keystone Domain + [Arguments] ${domain} ${HEADERS} + [Documentation] Delete domain in \ Keystone + Set Suite Variable ${DELETE_DOMAIN_URI} /v3/domains/${domain} + ${resp} RequestsLibrary.Delete Request session_keystone ${DELETE_DOMAIN_URI} headers=${HEADERS} + Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} + +Set Keystone Certificate into ODL + [Arguments] ${PUT_KEYSTONE_CERT_FILE} ${TOOLS_SYSTEM_NAME} + [Documentation] Install Keystone Certificate into ODL + SSHLibrary.Get File ${USER_HOME}${/}keystone_cert.pem ${USER_HOME}${/}key_cert.pem + ${keystone_certificate} ${rc} SSHLibrary.Execute Command cat keystone_cert.pem|grep -v CERTIFICATE|tr -d '\n' return_stdout=True return_stderr=False return_rc=True + Create Session session_admin http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS} + Set Suite Variable ${PUT_CERTIFICATE_URI} /restconf/operations/aaa-cert-rpc:setNodeCertifcate + ${normalized_file}= OperatingSystem.Normalize Path ${PUT_KEYSTONE_CERT_FILE} + ${output} OperatingSystem.Run sed -i 's#\"node-cert\".*#\"node-cert\"\: \"${keystone_certificate}\",#g' ${PUT_KEYSTONE_CERT_FILE} + ${output} OperatingSystem.Run sed -i 's#\"node-alias\".*#\"node-alias\"\: \"${TOOLS_SYSTEM_NAME}\"#g' ${PUT_KEYSTONE_CERT_FILE} + ${body_cert} OperatingSystem.Get File ${PUT_KEYSTONE_CERT_FILE} + ${resp} RequestsLibrary.Post Request session_admin ${PUT_CERTIFICATE_URI} data=${body_cert} headers=${HEADERS} + Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} + +Check Keystone Log File For String + [Arguments] ${string} + ${status} SSHLibrary.Execute Command docker exec -t keystone bash -c "grep ${string} /var/log/nginx-access.log" + Log ${status} + BuiltIn.Should Contain ${status} ${string} diff --git a/csit/libraries/TemplatedRequests.robot b/csit/libraries/TemplatedRequests.robot index b2706bd5b7..5ecee1af26 100644 --- a/csit/libraries/TemplatedRequests.robot +++ b/csit/libraries/TemplatedRequests.robot @@ -117,6 +117,8 @@ Variables ${CURDIR}/../variables/Variables.py @{DATA_VALIDATION_ERROR} ${500} @{DELETED_STATUS_CODE} ${404} # List of integers, not strings. Used by DELETE if the resource may be not present. @{NO_STATUS_CODES} +@{ALLOWED_DELETE_STATUS_CODES} ${200} ${201} ${204} ${404} # List of integers, not strings. Used by DELETE if the resource may be not present. +@{UNAUTHORIZED_STATUS_CODES} ${401} # List of integers, not strings. Used in Keystone Authentication when the user is not authorized to use the requested resource. @{KEYS_WITH_BITS} op # the default list with keys to be sorted when norm_json libray is used # TODO: Add option for delete to require 404. diff --git a/csit/suites/aaa/keystone/010__keystone_authn.robot b/csit/suites/aaa/keystone/010__keystone_authn.robot new file mode 100644 index 0000000000..3dbaf387bf --- /dev/null +++ b/csit/suites/aaa/keystone/010__keystone_authn.robot @@ -0,0 +1,206 @@ +*** Settings *** +Documentation Test suite: Authentication Support for Keystone +... +... This feature implements the user management for ODL NBI REST APIs integrated with OpenStack, so that the authentication functionality provided by Keystone can be used. This allows consuming ODL NBI REST APIs using the same authentication procedures as any OpenStack project, such as Nova, Neutron, etc. bringing