SlideShare a Scribd company logo

Building Your Own IoT Platform using FIWARE GEis

Download as PPTX, PDF
FIWARE
FIWARE

This document provides a comprehensive guide on how to build a secure IoT platform using FIWARE GEIs within a container-based environment, specifically using Docker. It details the architecture, setup steps for various components like MongoDB and Orion Context Broker, and emphasizes the implementation of a security layer through identity management and authorization systems. The document serves as a practical resource for developers looking to integrate IoT solutions with enhanced security measures.

Internet
1 of 41
Downloaded 37 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Building your own IoT platform using FIWARE GEis José Manuel Cantera Fonseca Technological Expert. Data Chapter. josemanuel.canterafonseca@telefonica.com
Introduction Talk Objectives Illustrate how a secured IoT platform instance can be implemented using FIWARE GEis on a container-based environment (Docker) Understand how to set up a security layer on top of a Context Broker Learn how to configure all the components at the different layers
TargetArchitectureusingfiware securitystack Context Broker (Orion) mongoDB Application (Data Consumer) Identity Manager (Keystone) Authorization PDP (Keypass) PEP Proxy (Steelskin) Token validation (domain, project, role) Is authorized? Allow or Deny NGSIv2 Registration App NGSIv2 Add user Domain, Project, Roles Token Developer Data ingestionGet token Internet / VPN IoT platform Infrastructure I9 I8 IoT Devices Open Data Sources
Getting started A basic context broker set up 4
BasicData&Controlbrokersetup Data & Control Broker (Orion) mongoDB Application (Data Consumer) NGSIv2NGSIv2 Data ingestion Internet / VPN Operator Infrastructure I8 IoT Devices Open Data Sources
Step1.-MongoDB(I) mongoDB is the NoSQL database used to store context data mongoDB is properly packaged as a docker container Use mongoDB 3.2 docker container Prepare a folder to store mongoDB data Ex. $HOME/data/mongo Run mongoDB $ docker run --name mongo -v $HOME/data/mongo:/data/db -d -h mongo -p 27017:27017 mongo:3.2
Step1.-mongoDB(II) $ docker ps -a to list running containers aa075751485b mongo:3.2 "/entrypoint.sh mongo" 5 seconds ago Up 4 seconds 0.0.0.0:27017->27017/tcp mongo run mongo client application to check everything is ok You might need to install it https://docs.mongodb.com/v3.2/tutorial/install-mongodb-on-ubuntu/ $ apt-get install mongodb-org-shell $ mongo> show dbs Or you can directly connect to the container
Step2.-Orioncontextbroker(I) Orion is an implementation of the “Data and Context Broker” An open source project hosted by the FIWARE OSS https://github.com/fiware/context.Orion (License Affero GPL v3.0) properly packaged as a docker container running on CentOS 6 Orion uses mongoDB as the data storage For running Orion … $ docker run --name orion -d -p 1026:1026 --link mongo -h orion fiware/orion:1.4.1 -dbhost mongo $ docker ps -a
STEP2.-OrionContextbroker(II) $ curl -s localhost:1026/version | python -mjson.tool { "orion" : { "version" : "1.4.1", "uptime" : "0 d, 0 h, 1 m, 17 s", "git_hash" : "905d5fa58ace7fa4f14330ddc982b41cf9b30be6", "compile_time" : "Mon Oct 10 15:06:02 UTC 2016", "compiled_by" : "root", "compiled_in" : "b99744612d0b" } } $ mongo > show dbs > use orion Now a DB named “orion” should appear if everything is ok db.getCollectionNames() [ "entities" ] curl -s localhost:1026/v2/entities | python -mjson.tool
Step3.-Let’saddsomeentitiestoorion(I) $ curl localhost:1026/v2/entities -s -S --header 'Content-Type: application/json' -d @- <<EOF { "id": "WeatherObserved-6789", "type": "WeatherObserved", "temperature": { "value": 23, "type": "Number" }, "barometricPressure": { "value": 720, "type": "Number" }, "dateObserved": { "value": "2016-10-18T11:08:20.228Z", "type": "DateTime" }, "source": { "value": "http://www.aemet.es", "type": "URL" } } EOF
Step3.-Let’saddsomeentitiestoorion(II) $ curl localhost:1026/v2/entities?options=keyValues | python -mjson.tool [ { "barometricPressure": 720, "dateObserved": "2016-10-18T11:08:20.00Z", "id": "WeatherObserved-6789", "source": "http://www.aemet.es", "temperature": 23, "type": "WeatherObserved" } ] $ mongo > use orion switched to db orion > db.entities.find({}) { "_id" : { "id" : "WeatherObserved-6789", "type" : "WeatherObserved", "servicePath" : "/" }, "attrNames" : [ "temperature", "barometricPressure", "dateObserved", "source" ], "attrs" : { "temperature" : { "type" : "Number", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 23, "mdNames" : [ ] }, "barometricPressure" : { "type" : "Number", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 720, "mdNames" : [ ] }, "dateObserved" : { "type" : "DateTime", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 1476788900, "mdNames" : [ ] }, "source" : { "type" : "URL", "creDate" : 1476789680, "modDate" : 1476789680, "value" : "http://www.aemet.es", "mdNames" : [ ] } }, "creDate" : 1476789680, "modDate" : 1476789680 }
Step4.-Multitenancy (I) Orion Context Broker is multitenant Logical databases isolated, each one containing data from different organizations or domains Tenant is a “service” in FIWARE terminology. Aka a “Domain” in OpenStack terminology A tenant can be composed by multiple child sub- tenants “subservice” in FIWARE terminology Aka a “Project” in OpenStack terminology
Step4.-Multitenancy (II) The way to address tenants are HTTP headers Fiware-Service : <<Tenant_Name>> Fiware-Servicepath: <<Subservice_Name>> Subtenants follow a hierarchical structure and there is a default subtenant, root one (‘/’) Example: Fiware-service: weather Fiware-servicepath: /Spain A pair (service, subservice) is used for security
Step4.-Multitenancy (III) TENANT="Fiware-Service:$1" SUBSERVICE="Fiware-ServicePath:/$2" curl localhost:1026/v2/entities --header $TENANT --header $SUBSERVICE -s -S --header 'Content-Type: application/json' -d @- <<EOF { "id": "WeatherObserved-6789", "type": "WeatherObserved", "temperature": { "value": 23, "type": "Number" }, …… } EOF ● Creating an entity in a (tenant , subtenant)
