Skip to content

Federated authentication component for rOCCI-server

License

Notifications You must be signed in to change notification settings

the-rocci-project/keystorm

Repository files navigation

Keystorm

Keystorm

The federated authentication component for rOCCI-server.

Keystorm allows users to authenticate using several protocols, currently OIDC(OpenID Connect) and VOMS(Virtual Organization Membership Service). After successful authentication, user is given an unscoped token that is generated from credentials received from authentication protocol. User can use unscoped token to generate scoped token that is used to access cloud service.

Requirements

  • Ruby 2.2.7+
  • OpenNebula 5.2+ (when using OpenNebula cloud provider)
  • Memcache

Installation

In production Keystorm must NEVER be accessible remotly. It should run under Apache2 server that handles authentication and forwards credentials to Keystorm.

Apache2

Default Apache2 configuration can be found in example/apache2

Keystorm

Docker

https://hub.docker.com/r/therocciproject/keystorm/

Source

git clone https://github.com/the-rocci-project/keystorm.git
cd keystorm
bundle install --deployment --without development test

export RAILS_ENV=production
export HOST=127.0.0.1
export SECRET_KEY_BASE=$(head -c 69 /dev/urandom | base64 -w 0)
export KEYSTORM_OPENNEBULA_SECRET=oneadmin:opennebula
export KEYSTORM_TOKEN_KEY=$(head -c 12 /dev/urandom | base64 -w 0) # Must be 16 chars
export KEYSTORM_TOKEN_IV=$(head -c 12 /dev/urandom | base64 -w 0) # Must be 16 chars

bundle exec puma # --daemon

Acknowledgements

This work is co-funded by the EOSC-hub project (Horizon 2020) under Grant number 777536.