the benefits of a centralized / unified user management framework. +... +... As a first step, It shall be possible to authenticate users against Keystone by using passwords provided by the users. +Suite Setup Init Suite +Suite Teardown Cleanup Suite +Test Timeout +Library SSHLibrary +Library Collections +Library OperatingSystem +Library RequestsLibrary +Resource ../../../libraries/Utils.robot +Resource ../../../libraries/TemplatedRequests.robot +Resource ../../../libraries/KarafKeywords.robot +Resource ../../../libraries/ClusterManagement.robot +Resource ../../../variables/Variables.robot +Resource ../../../libraries/AAA/DockerKeystone.robot + +*** Variables *** + +*** Test Cases *** +Successful Authentication Including Domain + [Documentation] *Test Case: Successful Authentication with user@domain/password credentials* + ... + ... Steps: + ... + ... - Create an HTTP session with ODL as "sdnadmin" user in "sdn" domain + ... - Check that the access to URLs of ODL NBI is allowed \ because "sdnadmin" user is associated to domain "sdn" in Keystone and the provided password is the right one + [Tags] + Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN_DOMAIN} headers=${HEADERS} + ${resp}= RequestsLibrary.Post Request session /restconf/operations/aaa-cert-rpc:getODLCertificate headers=${HEADERS} + Log ${resp}\n${resp.headers}\n${resp.content} + Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} + +Successful Authentication Without Domain + [Documentation] *Test Case: Successful Authentication with user/password credentials. No domain included* + ... + ... Steps: + ... + ... - Create an HTTP session with ODL as "CSC_user" user without specifying any domain then domain "Default" is considered + ... - Check that the access to URLs of ODL NBI is allowed because "CSC_user" user is associated to domain "Default" in Keystone and the provided password is the right one + [Tags] include + Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_SDN} headers=${HEADERS} + ${resp}= RequestsLibrary.Post Request session /restconf/operations/aaa-cert-rpc:getODLCertificate headers=${HEADERS} + Log ${resp}\n${resp.headers}\n${resp.content} + Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code} + +Unsuccessful Authentication Wrong User + [Documentation] *Test Case: UnSuccessful Authentication with worng user/password credentials* + ... + ... Steps: + ... + ... - Create an HTTP session with ODL as an invalid user + ... - Check that the access to URLs of ODL NBI is NOT allowed \ because "invaliduser" user does not exist in Keystone + [Tags] + Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_INVALID} headers=${HEADERS} + ${resp}= RequestsLibrary.Post Request session /restconf/operations/aaa-cert-rpc:getODLCertificate headers=${HEADERS} + Log ${resp} + Log ${resp.headers} + Log ${resp.content} + Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code} + +UnSuccessful Authentication Without Domain + [Documentation] *Test Case: UnSuccessful Authentication without domain* + ... + ... Steps: + ... + ... + ... - Create an HTTP session with ODL as "sdnadmin" user without specifying any domain then domain "Default" is considered + ... - Check that the access to URLs of ODL NBI is NOT allowed because "sdnadmin" user is not associated