Step4.-Multitenancy (IV) $mongo > show dbs local 0.000GB orion 0.000GB orion-example_a 0.000GB orion-london 0.000GB orion-weather 0.000GB There will be as many databases as tenants available “orion” is the DB which stores data in the default tenant DB name is “orion-” + <<tenant_name>> To query data of a tenant just issue regular NGSIv2 requests using Fiware-Service and Fiware-Servicepath headers
Deeping dive Adding a security layer to the data & control broker 16
TargetArchitectureusingfiwaresecuritystack Data & Control Broker (Orion) mongoDB Application (Data Consumer) Identity Manager (Keystone) Authorization PDP (Keypass) PEP Proxy (Steelskin) Token validation (domain, project, role) Is authorized? Allow or Deny NGSIv2 Registration App NGSIv2 Add user Domain, Project, Roles Token Developer Data ingestionGet token Internet / VPN Operator Infrastructure I9 I8 IoT Devices Open Data Sources
Step4.-Securitystack-preparation Security stack uses MySQL to store configuration data $ docker run --name mysql -d -p 3306:3306 -h mysql -v $HOME/data/mysql:/var/lib/mysql -e "MYSQL_ROOT_PASSWORD=gsma" -e "MYSQL_DATABASE=keypass" -e "MYSQL_USER=keypass" -e "MYSQL_PASSWORD=keypass" mysql:5.5 Check that everything is ok. Above command creates a database named “keypass” used later. $ docker exec -it mysql bash mysql --user=root --password=gsma mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keypass | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.00 sec)
Step4.1.-keystone(I) Keystone is an open source project hosted by OpenStack OSS Community https://github.com/openstack/keystone (Apache 2.0 license) Keystone is an Identity Manager service capable of storing information about domains, project, users, groups or roles Keystone is in charge of generating tokens which can be used to get access to services requiring credentials For this exercise we will be using a keystone image
Step4.1.-keystone(II) Running keystone $ docker run --name keystone -d -p 5001:5001 --link mysql -h keystone telefonicaiot/fiware-keystone-spassword -dbhost mysql -default_pwd 4pass1w0rd -mysql_pwd gsma Sanity check operations $ docker logs keystone $ docker exec -it keystone bash (to open a shell session on the container) $ curl -s -S http://localhost:5001/v3 | python -mjson.tool Once we have a keystone instance up and running different REST requests can be issued http://developer.openstack.org/api-ref/identity/v3/index.html
$ docker exec -it mysql bash root@mysql:/# mysql --user=root --password=gsma mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keypass | | keystone | | mysql | | performance_schema | +--------------------+ mysql> use keystone; Step4.1.-keystone(II-B) show tables; +-----------------------+ | Tables_in_keystone | +-----------------------+ | assignment | | credential | | domain | | endpoint | | group | | migrate_version | | policy | | project | | region | | role | | service | | spassword | | token | | trust | | trust_role | | user | | user_group_membership | +-----------------------+ Checking keystone has created its database properly
Step4.1.-keystone(III) Remember: Fiware-Service → Domain in Keystone Fiware-Servicepath → Project in Keystone A developer will register in Keystone as user in a domain <-> Developer can get access to the data offered by the corresponding FIWARE service (tenant) We will later show how this works in practice
Step4.1.-keystone(IV) List all domains curl -s -S --header x-auth-token:4pass1w0rd http://localhost:5001/v3/domains/ | python - mjson.tool { "domains": [ { "enabled": true, "id": "8b883aaa740e4d75b91095eaa550b35c", "links": { "self": "http://localhost:5001/v3/domains/8b883aaa740e4d75b91095eaa550b35c" }, "name": "admin_domain" }, { "description": "Owns users and tenants (i.e. projects) available on Identity API v2.", "enabled": true, "id": "default", "links": { "self": "http://localhost:5001/v3/domains/default" }, "name": "Default" } ]
Step4.1.-keystone(V) List all users curl -s -S --header x-auth-token:4pass1w0rd http://localhost:5001/v3/users/ | python - mjson.tool "users": [ { "description": "Cloud service", "domain_id": "8b883aaa740e4d75b91095eaa550b35c", "enabled": true, "id": "02cd3dbb6ceb48eb92588c7885bbcc1f", "links": { "self": "http://localhost:5001/v3/users/02cd3dbb6ceb48eb92588c7885bbcc1f" }, "name": "pep" }, { "description": "Cloud administrator", "domain_id": "8b883aaa740e4d75b91095eaa550b35c", "enabled": true, "id": "177cf5a4d12e4f85b7b65cbcac6d9697", "links": { "self": "http://localhost:5001/v3/users/177cf5a4d12e4f85b7b65cbcac6d9697" }, "name": "cloud_admin" }
Step4.1.-keystone(VI) Get a token for the cloud_admin user curl localhost:5001/v3/auth/tokens -s -S --header 'Content-Type: application/json' -d @- <<EOF { "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "cloud_admin", "domain": { "name": "admin_domain" }, "password": "4pass1w0rd" } } } } } EOF HTTP/1.1 201 Created X-Subject-Token: 19e200834a3f4e149c7f4033a003a8f4
Step4.2.-keypass.-authPDP(I) keypass is an implementation of the FIWARE Authorization PDP (Policy Decision Point) Keypass is an open source project hosted at https://github.com/telefonicaid/fiware-keypass License is Apache 2.0 It complies with XACML (eXtensible Access Control Markup Language) v3.0. It provides an API to get authorization decisions based on authorization policies
Step4.2.-keypass.-AuthPDP(II) Running keypass $ docker run --name keypass -d -p 7070:7070 -h keypass --link mysql telefonicaiot/fiware- keypass -dbhost mysql $ docker logs keypass $ curl --header 'Fiware-Service: dummy' localhost:7070/version 1.2.1
Step4.3.-Steelskin.-PEPproxy (I) Steelskin is an implementation of the FIWARE PEP (Policy Enforcement Point) Steelskin is an open source project hosted at https://github.com/telefonicaid/fiware-pep-steelskin License is Affero GPL 3.0 A proxy which ensures that only authorized users are able to perform requests against the Data & Control Broker https://github.com/telefonicaid/fiware-pep-steelskin#-rules-to-determine-the- context-broker-action-from-the-request
Step4.3.-Steelskin.-PEPproxy (II) Running: $ docker run -d --name pep -p 1027:1026 --link orion --link keystone --link keypass -e LOG_LEVEL=DEBUG -e AUTHENTICATION_HOST=keystone -e AUTHENTICATION_PORT=5001 -e ACCESS_HOST=keypass -e ACCESS_PORT=7070 -e TARGET_HOST=orion -e TARGET_PORT=1026 -e PROXY_USERNAME=pep -e PROXY_PASSWORD=4pass1w0rd telefonicaiot/fiware-pep-steelskin $ docker logs pep $ docker exec -it pep bash → $ curl localhost:11211/version { "version": "1.2.0-next", "port":1026 }
