Last active October 10, 2016 13:46
Gist: dstanek/2ed837563ff9bdb26fb9453ea40938a2
An Ansible playbook for taking an Ubuntu 16.04 node and turning it into a testshib
service provider for testing keystone/horizon federation.

Roles can be found here:
* https://galaxy.ansible.com/dstanek/devstack/
* https://galaxy.ansible.com/dstanek/keystone-sp/

Steps:
1. Create a new VM (Rackspace, Virtualbox, whatever)
2. Run 'ansible-playbook -i "[ip address]," playbook.yml' where [ip address] is your VM's IP.
3. Register your metadata
   a. Download http://[ip address]/Shibboleth.sso/Metadata giving the file a unique name
   b. Upload the metadata to https://www.testshib.org/register.html
4. Assign the 'admin' role to the 'finance_admins' group for the 'finance' domain (this doesn't work in ansible for some reason)
   a. Log in to your VM
   b. Run 'openstack --os-cloud devstack-admin role add --group finance_admins --domain finance admin'
5. Visit horizon and log in using SAML2!

Created organization:
* Domain 'finance'
* Project 'accounting'
* Groups 'finance_admins', 'Member'

Notes:
* User 'myself' is just a member of the accounting project
* User 'alterego' is a domain admin for 'finance'
* User 'superego' is a cloud admin
playbook.yml:

---
- name: Setup devstack on a node
  hosts: all
  gather_facts: true
  remote_user: root
  vars:
    devstack_username: ubuntu
  pre_tasks:
    - name: Install packages required by Ansible
      package:
        name: "{{ item }}"
        state: latest
      with_items:
        - aptitude
      when: ansible_os_family == 'Debian'
    - name: Update the system packages
      apt:
        upgrade: full
      when: ansible_os_family == 'Debian'
    - name: Install packages required by Ansible
      package:
        name: "{{ item }}"
        state: latest
      with_items:
        - libselinux-python
      when: ansible_os_family == 'RedHat'
  roles:
    - dstanek.devstack
  tags:
    - devstack-setup

- name: Setup a keystone service provider using testshib
  hosts: all
  gather_facts: true
  remote_user: root
  vars:
    admin_os_cloud: devstack-admin
    keystone_sp_idps:
      - name: testshib
        remote_id: https://idp.testshib.org/idp/shibboleth
        metadata_uri: http://www.testshib.org/metadata/testshib-providers.xml
    keystone_sp_hostname: "{{ inventory_hostname }}"
    keystone_sp_dashboard_hostname: "{{ inventory_hostname }}"
  pre_tasks:
    - name: Install Python packages required by Ansible
      pip:
        name: "{{ item }}"
        state: latest
      with_items:
        - shade
  post_tasks:
    # Fetch the SP metadata that Shibboleth generates so it can be registered with the IdP.
    - name: Get service provider metadata
      uri:
        url: "http://{{ inventory_hostname }}/Shibboleth.sso/Metadata"
        return_content: yes
      register: sp_metadata
      tags:
        - keystone-sp-registration
    - debug: var=sp_metadata
      tags:
        - keystone-sp-registration
    # Step 3 of the README does this upload by hand through the testshib web form.
    - name: Register metadata with testshib.org
      uri:
        url: https://www.testshib.org/procupload.php
        method: POST
        body: "file={{ sp_metadata['content']|urlencode }}"
      register: registered
      tags:
        - keystone-sp-registration
    - debug: var=registered
      tags:
        - keystone-sp-registration
  roles:
    - keystone-sp
  tags:
    - keystone-setup

- name: Wrap up
  hosts: all
  connection: local
  gather_facts: false
  tasks:
    - name: Dashboard URL
      debug:
        msg: "Visit the horizon dashboard at http://{{ inventory_hostname }}/dashboard"
      tags:
        - info
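Before the metadata fetched in step 3 (or by the "Get service provider metadata" task above) is handed to an IdP, it is worth checking what it actually publishes. The Python below is an added example, not part of the gist: it parses the SAML 2.0 EntityDescriptor, confirms that the entityID and every AssertionConsumerService point at the expected host, and flags plain-http endpoints (the playbook serves the SP over http, so assertions POSTed back to it would travel unencrypted). The hostname sp.example.test and the sample metadata are constructed.

```python
"""Sanity-check SAML 2.0 SP metadata before registering it with an IdP (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ACS_PATH = "{%s}SPSSODescriptor/{%s}AssertionConsumerService" % (MD_NS, MD_NS)

# Constructed stand-in for what /Shibboleth.sso/Metadata returns; the second
# AssertionConsumerService deliberately uses plain http so the check has something to flag.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_host):
    """Return a list of findings; an empty list means the metadata looks sane."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        return ["root element is not md:EntityDescriptor"]
    findings = []
    entity_id = root.get("entityID", "")
    if urlparse(entity_id).hostname != expected_host:
        findings.append("entityID %r is not on %s" % (entity_id, expected_host))
    acs_list = root.findall(ACS_PATH)
    if not acs_list:
        findings.append("no AssertionConsumerService endpoints")
    for acs in acs_list:
        index = acs.get("index")
        loc = urlparse(acs.get("Location", ""))
        if loc.hostname != expected_host:
            findings.append("ACS %s points at foreign host %r" % (index, loc.hostname))
        if loc.scheme != "https":
            # The IdP would POST the signed assertion to this URL unencrypted.
            findings.append("ACS %s uses %s, assertions would travel in the clear" % (index, loc.scheme))
    return findings


if __name__ == "__main__":
    for finding in check_sp_metadata(SAMPLE_METADATA, "sp.example.test"):
        print(finding)
```

To run it against a live node, replace SAMPLE_METADATA with the body downloaded from http://[ip address]/Shibboleth.sso/Metadata and pass that IP or hostname as expected_host.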
I'm not sure if there's an easier way to do this, but I found that to change users I needed to
- in Horizon hit logout
- go to https://idp.testshib.org/idp/Authn/UserPassword and clear cookies
- in Horizon clear the _shibsession* cookie
- attempt login again
keystone-sp lists 2.1 as a requirement. I run this from my Fedora laptop, which uses 2.1.
I normally use a private/incognito window for logging in so I can just close and reopen as another user.
Also, keystone-sp failed because I was running the 2.0 version of ansible from Ubuntu. My setup commands prior to running ansible-playbook are: