Added Repose Docker File

This provides middleware for Authentication and Role Based Access Controls using Openstack Keystone Change-Id: Ic17b671f8404663d7bbca8c74bdac2964a37c581
2014-10-14 12:26:51 -04:00 · 2014-10-14 12:26:51 -04:00 · 82812120b8
commit 82812120b8
parent 907acf8f9f
19 changed files with 285 additions and 42 deletions
--- a/docker/api/Dockerfile
+++ b/docker/api/Dockerfile
@ -3,12 +3,6 @@
 ##
 ##

-# The following files should exist in this folder before running Dockerfile
-# - docker_rsa (private key) -> public key should be published to the private git repo
-# - poppy.conf (desired configuration for poppy api)
-# - logging.conf (desired logging configuration file)
-
-
 FROM ubuntu:14.04
 MAINTAINER Amit Gandhi <amit.gandhi@rackspace.com>

@ -29,21 +23,8 @@ RUN python get-pip.py
 # uwsgi 
 RUN pip install uwsgi 

-# Make ssh dir
-RUN mkdir /root/.ssh/
-
-# Copy over private key, and set permissions
-ADD docker_rsa /root/.ssh/id_rsa
-
-RUN chmod 700 /root/.ssh/id_rsa
-RUN echo "Host github.com\n\tStrictHostKeyChecking no\n" >> /root/.ssh/config
-RUN echo "IdentityFile ~/.ssh/id_rsa" >> /etc/ssh/ssh_config
-
-# Create known_hosts
-RUN touch /root/.ssh/known_hosts
-
 # Pull project
-RUN git clone git@github.com:rackerlabs/cdn /home/poppy
+RUN git clone https://github.com/stackforge/poppy.git /home/poppy

 # Install Requirements
 RUN sudo pip install -r /home/poppy/requirements/requirements.txt
@ -66,5 +47,5 @@ RUN chmod -R +w /var/run/poppy
 #RUN /usr/local/bin/uwsgi --ini /root/uwsgi.ini

 # Start Poppy
-EXPOSE 80
+EXPOSE 8081
 CMD ["/usr/local/bin/uwsgi", "--ini", "/root/uwsgi.ini"]
--- a/docker/api/README.md
+++ b/docker/api/README.md
@ -0,0 +1,38 @@
+Before Starting
+---------------
+
+The following files should exist in this folder before running Dockerfile
+* docker_rsa (private key) -> public key should be published to the private git repo
+* poppy.conf (desired configuration for poppy api)
+* logging.conf (desired logging configuration file)
+
+
+
+Building the Poppy Server Docker Image
+--------------------------------------
+
+From the docker/api folder::
+
+    $ docker build -t poppy-server .
+
+
+Running the Poppy Docker Container
+--------------------------------------
+
+Name the container 'poppy-server'::
+
+    $ docker run -d -p 81:8081 --name poppy-server poppy-server
+
+
+Testing
+--------
+
+Access the running poppy api instance home document::
+
+    $ curl <docker_ip>/v1.0/
+
+
+Next Steps
+----------
+
+If running locally with Cassandra, ensure the Cassandra Docker Container is running and linked.
--- a/docker/api/logging.conf
+++ b/docker/api/logging.conf
@ -18,7 +18,7 @@ qualname=poppy-server

 [logger_combined]
 level=DEBUG
-handlers=devel
+handlers=devel,file
 qualname=poppy-combined

 [handler_production]
--- a/docker/api/poppy.conf
+++ b/docker/api/poppy.conf
@ -4,7 +4,7 @@

 [DEFAULT]
 # Show more verbose log output (sets INFO log level output)
-;verbose = False
+verbose = True

 # Show debugging output in logs (sets DEBUG log level output)
 ;debug = False
@ -27,27 +27,27 @@ log_file = poppy.log

 [drivers]
 # Transport driver module (e.g., falcon, pecan)
-transport = falcon
+transport = pecan
+
+# Manager driver module (e.g. default)
+manager = default

 # Storage driver module (e.g., mongodb, sqlite, cassandra)
-# change to cassandra if you want to use cassandra storage
-storage = mockdb
+storage = cassandra

+# Provider modules list (a list of comma separated provider module list)
+providers = fastly

-[drivers:transport:falcon]
+# DNS driver module (e.g., default, designate, rackspace)
+dns = rackspace
+
+[drivers:transport:pecan]
 bind = 0.0.0.0
-port = 8888
-
-[drivers:storage:mongodb]
-uri = mongodb://localhost
-database = poppy
+port = 8081

 [drivers:storage:cassandra]
-cluster = "<your-cassandra-server-link-name>"
+cluster = "192.168.59.103"
 keyspace = poppy

