From 6a5ccae83bb0abed78998fb04a20dabb1fdf2ee4 Mon Sep 17 00:00:00 2001
From: Eraldo Junior
Date: Tue, 10 Oct 2023 15:42:02 +0200
Subject: [PATCH] Feature: IAM docker compose and assets files #6188 (#6299)
* IAM docker compose and IAM assets files
* #6188 Binding to localhost and setting higher port
---
 etc/docker/dev/docker-compose-storage-iam.yml | 200 ++++++++++++++++++
 etc/iam-assets/iam.conf | 27 +++
 etc/iam-assets/keystore.jwks | 16 ++
 3 files changed, 243 insertions(+)
 create mode 100644 etc/docker/dev/docker-compose-storage-iam.yml
 create mode 100644 etc/iam-assets/iam.conf
 create mode 100755 etc/iam-assets/keystore.jwks
diff --git a/etc/docker/dev/docker-compose-storage-iam.yml b/etc/docker/dev/docker-compose-storage-iam.yml
new file mode 100644
index 0000000000..fd468229a8
--- /dev/null
+++ b/etc/docker/dev/docker-compose-storage-iam.yml
@@ -0,0 +1,200 @@
+version: "3"
+services:
+ rucioclient:
+ image: docker.io/rucio/rucio-dev:latest-alma9
+ command: ["sleep", "infinity"]
+ volumes:
+ - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+ - ../../certs/hostcert_rucio.pem:/etc/grid-security/hostcert.pem:z
+ - ../../certs/hostcert_rucio.key.pem:/etc/grid-security/hostkey.pem:z
+ - ../../certs/ruciouser.pem:/opt/rucio/etc/usercert.pem:z
+ - ../../certs/ruciouser.key.pem:/opt/rucio/etc/userkey.pem:z
+ - ../../certs/ruciouser.certkey.pem:/opt/rucio/etc/usercertkey.pem:z
+ - ../../certs/ssh/ruciouser_sshkey.pub:/root/.ssh/ruciouser_sshkey.pub:z
+ - ../../certs/ssh/ruciouser_sshkey:/root/.ssh/ruciouser_sshkey:z
+ - ../../../tools:/opt/rucio/tools:Z
+ - ../../../bin:/opt/rucio/bin:Z
+ - ../../../lib:/opt/rucio/lib:Z
+ - ../../../tests:/opt/rucio/tests:Z
+ environment:
+ - X509_USER_CERT=/opt/rucio/etc/usercert.pem
+ - X509_USER_KEY=/opt/rucio/etc/userkey.pem
+ - RDBMS=postgres14
+ rucio:
+ image: docker.io/rucio/rucio-dev:latest-alma9
+ ports:
+ - "127.0.0.1:8443:443"
+ volumes:
+ - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+ - ../../certs/hostcert_rucio.pem:/etc/grid-security/hostcert.pem:z
+ - ../../certs/hostcert_rucio.key.pem:/etc/grid-security/hostkey.pem:z
+ - ../../certs/ruciouser.pem:/opt/rucio/etc/usercert.pem:z
+ - ../../certs/ruciouser.key.pem:/opt/rucio/etc/userkey.pem:z
+ - ../../certs/ruciouser.certkey.pem:/opt/rucio/etc/usercertkey.pem:z
+ - ../../certs/ssh/ruciouser_sshkey.pub:/root/.ssh/ruciouser_sshkey.pub:z
+ - ../../certs/ssh/ruciouser_sshkey:/root/.ssh/ruciouser_sshkey:z
+ - ../../../tools:/opt/rucio/tools:Z
+ - ../../../bin:/opt/rucio/bin:Z
+ - ../../../lib:/opt/rucio/lib:Z
+ - ../../../tests:/opt/rucio/tests:Z
+ environment:
+ - X509_USER_CERT=/opt/rucio/etc/usercert.pem
+ - X509_USER_KEY=/opt/rucio/etc/userkey.pem
+ - RDBMS=postgres14
+ ruciodb:
+ image: docker.io/postgres:14
+ ports:
+ - "127.0.0.1:5432:5432"
+ environment:
+ - POSTGRES_USER=rucio
+ - POSTGRES_DB=rucio
+ - POSTGRES_PASSWORD=secret
+ command: ["-c", "fsync=off","-c", "synchronous_commit=off","-c", "full_page_writes=off"]
+ graphite:
+ image: docker.io/graphiteapp/graphite-statsd
+ ports:
+ - "127.0.0.1:8080:80"
+ fts:
+ image: docker.io/rucio/fts
+ ports:
+ - "127.0.0.1:8446:8446"
+ - "127.0.0.1:8449:8449"
+ volumes:
+ - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+ - ../../certs/hostcert_fts.pem:/etc/grid-security/hostcert.pem:Z
+ - ../../certs/hostcert_fts.key.pem:/etc/grid-security/hostkey.pem:Z
+ ftsdb:
+ image: docker.io/mysql:8
+ ports:
+ - "127.0.0.1:3306:3306"
+ command: --default-authentication-plugin=mysql_native_password
+ environment:
+ - MYSQL_USER=fts
+ - MYSQL_PASSWORD=fts
+ - MYSQL_ROOT_PASSWORD=fts
+ - MYSQL_DATABASE=fts
+ xrd1:
+ image: docker.io/rucio/xrootd
+ ports:
+ - "127.0.0.1:1094:1094"
+ environment:
+ - XRDPORT=1094
+ volumes:
+ - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+ - ../../certs/hostcert_xrd1.pem:/tmp/xrdcert.pem:Z
+ - ../../certs/hostcert_xrd1.key.pem:/tmp/xrdkey.pem:Z
+ xrd2:
+ image: docker.io/rucio/xrootd
+ ports:
+ - "127.0.0.1:1095:1095"
+ environment:
+ - XRDPORT=1095
+ volumes:
+ - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+ - ../../certs/hostcert_xrd2.pem:/tmp/xrdcert.pem:Z
+ - ../../certs/hostcert_xrd2.key.pem:/tmp/xrdkey.pem:Z
+ xrd3:
+ image: docker.io/rucio/xrootd
+ ports:
+ - "127.0.0.1:1096:1096"
+ environment:
+ - XRDPORT=1096
+ volumes:
+ - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+ - ../../certs/hostcert_xrd3.pem:/tmp/xrdcert.pem:Z
+ - ../../certs/hostcert_xrd3.key.pem:/tmp/xrdkey.pem:Z
+ xrd4:
+ image: docker.io/rucio/xrootd
+ ports:
+ - "127.0.0.1:1097:1097"
+ environment:
+ - XRDPORT=1097
+ volumes:
+ - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+ - ../../certs/hostcert_xrd4.pem:/tmp/xrdcert.pem:Z
+ - ../../certs/hostcert_xrd4.key.pem:/tmp/xrdkey.pem:Z
+ minio:
+ image: docker.io/minio/minio
+ ports:
+ - "127.0.0.1:9000:9000"
+ environment:
+ - MINIO_ACCESS_KEY=admin
+ - MINIO_SECRET_KEY=password
+ volumes:
+ - ../../certs/hostcert_minio.pem:/root/.minio/certs/public.crt:Z
+ - ../../certs/hostcert_minio.key.pem:/root/.minio/certs/private.key:Z
+ command: ["server", "/data"]
+ activemq:
+ image: docker.io/webcenter/activemq:latest
+ ports:
+ - "127.0.0.1:61613:61613"
+ environment:
+ - ACTIVEMQ_CONFIG_NAME=activemq
+ - ACTIVEMQ_CONFIG_DEFAULTACCOUNT=false
+ - ACTIVEMQ_USERS_fts=supersecret
+ - ACTIVEMQ_GROUPS_writes=fts
+ - ACTIVEMQ_USERS_receiver=supersecret
+ - ACTIVEMQ_GROUPS_reads=receiver
+ - ACTIVEMQ_CONFIG_SCHEDULERENABLED=true
+ ssh1:
+ image: docker.io/rucio/ssh
+ ports:
+ - "127.0.0.1:2222:22"
+ volumes:
+ - ../../certs/ssh/ruciouser_sshkey.pub:/tmp/sshkey.pub:Z
+ db-iam:
+ image: mariadb:10.11
+ environment:
+ - TZ=Europe/Paris
+ - MYSQL_ROOT_PASSWORD=supersecret
+ - MYSQL_USER=iam
+ - MYSQL_PASSWORD=secret
+ - MYSQL_DATABASE=iam_db
+ ports:
+ - "127.0.0.1:3307:3306"
+ nginx-iam:
+ image: nginx
+ dns_search: cern.ch
+ environment:
+ TZ: Europe/Paris
+ NGINX_HOST: iam
+ NGINX_PORT: 443
+ ports:
+ - "127.0.0.1:9443:443"
+ volumes:
+ - ../../certs/rucio_ca.pem:/etc/grid-security/certificates/5fca1cb1.0:z
+ # - ../../certs/hostcert_rucio.pem:/etc/grid-security/hostcert.pem:z
+ # - ../../certs/hostcert_rucio.key.pem:/etc/grid-security/hostkey.pem:z
+ - /etc/grid-security/:/etc/grid-security/
+ - /dev/urandom:/dev/random
+ - ../../iam-assets/iam.conf:/etc/nginx/conf.d/default.conf:ro
+ iam:
+ image: indigoiam/iam-login-service:v1.8.2
+ volumes:
+ - ../../iam-assets/keystore.jwks:/keystore.jwks:ro
+ environment:
+ - IAM_JAVA_OPTS=-Djava.security.egd=file:/dev/urandom -Dspring.profiles.active=prod,oidc,cern,registration,wlcg-scopes -agentlib:jdwp=transport=dt_socket,server=y,address=1044,suspend=n -Dlogging.file.name=/var/log/iam/iam.log
+ - IAM_HOST=
+ - IAM_PORT=8090
+ - IAM_BASE_URL=https://
+ - IAM_ISSUER=https://
+ - IAM_FORWARD_HEADERS_STRATEGY=native
+ - IAM_KEY_STORE_LOCATION=file:/keystore.jwks
+ - IAM_JWK_CACHE_LIFETIME=21600
+ # - IAM_X509_TRUST_ANCHORS_DIR=/etc/grid-security/certificates
+ # - IAM_X509_TRUST_ANCHORS_REFRESH=14400
+ - IAM_TOMCAT_ACCESS_LOG_ENABLED=false
+ - IAM_TOMCAT_ACCESS_LOG_DIRECTORY=/tmp
+ - IAM_ACTUATOR_USER_USERNAME=user
+ - IAM_ACTUATOR_USER_PASSWORD=secret
+ - IAM_LOCAL_RESOURCES_ENABLE=true
+ - IAM_LOCAL_RESOURCES_LOCATION=file:/indigo-iam/local-resources
+ - IAM_ORGANISATION_NAME=rucio-dc
+ - IAM_TOPBAR_TITLE="INDIGO IAM for rucio-dc"
+ - IAM_DB_HOST=
+ - IAM_DB_PORT=3307
+ - IAM_DB_NAME=iam_db
+ - IAM_DB_USERNAME=iam
+ - IAM_DB_PASSWORD=secret
+ ports:
+ - "127.0.0.1:8090:8090"
\ No newline at end of file
diff --git a/etc/iam-assets/iam.conf b/etc/iam-assets/iam.conf
new file mode 100644
index 0000000000..0093d7fecb
--- /dev/null
+++ b/etc/iam-assets/iam.conf
@@ -0,0 +1,27 @@
+server {
+ listen 443 ssl;
+ server_name ;
+ access_log /var/log/nginx/iam.access.log combined;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_certificate /etc/grid-security/hostcert.pem;
+ ssl_certificate_key /etc/grid-security/hostkey.pem;
+
+ location / {
+ proxy_pass http://:8090;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ }
+}
+
+proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
+proxy_set_header X-SSL-Client-I-Dn $ssl_client_i_dn;
+proxy_set_header X-SSL-Client-S-Dn $ssl_client_s_dn;
+proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
+proxy_set_header X-SSL-Client-V-Start $ssl_client_v_start;
+proxy_set_header X-SSL-Client-V-End $ssl_client_v_end;
+proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+proxy_set_header X-SSL-Protocol $ssl_protocol;
+proxy_set_header X-SSL-Server-Name $ssl_server_name;
\ No newline at end of file
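Review bot: The `iam` service's `IAM_HOST=`, `IAM_BASE_URL=https://`, `IAM_ISSUER=https://` and `IAM_DB_HOST=` entries near the end of the hunk are committed empty, so the issuer string that ends up in every token this instance signs and the database it connects to are both unset in the checked-in file; if these are meant to be filled in by whoever runs the compose file, a comment such as `# fill in: externally reachable hostname of nginx-iam (used as token issuer)` above `IAM_HOST=` would make that explicit. `IAM_DB_PORT=3307` is the host-side binding of `db-iam` (`127.0.0.1:3307:3306`), so if `IAM_DB_HOST` is meant to be the compose service name `db-iam`, the port should be the container port, `- IAM_DB_PORT=3306`. In `nginx-iam` the host directory `/etc/grid-security/` (which carries the host's own private key) is bind-mounted read-write while the two repo-certificate lines above it are commented out; every other service mounts the repo's `../../certs/hostcert_*.pem` pair, so restoring those mounts (or at least appending `:ro` to the host mount) would keep the file self-contained and consistent. The `-agentlib:jdwp=...` debugger agent in `IAM_JAVA_OPTS` sits next to the `prod` Spring profile; a comment marking it dev-only would reduce the chance of this line being copied into a real deployment.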
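Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` re-enables TLS 1.0 and 1.1 on the public entry point of an identity service; current nginx defaults no longer offer them, and `ssl_protocols TLSv1.2 TLSv1.3;` is the line to use here. The nine `proxy_set_header X-SSL-Client-*` directives after the closing brace of `server` end up in the enclosing `http` context (the compose file mounts this as `/etc/nginx/conf.d/default.conf`), and nginx stops inheriting `proxy_set_header` from outer levels as soon as a `location` defines any of its own, so `location /` never forwards them to IAM; they only take effect if moved inside `location /`, and then `ssl_verify_client optional;` plus `ssl_client_certificate` are needed for the `$ssl_client_*` variables to be populated at all. `$ssl_client_cert` expands to a multi-line PEM, which is why nginx documents `$ssl_client_escaped_cert` as the form to put in a header. `server_name ;` and `proxy_pass http://:8090;` are empty placeholders that nginx's configuration check will most likely reject; `proxy_pass http://iam:8090;` (the compose service name) works for the dev network, and a comment stating what `server_name` must be set to would help the next user.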
diff --git a/etc/iam-assets/keystore.jwks b/etc/iam-assets/keystore.jwks
new file mode 100755
index 0000000000..fae2ee3698
--- /dev/null
+++ b/etc/iam-assets/keystore.jwks
@@ -0,0 +1,16 @@
+{
+ "keys": [
+ {
+ "p": "9KpF2OFJu5S0TUX0oYI8Gi3W2tvqjpsfxPuHLc2_0qWkUq5R3p9H0kl495ys1XE2LPl0HFn3ap026waSjt-wFw",
+ "kty": "RSA",
+ "q": "l9yCwi8L2Tr493EJFsBUPrfupgp6gUwDZZGCt9b1aBihHPFIpy-OWE9f6KOX3TmnAOWtbwsFWNB5DljrnJDVdQ",
+ "d": "Ae5d6AKyfNHe1jOWsZgFXa7PcNdJdPVzs_QwlWd1CrC6SWbWcFheZ5tZgLfG3hRiLS03wxqnRYGXy7MqCnVIidmI9FmTc6VmouXG2ZdbWbQirnx_C6wbb6L0K5SceJn4MzqpIcTttMzsW3k7iYfH_LrqMmUfSIg8YxuqRUbApME",
+ "e": "AQAB",
+ "kid": "rsa1",
+ "qi": "nDagjeZyayVV2tojjaljot2gOAAU4y4DYuqDrFWtgdTXCkN_7uIIANx7V_fkE-_rTJRaHxJ3f_w6Pko69VXaOw",
+ "dp": "OhuanSjchyWJMPUVZap1tc3_QlmKurXS9Mi8UT-VeGUIwu5N2W7A8wuqJDzcu5C4yjOwxO8FGRgfq_ASrMYpnw",
+ "dq": "aICzbsOHSM6_QzADDCgAEUTrslFlqhJQCBYROUdwi1jfjhYwY_Ri5TyCCIqDWBZzaTekmNShslOL6qagRJaafQ",
+ "n": "kSMufwC7v4SYroKch9fEnDw4Q7yQgzPdLvDkSNG-3nbkcRBkwDyyfP36JfQimZ1u1-VENGD9sr_LiRbSrZmKUgLH7JP1rxROlxPoIGw0yJA0C7iK2RH9X8H6_mIitx7LimLP4Gl4cfKR6vUZJyPYz_B-DDT89ZONM4MsGXqunYM"
+ }
+ ]
+}
\ No newline at end of file
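Review bot: This file is a complete RSA private key (`d`, `p`, `q`, `dp`, `dq`, `qi` alongside `n`/`e`) committed to the tree and wired in as the IAM token-signing key via `IAM_KEY_STORE_LOCATION=file:/keystore.jwks`, so every instance started from this setup signs tokens with a key that anyone with the repository can read, and any relying party configured to trust such an instance's issuer is equally exposed. Judging by the length of `n` it also looks like a 1024-bit modulus, below the 2048-bit minimum commonly required for RS256. Since JSON has no comment syntax, the dev-only status belongs next to the mount in the compose file, e.g. `# dev-only signing key checked into the repo; never reuse outside local testing`, and generating the keystore at first start instead of shipping it would remove the risk entirely. The `100755` mode on a data file is unnecessary; `100644` would do.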