Step4.3.-Steelskin.-PEPproxy(III) Remember: Given an HTTP Request (x-auth-token, fiware- service, fiware-servicepath) First PEP queries keystone to validate the auth token and obtain (user, domain, role in project) Then, PEP queries keypass to obtain the authorization policies for the role in question A match between subject policies and the requested operation is done If the requested operation is allowed, the HTTP request is forwarded to the Data & Control Broker If not a non-authorized error is raised curl localhost:1027/v2/entities
STEP5.-Usingthemalltogether $ docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d18f7dbe7f75 telefonicaiot/fiware-pep-steelskin "/bin/sh -c bin/pepPr" 16 minutes ago Up 16 minutes 11211/tcp, 0.0.0.0:1027->1026/tcp pep 7e1853f0e2c4 telefonicaiot/fiware-keypass "/opt/keypass/keypass" 45 minutes ago Up 45 minutes 0.0.0.0:7070-7071->7070-7071/tcp keypass c4f6ab6c390f telefonicaiot/fiware-keystone-spassword "/opt/keystone/keysto" About an hour ago Up About an hour 0.0.0.0:5001->5001/tcp keystone 5bf5d7e8b284 mysql:5.5 "docker-entrypoint.sh" 18 hours ago Up 18 hours 0.0.0.0:3307->3306/tcp mysql 6c63cee20ae2 fiware/orion:1.4.1 "/usr/bin/contextBrok" 24 hours ago Up 24 hours 0.0.0.0:1026->1026/tcp orion 4f1d9298fb70 mongo:3.2 "/entrypoint.sh mongo" 24 hours ago Up 24 hours 0.0.0.0:27017->27017/tcp mongo
Step5.1.-Orchestratortotherescue Manual provision of configurations of the three security components can be cumbersome TEF has developed an open source project (named orchestrator) that helps to provide security configurations https://github.com/telefonicaid/orchestrator License is Affero GPL 3.0 It can be instantiated as a service but there are some useful scripts which can be used https://github.com/telefonicaid/orchestrator/blob/master/SCRIPTS.md
Step5.2.-configuringaservice(tenant) $ git clone https://github.com/telefonicaid/orchestrator $ cd orchestrator $ pip install -r requirements.txt $ export PYTHONPATH=$PYTHONPATH:$HOME/gsma/orchestrator/src cd $HOME/gsma/orchestrator/src ./orchestrator/commands/createNewService.py http localhost 5001 admin_domain cloud_admin 4pass1w0rd weatherdata "Weather Data" weather_admin weather_admin_PWD http localhost 7070 Checking that everything went ok ./orchestrator/commands/printServices.py http localhost 5001 admin_domain cloud_admin 4pass1w0rd
Step5.3.-configuringaSub-service $ export PYTHONPATH=$PYTHONPATH:$HOME/gsma/orchestrator/src cd $HOME/gsma/orchestrator/src ./orchestrator/commands/createNewSubService.py http localhost 5001 weatherdata weather_admin weather_admin_PWD "Spain" "Weather in Spain" Checking that everything went ok ./orchestrator/commands/printSubServices.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Now we have a pair (Fiware-Service, Fiware-Servicepath) → (‘weatherdata’, ‘/Spain`) We can check that we can get access to data 1/ obtain a token for the `weather_admin’ user Ex. `5bb5c6e310814b93a01d74385fe52bef` 2/ issue a GET request through the PEP proxy curl localhost:1027/v2/entities --header 'Fiware-Service:weatherdata' --header 'Fiware-Servicepath:
Step5.4.-addingadeveloperwithconsumerpermissions $ ./orchestrator/commands/createNewServiceUser.py http localhost 5001 weatherdata weather_admin weather_admin_PWD developer1 developer1_PWD Checking that everything went ok ./orchestrator/commands/printServiceUsers.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Now we need to assign the role “SubServiceCustomer” to the user ‘developer1’ ./orchestrator/commands/assignRoleSubServiceUser.py http localhost 5001 weatherdata Spain weather_admin weather_admin_PWD SubServiceCustomer developer1 Checking that everything went ok ./orchestrator/commands/listSubServiceRoleAssignments.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Spain True Now ‘developer1’ is able to query weather data on the sub-service ‘Spain’. However he cannot provide data as his role is ‘SubServiceCustomer’
Step5.5.-gettingaccesstodatawith‘developer1’ (I) First of all a token must be obtained . Then : $ curl -s -S localhost:1027/v2/entities --header 'Fiware-service:weatherdata' --header 'Fiware-servicepath:/Spain' --header 'x-auth-token:36a1d0558612473da438c93d74d4aefc' | python -mjson.tool [ { "barometricPressure": { "metadata": {}, "type": "Number", "value": 720 }, "dateObserved": { "metadata": {}, "type": "DateTime", "value": "2016-10-18T11:08:20.00Z" }, "id": "WeatherObserved-6789", "type": "WeatherObserved" } ]
Step5.5.-gettingaccesstodatawith‘developer1’ (II) An attempt to create a new entity on (weatherdata,/Spain) will fail curl localhost:1027/v2/entities -s -S --header 'Content-Type: application/json' --header 'Fiware- Service:weatherdata' --header 'Fiware-servicepath:/Spain' --header 'x-auth-token:36a1d0558612473da438c93d74d4aefc' -d @- <<EOF { "id": "WeatherObserved-4567", …. } EOF { "name": "ACCESS_DENIED", "message": "The user does not have the appropriate permissions to access the selected action" } Developer will need to be assigned the role ‘SubServiceAdmin’ in order to be able to post new data
What’shappeningbehindthescenes A set of predefined policies have been pre-populated to the ‘keypass’ database docker exec -it mysql mysql --user=keypass --password=keypass mysql> use keypass; select policy from Policies; Relevant policies are https://github.com/telefonicaid/orchestrator/blob/master/src/orchestrator/core /policies/policy-orion-customer.xml https://github.com/telefonicaid/orchestrator/blob/master/src/orchestrator/core /policies/policy-orion-admin.xml
Andfinally... Remember to remove old docker containers (exited) $ docker rm <container> You should only expose the IdM (for tokens) and the PEP Proxy (ports) to the developer Ensure the mounted volumes for database data have enough space for the data to be stored Remember, you can open a shell session on a container $ docker exec -it <<container_name> bash And then get access to the logs, databases, local services, ….
Questions 40
Thank you! http://fiware.org Follow @FIWARE on Twitter