to domain "Default" in Keystone but to "sdn" which is not included in the credentials + [Tags] + Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN} headers=${HEADERS} + ${resp}= RequestsLibrary.Post Request session /restconf/operations/aaa-cert-rpc:getODLCertificate headers=${HEADERS} + Log ${resp} + Log ${resp.headers} + Log ${resp.content} + Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code} + +Unsuccessful Authentication Wrong Domain + [Documentation] *Test Case: UnSuccessful Authentication with wrong domain* + ... + ... Steps: + ... + ... Steps: + ... + ... - Create an HTTP session with ODL as "sdnadmin" user with "wrong" as domain + ... - Check that the access to URLs of ODL NBI is NOT allowed because "sdnadmin" user is not associated to domain "wrong" in Keystone but to "sdn" + ... + ... Note: Also for troubleshooting purposes keystone debug files are dumped + [Tags] + Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN_WRONG_DOM} headers=${HEADERS} + ${resp}= RequestsLibrary.Post Request session /restconf/operations/aaa-cert-rpc:getODLCertificate headers=${HEADERS} + Log ${resp} + Log ${resp.headers} + Log ${resp.content} + ${output} SSHLibrary.Execute Command docker exec -t keystone bash -c "cat /var/log/nginx-access.log" + Log ${output} + ${output} SSHLibrary.Execute Command docker exec -t keystone bash -c "cat /var/log/uwsgi-keystone-admin.log" + Log ${output} + ${output} SSHLibrary.Execute Command docker exec -t keystone bash -c "cat /var/log/nginx-error.log" + Log ${output} + ${output} SSHLibrary.Execute Command docker exec -t keystone bash -c "cat /var/log/uwsgi-keystone-public.log" + Log ${output} + Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code} + +*** Keywords *** +Init Suite + [Documentation] The steps included in the Initialization phase are: + ... + ... - Run Docker Keystone: Deploy a container in the SYSTEM TOOL node containing the Keystone + ... + ... - Configure AAA in Controller: shiro.ini file is modified to add new authentication realm based on Keystone + ... + ... - Restart Controller: This restart is needed in order to activate new shiro.ini configuration + ... + ... - Provision Keystone: Populate keystone database with the needed users and roles + ... + ... - Install Keystone certificate into ODL so that the protocol used in the ODL-Keystone communication is HTTPS with server certificate authentication + ${TOOLS_SYSTEM_NAME} Run Command On Remote System ${TOOLS_SYSTEM_IP} hostname -f user=${TOOLS_SYSTEM_USER} password=${TOOLS_SYSTEM_PASSWORD} + Run Docker Keystone + Configure AAA In Controller ${TOOLS_SYSTEM_NAME} + Restart Controller + Provision Keystone + Set Suite Variable ${PUT_KEYSTONE_CERT_FILE} ${CURDIR}/../../../variables/aaa/put-keystone-cert.json + Set Keystone Certificate into ODL ${PUT_KEYSTONE_CERT_FILE} ${TOOLS_SYSTEM_NAME} + +Cleanup Suite + [Documentation] Destoy keystone container + Set Domain To False ${domain} ${HEADERS_TOKEN} + Delete Keystone Domain ${domain} ${HEADERS_TOKEN} + Destroy Docker Keystone + +Configure AAA In Controller + [Arguments] ${TOOLS_SYSTEM_NAME} + [Documentation] With this keyword shiro.ini and aaa-cert-config.xml are modified to configure Keystone Authentication Realm using TLS1.2. Here you have the settings: + ... + ... - shiro.ini: + ... + ... keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm + ... keystoneAuthRealm.url = https://sandbox-29591-30-docker-0:35357 + ... keystoneAuthRealm.sslVerification = true + ... + ... securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm + ... + ... + ... + ... + ... - aaa-cert-config.xml: + ... true + ... + ... TLSv1.2 + ${shiro_path} Run Command On Controller cmd=cd /;find /|grep shiro.ini|grep etc|grep -v denied + ${cert_path} Run Command On Controller cmd=cd /;find /|grep aaa-cert-config.xml|grep etc|grep -v denied + ${result} Run Command On Controller cmd=sed -ie 's/#keystoneAuthRealm =.*/keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm/g' ${shiro_path} + ${result} Run Command On Controller cmd=sed -ie 's/#keystoneAuthRealm.url =.*/keystoneAuthRealm.url = https:\\/\\/${TOOLS_SYSTEM_NAME}:35357/g' ${shiro_path} + ${result} Run Command On Controller cmd=sed -ie 's/securityManager.realms =.*/securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm/g' ${shiro_path} + ${result} Run Command On Controller cmd=sed -ie 's/#keystoneAuthRealm.sslVerification =.*/keystoneAuthRealm.sslVerification = true/g' ${shiro_path} + ${result} Run Command On Controller cmd=sed -ie '/^\\/operations\\/aaa-cert-rpc/d' ${shiro_path} + ${result} Run Command On Controller cmd=sed -ie 's/.*/true<\\/use-config>/g' ${cert_path} + ${result} Run Command On Controller cmd=sed -ie 's/TLSv1.2<\\/tls-protocols>/g' ${cert_path} + ${result} Run Command On Controller cmd=cat ${shiro_path} + Log ${result} + ${result} Run Command On Controller cmd=cat ${cert_path} + Log ${result} + ${result} Run Command On Controller cmd=sudo sed -i "2i${TOOLS_SYSTEM_IP} \ \ ${TOOLS_SYSTEM_NAME}" /etc/hosts + ${result} Run Command On Controller cmd=cat /etc/hosts + Log ${result} + +Provision Keystone + [Documentation] As CSC_user provision: + ... - Domain "sdn" + ... - User "sdnadmin" + ... - Role "admin" to "sdnadmin" user in "sdn" domain + ${result} Create Keystone session ${TOOLS_SYSTEM_IP} + Log ${result} + Set Suite Variable ${CREATE_TOKEN_FILE} ${CURDIR}/../../../variables/aaa/create-token.json + ${token} Get Keystone Token ${TOOLS_SYSTEM_IP} ${CREATE_TOKEN_FILE} + Log ${HEADERS} + &{HEADERS} Create Dictionary X-Auth-Token=${token} Content-Type=application/json + Set Suite Variable ${HEADERS_TOKEN} ${HEADERS} + ${admin_role_id} Get Admin Role Id ${HEADERS_TOKEN} + Set Suite Variable ${CREATE_DOMAIN_FILE} ${CURDIR}/../../../variables/aaa/create-domain.json + ${domain_local} Create Keystone Domain ${HEADERS_TOKEN} ${CREATE_DOMAIN_FILE} + Set Suite Variable ${domain} ${domain_local} + Set Suite Variable ${CREATE_USERS_FILE} ${CURDIR}/../../../variables/aaa/create-user.json + ${normalized_file}= OperatingSystem.Normalize Path ${CREATE_USERS_FILE} + ${output} OperatingSystem.Run sed -i 's/\"domain_id\".