如何配置FIWARE组件以避免为应用程序响应创建AZF域

Stack Overflow user
Asked on 2019-05-09 15:07:02
1 answer, 345 views, 0 followers, 1 vote

Question summary: how can I get FIWARE IdM Keyrock and FIWARE Authzforce to set up the AZF domain correctly, so as to avoid the "AZF domain not created for application XYZ" response?

I am trying to configure a server correctly using FIWARE Orion, FIWARE PEP Proxy Wilma, FIWARE IdM Keyrock and FIWARE Authzforce. I got to the stage where the first 3 components work and interact with each other, but now I am trying to insert the automation and get the following error: AZF domain not created for application. I have already tried all the solutions provided in the following links, but none of them worked:

Below you can find the instructions to reproduce my scenario:

  1. Install Orion using a Docker container
- Create a directory on your system on which to work (for example, `/home/fiware-orion-docker`).
- Create a new file called `docker-compose.yml` inside your directory with the following contents:

```yaml
mongo:
  image: mongo:3.4
  command: --nojournal
orion:
  image: fiware/orion
  links:
    - mongo
  ports:
    - "1026:1026"
  command: -dbhost mongo -logLevel DEBUG
  dns:
    - 208.67.222.222
    - 208.67.220.220
```
- PAY ATTENTION: without the DNS it will never send notifications!!!
- PAY ATTENTION 2 ([source](https://svenv.nl/unixandlinux/dockerufw/)): Connections from docker containers get routed into the (iptables) FORWARD chain, this needs to be configured to allow connections through it. The default is to DROP the connections. Thus if you use a firewall you have to change it:
    - `sudo nano /etc/default/ufw`
    - Set DEFAULT_FORWARD_POLICY to "ACCEPT": `DEFAULT_FORWARD_POLICY="ACCEPT"`
    - Save the file.
    - Reload ufw: `sudo ufw reload`

- Within the directory you created, type the following command in the command line: `sudo docker-compose up -d`.
- After a few seconds you should have your Context Broker running and listening on port `1026`.
- Check that everything works with

```sh
curl localhost:1026/version
```

  2. Install FIWARE IdM Keyrock (used for authentication with Orion): https://github.com/ging/fiware-idm
- WARNING -1: if the next command doesn't work: `sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu artful stable"`
- WARNING 0: if you have a firewall: **DISABLE IT**, otherwise docker-compose will not work
- `sudo apt-get install docker-compose`
- `mkdir fiware-idm`
- `cd fiware-idm`
- create docker-compose.yml: `nano docker-compose.yml`
```yaml
version: "3.5"
services:
  keyrock:
    image: fiware/idm:7.6.0
    container_name: fiware-keyrock
    hostname: keyrock
    networks:
      default:
        ipv4_address: 172.18.1.5
    depends_on:
      - mysql-db
    ports:
      - "3000:3000"
    environment:
      - DEBUG=idm:*
      - IDM_DB_HOST=mysql-db
      - IDM_HOST=http://localhost:3000
      - IDM_PORT=3000
      # Development use only
      # Use Docker Secrets for Sensitive Data
      - IDM_DB_PASS=secret
      - IDM_DB_USER=root
      - IDM_ADMIN_USER=admin
      - IDM_ADMIN_EMAIL=admin@test.com
      - IDM_ADMIN_PASS=1234

  mysql-db:
    restart: always
    image: mysql:5.7
    hostname: mysql-db
    container_name: db-mysql
    expose:
      - "3306"
    ports:
      - "3306:3306"
    networks:
      default:
        ipv4_address: 172.18.1.6
    environment:
      # Development use only
      # Use Docker Secrets for Sensitive Data
      - "MYSQL_ROOT_PASSWORD=secret"
      - "MYSQL_ROOT_HOST=172.18.1.5"
    volumes:
      - mysql-db:/var/lib/mysql

networks:
  default:
    ipam:
      config:
        - subnet: 172.18.1.0/24

volumes:
  mysql-db: ~
```
- `sudo docker-compose up -d` (this will automatically download the two images and run the IdM Keyrock service; `-d` runs it in the background).
- Now you should be able to access the Identity Management tool through the website [http://localhost:3000](http://localhost:3000/) 
    - username: `admin@test.com`
    - password: `1234`

- Register a new user and enable it through the interface
- Then use the GUI to:  
    - Create an "Organization" (e.g., ORGANIZ1)
    - Create an "application"  
        - Step 1:
            - Name: Orion Idm
            - Description: Orion Idm
            - URL: http://localhost
            - Callback URL: http://localhost
            - Grant Type: Authorization Code, Implicit, Resource Owner Password, Client Credentials, Refresh Token
            - Provider: newuser
        - Step 2: leave empty
        - Step 3: choose "Provider"
        - Step 4:   
            - click on "OAuth2 Credentials" and take notes of "Client ID" (94480bc9-43e8-4c15-ad45-0bb227e42e63) and "Client Secret" (4f6ye5y7-b90d-473a-3rr7-ea2f6dd43246)
            - Click on "PEP Proxy" and then on "Register a new PEP Proxy"
            - take notes of "Application Id" (94480bc9-43e8-4c15-ad45-0bb227e42e63), "Pep Proxy Username" (pep_proxy_dad356d2-dasa-4f95-a9hf-9ab06tccf929), and "Pep Proxy Password" (pep_proxy_a33667ec-57y1-498k-85aa-ef77ue5f6234)
            - Click on "Authorize" (Users) and authorize all the existing users with both roles (Purchaser and Provider for all the options)
            - Click on "Authorize" (Organizations) and authorize all the existing organizations with both roles (Purchaser and Provider for all the options)

  3. Install FIWARE Authzforce
- `sudo docker pull authzforce/server:latest` (latest was 8.1.0 at the moment of writing)
- `sudo docker run -d -p 8085:8080 --name authzforce_server authzforce/server`

  4. Install FIWARE PEP Proxy Wilma (used to enable https and authentication for Orion):
- `git clone https://github.com/ging/fiware-pep-proxy.git`
- `cd fiware-pep-proxy`
- `cp config.js.template config.js`
- `nano config.js`

```javascript
var config = {};

// Used only if https is disabled
config.pep_port = 5056;

config.https = undefined;

config.idm = {
    host: 'localhost',
    port: 3000,
    ssl: false
};

config.app = {
    host: 'localhost',
    port: '1026',
    ssl: false // Use true if the app server listens on https
};

config.response_type = 'code';

// Credentials obtained when registering the PEP Proxy in the Account Portal
config.pep = {
    app_id: '91180bc9-43e8-4c14-ad45-0bb117e42e63',
    username: 'pep_proxy_a33667ec-57y1-498k-85aa-ef77ue5f6234',
    password: 'pep_proxy_a33667ec-57y1-498k-85aa-ef77ue5f6234',
    trusted_apps: []
};

// in seconds
config.cache_time = 300;

// list of paths that will not check authentication/authorization
// example: ['/public/*', '/static/']
config.public_paths = [];

config.magic_key = undefined;

config.authorization = {
    enabled: true,
    pdp: 'authzforce', // idm | authzforce
    azf: {
        protocol: 'http',
        host: 'localhost',
        port: 8085,
        custom_policy: undefined // use undefined for the default policy check (HTTP verb + path)
    }
};

module.exports = config;
```

- install all the dependencies `npm install`
- run the proxy `sudo node server`

  5. Create a user role: reconnect to the IdM at http://localhost:3000
- click on your application
- click on `Manage rules` at the top of the page
- click on the `+` button near Roles  
    - Name: "trial"

- Save
- click on the `+` button near Permission  
    - Permission Name: trial1
    - Description: trial1
    - HTTP action: GET
    - Resource: version

- Save
- come back to the application
- Click on "Authorize" near "Authorized users"
- Assign the "trial" role to your user

  6. Now use Postman to obtain a token:
- connect to localhost:3000/oauth2/token and send the following parameters
    - Body:
        - username: 
        - password: 
        - grant_type: password
    - Header:
        - Content-Type: application/x-www-form-urlencoded
        - Authorization: BASIC 

- take note of the obtained `access_token`

  7. Try to connect to Orion via http://localhost:5056/version with the following parameters:
- Header:  
    - X-auth-token: 

  8. You will get the following response: AZF domain not created for application 91180bc9-43e8-4c14-ad45-0bb117e42e63

1 Answer

Stack Overflow user

Posted on 2019-05-16 19:22:34

It looks like there is a timing problem in your local setup. More specifically, it seems that docker-compose on your machine is not waiting for Keyrock to be available before the PEP Proxy times out.

There are several strategies for dealing with these problems, such as adding a wait in the startup entrypoint, adding restart: true in docker-compose, changing the infrastructure, or using some third-party scripts. A good list of strategies can be found in the answer here.

1 vote
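One way to implement the "wait in the startup entrypoint" strategy the answer mentions, as an added example that is not part of the original post or of the FIWARE projects: a POSIX sh wrapper that polls Keyrock over HTTP and only then starts Wilma, so the PEP proxy never races the IdM. The Keyrock URL, the timeout and the `node server` start command are assumptions taken from the question's setup.

```shell
#!/bin/sh
# wait-for-keyrock.sh (added example, not from the original post).
# Polls an HTTP endpoint until it answers, then execs the command given as
# arguments, e.g.:  ./wait-for-keyrock.sh node server
# Assumptions: curl is installed; Keyrock listens on http://localhost:3000
# (the value used in the question); the PEP proxy is started with `node server`.

KEYROCK_URL="${KEYROCK_URL:-http://localhost:3000/}"
MAX_WAIT="${MAX_WAIT:-120}"   # seconds to wait before giving up

# http_ready URL: succeeds once the server answers any HTTP request at all.
# A refused connection or a 3 s timeout makes curl exit non-zero.
http_ready() {
    curl -s -o /dev/null --max-time 3 "$1"
}

# wait_for LIMIT CMD [ARGS...]: rerun CMD once per second until it succeeds.
# Returns 0 when CMD succeeded, 1 when LIMIT seconds passed without success.
wait_for() {
    limit="$1"; shift
    waited=0
    until "$@"; do
        [ "$waited" -lt "$limit" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Only act when a command to start was given, so the helpers above can be
# sourced or tested without touching the network.
if [ "$#" -gt 0 ]; then
    if wait_for "$MAX_WAIT" http_ready "$KEYROCK_URL"; then
        echo "Keyrock reachable at $KEYROCK_URL, starting: $*" >&2
        exec "$@"
    fi
    echo "Keyrock not reachable at $KEYROCK_URL after ${MAX_WAIT}s, giving up" >&2
    exit 1
fi
```

In the Keyrock docker-compose file this replaces a bare `depends_on`, which only orders container start-up and does not wait for the service inside to accept requests.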
Page content provided by Stack Overflow. Translation supported by the Tencent Cloud IT-domain engine.
Original link:

https://stackoverflow.com/questions/56062441