forked from indigo-iam/iam
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'indigo-iam:master' into 809_jdbc-session-separate-db
- Loading branch information
Showing
169 changed files
with
8,064 additions
and
1,598 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| // For format details, see https://aka.ms/devcontainer.json. For config options, see the | ||
| // README at: https://github.com/devcontainers/templates/tree/main/src/java | ||
| { | ||
| "name": "IAM Dev Container - H2", | ||
| // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile | ||
| "image": "mcr.microsoft.com/devcontainers/java:1-17-bookworm", | ||
| "features": { | ||
| "ghcr.io/devcontainers/features/java:1": { | ||
| "version": "none", | ||
| "installMaven": "true", | ||
| "installGradle": "false" | ||
| } | ||
| }, | ||
| // Use 'forwardPorts' to make a list of ports inside the container available locally. | ||
| "forwardPorts": [ | ||
| 8080 | ||
| ], | ||
| // Use 'postCreateCommand' to run commands after the container is created. | ||
| // "postCreateCommand": "java -version", | ||
| // Configure tool-specific properties. | ||
| "customizations": { | ||
| "vscode": { | ||
| "settings": { | ||
| "java.configuration.updateBuildConfiguration": "automatic", | ||
| "java.format.settings.url": "https://raw.githubusercontent.com/italiangrid/codestyle/master/eclipse-google-java-codestyle-formatter.xml", | ||
| "java.format.settings.profile": "GoogleStyle (CNAF)", | ||
| "maven.settingsFile": ".mvn/cnaf-mirror-settings.xml", | ||
| "java.configuration.maven.userSettings": ".mvn/cnaf-mirror-settings.xml" | ||
| }, | ||
| "extensions": [ | ||
| "vmware.vscode-boot-dev-pack" | ||
| ] | ||
| } | ||
| }, | ||
| "containerEnv": { | ||
| "SPRING_PROFILES_ACTIVE": "h2-test,dev" | ||
| }, | ||
| // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root. | ||
| // "remoteUser": "root" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| services: | ||
| devcontainer: | ||
| image: mcr.microsoft.com/devcontainers/java:1-17-bookworm | ||
| volumes: | ||
| - ../..:/workspaces/iam | ||
| network_mode: service:db | ||
| user: vscode | ||
| depends_on: | ||
| - db | ||
| environment: | ||
| IAM_DB_HOST: db | ||
| IAM_DB_NAME: iam | ||
| IAM_DB_USERNAME: iam | ||
| IAM_DB_PASSWORD: pwd | ||
| SPRING_PROFILES_ACTIVE: mysql-test,dev | ||
| command: sleep infinity | ||
|
|
||
| db: | ||
| image: mariadb:latest | ||
| restart: unless-stopped | ||
| environment: | ||
| MYSQL_ROOT_PASSWORD: dev | ||
| MYSQL_DATABASE: iam | ||
| MYSQL_USER: iam | ||
| MYSQL_PASSWORD: pwd |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| // For format details, see https://aka.ms/devcontainer.json. For config options, see the | ||
| // README at: https://github.com/devcontainers/templates/tree/main/src/java | ||
| { | ||
| "name": "IAM Dev Container - MySQL", | ||
| // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile | ||
| "dockerComposeFile": "compose.yaml", | ||
| "service": "devcontainer", | ||
| "workspaceFolder": "/workspaces/iam", | ||
| "shutdownAction": "stopCompose", | ||
| "features": { | ||
| "ghcr.io/devcontainers/features/java:1": { | ||
| "version": "none", | ||
| "installMaven": "true", | ||
| "installGradle": "false" | ||
| } | ||
| }, | ||
| // Use 'forwardPorts' to make a list of ports inside the container available locally. | ||
| "forwardPorts": [ | ||
| 8080 | ||
| ], | ||
| // Use 'postCreateCommand' to run commands after the container is created. | ||
| // "postCreateCommand": "java -version", | ||
| // Configure tool-specific properties. | ||
| "customizations": { | ||
| "vscode": { | ||
| "settings": { | ||
| "java.configuration.updateBuildConfiguration": "automatic", | ||
