FIWARE, profile picture
Uploaded byFIWARE
PPTX, PDF853 views

Building Your Own IoT Platform using FIWARE GEis

This document provides a comprehensive guide on how to build a secure IoT platform using FIWARE GEIs within a container-based environment, specifically using Docker. It details the architecture, setup steps for various components like MongoDB and Orion Context Broker, and emphasizes the implementation of a security layer through identity management and authorization systems. The document serves as a practical resource for developers looking to integrate IoT solutions with enhanced security measures.

Internet
Related topics:
Internet of Things

Embed presentation

Downloaded 37 times
Building your own IoT platform using FIWARE GEis José Manuel Cantera Fonseca Technological Expert. Data Chapter. josemanuel.canterafonseca@telefonica.com
Introduction Talk Objectives Illustrate how a secured IoT platform instance can be implemented using FIWARE GEis on a container-based environment (Docker) Understand how to set up a security layer on top of a Context Broker Learn how to configure all the components at the different layers
TargetArchitectureusingfiware securitystack Context Broker (Orion) mongoDB Application (Data Consumer) Identity Manager (Keystone) Authorization PDP (Keypass) PEP Proxy (Steelskin) Token validation (domain, project, role) Is authorized? Allow or Deny NGSIv2 Registration App NGSIv2 Add user Domain, Project, Roles Token Developer Data ingestionGet token Internet / VPN IoT platform Infrastructure I9 I8 IoT Devices Open Data Sources
Getting started A basic context broker set up 4
BasicData&Controlbrokersetup Data & Control Broker (Orion) mongoDB Application (Data Consumer) NGSIv2NGSIv2 Data ingestion Internet / VPN Operator Infrastructure I8 IoT Devices Open Data Sources
Step1.-MongoDB(I) mongoDB is the NoSQL database used to store context data mongoDB is properly packaged as a docker container Use mongoDB 3.2 docker container Prepare a folder to store mongoDB data Ex. $HOME/data/mongo Run mongoDB $ docker run --name mongo -v $HOME/data/mongo:/data/db -d -h mongo -p 27017:27017 mongo:3.2
Step1.-mongoDB(II) $ docker ps -a to list running containers aa075751485b mongo:3.2 "/entrypoint.sh mongo" 5 seconds ago Up 4 seconds 0.0.0.0:27017->27017/tcp mongo run mongo client application to check everything is ok You might need to install it https://docs.mongodb.com/v3.2/tutorial/install-mongodb-on-ubuntu/ $ apt-get install mongodb-org-shell $ mongo> show dbs Or you can directly connect to the container
Step2.-Orioncontextbroker(I) Orion is an implementation of the “Data and Context Broker” An open source project hosted by the FIWARE OSS https://github.com/fiware/context.Orion (License Affero GPL v3.0) properly packaged as a docker container running on CentOS 6 Orion uses mongoDB as the data storage For running Orion … $ docker run --name orion -d -p 1026:1026 --link mongo -h orion fiware/orion:1.4.1 -dbhost mongo $ docker ps -a
STEP2.-OrionContextbroker(II) $ curl -s localhost:1026/version | python -mjson.tool { "orion" : { "version" : "1.4.1", "uptime" : "0 d, 0 h, 1 m, 17 s", "git_hash" : "905d5fa58ace7fa4f14330ddc982b41cf9b30be6", "compile_time" : "Mon Oct 10 15:06:02 UTC 2016", "compiled_by" : "root", "compiled_in" : "b99744612d0b" } } $ mongo > show dbs > use orion Now a DB named “orion” should appear if everything is ok db.getCollectionNames() [ "entities" ] curl -s localhost:1026/v2/entities | python -mjson.tool
Step3.-Let’saddsomeentitiestoorion(I) $ curl localhost:1026/v2/entities -s -S --header 'Content-Type: application/json' -d @- <<EOF { "id": "WeatherObserved-6789", "type": "WeatherObserved", "temperature": { "value": 23, "type": "Number" }, "barometricPressure": { "value": 720, "type": "Number" }, "dateObserved": { "value": "2016-10-18T11:08:20.228Z", "type": "DateTime" }, "source": { "value": "http://www.aemet.es", "type": "URL" } } EOF
Step3.-Let’saddsomeentitiestoorion(II) $ curl localhost:1026/v2/entities?options=keyValues | python -mjson.tool [ { "barometricPressure": 720, "dateObserved": "2016-10-18T11:08:20.00Z", "id": "WeatherObserved-6789", "source": "http://www.aemet.es", "temperature": 23, "type": "WeatherObserved" } ] $ mongo > use orion switched to db orion > db.entities.find({}) { "_id" : { "id" : "WeatherObserved-6789", "type" : "WeatherObserved", "servicePath" : "/" }, "attrNames" : [ "temperature", "barometricPressure", "dateObserved", "source" ], "attrs" : { "temperature" : { "type" : "Number", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 23, "mdNames" : [ ] }, "barometricPressure" : { "type" : "Number", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 720, "mdNames" : [ ] }, "dateObserved" : { "type" : "DateTime", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 1476788900, "mdNames" : [ ] }, "source" : { "type" : "URL", "creDate" : 1476789680, "modDate" : 1476789680, "value" : "http://www.aemet.es", "mdNames" : [ ] } }, "creDate" : 1476789680, "modDate" : 1476789680 }
Step4.-Multitenancy (I) Orion Context Broker is multitenant Logical databases isolated, each one containing data from different organizations or domains Tenant is a “service” in FIWARE terminology. Aka a “Domain” in OpenStack terminology A tenant can be composed by multiple child sub- tenants “subservice” in FIWARE terminology Aka a “Project” in OpenStack terminology
Step4.-Multitenancy (II) The way to address tenants are HTTP headers Fiware-Service : <<Tenant_Name>> Fiware-Servicepath: <<Subservice_Name>> Subtenants follow a hierarchical structure and there is a default subtenant, root one (‘/’) Example: Fiware-service: weather Fiware-servicepath: /Spain A pair (service, subservice) is used for security
Step4.-Multitenancy (III) TENANT="Fiware-Service:$1" SUBSERVICE="Fiware-ServicePath:/$2" curl localhost:1026/v2/entities --header $TENANT --header $SUBSERVICE -s -S --header 'Content-Type: application/json' -d @- <<EOF { "id": "WeatherObserved-6789", "type": "WeatherObserved", "temperature": { "value": 23, "type": "Number" }, …… } EOF ● Creating an entity in a (tenant , subtenant)
Step4.-Multitenancy (IV) $mongo > show dbs local 0.000GB orion 0.000GB orion-example_a 0.000GB orion-london 0.000GB orion-weather 0.000GB There will be as many databases as tenants available “orion” is the DB which stores data in the default tenant DB name is “orion-” + <<tenant_name>> To query data of a tenant just issue regular NGSIv2 requests using Fiware-Service and Fiware-Servicepath headers
Deeping dive Adding a security layer to the data & control broker 16
TargetArchitectureusingfiwaresecuritystack Data & Control Broker (Orion) mongoDB Application (Data Consumer) Identity Manager (Keystone) Authorization PDP (Keypass) PEP Proxy (Steelskin) Token validation (domain, project, role) Is authorized? Allow or Deny NGSIv2 Registration App NGSIv2 Add user Domain, Project, Roles Token Developer Data ingestionGet token Internet / VPN Operator Infrastructure I9 I8 IoT Devices Open Data Sources
Step4.-Securitystack-preparation Security stack uses MySQL to store configuration data $ docker run --name mysql -d -p 3306:3306 -h mysql -v $HOME/data/mysql:/var/lib/mysql -e "MYSQL_ROOT_PASSWORD=gsma" -e "MYSQL_DATABASE=keypass" -e "MYSQL_USER=keypass" -e "MYSQL_PASSWORD=keypass" mysql:5.5 Check that everything is ok. Above command creates a database named “keypass” used later. $ docker exec -it mysql bash mysql --user=root --password=gsma mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keypass | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.00 sec)
Step4.1.-keystone(I) Keystone is an open source project hosted by OpenStack OSS Community https://github.com/openstack/keystone (Apache 2.0 license) Keystone is an Identity Manager service capable of storing information about domains, project, users, groups or roles Keystone is in charge of generating tokens which can be used to get access to services requiring credentials For this exercise we will be using a keystone image
Step4.1.-keystone(II) Running keystone $ docker run --name keystone -d -p 5001:5001 --link mysql -h keystone telefonicaiot/fiware-keystone-spassword -dbhost mysql -default_pwd 4pass1w0rd -mysql_pwd gsma Sanity check operations $ docker logs keystone $ docker exec -it keystone bash (to open a shell session on the container) $ curl -s -S http://localhost:5001/v3 | python -mjson.tool Once we have a keystone instance up and running different REST requests can be issued http://developer.openstack.org/api-ref/identity/v3/index.html
$ docker exec -it mysql bash root@mysql:/# mysql --user=root --password=gsma mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keypass | | keystone | | mysql | | performance_schema | +--------------------+ mysql> use keystone; Step4.1.-keystone(II-B) show tables; +-----------------------+ | Tables_in_keystone | +-----------------------+ | assignment | | credential | | domain | | endpoint | | group | | migrate_version | | policy | | project | | region | | role | | service | | spassword | | token | | trust | | trust_role | | user | | user_group_membership | +-----------------------+ Checking keystone has created its database properly
