This repository has been archived by the owner on Dec 5, 2023. It is now read-only.

Deploy and Configure the PEP

Alvaro Villanueva edited this page Nov 30, 2020 · 20 revisions

In order to initialize a local PEP instance, it will be necessary to:

  • Pre-configure the PEP
  • Build the PEP Docker Image
  • Run the PEP Docker Image

Configuration

The PEP gets all its configuration from the file located under config/config.json. The parameters that are accepted, and their meaning, are as follows:

  • realm: 'realm' parameter answered for each UMA ticket. Default is "eoepca"
  • auth_server_url: complete url (with "https") of the Authorization server.
  • proxy_endpoint: "/path"-formatted string to indicate where the reverse proxy should listen. The proxy will catch any request that starts with that path. Default is "/pep"
  • service_host: Host for the proxy to listen on. For example, "0.0.0.0" will listen on all interfaces
  • service_port: Port for the proxy to listen on. By default, 5566. Keep in mind you will have to edit the docker file and/or kubernetes yaml file in order for all the port forwarding to work.
  • s_margin_rpt_valid: An integer giving the number of seconds of "margin" to require when checking an RPT. For example, using 5 will make sure the provided RPT is valid now AND AT LEAST in the next 5 seconds.
  • check_ssl_certs: Toggle on/off (bool) to check certificates in all requests. This should be forced to True in a production environment
  • use_threads: Toggle on/off (bool) the usage of threads for the proxy. Recommended to be left as True.
  • debug_mode: Toggle on/off (bool) a debug mode of Flask. In a production environment, this should be false.
  • resource_server_endpoint: Complete url (with "https" and any port) of the Resource Server to protect with this PEP.
  • rpt_limit_uses: Number of uses for each of the RPTs.
  • client_id: string indicating a client_id for an already registered and configured client. This parameter is optional. When not supplied, the PEP will generate a new client for itself and store it in this key inside the JSON.
  • client_secret: string indicating the client secret for the client_id. This parameter is optional. When not supplied, the PEP will generate a new client for itself and store it in this key inside the JSON.
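A pre-deployment check of config/config.json against the parameter descriptions above. This is an added example, not code from the PEP repository: the function name audit_config, the sample values and the rule that client_id and client_secret should be supplied together are assumptions made here.

```python
import json
from urllib.parse import urlparse

# Constructed sample config using the keys documented above; all values are placeholders.
SAMPLE_CONFIG = json.loads("""
{"realm": "eoepca", "auth_server_url": "http://auth.example.test",
 "proxy_endpoint": "pep", "service_host": "0.0.0.0", "service_port": 5566,
 "s_margin_rpt_valid": 5, "check_ssl_certs": false, "use_threads": true,
 "debug_mode": true, "resource_server_endpoint": "https://rs.example.test:8443",
 "rpt_limit_uses": 1, "client_id": "placeholder-client-id"}
""")

def audit_config(cfg):
    """Return a list of (key, problem) findings for a production deployment."""
    findings = []
    # Toggles must be real JSON booleans: the string "false" is truthy in Python.
    for key, wanted in (("check_ssl_certs", True), ("debug_mode", False)):
        value = cfg.get(key)
        if not isinstance(value, bool):
            findings.append((key, "must be a JSON boolean"))
        elif value is not wanted:
            findings.append((key, f"should be {str(wanted).lower()} in production"))
    # Both upstream URLs are documented as complete https URLs.
    for key in ("auth_server_url", "resource_server_endpoint"):
        url = urlparse(str(cfg.get(key, "")))
        if url.scheme != "https" or not url.netloc:
            findings.append((key, "must be a complete https URL"))
    if not str(cfg.get("proxy_endpoint", "")).startswith("/"):
        findings.append(("proxy_endpoint", 'must be "/path"-formatted'))
    for key, low in (("service_port", 1), ("s_margin_rpt_valid", 0), ("rpt_limit_uses", 0)):
        value = cfg.get(key)
        if isinstance(value, bool) or not isinstance(value, int) or value < low:
            findings.append((key, f"must be an integer >= {low}"))
    # Assumption: a half-supplied client credential pair is treated as a mistake.
    if ("client_id" in cfg) != ("client_secret" in cfg):
        findings.append(("client_id/client_secret", "supply both or neither"))
    return findings

if __name__ == "__main__":
    for key, problem in audit_config(SAMPLE_CONFIG):
        print(f"{key}: {problem}")
```

Because the PEP writes a generated client_id and client_secret back into this file, the file should be handled as a secret once the PEP has run.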

Usage & functionality

For simplicity, Docker is the best approach to run the PEP. Using Docker-Compose it is possible to both build and run the PEP and its default persistence method (MongoDB) pointing towards the configured endpoints:

docker-compose up

When launched, the PEP answers all requests whose path starts with the configured path. If no RPT is provided, or an invalid one is used, the answer comes in the form of a UMA ticket. If the request is accompanied by an "Authorization: Bearer <valid_RPT>" header, the PEP makes a request to the resource server for the resource located exactly at the requested path (minus the path set in the configuration) and returns the resource server's answer.

Deployment using Helm Charts

Pre-requisites

Installed Helm v2 (Official installation guide)

Installed Minikube (Can be achieved by following the instructions in the main EOEPCA Repository)

Configuration

The global values used in the definition of the charts can be modified in the values.yaml of the chart definition.

Installation

To deploy this repository with Helm Charts, navigate to the /charts path within the repo and run the following command, specifying the name of the release:

sudo helm install --name myRelease ./pep-engine/
