openstack/tacker
Code Issues Proposed changes

Revised the OAuth 2.0 Admin doc structure

Browse Source 
This patch revises the structure of OAuth 2.0 Admin document by
separating the Tacker as an API server and Tacker as an API client.
And separates the HTTPS/mTLS document from the Oauth 2.0 document.

Change-Id: I15fc20e49ebb39eea346c8a475db8b22b600d301
Depends-On: I2deb71242f555bbae5ee7c798add18490cb38344
This commit is contained in:
Kyaw Myo Thant
2024-10-09 15:35:52 +09:00
parent 4e92f2f130
commit 1a2312bc61
7 changed files with 1842 additions and 1226 deletions
Download Patch File Download Diff File Expand all files Collapse all files

432
doc/source/admin/configure_tls.rst Normal file
View File

@@ -0,0 +1,432 @@
======================================
Configuring HTTPS/mTLS for Tacker APIs
======================================
This document shows how to set up the HTTPS and two-way TLS as called as Mutual
TLS (mTLS) on Tacker APIs. In this guide, the ``$tacker_host_name`` will be
used as the host name for the Tacker APIs.
.. note::
The content of this document has been confirmed to work
using Tacker 2024.1 Caracal.
Preparations
~~~~~~~~~~~~
In order to enable TLS, it is necessary to use a private/public Certificate
Authority (CA) as a root certificate to sign certificates. Although you
typically use certificate issued by a public CA, this guide describes how to
create a private CA to test the HTTPS/mTLS functionality.
.. _Create private key and certificate:
Create a Private Certificate Authority (CA)
-------------------------------------------
If the certificate used for mTLS was issued by a public CA, skip steps 1 and 2.
1. Generate an RSA private key.
.. code-block:: console
$ openssl genrsa -out root_a.key 4096
2. Generate a self-signed certificate.
.. code-block:: console
$ openssl req -new -x509 -key root_a.key -out root_a.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Musashino
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OpenstackORG
Organizational Unit Name (eg, section) []:DevDept
Common Name (e.g. server FQDN or YOUR name) []:root_a.openstack.host
Email Address []:
3. If you need to support multiple root certificates, those root certificates
should be merged and configured on the server. For example, this guide uses
the root_a.pem created previously, and the root_b.pem created in a same way.
When creating the root_b.pem, specify the CN as `root_b.openstack.host`.
In this step, a new multi_ca.pem is created by concatenating two root
certificates.
.. code-block:: console
$ cat root_a.pem >> multi_ca.pem
$ cat root_b.pem >> multi_ca.pem
$ cat multi_ca.pem
-----BEGIN CERTIFICATE-----
MIIF1TCCA72gAwIBAgIUBAofPmi3cxX3/xvz6n3Pi9KjPW4wDQYJKoZIhvcNAQEL
BQAwejELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMRIwEAYDVQQHDAlNdXNh
...
HC1PfWQYli7d+98zz1KXwUkLv9MmBOOnP83wS4upfspTpU1wBK9ZcKFAS5MkpuS6
0x5atdhal1RlulNblqs6TR5W+uiffCJblQRzDMSLLZVzkAULhWqRRkS7PxtKnc2z
cidL67MTrzni
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF1TCCA72gAwIBAgIUICVkJl1df1REQOKdF9VelC3+lEAwDQYJKoZIhvcNAQEL
BQAwejELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMRIwEAYDVQQHDAlNdXNh
...
g+kVxAXPwbrZKTsWMvsCvD0xXs3nC/FKmlPx5VL+6smAKPTWQr9M/k+4voviboms
V59KPLVlmxKE
-----END CERTIFICATE-----
Create Private Key and Certificate
----------------------------------
In order to enable TLS, it is necessary to create a private key and
certificate. Although you typically use a certificate issued by a public CA,
this guide describes how to create a self-signed certificate using private CA
to test the mTLS functionality. If the certificate used for mTLS was issued by
a public CA, skip these steps.
1. Generate an RSA private key.
.. code-block:: console
$ openssl genrsa -out tacker_api.key 4096
2. Create a certificate signing request.
.. code-block:: console
$ openssl req -new -key tacker_api.key -out tacker_api.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Musashino
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OpenstackORG
Organizational Unit Name (eg, section) []:DevDept
Common Name (e.g. server FQDN or YOUR name) []:$tacker_host_name
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Use the root certificate created in previous section to self-sign the
certificate.
.. code-block:: console
$ openssl x509 -req -in tacker_api.csr \
-CA root_a.pem -CAkey root_a.key -CAcreateserial \
-out tacker_api.pem -days 365 -sha384
Certificate request self-signature ok
subject=C = JP, ST = Tokyo, L = Musashino, O = OpenstackORG, OU = DevDept, CN = $tacker_host_name
Guide for Enabling HTTPS
~~~~~~~~~~~~~~~~~~~~~~~~
You can configure HTTPS in Tacker APIs by following these steps.
Configure HTTPS for Tacker APIs
-------------------------------
1. Modify the :doc:`/configuration/config` to enable SSL to implement HTTPS
support for the Tacker APIs.
.. code-block:: console
$ vi /etc/tacker/tacker.conf
[DEFAULT]
# Enable SSL on the API server (boolean value)
use_ssl = true
# Certificate file to use when starting the server securely (string value)
ssl_cert_file = /etc/tacker/tacker_api.pem
# Private key file to use when starting the server securely (string value)
ssl_key_file = /etc/tacker/tacker_api.key
[v2_vnfm]
# Endpoint of VNFM (self). (string value)
endpoint = https://$tacker_host_name:9890
[vnf_lcm]
# endpoint_url (string value)
endpoint_url = https://$tacker_host_name:9890/
2. Restart tacker service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart devstack@tacker
Verify HTTPS access to Tacker APIs
----------------------------------
1. Try access the Tacker APIs via HTTPS protocol to confirm that the
service has been successfully configured.
.. code-block:: console
$ curl -i -X GET https://$tacker_host_name:9890/ \
--cacert multi_ca.pem
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 122
Date: Tue, 01 Oct 2024 03:15:23 GMT
{"versions": [{"id": "v1.0", "status": "CURRENT", "links": [{"rel": "self", "href": "https://$tacker_host_name:9890/v1.0"}]}]}
2. When Tacker is switched to HTTPS, user can not access the Tacker APIs via
HTTP protocol.
.. code-block:: console
$ curl -i -X GET http://$tacker_host_name:9890/
curl: (52) Empty reply from server
.. _openstack HTTPS:
Enable Openstack Command to Use HTTPS-enabled Tacker APIs
---------------------------------------------------------
1. You have to set environment variable of the CA certificate to verify the
Tacker server certificate for accessing HTTPS-enabled Tacker APIs.
.. code:: console
$ export OS_CACERT=/opt/stack/certs/multi_ca.pem
2. Change the nfv-orchestration endpoints to access HTTPS-enabled Tacker APIs.
.. code-block:: console
$ openstack endpoint list --service nfv-orchestration
+----------------------------------+-----------+--------------+-------------------+---------+-----------+--------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+-------------------+---------+-----------+--------------------------------+
| 1d48e6e978c442b988f22ebc2cf2581e | RegionOne | tacker | nfv-orchestration | True | admin | http://$tacker_host_name:9890/ |
| 4d687048030942cb8dea98e84ff7d596 | RegionOne | tacker | nfv-orchestration | True | internal | http://$tacker_host_name:9890/ |
| acd08fcab9164fc89aabbc627771a499 | RegionOne | tacker | nfv-orchestration | True | public | http://$tacker_host_name:9890/ |
+----------------------------------+-----------+--------------+-------------------+---------+-----------+--------------------------------+
$ openstack endpoint set 1d48e6e978c442b988f22ebc2cf2581e --url https://$tacker_host_name:9890/
$ openstack endpoint set 4d687048030942cb8dea98e84ff7d596 --url https://$tacker_host_name:9890/
$ openstack endpoint set acd08fcab9164fc89aabbc627771a499 --url https://$tacker_host_name:9890/
$ openstack endpoint list --service nfv-orchestration
+----------------------------------+-----------+--------------+-------------------+---------+-----------+---------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+-------------------+---------+-----------+---------------------------------+
| 1d48e6e978c442b988f22ebc2cf2581e | RegionOne | tacker | nfv-orchestration | True | admin | https://$tacker_host_name:9890/ |
| 4d687048030942cb8dea98e84ff7d596 | RegionOne | tacker | nfv-orchestration | True | internal | https://$tacker_host_name:9890/ |
| acd08fcab9164fc89aabbc627771a499 | RegionOne | tacker | nfv-orchestration | True | public | https://$tacker_host_name:9890/ |
+----------------------------------+-----------+--------------+-------------------+---------+-----------+---------------------------------+
3. Execute a tacker command to confirm that OpenStack command can access the
Tacker APIs successfully.
.. code-block:: console
$ openstack vim list
+--------------------------------------+--------------+----------------------------------+------------+------------+--------+
| ID | Name | Tenant_id | Type | Is Default | Status |
+--------------------------------------+--------------+----------------------------------+------------+------------+--------+
| ce04bbe5-3ffe-449f-ba2a-69c0a747b9ad | test-vim-k8s | 2e189ea6c1df4e4ba6d89de254b3a534 | kubernetes | True | ACTIVE |
+--------------------------------------+--------------+----------------------------------+------------+------------+--------+
$ openstack vnf package list
+--------------------------------------+------------------+------------------+-------------+-------------------+---------------------------------------------------------+
| Id | Vnf Product Name | Onboarding State | Usage State | Operational State | Links |
+--------------------------------------+------------------+------------------+-------------+-------------------+---------------------------------------------------------+
| 718e94a6-dfbf-48a4-8c6f-eaa541063a1b | Sample VNF | ONBOARDED | IN_USE | ENABLED | { |
| | | | | | "self": { |
| | | | | | "href": "/vnfpkgm/v1/vnf_packages/718e94a6- |
| | | | | | dfbf-48a4-8c6f-eaa541063a1b" |
| | | | | | }, |
| | | | | | "packageContent": { |
| | | | | | "href": "/vnfpkgm/v1/vnf_packages/718e94a6- |
| | | | | | dfbf-48a4-8c6f-eaa541063a1b/package_content" |
| | | | | | } |
| | | | | | } |
+--------------------------------------+------------------+------------------+-------------+-------------------+---------------------------------------------------------+
$ openstack vnflcm list --os-tacker-api-version 2
+--------------------------------------+-------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
| ID | VNF Instance Name | Instantiation State | VNF Provider | VNF Software Version | VNF Product Name | VNFD ID |
+--------------------------------------+-------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
| 703148ca-addc-4226-bee8-ef73d81dbbbf | | INSTANTIATED | Company | 1.0 | Sample VNF | eb37da52-9d03-4544-a1b5-ff5664c7687d |
+--------------------------------------+-------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
Guide for Enabling Two-way TLS/mTLS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Two-way TLS as called as mTLS is contemporary versions of TLS `RFC5246`_
`RFC8446`_, that requires not only the server but also the client to send the
Certificate along with CertificateVerify messages during the handshake and for
the server to verify the CertificateVerify and Finished messages. The following
steps describes how to set up mTLS in Tacker APIs.
Configure mTLS for Tacker APIs
------------------------------
.. note::
In OAuth 2.0 Mutual-TLS client authentication by tls client certificate, you
have to create the client certificate with the specific Subject Distinguished
Names, eg: Common Name(CN), that is required by authorization server.
1. Modify the :doc:`/configuration/config` to enable mTLS support for the
Tacker APIs.