Step4.1.-keystone(III) Remember: Fiware-Service → Domain in Keystone Fiware-Servicepath → Project in Keystone A developer will register in Keystone as user in a domain <-> Developer can get access to the data offered by the corresponding FIWARE service (tenant) We will later show how this works in practice
Step4.1.-keystone(IV) List all domains curl -s -S --header x-auth-token:4pass1w0rd http://localhost:5001/v3/domains/ | python - mjson.tool { "domains": [ { "enabled": true, "id": "8b883aaa740e4d75b91095eaa550b35c", "links": { "self": "http://localhost:5001/v3/domains/8b883aaa740e4d75b91095eaa550b35c" }, "name": "admin_domain" }, { "description": "Owns users and tenants (i.e. projects) available on Identity API v2.", "enabled": true, "id": "default", "links": { "self": "http://localhost:5001/v3/domains/default" }, "name": "Default" } ]
Step4.1.-keystone(V) List all users curl -s -S --header x-auth-token:4pass1w0rd http://localhost:5001/v3/users/ | python - mjson.tool "users": [ { "description": "Cloud service", "domain_id": "8b883aaa740e4d75b91095eaa550b35c", "enabled": true, "id": "02cd3dbb6ceb48eb92588c7885bbcc1f", "links": { "self": "http://localhost:5001/v3/users/02cd3dbb6ceb48eb92588c7885bbcc1f" }, "name": "pep" }, { "description": "Cloud administrator", "domain_id": "8b883aaa740e4d75b91095eaa550b35c", "enabled": true, "id": "177cf5a4d12e4f85b7b65cbcac6d9697", "links": { "self": "http://localhost:5001/v3/users/177cf5a4d12e4f85b7b65cbcac6d9697" }, "name": "cloud_admin" }
Step4.1.-keystone(VI) Get a token for the cloud_admin user curl localhost:5001/v3/auth/tokens -s -S --header 'Content-Type: application/json' -d @- <<EOF { "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "cloud_admin", "domain": { "name": "admin_domain" }, "password": "4pass1w0rd" } } } } } EOF HTTP/1.1 201 Created X-Subject-Token: 19e200834a3f4e149c7f4033a003a8f4
Step4.2.-keypass.-authPDP(I) keypass is an implementation of the FIWARE Authorization PDP (Policy Decision Point) Keypass is an open source project hosted at https://github.com/telefonicaid/fiware-keypass License is Apache 2.0 It complies with XACML (eXtensible Access Control Markup Language) v3.0. It provides an API to get authorization decisions based on authorization policies
Step4.2.-keypass.-AuthPDP(II) Running keypass $ docker run --name keypass -d -p 7070:7070 -h keypass --link mysql telefonicaiot/fiware- keypass -dbhost mysql $ docker logs keypass $ curl --header 'Fiware-Service: dummy' localhost:7070/version 1.2.1
Step4.3.-Steelskin.-PEPproxy (I) Steelskin is an implementation of the FIWARE PEP (Policy Enforcement Point) Steelskin is an open source project hosted at https://github.com/telefonicaid/fiware-pep-steelskin License is Affero GPL 3.0 A proxy which ensures that only authorized users are able to perform requests against the Data & Control Broker https://github.com/telefonicaid/fiware-pep-steelskin#-rules-to-determine-the- context-broker-action-from-the-request
Step4.3.-Steelskin.-PEPproxy (II) Running: $ docker run -d --name pep -p 1027:1026 --link orion --link keystone --link keypass -e LOG_LEVEL=DEBUG -e AUTHENTICATION_HOST=keystone -e AUTHENTICATION_PORT=5001 -e ACCESS_HOST=keypass -e ACCESS_PORT=7070 -e TARGET_HOST=orion -e TARGET_PORT=1026 -e PROXY_USERNAME=pep -e PROXY_PASSWORD=4pass1w0rd telefonicaiot/fiware-pep-steelskin $ docker logs pep $ docker exec -it pep bash → $ curl localhost:11211/version { "version": "1.2.0-next", "port":1026 }
Step4.3.-Steelskin.-PEPproxy(III) Remember: Given an HTTP Request (x-auth-token, fiware- service, fiware-servicepath) First PEP queries keystone to validate the auth token and obtain (user, domain, role in project) Then, PEP queries keypass to obtain the authorization policies for the role in question A match between subject policies and the requested operation is done If the requested operation is allowed, the HTTP request is forwarded to the Data & Control Broker If not a non-authorized error is raised curl localhost:1027/v2/entities
STEP5.-Usingthemalltogether $ docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d18f7dbe7f75 telefonicaiot/fiware-pep-steelskin "/bin/sh -c bin/pepPr" 16 minutes ago Up 16 minutes 11211/tcp, 0.0.0.0:1027->1026/tcp pep 7e1853f0e2c4 telefonicaiot/fiware-keypass "/opt/keypass/keypass" 45 minutes ago Up 45 minutes 0.0.0.0:7070-7071->7070-7071/tcp keypass c4f6ab6c390f telefonicaiot/fiware-keystone-spassword "/opt/keystone/keysto" About an hour ago Up About an hour 0.0.0.0:5001->5001/tcp keystone 5bf5d7e8b284 mysql:5.5 "docker-entrypoint.sh" 18 hours ago Up 18 hours 0.0.0.0:3307->3306/tcp mysql 6c63cee20ae2 fiware/orion:1.4.1 "/usr/bin/contextBrok" 24 hours ago Up 24 hours 0.0.0.0:1026->1026/tcp orion 4f1d9298fb70 mongo:3.2 "/entrypoint.sh mongo" 24 hours ago Up 24 hours 0.0.0.0:27017->27017/tcp mongo
Step5.1.-Orchestratortotherescue Manual provision of configurations of the three security components can be cumbersome TEF has developed an open source project (named orchestrator) that helps to provide security configurations https://github.com/telefonicaid/orchestrator License is Affero GPL 3.0 It can be instantiated as a service but there are some useful scripts which can be used https://github.com/telefonicaid/orchestrator/blob/master/SCRIPTS.md
Step5.2.-configuringaservice(tenant) $ git clone https://github.com/telefonicaid/orchestrator $ cd orchestrator $ pip install -r requirements.txt $ export PYTHONPATH=$PYTHONPATH:$HOME/gsma/orchestrator/src cd $HOME/gsma/orchestrator/src ./orchestrator/commands/createNewService.py http localhost 5001 admin_domain cloud_admin 4pass1w0rd weatherdata "Weather Data" weather_admin weather_admin_PWD http localhost 7070 Checking that everything went ok ./orchestrator/commands/printServices.py http localhost 5001 admin_domain cloud_admin 4pass1w0rd
Step5.3.-configuringaSub-service $ export PYTHONPATH=$PYTHONPATH:$HOME/gsma/orchestrator/src cd $HOME/gsma/orchestrator/src ./orchestrator/commands/createNewSubService.py http localhost 5001 weatherdata weather_admin weather_admin_PWD "Spain" "Weather in Spain" Checking that everything went ok ./orchestrator/commands/printSubServices.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Now we have a pair (Fiware-Service, Fiware-Servicepath) → (‘weatherdata’, ‘/Spain`) We can check that we can get access to data 1/ obtain a token for the `weather_admin’ user Ex. `5bb5c6e310814b93a01d74385fe52bef` 2/ issue a GET request through the PEP proxy curl localhost:1027/v2/entities --header 'Fiware-Service:weatherdata' --header 'Fiware-Servicepath:
Step5.4.-addingadeveloperwithconsumerpermissions $ ./orchestrator/commands/createNewServiceUser.py http localhost 5001 weatherdata weather_admin weather_admin_PWD developer1 developer1_PWD Checking that everything went ok ./orchestrator/commands/printServiceUsers.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Now we need to assign the role “SubServiceCustomer” to the user ‘developer1’ ./orchestrator/commands/assignRoleSubServiceUser.py http localhost 5001 weatherdata Spain weather_admin weather_admin_PWD SubServiceCustomer developer1 Checking that everything went ok ./orchestrator/commands/listSubServiceRoleAssignments.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Spain True Now ‘developer1’ is able to query weather data on the sub-service ‘Spain’. However he cannot provide data as his role is ‘SubServiceCustomer’
Step5.5.-gettingaccesstodatawith‘developer1’ (I) First of all a token must be obtained . Then : $ curl -s -S localhost:1027/v2/entities --header 'Fiware-service:weatherdata' --header 'Fiware-servicepath:/Spain' --header 'x-auth-token:36a1d0558612473da438c93d74d4aefc' | python -mjson.tool [ { "barometricPressure": { "metadata": {}, "type": "Number", "value": 720 }, "dateObserved": { "metadata": {}, "type": "DateTime", "value": "2016-10-18T11:08:20.00Z" }, "id": "WeatherObserved-6789", "type": "WeatherObserved" } ]
Step5.5.-gettingaccesstodatawith‘developer1’ (II) An attempt to create a new entity on (weatherdata,/Spain) will fail curl localhost:1027/v2/entities -s -S --header 'Content-Type: application/json' --header 'Fiware- Service:weatherdata' --header 'Fiware-servicepath:/Spain' --header 'x-auth-token:36a1d0558612473da438c93d74d4aefc' -d @- <<EOF { "id": "WeatherObserved-4567", …. } EOF { "name": "ACCESS_DENIED", "message": "The user does not have the appropriate permissions to access the selected action" } Developer will need to be assigned the role ‘SubServiceAdmin’ in order to be able to post new data
What’shappeningbehindthescenes A set of predefined policies have been pre-populated to the ‘keypass’ database docker exec -it mysql mysql --user=keypass --password=keypass mysql> use keypass; select policy from Policies; Relevant policies are https://github.com/telefonicaid/orchestrator/blob/master/src/orchestrator/core /policies/policy-orion-customer.xml https://github.com/telefonicaid/orchestrator/blob/master/src/orchestrator/core /policies/policy-orion-admin.xml
Andfinally... Remember to remove old docker containers (exited) $ docker rm <container> You should only expose the IdM (for tokens) and the PEP Proxy (ports) to the developer Ensure the mounted volumes for database data have enough space for the data to be stored Remember, you can open a shell session on a container $ docker exec -it <<container_name> bash And then get access to the logs, databases, local services, ….
Questions 40
Thank you! http://fiware.org Follow @FIWARE on Twitter

