Thursday, December 16, 2010

Automated Delivery of an Identity-enabled Drupal in the AWS Cloud (Part 2)

This is the second part of a two-part post that examines how to automatically create an identity-enabled business application in the AWS cloud.

The first part discussed the rationale behind the idea that open standards, free and open source software (FOSS), and automated configuration management bring more business agility and better integration results than most one-size-fits-all identity integration solutions when it comes to extending the reach of an organization's authentication and access control policies outside of its administrative domain.

This second part shows how to achieve that kind of integration with Drupal, the well-known open source content management system (CMS), and OpenAM, the market-leading open source authentication, authorization, entitlement and federation product, and how the resulting identity integration can be delivered automatically into Amazon EC2 using the Opscode Chef tools and platform.

Let's try to do some work now...

Install and Configure Chef

Your best bet to get Chef running on your workstation is to follow Opscode's How To Get Started tutorial. You only need to complete Step 1 and Step 2. Creating a Chef client (Step 3) is not necessary at this point, because the knife bootstrap command will do it "automagically" later on.

After completing Step 2 you should have a Chef repository (chef-repo), which you will use to manage your cookbooks.

Import the required cookbooks
You need to download all the cookbooks in the dependency chain of the simplesamlphp cookbook, which I created for this post. The simplesamlphp cookbook depends directly on the drupal cookbook, which in turn depends on several other cookbooks, including the php and apache2 cookbooks. In other words, you need all the cookbooks required to build a full all-in-one LAMP stack.

You can download all these cookbooks separately from Opscode's Cookbooks Repository, or use knife. The best practice when working with the Opscode Platform is to always keep local copies of the cookbooks you are using in your chef-repo.

To import a cookbook with knife:
$ cd ~/chef-repo
$ knife cookbook site vendor cookbook-name

This command downloads cookbook-name and creates a 'vendor branch' for you, which lets you make your own custom changes to the cookbook while keeping track of the differences between your copy and the upstream one. You'll find that there is no simplesamlphp cookbook in Opscode's Cookbooks Repository. That's normal: I didn't put it there, since this cookbook is just a proof of concept for the post. You need to download it individually from GitHub, along with a slightly modified version of the drupal cookbook.

Modify simplesamlphp cookbook
If you intend to run the same setup against your own OpenAM server, you'll need to modify the simplesamlphp cookbook in order to add the SAML v2 metadata descriptor of your own identity provider. To do so, edit the file saml20-idp-remote.php under the cookbook's files directory so that it carries your IdP's metadata, and change the values of the idpname and idpid attributes in the drupalsaml role to match.

Upload all the cookbooks and roles
Whether or not you modified the cookbooks, you need to upload them, together with the role, to your organization on the Opscode Platform:

$ cd ~/chef-repo
$ knife cookbook upload --all
$ knife role from file roles/drupalsaml

Bootstrap the Drupal Server Instance in EC2

Chef's knife bootstrap command lets you turn a vanilla Linux distribution into a fully functional Drupal server in EC2. In this demo I use an EBS-backed Ubuntu 10.04 LTS (Lucid Lynx) Server 32-bit distribution with AMI id 'ami-f4340180'.
Don't forget to download the AWS key pair for the AWS region you want to use somewhere in your home directory (e.g. ~/.ssh/eu-west-1-keypair.pem), and make it readable only by you (chmod 600), since ssh refuses to use a private key file that other users can read.

Launch a new EC2 instance from the AWS Management Console, with a security group that allows SSH (port 22) from your workstation. Once the instance is running, copy its Public DNS name from the dashboard and paste it into the knife bootstrap command as shown below. Note the parameter -r 'role[drupalsaml]', which tells Chef to configure the instance according to the recipes and attributes defined in the drupalsaml role. The bootstrap output scrolls by in your terminal, starting with the installation of Chef itself, followed by the automated installation and configuration of all the required components (i.e. Apache2, PHP, OpenSSL, MySQL, Drupal, simpleSAMLphp, memcached, and sendmail).

# knife bootstrap \
> -r 'role[drupalsaml]' -i ../.ssh/eu-west-keypair.pem -x ubuntu --sudo
INFO: Bootstrapping Chef on 
0% [Working]
Get: 1 lucid-security Release.gpg [198B]
Ign lucid-security/main Translation-en_GB
96% [Connecting to (]
Ign lucid-security/universe Translation-en_GB
Get: 2 lucid-security Release [38.5kB]
0% [Connecting to (] [2 Release
Hit lucid Release.gpg

[.....]
Successfully installed mixlib-authentication-1.1.4
Successfully installed mime-types-1.16
Successfully installed rest-client-1.6.1
Successfully installed bunny-0.6.0
Successfully installed abstract-1.0.0
Successfully installed erubis-2.6.6
Successfully installed moneta-0.6.0
Successfully installed highline-1.6.1
Successfully installed uuidtools-2.1.1
Successfully installed chef-0.9.12
17 gems installed
[Wed, 15 Dec 2010 12:55:20 +0000] INFO: Client key /etc/chef/client.pem is not present - registering
[Wed, 15 Dec 2010 12:55:24 +0000] WARN: HTTP Request Returned 404 Not Found: Cannot load node 
[Wed, 15 Dec 2010 12:55:27 +0000] INFO: Setting the run_list to ["role[drupalsaml]"] from JSON
[Wed, 15 Dec 2010 12:55:29 +0000] INFO: Starting Chef Run (Version 0.9.12)

[.....]
[Wed, 15 Dec 2010 13:00:31 +0000] INFO: Navigate to '' to complete the drupal installation
[Wed, 15 Dec 2010 13:00:43 +0000] INFO: Chef Run complete in 314.902713 seconds
[Wed, 15 Dec 2010 13:00:43 +0000] INFO: cleaning the checksum cache
[Wed, 15 Dec 2010 13:00:43 +0000] INFO: Running report handlers
[Wed, 15 Dec 2010 13:00:43 +0000] INFO: Report handlers complete

At the end of the run, which in my case took about 5 minutes, you get a fully operational identity-enabled Drupal server instance federated with OpenAM. Note, however, the message at the end of the configuration sequence:

Navigate to '' to complete the drupal installation.

This is because the Drupal 6.x installer still requires some manual configuration in the browser at the end of the installation. According to a conversation I had with Marius Ducea, who authored the cookbook for Drupal, that limitation should go away with Drupal 7.

It is assumed that an OpenAM 9.5 server is running somewhere in your data center or in the cloud, and that it is reachable from the newly created Drupal instance. In this demo, I created an OpenAM server in EC2 attached to an Elastic IP (a static IP address). Chef is also used on the OpenAM server to automatically import the metadata descriptors of the SAML2 service providers that are started in the same Opscode-managed organization. A single recipe for OpenAM is executed on a regular basis by chef-client running as a daemon. Its only task is to search for every node that carries the drupalsaml role, read the location of that node's service provider metadata from its simplesamlphp.metadata attribute, download the descriptor, and run ssoadm import-entity locally. Note what this design trusts: the recipe imports whatever URL a node publishes, so any node that can obtain the drupalsaml role in the Chef organization can get its SP trusted by the IdP, and the amadmin password must be present in /opt/openam/password for ssoadm to run unattended. The Chef organization and that password file are therefore part of the trust boundary. The openam recipe is fairly straightforward:

# Marker files recording which SPs were already imported live here.
directory "/var/log/entities" do
  owner "root"
  mode "0755"
end

sps = []

# Collect every node in this organization that carries the drupalsaml role.
search(:node, "role:drupalsaml") do |n|
  sps << n
end

sps.each do |n|
  url = n['simplesamlphp']['metadata']
  hostname = n['hostname']

  # Only act on nodes that actually published an HTTP(S) metadata URL.
  if !url.nil? && url.match(/^http/)
    # Resource names carry the hostname so that several SPs do not collide.
    # Declared first, with action :nothing, so the resources below can notify them.
    execute "move_entity_descriptor_#{hostname}" do
      user "root"
      command "mv /tmp/openam-idp /var/log/entities/#{hostname}"
      action :nothing
    end

    # -m is the metadata file, -t the circle of trust; the amadmin password is
    # read from /opt/openam/password. Runs only when a fresh descriptor was downloaded.
    execute "ssoadm_import_entity_#{hostname}" do
      user "root"
      command "/opt/openam/bin/ssoadm import-entity -u amadmin -f /opt/openam/password -m /tmp/openam-idp -t local"
      action :nothing
      notifies :run, resources("execute[move_entity_descriptor_#{hostname}]"), :immediately
    end

    # Fetch the SP entity descriptor once; the marker file under
    # /var/log/entities tells us the SP has already been imported.
    bash "download_entity_descriptor_#{hostname}" do
      user "root"
      cwd "/tmp"
      code <<-EOH
      wget -O /tmp/openam-idp #{url}
      EOH
      only_if "/usr/bin/test ! -f /var/log/entities/#{hostname}"
      notifies :run, resources("execute[ssoadm_import_entity_#{hostname}]"), :immediately
    end
  end
end
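The recipe above hands whatever it downloaded straight to ssoadm. The following is an added example, not code from the original post or from the openam cookbook: a plain-Ruby (stdlib only, REXML) check that an SP entity descriptor is worth importing for a given node before ssoadm sees it. It verifies that the entityID and every AssertionConsumerService are https URLs on the host we intend to trust, that the file carries exactly one SP role and no smuggled IdP role, and that a signing certificate is present. The host name drupal1.example.org, attacker.example.net, the two XML samples and the error strings are all constructed for the example; the certificate body is shortened.

```ruby
require 'rexml/document'
require 'uri'

# Added example, not part of the original post or the openam recipe.
# Pre-import validation of a simpleSAMLphp SP descriptor; all names
# (hosts, samples, messages) are constructed for this illustration.
MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS_NS = 'http://www.w3.org/2000/09/xmldsig#'
NS    = { 'md' => MD_NS, 'ds' => DS_NS }

# true when url is an https URL whose host is exactly `host`
def https_on_host?(url, host)
  u = URI.parse(url.to_s)
  u.is_a?(URI::HTTPS) && u.host == host
rescue URI::InvalidURIError
  false
end

# Returns the reasons the descriptor must NOT be imported; empty means OK.
# expected_host is the host the recipe intends to trust the metadata for.
def sp_metadata_problems(xml, expected_host)
  problems = []
  doc = begin
    REXML::Document.new(xml)
  rescue REXML::ParseException => e
    return ["not well-formed XML: #{e.message.lines.first.to_s.strip}"]
  end
  root = doc.root
  unless root && root.name == 'EntityDescriptor' && root.namespace == MD_NS
    return ['root element is not md:EntityDescriptor']
  end

  # 1. entityID must be https on the node itself; otherwise a node could
  #    register metadata in the name of some other service provider.
  entity_id = root.attributes['entityID'].to_s
  unless https_on_host?(entity_id, expected_host)
    problems << "entityID #{entity_id.inspect} is not https on #{expected_host}"
  end

  # 2. Exactly one SP role and no IdP role: ssoadm would import an
  #    IDPSSODescriptor from the same file just as readily.
  sps = REXML::XPath.match(root, 'md:SPSSODescriptor', NS)
  problems << "expected one md:SPSSODescriptor, found #{sps.size}" unless sps.size == 1
  idps = REXML::XPath.match(root, 'md:IDPSSODescriptor', NS)
  problems << 'descriptor also carries an md:IDPSSODescriptor' unless idps.empty?

  sps.each do |sp|
    # 3. Every AssertionConsumerService must be https on the same host, or
    #    assertions about the user could be delivered to a third party.
    acs = REXML::XPath.match(sp, 'md:AssertionConsumerService', NS)
    problems << 'no md:AssertionConsumerService' if acs.empty?
    acs.each do |a|
      loc = a.attributes['Location'].to_s
      unless https_on_host?(loc, expected_host)
        problems << "AssertionConsumerService #{loc.inspect} is not https on #{expected_host}"
      end
    end
    # 4. Require a certificate so the IdP can verify signed requests/logouts.
    certs = REXML::XPath.match(sp, './/ds:X509Certificate', NS)
    problems << 'no ds:X509Certificate in the SP role' if certs.none? { |c| c.text.to_s.strip.length > 0 }
  end
  problems
end

# Constructed sample of a simpleSAMLphp default-sp descriptor for drupal1.example.org.
GOOD_SP_XML = <<-XML
<md:EntityDescriptor xmlns:md="#{MD_NS}" xmlns:ds="#{DS_NS}"
    entityID="https://drupal1.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBszCCARygAwIBAgI...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://drupal1.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
XML

# Constructed hostile sample: same entityID, plus an extra ACS on a third-party
# host over plain http and a smuggled IdP role.
BAD_SP_XML = GOOD_SP_XML.sub('</md:SPSSODescriptor>',
  '<md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ' \
  'Location="http://attacker.example.net/acs"/></md:SPSSODescriptor>' \
  '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>')

if __FILE__ == $0
  [GOOD_SP_XML, BAD_SP_XML].each { |xml| p sp_metadata_problems(xml, 'drupal1.example.org') }
end
```

In the recipe, this check would sit between the download and the ssoadm_import_entity step, with expected_host taken from the node's fqdn attribute rather than its bare hostname, and a non-empty result would abort the import for that node.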

The screencast below shows how the identity federation between Drupal and OpenAM works in practice.


16 comments:

Libby lydia said…

I highly recommend his/her work, with its useful, informative information.
law dissertation papers

devon broad said…

Payday cash advances, day and Fitting financial loans, in addition to Automobile check cashing conception financial loans. The general public target aiding you select the right assets loan product or service which is able to assist you to satisfy your own economic needs.

Deann J Outlaw said…

USA day cash advances in Il possesses many various assets loan picks, therefore be wise that embrace day cash advances, day and Fitting easy auto title loans chicago financial loans, in addition to Automobile conception financial loans. The public target aiding you select the right assets loan product or service that's in a very position to assist you to satisfy your own economic needs.

steve7876 said…

The learning lab is providing the best Maths and Early Childhood Music Tutor Sydney, and if you are looking for a maths tutor for your child, contact us now!

steve7876 said…

Since the subprime credit business bit is feeble against dangerous practices used by a couple of improvement experts, you should constantly read the change assention purposely, especially the honest disclosures part, to avow you won't be gotten in a guarantee trap. resilience salt cell

steve7876 said…

Permits this massive floor work live appanage skilled family inner learn & an individual reckon to be cunning to cyclone teem something pest control company in Maryland

shahbaz said…

Well, this indeed looks like a really good way by which people can improve a lot on what is going on around them by understanding things up close. It will be something that will be much more effective too. synthetic diamond rings

Shahzad Sajjad said…

Thanks a lot for sharing this write-up! That is a good explanation. goldline salt cell

mathscoursesydney said…

Today I have no idea about that coding because I am new! Recently I have started a development class. Overall I should show your post ROOF EDGE PROTECTION to our teacher.

shahbaz said…
This comment has been deleted by the author.
shahbaz said…

I want to express my admiration of your writing skill and ability to make readers read from the beginning to the end. Envio de motos

shahbaz said…

I love reading through a post that will make men and women think. Also, thanks for allowing me to comment! dallas ecommerce web design

shahbaz said…

I found that site very useful and this survey is very curious; I've never seen a blog that demands a survey for these actions, very curious. fx compared

shahbaz said…

I would love it if you would share this and/or any other projects you have been up to at Tuesday Talent Show at Chef In Training tomorrow! Plus there is going to be a fun giveaway too! Thanks so much and I hope to see you there! google pixel singapore

shahbaz said…

Thank you for taking the time to focus on this kind of thing; I feel firmly about it and also really like learning more about this particular subject matter. If possible, when you gain know-how, would you mind updating your site with more details? It's extremely useful to transfer companies

shahbaz said…

I would love to stop by. But I think it might have to wait until this summer. I did not know that Serlkay had ever expanded its size. I must say that a successful family-owned business in this day and age is a very refreshing sight! As well as this is a very refreshing site! order tote bags