.. code-block:: console
$ vi /etc/tacker/tacker.conf
[DEFAULT]
# Enable SSL on the API server (boolean value)
use_ssl = true
# Certificate file to use when starting the server securely (string value)
ssl_cert_file = /etc/tacker/tacker_api.pem
# Private key file to use when starting the server securely (string value)
ssl_key_file = /etc/tacker/tacker_api.key
# CA certificate file to use to verify connecting clients (string value)
ssl_ca_file = /etc/tacker/multi_ca.pem
[v2_vnfm]
# Endpoint of VNFM (self). (string value)
endpoint = https://$tacker_host_name:9890
[vnf_lcm]
# endpoint_url (string value)
endpoint_url = https://$tacker_host_name:9890/
2. Restart tacker service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart devstack@tacker
Verify mTLS access to Tacker APIs
---------------------------------
1. Try access the Tacker APIs via mTLS protocol to confirm that the service has
been successfully configured. To access Tacker APIs via mTLS, it is required
to create a private key and certificate also for the client. You can follow
the same step in the previous section of :ref:`Create private key and
certificate` to create the client private key and certificate. In this
example, private key ``client.key`` and certificate ``client.pem`` is
created with the root CA which CN is `root_b.openstack.host`.
.. code-block:: console
$ curl -i -X GET https://$tacker_host_name:9890/ \
--cacert multi_ca.pem \
--cert client.pem \
--key client.key
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 120
Date: Tue, 01 Oct 2024 05:46:05 GMT
{"versions": [{"id": "v1.0", "status": "CURRENT", "links": [{"rel": "self", "href": "https://$tacker_host_name:9890/v1.0"}]}]}
2. When Tacker is switched to mTLS, user can not access the Tacker APIs via
HTTPS protocol meaning without sending client certificate.
.. code-block:: console
$ curl -i -X GET https://$tacker_host_name:9890/ \
--cacert multi_ca.pem
curl: (56) OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0
Enable Openstack Command to Use mTLS-enabled Tacker APIs
--------------------------------------------------------
1. For using openstack command to access mTLS-enabled Tacker APIs, addition to
CA certificate, the client private key and certificate that send to the
server for verifying the client have to be set in environment variables.
.. code-block:: console
$ export OS_CACERT=/opt/stack/certs/multi_ca.pem
$ export OS_KEY=/opt/stack/certs/client.key
$ export OS_CERT=/opt/stack/certs/client.pem
2. Change the nfv-orchestration endpoints to access HTTPS-enabled Tacker APIs.
See :ref:`openstack HTTPS` for details on how to change the endpoints.
3. Execute a tacker command to confirm that OpenStack command can access the
Tacker APIs successfully.
.. code-block:: console
$ openstack vim list
+--------------------------------------+--------------+----------------------------------+------------+------------+--------+
| ID | Name | Tenant_id | Type | Is Default | Status |
+--------------------------------------+--------------+----------------------------------+------------+------------+--------+
| ce04bbe5-3ffe-449f-ba2a-69c0a747b9ad | test-vim-k8s | 2e189ea6c1df4e4ba6d89de254b3a534 | kubernetes | True | ACTIVE |
+--------------------------------------+--------------+----------------------------------+------------+------------+--------+
$ openstack vnf package list
+--------------------------------------+------------------+------------------+-------------+-------------------+---------------------------------------------------------+
| Id | Vnf Product Name | Onboarding State | Usage State | Operational State | Links |
+--------------------------------------+------------------+------------------+-------------+-------------------+---------------------------------------------------------+
| 718e94a6-dfbf-48a4-8c6f-eaa541063a1b | Sample VNF | ONBOARDED | IN_USE | ENABLED | { |
| | | | | | "self": { |
| | | | | | "href": "/vnfpkgm/v1/vnf_packages/718e94a6- |
| | | | | | dfbf-48a4-8c6f-eaa541063a1b" |
| | | | | | }, |
| | | | | | "packageContent": { |
| | | | | | "href": "/vnfpkgm/v1/vnf_packages/718e94a6- |
| | | | | | dfbf-48a4-8c6f-eaa541063a1b/package_content" |
| | | | | | } |
| | | | | | } |
+--------------------------------------+------------------+------------------+-------------+-------------------+---------------------------------------------------------+
$ openstack vnflcm list --os-tacker-api-version 2
+--------------------------------------+-------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
| ID | VNF Instance Name | Instantiation State | VNF Provider | VNF Software Version | VNF Product Name | VNFD ID |
+--------------------------------------+-------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
| 703148ca-addc-4226-bee8-ef73d81dbbbf | | INSTANTIATED | Company | 1.0 | Sample VNF | eb37da52-9d03-4544-a1b5-ff5664c7687d |
+--------------------------------------+-------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
.. _`RFC5246`: https://datatracker.ietf.org/doc/html/rfc5246
.. _`RFC8446`: https://datatracker.ietf.org/doc/html/rfc8446

861
doc/source/admin/external_oauth2_usage_guide.rst
View File

File diff suppressed because it is too large Load Diff

12
doc/source/admin/index.rst
View File

@@ -25,15 +25,23 @@ Tacker Admin Guide
Tacker Configuration and Policy: :doc:`/configuration/index`
TLS
---
.. toctree::
:maxdepth: 1
configure_tls
OAuth 2.0
---------
.. toctree::
:maxdepth: 1
oauth2_usage_guide
oauth2_mtls_usage_guide
keystone_oauth2_usage_guide
external_oauth2_usage_guide
oauth2_client_usage_guide
OpenID
------

764
doc/source/admin/keystone_oauth2_usage_guide.rst Normal file
View File

@@ -0,0 +1,764 @@
================================================================
Using Keystone as OAuth 2.0 Authorization Server for Tacker APIs
================================================================
.. note::
The content of this document has been confirmed to work
using Tacker and Keystone 2024.1 Caracal.
Overview
~~~~~~~~
The third-party clients can access the NFV orchestration APIs that is provided
by Tacker via the Client Credentials Grant flow of `RFC6749`_ OAuth 2.0
Authorization Framework. OAuth 2.0 Client Credentials Grant flow is prescribed
in the API specification of `ETSI NFV-SOL013 v3.4.1`_. And Tacker implements
OAuth 2.0 Mutual-TLS Client Authentication based on `RFC8705`_. Tacker uses the
Keystonemiddleware to support OAuth 2.0 Client Credentials Grant and OAuth 2.0
Mutual-TLS Client Authentication through the Keystone identity server.
Preparations
~~~~~~~~~~~~
According to `RFC6749`_, HTTPS must be enabled in the authorization server
since requests include sensitive information in plain text, so it should enable
Tacker to support HTTPS protocols. You can reference this guide to enable HTTPS
for Tacker APIs :doc:`/admin/configure_tls`. For keystone server, reference the
`Configure HTTPS in Identity Service`_.
.. note::
Based on the server environment, this command may have to be run to enable
SSL module in apache2 service when setting up HTTPS protocol for keystone
server.
.. code-block:: console
$ sudo a2enmod ssl
.. note::
If the Keystone identity server supports the HTTPS protocol, set the CA file
and HTTPS auth url for Keystone Server in tacker.conf.
.. code-block:: console
[keystone_authtoken]
#cafile = /opt/stack/data/ca-bundle.pem
cafile = /opt/stack/certs/multi_ca.pem
#auth_url = http://$keystone_host_name/identity
auth_url = https://$keystone_host_name/identity
And if CA files that signed certificates used by the Keystone identity server
and the Tacker server are not the same, it is necessary to add CA file for
Keystone server into ``multi_ca.pem``.
.. code-block:: console
$ cat keystone.host.crt >> multi_ca.pem
Guide for OAuth 2.0 Client Credentials Grant
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To use OAuth 2.0 Client Credentials Grant for Tacker APIs, it is necessary to
confirm that `OAuth 2.0 client credentials`_ is enabled in the Keystone
identity server. In this example, ``$keystone_host_name`` is the domain name
used by the Keystone identity server, and the domain name used by the Tacker
server is ``$tacker_host_name``.
To use OAuth 2.0 Client Credentials Grant in Tacker, you should configure the
Tacker server and the Keystonemiddleware in the following steps.
Enable Client Credentials Grant
-------------------------------
To handle API requests using OAuth 2.0 Client Credentials Grant, you have to
configure the Keystonemiddleware which intercepts API calls from clients and
verifies a client's identity, see `Middleware Architecture`_.
1. Add ``keystonemiddleware.oauth2_token:filter_factory`` to the configuration
file ``api-paste.ini`` to enable OAuth 2.0 Client Credentials Grant.
.. code-block:: console
$ vi /etc/tacker/api-paste.ini
[composite:tackerapi_v1_0]
#keystone = request_id catch_errors authtoken keystonecontext extensions tackerapiapp_v1_0
keystone = request_id catch_errors oauth2token keystonecontext extensions tackerapiapp_v1_0
[composite:vnfpkgmapi_v1]
#keystone = request_id catch_errors authtoken keystonecontext vnfpkgmapp_v1
keystone = request_id catch_errors oauth2token keystonecontext vnfpkgmapp_v1
[composite:vnflcm_v1]
#keystone = request_id catch_errors authtoken keystonecontext vnflcmaapp_v1
keystone = request_id catch_errors oauth2token keystonecontext vnflcmaapp_v1
[composite:vnflcm_v2]
#keystone = request_id catch_errors authtoken keystonecontext vnflcmaapp_v2
keystone = request_id catch_errors oauth2token keystonecontext vnflcmaapp_v2
[composite:vnfpm_v2]
#keystone = request_id catch_errors authtoken keystonecontext vnfpmaapp_v2
keystone = request_id catch_errors oauth2token keystonecontext vnfpmaapp_v2
[composite:vnflcm_versions]
#keystone = request_id catch_errors authtoken keystonecontext vnflcm_api_versions
keystone = request_id catch_errors oauth2token keystonecontext vnflcm_api_versions
[composite:vnffm_v1]
#keystone = request_id catch_errors authtoken keystonecontext vnffmaapp_v1
keystone = request_id catch_errors oauth2token keystonecontext vnffmaapp_v1
[filter:oauth2token]
paste.filter_factory = keystonemiddleware.oauth2_token:filter_factory
2. Restart tacker service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart devstack@tacker
Verify Access to Tacker APIs
----------------------------
Access to the Tacker APIs with the OAuth 2.0 access token to verify that OAuth
2.0 Client Credentials Grant flow works correctly.
1. Obtain client credentials with application credentials API
See the `OAuth 2.0 usage guide`_ and `Application Credentials API`_ for
information about obtaining client credentials (`$oauth2_client_id` and
`$oauth2_client_secret`).
