SlideShare a Scribd company logo

Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production

FIWARE
FIWARE

This training camp teaches you how FIWARE technologies and iSHARE, brought together under the umbrella of the i4Trust initiative, can be combined to provide the means for creation of data spaces in which multiple organizations can exchange digital twin data in a trusted and efficient manner, collaborating in the development of innovative services based on data sharing and creating value out of the data they share. SMEs and Digital Innovation Hubs (DIHs) will be equipped with the necessary know-how to use the i4Trust framework for creating data spaces!

Related slideshows

Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramSession 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
 
Creating a Context-Aware solution, Complex Event Processing with FIWARE Perseo
Creating a Context-Aware solution, Complex Event Processing with FIWARE PerseoCreating a Context-Aware solution, Complex Event Processing with FIWARE Perseo
Creating a Context-Aware solution, Complex Event Processing with FIWARE Perseo
 
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
FIWARE Global Summit - The Scorpio NGSI-LD Broker: Features and Supported Arc...
 
1 of 18
Download to read offline
Kong, Keyrock, Keycloak, i4Trust - Options to secure FIWARE in production Stefan Wiedemann, Technical Lead & Architect FIWARE Foundation
1 Role of an API-Gateway in FIWARE platforms ▪ Context Broker as the central component ▪ Contacted: • from different external actors • from different internal actors • with different loads ▪ No “self-defense” mechanism We need a component to protect the platform
2 Role of an API-Gateway in FIWARE platforms ▪ Context Broker as the central component ▪ Contacted: • from different external actors • from different internal actors • with different loads ▪ No “self-defense” mechanism We need a component to protect the platform
Role of an API-Gateway in FIWARE platforms ▪ Access control: PEP-Proxy & Policy-decision Point • Allow to control who can access what ▪ Additional requirements: • Rate-limiting? • Usage-Control? • Monitoring? API-Gateway as the central entry point can provide those capabilities 3
Role of an API-Gateway in FIWARE platforms 4
Why Kong? ▪ One of the most popular and adopted solutions in the market ▪ OpenSource(and Enterprise) Version available, maintained by a huge and active community ▪ Production ready deployment tools ▪ Plugin-support: • FIWARE specific functionality can be implemented as plugin • Supports various languages, e.g lua, go and python ▪ Plugins for the additional requirements available - Kong Hub: • Rate-limiting • Usage monitoring 5
Why Kong? 6
Running Kong ▪ Multiple solutions available: Kong - Install and run ▪ Running with Helm on OpenShift: • Kong in the FIWARE demo environment ▪ Some details about the demo environment: • Uses the official Kong Helm-Chart • Extended with support for OpenShift routes • Pre-built image from FIWARE, already including the plugins • Declarative configuration via ConfigMap • Applied via GitOps - ArgoCD 7
Kong as PEP-Proxy ▪ Plugins for using Kong as a PEP in FIWARE: • ngsi-ishare-policies to enforce iTrust compliant authz/n • Keyrock as PDP - delegate role-based decisions to Keyrock • Keycloak as PDP - delegate decisions to Keycloak • External-Authz - delegate decisions to a compliant endpoint, for example the DSBA-PDP to support Verifiable Credentials 8
General plugin configuration 9 kong: … env: … plugins: bundled,pep-plugin,ngsi-ishare-policies pluginserver_names: pep-plugin pluginserver_pep_plugin_start_cmd: "/go-plugins/pep-plugin" pluginserver_pep_plugin_query_cmd: "/go-plugins/pep-plugin -dump" … dblessConfig: configMap: kong-configmap
General plugin configuration Examples: ▪ i4Trust configuration ▪ Keyrock configuration 10 services: - host: “fiware-orion-ld” name: “orion-keyrock” port: 1026 protocol: http routes: - name: orion-keyrock paths: - /keyrock strip_path: true plugins: - name: pep-plugin config: <PLUGIN_SPECIFIC_CONFIGURATION>
Keyrock configuration 11 # keyrock example - host: "fiware-orion-ld" name: "orion-keyrock" port: 1026 protocol: http routes: - name: orion-keyrock paths: - /keyrock strip_path: true plugins: - name: pep-plugin config: authorizationendpointtype: Keyrock authorizationendpointaddress: https://keyrock.fiware.dev/user keyrockappid: 7c902139-d4d0-461a-bb14-7fa29aa143fe - name: request-transformer config: remove: headers: - Authorization - authorization
i4Trust configuration 12 # i4Trust example - host: "fiware-orion-ld" name: "orion-i4trust" port: 1026 protocol: http routes: - name: orion-i4trust paths: - /i4trust strip_path: true plugins: - name: ngsi-ishare-policies config: access_token: header_names: - "authorization" - "Authorization" ar: identifier: "EU.EORI.NL000000004" host: "https://ar.isharetest.net" token_endpoint: "https://ar.isharetest.net/connect/token" delegation_endpoint: "https://ar.isharetest.net/delegation" satellite: identifier: "EU.EORI.NL000000000" host: "https://scheme.isharetest.net" token_endpoint: "https://scheme.isharetest.net/connect/token" trusted_list_endpoint: "https://scheme.isharetest.net/trusted_list" jws: identifier: … private_key: … x5c: …
Keycloak configuration 13 # keycloak example - host: "fiware-orion-ld" name: "orion-keycloak" port: 1026 protocol: http routes: - name: orion-keycloak paths: - /keycloak strip_path: true plugins: - name: pep-plugin config: authorizationendpointtype: Keycloak authorizationendpointaddress: http://fiware-keycloak:80 keycloakrealm: fiware-server keycloakclientid: orion-pep keycloakclientsecret: 978ad148-d99b-406d-83fc-578597290a79 - name: request-transformer config: remove: headers: - Authorization - authorization Keycloak Realm: https://github.com/FIWARE-Ops/fiware-gitops/blob/master/aws/fiware /keycloak/templates/realmConfigMap.yaml
Rate-limiting ▪ Rate-limiting plugin: • https://docs.konghq.com/hub/kong-inc/rate-limiting/ • Configure per route 14 - host: "fiware-orion-ld" name: "orion-limited" port: 1026 protocol: http routes: - name: orion-limited paths: - /limited strip_path: true plugins: - name: rate-limiting config: minute: 3
Monitoring ▪ Prometheus integration: • https://docs.konghq.com/hub/kong-inc/prometheus/ • Configure per route and enable scraping 15 - host: "fiware-orion-ld" name: "orion-keyrock" port: 1026 protocol: http routes: - name: orion-keyrock paths: - /keyrock strip_path: true plugins: - name: prometheus kong: podAnnotations: prometheus.io/scrape: 'true' prometheus.io/port: '9102'
Further reading ▪ i4Trust-tutorials: https://github.com/i4Trust/tutorials ▪ UI: https://github.com/pantsel/konga ▪ Plugin development: • Lua • Go ▪ Slides: https://github.com/wistefan/presentations 16
Thank you! http://fiware.org Follow @FIWARE on Twitter

