FiWare

OAuth2-based authorization and authentication in Cosmos WebHDFS at FIWARE Lab

Jul 18 2015

“APIs in FIWARE should be RESTful APIs. And RESTful APIs in FIWARE should be protected with OAuth2.” This sentence, which is true for most of the enablers in FIWARE, did not completely apply to Cosmos BigData. Until now.

OAuth2 is the evolution of the OAuth protocol, an open standard for authorization. Using OAuth, client applications can securely access certain server resources on behalf of the resource owner and, best of all, without sharing the owner's credentials with the service. This works thanks to a trusted authorization service in charge of issuing pieces of security information: the access tokens. Once obtained, the access token is attached to the service request so that the server may ask the authorization service about the validity of the user requesting access (authentication) and the availability of the resource itself for this user (authorization).

FIWARE implements the above concept through the Identity Manager GE (Keyrock implementation) and the Access Control (AuthZForce implementation); these two enablers together form the OAuth2-based authorization service in FIWARE:

  • Access tokens are requested from the Identity Manager, which the final service then asks to authenticate the received token. Note that by asking this, the service not only discovers who the real FIWARE user behind the request is, but also has full certainty that the user is who he/she claims to be.
  • At the same time, the Identity Manager relies on the Access Control for authorization purposes. The access token carries, in addition to the real identity of the user, his/her roles with respect to the requested resource. The Access Control owns a list of policies stating who is allowed to access each resource based on the user roles.

And how does this affect Cosmos BigData? HDFS (big) data can be accessed through the native WebHDFS RESTful API. This API was not protected with FIWARE authentication/authorization mechanisms but with Hadoop ones. This led Cosmos to be one of the few remaining “rebel” enablers avoiding homogeneity in the access to FIWARE APIs.

So, what’s next? Let’s learn with an example!

How can I request an access token? Send the following request to the Cosmos Token Generator in FIWARE Lab (cosmos.lab.fiware.org:13000):

$ curl -X POST "https://cosmos.lab.fiware.org/cosmos-auth/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&username=frb@tid.es&password=xxxxxxxx"

{"access_token": "qjHPUcnW6leYAqr3Xw34DWLQlja0Ix", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "V2Wlk7aFCnElKlW9BOmRzGhBtqgR2z"}

As you can see, your FIWARE Lab credentials are required in the payload, in the form of a password-based grant type (this will be the only time you have to give them).

Once the access token is obtained (in the example above, it is qjHPUcnW6leYAqr3Xw34DWLQlja0Ix), simply add it to the same WebHDFS request you were performing in the past. The token is added by means of the X-Auth-Token header:

$ curl -X GET "http://cosmos.lab.fiware.org:14000/webhdfs/v1/user/frb/path/to/the/data?op=liststatus&user.name=frb" -H "X-Auth-Token: qjHPUcnW6leYAqr3Xw34DWLQlja0Ix"

{"FileStatuses":{"FileStatus":[…]}}

Now, if you try the above request with a random token, the server will reply that the token is not valid; that's because you have not authenticated properly:

$ curl -X GET "http://cosmos.lab.fiware.org:14000/webhdfs/v1/user/frb/path/tp/the/data?op=liststatus&user.name=frb" -H "X-Auth-Token: randomtoken93487345"

User token not authorized

In the same way, if you use a valid token but try to access another HDFS userspace, you will get the same answer; that's because you are not authorized to access any HDFS userspace but the one owned by you:

$ curl -X GET "http://cosmos.lab.fiware.org:14000/webhdfs/v1/user/fgalan/path/tp/the/data?op=liststatus&user.name=fgalan" -H "X-Auth-Token: qjHPUcnW6leYAqr3Xw34DWLQlja0Ix"

User token not authorized
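As an added example (not Cosmos or FIWARE code), the two checks the post walks through, modelled in Python: a token either authenticates a user (and has not outlived its expires_in) or it does not, and even a valid token only reaches its owner's own HDFS userspace. The token store, issue times and user names are constructed for the example.

```python
"""Model of the OAuth2 checks in front of WebHDFS described in the post.

Added example, not Cosmos code. The token store below stands in for what the
Identity Manager would answer when asked about a token; its values are
constructed, not real FIWARE Lab tokens.
"""
import time
from urllib.parse import parse_qs, urlparse

TOKEN_LIFETIME = 3600  # the expires_in value returned by the token endpoint
NOT_AUTHORIZED = "User token not authorized"  # the reply shown in the post
WEBHDFS_PREFIX = "/webhdfs/v1"

ISSUED_AT = 1_000_000  # constructed issue time (seconds)
TOKENS = {  # hypothetical token store: token -> owner and issue time
    "qjHPUcnW6leYAqr3Xw34DWLQlja0Ix": {"user": "frb", "issued": ISSUED_AT},
}


def authenticate(token, now):
    """Return the user behind the token, or None if it is unknown or expired."""
    entry = TOKENS.get(token)
    if entry is None or now - entry["issued"] >= TOKEN_LIFETIME:
        return None
    return entry["user"]


def userspace_owner(path):
    """Owner of the HDFS userspace a path belongs to (/user/<name>/...), else None."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "user" else None


def authorize(token, url, now=None):
    """Run authentication, then authorization, for one WebHDFS request.

    Returns (True, user) when the request may proceed, or (False, reply).
    """
    now = time.time() if now is None else now
    user = authenticate(token, now)
    if user is None:
        return False, NOT_AUTHORIZED  # random or expired token: not authenticated
    parsed = urlparse(url)
    path = parsed.path
    if path.startswith(WEBHDFS_PREFIX):
        path = path[len(WEBHDFS_PREFIX):]
    requested_as = parse_qs(parsed.query).get("user.name", [None])[0]
    # Both the userspace in the path and user.name must be the token owner:
    # a valid token still cannot reach another user's data.
    if userspace_owner(path) != user or requested_as != user:
        return False, NOT_AUTHORIZED
    return True, user
```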

Once this point is reached, you may say “OK, but I’m not using WebHDFS at all”. Are you sure? Because, if you are using Cygnus, the tool to build Orion context data archives, then you are using WebHDFS. This is because WebHDFS is the RESTful API used to persist the data in an HDFS backend such as Cosmos. Sadly, no Cygnus version had support for OAuth2… until now. Cygnus 0.8.2 is freshly available and supports OAuth2 through this parameter:

<your_cygnus_agent_name>.sinks.<your_sink_name>.oauth2_token = <your_token>

The token is obtained from cosmos.lab.fiware.org:13000 as seen before. And upgrading to Cygnus 0.8.2 is as easy as doing:

$ (sudo) yum clean all # just to clean the yum cache

$ (sudo) yum list cygnus # this will show you 0.8.2 is available

$ (sudo) rpm -e -vv --allmatches --nodeps --noscripts --notriggers cygnus # this is needed if you have installed a version < 0.8.0

$ (sudo) yum install cygnus # this installs 0.8.2

Any doubt? Whatever question you may have, do not hesitate to contact us through stackoverflow.com or fiware-lab-help@lists.fiware.org. More details can be found in these two Stack Overflow questions:

http://stackoverflow.com/questions/31187977/oauth2-access-to-cosmos-webhdfs-in-fiware-lab

http://stackoverflow.com/questions/31310111/oauth2-in-cygnus

 

Attend our webinars!

Mar 27 2014
 
FI-WARE webinars

On Monday (March 31) and Tuesday (April 1) we will have 7 webinars open to anyone who wants to participate. These webinars are focused on the most used General Enablers at our previous Challenges and Hackathons. This way all participants in our FI-WARE Challenges can learn more about FI-WARE and FI-LAB.

Below you can find the agenda for each day and a description of each webinar. 

Next Monday, next Tuesday… go to http://www.mashme.tv/M/2qvRiO to attend! Hope to see you there! 

(*) Chrome browser + Java7u51 in a Windows machine are recommended.

WEBINAR AGENDA

* All times are CEST.

Monday, March 31st 

10:00 – 10:55 (CEST) – Identity Management and Access Control – KeyRock
11:00 – 11:55 (CEST) – Advanced Cloud capabilities
12:00 – 12:55 (CEST) – Mashup technologies – Wirecloud

Tuesday, April 1st

12:00 – 12:55 (CEST) – Real-time Multimedia Stream Processing – Kurento
15:30 – 16:25 (CEST) – Connection to the Internet of Things: DCA and Figway
16:30 – 17:25 (CEST) – Context Awareness: Orion Context Broker
17:30 – 18:25 (CEST) – Map/Reduce – Cosmos Big Data

WEBINAR DESCRIPTIONS

Advanced Cloud Capabilities
This webinar will be a practical session on FI-LAB Cloud. We will show how to use the FI-LAB Cloud portal so that you will be able to deploy and access virtual machines, create containers and objects, and instantiate blueprints (VMs along with software).

Identity Management and Access Control – KeyRock
In this webinar we will explain how to secure your applications and GEs using FI-WARE Identity Management. We will explain how to create a FI-WARE account and register an application in the platform, managing organizations, roles and permissions. We will also describe OAuth2, the protocol that your application uses to allow access to your users with their FI-WARE accounts. And we will have a live demo in which you will learn how to implement that protocol in your application in a few easy steps.

Mashup technologies – Wirecloud
WireCloud builds on cutting-edge end-user development, RIA and semantic technologies to offer a next-generation end-user centred web application mashup platform. This webinar will teach how to develop those mashups, including development of the mashable application components used as building blocks.

Real-time Multimedia Stream Processing – Kurento
This webinar introduces Kurento, a framework for building multimedia and streaming applications based on predefined blocks: RTP, WebRTC, HTTP and RTSP senders/receivers and face detection, plate recognition or object tracking, augmented reality, group communications or media mixing and blending, among others. During the webinar, we will use the Kurento APIs to show how to create media applications for videoconferencing or video streaming in a simple and seamless manner. We will also demonstrate how these applications can be enriched with Kurento's advanced processing capabilities.

Connection to the Internet of Things
This webinar will explain how to connect Internet-of-Things settings to FI-WARE through DCA and Figway enablers and how to exploit such resources in your Future Internet Apps. Two different scenarios are considered: large IoT settings such as smartcities and scope-limited deployments, typically smart spaces.

Context Awareness: Orion Context Broker
This webinar will be a practical session on Orion Context Broker. We will start by describing where to find the Orion information in the FI-WARE Catalogue, then how a FI-LAB user can create her/his out-of-the-box, ready-to-use Orion instance. Finally, we will walk through the main operations to manage context in Orion Context Broker.

Map/Reduce – Cosmos Big Data
This webinar will explain Cosmos, the Big Data and Open Data platform, focusing on how to manage your data and how you can obtain value-added information from it. Several demos will be shown, such as basic WebHDFS usage, HiveQL and MapReduce examples.

New webinar: FIWARE LAB Identity Manager and how to authenticate your users with OAuth

Jan 23 2014
 
Today, Thursday 23rd, we will have a new webinar. This time it will be dedicated to FIWARE LAB Identity Manager and how to authenticate your users with OAuth, taught by Álvaro Alonso, Carolina García and Javier Cerviño. 
 
Go to http://www.mashme.tv/M/2qvRiO at 4pm CET and, if you cannot attend, don't worry! We will publish the recording of the webinar for further reference. 
 
In this webinar we will learn to use the FIWARE LAB Identity Manager: to register new accounts, create new organizations, add users to our organizations and assign roles to them. We will also see how to change our applications in order to authenticate our users using their credentials in the Identity Manager, using OAuth 2.0 libraries.