Thursday, 16 December 2010

Automated Delivery of an Identity-enabled Drupal in the AWS Cloud (Part 2)

This is the second part of a two-part post that examines how to automatically create an identity-enabled business application in the AWS cloud.

The first part laid out the rationale for the idea that open standards, free and open source software (FOSS) and automated configuration management bring more business agility and better integration results than most one-size-fits-all identity integration solutions when it comes to extending the reach of an organization's authentication and access control policies outside its administrative domain.

This second part shows how to achieve that integration in practice with Drupal, the well-known open source content management system (CMS), and OpenAM, the market-leading open source authentication, authorization, entitlement and federation product, and how the resulting identity integration can be delivered automatically into Amazon EC2 using the Opscode Chef tools and platform.

Let's try to do some work now...

Install and Configure Chef

Your best bet for getting Chef running on your workstation is to follow Opscode's How To Get Started tutorial. You only need to complete Step 1 and Step 2. Creating a Chef client (Step 3) is not necessary at this point, because the knife bootstrap command will do it for us automatically.

After completing Step 2 you should have a Chef repository (chef-repo), which you will use to manage your cookbooks.

Import the required cookbooks
You need to download all the cookbooks in the dependency chain of the simplesamlphp cookbook, which I created for this post. The simplesamlphp cookbook depends directly on the drupal cookbook, which in turn depends on several other cookbooks, including php and apache2. In other words, all the cookbooks required to build a full all-in-one LAMP stack.

You can download all these cookbooks separately from Opscode's Cookbooks Repository or use knife. The best practice when working with the Opscode Platform is to always keep local copies of the cookbooks you use in your chef-repo.

To import a cookbook with knife:
$ cd ~/chef-repo
$ knife cookbook site vendor cookbook-name

This command downloads cookbook-name and creates a 'vendor branch' for it, which lets you make your own custom changes to the cookbook while keeping track of the differences between your version and the upstream. You will not find a simplesamlphp cookbook in Opscode's Cookbooks Repository; that is expected, because I did not publish it there: this cookbook is only a proof of concept for this post. You need to download it individually from GitHub, along with a slightly modified version of the drupal cookbook.

Modify simplesamlphp cookbook
If you intend to run the same setup against your own OpenAM server, you will need to modify the simplesamlphp cookbook in order to add the SAML v2 metadata descriptor of your own identity provider. To do that, edit the file saml20-idp-remote.php under files, and change the values of the idpname and idpid attributes in the drupalsaml role accordingly.
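As an added example, which is not part of the original post or of the simplesamlphp cookbook, here is how the cookbook's saml20-idp-remote.php could be generated from role attributes instead of being edited by hand, so that a missing, non-https or malformed IdP endpoint is rejected at convergence time rather than discovered when the first login redirect fails. The attribute names idpname and idpid come from the post; the sso_url, slo_url and fingerprint attributes, the OpenAM endpoint paths and the example values are assumptions. The metadata keys SingleSignOnService, SingleLogoutService and certFingerprint are the ones simpleSAMLphp uses for a remote IdP.

```ruby
require "uri"

# Constructed sample of the attributes a drupalsaml role could carry.
# idpname/idpid come from the post; the other three keys and all values
# are assumptions made for this example.
EXAMPLE_IDP = {
  "idpname"     => "OpenAM demo IdP",
  "idpid"       => "https://openam.example.com:8443/openam",
  "sso_url"     => "https://openam.example.com:8443/openam/SSORedirect/metaAlias/idp",
  "slo_url"     => "https://openam.example.com:8443/openam/IDPSloRedirect/metaAlias/idp",
  "fingerprint" => "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67",
}

# Accept "aa:bb:..." or "aabb..." and return 40 lowercase hex digits, or nil.
def normalize_fingerprint(fp)
  hex = fp.to_s.delete(": ").downcase
  hex =~ /\A[0-9a-f]{40}\z/ ? hex : nil
end

# Return a list of problems; empty means the attributes are usable.
def validate_idp_attributes(attrs)
  errors = []
  errors << "idpname must not be empty" if attrs["idpname"].to_s.strip.empty?
  entity = (URI.parse(attrs["idpid"].to_s) rescue nil)
  errors << "idpid must be an absolute URI (the IdP entityID)" unless entity && entity.absolute?
  # The browser is redirected to these endpoints; insist on TLS so the
  # AuthnRequest/LogoutRequest cannot be tampered with in transit.
  %w[sso_url slo_url].each do |key|
    u = (URI.parse(attrs[key].to_s) rescue nil)
    errors << "#{key} must be an https:// URL" unless u.is_a?(URI::HTTPS)
  end
  if normalize_fingerprint(attrs["fingerprint"]).nil?
    errors << "fingerprint must be the 40-hex-digit SHA-1 of the IdP signing certificate"
  end
  errors
end

# Quote a value as a single-quoted PHP string literal.
def php_quote(s)
  "'" + s.to_s.gsub(/['\\]/) { |c| "\\" + c } + "'"
end

# Render the saml20-idp-remote.php entry, refusing invalid attributes.
def render_idp_remote(attrs)
  errors = validate_idp_attributes(attrs)
  raise ArgumentError, errors.join("; ") unless errors.empty?
  fp = normalize_fingerprint(attrs["fingerprint"])
  <<~PHP
    <?php
    /* saml20-idp-remote.php: generated from the drupalsaml role attributes */
    $metadata[#{php_quote(attrs["idpid"])}] = array(
      'name'                => #{php_quote(attrs["idpname"])},
      'SingleSignOnService' => #{php_quote(attrs["sso_url"])},
      'SingleLogoutService' => #{php_quote(attrs["slo_url"])},
      'certFingerprint'     => #{php_quote(fp)},
    );
  PHP
end

puts render_idp_remote(EXAMPLE_IDP) if __FILE__ == $0
```

In the cookbook this logic would sit behind a template resource fed from node['simplesamlphp'] attributes rather than the static file under files; the fingerprint is what lets simpleSAMLphp verify the signature on the assertions OpenAM sends back, so a typo there fails closed (no login) while a wrong but well-formed value for sso_url fails open to whatever host it names.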


Upload all the cookbooks and roles
Whether or not you have modified the cookbooks, you need to upload them to your organization on the Opscode Platform:

$ cd ~/chef-repo
$ knife cookbook upload --all
$ knife role from file roles/drupalsaml

Bootstrap the Drupal Server Instance in EC2

Chef's knife bootstrap command lets you turn a vanilla Linux instance in EC2 into a fully functional Drupal server. In this demo I use an EBS-backed Ubuntu 10.04 LTS (Lucid Lynx) Server 32-bit image with AMI id 'ami-f4340180'.
Don't forget to download the AWS key pair for the region you want to use to somewhere in your home directory (e.g. ~/.ssh/eu-west-1-keypair.pem) and to restrict its permissions (chmod 600), otherwise ssh will refuse to use it.

Launch a new EC2 instance from the AWS Management Console. Once the instance is running, copy its Public DNS name from the dashboard and paste it into the knife bootstrap command as shown below. Note the parameter -r 'role[drupalsaml]', which tells Chef to configure the instance according to the recipes and attributes defined in the drupalsaml role. The bootstrap logs in over SSH as the default ubuntu user with the key pair and escalates with sudo (-x ubuntu --sudo), so the instance's security group must allow port 22 from your workstation. The bootstrap output is streamed back to your terminal: it starts with the installation of Chef itself, followed by the automated installation and configuration of all the required components (Apache2, PHP, OpenSSL, MySQL, Drupal, simpleSAMLphp, memcached and sendmail).

# knife bootstrap ec2-46-51-163-241.eu-west-1.compute.amazonaws.com \
> -r 'role[drupalsaml]' -i ../.ssh/eu-west-keypair.pem -x ubuntu --sudo
INFO: Bootstrapping Chef on ec2-46-51-163-241.eu-west-1.compute.amazonaws.com
Get: 1 http://security.ubuntu.com lucid-security Release.gpg [198B]
Ign http://security.ubuntu.com/ubuntu/ lucid-security/main Translation-en_GB
Ign http://security.ubuntu.com/ubuntu/ lucid-security/universe Translation-en_GB
Get: 2 http://security.ubuntu.com lucid-security Release [38.5kB]
Hit http://eu-west-1.ec2.archive.ubuntu.com lucid Release.gpg

[.....]

ec2-46-51-163-241.eu-west-1.compute.amazonaws.com Successfully installed mixlib-authentication-1.1.4
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com Successfully installed mime-types-1.16
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com Successfully installed rest-client-1.6.1
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com Successfully installed bunny-0.6.0
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com Successfully installed abstract-1.0.0
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com Successfully installed erubis-2.6.6
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com Successfully installed moneta-0.6.0
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com Successfully installed highline-1.6.1
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com Successfully installed uuidtools-2.1.1
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com Successfully installed chef-0.9.12
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com 17 gems installed
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com [Wed, 15 Dec 2010 12:55:20 +0000] INFO: Client key /etc/chef/client.pem is not present - registering
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com [Wed, 15 Dec 2010 12:55:24 +0000] WARN: HTTP Request Returned 404 Not Found: Cannot load node ip-10-234-178-251.eu-west-1.compute.internal
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com [Wed, 15 Dec 2010 12:55:27 +0000] INFO: Setting the run_list to ["role[drupalsaml]"] from JSON
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com [Wed, 15 Dec 2010 12:55:29 +0000] INFO: Starting Chef Run (Version 0.9.12)

[.....]

ec2-46-51-163-241.eu-west-1.compute.amazonaws.com [Wed, 15 Dec 2010 13:00:31 +0000] INFO: Navigate to 'http://ec2-46-51-163-241.eu-west-1.compute.amazonaws.com/install.php' to complete the drupal installation
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com [Wed, 15 Dec 2010 13:00:43 +0000] INFO: Chef Run complete in 314.902713 seconds
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com [Wed, 15 Dec 2010 13:00:43 +0000] INFO: cleaning the checksum cache
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com [Wed, 15 Dec 2010 13:00:43 +0000] INFO: Running report handlers
ec2-46-51-163-241.eu-west-1.compute.amazonaws.com [Wed, 15 Dec 2010 13:00:43 +0000] INFO: Report handlers complete

At the end of the run, which in my case took about five minutes, you get a fully operational identity-enabled Drupal server instance federated with OpenAM. Note, however, the message at the end of the configuration sequence:

Navigate to 'http://ec2-46-51-163-241.eu-west-1.compute.amazonaws.com/install.php' to complete the drupal installation.

This is because Drupal 6.x requires some manual configuration at the end of the installation. According to a conversation I had with Marius Ducea, who authored the cookbook for Drupal, that limitation should go away with Drupal 7. Until you complete it, install.php is reachable by anyone who can reach the instance's public DNS name, and whoever completes it first chooses the site's administrator account, so do this step right after the run finishes or keep the instance's security group closed to the public in the meantime.

It is assumed that there is an OpenAM 9.5 server running somewhere, in your data center or in the cloud, and that it is reachable from the newly created Drupal instance. In this demo I created an OpenAM server in EC2 attached to an Elastic IP (a static IP address). Chef is also used on the OpenAM server to automatically import the metadata descriptors of the SAML2 service providers started in the same Opscode-managed organization. A single recipe for OpenAM is executed on a regular basis by chef-client running as a daemon; its only task is to search for every node that carries the drupalsaml role, read the location of the service provider metadata from the node's simplesamlphp.metadata attribute, and finally run ssoadm import-entity locally. The openam recipe is fairly straightforward. Two caveats a practitioner will want to keep in mind: the recipe trusts the Chef server's search results, so anyone who can register a node with the drupalsaml role in the organization can get a service provider of their choice imported into the IdP, and it accepts plain http:// metadata URLs, so a download that is not protected by TLS could be tampered with in transit.

# Collect every node in the organization that carries the drupalsaml role.
sps = []
search(:node, "role:drupalsaml") do |n|
  sps << n
end

# One marker file per SP hostname records that its descriptor was imported,
# which is what keeps the import idempotent across chef-client runs.
directory "/var/log/entities" do
  owner "root"
  mode "0755"
  recursive true
end

sps.each do |n|
  url = n['simplesamlphp'] && n['simplesamlphp']['metadata']
  hostname = n['hostname']
  marker = "/var/log/entities/#{hostname}"
  tmpfile = "/tmp/openam-idp-#{hostname}"

  # Note: /^http/ also accepts plain http:// URLs, so the descriptor may be
  # fetched without transport integrity; verify it before trusting it.
  if !url.nil? && url.match(/^http/)
    # Fetch the SP EntityDescriptor once per host; -O pins the file name so
    # wget cannot create openam-idp.1, openam-idp.2, ... on later runs.
    bash "download-entity-descriptor-#{hostname}" do
      user "root"
      cwd "/tmp"
      code <<-EOH
      wget -O #{tmpfile} #{url}
      EOH
      only_if "/usr/bin/test ! -f #{marker}"
    end

    # Moving the descriptor onto the marker path records the SP as imported.
    execute "move_entity_descriptor-#{hostname}" do
      user "root"
      command "mv #{tmpfile} #{marker}"
      action :nothing
    end

    # Import the descriptor into OpenAM; only runs when a fresh download is
    # waiting, and on success moves it onto the marker path right away.
    execute "ssoadm_import_entity-#{hostname}" do
      user "root"
      command "/opt/openam/bin/ssoadm import-entity -u amadmin -f /opt/openam/password -m #{tmpfile} -t local"
      only_if "/usr/bin/test -f #{tmpfile}"
      notifies :run, resources("execute[move_entity_descriptor-#{hostname}]"), :immediately
    end
  end
end

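The recipe imports whatever wget fetched. As an added example, which is not part of the original post or of the openam recipe, the following Ruby (standard library only, so it could run from a ruby_block in the recipe before the ssoadm execute) parses the service provider's EntityDescriptor and refuses it unless it is a single SAML 2.0 EntityDescriptor whose entityID and AssertionConsumerService locations are https URLs on the host the node is expected to have. The sample descriptor is constructed to resemble what simpleSAMLphp publishes for its default-sp; the hostnames, and the choice of comparing against the node's public FQDN (rather than the EC2-internal hostname the recipe uses), are assumptions.

```ruby
require "rexml/document"
require "uri"

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: a minimal SP descriptor in the shape simpleSAMLphp
# publishes for default-sp. Hostnames are assumptions for this example.
SAMPLE_SP_METADATA = <<~XML
  <?xml version="1.0"?>
  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
      entityID="https://drupal1.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://drupal1.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
          index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
XML

# Extract the entityID and every AssertionConsumerService Location.
# Raises if the document is not exactly one SAML 2.0 EntityDescriptor
# (an EntitiesDescriptor bundle, or unrelated XML, is rejected here).
def sp_endpoints(xml)
  doc = REXML::Document.new(xml)
  root = doc.root
  unless root && root.name == "EntityDescriptor" && root.namespace == SAML_MD_NS
    raise "not a single SAML 2.0 EntityDescriptor"
  end
  acs = REXML::XPath.match(doc, "//md:SPSSODescriptor/md:AssertionConsumerService",
                           "md" => SAML_MD_NS).map { |e| e.attributes["Location"] }
  { entity_id: root.attributes["entityID"], acs: acs }
end

# True only if every endpoint the IdP would post assertions to is an https
# URL on expected_host. A descriptor that passes this check cannot redirect
# the IdP's signed assertions to a third-party host.
def descriptor_trusted?(xml, expected_host)
  info = sp_endpoints(xml)
  return false if info[:acs].empty?
  [info[:entity_id], *info[:acs]].all? do |u|
    uri = (URI.parse(u.to_s) rescue nil)
    uri.is_a?(URI::HTTPS) && uri.host == expected_host
  end
rescue REXML::ParseException, RuntimeError
  false
end

if __FILE__ == $0
  puts sp_endpoints(SAMPLE_SP_METADATA).inspect
  puts descriptor_trusted?(SAMPLE_SP_METADATA, "drupal1.example.com")
end
```

In the recipe, the expected host would come from the same node object the search returned (its fqdn rather than the bare hostname), so that a node which can set its own attributes still cannot point the IdP at an ACS URL on a different host. Fetching the descriptor over https, or over an SSH tunnel to the node, closes the in-transit tampering gap that this check alone does not.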
Now click on the screencast below to see how the identity federation between Drupal and OpenAM works in practice.

[screencast: embedded video in the original post]