More Related Content

Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production

  • 1. Kong, Keyrock, Keycloak, i4Trust - Options to secure FIWARE in production Stefan Wiedemann, Technical Lead & Architect FIWARE Foundation
  • 2. 1 Role of an API-Gateway in FIWARE platforms ▪ Context Broker as the central component ▪ Contacted: • from different external actors • from different internal actors • with different loads ▪ No “self-defense” mechanism We need a component to protect the platform
  • 3. 2 Role of an API-Gateway in FIWARE platforms ▪ Context Broker as the central component ▪ Contacted: • from different external actors • from different internal actors • with different loads ▪ No “self-defense” mechanism We need a component to protect the platform
  • 4. Role of an API-Gateway in FIWARE platforms ▪ Access control: PEP-Proxy & Policy-decision Point • Allow to control who can access what ▪ Additional requirements: • Rate-limiting? • Usage-Control? • Monitoring? API-Gateway as the central entry point can provide those capabilities 3
  • 5. Role of an API-Gateway in FIWARE platforms 4
  • 6. Why Kong? ▪ One of the most popular and adopted solutions in the market ▪ OpenSource(and Enterprise) Version available, maintained by a huge and active community ▪ Production ready deployment tools ▪ Plugin-support: • FIWARE specific functionality can be implemented as plugin • Supports various languages, e.g lua, go and python ▪ Plugins for the additional requirements available - Kong Hub: • Rate-limiting • Usage monitoring 5
  • 8. Running Kong ▪ Multiple solutions available: Kong - Install and run ▪ Running with Helm on OpenShift: • Kong in the FIWARE demo environment ▪ Some details about the demo environment: • Uses the official Kong Helm-Chart • Extended with support for OpenShift routes • Pre-built image from FIWARE, already including the plugins • Declarative configuration via ConfigMap • Applied via GitOps - ArgoCD 7
  • 9. Kong as PEP-Proxy ▪ Plugins for using Kong as a PEP in FIWARE: • ngsi-ishare-policies to enforce iTrust compliant authz/n • Keyrock as PDP - delegate role-based decisions to Keyrock • Keycloak as PDP - delegate decisions to Keycloak • External-Authz - delegate decisions to a compliant endpoint, for example the DSBA-PDP to support Verifiable Credentials 8
  • 10. General plugin configuration 9 kong: … env: … plugins: bundled,pep-plugin,ngsi-ishare-policies pluginserver_names: pep-plugin pluginserver_pep_plugin_start_cmd: "/go-plugins/pep-plugin" pluginserver_pep_plugin_query_cmd: "/go-plugins/pep-plugin -dump" … dblessConfig: configMap: kong-configmap
  • 11. General plugin configuration Examples: ▪ i4Trust configuration ▪ Keyrock configuration 10 services: - host: “fiware-orion-ld” name: “orion-keyrock” port: 1026 protocol: http routes: - name: orion-keyrock paths: - /keyrock strip_path: true plugins: - name: pep-plugin config: <PLUGIN_SPECIFIC_CONFIGURATION>
  • 12. Keyrock configuration 11 # keyrock example - host: "fiware-orion-ld" name: "orion-keyrock" port: 1026 protocol: http routes: - name: orion-keyrock paths: - /keyrock strip_path: true plugins: - name: pep-plugin config: authorizationendpointtype: Keyrock authorizationendpointaddress: https://keyrock.fiware.dev/user keyrockappid: 7c902139-d4d0-461a-bb14-7fa29aa143fe - name: request-transformer config: remove: headers: - Authorization - authorization
  • 13. i4Trust configuration 12 # i4Trust example - host: "fiware-orion-ld" name: "orion-i4trust" port: 1026 protocol: http routes: - name: orion-i4trust paths: - /i4trust strip_path: true plugins: - name: ngsi-ishare-policies config: access_token: header_names: - "authorization" - "Authorization" ar: identifier: "EU.EORI.NL000000004" host: "https://ar.isharetest.net" token_endpoint: "https://ar.isharetest.net/connect/token" delegation_endpoint: "https://ar.isharetest.net/delegation" satellite: identifier: "EU.EORI.NL000000000" host: "https://scheme.isharetest.net" token_endpoint: "https://scheme.isharetest.net/connect/token" trusted_list_endpoint: "https://scheme.isharetest.net/trusted_list" jws: identifier: … private_key: … x5c: …
  • 14. Keycloak configuration 13 # keycloak example - host: "fiware-orion-ld" name: "orion-keycloak" port: 1026 protocol: http routes: - name: orion-keycloak paths: - /keycloak strip_path: true plugins: - name: pep-plugin config: authorizationendpointtype: Keycloak authorizationendpointaddress: http://fiware-keycloak:80 keycloakrealm: fiware-server keycloakclientid: orion-pep keycloakclientsecret: 978ad148-d99b-406d-83fc-578597290a79 - name: request-transformer config: remove: headers: - Authorization - authorization Keycloak Realm: https://github.com/FIWARE-Ops/fiware-gitops/blob/master/aws/fiware /keycloak/templates/realmConfigMap.yaml
  • 15. Rate-limiting ▪ Rate-limiting plugin: • https://docs.konghq.com/hub/kong-inc/rate-limiting/ • Configure per route 14 - host: "fiware-orion-ld" name: "orion-limited" port: 1026 protocol: http routes: - name: orion-limited paths: - /limited strip_path: true plugins: - name: rate-limiting config: minute: 3
  • 16. Monitoring ▪ Prometheus integration: • https://docs.konghq.com/hub/kong-inc/prometheus/ • Configure per route and enable scraping 15 - host: "fiware-orion-ld" name: "orion-keyrock" port: 1026 protocol: http routes: - name: orion-keyrock paths: - /keyrock strip_path: true plugins: - name: prometheus kong: podAnnotations: prometheus.io/scrape: 'true' prometheus.io/port: '9102'
  • 17. Further reading ▪ i4Trust-tutorials: https://github.com/i4Trust/tutorials ▪ UI: https://github.com/pantsel/konga ▪ Plugin development: • Lua • Go ▪ Slides: https://github.com/wistefan/presentations 16