More Related Content

ODP
Deploy Mediawiki Using FIWARE Lab Facilities
byFIWARE
 
PDF
NATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
bywallyqs
 
PDF
Openstack 101
byPOSSCON
 
PPTX
Fiware cloud developers week brussels
byFernando Lopez Aguilar
 
PDF
How to Install & Configure Your Own Identity Manager GE
byFIWARE
 
PDF
The 'Serverless' Paradigm, OpenWhisk and FIWARE
byFIWARE
 
PPTX
Cosmos, Big Data GE Implementation
byFIWARE
 
PPTX
Intro to the FIWARE Lab
byFIWARE
 
Deploy Mediawiki Using FIWARE Lab Facilities
byFIWARE
 
NATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
bywallyqs
 
Openstack 101
byPOSSCON
 
Fiware cloud developers week brussels
byFernando Lopez Aguilar
 
How to Install & Configure Your Own Identity Manager GE
byFIWARE
 
The 'Serverless' Paradigm, OpenWhisk and FIWARE
byFIWARE
 
Cosmos, Big Data GE Implementation
byFIWARE
 
Intro to the FIWARE Lab
byFIWARE
 

What's hot

PDF
HashiCorp Vault Workshop:幫 Credentials 找個窩
bysmalltown
 
PPTX
Vault - Secret and Key Management
byAnthony Ikeda
 
PDF
OpenStack Architecture
byMirantis
 
PPTX
OpenStack GDL : Hacking keystone | 20 Octubre 2014
byVictor Morales
 
PDF
Introducing Vault
byRamit Surana
 
PDF
Secrets in Kubernetes
byJerry Jalava
 
PDF
Unity Makes Strength
byXavier Mertens
 
PPTX
Hashicorp Vault ppt
byShrey Agarwal
 
PDF
Secret Management with Hashicorp’s Vault
byAWS Germany
 
PDF
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
byJeff Horwitz
 
PPTX
Modular Layer 2 In OpenStack Neutron
bymestery
 
PDF
Notes for AWS IoT
by承翰 蔡
 
PDF
how to use openstack api
byLiang Bo
 
PDF
Arduino、Web 到 IoT
byJustin Lin
 
PDF
Monitoring OSGi Applications with the Web Console - Carsten Ziegeler
bymfrancis
 
PDF
HashiTLS Demystifying Security Certs
byMitchell Pronschinske
 
PDF
Third Party Auth in WebObjects
byWO Community
 
PPTX
Building Better Backdoors with WMI - DerbyCon 2017
byAlexander Polce Leary
 
PPTX
Security Walls in Linux Environment: Practice, Experience, and Results
byIgor Beliaiev
 
PDF
OSMC 2021 | On the Bleeding Edge of OpenTelemetry
byNETWAYS
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
bysmalltown
 
Vault - Secret and Key Management
byAnthony Ikeda
 
OpenStack Architecture
byMirantis
 
OpenStack GDL : Hacking keystone | 20 Octubre 2014
byVictor Morales
 
Introducing Vault
byRamit Surana
 
Secrets in Kubernetes
byJerry Jalava
 
Unity Makes Strength
byXavier Mertens
 
Hashicorp Vault ppt
byShrey Agarwal
 
Secret Management with Hashicorp’s Vault
byAWS Germany
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
byJeff Horwitz
 
Modular Layer 2 In OpenStack Neutron
bymestery
 
Notes for AWS IoT
by承翰 蔡
 
how to use openstack api
byLiang Bo
 
Arduino、Web 到 IoT
byJustin Lin
 
Monitoring OSGi Applications with the Web Console - Carsten Ziegeler
bymfrancis
 
HashiTLS Demystifying Security Certs
byMitchell Pronschinske
 
Third Party Auth in WebObjects
byWO Community
 
Building Better Backdoors with WMI - DerbyCon 2017
byAlexander Polce Leary
 
Security Walls in Linux Environment: Practice, Experience, and Results
byIgor Beliaiev
 
OSMC 2021 | On the Bleeding Edge of OpenTelemetry
byNETWAYS
 

Viewers also liked

PPTX
Introduction to FIWARE Open Ecosystem
byFernando Lopez Aguilar
 
PPTX
IoT on the Edge
byFIWARE
 
PPT
X-GSN in OpenIoT SummerSchool
byJean-Paul Calbimonte
 
PPTX
Creating end-to-end IoT applications with Eclipse Kura & Solair IoT Platform
bySolair
 
PPTX
IoT World Forum Press Conference - 10.14.2014
byBessie Wang
 
PPTX
The Future of IoT: Why We Need the Open Interconnect Consortium
bySamsung Open Source Group
 
PDF
Internet of Things (IoT) and Google
byAbdullah Çetin ÇAVDAR
 
PPTX
IoT Platform Meetup - Oracle
byFilip Kolář
 
PDF
Semantic Interoperability as Key to IoT Platform Federation
bysymbiote-h2020
 
PDF
An introduction to the IoTC
byNewell Thompson
 
PDF
What, Why and What for FIWARE?
byforumvirium
 
PPTX
How to Contribute to FIWARE
byFIWARE
 
PPTX
The FIWARE Marketplace
byFIWARE
 
PDF
Interoperability with Standardless IoT (Global IoT Day Wien)
byDavid Janes
 
PPTX
symbIoTe - AIOTI Open Day @ NDC, 08 Feb 2016, Athens, Greece
bysymbiote-h2020
 
PDF
Oies_IoT_Platform_Selection_Services_2017
byFrancisco Maroto
 
PPTX
Welcome to the 1st FIWARE Summit
byFIWARE
 
PDF
IoT Platforms Interoperability and the symbIoTe Vision
bysymbiote-h2020
 
PPTX
FIWARE: the best is yet to come
byFIWARE
 
PPTX
Spanish AgriFood Cooperatives
byFIWARE
 
Introduction to FIWARE Open Ecosystem
byFernando Lopez Aguilar
 
IoT on the Edge
byFIWARE
 
X-GSN in OpenIoT SummerSchool
byJean-Paul Calbimonte
 
Creating end-to-end IoT applications with Eclipse Kura & Solair IoT Platform
bySolair
 
IoT World Forum Press Conference - 10.14.2014
byBessie Wang
 
The Future of IoT: Why We Need the Open Interconnect Consortium
bySamsung Open Source Group
 
Internet of Things (IoT) and Google
byAbdullah Çetin ÇAVDAR
 
IoT Platform Meetup - Oracle
byFilip Kolář
 
Semantic Interoperability as Key to IoT Platform Federation
bysymbiote-h2020
 
An introduction to the IoTC
byNewell Thompson
 
What, Why and What for FIWARE?
byforumvirium
 
How to Contribute to FIWARE
byFIWARE
 
The FIWARE Marketplace
byFIWARE
 
Interoperability with Standardless IoT (Global IoT Day Wien)
byDavid Janes
 
symbIoTe - AIOTI Open Day @ NDC, 08 Feb 2016, Athens, Greece
bysymbiote-h2020
 
Oies_IoT_Platform_Selection_Services_2017
byFrancisco Maroto
 
Welcome to the 1st FIWARE Summit
byFIWARE
 
IoT Platforms Interoperability and the symbIoTe Vision
bysymbiote-h2020
 
FIWARE: the best is yet to come
byFIWARE
 
Spanish AgriFood Cooperatives
byFIWARE
 

Similar to Building Your Own IoT Platform using FIWARE GEis

PPTX
FIWARE Primer - Learn FIWARE in 60 Minutes
byFederico Michele Facca
 
PDF
FIWARE Wednesday Webinars - How to Secure IoT Devices
byFIWARE
 
PDF
FIWARE Wednesday Webinars - Short Term History within Smart Systems
byFIWARE
 
PPTX
Setting up your virtual infrastructure using FIWARE Lab Cloud
byFernando Lopez Aguilar
 
PDF
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE Platforms
byFIWARE
 
PDF
FIWARE Global Summit - A Multi-database Plugin for the Orion FIWARE Context B...
byFIWARE
 
PDF
DevDay 2017: Christof Fetzer - SCONE: Secure Linux Container Environments wit...
byDevDay Dresden
 
PDF
Integrating Fiware Orion, Keyrock and Wilma
byDalton Valadares
 
PPTX
Federico Michele Facca - FIWARE Primer - Learn FIWARE in 60 Minutes
byCodemotion
 
PPTX
Setting up your virtual infrastructure using FIWARE Lab Cloud
byFernando Lopez Aguilar
 
PDF
Setting up your virtual infrastructure using fi-lab cloud
byFernando Lopez Aguilar
 
PPTX
Fiware docker container service multi tenant isolation and user defined netwo...
byKenneth Nagin
 
PDF
FIWARE Wednesday Webinars - Strategies for Context Data Persistence
byFIWARE
 
PPTX
The rise of microservices - containers and orchestration
byAndrew Morgan
 
PPTX
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDB
byMongoDB
 
PDF
FIWARE Tech Summit - FIWARE-based Smart City Platforms
byFIWARE
 
PPTX
The Rise of Microservices - Containers and Orchestration
byMongoDB
 
PPTX
Setting up your virtual infrastructure using fi lab cloud webminar
byHenar Muñoz Frutos
 