*/\"domain_id\"\: \"${domain}\",/g' ${CREATE_USERS_FILE} + ${user} Create Keystone User in a Domain ${HEADERS_TOKEN} ${CREATE_USERS_FILE} + Grant Admin Role ${domain} ${user} ${admin_role_id} ${HEADERS_TOKEN} + +Restart Controller + [Documentation] Controller restart is needed in order the new shiro.ini config takes effect + ClusterManagement.ClusterManagement_Setup + Wait Until Keyword Succeeds 5x 20 Stop_Single_Member 1 + Start_Single_Member 1 wait_for_sync=False timeout=120 + Wait Until Keyword Succeeds 30x 5s Get Controller Modules + +Get Controller Modules + [Documentation] Get the restconf modules, check 200 status and ietf-restconf presence + Create Session session1 http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS} + ${resp} = RequestsLibrary.Get_Request session1 ${MODULES_API} + BuiltIn.Log ${resp.content} + BuiltIn.Should_Be_Equal ${resp.status_code} ${200} + BuiltIn.Should_Contain ${resp.content} ietf-restconf diff --git a/csit/suites/aaa/keystone/start_keystone.sh b/csit/suites/aaa/keystone/start_keystone.sh new file mode 100755 index 0000000000..e74f8e1641 --- /dev/null +++ b/csit/suites/aaa/keystone/start_keystone.sh @@ -0,0 +1,32 @@ +#/bin/bash + +set -x + +docker pull clearlinux/keystone + +# set a couple of useful env. vars +YOUR_HOST=`hostname -f` +MYSQL_DATA_DIR=/var/lib/mysql/ +echo "$YOUR_HOST" +# generate certificates +echo "START Artifact Generation" +CERT_PATH=`pwd` +CERT_NAME=keystone_cert +openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout keystone_key.pem \ + -out $CERT_NAME.pem -subj "/CN=$YOUR_HOST" +echo "END Artifact Generation" + + +echo "START Starting Container" +# start the container +docker run -d -it --name keystone -p 5000:5000 -p 35357:35357 \ + -h $YOUR_HOST \ + -e IDENTITY_HOST="$YOUR_HOST" \ + -e KEYSTONE_ADMIN_PASSWORD="secret" \ + -v $MYSQL_DATA_DIR:/var/lib/mysql \ + -v `pwd`/keystone_cert.pem:/etc/nginx/ssl/keystone_cert.pem \ + -v `pwd`/keystone_key.pem:/etc/nginx/ssl/keystone_key.pem \ + clearlinux/keystone + + +echo "END Starting Container" diff --git a/csit/testplans/aaa-keystone.txt b/csit/testplans/aaa-keystone.txt new file mode 100644 index 0000000000..39efc02ee5 --- /dev/null +++ b/csit/testplans/aaa-keystone.txt @@ -0,0 +1,3 @@ +# Place the suites in run order: +integration/test/csit/suites/aaa/keystone + diff --git a/csit/variables/Variables.robot b/csit/variables/Variables.robot index 6e62cb8f51..5f6d6637e2 100644 --- a/csit/variables/Variables.robot +++ b/csit/variables/Variables.robot @@ -28,6 +28,13 @@ ${ALERTFIELDCONTENTRULERECORD} /restconf/config/alertrule:alertFieldContentRu ${ALERTFIELDVALUERULERECORD} /restconf/config/alertrule:alertFieldValueRuleRecord # FIXME: Move to a separate Centinel-related Resource and add description. ${ALERTMESSAGECOUNTRULERECORD} /restconf/config/alertrule:alertMessageCountRuleRecord/ # FIXME: Move to a separate Centinel-related Resource and add description. @{AUTH} admin admin # Authentication tuple for accessing ODL RESTCONF server. TODO: Migrate most suites to TemplatedRequests, then chose a more descriptive name. +@{AUTH_SDN} sdnadmin sdnsdn # Authentication tuple for accessing ODL RESTCONF server with Keystone Authentication +@{AUTH_SDN_DOMAIN} sdnadmin@sdn sdnsdn # Authentication tuple for accessing ODL RESTCONF server with Keystone Authentication +@{AUTH_SDN_WRONG_DOM} sdnadmin@wrong sdnsdn # Authentication tuple for accessing ODL RESTCONF server with Keystone Authentication +@{AUTH_INVALID} invaliduser invinvuser # Authentication tuple for accessing ODL RESTCONF server with Keystone Authentication +@{AUTH_CSC_SDN} CSC_user cscuser # Authentication tuple for accessing Keystone API server +@{AUTH_CSC_NO_ADMIN} CSC_user_no_admin