2. Obtain an access token from the `OAuth 2.0 Access Token API`_
.. code-block:: console
$ curl -i -u "$oauth2_client_id:$oauth2_client_secret" \
-X POST https://$keystone_host_name/identity/v3/OS-OAUTH2/token \
-H "application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
--cacert multi_ca.pem
HTTP/1.1 200 OK
Date: Wed, 22 May 2024 05:55:21 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: application/json
Content-Length: 264
Vary: X-Auth-Token
x-openstack-request-id: req-269c250e-5fc8-439b-9d40-8ba6c139a245
Connection: close
{"access_token":"$oauth2_access_token","expires_in":3600,"token_type":"Bearer"}
3. Access the OpenStack Tacker APIs with the OAuth 2.0 access token to confirm
that OAuth 2.0 Client Credentials Grant flow works correctly
.. code-block:: console
$ curl -i -X GET "https://$tacker_host_name:9890/v1.0/vims" \
-H "Authorization: Bearer $oauth2_access_token" \
--cacert multi_ca.pem
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 736
X-Openstack-Request-Id: req-75594c93-dc19-49cd-9da5-6f8e9b7a7a03
Date: Wed, 22 May 2024 05:59:43 GMT
{"vims": [{"id": "84517803-0e84-401e-ad75-8f6b8ab0a3b6", "type": "openstack", "tenant_id": "d53a4605d776472d846aed35735d3494", "name": "openstack-admin-vim", "description": "", "placement_attr": {"regions": ["RegionOne"]}, "is_default": true, "created_at": "2024-06-03 14:29:08", "updated_at": null, "extra": {}, "auth_url": "https://$keystone_host_name/identity/v3", "vim_project": {"name": "nfv", "project_domain_name": "Default"}, "auth_cred": {"username": "nfv_user", "user_domain_name": "Default", "cert_verify": "False", "project_id": null, "project_name": "nfv", "project_domain_name": "Default", "auth_url": "https://$keystone_host_name/identity/v3", "key_type": "barbican_key", "secret_uuid": "***", "password": "***"}, "status": "ACTIVE"}]}
$ curl -i -X GET "https://$tacker_host_name:9890/vnfpkgm/v1/vnf_packages" \
-H "Authorization: Bearer $oauth2_access_token" \
--cacert multi_ca.pem
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 498
X-Openstack-Request-Id: req-3f5ebaad-6f66-43b7-bd0f-917a54558918
Date: Wed, 22 May 2024 06:06:24 GMT
[{"id": "6b02a067-848f-418b-add1-e9c020239b31", "onboardingState": "ONBOARDED", "operationalState": "ENABLED", "usageState": "IN_USE", "vnfProductName": "Sample VNF", "vnfSoftwareVersion": "1.0", "vnfdId": "b1bb0ce7-ebca-4fa7-95ed-4840d70a1177", "vnfdVersion": "1.0", "vnfProvider": "Company", "_links": {"self": {"href": "/vnfpkgm/v1/vnf_packages/6b02a067-848f-418b-add1-e9c020239b31"}, "packageContent": {"href": "/vnfpkgm/v1/vnf_packages/6b02a067-848f-418b-add1-e9c020239b31/package_content"}}}]
$ curl -i -X GET "https://$tacker_host_name:9890/vnflcm/v1/vnf_instances" \
-H "Authorization: Bearer $oauth2_access_token" \
--cacert multi_ca.pem
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 603
X-Openstack-Request-Id: req-ceeb935f-e4af-4f46-bfa9-4fb3e83a4664
Date: Wed, 22 May 2024 06:24:33 GMT
[{"id": "fd25f4ca-27ac-423b-afcf-640a64544e61", "vnfInstanceName": "vnf-fd25f4ca-27ac-423b-afcf-640a64544e61", "instantiationState": "NOT_INSTANTIATED", "vnfdId": "b1bb0ce7-ebca-4fa7-95ed-4840d70a1177", "vnfProvider": "Company", "vnfProductName": "Sample VNF", "vnfSoftwareVersion": "1.0", "vnfdVersion": "1.0", "vnfPkgId": "6b02a067-848f-418b-add1-e9c020239b31", "_links": {"self": {"href": "https://$tacker_host_name:9890/vnflcm/v1/vnf_instances/fd25f4ca-27ac-423b-afcf-640a64544e61"}, "instantiate": {"href": "https://$tacker_host_name:9890/vnflcm/v1/vnf_instances/fd25f4ca-27ac-423b-afcf-640a64544e61/instantiate"}}}]
4. Confirm that a client can not access the Tacker APIs with an X-Auth-Token.
.. code-block:: console
$ curl -i -X POST https://$keystone_host_name/identity/v3/auth/tokens?nocatalog \
-d '{"auth":{"identity":{"methods":["password"],"password": {"user":{"domain":{"name":"$userDomainName"},"name":"$userName","password":"$password"}}},"scope":{"project":{"domain":{"name":"$projectDomainName"},"name":"$projectName"}}}}' \
-H 'Content-type:application/json' \
--cacert multi_ca.pem
HTTP/1.1 201 CREATED
Date: Wed, 05 Jun 2024 06:48:33 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: application/json
Content-Length: 712
X-Subject-Token: $x_auth_token
Vary: X-Auth-Token
x-openstack-request-id: req-bc85eb93-eb34-41d6-970e-1cbd776c1878
Connection: close
{"token": {"methods": ["password"], "user": {"domain": {"id": "$userDomainId" , "name": "$userDomainName"}, "id": "$userId", "name": "$userName", "password_expires_at": null}, "audit_ids": ["nHh38yyHSnWfPItIUnesEQ"], "expires_at": "2024-06-05T07:48:33.000000Z", "issued_at": "2024-06-05T06:48:33.000000Z", "project": {"domain": {"id": "$projectDomainId", "name": "$projectDomainName"}, "id": "$projectId", "name": "$projectName"}, "is_domain": false, "roles": [{"id": "4f50d53ed79a42bd89105954f21d9f1d", "name": "member"}, {"id": "9c9f278da6e74c2dbdb80fc0a5ed9010", "name": "manager"}, {"id": "fcdedca5ce604c90b241bab70f85d8cc", "name": "admin"}, {"id": "42ff1a2ac70d4496a90dd6aa8985feb1", "name": "reader"}]}}
$ curl -i -X GET "https://$tacker_host_name:9890/v1.0/vims" \
-H "X-Auth-Token:$x_auth_token" \
--cacert multi_ca.pem
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Content-Length: 114
Www-Authenticate: Keystone uri="https://$keystone_host_name/identity"
X-Openstack-Request-Id: req-5ee22493-4961-4272-82c6-c44978d3ed8b
Date: Wed, 05 Jun 2024 07:02:02 GMT
{"error": {"code": 401, "title": "Unauthorized", "message": "The request you have made requires authentication."}}
Enable OpenStack Command through Client Credentials Grant
---------------------------------------------------------
To use OAuth 2.0 Client Credentials Grant from OpenStack CLI, you have to use
``v3oauth2clientcredential`` as ``auth_type``.
1. Before executing the command, you should remove the variables that affect
the OpenStack command from the OS environment, then set the variables that
required by OAuth 2.0 Client Credentials Grant to the OS
environment.
.. code-block:: console
$ unset OS_USERNAME
$ unset OS_USER_ID
$ unset OS_USER_DOMAIN_ID
$ unset OS_USER_DOMAIN_NAME
$ unset OS_TOKEN
$ unset OS_PASSCODE
$ unset OS_REAUTHENTICATE
$ unset OS_TENANT_ID
$ unset OS_TENANT_NAME
$ unset OS_PROJECT_ID
$ unset OS_PROJECT_NAME
$ unset OS_PROJECT_DOMAIN_ID
$ unset OS_PROJECT_DOMAIN_NAME
$ unset OS_DOMAIN_ID
$ unset OS_DOMAIN_NAME
$ unset OS_SYSTEM_SCOPE
$ unset OS_TRUST_ID
$ unset OS_DEFAULT_DOMAIN_ID
$ unset OS_DEFAULT_DOMAIN_NAME
.. code-block:: console
$ export OS_AUTH_URL=https://$keystone_host_name/identity
$ export OS_IDENTITY_API_VERSION=3
$ export OS_REGION_NAME="RegionOne"
$ export OS_INTERFACE=public
$ export OS_OAUTH2_ENDPOINT=https://$keystone_host_name/identity/v3/OS-OAUTH2/token
$ export OS_OAUTH2_CLIENT_ID=$oauth2_client_id
$ export OS_OAUTH2_CLIENT_SECRET=$oauth2_client_secret
$ export OS_AUTH_TYPE=v3oauth2clientcredential
$ export OS_CACERT=/opt/stack/certs/multi_ca.pem
2. Execute a tacker command to confirm that OpenStack command can access the
Tacker APIs successfully.
.. code-block:: console
$ openstack vim list
+--------------------------------------+---------------------+----------------------------------+-----------+------------+--------+
| ID | Name | Tenant_id | Type | Is Default | Status |
+--------------------------------------+---------------------+----------------------------------+-----------+------------+--------+
| 84517803-0e84-401e-ad75-8f6b8ab0a3b6 | openstack-admin-vim | d53a4605d776472d846aed35735d3494 | openstack | True | ACTIVE |
+--------------------------------------+---------------------+----------------------------------+-----------+------------+--------+
$ openstack vnf package list
+--------------------------------------+------------------+------------------+-------------+-------------------+-------------------------------------------------------------------------------------------------+
| Id | Vnf Product Name | Onboarding State | Usage State | Operational State | Links |
+--------------------------------------+------------------+------------------+-------------+-------------------+-------------------------------------------------------------------------------------------------+
| 6b02a067-848f-418b-add1-e9c020239b31 | Sample VNF | ONBOARDED | IN_USE | ENABLED | { |
| | | | | | "self": { |
| | | | | | "href": "/vnfpkgm/v1/vnf_packages/6b02a067-848f-418b-add1-e9c020239b31" |
| | | | | | }, |
| | | | | | "packageContent": { |
| | | | | | "href": "/vnfpkgm/v1/vnf_packages/6b02a067-848f-418b-add1-e9c020239b31/package_content" |
| | | | | | } |
| | | | | | } |
+--------------------------------------+------------------+------------------+-------------+-------------------+-------------------------------------------------------------------------------------------------+
$ openstack vnflcm list
+--------------------------------------+------------------------------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
| ID | VNF Instance Name | Instantiation State | VNF Provider | VNF Software Version | VNF Product Name | VNFD ID |
+--------------------------------------+------------------------------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
| fd25f4ca-27ac-423b-afcf-640a64544e61 | vnf-fd25f4ca-27ac-423b-afcf-640a64544e61 | NOT_INSTANTIATED | Company | 1.0 | Sample VNF | b1bb0ce7-ebca-4fa7-95ed-4840d70a1177 |
+--------------------------------------+------------------------------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
Guide for OAuth 2.0 Mutual-TLS Client Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To use OAuth 2.0 Mutual-TLS Client Authentication in Tacker, you should
configure the Tacker server, the Keystone identity server and the Keystone
middleware in the following steps.
.. TODO(Kyaw Myo Thant): delete this part and change to referencing the
Keystone document after the following patch is merged
https://review.opendev.org/c/openstack/keystone/+/860928
Enable Keystone to Support Mutual-TLS Client Authentication
-----------------------------------------------------------
1. Modify the apache configuration file and add options to implement mutual TLS
support for the Keystone service. You can reference
:doc:`/admin/configure_tls` to create Private root CA, private key and
certificate that will be required in this guide. And the certificate and key
files should be stored where the apache service can access.
.. note::
If HTTPS protocol has been enabled for keystone server in previous
section by referencing `Configure HTTPS in Identity Service`_, that
configuration must be disabled by unlinking or removing the symlinked
configuration file before enabling mTLS.
.. code-block:: console
$ sudo unlink /etc/apache2/sites-enabled/000-default.conf
.. code-block:: console
$ sudo vi /etc/apache2/sites-enabled/keystone-wsgi-public.conf
ProxyPass "/identity" "unix:/var/run/uwsgi/keystone-wsgi-public.socket|uwsgi://uwsgi-uds-keystone-wsgi-public" retry=0
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/keystone.pem
SSLCertificateKeyFile /etc/ssl/private/keystone.key
SSLCACertificateFile /etc/ssl/certs/multi_ca.pem
<Location /identity/v3/OS-OAUTH2/token>
SSLVerifyClient require
SSLOptions +ExportCertData
SSLOptions +StdEnvVars
SSLRequireSSL
</Location>
</VirtualHost>
</IfModule>
2. Restart apache service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart apache2.service
3. Modify the ``keystone.conf`` to enable the os-oauth2-api to use TLS
certificates for user authentication.
.. code-block:: console
$ vi /etc/keystone/keystone.conf
[oauth2]
oauth2_authn_method=certificate
oauth2_cert_dn_mapping_id=oauth2_mapping
4. Restart Keystone service so that the modified configuration information
takes effect.
.. code-block:: console
$ sudo systemctl restart devstack@keystone
Enable Mutual-TLS Client Authentication
---------------------------------------
1. Enable mTLS (aka., two-way TLS) for Tacker APIs to use Oauth 2.0 Mutual-TLS
client authentication.
See :doc:`/admin/configure_tls` for detailed steps, to enable mTLS for
Tacker APIs.
2. Add ``keystonemiddleware.oauth2_mtls_token:filter_factory`` to the
configuration file ``api-paste.ini`` to enable OAuth 2.0 Mutual-TLS client
authentication.
.. code-block:: console
$ vi /etc/tacker/api-paste.ini
[composite:tackerapi_v1_0]
#keystone = request_id catch_errors authtoken keystonecontext extensions tackerapiapp_v1_0
keystone = request_id catch_errors oauth2_mtls_token keystonecontext extensions tackerapiapp_v1_0
[composite:vnfpkgmapi_v1]
#keystone = request_id catch_errors authtoken keystonecontext vnfpkgmapp_v1
keystone = request_id catch_errors oauth2_mtls_token keystonecontext vnfpkgmapp_v1
[composite:vnflcm_v1]
#keystone = request_id catch_errors authtoken keystonecontext vnflcmaapp_v1
keystone = request_id catch_errors oauth2_mtls_token keystonecontext vnflcmaapp_v1
[composite:vnflcm_v2]
#keystone = request_id catch_errors authtoken keystonecontext vnflcmaapp_v2
keystone = request_id catch_errors oauth2_mtls_token keystonecontext vnflcmaapp_v2
[composite:vnfpm_v2]
#keystone = request_id catch_errors authtoken keystonecontext vnfpmaapp_v2
keystone = request_id catch_errors oauth2_mtls_token keystonecontext vnfpmaapp_v2
[composite:vnflcm_versions]
#keystone = request_id catch_errors authtoken keystonecontext vnflcm_api_versions
keystone = request_id catch_errors oauth2_mtls_token keystonecontext vnflcm_api_versions
[composite:vnffm_v1]
#keystone = request_id catch_errors authtoken keystonecontext vnffmaapp_v1
keystone = request_id catch_errors oauth2_mtls_token keystonecontext vnffmaapp_v1
[filter:oauth2_mtls_token]
paste.filter_factory = keystonemiddleware.oauth2_mtls_token:filter_factory
Create Mapping Rules for Validating TLS Certificates
----------------------------------------------------
Because different root certificates have different ways of authenticating TLS
certificates provided by client, the relevant mapping rules need to be set in
the system.
1. Create a mapping rule file. When using Subject Distinguished Names,
the "SSL_CLIENT_SUBJECT_DN_*" format must be used. When using Issuer
Distinguished Names, the "SSL_CLIENT_ISSUER_DN_*" format must be used.
The "*" part is the key of the attribute for Distinguished Names converted
to uppercase. For more information about the attribute types for
Distinguished Names, see the relevant RFC documentation such as: `RFC1779`_,
`RFC2985`_, `RFC4519`_, etc. In this example, 4 Subject Distinguished Names
is mapped for user identity. You can map other Distinguished Names like
email. For detail, reference `Mapping Combinations`_.
.. code-block:: console
$ vi oauth2_mapping.json
[
{
"local": [
{
"user": {
"name": "{0}",
"id": "{1}",
"domain": {
"name": "{2}",
"id": "{3}"
}
}
}
],
"remote": [
{
"type": "SSL_CLIENT_SUBJECT_DN_CN"
},
{
"type": "SSL_CLIENT_SUBJECT_DN_UID"
},
{
"type": "SSL_CLIENT_SUBJECT_DN_O"
},
{
"type": "SSL_CLIENT_SUBJECT_DN_DC"
},
{
"type": "SSL_CLIENT_ISSUER_DN_CN",
"any_one_of": [
"root_b.openstack.host"
]
}
]
}
]
2. Use the mapping file to create the oauth2_mapping rule in keystone.
.. code-block:: console
$ openstack mapping create --rules oauth2_mapping.json oauth2_mapping
+----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | oauth2_mapping |
| rules | [{'local': [{'user': {'name': '{0}', 'id': '{1}', 'domain': {'name': '{2}', 'id': '{3}'}}}], 'remote': [{'type': 'SSL_CLIENT_SUBJECT_DN_CN'}, |
| | {'type': 'SSL_CLIENT_SUBJECT_DN_UID'}, {'type': 'SSL_CLIENT_SUBJECT_DN_O'}, {'type': 'SSL_CLIENT_SUBJECT_DN_DC'}, {'type': 'SSL_CLIENT_ISSUER_DN_CN', |
| | 'any_one_of': ['root_b.openstack.host']}]}] |
| schema_version | 1.0 |
+----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
3. If it already exists, use the file to update the mapping rule in keystone.
.. code-block:: console
$ openstack mapping set --rules oauth2_mapping.json oauth2_mapping
4. To use ``oauth2_mtls_token`` Keystonemiddleware, default project of the user
must be set. In this example, the default project of ``nfv_user`` user is
set to ``nfv`` project that is in the ``default`` project domain.
.. code-block:: console
$ openstack user show nfv_user
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| default_project_id | None |
| domain_id | default |
| email | None |
| enabled | True |
| id | 173c59254d3040969e359e5df0a3b475 |
| name | nfv_user |
| description | None |
| password_expires_at | None |
+---------------------+----------------------------------+
$ openstack project show nfv
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | 2e189ea6c1df4e4ba6d89de254b3a534 |
| is_domain | False |
| name | nfv |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
.. code-block:: console
$ openstack user set 173c59254d3040969e359e5df0a3b475 \
--project 2e189ea6c1df4e4ba6d89de254b3a534 \
--project-domain default
Verify Access to Tacker APIs
----------------------------
Access to the Tacker APIs with client certificate to verify that OAuth 2.0
Mutual-TLS Client Authenticating works correctly.
1. To use OAuth 2.0 Mutual-TLS Client Authentication, the client private key
and certificate is necessary. Create a certificate signing request based on
the mapping rule created in previous section. For this guide, 4 Subject
Distinguished Names mapped in oauth2 mapping rule have to be included.
.. code-block:: console
$ openssl genrsa -out nfv_user.key 4096
$ openssl req -new -key nfv_user.key -out nfv_user.csr \
-subj "/UID=173c59254d3040969e359e5df0a3b475/O=Default/DC=default/CN=nfv_user"
2. Use the root certificate to generate a self-signed certificate for the user.
Because the Issuer Common Names is mapped to be ``root_b.openstack.host`` in
previous section, the client certificate has to be signed with root_b which
CN is ``root_b.openstack.host``. Root certificate can be created by
referencing :doc:`/admin/configure_tls`.
.. code-block:: console
$ openssl x509 -req -in nfv_user.csr \
-CA root_b.pem -CAkey root_b.key -CAcreateserial -out \
nfv_user.pem -days 180 -sha256
Certificate request self-signature ok
subject=UID = 173c59254d3040969e359e5df0a3b475, O = Default, DC = default, CN = nfv_user
3. Obtain OAuth 2.0 Certificate-Bound access tokens through OAuth 2.0
Mutual-TLS Client Authentication.
.. code-block:: console
$ curl -i -X POST https://$keystone_host_name/identity/v3/OS-OAUTH2/token \
-H "application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=173c59254d3040969e359e5df0a3b475" \
--cacert multi_ca.pem \
--key nfv_user.key \
--cert nfv_user.pem
HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 05:31:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: application/json
Content-Length: 307
Vary: X-Auth-Token
x-openstack-request-id: req-11c95e0e-4b3f-4150-8ce9-b82f047c6906
Connection: close
{"access_token":"$oauth2_mtls_access_token","expires_in":3600,"token_type":"Bearer"}
4. Access Tacker APIs using obtained OAuth 2.0 Certificate-Bound access tokens.
.. code-block:: console
$ curl -i "https://$tacker_host_name:9890/v1.0/vims" \
-H "Authorization: Bearer $oauth2_mtls_access_token" \
-H "application/json" \
--cert nfv_user.pem \
--key nfv_user.key \
--cacert multi_ca.pem
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 2182
X-Openstack-Request-Id: req-9c39a83a-c123-4857-ac8c-ac0ada066ab1
Date: Wed, 02 Oct 2024 00:23:17 GMT
{"vims": [{"id": "ce04bbe5-3ffe-449f-ba2a-69c0a747b9ad", "type": "kubernetes", "tenant_id": "2e189ea6c1df4e4ba6d89de254b3a534", "name": "test-vim-k8s", "description": "", "placement_attr": {"regions": ["default", "kube-node-lease", "kube-public", "kube-system"]}, "is_default": true, "created_at": "2024-07-04 09:07:56", "updated_at": null, "extra": {}, "auth_url": "https://10.0.2.15:6443", "vim_project": {"name": "nfv"}, "auth_cred": {"bearer_token": "***", "ssl_ca_cert": "$ssl_ca_cert", "auth_url": "https://10.0.2.15:6443", "username": "None", "key_type": "barbican_key", "secret_uuid": "***"}, "status": "ACTIVE"}]}
$ curl -i "https://$tacker_host_name:9890/vnfpkgm/v1/vnf_packages" \
-H "Authorization: Bearer $oauth2_mtls_access_token" \
-H "application/json" \
--cert nfv_user.pem \
--key nfv_user.key \
--cacert multi_ca.pem
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 498
X-Openstack-Request-Id: req-32628f18-a8e6-49cc-8ac6-b2e49d961a42
Date: Wed, 02 Oct 2024 00:24:25 GMT
[{"usageState": "IN_USE", "operationalState": "ENABLED", "id": "718e94a6-dfbf-48a4-8c6f-eaa541063a1b", "onboardingState": "ONBOARDED", "vnfProductName": "Sample VNF", "vnfProvider": "Company", "vnfSoftwareVersion": "1.0", "vnfdId": "eb37da52-9d03-4544-a1b5-ff5664c7687d", "vnfdVersion": "1.0", "_links": {"self": {"href": "/vnfpkgm/v1/vnf_packages/718e94a6-dfbf-48a4-8c6f-eaa541063a1b"}, "packageContent": {"href": "/vnfpkgm/v1/vnf_packages/718e94a6-dfbf-48a4-8c6f-eaa541063a1b/package_content"}}}
$ curl -i "https://$tacker_host_name:9890/vnflcm/v2/vnf_instances" \
-H "Authorization: Bearer $oauth2_mtls_access_token" \
-H "application/json" \
-H "Version:2.0.0"
--cert nfv_user.pem \
--key nfv_user.key \
--cacert multi_ca.pem
HTTP/1.1 200 OK
Content-Length: 829
Version: 2.0.0
Accept-Ranges: none
Content-Type: application/json
X-Openstack-Request-Id: req-adcc7680-8491-413d-806e-47906d2601fa
Date: Wed, 02 Oct 2024 00:36:24 GMT
[{"id": "703148ca-addc-4226-bee8-ef73d81dbbbf", "vnfdId": "eb37da52-9d03-4544-a1b5-ff5664c7687d", "vnfProvider": "Company", "vnfProductName": "Sample VNF", "vnfSoftwareVersion": "1.0", "vnfdVersion": "1.0", "instantiationState": "INSTANTIATED", "_links": {"self": {"href": "http://$tacker_host_name:9890/vnflcm/v2/vnf_instances/703148ca-addc-4226-bee8-ef73d81dbbbf"}, "terminate": {"href": "http://$tacker_host_name:9890/vnflcm/v2/vnf_instances/703148ca-addc-4226-bee8-ef73d81dbbbf/terminate"}, "scale": {"href": "http://$tacker_host_name:9890/vnflcm/v2/vnf_instances/703148ca-addc-4226-bee8-ef73d81dbbbf/scale"}, "heal": {"href": "http://$tacker_host_name:9890/vnflcm/v2/vnf_instances/703148ca-addc-4226-bee8-ef73d81dbbbf/heal"}, "changeExtConn": {"href": "http://$tacker_host_name:9890/vnflcm/v2/vnf_instances/703148ca-addc-4226-bee8-ef73d81dbbbf/change_ext_conn"}}}]
Enable OpenStack Command through Mutual-TLS Client Authentication
-----------------------------------------------------------------
To use OAuth 2.0 Mutual-TLS Client Authentication from OpenStack CLI, you have
to use ``v3oauth2mtlsclientcredential`` as ``auth_type``.
1. Before executing the command, you should remove the variables that affect
the OpenStack command from the OS environment, then set the variables that
required by OAuth 2.0 Mutual-TLS Client Authentication to the OS
environment.
.. code-block:: console
$ unset OS_USERNAME
$ unset OS_USER_ID
$ unset OS_USER_DOMAIN_ID
$ unset OS_USER_DOMAIN_NAME
$ unset OS_TOKEN
$ unset OS_PASSCODE
$ unset OS_REAUTHENTICATE
$ unset OS_TENANT_ID
$ unset OS_TENANT_NAME
$ unset OS_PROJECT_ID
$ unset OS_PROJECT_NAME
$ unset OS_PROJECT_DOMAIN_ID
$ unset OS_PROJECT_DOMAIN_NAME
$ unset OS_DOMAIN_ID
$ unset OS_DOMAIN_NAME
$ unset OS_SYSTEM_SCOPE
$ unset OS_TRUST_ID
$ unset OS_DEFAULT_DOMAIN_ID
$ unset OS_DEFAULT_DOMAIN_NAME
.. code-block:: console
$ export OS_AUTH_TYPE=v3oauth2mtlsclientcredential
$ export OS_KEY=/opt/stack/certs/nfv_user.key
$ export OS_CERT=/opt/stack/certs/nfv_user.pem
$ export OS_CACERT=/opt/stack/certs/multi_ca.pem
$ export OS_OAUTH2_CLIENT_ID=173c59254d3040969e359e5df0a3b475
$ export OS_OAUTH2_ENDPOINT=https://$keystone_host_name/identity/v3/OS-OAUTH2/token
$ export OS_INTERFACE=public
$ export OS_REGION_NAME="RegionOne"
$ export OS_IDENTITY_API_VERSION=3
$ export OS_AUTH_URL=https://$keystone_host_name/identity
2. Execute Tacker commands to confirm that OpenStack command can access the
Tacker APIs successfully.
.. code-block:: console
$ openstack vim list
+--------------------------------------+--------------+----------------------------------+------------+------------+--------+
| ID | Name | Tenant_id | Type | Is Default | Status |
+--------------------------------------+--------------+----------------------------------+------------+------------+--------+
| ce04bbe5-3ffe-449f-ba2a-69c0a747b9ad | test-vim-k8s | 2e189ea6c1df4e4ba6d89de254b3a534 | kubernetes | True | ACTIVE |
+--------------------------------------+--------------+----------------------------------+------------+------------+--------+
$ openstack vnf package list
+--------------------------------------+------------------+------------------+-------------+-------------------+-------------------------------------------------------------------------------------------------+
| Id | Vnf Product Name | Onboarding State | Usage State | Operational State | Links |
+--------------------------------------+------------------+------------------+-------------+-------------------+-------------------------------------------------------------------------------------------------+
| 718e94a6-dfbf-48a4-8c6f-eaa541063a1b | Sample VNF | ONBOARDED | IN_USE | ENABLED | { |
| | | | | | "self": { |
| | | | | | "href": "/vnfpkgm/v1/vnf_packages/718e94a6-dfbf-48a4-8c6f-eaa541063a1b" |
| | | | | | }, |
| | | | | | "packageContent": { |
| | | | | | "href": "/vnfpkgm/v1/vnf_packages/718e94a6-dfbf-48a4-8c6f-eaa541063a1b/package_content" |
| | | | | | } |
| | | | | | } |
+--------------------------------------+------------------+------------------+-------------+-------------------+-------------------------------------------------------------------------------------------------+
$ openstack vnflcm list --os-tacker-api-version 2
+--------------------------------------+-------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
| ID | VNF Instance Name | Instantiation State | VNF Provider | VNF Software Version | VNF Product Name | VNFD ID |
+--------------------------------------+-------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
| 703148ca-addc-4226-bee8-ef73d81dbbbf | | INSTANTIATED | Company | 1.0 | Sample VNF | eb37da52-9d03-4544-a1b5-ff5664c7687d |
+--------------------------------------+-------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
.. _RFC6749: https://datatracker.ietf.org/doc/html/rfc6749
.. _ETSI NFV-SOL013 v3.4.1: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/013/03.04.01_60/gs_nfv-sol013v030401p.pdf
.. _OAuth 2.0 client credentials: https://docs.openstack.org/keystone/latest/admin/oauth2-usage-guide.html
.. _Middleware Architecture: https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html
.. _OAuth 2.0 usage guide: https://docs.openstack.org/keystone/latest/admin/oauth2-usage-guide.html
.. _Application Credentials API: https://docs.openstack.org/api-ref/identity/v3/index.html#application-credentials
.. _OAuth 2.0 Access Token API: https://docs.openstack.org/api-ref/identity/v3-ext/index.html#os-oauth2-api
.. _RFC1779: https://datatracker.ietf.org/doc/html/rfc1779
.. _RFC2985: https://datatracker.ietf.org/doc/html/rfc2985
.. _RFC4519: https://datatracker.ietf.org/doc/html/rfc4519
.. _RFC8705: https://datatracker.ietf.org/doc/html/rfc8705
.. _Configure HTTPS in Identity Service: https://docs.openstack.org/keystone/latest/admin/configure-https.html
.. _Mapping Combinations: https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html

201
doc/source/admin/oauth2_client_usage_guide.rst Normal file
View File

@@ -0,0 +1,201 @@
======================================
Configuring Tacker as OAuth 2.0 Client
======================================
.. note::
The content of this document has been confirmed to work
using Tacker 2024.1 Caracal.
Overview
~~~~~~~~
As an API client, Tacker can use Oauth 2.0 Client Credentials Grant flow and
OAuth 2.0 Mutual-TLS Client Authentication to access the Notification server
and the External NFVO server. The OAuth 2.0 Client Credentials Grant flow of
`RFC6749`_ OAuth 2.0 Authorization Framework is prescribed in the API
specification of `ETSI NFV-SOL013 v3.4.1`_. And Tacker implements OAuth 2.0
Mutual-TLS Client Authentication based on `RFC8705`_.
Guide for OAuth 2.0 Client Credentials Grant
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can enable Tacker as OAuth 2.0 Client Credentials Grant by following this
guide.
Enable Client Credentials Grant for Access to Notification Server
-----------------------------------------------------------------
If the certification of the notification authorization server is not trusted,
the configuration file :doc:`/configuration/config` can be modified to set the
``verify_oauth2_ssl`` to false, then the backend no longer verify the
certification when it obtains the OAuth 2.0 access token.
If the certification of the notification callback API is not trusted, the
configuration file :doc:`/configuration/config` can be modified to set the
``verify_notification_ssl`` to false, then the backend no longer verify the
certification when it sends a notification.
1. Modify the configuration file as needed.
.. code-block:: console
$ vi /etc/tacker/tacker.conf
[vnf_lcm]
verify_notification_ssl = false
[authentication]
verify_oauth2_ssl = false
2. Restart Tacker service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart devstack@tacker.service
Verify that Access Uses Client Credentials Grant
------------------------------------------------
Subscribe to a notification that requires OAuth 2.0 Client Credentials
Grant to confirm that Tacker can send a notification successfully to
Notification Server.
.. code-block:: console
$ cat subsc_create_req.json
{
"filter": {
"vnfInstanceSubscriptionFilter":{
"vnfdIds": [
"108135bb-8f21-4b91-a548-4aad3cf72a87"
]
}
},
"callbackUri" : "$callback_uri",
"authentication": {
"authType":["OAUTH2_CLIENT_CREDENTIALS"],
"paramsOauth2ClientCredentials": {
"clientId": "$notification_oauth2_client_id",
"clientPassword": "$notification_oauth2_client_secret",
"tokenEndpoint": "$notification_oauth2_token_endpoint"
}
}
}
$ openstack vnflcm subsc create subsc_create_req.json --os-tacker-api-version 2
+--------------+----------------------------------------------------------------------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------------------------------------------------------------------+
| Callback URI | $callback_uri |
| Filter | { |
| | "vnfInstanceSubscriptionFilter": { |
| | "vnfdIds": [ |
| | "108135bb-8f21-4b91-a548-4aad3cf72a87" |
| | ] |
| | } |
| | } |
| ID | b25c2d6f-6de4-450a-a25d-321868d3ed83 |
| Links | { |
| | "self": { |
| | "href": "https://$tacker_host_name/vnflcm/v2/subscriptions/b25c2d6f-6de4-450a-a25d-321868d3ed83" |
| | } |
| | } |
| verbosity | FULL |
+--------------+----------------------------------------------------------------------------------------------------------+
Guide for OAuth 2.0 Mutual-TLS Client Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To use Tacker as mTLS OAuth 2.0 client, client private key and certificate will
be necessary. You can reference :doc:`/admin/configure_tls` to create private
root CA, private key and certificate that will be required in this guide.
Because different authorization servers have different ways of authenticating
TLS certificates provided by client, the relevant Subject Distinguished Names
such as Common Name need to be set when creating client certificate according
to the authorization server. The ``tacker_cert_and_key.pem`` file that is used
in this guide, can be created by concatenating the client certificate file and
client private key file.
.. code-block:: console
$ cat tacker_client.pem tacker_client.key >> tacker_cert_and_key.pem
You can enable Tacker as a mTLS OAuth 2.0 client by the following steps in this
guide.
Enable Mutual-TLS Client Authentication for Access to Notification server
-------------------------------------------------------------------------
The following parts describe steps to enable mTLS only for access to the
Notification server.
1. Modify the configuration file ``tacker.conf`` to enable SSL to implement
mTLS support. The following settings are examples, and the certificate
should be saved in a directory with appropriate access permission.
.. code-block:: console
$ vi /etc/tacker/tacker.conf
[v2_vnfm]
notification_mtls_ca_cert_file = /etc/tacker/multi_ca.pem
notification_mtls_client_cert_file = /etc/tacker/tacker_cert_and_key.pem
2. Restart Tacker service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart devstack@tacker
Enable Mutual-TLS Client Authentication for Access to External NFVO server
--------------------------------------------------------------------------
The following parts describe steps to enable mTLS only for access to the
External NFVO server.
1. Modify the configuration file ``tacker.conf`` to enable SSL to implement
mTLS support. The `client_id` and `client_password` must be obtained from
the authentication server used by the External NFVO server.
If you are using Keystone as the authentication server, you can use user_id
as the client_id for mTLS authentication.
.. code-block:: console
$ vi /etc/tacker/tacker.conf
[v2_nfvo]
use_external_nfvo = True
endpoint = https://endpoint.host
token_endpoint = https://token_endpoint.host/token
client_id = client_id
client_password = client_password
mtls_ca_cert_file = /etc/tacker/multi_ca.pem
mtls_client_cert_file = /etc/tacker/tacker_cert_and_key.pem
2. Restart Tacker service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart devstack@tacker
Verify that Access Uses Mutual-TLS Client Authentication
--------------------------------------------------------
Access to the External NFVO server and the Notification server is not outputted
to the Tacker log. Therefore, check the access log of the External NFVO server
and the Notification server when executing lcm operations, or use the packet
capture software to confirm that the access to each server is the mTLS
communication. If the packet capture shows that the client and the server are
sending certificates to each other during the handshake, you can verify that
mTLS is enabled.
.. _RFC8705: https://datatracker.ietf.org/doc/html/rfc8705
.. _RFC6749: https://datatracker.ietf.org/doc/html/rfc6749
.. _ETSI NFV-SOL013 v3.4.1: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/013/03.04.01_60/gs_nfv-sol013v030401p.pdf

241
doc/source/admin/oauth2_mtls_usage_guide.rst
View File

@@ -1,241 +0,0 @@
===========================================
Configuring Tacker as mTLS OAuth 2.0 Client
===========================================
.. note::
The content of this document has been confirmed to work
using Tacker 2024.1 Caracal.
Overview
~~~~~~~~
Tacker implements Mutual TLS (mTLS) for OAuth 2.0 Client Authentication based
on `RFC8705`_ as an extension of Tacker. As an API client, Tacker can use a
mTLS connection to access the Notification server and the External NFVO server.
Guide
~~~~~
You can enable Tacker server to support mTLS by the following steps in this
guide. In this example, `tacker.host` is the domain name used by the Tacker
server.
Create a private/public Certificate Authority (CA)
--------------------------------------------------
In order to use mTLS, it is necessary to create a private/public Certificate
Authority (CA) as a root certificate that will be used to sign client and
Tacker certificates. Although you typically use certificate issued by a public
CA, this guide describes how to create a private CA to test the mTLS
functionality. If the certificate used for mTLS authentication was issued by a
public CA, skip steps 1 and 2.
1. Generate an RSA private key.
.. code-block:: console
$ openssl genrsa -out root_a.key 4096
2. Generate a self-signed certificate.
.. code-block:: console
$ openssl req -new -x509 -key root_a.key -out root_a.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IssuingORG
Organizational Unit Name (eg, section) []:CertDept
Common Name (e.g. server FQDN or YOUR name) []:root_a.openstack.host
Email Address []:root_a@issuing.org
3. If you need to support multiple root certificates, those root certificates
should be merged and configured on the server. For example, this guide uses
the root_a.pem created previously, and the root_b.pem created in a same way.
When creating the root_b.pem, specify the CN as `root_b.openstack.host`.
In this step, a new multi_ca.pem is created by concatenating two root
certificates.
.. code-block:: console
$ cat root_a.pem >> multi_ca.pem
$ cat root_b.pem >> multi_ca.pem
$ cat multi_ca.pem
-----BEGIN CERTIFICATE-----
MIIF1TCCA72gAwIBAgIUN7d0MTiikDjDMLxUQ8SJcV97Nz8wDQYJKoZIhvcNAQEL
BQAwejELMAkGA1UEBhMCSlAxEDAOBgNVBAgMB2ppYW5nc3UxDzANBgNVBAcMBnN1
...
K/k00vZmrZXONglaf/OeMalhiRaOTsK2CzEvg6Xgu1zOjtNshm6qnSEXDYxzJue2
FPLDGEMKSCLb
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF1TCCA72gAwIBAgIUOiAEZWTheMS5wFA661G6bushkg4wDQYJKoZIhvcNAQEL
BQAwejELMAkGA1UEBhMCY24xEDAOBgNVBAgMB2ppYW5nc3UxDzANBgNVBAcMBnN1
...
UzvplIZcNZKzgOLLrSkk42/yqxdTZnc3BeBiVsA5T6aapNbY8D6ZpPU2cYYSxrfK
VpOanJoJy22J
-----END CERTIFICATE-----
Create private key and client certificate
-----------------------------------------
In order to use mTLS, it is necessary to create a private key and client
certificate. Although you typically use a certificate issued by a public CA,
this guide describes how to create a self-signed certificate to test the mTLS
functionality. If the certificate used for mTLS authentication was issued by a
public CA, skip steps 1 to 3.
1. Generate an RSA private key.
.. code-block:: console
$ openssl genrsa -out tacker_priv.key 4096
2. Create a certificate signing request.
.. code-block:: console
$ openssl req -new -key tacker_priv.key -out tacker_csr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Chiyoda-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OpenstackORG
Organizational Unit Name (eg, section) []:DevDept
Common Name (e.g. server FQDN or YOUR name) []:tacker.host
Email Address []:dev@tacker.host
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Use the root certificate to generate a self-signed certificate.
.. code-block:: console
$ openssl x509 -req -in tacker_csr.csr \
-CA root_a.pem -CAkey root_a.key -CAcreateserial \
-out tacker_ca.pem -days 365 -sha384
Signature ok
subject=C = JP, ST = Tokyo, L = Chiyoda-ku, O = OpenstackORG, OU = DevDept, CN = tacker.host, emailAddress = dev@tacker.host
Getting CA Private Key
4. Merge the key and certificate into a single file by concatenating.
.. code-block:: console
$ cat tacker_ca.pem >> tacker_cert_and_key.pem
$ cat tacker_priv.key >> tacker_cert_and_key.pem
$ cat tacker_cert_and_key.pem
-----BEGIN CERTIFICATE-----
MIIEdzCCAl8CFGfZSo8q0f0AkmFHrDYAgOygq+X0MA0GCSqGSIb3DQEBCwUAMFYx
CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
...
kMgBy0mLyN84vqY2GItKdYrBsEUWSif6i3tVTDa1r0gpf2o4PPOHUAaelStm3eqU
KFoR418Y432RaxCEPrDOh11PAY80A/xDBhKPYM5XdRlRNtaMmdM4R2p2vw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAt82fxcWknYkcXUuBZkk1f4M93peFh7PAgpXPMAcknp8dzm97
0veZnyh8a4PP7NBGPoKbuBERsVbd6O6HKn4qd8SYehyQ5oYbUVg5n1YsBnPHVq40
...
4CmYegzdMh+VcDkN5vQu1wUSucqCXvzIVgNnbvmxbE7ZuDhCAHNhOvs5jPc1sh79
qAEY3/z0kZ3muKc3y9GqjdVzn6JgysXzUZ5bb3LvFe+nTYXsAU9gJw==
-----END RSA PRIVATE KEY-----
Enable mTLS for access to Notification server
---------------------------------------------
The following parts describe steps to enable mTLS only for access to the
Notification server.
1. Modify the configuration file ``tacker.conf`` to enable SSL to implement
mTLS support. For the settings, specify the path where
the certificate file created in the previous chapter is stored. The
following settings are examples, and the certificate should be saved in a
directory with appropriate access permission.
.. code-block:: console
$ vi /etc/tacker/tacker.conf
[v2_vnfm]
notification_mtls_ca_cert_file = /etc/tacker/multi_ca.pem
notification_mtls_client_cert_file = /etc/tacker/tacker_cert_and_key.pem
2. Restart Tacker service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart devstack@tacker
Enable mTLS for access to External NFVO server
----------------------------------------------
The following parts describe steps to enable mTLS only for access to the
External NFVO server.
1. Modify the configuration file ``tacker.conf`` to enable SSL to implement
mTLS support. The `client_id` and `client_password` must be obtained from
the authentication server used by the External NFVO server.
If you are using Keystone as the authentication server, you can use user_id
as the client_id for mTLS authentication.
.. code-block:: console
$ vi /etc/tacker/tacker.conf
[v2_nfvo]
use_external_nfvo = True
endpoint = https://endpoint.host
token_endpoint = https://token_endpoint.host/token
client_id = client_id
client_password = client_password
mtls_ca_cert_file = /etc/tacker/multi_ca.pem
mtls_client_cert_file = /etc/tacker/tacker_cert_and_key.pem
2. Restart Tacker service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart devstack@tacker
Verifying that Access to Each Server Uses mTLS
----------------------------------------------
Access to the External NFVO server and the Notification server is not outputted
to the Tacker log. Therefore, check the access log of the External NFVO server
and the Notification server when executing lcm operations, or use the packet
capture software to confirm that the access to each server is the mTLS
communication. If the packet capture shows that the client and the server are
sending certificates to each other during the handshake, you can verify that
mTLS is enabled.
.. _RFC8705: https://datatracker.ietf.org/doc/html/rfc8705

557
doc/source/admin/oauth2_usage_guide.rst
View File

@@ -1,557 +0,0 @@
==========================
Using OAuth 2.0 for Tacker
==========================
.. note::
The content of this document has been confirmed to work
using Tacker and Keystone 2024.1 Caracal.
Overview
~~~~~~~~
The third-party clients can access the NFV orchestration APIs that is provided
by Tacker via the Client Credentials Grant flow in
`RFC6749`_ OAuth 2.0 Authorization Framework. OAuth 2.0 Client Credentials
Grant flow is prescribed in the API specification of `ETSI NFV-SOL013 v3.4.1`_.
Tacker uses the Keystone middleware to support OAuth 2.0 Client
Credentials Grant through the Keystone identity server.
Preparations
~~~~~~~~~~~~
To use OAuth 2.0 for Tacker, it is necessary to confirm that `OAuth 2.0 client
credentials`_ is enabled in the Keystone identity server. In this example,
$keystone_host_name is the domain name used by the Keystone identity server,
and the domain name used by the tacker server is $tacker_host_name.
Guide
~~~~~
To use OAuth 2.0 Client Credentials Grant in Tacker, you should configure the
tacker-server and the Keystone middleware in the following steps.
Enable Tacker HTTPS Service
---------------------------
According to RFC6749, HTTPS must be enabled in the authorization server since
requests include sensitive information in plain text, so it should enable
Tacker to support HTTPS protocols.
1. Generate an RSA private key.
.. code-block:: console
$ cd /etc/tacker
$ openssl genrsa -out tacker.key 2048
2. Create a certificate signing request.
.. code-block:: console
$ openssl req -new -key tacker.key -out tacker.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:$tacker_host_name
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
3. Generate a self signed certificate.
.. code-block:: console
$ openssl x509 -req -days 365 -in tacker.csr \
-signkey tacker.key -out tacker.host.crt
Certificate request self-signature ok
subject=CN = $tacker_host_name
4. Modify the :doc:`/configuration/config` to enable SSL to implement HTTP
support for the Tacker APIs.
.. code-block:: console
$ vi /etc/tacker/tacker.conf
[DEFAULT]
# Enable SSL on the API server (boolean value)
use_ssl = true
# Certificate file to use when starting the server securely (string value)
ssl_cert_file = /etc/tacker/tacker.host.crt
# Private key file to use when starting the server securely (string value)
ssl_key_file = /etc/tacker/tacker.key
[v2_vnfm]
#
# From tacker.sol_refactored.common.config
#
# Endpoint of VNFM (self). (string value)
endpoint = https://$tacker_host_name:9890
[vnf_lcm]
# Vnflcm options group
#
# From tacker.conf
#
# endpoint_url (string value)
endpoint_url = https://$tacker_host_name:9890/
.. note::
If the Keystone identity server supports the HTTPS protocol,
set the following in tacker.conf:
.. code-block:: console
[keystone_authtoken]
#cafile = /opt/stack/data/ca-bundle.pem
cafile = /etc/keystone/keystone.host.crt
#auth_url = http://$keystone_host_name/identity
auth_url = https://$keystone_host_name/identity
5. Restart tacker service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart devstack@tacker
6. Try access the Tacker APIs via HTTPS protocol to confirm that the
service has been successfully configured.
.. code-block:: console
$ curl -i --cacert tacker.host.crt -X GET https://$tacker_host_name:9890/
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 122
Date: Wed, 22 May 2024 04:57:57 GMT
{"versions": [{"id": "v1.0", "status": "CURRENT", "links": [{"rel": "self", "href": "https://$tacker_host_name/v1.0"}]}]}
7. When Tacker is switched to HTTPS, user can not access the Tacker APIs via
HTTP protocol.
.. code-block:: console
$ curl -i -X GET http://$tacker_host_name:9890/
curl: (52) Empty reply from server
Enable OAuth 2.0 Client Credentials Authorization
-------------------------------------------------
To handle API requests using OAuth 2.0, you have to configure the Keystone
middleware which intercepts API calls from clients and verifies a client's
identity, see `Middleware Architecture`_.
1. Add ``keystonemiddleware.oauth2_token:filter_factory`` to the configuration
file ``api-paste.ini`` to enable OAuth 2.0 Client Credentials Grant.
.. code-block:: console
$ vi /etc/tacker/api-paste.ini
[composite:tackerapi_v1_0]
#keystone = request_id catch_errors authtoken keystonecontext extensions tackerapiapp_v1_0
keystone = request_id catch_errors oauth2token keystonecontext extensions tackerapiapp_v1_0
[composite:vnfpkgmapi_v1]
#keystone = request_id catch_errors authtoken keystonecontext vnfpkgmapp_v1
keystone = request_id catch_errors oauth2token keystonecontext vnfpkgmapp_v1
[composite:vnflcm_v1]
#keystone = request_id catch_errors authtoken keystonecontext vnflcmaapp_v1
keystone = request_id catch_errors oauth2token keystonecontext vnflcmaapp_v1
[composite:vnflcm_v2]
#keystone = request_id catch_errors authtoken keystonecontext vnflcmaapp_v2
keystone = request_id catch_errors oauth2token keystonecontext vnflcmaapp_v2
[composite:vnfpm_v2]
#keystone = request_id catch_errors authtoken keystonecontext vnfpmaapp_v2
keystone = request_id catch_errors oauth2token keystonecontext vnfpmaapp_v2
[composite:vnflcm_versions]
#keystone = request_id catch_errors authtoken keystonecontext vnflcm_api_versions
keystone = request_id catch_errors oauth2token keystonecontext vnflcm_api_versions
[composite:vnffm_v1]
#keystone = request_id catch_errors authtoken keystonecontext vnffmaapp_v1
keystone = request_id catch_errors oauth2token keystonecontext vnffmaapp_v1
[filter:oauth2token]
paste.filter_factory = keystonemiddleware.oauth2_token:filter_factory
2. Restart tacker service so that the modified configuration information takes
effect.
.. code-block:: console
$ sudo systemctl restart devstack@tacker
3. Obtain client credentials with application credentials API
See the `OAuth 2.0 usage guide`_ and `Application Credentials API`_ for
information about obtaining client credentials.
4. Obtain an access token from the `OAuth 2.0 Access Token API`_
.. code-block:: console
$ curl -i --cacert keystone.host.crt -u "$oauth2_client_id:$oauth2_client_secret" \
-X POST https://$keystone_host_name/identity/v3/OS-OAUTH2/token \
-H "application/x-www-form-urlencoded" \
-d "grant_type=client_credentials"
HTTP/1.1 200 OK
Date: Wed, 22 May 2024 05:55:21 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: application/json
Content-Length: 264
Vary: X-Auth-Token
x-openstack-request-id: req-269c250e-5fc8-439b-9d40-8ba6c139a245
Connection: close
{"access_token":"$oauth2_access_token","expires_in":3600,"token_type":"Bearer"}
$ curl -i --cacert tacker.host.crt -X GET "https://$tacker_host_name:9890/v1.0/vims" \
-H "Authorization: Bearer $oauth2_access_token"
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 736
X-Openstack-Request-Id: req-75594c93-dc19-49cd-9da5-6f8e9b7a7a03
Date: Wed, 22 May 2024 05:59:43 GMT
{"vims": [{"id": "84517803-0e84-401e-ad75-8f6b8ab0a3b6", "type": "openstack", "tenant_id": "d53a4605d776472d846aed35735d3494", "name": "openstack-admin-vim", "description": "", "placement_attr": {"regions": ["RegionOne"]}, "is_default": true, "created_at": "2024-06-03 14:29:08", "updated_at": null, "extra": {}, "auth_url": "https://$keystone_host_name/identity/v3", "vim_project": {"name": "nfv", "project_domain_name": "Default"}, "auth_cred": {"username": "nfv_user", "user_domain_name": "Default", "cert_verify": "False", "project_id": null, "project_name": "nfv", "project_domain_name": "Default", "auth_url": "https://keystone/identity/v3", "key_type": "barbican_key", "secret_uuid": "***", "password": "***"}, "status": "ACTIVE"}]}
$ curl -i --cacert tacker.host.crt -X GET "https://$tacker_host_name:9890/vnfpkgm/v1/vnf_packages" \
-H "Authorization: Bearer $oauth2_access_token"
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 498
X-Openstack-Request-Id: req-3f5ebaad-6f66-43b7-bd0f-917a54558918
Date: Wed, 22 May 2024 06:06:24 GMT
[{"id": "6b02a067-848f-418b-add1-e9c020239b31", "onboardingState": "ONBOARDED", "operationalState": "ENABLED", "usageState": "IN_USE", "vnfProductName": "Sample VNF", "vnfSoftwareVersion": "1.0", "vnfdId": "b1bb0ce7-ebca-4fa7-95ed-4840d70a1177", "vnfdVersion": "1.0", "vnfProvider": "Company", "_links": {"self": {"href": "/vnfpkgm/v1/vnf_packages/6b02a067-848f-418b-add1-e9c020239b31"}, "packageContent": {"href": "/vnfpkgm/v1/vnf_packages/6b02a067-848f-418b-add1-e9c020239b31/package_content"}}}]
5. Access the OpenStack Tacker APIs with the OAuth 2.0 access token to confirm
that OAuth 2.0 Client Credentials Grant flow works correctly
.. code-block:: console
$ curl -i --cacert tacker.host.crt -X GET "https://$tacker_host_name:9890/vnflcm/v1/vnf_instances" \
-H "Authorization: Bearer $oauth2_access_token"
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 603
X-Openstack-Request-Id: req-ceeb935f-e4af-4f46-bfa9-4fb3e83a4664
Date: Wed, 22 May 2024 06:24:33 GMT
[{"id": "fd25f4ca-27ac-423b-afcf-640a64544e61", "vnfInstanceName": "vnf-fd25f4ca-27ac-423b-afcf-640a64544e61", "instantiationState": "NOT_INSTANTIATED", "vnfdId": "b1bb0ce7-ebca-4fa7-95ed-4840d70a1177", "vnfProvider": "Company", "vnfProductName": "Sample VNF", "vnfSoftwareVersion": "1.0", "vnfdVersion": "1.0", "vnfPkgId": "6b02a067-848f-418b-add1-e9c020239b31", "_links": {"self": {"href": "https://$tacker_host_name:9890/vnflcm/v1/vnf_instances/fd25f4ca-27ac-423b-afcf-640a64544e61"}, "instantiate": {"href": "https://$tacker_host_name:9890/vnflcm/v1/vnf_instances/fd25f4ca-27ac-423b-afcf-640a64544e61/instantiate"}}}]
6. Confirm that a client can not access the Tacker APIs with an X-Auth-Token.
.. code-block:: console
$ curl -i --cacert keystone.host.crt -X POST https://$keystone_host_name/identity/v3/auth/tokens?nocatalog \
-d '{"auth":{"identity":{"methods":["password"],"password": {"user":{"domain":{"name":"$userDomainName"},"name":"$userName","password":"$password"}}},"scope":{"project":{"domain":{"name":"$projectDomainName"},"name":"$projectName"}}}}' \
-H 'Content-type:application/json'
HTTP/1.1 201 CREATED
Date: Wed, 05 Jun 2024 06:48:33 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: application/json
Content-Length: 712
X-Subject-Token: $x_auth_token
Vary: X-Auth-Token
x-openstack-request-id: req-bc85eb93-eb34-41d6-970e-1cbd776c1878
Connection: close
{"token": {"methods": ["password"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "ee8962d8fe0d4eafbf2155eac988fce8", "name": "nfv_user", "password_expires_at": null}, "audit_ids": ["nHh38yyHSnWfPItIUnesEQ"], "expires_at": "2024-06-05T07:48:33.000000Z", "issued_at": "2024-06-05T06:48:33.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "d53a4605d776472d846aed35735d3494", "name": "nfv"}, "is_domain": false, "roles": [{"id": "4f50d53ed79a42bd89105954f21d9f1d", "name": "member"}, {"id": "9c9f278da6e74c2dbdb80fc0a5ed9010", "name": "manager"}, {"id": "fcdedca5ce604c90b241bab70f85d8cc", "name": "admin"}, {"id": "42ff1a2ac70d4496a90dd6aa8985feb1", "name": "reader"}]}}
$ curl -i --cacert tacker.host.crt -X GET "https://$tacker_host_name:9890/v1.0/vims" \
-H "X-Auth-Token:$x_auth_token"
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Content-Length: 114
Www-Authenticate: Keystone uri="https://$keystone_host_name/identity"
X-Openstack-Request-Id: req-5ee22493-4961-4272-82c6-c44978d3ed8b
Date: Wed, 05 Jun 2024 07:02:02 GMT
{"error": {"code": 401, "title": "Unauthorized", "message": "The request you have made requires authentication."}}
Enable OpenStack Command through OAuth 2.0 Client Credentials Authorization
---------------------------------------------------------------------------
To use OAuth 2.0 Client Credentials Grant from OpenStack CLI, you have to use
``v3oauth2clientcredential`` as ``auth_type``.
1. Before executing the command, you should remove the variables that affect
the OpenStack command from the OS environment, then set the variables that
required by OAuth 2.0 client credentials authorization to the OS
environment.
.. code-block:: console
$ unset OS_USERNAME
$ unset OS_USER_ID
$ unset OS_USER_DOMAIN_ID
$ unset OS_USER_DOMAIN_NAME
$ unset OS_TOKEN
$ unset OS_PASSCODE
$ unset OS_REAUTHENTICATE
$ unset OS_TENANT_ID
$ unset OS_TENANT_NAME
$ unset OS_PROJECT_ID
$ unset OS_PROJECT_NAME
$ unset OS_PROJECT_DOMAIN_ID
$ unset OS_PROJECT_DOMAIN_NAME
$ unset OS_DOMAIN_ID
$ unset OS_DOMAIN_NAME
$ unset OS_SYSTEM_SCOPE
$ unset OS_TRUST_ID
$ unset OS_DEFAULT_DOMAIN_ID
$ unset OS_DEFAULT_DOMAIN_NAME
$ export OS_AUTH_URL=https://$keystone_host_name/identity
$ export OS_IDENTITY_API_VERSION=3
$ export OS_REGION_NAME="RegionOne"
$ export OS_INTERFACE=public
.. code-block:: console
$ export OS_OAUTH2_ENDPOINT=https://$keystone_host_name/identity/v3/OS-OAUTH2/token
$ export OS_OAUTH2_CLIENT_ID=$oauth2_client_id
$ export OS_OAUTH2_CLIENT_SECRET=$oauth2_client_secret
$ export OS_AUTH_TYPE=v3oauth2clientcredential
$ export OS_CACERT=/etc/keystone/keystone.host.crt
2. Change the tacker endpoints to use the HTTPS protocol to access the tacker
API.
.. code-block:: console
$ openstack endpoint list --service nfv-orchestration
+----------------------------------+-----------+--------------+-------------------+---------+-----------+--------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+-------------------+---------+-----------+--------------------------------+
| 4729bdacd3ff486394142e663561dddd | RegionOne | tacker | nfv-orchestration | True | public | http://$tacker_host_name:9890/ |
| 9152dd2790fa4a25aa9884685534c8cd | RegionOne | tacker | nfv-orchestration | True | internal | http://$tacker_host_name:9890/ |
| f868f32d84dc4087bc4322c854413912 | RegionOne | tacker | nfv-orchestration | True | admin | http://$tacker_host_name:9890/ |
+----------------------------------+-----------+--------------+-------------------+---------+-----------+--------------------------------+
$ openstack endpoint set 4729bdacd3ff486394142e663561dddd --url https://$tacker_host_name:9890/
$ openstack endpoint set 9152dd2790fa4a25aa9884685534c8cd --url https://$tacker_host_name:9890/
$ openstack endpoint set f868f32d84dc4087bc4322c854413912 --url https://$tacker_host_name:9890/
$ openstack endpoint list --service nfv-orchestration
+----------------------------------+-----------+--------------+-------------------+---------+-----------+---------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+-------------------+---------+-----------+---------------------------------+
| 4729bdacd3ff486394142e663561dddd | RegionOne | tacker | nfv-orchestration | True | public | https://$tacker_host_name:9890/ |
| 9152dd2790fa4a25aa9884685534c8cd | RegionOne | tacker | nfv-orchestration | True | internal | https://$tacker_host_name:9890/ |
| f868f32d84dc4087bc4322c854413912 | RegionOne | tacker | nfv-orchestration | True | admin | https://$tacker_host_name:9890/ |
+----------------------------------+-----------+--------------+-------------------+---------+-----------+---------------------------------+
3. When the self signed certificates used by the Keystone identity server and
the Tacker server are not the same, it is necessary to merge multiple
certificates into a single file and then set the path to the file to the OS
environment variable.