PPTX
Setting up your virtual infrastructure using fi lab cloud
byHenar Muñoz Frutos
 
PPTX
Setting up your virtual infrastructure using FI-LAB Cloud
byFIWARE
 
FIWARE Primer - Learn FIWARE in 60 Minutes
byFederico Michele Facca
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
byFIWARE
 
FIWARE Wednesday Webinars - Short Term History within Smart Systems
byFIWARE
 
Setting up your virtual infrastructure using FIWARE Lab Cloud
byFernando Lopez Aguilar
 
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE Platforms
byFIWARE
 
FIWARE Global Summit - A Multi-database Plugin for the Orion FIWARE Context B...
byFIWARE
 
DevDay 2017: Christof Fetzer - SCONE: Secure Linux Container Environments wit...
byDevDay Dresden
 
Integrating Fiware Orion, Keyrock and Wilma
byDalton Valadares
 
Federico Michele Facca - FIWARE Primer - Learn FIWARE in 60 Minutes
byCodemotion
 
Setting up your virtual infrastructure using FIWARE Lab Cloud
byFernando Lopez Aguilar
 
Setting up your virtual infrastructure using fi-lab cloud
byFernando Lopez Aguilar
 
Fiware docker container service multi tenant isolation and user defined netwo...
byKenneth Nagin
 
FIWARE Wednesday Webinars - Strategies for Context Data Persistence
byFIWARE
 
The rise of microservices - containers and orchestration
byAndrew Morgan
 
Webinar: Enabling Microservices with Containers, Orchestration, and MongoDB
byMongoDB
 
FIWARE Tech Summit - FIWARE-based Smart City Platforms
byFIWARE
 
The Rise of Microservices - Containers and Orchestration
byMongoDB
 
Setting up your virtual infrastructure using fi lab cloud webminar
byHenar Muñoz Frutos
 
Setting up your virtual infrastructure using fi lab cloud
byHenar Muñoz Frutos
 
Setting up your virtual infrastructure using FI-LAB Cloud
byFIWARE
 

More from FIWARE

PPTX
HTAG_Skalierung_Plattform_lokal_final_versand.pptx
byFIWARE
 
PPTX
Christoph Mertens_IDSA_Introduction to Data Spaces.pptx
byFIWARE
 
PPTX
Pierre Golz Der Transformationsprozess im Konzern Stadt.pptx
byFIWARE
 
PPTX
Ulrich Ahle_FIWARE.pptx
byFIWARE
 
PDF
Katharina Hogrebe Herne Digital Days.pdf
byFIWARE
 
PPTX
Lukas Künzel Smart City Operating System.pptx
byFIWARE
 
PPTX
Aleksandar Vrglevski _FIWARE DACH_OSIH.pptx
byFIWARE
 
PPTX
Evangelists + iHubs Promo Slides.pptx
byFIWARE
 
PPTX
WE_LoRaWAN _ IoT.pptx
byFIWARE
 
PPTX
Cameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptx
byFIWARE
 
PPTX
Dennis Wendland_The i4Trust Collaboration Programme.pptx
byFIWARE
 
PPTX
Boris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptx
byFIWARE
 
PPTX
FiWareSummit.msGIS-Data-to-Value.2023.06.12.pptx
byFIWARE
 
PDF
Abdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdf
byFIWARE
 
PPTX
Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....
byFIWARE
 
PDF
Water Quality - Lukas Kuenzel.pdf
byFIWARE
 
PPTX
EU Opp_Clara Pezuela - German chapter.pptx
byFIWARE
 
PDF
FGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdf
byFIWARE
 
PPTX
Behm_Herne_NeMo_akt.pptx
byFIWARE
 
PPTX
Behm_Herne_NeMo.pptx
byFIWARE
 
HTAG_Skalierung_Plattform_lokal_final_versand.pptx
byFIWARE
 
Christoph Mertens_IDSA_Introduction to Data Spaces.pptx
byFIWARE
 
Pierre Golz Der Transformationsprozess im Konzern Stadt.pptx
byFIWARE
 
Ulrich Ahle_FIWARE.pptx
byFIWARE
 
Katharina Hogrebe Herne Digital Days.pdf
byFIWARE
 
Lukas Künzel Smart City Operating System.pptx
byFIWARE
 
Aleksandar Vrglevski _FIWARE DACH_OSIH.pptx
byFIWARE
 
Evangelists + iHubs Promo Slides.pptx
byFIWARE
 
WE_LoRaWAN _ IoT.pptx
byFIWARE
 
Cameron Brooks_FGS23_FIWARE Summit_Keynote_Cameron.pptx
byFIWARE
 
Dennis Wendland_The i4Trust Collaboration Programme.pptx
byFIWARE
 
Boris Otto_FGS2023_Opening- EU Innovations from Data_PUB_V1_BOt.pptx
byFIWARE
 
FiWareSummit.msGIS-Data-to-Value.2023.06.12.pptx
byFIWARE
 
Abdulrahman Ibrahim_FGS23 Opening - Abdulrahman Ibrahim.pdf
byFIWARE
 
Bjoern de Vidts_FGS23_Opening_athumi - bjord de vidts - personal data spaces....
byFIWARE
 
Water Quality - Lukas Kuenzel.pdf
byFIWARE
 
EU Opp_Clara Pezuela - German chapter.pptx
byFIWARE
 
FGS2023_Opening_Red Hat Keynote Andrea Battaglia.pdf
byFIWARE
 
Behm_Herne_NeMo_akt.pptx
byFIWARE
 
Behm_Herne_NeMo.pptx
byFIWARE
 

Recently uploaded

PDF
Automating ISP Networks Using Ansible and IPAM as a Source of Truth [SoT]
byBangladesh Network Operators Group
 
PDF
DNSSEC Implementation Journey at Prime Bank’s Domain
byBangladesh Network Operators Group
 
PPT
INTRODUCTION_TO_SOFTWARE_APPLICATION.pptx
byMESFINBELAY4
 
PPTX
BTCFi on Starknet,Troves.fi offers automated strategies for Bitcoin users on ...
bytrovesfi
 
PDF
A Day in the Life of IPv6 Scanning by Matsuzaki ʻmazʼ
byBangladesh Network Operators Group
 
PDF
OFFENSIVE OPERATIONS : THE ANATOMY OF A NETWORK TAKEOVER
byBangladesh Network Operators Group
 
PPTX
MEANING OF EMOJIS OF SOCIAL MEDIA - RUKUNDO Emmanuel..pptx
bysongsormusics
 
PDF
Cybrain Software Solutions – Building Future-Ready Digital Tools
byCybrain Software Solutions
 
PPTX
Passive Presentation pasdskpasdasdasdasf
byNoOne501682
 
PPTX
evolution of internet (internet journey)
byyamunadevi49
 
PPTX
ENDNOTE refrencing how to do step by step..
byhumairasohaib19
 
PPTX
ARCHITECTURESACGCHCIUOHCOHCSAKJCOQKCHUO.pptx
bymchlrdpc2921
 
PDF
A La Recherche Du Temps Perdu: In Search of the Cozy Web
byJen Looper
 
PPTX
AI Presentation it all about what is ai and how to implement in real life
byshraddhasule1710
 