-[drivers:storage:mockdb]
-database = poppy
-
 [drivers:provider:fastly]
-apikey = "<MYAPIKEY>"
+apikey = "MYAPIKEY"
--- a/docker/api/uwsgi.ini
+++ b/docker/api/uwsgi.ini
@ -2,7 +2,7 @@
 master = true
 chdir = /home/poppy/
 workers = 4
-http-socket = 0.0.0.0:80
+http-socket = 0.0.0.0:8081
 logger = file:/var/log/poppy/poppy.log
 pidfile = /var/run/poppy/poppy.pid
 die-on-term = true
@ -11,4 +11,4 @@ buffer-size = 32768
 max-requests = 15000
 no-orphans = true
 vacuum = true
-module = poppy.transport.falcon.app:app
+module = poppy.transport.app:app
--- a/docker/cassandra/README.md
+++ b/docker/cassandra/README.md
--- a/docker/repose/Dockerfile
+++ b/docker/repose/Dockerfile
@ -0,0 +1,22 @@
+# Dockerfile for Repose (www.openrepose.org)
+
+FROM ubuntu
+
+MAINTAINER Felix Sargent (felix.sargent@rackspace.com)
+
+RUN apt-get update
+RUN apt-get install -y wget
+RUN wget -O - http://repo.openrepose.org/debian/pubkey.gpg | apt-key add - && echo "deb http://repo.openrepose.org/debian stable main" > /etc/apt/sources.list.d/openrepose.list
+RUN apt-get update && apt-get install -y repose-valve repose-filter-bundle repose-extensions-filter-bundle
+
+# Remove default Repose configuration files
+RUN rm /etc/repose/*.cfg.xml
+
+# Copy our configuration files in.
+COPY ./repose_configs /etc/repose
+
+# Expose Port 8080 -- Change this to use other ports for Repose
+EXPOSE 8080
+
+# Start Repose
+CMD java -jar /usr/share/lib/repose/repose-valve.jar
--- a/docker/repose/README.md
+++ b/docker/repose/README.md
@ -0,0 +1,43 @@
+Based on the Repose Wiki Instructions: https://repose.atlassian.net/wiki/display/REPOSE/Docker
+
+
+Building the Repose Docker Image
+--------------------------------------
+
+From the docker/repose folder:
+
+    $ docker build -t repose_img_1 .
+
+
+Running the Repose Docker Container
+--------------------------------------
+
+Name the container 'repose'
+
+    $ docker run -d -p 80:8080 --name repose repose_img_1
+
+
+Other Notes
+-----------
+
+The docker container will use the configuration files stored in the "repose_configs" folder.  Please modify these files for your needs.
+
+* client-auth-n.cfg.xml - update admin credentials to keystone
+
+
+Currently the following configurations are defined (system-model.cfg)::
+
+
+Filters
+=======
+
+* content-normalization: Blacklists certain headers
+* client-auth: Client Authentication (Keystone via the client-auth-n.cfg.xml file)
+* api-validator: Role Based Access Control (via the capabilities.wadl.xml file)
+* rate-limiting: Control rate of requests to the API (via the rate-limiting.cfg.xml file)
+
+
+Destinations
+============
+
+* Endpoints are passed to the specified host.  A valid destination can either be an endpoint or a target cluster. All nodes within the target cluster of a destination are considered eligible for routing and REPOSE, by default, forwards to each node in round-robin order, starting at the top of the node sequence.
--- a/docker/repose/repose_configs/capabilities.wadl.xml
+++ b/docker/repose/repose_configs/capabilities.wadl.xml
@ -0,0 +1,44 @@
+<application xmlns="http://wadl.dev.java.net/2009/02" xmlns:rax="http://docs.rackspace.com/api">
+  <!-- Observer          rax:roles="cdn:observer observer cdn:admin admin identity:user-admin" -->
+  <!-- Creator & Higher  rax:roles="cdn:creator cdn:admin admin identity:user-admin" -->
+  <!-- Administrator     rax:roles="cdn:admin admin identity:user-admin" -->
+  <!-- Operator          rax:roles="cdn:operator" -->
+  <resources>
+    <resource path="/v1.0">
+      <method name="GET" rax:roles="cdn:observer observer cdn:admin admin identity:user-admin" />
+      <resource path="/services">
+        <method name="GET" rax:roles="cdn:observer observer cdn:admin admin identity:user-admin" />
+        <method name="POST" rax:roles="cdn:creator cdn:admin admin identity:user-admin"/>
+        <resource path="/{service_name}">
+          <param name="service_name" style="template" type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" />
+          <method name="GET" rax:roles="cdn:observer observer cdn:admin admin identity:user-admin" />
+          <method name="DELETE" rax:roles="cdn:creator cdn:admin admin identity:user-admin"/>
+          <method name="PATCH" rax:roles="cdn:creator cdn:admin admin identity:user-admin"/>
+          <resource path="/assets">
+            <method name="GET" rax:roles="cdn:observer observer cdn:admin admin identity:user-admin" />
+            <method name="DELETE" rax:roles="cdn:creator cdn:admin admin identity:user-admin"/>
+          </resource>
+        </resource>
+      </resource>
+      <resource path="/flavors">
+        <method name="GET" rax:roles="cdn:operator cdn:observer observer cdn:creator cdn:admin admin identity:user-admin" />
+        <method name="POST" rax:roles="cdn:operator"/>
+        <resource path="/{flavor_id}">