More Related Content

What's hot (20)

PDF
Az 900 Session 3 Security, privacy, compliance, trust, pricing, SLA and Lifec...
AzureEzy1
 
PDF
Session 1 - Introduction to i4Trust Data Spaces, building blocks, and roles |...
FIWARE
 
PPTX
FIWARE Wednesday Webinars - How to Design DataModels
FIWARE
 
PDF
FIWARE Training: JSON-LD and NGSI-LD
FIWARE
 
PPTX
Azure storage
Raju Kumar
 
PDF
Red Hat OpenShift Container Platform Overview
James Falkner
 
PDF
SQream DB, GPU-accelerated data warehouse
NAVER Engineering
 
PDF
FIWARE Training: IoT and Legacy
FIWARE
 
PDF
Data persistency (draco, cygnus, sth comet, quantum leap)
Fernando Lopez Aguilar
 
PDF
FIWARE Training: NGSI-LD Advanced Operations
FIWARE
 
PPTX
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
Fwdays
 
PDF
PySpark Best Practices
Cloudera, Inc.
 
PPTX
FIWARE and Smart Data Models
Fernando Lopez Aguilar
 
PPTX
Microsoft Azure Technical Overview
gjuljo
 
PDF
FIWARE Wednesday Webinars - Performing Big Data Analysis Using Cosmos With Sp...
FIWARE
 
PDF
GitOps with Amazon EKS Anywhere by Dan Budris
Weaveworks
 
PDF
Data Security at Scale through Spark and Parquet Encryption
Databricks
 
PPTX
Cloud Oracle
Fran Navarro
 
PPTX
Data Engineering A Deep Dive into Databricks
Knoldus Inc.
 
PDF
Unified Big Data Processing with Apache Spark (QCON 2014)
Databricks
 
Az 900 Session 3 Security, privacy, compliance, trust, pricing, SLA and Lifec...
AzureEzy1
 
Session 1 - Introduction to i4Trust Data Spaces, building blocks, and roles |...
FIWARE
 
FIWARE Wednesday Webinars - How to Design DataModels
FIWARE
 
FIWARE Training: JSON-LD and NGSI-LD
FIWARE
 
Azure storage
Raju Kumar
 
Red Hat OpenShift Container Platform Overview
James Falkner
 
SQream DB, GPU-accelerated data warehouse
NAVER Engineering
 
FIWARE Training: IoT and Legacy
FIWARE
 
Data persistency (draco, cygnus, sth comet, quantum leap)
Fernando Lopez Aguilar
 
FIWARE Training: NGSI-LD Advanced Operations
FIWARE
 
Anton Grishko "Multi-cloud with Google Anthos, Kubernetes and Istio. How to s...
Fwdays
 
PySpark Best Practices
Cloudera, Inc.
 
FIWARE and Smart Data Models
Fernando Lopez Aguilar
 
Microsoft Azure Technical Overview
gjuljo
 
FIWARE Wednesday Webinars - Performing Big Data Analysis Using Cosmos With Sp...
FIWARE
 
GitOps with Amazon EKS Anywhere by Dan Budris
Weaveworks
 
Data Security at Scale through Spark and Parquet Encryption
Databricks
 
Cloud Oracle
Fran Navarro
 
Data Engineering A Deep Dive into Databricks
Knoldus Inc.
 
Unified Big Data Processing with Apache Spark (QCON 2014)
Databricks
 

Viewers also liked (20)

PPTX
Welcome to the 1st FIWARE Summit
FIWARE
 
PPTX
How to Contribute to FIWARE
FIWARE
 
PDF
What, Why and What for FIWARE?
forumvirium
 
PDF
An introduction to the IoTC
Newell Thompson
 
PPT
X-GSN in OpenIoT SummerSchool
Jean-Paul Calbimonte
 
PPTX
symbIoTe - AIOTI Open Day @ NDC, 08 Feb 2016, Athens, Greece
symbiote-h2020
 
PDF
IoT Platforms Interoperability and the symbIoTe Vision
symbiote-h2020
 
PDF
Semantic Interoperability as Key to IoT Platform Federation
symbiote-h2020
 
PPTX
IoT on the Edge
FIWARE
 
PDF
Interoperability with Standardless IoT (Global IoT Day Wien)
David Janes
 
PPTX
Spanish AgriFood Cooperatives
FIWARE
 
PPTX
IoT Platform Meetup - Oracle
Filip Kolář
 
PPTX
FIWARE: the best is yet to come
FIWARE
 
PPTX
The Future of IoT: Why We Need the Open Interconnect Consortium
Samsung Open Source Group
 
PPTX
Introduction to FIWARE Open Ecosystem
Fernando Lopez Aguilar
 
PDF
Oies_IoT_Platform_Selection_Services_2017
Francisco Maroto
 
PPTX
The FIWARE Marketplace
FIWARE
 
PPTX
Creating end-to-end IoT applications with Eclipse Kura & Solair IoT Platform
Solair
 
PDF
Internet of Things (IoT) and Google
Abdullah Çetin ÇAVDAR
 
PPTX
IoT World Forum Press Conference - 10.14.2014
Bessie Wang
 
Welcome to the 1st FIWARE Summit
FIWARE
 
How to Contribute to FIWARE
FIWARE
 
What, Why and What for FIWARE?
forumvirium
 
An introduction to the IoTC
Newell Thompson
 
X-GSN in OpenIoT SummerSchool
Jean-Paul Calbimonte
 
symbIoTe - AIOTI Open Day @ NDC, 08 Feb 2016, Athens, Greece
symbiote-h2020
 
IoT Platforms Interoperability and the symbIoTe Vision
symbiote-h2020
 
Semantic Interoperability as Key to IoT Platform Federation
symbiote-h2020
 
IoT on the Edge
FIWARE
 
Interoperability with Standardless IoT (Global IoT Day Wien)
David Janes
 
Spanish AgriFood Cooperatives
FIWARE
 
IoT Platform Meetup - Oracle
Filip Kolář
 
FIWARE: the best is yet to come
FIWARE
 
The Future of IoT: Why We Need the Open Interconnect Consortium
Samsung Open Source Group
 
Introduction to FIWARE Open Ecosystem
Fernando Lopez Aguilar
 
Oies_IoT_Platform_Selection_Services_2017
Francisco Maroto
 
The FIWARE Marketplace
FIWARE
 
Creating end-to-end IoT applications with Eclipse Kura & Solair IoT Platform
Solair
 
Internet of Things (IoT) and Google
Abdullah Çetin ÇAVDAR
 
IoT World Forum Press Conference - 10.14.2014
Bessie Wang
 
Ad

Similar to Building Your Own IoT Platform using FIWARE GEis (20)

PDF
Gr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Stanislav Tiurikov
 
PPTX
FIWARE Primer - Learn FIWARE in 60 Minutes
Federico Michele Facca
 
PPTX
Federico Michele Facca - FIWARE Primer - Learn FIWARE in 60 Minutes
Codemotion
 
PDF
Bring your infrastructure under control with Infrastructor
Stanislav Tiurikov
 
PPT
Fiware io t_ul20_cpbr8
FIWARE
 
PDF
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Chris Bailey
 
PPTX
Simple docker hosting in FIWARE Lab
Fernando Lopez Aguilar
 
PDF
Nko workshop - node js crud & deploy
Simon Su
 
PDF
Burn down the silos! Helping dev and ops gel on high availability websites
Lindsay Holmwood
 
PDF
Do you know what your drupal is doing? Observe it!
Luca Lusso
 
PDF
Hopping in clouds - phpuk 17
Michele Orselli
 
PDF
Weave Your Microservices with Istio
All Things Open
 
PDF
All Things Open 2019 weave-services-istio
Lin Sun
 
PDF
Ato2019 weave-services-istio
Lin Sun
 
PPTX
Capture, record, clip, embed and play, search: video from newbie to ninja
Vito Flavio Lorusso
 
PPTX
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
CODE BLUE
 
PDF
Strata London 2018: Multi-everything with Apache Pulsar
Streamlio
 
PDF
FIWARE Training: Connecting to Legacy Systems, IoT and other Systems
FIWARE
 
PDF
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
Chris Bailey
 
PDF
Build Your Own CaaS (Container as a Service)
HungWei Chiu
 
Gr8conf EU 2018 - Bring you infrastructure under control with Infrastructor
Stanislav Tiurikov
 
