Skip to content

Latest commit

 

History

History
60 lines (43 loc) · 2.91 KB

README.md

File metadata and controls

60 lines (43 loc) · 2.91 KB

B2ACCESS Monitoring probe for ARGO

Setting up environment

  • The probe has been tested with Python version 2.7.x
  • You may need to install (using pip) the following Python modules as they do not come with original distribution:
    • requests
    • oauthlib
    • validators
  • As for the X.509 certificate based probing
    • the public and private keys should be in PEM format
    • should the private key encrypted with a passphrase, the value of -t flag should be sufficient enough to type in the secret (otherwise the prompt will disappear and the probe will fail), it is however recommended to not use the passphrase
  • The probe is not compatible with Unity version earlier than 2.x.x, please use v0.3 for earlier version

Overview

The B2ACCESS probe for ARGO does the following:

  • Fetch access token using the OAuth 2.0 client credentials flow
  • Validate the access token
  • Fetch user information (via REST API)
    • on the basis of the access token,
    • while authenticating with username and password, and
    • X509 certificate based authentication

Pre-requisites:

  • Probe robot users SHOULD have two accounts registered within B2ACCESS/UNITY: username/password and X509 certificate, former are the OAuth/OIDC client credentials
  • The probe users SHOULD be a part of the group /oauth-clients or the group defined for the property unity.oauth2.as.clientsGroup inside the /UNITY-CONF/endpoints/oauth2-as.properties file, additionally they SHOULD have sys:oauth:allowedGrantFlows = client attribute defined inside the group. The attribute can also be set by filling-up the OAuth client registration form
  • The users SHOULD also be a part of the group defined for the property unity.oauth2.as.usersGroup inside the /UNITY-CONF/endpoints/oauth2-as.properties file
  • Mandatory attributes such as email should be stored in root group of the B2ACCESS/UNITY instance
  • The UNITY administrator SHOULD enable certificate authenticator for the REST Admin endpoint (by default disabled)

Example:

unityServer.core.endpoints.x.endpointType=RESTAdmin
unityServer.core.endpoints.x.endpointConfigurationFile=conf/authenticators/empty.json
unityServer.core.endpoints.x.contextPath=/rest-admin
unityServer.core.endpoints.x.endpointRealm=defaultRealm
unityServer.core.endpoints.x.endpointName=RESTful administration API
unityServer.core.endpoints.x.endpointAuthenticators=pwdRest;certRest

How it works?

Username & password based authentication

python check_b2access.py -u [unity base url] -t [timeout in seconds] -V 1 -U [username] -P [password]

Example

python check_b2access.py -u https://localhost:8443 -t 10 -V 1 -U argo -P testPass

X.509 Certificate based authentication

python check_b2access.py -u [unity base url] -t [timeout in seconds] -V 2 -C [Filesystem path to public key] -K [Filesystem path to private key]

Example

python check_b2access.py -u https://localhost:8443 -t 10 -V 2 -C /Public_Key.pem -K Private_Key.pem