| "java.format.settings.url": "https://raw.githubusercontent.com/italiangrid/codestyle/master/eclipse-google-java-codestyle-formatter.xml", | ||
| "java.format.settings.profile": "GoogleStyle (CNAF)", | ||
| "maven.settingsFile": ".mvn/cnaf-mirror-settings.xml", | ||
| "java.configuration.maven.userSettings": ".mvn/cnaf-mirror-settings.xml" | ||
| }, | ||
| "extensions": [ | ||
| "vmware.vscode-boot-dev-pack" | ||
| ] | ||
| } | ||
| }, | ||
| // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root. | ||
| // "remoteUser": "root" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| [submodule "compose/voms-replica/voms-testsuite"] | ||
| path = compose/voms-replica/voms-testsuite | ||
| url = [email protected]:italiangrid/voms-testsuite.git |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| <?xml version="1.0"?> | ||
| <settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd"> | ||
| <!--<localRepository>/tmp/m2-repository</localRepository>--> | ||
| <interactiveMode>false</interactiveMode> | ||
| <mirrors> | ||
| <mirror> | ||
| <id>nexus</id> | ||
| <name>CNAF maven mirror</name> | ||
| <url>https://repo.cloud.cnaf.infn.it/repository/maven-public</url> | ||
| <mirrorOf>*</mirrorOf> | ||
| </mirror> | ||
| </mirrors> | ||
| <profiles> | ||
| <profile> | ||
| <id>nexus</id> | ||
| <repositories> | ||
| <repository> | ||
| <id>central</id> | ||
| <url>http://central</url> | ||
| <releases><enabled>true</enabled></releases> | ||
| <snapshots><enabled>true</enabled></snapshots> | ||
| </repository> | ||
| </repositories> | ||
| </profile> | ||
| </profiles> | ||
| <activeProfiles> | ||
| <activeProfile>nexus</activeProfile> | ||
| </activeProfiles> | ||
| </settings> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| --settings=./.mvn/cnaf-mirror-settings.xml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| COMPOSE_PROJECT_NAME=voms | ||
| TRUST_IMAGE=indigoiam/egi-trustanchors | ||
| TRUST_IMAGE_TAG=igi-test-ca | ||
| DB_IMAGE=mysql | ||
| DB_IMAGE_TAG=8.3 | ||
| NGINX_IMAGE=baltig.infn.it:4567/cnafsd/ngx_http_voms_module/nginx-httpg-voms | ||
| NGINX_IMAGE_TAG=latest | ||
| VOMS_AA_IMAGE=indigoiam/voms-aa-bp | ||
| VOMS_AA_IMAGE_TAG=v1.8.3 | ||
| GRID_CLIENTS_IMAGE=indigoiam/robot-framework | ||
| GRID_CLIENTS_IMAGE_TAG=latest | ||
| IAM_IMAGE=indigoiam/iam-login-service | ||
| IAM_IMAGE_TAG=v1.8.3 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| # VOMS-AA Replica | ||
|
|
||
| This folder contains a docker compose example to deploy three instances of VOMS-AA in two sites with a DB replica. | ||
|
|
||
|  | ||
|
|
||
| With this setup the VOMS-AA service can be replicated on one or more remote locations. If one location fails or is overloaded, a VOMS client can connect to the other locations. | ||
|
|
||
| ## Deployment description | ||
|
|
||
| The `compose` file definises a few containers: | ||
|
|
||
| * `trust`: docker image for the GRID CA certificates plus the `igi-test-ca` used in this deployment for test certificates. | ||
|
|
||
| The actual VOMS services are virtually divided between three sites: | ||
|
|
||
| #### Site 1: CERN | ||
| * `db-primary`: a dump of the IAM db for test environment. In addition to the db populated with the iam `mysql-dev` profile, the user `test` has a certificate with DN `/C=IT/O=IGI/CN=test0` linked to his account and he also is part of the `indigo-dc` group (necessary to obtain VOMS proxies). A second SQL script creates a `replicator` user for replica. | ||
| * `db-replica`: a DB configured to replicate the statements of `db-primary`, from the initial one. It conects with SSL and is configured to be read-only. Only the IAM DB tables which are used by VOMS-AA are replicated. You can see them [here](assets/mysql-conf/replica.cnf). | ||