PPTX
Facebook: How to Maximize for Everyday Business
byLP3I Surabaya
 
Automating ISP Networks Using Ansible and IPAM as a Source of Truth [SoT]
byBangladesh Network Operators Group
 
DNSSEC Implementation Journey at Prime Bank’s Domain
byBangladesh Network Operators Group
 
INTRODUCTION_TO_SOFTWARE_APPLICATION.pptx
byMESFINBELAY4
 
BTCFi on Starknet,Troves.fi offers automated strategies for Bitcoin users on ...
bytrovesfi
 
A Day in the Life of IPv6 Scanning by Matsuzaki ʻmazʼ
byBangladesh Network Operators Group
 
OFFENSIVE OPERATIONS : THE ANATOMY OF A NETWORK TAKEOVER
byBangladesh Network Operators Group
 
MEANING OF EMOJIS OF SOCIAL MEDIA - RUKUNDO Emmanuel..pptx
bysongsormusics
 
Cybrain Software Solutions – Building Future-Ready Digital Tools
byCybrain Software Solutions
 
Passive Presentation pasdskpasdasdasdasf
byNoOne501682
 
evolution of internet (internet journey)
byyamunadevi49
 
ENDNOTE refrencing how to do step by step..
byhumairasohaib19
 
ARCHITECTURESACGCHCIUOHCOHCSAKJCOQKCHUO.pptx
bymchlrdpc2921
 
A La Recherche Du Temps Perdu: In Search of the Cozy Web
byJen Looper
 
AI Presentation it all about what is ai and how to implement in real life
byshraddhasule1710
 