cscusernoadmin # Authentication tuple for accessing Keystone API server +@{AUTH_ADMIN_SDN} admin secret # Authentication tuple for accessing Keystone API server ${AUTH_TOKEN_API} /oauth2/token # FIXME: Move to a separate AAA-related Resource and add description. ${BGP_TOOL_PORT} 17900 # Tool side of BGP communication listens on this port. ${BGPCEP_LOG_LEVEL} ${DEFAULT_BGPCEP_LOG_LEVEL} # Some suites temporarily override org.opendaylight.bgpcep Karaf log level to this value. diff --git a/csit/variables/aaa/create-domain.json b/csit/variables/aaa/create-domain.json new file mode 100644 index 0000000000..b77d52a953 --- /dev/null +++ b/csit/variables/aaa/create-domain.json @@ -0,0 +1,7 @@ +{ + "domain": { + "description": "SDN Domain", + "enabled": true, + "name": "sdn" + } +} diff --git a/csit/variables/aaa/create-token.json b/csit/variables/aaa/create-token.json new file mode 100644 index 0000000000..2e2dfd6327 --- /dev/null +++ b/csit/variables/aaa/create-token.json @@ -0,0 +1,18 @@ +{ + "auth": { + "identity": { + "methods": [ + "password" + ], + "password": { + "user": { + "domain": { + "name": "Default" + }, + "name": "CSC_user", + "password": "cscuser" + } + } + } + } +} diff --git a/csit/variables/aaa/create-user.json b/csit/variables/aaa/create-user.json new file mode 100644 index 0000000000..48cdfcab69 --- /dev/null +++ b/csit/variables/aaa/create-user.json @@ -0,0 +1,9 @@ +{ + "user": { + "name": "sdnadmin", + "description": "SDN administrator", + "domain_id": "832166ddaaaf4b0ba662659aa1818019", + "enabled": true, + "password": "sdnsdn" + } +} diff --git a/csit/variables/aaa/patch-domain.json b/csit/variables/aaa/patch-domain.json new file mode 100644 index 0000000000..5d05e088fa --- /dev/null +++ b/csit/variables/aaa/patch-domain.json @@ -0,0 +1,6 @@ +{ + "domain": { + "enabled": false, + "name": "sdn" + } +} diff --git a/csit/variables/aaa/put-keystone-cert.json b/csit/variables/aaa/put-keystone-cert.json new file mode 100644 index 0000000000..05c9d2093c --- /dev/null +++ b/csit/variables/aaa/put-keystone-cert.json @@ -0,0 +1,6 @@ +{ + "input": { + "node-cert": "MIIDDTCCAfWgAwIBAgIJALi4vXDiQVMvMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNVBAMMEmVjZXVqbW0tVmlydHVhbEJveDAeFw0xNzAyMjIwODQwMzlaFw0xODAyMjIwODQwMzlaMB0xGzAZBgNVBAMMEmVjZXVqbW0tVmlydHVhbEJveDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6Y2OtwfXGudgYrD1no0IuE/nzi59HAiUP/kuPLOkuMU5DPUTn01L7OVSvujEEoSAjBVuBJCSThRzZ53PrwsqdCLe4iHmwUfAVUXSBznfW9g4EElnGkGty9IdqCXx0gITdVw8IWhjvfjZ7qTe8pVbFw+Hkj8qAYx3hA9lGoUDEn9OoFUP7HsrsjzU/V/XfFLnTQuy1bfdiA1izjkZdbFgcNpij4m4KZevSbw8Tsw/fnfKlwZwDvBO3CkmvO6L+woCHHcdUsmH2pg2IZtBxvtHaGmr8kyUPHu5PI52WZcOPotpPEZRtj1KNjiE5n2iXtf4biXOKiiTFrG5AvmRWj6U0CAwEAAaNQME4wHQYDVR0OBBYEFERDG2Y0MJbvAr7bdvQW+sj49Mw8MB8GA1UdIwQYMBaAFERDG2Y0MJbvAr7bdvQW+sj49Mw8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAMH37glds5isPWI7Das+N2fqy/cNa5leyqVWFItTFj3TspFXBI7wGz5EsEB5+G4i43wU2DMXQsBIK74sgJ/apXWwzhwDgfyI1dBlf2tXBNif7Za1qPpgg0bbICbJlyu7sDlsE0WPQGPYtVSK2SGRw/QbTHCtoiTxM+1Kw9ehYh3KQhdeazR315j/uD1stbK0RHUb0M2tHYbPRwhWWXXpfSEuJW5p3pkp/42UQr5AGxN+pADhunQ6gdwrb3PpA+Ln7A5bKdV4ylmRtDlHPdrU/FGhyUMT3YPixPLtRz0zpncHLQ2At2FMAS1QeOhvnjYYcEWOjqlA30b7qFP2gY91s2A=", + "node-alias": "eceujmm-VirtualBox" + } + } -- 2.36.6