With the addition of K2K-specific tests in the tempest plugin and a
config toggle in the plugin to disable use of the external IdP, we can
safely add a voting federation job. This also fixes the devstack plugin
to install the xmlsec1 tool which is needed for K2K.
Change-Id: I9dc634e073657ff337751ec67363a57bd10e20d4
Depends-on: https://review.opendev.org/689222
Modify the install_federation function for adding Shibboleth
installation for OpenSUSE in federation.sh, and also modify
uninstall_federation function for removing Shibboleth packages
when running `./unstack.sh`.
Partial-bug: #1757000
Change-Id: Ic3e0c37cff4d0dd3336521bac13da550fa6edfcf
Modify the install_federation function for adding Shibboleth repo
and installation for CentOS in federation.sh, and also modify
uninstall_federation function for removing Shibboleth packages
when running `./unstack.sh`.
Partial-bug: #1757000
Change-Id: I8c0f63d0a4fe19eab58e7cba3c49905f35266f9d
testshib.org is no longer maintained and has been broken for some
time[1]. Use the new samltest.id provider instead.
This is not a permanent solution, this is a stopgap measure until we
configure our own IdP in the devstack plugin.
[1] https://marc.info/?l=shibboleth-users&m=154056288800549&w=2
Change-Id: Ifa514395d9cdb2197ef8a43885ec598483dd7a38
The upload_sp_metadata function is testshib specific and should
only be called when the identity provider is testshib.
Change-Id: I0dac596a51197417a3ceb8b2e1f4db5db108e84f
Keystone was complaining about not being able to load the
remote_id_attribute in the mapped group [0]. Since moving
to uwsgi, restarting keystone is done separately from apache,
so the configuration file wasn't being reloaded. Added a line
to restart the keystone service.
Also added a line to restart apache after configuration.
[0] http://paste.openstack.org/show/616498/
Change-Id: I4e7c04241c5058152529f8c95963be6f05f51a51
Closes-Bug: 1700847
* In shibboleth2.xml make the ENTITY_ID and METADATA_URL
configurable.
* Copy over an attribute map that includes support for
keystone as an idp attributes.
bp devstack-plugin
Change-Id: I40157b00e5d084dcc6bb5b1f4be7d9cd3a8a0fc7
[0] switched keystone to use uwsgi and mod_proxy_uwsgi by default
instead of mod_wsgi breaking the Devstack plugin which assumed
the latter. This commit fixes the Devstack plugin to work with
both and therefore fixes the functional v3 only gates which
are currently broken.
[0]. I46294fb24e3c23fa19fcfd7d6c9ee8a932354702
Change-Id: Iaffb3f18fd0f1444a6b6067d63474c27eb1bd13d
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.
Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4
This patch adds a function to configure the settings for test cases. It
currently sets the needed settings for the first federation scenario
test (follow up patch). If needed, additional settings can be added.
Change-Id: I5f0d0b5eeee1d8f03b38a2eb4cdc2101d3dccaa1
This leads to some bug where we can't rerun ./stack.sh.
The error displayed is:
[ERROR] /home/stack/devstack/lib/keystone:599 keystone did not start
Change-Id: I452cf2a023195fa64bb39953d5a3c32acda035ce
In order to register the service provider in testshib, we need to upload
its metadata.
Also makes some minor fixes.
Change-Id: Idfe0eb016370e7776de3525a813d0535cfc75e27
In a previous patch, I implemented a Devstack plugin to enable
federation and idp features in keystone. The plugin was to be
configured from environment variables for the idp entityID, metadata,
sp_auth_url, sp_url, etc. Providing an endless and untestable matrix
of combinations. Therefore the review was gathering dust waiting for
brave reviewers.
This review extracts the meat of the previous patch and removes all
the configuration options. This plugin now does one thing only: It
installs mod_shibboleth and sets up testshib.org as the IdP for keystone.
While testshib.org will not be used in our functional testing, this
is a necessary first step to make such complex changes more testable
reproducible and reviewable.
A follow-up patch will install a shibboleth-idp, and either that one,
or a later one, will switch from testshib.org to the local shibboleth.
This plugin will not yet be run as part of the gate, as "enable_service
federation" needs to be added to the Devstack options.
To run add the following after the lines that set up keystone from a
gerrit review:
enable_plugin keystone $KEYSTONE_REPO
enable_service keystone-saml2-federation
Change-Id: I6f7491ff063359d7065c77b00fe5bfc76f8587d6
This review creates the structure for the Devstack plugin and
prints to the console to ensure its execution in the gate.
Follow-up reviews will do more useful stuff like setting up
the environment for our functional testing (ldap, federation).
Change-Id: I820ae355ae8f3183fee2b8207e3c17e8bd10dc17