FIWARE Primer - Learn FIWARE in 60 Minutes
Federico Michele Facca
 
Federico Michele Facca - FIWARE Primer - Learn FIWARE in 60 Minutes
Codemotion
 
Bring your infrastructure under control with Infrastructor
Stanislav Tiurikov
 
Fiware io t_ul20_cpbr8
FIWARE
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Chris Bailey
 
Simple docker hosting in FIWARE Lab
Fernando Lopez Aguilar
 
Nko workshop - node js crud & deploy
Simon Su
 
Burn down the silos! Helping dev and ops gel on high availability websites
Lindsay Holmwood
 
Do you know what your drupal is doing? Observe it!
Luca Lusso
 
Hopping in clouds - phpuk 17
Michele Orselli
 
Weave Your Microservices with Istio
All Things Open
 
All Things Open 2019 weave-services-istio
Lin Sun
 
Ato2019 weave-services-istio
Lin Sun
 
Capture, record, clip, embed and play, search: video from newbie to ninja
Vito Flavio Lorusso
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
CODE BLUE
 
Strata London 2018: Multi-everything with Apache Pulsar
Streamlio
 
FIWARE Training: Connecting to Legacy Systems, IoT and other Systems
FIWARE
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
Chris Bailey
 
Build Your Own CaaS (Container as a Service)
HungWei Chiu
 
Ad

More from FIWARE (20)

PPTX
Behm_Herne_NeMo_akt.pptx
FIWARE
 
PDF
Katharina Hogrebe Herne Digital Days.pdf
FIWARE
 
PPTX
Christoph Mertens_IDSA_Introduction to Data Spaces.pptx
FIWARE
 
PPTX
Behm_Herne_NeMo.pptx
FIWARE
 
PPTX
Evangelists + iHubs Promo Slides.pptx
FIWARE
 
PPTX
Lukas Künzel Smart City Operating System.pptx
FIWARE
 
PPTX
Pierre Golz Der Transformationsprozess im Konzern Stadt.pptx
FIWARE
 
PPTX
Dennis Wendland_The i4Trust Collaboration Programme.pptx
FIWARE
 
PPTX
Ulrich Ahle_FIWARE.pptx
FIWARE
 
PPTX
Aleksandar Vrglevski _FIWARE DACH_OSIH.pptx
FIWARE
 
PDF
Water Quality - Lukas Kuenzel.pdf
FIWARE
 
PPTX
Cameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptx
FIWARE
 
PPTX
FiWareSummit.msGIS-Data-to-Value.2023.06.12.pptx
FIWARE
 
PPTX
Boris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptx
FIWARE
 
PPTX
Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....
FIWARE
 
PDF
Abdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdf
FIWARE
 
PDF
FGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdf
FIWARE
 
PPTX
HTAG_Skalierung_Plattform_lokal_final_versand.pptx
FIWARE
 
PPTX
WE_LoRaWAN _ IoT.pptx
FIWARE
 
PPTX
EU Opp_Clara Pezuela - German chapter.pptx
FIWARE
 
Behm_Herne_NeMo_akt.pptx
FIWARE
 
Katharina Hogrebe Herne Digital Days.pdf
FIWARE
 
Christoph Mertens_IDSA_Introduction to Data Spaces.pptx
FIWARE
 
Behm_Herne_NeMo.pptx
FIWARE
 
Evangelists + iHubs Promo Slides.pptx
FIWARE
 
Lukas Künzel Smart City Operating System.pptx
FIWARE
 
Pierre Golz Der Transformationsprozess im Konzern Stadt.pptx
FIWARE
 
Dennis Wendland_The i4Trust Collaboration Programme.pptx
FIWARE
 
Ulrich Ahle_FIWARE.pptx
FIWARE
 
Aleksandar Vrglevski _FIWARE DACH_OSIH.pptx
FIWARE
 
Water Quality - Lukas Kuenzel.pdf
FIWARE
 
Cameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptx
FIWARE
 
FiWareSummit.msGIS-Data-to-Value.2023.06.12.pptx
FIWARE
 
Boris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptx
FIWARE
 
Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....
FIWARE
 
Abdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdf
FIWARE
 
FGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdf
FIWARE
 
HTAG_Skalierung_Plattform_lokal_final_versand.pptx
FIWARE
 
WE_LoRaWAN _ IoT.pptx
FIWARE
 
EU Opp_Clara Pezuela - German chapter.pptx
FIWARE
 

Recently uploaded (20)

PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
PPTX
法国巴黎第二大学本科毕业证{Paris 2学费发票Paris 2成绩单}办理方法
Taqyea
 
PPTX
04 Output 1 Instruments & Tools (3).pptx
GEDYIONGebre
 
PPTX
Lec15_Mutability Immutability-converted.pptx
khanjahanzaib1
 
PDF
FutureCon Seattle 2025 Presentation Slides - You Had One Job
Suzanne Aldrich
 
PDF
Digital burnout toolkit for youth workers and teachers
asociatiastart123
 
PPTX
Presentation3gsgsgsgsdfgadgsfgfgsfgagsfgsfgzfdgsdgs.pptx
SUB03
 
PDF
BRKSP-2551 - Introduction to Segment Routing.pdf
fcesargonca
 
PPTX
PHIPA-Compliant Web Hosting in Toronto: What Healthcare Providers Must Know
steve198109
 
PPTX
Metaphysics_Presentation_With_Visuals.pptx
erikjohnsales1
 
PDF
Enhancing Parental Roles in Protecting Children from Online Sexual Exploitati...
ICT Frame Magazine Pvt. Ltd.
 
PPTX
Networking_Essentials_version_3.0_-_Module_3.pptx
ryan622010
 
PDF
Top 10 Testing Procedures to Ensure Your Magento to Shopify Migration Success...
CartCoders
 
PPTX
西班牙巴利阿里群岛大学电子版毕业证{UIBLetterUIB文凭证书}文凭复刻
Taqyea
 
PPTX
Orchestrating things in Angular application
Peter Abraham
 
PPTX
L1A Season 1 ENGLISH made by A hegy fixed
toszolder91
 
PDF
BRKAPP-1102 - Proactive Network and Application Monitoring.pdf
fcesargonca
 
PDF
BRKACI-1003 ACI Brownfield Migration - Real World Experiences and Best Practi...
fcesargonca
 
PPTX
Softuni - Psychology of entrepreneurship
Kalin Karakehayov
 
DOCX
Custom vs. Off-the-Shelf Banking Software
KristenCarter35
 
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
法国巴黎第二大学本科毕业证{Paris 2学费发票Paris 2成绩单}办理方法
Taqyea
 
04 Output 1 Instruments & Tools (3).pptx
GEDYIONGebre
 
Lec15_Mutability Immutability-converted.pptx
khanjahanzaib1
 
FutureCon Seattle 2025 Presentation Slides - You Had One Job
Suzanne Aldrich
 
Digital burnout toolkit for youth workers and teachers
asociatiastart123
 
Presentation3gsgsgsgsdfgadgsfgfgsfgagsfgsfgzfdgsdgs.pptx
SUB03
 
BRKSP-2551 - Introduction to Segment Routing.pdf
fcesargonca
 
PHIPA-Compliant Web Hosting in Toronto: What Healthcare Providers Must Know
steve198109
 
Metaphysics_Presentation_With_Visuals.pptx
erikjohnsales1
 
Enhancing Parental Roles in Protecting Children from Online Sexual Exploitati...
ICT Frame Magazine Pvt. Ltd.
 
Networking_Essentials_version_3.0_-_Module_3.pptx
ryan622010
 
Top 10 Testing Procedures to Ensure Your Magento to Shopify Migration Success...
CartCoders
 
西班牙巴利阿里群岛大学电子版毕业证{UIBLetterUIB文凭证书}文凭复刻
Taqyea
 
Orchestrating things in Angular application
Peter Abraham
 
L1A Season 1 ENGLISH made by A hegy fixed
toszolder91
 
BRKAPP-1102 - Proactive Network and Application Monitoring.pdf
fcesargonca
 
BRKACI-1003 ACI Brownfield Migration - Real World Experiences and Best Practi...
fcesargonca
 
Softuni - Psychology of entrepreneurship
Kalin Karakehayov
 
Custom vs. Off-the-Shelf Banking Software
KristenCarter35
 

Building Your Own IoT Platform using FIWARE GEis

  • 1. Building your own IoT platform using FIWARE GEis José Manuel Cantera Fonseca Technological Expert. Data Chapter. [email protected]
  • 2. Introduction Talk Objectives Illustrate how a secured IoT platform instance can be implemented using FIWARE GEis on a container-based environment (Docker) Understand how to set up a security layer on top of a Context Broker Learn how to configure all the components at the different layers
  • 3. TargetArchitectureusingfiware securitystack Context Broker (Orion) mongoDB Application (Data Consumer) Identity Manager (Keystone) Authorization PDP (Keypass) PEP Proxy (Steelskin) Token validation (domain, project, role) Is authorized? Allow or Deny NGSIv2 Registration App NGSIv2 Add user Domain, Project, Roles Token Developer Data ingestionGet token Internet / VPN IoT platform Infrastructure I9 I8 IoT Devices Open Data Sources
  • 4. Getting started A basic context broker set up 4
  • 5. BasicData&Controlbrokersetup Data & Control Broker (Orion) mongoDB Application (Data Consumer) NGSIv2NGSIv2 Data ingestion Internet / VPN Operator Infrastructure I8 IoT Devices Open Data Sources
  • 6. Step1.-MongoDB(I) mongoDB is the NoSQL database used to store context data mongoDB is properly packaged as a docker container Use mongoDB 3.2 docker container Prepare a folder to store mongoDB data Ex. $HOME/data/mongo Run mongoDB $ docker run --name mongo -v $HOME/data/mongo:/data/db -d -h mongo -p 27017:27017 mongo:3.2
  • 7. Step1.-mongoDB(II) $ docker ps -a to list running containers aa075751485b mongo:3.2 "/entrypoint.sh mongo" 5 seconds ago Up 4 seconds 0.0.0.0:27017->27017/tcp mongo run mongo client application to check everything is ok You might need to install it https://docs.mongodb.com/v3.2/tutorial/install-mongodb-on-ubuntu/ $ apt-get install mongodb-org-shell $ mongo> show dbs Or you can directly connect to the container
  • 8. Step2.-Orioncontextbroker(I) Orion is an implementation of the “Data and Context Broker” An open source project hosted by the FIWARE OSS https://github.com/fiware/context.Orion (License Affero GPL v3.0) properly packaged as a docker container running on CentOS 6 Orion uses mongoDB as the data storage For running Orion … $ docker run --name orion -d -p 1026:1026 --link mongo -h orion fiware/orion:1.4.1 -dbhost mongo $ docker ps -a
  • 9. STEP2.-OrionContextbroker(II) $ curl -s localhost:1026/version | python -mjson.tool { "orion" : { "version" : "1.4.1", "uptime" : "0 d, 0 h, 1 m, 17 s", "git_hash" : "905d5fa58ace7fa4f14330ddc982b41cf9b30be6", "compile_time" : "Mon Oct 10 15:06:02 UTC 2016", "compiled_by" : "root", "compiled_in" : "b99744612d0b" } } $ mongo > show dbs > use orion Now a DB named “orion” should appear if everything is ok db.getCollectionNames() [ "entities" ] curl -s localhost:1026/v2/entities | python -mjson.tool
  • 10. Step3.-Let’saddsomeentitiestoorion(I) $ curl localhost:1026/v2/entities -s -S --header 'Content-Type: application/json' -d @- <<EOF { "id": "WeatherObserved-6789", "type": "WeatherObserved", "temperature": { "value": 23, "type": "Number" }, "barometricPressure": { "value": 720, "type": "Number" }, "dateObserved": { "value": "2016-10-18T11:08:20.228Z", "type": "DateTime" }, "source": { "value": "http://www.aemet.es", "type": "URL" } } EOF
  • 11. Step3.-Let’saddsomeentitiestoorion(II) $ curl localhost:1026/v2/entities?options=keyValues | python -mjson.tool [ { "barometricPressure": 720, "dateObserved": "2016-10-18T11:08:20.00Z", "id": "WeatherObserved-6789", "source": "http://www.aemet.es", "temperature": 23, "type": "WeatherObserved" } ] $ mongo > use orion switched to db orion > db.entities.find({}) { "_id" : { "id" : "WeatherObserved-6789", "type" : "WeatherObserved", "servicePath" : "/" }, "attrNames" : [ "temperature", "barometricPressure", "dateObserved", "source" ], "attrs" : { "temperature" : { "type" : "Number", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 23, "mdNames" : [ ] }, "barometricPressure" : { "type" : "Number", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 720, "mdNames" : [ ] }, "dateObserved" : { "type" : "DateTime", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 1476788900, "mdNames" : [ ] }, "source" : { "type" : "URL", "creDate" : 1476789680, "modDate" : 1476789680, "value" : "http://www.aemet.es", "mdNames" : [ ] } }, "creDate" : 1476789680, "modDate" : 1476789680 }
  • 12. Step4.-Multitenancy (I) Orion Context Broker is multitenant Logical databases isolated, each one containing data from different organizations or domains Tenant is a “service” in FIWARE terminology. Aka a “Domain” in OpenStack terminology A tenant can be composed by multiple child sub- tenants “subservice” in FIWARE terminology Aka a “Project” in OpenStack terminology
  • 13. Step4.-Multitenancy (II) The way to address tenants are HTTP headers Fiware-Service : <<Tenant_Name>> Fiware-Servicepath: <<Subservice_Name>> Subtenants follow a hierarchical structure and there is a default subtenant, root one (‘/’) Example: Fiware-service: weather Fiware-servicepath: /Spain A pair (service, subservice) is used for security
  • 14. Step4.-Multitenancy (III) TENANT="Fiware-Service:$1" SUBSERVICE="Fiware-ServicePath:/$2" curl localhost:1026/v2/entities --header $TENANT --header $SUBSERVICE -s -S --header 'Content-Type: application/json' -d @- <<EOF { "id": "WeatherObserved-6789", "type": "WeatherObserved", "temperature": { "value": 23, "type": "Number" }, …… } EOF ● Creating an entity in a (tenant , subtenant)