Facebook: How to Maximize for Everyday Business
byLP3I Surabaya
 

Building Your Own IoT Platform using FIWARE GEis

  • 1.
    Building your ownIoT platform using FIWARE GEis José Manuel Cantera Fonseca Technological Expert. Data Chapter. josemanuel.canterafonseca@telefonica.com
  • 2.
    Introduction Talk Objectives Illustrate howa secured IoT platform instance can be implemented using FIWARE GEis on a container-based environment (Docker) Understand how to set up a security layer on top of a Context Broker Learn how to configure all the components at the different layers
  • 3.
    TargetArchitectureusingfiware securitystack Context Broker (Orion) mongoDB Application (Data Consumer) Identity Manager (Keystone) Authorization PDP (Keypass) PEP Proxy (Steelskin) Token validation (domain, project, role) Isauthorized? Allow or Deny NGSIv2 Registration App NGSIv2 Add user Domain, Project, Roles Token Developer Data ingestionGet token Internet / VPN IoT platform Infrastructure I9 I8 IoT Devices Open Data Sources
  • 4.
    Getting started A basiccontext broker set up 4
  • 5.
    BasicData&Controlbrokersetup Data & Control Broker (Orion) mongoDB Application (DataConsumer) NGSIv2NGSIv2 Data ingestion Internet / VPN Operator Infrastructure I8 IoT Devices Open Data Sources
  • 6.
    Step1.-MongoDB(I) mongoDB is theNoSQL database used to store context data mongoDB is properly packaged as a docker container Use mongoDB 3.2 docker container Prepare a folder to store mongoDB data Ex. $HOME/data/mongo Run mongoDB $ docker run --name mongo -v $HOME/data/mongo:/data/db -d -h mongo -p 27017:27017 mongo:3.2
  • 7.
    Step1.-mongoDB(II) $ docker ps-a to list running containers aa075751485b mongo:3.2 "/entrypoint.sh mongo" 5 seconds ago Up 4 seconds 0.0.0.0:27017->27017/tcp mongo run mongo client application to check everything is ok You might need to install it https://docs.mongodb.com/v3.2/tutorial/install-mongodb-on-ubuntu/ $ apt-get install mongodb-org-shell $ mongo> show dbs Or you can directly connect to the container
  • 8.
    Step2.-Orioncontextbroker(I) Orion is an implementationof the “Data and Context Broker” An open source project hosted by the FIWARE OSS https://github.com/fiware/context.Orion (License Affero GPL v3.0) properly packaged as a docker container running on CentOS 6 Orion uses mongoDB as the data storage For running Orion … $ docker run --name orion -d -p 1026:1026 --link mongo -h orion fiware/orion:1.4.1 -dbhost mongo $ docker ps -a
  • 9.
    STEP2.-OrionContextbroker(II) $ curl -slocalhost:1026/version | python -mjson.tool { "orion" : { "version" : "1.4.1", "uptime" : "0 d, 0 h, 1 m, 17 s", "git_hash" : "905d5fa58ace7fa4f14330ddc982b41cf9b30be6", "compile_time" : "Mon Oct 10 15:06:02 UTC 2016", "compiled_by" : "root", "compiled_in" : "b99744612d0b" } } $ mongo > show dbs > use orion Now a DB named “orion” should appear if everything is ok db.getCollectionNames() [ "entities" ] curl -s localhost:1026/v2/entities | python -mjson.tool
  • 10.
    Step3.-Let’saddsomeentitiestoorion(I) $ curl localhost:1026/v2/entities-s -S --header 'Content-Type: application/json' -d @- <<EOF { "id": "WeatherObserved-6789", "type": "WeatherObserved", "temperature": { "value": 23, "type": "Number" }, "barometricPressure": { "value": 720, "type": "Number" }, "dateObserved": { "value": "2016-10-18T11:08:20.228Z", "type": "DateTime" }, "source": { "value": "http://www.aemet.es", "type": "URL" } } EOF
  • 11.
    Step3.-Let’saddsomeentitiestoorion(II) $ curl localhost:1026/v2/entities?options=keyValues| python -mjson.tool [ { "barometricPressure": 720, "dateObserved": "2016-10-18T11:08:20.00Z", "id": "WeatherObserved-6789", "source": "http://www.aemet.es", "temperature": 23, "type": "WeatherObserved" } ] $ mongo > use orion switched to db orion > db.entities.find({}) { "_id" : { "id" : "WeatherObserved-6789", "type" : "WeatherObserved", "servicePath" : "/" }, "attrNames" : [ "temperature", "barometricPressure", "dateObserved", "source" ], "attrs" : { "temperature" : { "type" : "Number", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 23, "mdNames" : [ ] }, "barometricPressure" : { "type" : "Number", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 720, "mdNames" : [ ] }, "dateObserved" : { "type" : "DateTime", "creDate" : 1476789680, "modDate" : 1476789680, "value" : 1476788900, "mdNames" : [ ] }, "source" : { "type" : "URL", "creDate" : 1476789680, "modDate" : 1476789680, "value" : "http://www.aemet.es", "mdNames" : [ ] } }, "creDate" : 1476789680, "modDate" : 1476789680 }
  • 12.
    Step4.-Multitenancy (I) Orion ContextBroker is multitenant Logical databases isolated, each one containing data from different organizations or domains Tenant is a “service” in FIWARE terminology. Aka a “Domain” in OpenStack terminology A tenant can be composed by multiple child sub- tenants “subservice” in FIWARE terminology Aka a “Project” in OpenStack terminology
  • 13.
    Step4.-Multitenancy (II) The wayto address tenants are HTTP headers Fiware-Service : <<Tenant_Name>> Fiware-Servicepath: <<Subservice_Name>> Subtenants follow a hierarchical structure and there is a default subtenant, root one (‘/’) Example: Fiware-service: weather Fiware-servicepath: /Spain A pair (service, subservice) is used for security
  • 14.
    Step4.-Multitenancy (III) TENANT="Fiware-Service:$1" SUBSERVICE="Fiware-ServicePath:/$2" curl localhost:1026/v2/entities--header $TENANT --header $SUBSERVICE -s -S --header 'Content-Type: application/json' -d @- <<EOF { "id": "WeatherObserved-6789", "type": "WeatherObserved", "temperature": { "value": 23, "type": "Number" }, …… } EOF ● Creating an entity in a (tenant , subtenant)
  • 15.
    Step4.-Multitenancy (IV) $mongo > showdbs local 0.000GB orion 0.000GB orion-example_a 0.000GB orion-london 0.000GB orion-weather 0.000GB There will be as many databases as tenants available “orion” is the DB which stores data in the default tenant DB name is “orion-” + <<tenant_name>> To query data of a tenant just issue regular NGSIv2 requests using Fiware-Service and Fiware-Servicepath headers
  • 16.
    Deeping dive Adding asecurity layer to the data & control broker 16
  • 17.
    TargetArchitectureusingfiwaresecuritystack Data & Control Broker (Orion) mongoDB Application (DataConsumer) Identity Manager (Keystone) Authorization PDP (Keypass) PEP Proxy (Steelskin) Token validation (domain, project, role) Is authorized? Allow or Deny NGSIv2 Registration App NGSIv2 Add user Domain, Project, Roles Token Developer Data ingestionGet token Internet / VPN Operator Infrastructure I9 I8 IoT Devices Open Data Sources
  • 18.
    Step4.-Securitystack-preparation Security stack usesMySQL to store configuration data $ docker run --name mysql -d -p 3306:3306 -h mysql -v $HOME/data/mysql:/var/lib/mysql -e "MYSQL_ROOT_PASSWORD=gsma" -e "MYSQL_DATABASE=keypass" -e "MYSQL_USER=keypass" -e "MYSQL_PASSWORD=keypass" mysql:5.5 Check that everything is ok. Above command creates a database named “keypass” used later. $ docker exec -it mysql bash mysql --user=root --password=gsma mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keypass | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.00 sec)
  • 19.
    Step4.1.-keystone(I) Keystone is anopen source project hosted by OpenStack OSS Community https://github.com/openstack/keystone (Apache 2.0 license) Keystone is an Identity Manager service capable of storing information about domains, project, users, groups or roles Keystone is in charge of generating tokens which can be used to get access to services requiring credentials For this exercise we will be using a keystone image
  • 20.
    Step4.1.-keystone(II) Running keystone $ dockerrun --name keystone -d -p 5001:5001 --link mysql -h keystone telefonicaiot/fiware-keystone-spassword -dbhost mysql -default_pwd 4pass1w0rd -mysql_pwd gsma Sanity check operations $ docker logs keystone $ docker exec -it keystone bash (to open a shell session on the container) $ curl -s -S http://localhost:5001/v3 | python -mjson.tool Once we have a keystone instance up and running different REST requests can be issued http://developer.openstack.org/api-ref/identity/v3/index.html
  • 21.
    $ docker exec-it mysql bash root@mysql:/# mysql --user=root --password=gsma mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keypass | | keystone | | mysql | | performance_schema | +--------------------+ mysql> use keystone; Step4.1.-keystone(II-B) show tables; +-----------------------+ | Tables_in_keystone | +-----------------------+ | assignment | | credential | | domain | | endpoint | | group | | migrate_version | | policy | | project | | region | | role | | service | | spassword | | token | | trust | | trust_role | | user | | user_group_membership | +-----------------------+ Checking keystone has created its database properly
  • 22.
    Step4.1.-keystone(III) Remember: Fiware-Service → Domainin Keystone Fiware-Servicepath → Project in Keystone A developer will register in Keystone as user in a domain <-> Developer can get access to the data offered by the corresponding FIWARE service (tenant) We will later show how this works in practice
  • 23.