| * `vomsaa-primary` and `vomsaa-replica`: the main voms-aa microservices, each connected to their own DB. | ||
| * `ngx-primary` and `ngx-replica`: an extension to NGINX, used for TLS termination, reverse proxy and possibly VOMS proxies validation. They sends requests to the corresponding `vomsaa-primary` and `vomsaa-replica` services. | ||
|
|
||
|
|
||
| #### Site 2: CNAF | ||
| * `db-remote`: this is a full replica of `db-replica`. Only the tables used by VOMS-AA are present in `db-replica`, and thus we avoiding transmitting over the remote network useless information. | ||
| * `vomsaa-remote` | ||
| * `ngx-remote` | ||
|
|
||
| #### Site 3: Anywhere else | ||
| * `client`: it is a single container containing GRID clients (in particular `voms-proxy-init`) used to query both the VOMS services. It connects in round-robin fashion to each endpoint and when one fails it falls back to the others. Here a p12 file for the test user encrypted with the `pass` password is present in the well-known directory (`/home/test/.globus/usercred.p12`). It can be used to obtain a VOMS proxy by `voms-aa` serving a VO named `indigo-dc`. | ||
|
|
||
| ### Networking | ||
|
|
||
| We use a few distinct networks, similar to a real scenario: | ||
|
|
||
| * `site1-lan` and `site2-lan`: The internal LAN of the two sites. These are used to connect the DB, VOMS-AA and NGINX between them inside the same site. | ||
| * `site-to-site-tunnel`: This is a VPN network or any tunnel network between the two sites, used by `db-remote` to connect to `db-replica`. | ||
| * `wan`: The NGINX servers are exposed on the public network so that the clients can connect from anywhere. | ||
|
|
||
| ## Test | ||
|
|
||
| Run the docker-compose with | ||
|
|
||
| ``` | ||
| $ docker compose up -d | ||
| ``` | ||
|
|
||
| and wait for the `trust` service to finish; all the services will be available shortly afterwards. | ||
|
|
||
| To query the voms-aa using the VOMS client, run: | ||
|
|
||
| ``` | ||
| $ docker compose exec client voms-proxy-init -voms indigo-dc | ||
| Enter GRID pass phrase for this identity: | ||
| Contacting voms-remote.test.example:443 [/C=IT/O=IGI/CN=*.test.example] "indigo-dc"... | ||
| Remote VOMS server contacted succesfully. | ||
| Created proxy in /tmp/x509up_u1000. | ||
| Your proxy is valid until Sat Mar 16 03:54:38 CET 2024 | ||
| ``` | ||
|
|
||
| Check the content of the proxy with | ||
|
|
||
| ``` | ||
| $ docker compose exec client voms-proxy-info -all | ||
| subject : /C=IT/O=IGI/CN=test0/CN=441572696 | ||
| issuer : /C=IT/O=IGI/CN=test0 | ||
| identity : /C=IT/O=IGI/CN=test0 | ||
| type : RFC3820 compliant impersonation proxy | ||
| strength : 2048 | ||
| path : /tmp/x509up_u1000 | ||
| timeleft : 11:59:45 | ||
| key usage : Digital Signature, Non Repudiation, Key Encipherment | ||
| === VO indigo-dc extension information === | ||
| VO : indigo-dc | ||
| subject : /C=IT/O=IGI/CN=test0 | ||
| issuer : /C=IT/O=IGI/CN=*.test.example | ||
| attribute : /indigo-dc/Role=NULL/Capability=NULL | ||
| timeleft : 11:59:45 | ||
| uri : voms-remote.test.example:8080 | ||
| ``` | ||
| If you want to force the query to one voms-aa use one of the followings: | ||
| ``` | ||
| $ docker compose exec client voms-proxy-init -voms voms-primary | ||
| $ docker compose exec client voms-proxy-init -voms voms-replica | ||
| $ docker compose exec client voms-proxy-init -voms voms-remote | ||
| ``` | ||
|
|
||
| To run the testsuite: | ||
| ``` | ||
| $ docker compose exec testsuite bash run-testsuite.sh | ||
| ``` |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.