  • 15. Step4.-Multitenancy (IV) $mongo > show dbs local 0.000GB orion 0.000GB orion-example_a 0.000GB orion-london 0.000GB orion-weather 0.000GB There will be as many databases as tenants available “orion” is the DB which stores data in the default tenant DB name is “orion-” + <<tenant_name>> To query data of a tenant just issue regular NGSIv2 requests using Fiware-Service and Fiware-Servicepath headers
  • 16. Deeping dive Adding a security layer to the data & control broker 16
  • 17. TargetArchitectureusingfiwaresecuritystack Data & Control Broker (Orion) mongoDB Application (Data Consumer) Identity Manager (Keystone) Authorization PDP (Keypass) PEP Proxy (Steelskin) Token validation (domain, project, role) Is authorized? Allow or Deny NGSIv2 Registration App NGSIv2 Add user Domain, Project, Roles Token Developer Data ingestionGet token Internet / VPN Operator Infrastructure I9 I8 IoT Devices Open Data Sources
  • 18. Step4.-Securitystack-preparation Security stack uses MySQL to store configuration data $ docker run --name mysql -d -p 3306:3306 -h mysql -v $HOME/data/mysql:/var/lib/mysql -e "MYSQL_ROOT_PASSWORD=gsma" -e "MYSQL_DATABASE=keypass" -e "MYSQL_USER=keypass" -e "MYSQL_PASSWORD=keypass" mysql:5.5 Check that everything is ok. Above command creates a database named “keypass” used later. $ docker exec -it mysql bash mysql --user=root --password=gsma mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keypass | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.00 sec)
  • 19. Step4.1.-keystone(I) Keystone is an open source project hosted by OpenStack OSS Community https://github.com/openstack/keystone (Apache 2.0 license) Keystone is an Identity Manager service capable of storing information about domains, project, users, groups or roles Keystone is in charge of generating tokens which can be used to get access to services requiring credentials For this exercise we will be using a keystone image
  • 20. Step4.1.-keystone(II) Running keystone $ docker run --name keystone -d -p 5001:5001 --link mysql -h keystone telefonicaiot/fiware-keystone-spassword -dbhost mysql -default_pwd 4pass1w0rd -mysql_pwd gsma Sanity check operations $ docker logs keystone $ docker exec -it keystone bash (to open a shell session on the container) $ curl -s -S http://localhost:5001/v3 | python -mjson.tool Once we have a keystone instance up and running different REST requests can be issued http://developer.openstack.org/api-ref/identity/v3/index.html
  • 21. $ docker exec -it mysql bash root@mysql:/# mysql --user=root --password=gsma mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keypass | | keystone | | mysql | | performance_schema | +--------------------+ mysql> use keystone; Step4.1.-keystone(II-B) show tables; +-----------------------+ | Tables_in_keystone | +-----------------------+ | assignment | | credential | | domain | | endpoint | | group | | migrate_version | | policy | | project | | region | | role | | service | | spassword | | token | | trust | | trust_role | | user | | user_group_membership | +-----------------------+ Checking keystone has created its database properly
  • 22. Step4.1.-keystone(III) Remember: Fiware-Service → Domain in Keystone Fiware-Servicepath → Project in Keystone A developer will register in Keystone as user in a domain <-> Developer can get access to the data offered by the corresponding FIWARE service (tenant) We will later show how this works in practice
  • 23. Step4.1.-keystone(IV) List all domains curl -s -S --header x-auth-token:4pass1w0rd http://localhost:5001/v3/domains/ | python - mjson.tool { "domains": [ { "enabled": true, "id": "8b883aaa740e4d75b91095eaa550b35c", "links": { "self": "http://localhost:5001/v3/domains/8b883aaa740e4d75b91095eaa550b35c" }, "name": "admin_domain" }, { "description": "Owns users and tenants (i.e. projects) available on Identity API v2.", "enabled": true, "id": "default", "links": { "self": "http://localhost:5001/v3/domains/default" }, "name": "Default" } ]
  • 24. Step4.1.-keystone(V) List all users curl -s -S --header x-auth-token:4pass1w0rd http://localhost:5001/v3/users/ | python - mjson.tool "users": [ { "description": "Cloud service", "domain_id": "8b883aaa740e4d75b91095eaa550b35c", "enabled": true, "id": "02cd3dbb6ceb48eb92588c7885bbcc1f", "links": { "self": "http://localhost:5001/v3/users/02cd3dbb6ceb48eb92588c7885bbcc1f" }, "name": "pep" }, { "description": "Cloud administrator", "domain_id": "8b883aaa740e4d75b91095eaa550b35c", "enabled": true, "id": "177cf5a4d12e4f85b7b65cbcac6d9697", "links": { "self": "http://localhost:5001/v3/users/177cf5a4d12e4f85b7b65cbcac6d9697" }, "name": "cloud_admin" }
  • 25. Step4.1.-keystone(VI) Get a token for the cloud_admin user curl localhost:5001/v3/auth/tokens -s -S --header 'Content-Type: application/json' -d @- <<EOF { "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "cloud_admin", "domain": { "name": "admin_domain" }, "password": "4pass1w0rd" } } } } } EOF HTTP/1.1 201 Created X-Subject-Token: 19e200834a3f4e149c7f4033a003a8f4
  • 26. Step4.2.-keypass.-authPDP(I) keypass is an implementation of the FIWARE Authorization PDP (Policy Decision Point) Keypass is an open source project hosted at https://github.com/telefonicaid/fiware-keypass License is Apache 2.0 It complies with XACML (eXtensible Access Control Markup Language) v3.0. It provides an API to get authorization decisions based on authorization policies
  • 27. Step4.2.-keypass.-AuthPDP(II) Running keypass $ docker run --name keypass -d -p 7070:7070 -h keypass --link mysql telefonicaiot/fiware- keypass -dbhost mysql $ docker logs keypass $ curl --header 'Fiware-Service: dummy' localhost:7070/version 1.2.1
  • 28. Step4.3.-Steelskin.-PEPproxy (I) Steelskin is an implementation of the FIWARE PEP (Policy Enforcement Point) Steelskin is an open source project hosted at https://github.com/telefonicaid/fiware-pep-steelskin License is Affero GPL 3.0 A proxy which ensures that only authorized users are able to perform requests against the Data & Control Broker https://github.com/telefonicaid/fiware-pep-steelskin#-rules-to-determine-the- context-broker-action-from-the-request
  • 29. Step4.3.-Steelskin.-PEPproxy (II) Running: $ docker run -d --name pep -p 1027:1026 --link orion --link keystone --link keypass -e LOG_LEVEL=DEBUG -e AUTHENTICATION_HOST=keystone -e AUTHENTICATION_PORT=5001 -e ACCESS_HOST=keypass -e ACCESS_PORT=7070 -e TARGET_HOST=orion -e TARGET_PORT=1026 -e PROXY_USERNAME=pep -e PROXY_PASSWORD=4pass1w0rd telefonicaiot/fiware-pep-steelskin $ docker logs pep $ docker exec -it pep bash → $ curl localhost:11211/version { "version": "1.2.0-next", "port":1026 }