.. code-block:: console
$ cat keystone.host.crt >> openstack_client.crt
$ cat tacker.host.crt >> openstack_client.crt
$ cat openstack_client.crt
-----BEGIN CERTIFICATE-----
MIIDhTCCAm0CFCVKt8eYhOMvOCtQQPfjXTbIux8aMA0GCSqGSIb3DQEBCwUAMH8x
CzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdKaWFuZ3N1MQ8wDQYDVQQHDAZTdXpob3Ux
DTALBgNVBAoMBEpmdHQxDDAKBgNVBAsMA0RldjEWMBQGA1UEAwwNa2V5c3RvbmUu
aG9zdDEYMBYGCSqGSIb3DQEJARYJdGVzdEBqZnR0MB4XDTIyMDMwODAxNTA1NloX
DTIzMDMwODAxNTA1NlowfzELMAkGA1UEBhMCQ04xEDAOBgNVBAgMB0ppYW5nc3Ux
DzANBgNVBAcMBlN1emhvdTENMAsGA1UECgwESmZ0dDEMMAoGA1UECwwDRGV2MRYw
FAYDVQQDDA1rZXlzdG9uZS5ob3N0MRgwFgYJKoZIhvcNAQkBFgl0ZXN0QGpmdHQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyFCA2S7yrOzSgWaPte9rh
/XX7S6TTOHRoH3OI75hY2bMA3sfVaq5be6XHa6K5b9sNz1sjgxM5sffBLA8VbawT
Tz+ZUGhpOs1bQuye7ayDg6g/8YUvBth+MHl9c58dDVYudKag8Vcanlztda8LYJSe
1sJKekfXZDG692R1lihGWrgVl+DV9elxK54knplvAqPzmt3KF+wra0s0QgySXA/D
HTBQRJtNqG0ofPDfmCT0SwQSBpdiX2XQ9CGZXVHvUaM4RgPNIHCXi4laDXlSKc53
Pyxk68R1jm9lodMj+oJdyl+CYydDbm2T2rJFByCxTd+BeWt31UBN7e3UJPI6uyZT
AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAEJRVuhCWsdP4DA/gjPixWuVaTvdArh
4HAK0WOsuXX1uLUTqXUrt86Ao5yudr5mSs/rSwIzW3Lggk2yrcR/NutecdHFZXln
LFzArhkX/FeW2LddPOmJhVXFnHVc3woWdrUtgp5TjZRt+PrGUWjM2z9QrLeAp/PP
qBJ3BNjizM+Jz5KMKeXU0zWS6y/0dcwruOwa8loZ2FiG3f/UubOyNGUgLodFrxhQ
vIaeHkaYZw3CHBSYjs7eJiwZNjMrb+eL0CFoJd0UF+30PptUfews61KuIQTk0od1
5aZoXdQ/YHWorLJoluUFrNqZUykDfFm7JLBjubuHglvVUTSJ1mbDGto=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDgTCCAmkCFBkaTpj6Fm1yuBJrOI7OF1ZxEKbOMA0GCSqGSIb3DQEBCwUAMH0x
CzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdKaWFuZ3N1MQ8wDQYDVQQHDAZTdXpob3Ux
DTALBgNVBAoMBGpmdHQxDDAKBgNVBAsMA2RldjEUMBIGA1UEAwwLdGFja2VyLmhv
c3QxGDAWBgkqhkiG9w0BCQEWCXRlc3RAamZ0dDAeFw0yMjAzMDgwMjQ2MDZaFw0y
MzAzMDgwMjQ2MDZaMH0xCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdKaWFuZ3N1MQ8w
DQYDVQQHDAZTdXpob3UxDTALBgNVBAoMBGpmdHQxDDAKBgNVBAsMA2RldjEUMBIG
A1UEAwwLdGFja2VyLmhvc3QxGDAWBgkqhkiG9w0BCQEWCXRlc3RAamZ0dDCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALIUIDZLvKs7NKBZo+172uH9dftL
pNM4dGgfc4jvmFjZswDex9Vqrlt7pcdrorlv2w3PWyODEzmx98EsDxVtrBNPP5lQ
aGk6zVtC7J7trIODqD/xhS8G2H4weX1znx0NVi50pqDxVxqeXO11rwtglJ7Wwkp6
R9dkMbr3ZHWWKEZauBWX4NX16XErniSemW8Co/Oa3coX7CtrSzRCDJJcD8MdMFBE
m02obSh88N+YJPRLBBIGl2JfZdD0IZldUe9RozhGA80gcJeLiVoNeVIpznc/LGTr
xHWOb2Wh0yP6gl3KX4JjJ0NubZPaskUHILFN34F5a3fVQE3t7dQk8jq7JlMCAwEA
ATANBgkqhkiG9w0BAQsFAAOCAQEAH0B2qgwKjWje0UfdQOb1go8EKsktHOvIDK5+
dXz2wNFJpKCekvSGK4/2KEp1McTTDj0w8nlWcGZgaOcvjuq8ufWrggjdADa2xJHr
4pfxNMQrQXCFZ5ikCoLDx9QKDyN81b12GWpr1yPYIanSghbhx4AW7BkVQwtELun8
d6nHGTixkqxljbEB9qM/wOrQMlm/9oJvyU4Po7weav8adPVyx8zFh9UCH2qXKUlo
3e5D8BKkBpo4DtoXGPaYBuNt/lI7emhfikcZ2ZbeytIGdC4InoooYMKJkfjMxyim
DSqhxuyffTmmMmEx1GK9PYLy7uPJkfn/mn9K9VL71p4QnJQt7g==
-----END CERTIFICATE-----
$ export OS_CACERT=/etc/openstack/openstack_client.crt
4. Execute a tacker command to confirm that OpenStack command can access the
Tacker APIs successfully.
.. code-block:: console
$ openstack vim list
+--------------------------------------+---------------------+----------------------------------+-----------+------------+--------+
| ID | Name | Tenant_id | Type | Is Default | Status |
+--------------------------------------+---------------------+----------------------------------+-----------+------------+--------+
| 84517803-0e84-401e-ad75-8f6b8ab0a3b6 | openstack-admin-vim | d53a4605d776472d846aed35735d3494 | openstack | True | ACTIVE |
+--------------------------------------+---------------------+----------------------------------+-----------+------------+--------+
$ openstack vnf package list
+--------------------------------------+------------------+------------------+-------------+-------------------+-------------------------------------------------------------------------------------------------+
| Id | Vnf Product Name | Onboarding State | Usage State | Operational State | Links |
+--------------------------------------+------------------+------------------+-------------+-------------------+-------------------------------------------------------------------------------------------------+
| 6b02a067-848f-418b-add1-e9c020239b31 | Sample VNF | ONBOARDED | IN_USE | ENABLED | { |
| | | | | | "self": { |
| | | | | | "href": "/vnfpkgm/v1/vnf_packages/6b02a067-848f-418b-add1-e9c020239b31" |
| | | | | | }, |
| | | | | | "packageContent": { |
| | | | | | "href": "/vnfpkgm/v1/vnf_packages/6b02a067-848f-418b-add1-e9c020239b31/package_content" |
| | | | | | } |
| | | | | | } |
+--------------------------------------+------------------+------------------+-------------+-------------------+-------------------------------------------------------------------------------------------------+
$ openstack vnflcm list
+--------------------------------------+------------------------------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
| ID | VNF Instance Name | Instantiation State | VNF Provider | VNF Software Version | VNF Product Name | VNFD ID |
+--------------------------------------+------------------------------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
| fd25f4ca-27ac-423b-afcf-640a64544e61 | vnf-fd25f4ca-27ac-423b-afcf-640a64544e61 | NOT_INSTANTIATED | Company | 1.0 | Sample VNF | b1bb0ce7-ebca-4fa7-95ed-4840d70a1177 |
+--------------------------------------+------------------------------------------+---------------------+--------------+----------------------+------------------+--------------------------------------+
Subscribe to Notifications that need OAuth 2.0 Client Credentials Grant
-----------------------------------------------------------------------
If the certification of the notification authorization server is not trusted,
the configuration file :doc:`/configuration/config` can be modified to set the
``verify_oauth2_ssl`` to false, then the backend no longer verify the
certification when it obtains the OAuth 2.0 access token.
If the certification of the notification callback API is not trusted, the
configuration file :doc:`/configuration/config` can be modified to set the
``verify_notification_ssl`` to false, then the backend no longer verify the
certification when it sends a notification.
1. Modify the configuration file as needed.
.. code-block:: console
$ vi /etc/tacker/tacker.conf
[vnf_lcm]
verify_notification_ssl = false
[authentication]
verify_oauth2_ssl = false
2. Subscribe to a notification that requires OAuth 2.0 client authorization to
confirm that the backend can send a notification successfully.
.. code-block:: console
$ cat subsc_create_req.json
{
"filter": {
"vnfInstanceSubscriptionFilter":{
"vnfdIds": [
"108135bb-8f21-4b91-a548-4aad3cf72a87"
]
}
},
"callbackUri" : "$callback_uri",
"authentication": {
"authType":["OAUTH2_CLIENT_CREDENTIALS"],
"paramsOauth2ClientCredentials": {
"clientId": "$notification_oauth2_client_id",
"clientPassword": "$notification_oauth2_client_secret",
"tokenEndpoint": "$notification_oauth2_token_endpoint"
}
}
}
$ openstack vnflcm subsc create subsc_create_req.json --os-tacker-api-version 2
+--------------+----------------------------------------------------------------------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------------------------------------------------------------------+
| Callback URI | $callback_uri |
| Filter | { |
| | "vnfInstanceSubscriptionFilter": { |
| | "vnfdIds": [ |
| | "108135bb-8f21-4b91-a548-4aad3cf72a87" |
| | ] |
| | } |
| | } |
| ID | b25c2d6f-6de4-450a-a25d-321868d3ed83 |
| Links | { |
| | "self": { |
| | "href": "https://$tacker_host_name/vnflcm/v2/subscriptions/b25c2d6f-6de4-450a-a25d-321868d3ed83" |
| | } |
| | } |
| verbosity | FULL |
+--------------+----------------------------------------------------------------------------------------------------------+
.. _RFC6749: https://datatracker.ietf.org/doc/html/rfc6749
.. _ETSI NFV-SOL013 v3.4.1:
https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/013/03.04.01_60/gs_nfv-sol013v030401p.pdf
.. _OAuth 2.0 client credentials:
https://docs.openstack.org/keystone/latest/admin/oauth2-usage-guide.html
.. _Middleware Architecture:
https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html
.. _OAuth 2.0 usage guide:
https://docs.openstack.org/keystone/latest/admin/oauth2-usage-guide.html
.. _Application Credentials API:
https://docs.openstack.org/api-ref/identity/v3/index.html#application-credentials
.. _OAuth 2.0 Access Token API:
https://docs.openstack.org/api-ref/identity/v3-ext/index.html#os-oauth2-api