    Step4.1.-keystone(IV) List all domains curl-s -S --header x-auth-token:4pass1w0rd http://localhost:5001/v3/domains/ | python - mjson.tool { "domains": [ { "enabled": true, "id": "8b883aaa740e4d75b91095eaa550b35c", "links": { "self": "http://localhost:5001/v3/domains/8b883aaa740e4d75b91095eaa550b35c" }, "name": "admin_domain" }, { "description": "Owns users and tenants (i.e. projects) available on Identity API v2.", "enabled": true, "id": "default", "links": { "self": "http://localhost:5001/v3/domains/default" }, "name": "Default" } ]
  • 24.
    Step4.1.-keystone(V) List all users curl-s -S --header x-auth-token:4pass1w0rd http://localhost:5001/v3/users/ | python - mjson.tool "users": [ { "description": "Cloud service", "domain_id": "8b883aaa740e4d75b91095eaa550b35c", "enabled": true, "id": "02cd3dbb6ceb48eb92588c7885bbcc1f", "links": { "self": "http://localhost:5001/v3/users/02cd3dbb6ceb48eb92588c7885bbcc1f" }, "name": "pep" }, { "description": "Cloud administrator", "domain_id": "8b883aaa740e4d75b91095eaa550b35c", "enabled": true, "id": "177cf5a4d12e4f85b7b65cbcac6d9697", "links": { "self": "http://localhost:5001/v3/users/177cf5a4d12e4f85b7b65cbcac6d9697" }, "name": "cloud_admin" }
  • 25.
    Step4.1.-keystone(VI) Get a tokenfor the cloud_admin user curl localhost:5001/v3/auth/tokens -s -S --header 'Content-Type: application/json' -d @- <<EOF { "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "cloud_admin", "domain": { "name": "admin_domain" }, "password": "4pass1w0rd" } } } } } EOF HTTP/1.1 201 Created X-Subject-Token: 19e200834a3f4e149c7f4033a003a8f4
  • 26.
    Step4.2.-keypass.-authPDP(I) keypass is animplementation of the FIWARE Authorization PDP (Policy Decision Point) Keypass is an open source project hosted at https://github.com/telefonicaid/fiware-keypass License is Apache 2.0 It complies with XACML (eXtensible Access Control Markup Language) v3.0. It provides an API to get authorization decisions based on authorization policies
  • 27.
    Step4.2.-keypass.-AuthPDP(II) Running keypass $ dockerrun --name keypass -d -p 7070:7070 -h keypass --link mysql telefonicaiot/fiware- keypass -dbhost mysql $ docker logs keypass $ curl --header 'Fiware-Service: dummy' localhost:7070/version 1.2.1
  • 28.
    Step4.3.-Steelskin.-PEPproxy (I) Steelskin isan implementation of the FIWARE PEP (Policy Enforcement Point) Steelskin is an open source project hosted at https://github.com/telefonicaid/fiware-pep-steelskin License is Affero GPL 3.0 A proxy which ensures that only authorized users are able to perform requests against the Data & Control Broker https://github.com/telefonicaid/fiware-pep-steelskin#-rules-to-determine-the- context-broker-action-from-the-request
  • 29.
    Step4.3.-Steelskin.-PEPproxy (II) Running: $ dockerrun -d --name pep -p 1027:1026 --link orion --link keystone --link keypass -e LOG_LEVEL=DEBUG -e AUTHENTICATION_HOST=keystone -e AUTHENTICATION_PORT=5001 -e ACCESS_HOST=keypass -e ACCESS_PORT=7070 -e TARGET_HOST=orion -e TARGET_PORT=1026 -e PROXY_USERNAME=pep -e PROXY_PASSWORD=4pass1w0rd telefonicaiot/fiware-pep-steelskin $ docker logs pep $ docker exec -it pep bash → $ curl localhost:11211/version { "version": "1.2.0-next", "port":1026 }
  • 30.
    Step4.3.-Steelskin.-PEPproxy(III) Remember: Given anHTTP Request (x-auth-token, fiware- service, fiware-servicepath) First PEP queries keystone to validate the auth token and obtain (user, domain, role in project) Then, PEP queries keypass to obtain the authorization policies for the role in question A match between subject policies and the requested operation is done If the requested operation is allowed, the HTTP request is forwarded to the Data & Control Broker If not a non-authorized error is raised curl localhost:1027/v2/entities
  • 31.
    STEP5.-Usingthemalltogether $ docker ps-a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d18f7dbe7f75 telefonicaiot/fiware-pep-steelskin "/bin/sh -c bin/pepPr" 16 minutes ago Up 16 minutes 11211/tcp, 0.0.0.0:1027->1026/tcp pep 7e1853f0e2c4 telefonicaiot/fiware-keypass "/opt/keypass/keypass" 45 minutes ago Up 45 minutes 0.0.0.0:7070-7071->7070-7071/tcp keypass c4f6ab6c390f telefonicaiot/fiware-keystone-spassword "/opt/keystone/keysto" About an hour ago Up About an hour 0.0.0.0:5001->5001/tcp keystone 5bf5d7e8b284 mysql:5.5 "docker-entrypoint.sh" 18 hours ago Up 18 hours 0.0.0.0:3307->3306/tcp mysql 6c63cee20ae2 fiware/orion:1.4.1 "/usr/bin/contextBrok" 24 hours ago Up 24 hours 0.0.0.0:1026->1026/tcp orion 4f1d9298fb70 mongo:3.2 "/entrypoint.sh mongo" 24 hours ago Up 24 hours 0.0.0.0:27017->27017/tcp mongo
  • 32.
    Step5.1.-Orchestratortotherescue Manual provision ofconfigurations of the three security components can be cumbersome TEF has developed an open source project (named orchestrator) that helps to provide security configurations https://github.com/telefonicaid/orchestrator License is Affero GPL 3.0 It can be instantiated as a service but there are some useful scripts which can be used https://github.com/telefonicaid/orchestrator/blob/master/SCRIPTS.md
  • 33.
    Step5.2.-configuringaservice(tenant) $ git clonehttps://github.com/telefonicaid/orchestrator $ cd orchestrator $ pip install -r requirements.txt $ export PYTHONPATH=$PYTHONPATH:$HOME/gsma/orchestrator/src cd $HOME/gsma/orchestrator/src ./orchestrator/commands/createNewService.py http localhost 5001 admin_domain cloud_admin 4pass1w0rd weatherdata "Weather Data" weather_admin weather_admin_PWD http localhost 7070 Checking that everything went ok ./orchestrator/commands/printServices.py http localhost 5001 admin_domain cloud_admin 4pass1w0rd
  • 34.
    Step5.3.-configuringaSub-service $ export PYTHONPATH=$PYTHONPATH:$HOME/gsma/orchestrator/src cd$HOME/gsma/orchestrator/src ./orchestrator/commands/createNewSubService.py http localhost 5001 weatherdata weather_admin weather_admin_PWD "Spain" "Weather in Spain" Checking that everything went ok ./orchestrator/commands/printSubServices.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Now we have a pair (Fiware-Service, Fiware-Servicepath) → (‘weatherdata’, ‘/Spain`) We can check that we can get access to data 1/ obtain a token for the `weather_admin’ user Ex. `5bb5c6e310814b93a01d74385fe52bef` 2/ issue a GET request through the PEP proxy curl localhost:1027/v2/entities --header 'Fiware-Service:weatherdata' --header 'Fiware-Servicepath:
  • 35.
    Step5.4.-addingadeveloperwithconsumerpermissions $ ./orchestrator/commands/createNewServiceUser.py httplocalhost 5001 weatherdata weather_admin weather_admin_PWD developer1 developer1_PWD Checking that everything went ok ./orchestrator/commands/printServiceUsers.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Now we need to assign the role “SubServiceCustomer” to the user ‘developer1’ ./orchestrator/commands/assignRoleSubServiceUser.py http localhost 5001 weatherdata Spain weather_admin weather_admin_PWD SubServiceCustomer developer1 Checking that everything went ok ./orchestrator/commands/listSubServiceRoleAssignments.py http localhost 5001 weatherdata weather_admin weather_admin_PWD Spain True Now ‘developer1’ is able to query weather data on the sub-service ‘Spain’. However he cannot provide data as his role is ‘SubServiceCustomer’
  • 36.
    Step5.5.-gettingaccesstodatawith‘developer1’ (I) First ofall a token must be obtained . Then : $ curl -s -S localhost:1027/v2/entities --header 'Fiware-service:weatherdata' --header 'Fiware-servicepath:/Spain' --header 'x-auth-token:36a1d0558612473da438c93d74d4aefc' | python -mjson.tool [ { "barometricPressure": { "metadata": {}, "type": "Number", "value": 720 }, "dateObserved": { "metadata": {}, "type": "DateTime", "value": "2016-10-18T11:08:20.00Z" }, "id": "WeatherObserved-6789", "type": "WeatherObserved" } ]
  • 37.
    Step5.5.-gettingaccesstodatawith‘developer1’ (II) An attemptto create a new entity on (weatherdata,/Spain) will fail curl localhost:1027/v2/entities -s -S --header 'Content-Type: application/json' --header 'Fiware- Service:weatherdata' --header 'Fiware-servicepath:/Spain' --header 'x-auth-token:36a1d0558612473da438c93d74d4aefc' -d @- <<EOF { "id": "WeatherObserved-4567", …. } EOF { "name": "ACCESS_DENIED", "message": "The user does not have the appropriate permissions to access the selected action" } Developer will need to be assigned the role ‘SubServiceAdmin’ in order to be able to post new data
  • 38.
    What’shappeningbehindthescenes A set ofpredefined policies have been pre-populated to the ‘keypass’ database docker exec -it mysql mysql --user=keypass --password=keypass mysql> use keypass; select policy from Policies; Relevant policies are https://github.com/telefonicaid/orchestrator/blob/master/src/orchestrator/core /policies/policy-orion-customer.xml https://github.com/telefonicaid/orchestrator/blob/master/src/orchestrator/core /policies/policy-orion-admin.xml
  • 39.
    Andfinally... Remember to removeold docker containers (exited) $ docker rm <container> You should only expose the IdM (for tokens) and the PEP Proxy (ports) to the developer Ensure the mounted volumes for database data have enough space for the data to be stored Remember, you can open a shell session on a container $ docker exec -it <<container_name> bash And then get access to the logs, databases, local services, ….
  • 40.
  • 41.