  • 30. Step4.3.-Steelskin.-PEPproxy(III) Remember: Given an HTTP Request (x-auth-token, fiware- service, fiware-servicepath) First PEP queries keystone to validate the auth token and obtain (user, domain, role in project) Then, PEP queries keypass to obtain the authorization policies for the role in question A match between subject policies and the requested operation is done If the requested operation is allowed, the HTTP request is forwarded to the Data & Control Broker If not a non-authorized error is raised curl localhost:1027/v2/entities
  • 31. STEP5.-Usingthemalltogether $ docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d18f7dbe7f75 telefonicaiot/fiware-pep-steelskin "/bin/sh -c bin/pepPr" 16 minutes ago Up 16 minutes 11211/tcp, 0.0.0.0:1027->1026/tcp pep 7e1853f0e2c4 telefonicaiot/fiware-keypass "/opt/keypass/keypass" 45 minutes ago Up 45 minutes 0.0.0.0:7070-7071->7070-7071/tcp keypass c4f6ab6c390f telefonicaiot/fiware-keystone-spassword "/opt/keystone/keysto" About an hour ago Up About an hour 0.0.0.0:5001->5001/tcp keystone 5bf5d7e8b284 mysql:5.5 "docker-entrypoint.sh" 18 hours ago Up 18 hours 0.0.0.0:3307->3306/tcp mysql 6c63cee20ae2 fiware/orion:1.4.1 "/usr/bin/contextBrok" 24 hours ago Up 24 hours 0.0.0.0:1026->1026/tcp orion 4f1d9298fb70 mongo:3.2 "/entrypoint.sh mongo" 24 hours ago Up 24 hours 0.0.0.0:27017->27017/tcp mongo
  • 32. Step5.1.-Orchestratortotherescue Manual provision of configurations of the three security components can be cumbersome TEF has developed an open source project (named orchestrator) that helps to provide security configurations https://github.com/telefonicaid/orchestrator License is Affero GPL 3.0 It can be instantiated as a service but there are some useful scripts which can be used https://github.com/telefonicaid/orchestrator/blob/master/SCRIPTS.md
  • 33. Step5.2.-configuringaservice(tenant) $ git clone https://github.com/telefonicaid/orchestrator $ cd orchestrator $ pip install -r requirements.txt $ export PYTHONPATH=$PYTHONPATH:$HOME/gsma/orchestrator/src cd $HOME/gsma/orchestrator/src ./orchestrator/commands/createNewService.py http localhost 5001 admin_domain cloud_admin 4pass1w0rd weatherdata "Weather Data" weather_admin weather_admin_PWD http localhost 7070 Checking that everything went ok ./orchestrator/commands/printServices.py http localhost 5001 admin_domain cloud_admin 4pass1w0rd
  • 34. Step5.3.-configuringaSub-service $ export PYTHONPATH=$PYTHONPATH:$HOME/gsma/orchestrator/src cd $HOME/gsma/orchestrator/src ./orchestrator/commands/createNewSubService.py http localhost 5001 weatherdata weather_admin weather_admin_PWD "Spain" "Weather in Spain" Checking that everything went ok ./orchestrator/commands/printSubServices.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Now we have a pair (Fiware-Service, Fiware-Servicepath) → (‘weatherdata’, ‘/Spain`) We can check that we can get access to data 1/ obtain a token for the `weather_admin’ user Ex. `5bb5c6e310814b93a01d74385fe52bef` 2/ issue a GET request through the PEP proxy curl localhost:1027/v2/entities --header 'Fiware-Service:weatherdata' --header 'Fiware-Servicepath:
  • 35. Step5.4.-addingadeveloperwithconsumerpermissions $ ./orchestrator/commands/createNewServiceUser.py http localhost 5001 weatherdata weather_admin weather_admin_PWD developer1 developer1_PWD Checking that everything went ok ./orchestrator/commands/printServiceUsers.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Now we need to assign the role “SubServiceCustomer” to the user ‘developer1’ ./orchestrator/commands/assignRoleSubServiceUser.py http localhost 5001 weatherdata Spain weather_admin weather_admin_PWD SubServiceCustomer developer1 Checking that everything went ok ./orchestrator/commands/listSubServiceRoleAssignments.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Spain True Now ‘developer1’ is able to query weather data on the sub-service ‘Spain’. However he cannot provide data as his role is ‘SubServiceCustomer’
  • 36. Step5.5.-gettingaccesstodatawith‘developer1’ (I) First of all a token must be obtained . Then : $ curl -s -S localhost:1027/v2/entities --header 'Fiware-service:weatherdata' --header 'Fiware-servicepath:/Spain' --header 'x-auth-token:36a1d0558612473da438c93d74d4aefc' | python -mjson.tool [ { "barometricPressure": { "metadata": {}, "type": "Number", "value": 720 }, "dateObserved": { "metadata": {}, "type": "DateTime", "value": "2016-10-18T11:08:20.00Z" }, "id": "WeatherObserved-6789", "type": "WeatherObserved" } ]
  • 37. Step5.5.-gettingaccesstodatawith‘developer1’ (II) An attempt to create a new entity on (weatherdata,/Spain) will fail curl localhost:1027/v2/entities -s -S --header 'Content-Type: application/json' --header 'Fiware- Service:weatherdata' --header 'Fiware-servicepath:/Spain' --header 'x-auth-token:36a1d0558612473da438c93d74d4aefc' -d @- <<EOF { "id": "WeatherObserved-4567", …. } EOF { "name": "ACCESS_DENIED", "message": "The user does not have the appropriate permissions to access the selected action" } Developer will need to be assigned the role ‘SubServiceAdmin’ in order to be able to post new data
  • 38. What’shappeningbehindthescenes A set of predefined policies have been pre-populated to the ‘keypass’ database docker exec -it mysql mysql --user=keypass --password=keypass mysql> use keypass; select policy from Policies; Relevant policies are https://github.com/telefonicaid/orchestrator/blob/master/src/orchestrator/core /policies/policy-orion-customer.xml https://github.com/telefonicaid/orchestrator/blob/master/src/orchestrator/core /policies/policy-orion-admin.xml
  • 39. Andfinally... Remember to remove old docker containers (exited) $ docker rm <container> You should only expose the IdM (for tokens) and the PEP Proxy (ports) to the developer Ensure the mounted volumes for database data have enough space for the data to be stored Remember, you can open a shell session on a container $ docker exec -it <<container_name> bash And then get access to the logs, databases, local services, ….