+          <param name="flavor_id" style="template" type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" />
+          <method name="GET" rax:roles="cdn:observer observer cdn:admin admin identity:user-admin" />
+          <method name="DELETE" rax:roles="cdn:operator"/>
+        </resource>
+      </resource>
+      <resource path="/ping">
+        <method name="GET" rax:roles="cdn:observer observer cdn:admin admin identity:user-admin" />
+      </resource>
+      <resource path="/health">
+        <method name="GET" rax:roles="cdn:operator" />
+        <resource path="/{node}">
+          <param name="node" style="template" type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" />
+          <method name="GET" rax:roles="cdn:operator" />
+        </resource>
+      </resource>
+    </resource>
+  </resources>
+</application>
--- a/docker/repose/repose_configs/client-auth-n.cfg.xml
+++ b/docker/repose/repose_configs/client-auth-n.cfg.xml
@ -0,0 +1,5 @@
+<client-auth xmlns="http://docs.rackspacecloud.com/repose/client-auth/v1.0">
+  <openstack-auth delegable="false" tenanted="false" request-groups="false" token-cache-timeout="600000" user-cache-timeout="600000" xmlns="http://docs.openrepose.org/repose/client-auth/os-ids-auth/v1.0">
+    <identity-service username="" password="" uri="" />
+  </openstack-auth>
+</client-auth>
--- a/docker/repose/repose_configs/container.cfg.xml
+++ b/docker/repose/repose_configs/container.cfg.xml
@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<repose-container xmlns='http://docs.rackspacecloud.com/repose/container/v2.0'>
+    <deployment-config http-port="8774" https-port="8775" connection-timeout="30000" read-timeout="30000">
+        <deployment-directory auto-clean="false">/var/repose</deployment-directory>
+        <artifact-directory check-interval="60000">/usr/share/repose/filters</artifact-directory>
+        <logging-configuration href="log4j.properties"/>
+    </deployment-config>
+</repose-container>
--- a/docker/repose/repose_configs/content-normalization.cfg.xml
+++ b/docker/repose/repose_configs/content-normalization.cfg.xml
@ -0,0 +1,21 @@
+<content-normalization xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://docs.api.rackspacecloud.com/repose/content-normalization/v1.0">
+  <header-filters>
+    <blacklist id="ReposeHeaders">
+      <header id="X-Authorization" />
+      <header id="X-Catalog" />
+      <header id="X-Default-Region" />
+      <header id="X-Identity-Status" />
+      <header id="X-Impersonator-Id" />
+      <header id="X-Impersonator-Name" />
+      <header id="X-PP-Groups" />
+      <header id="X-PP-User" />
+      <header id="X-Roles" />
+      <header id="X-Tenant-Id" />
+      <header id="X-Tenant-Name" />
+      <header id="X-Token-Expires" />
+      <header id="X-User-Id" />
+      <header id="X-User-Name" />
+    </blacklist>
+  </header-filters>
+  <media-types />
+</content-normalization>
--- a/docker/repose/repose_configs/http-connection-pool.cfg.xml
+++ b/docker/repose/repose_configs/http-connection-pool.cfg.xml
@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<http-connection-pools xmlns="http://docs.rackspacecloud.com/repose/http-connection-pool/v1.0">
+
+  <!-- Configuration for the default pool.  Any users of the service will by default, retrieve HTTP connections
+        using this default pool configuration.
+    -->
+  <pool id="default"
+        default="true"
+        http.socket.timeout="210000"/>
+
+</http-connection-pools>
--- a/docker/repose/repose_configs/log4j.properties
+++ b/docker/repose/repose_configs/log4j.properties
@ -0,0 +1,18 @@
+# Set root logger level
+log4j.rootLogger=DEBUG, consoleOut, defaultFile
+
+# Console
+log4j.appender.consoleOut=org.apache.log4j.ConsoleAppender
+log4j.appender.consoleOut.layout=org.apache.log4j.PatternLayout
+log4j.appender.consoleOut.layout.ConversionPattern=%d %-4r [%t] %-5p %c %x - %m%n
+
+# File
+log4j.appender.defaultFile=org.apache.log4j.RollingFileAppender
+log4j.appender.defaultFile.File=/var/log/repose/repose_log.txt
+log4j.appender.defaultFile.MaxFileSize=2MB
+log4j.appender.defaultFile.MaxBackupIndex=2
+log4j.appender.defaultFile.layout = org.apache.log4j.PatternLayout
+log4j.appender.defaultFile.layout.ConversionPattern=%d %-4r [%t] %-5p %c %x - %m%n
+
+#Jetty Logging Turned Off
+log4j.logger.org.eclipse.jetty=OFF
--- a/docker/repose/repose_configs/rate-limiting.cfg.xml
+++ b/docker/repose/repose_configs/rate-limiting.cfg.xml
@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- http://wiki.openrepose.org/display/REPOSE/Rate+Limiting+Filter -->
+<rate-limiting xmlns="http://docs.rackspacecloud.com/repose/rate-limiting/v1.0">
+    <!--
+        Defines an endpoint with a matching regex to bind GET requests for
+        returning live rate limiting information.
+    -->
+    <request-endpoint uri-regex="/limits" include-absolute-limits="false"/>
+
+    <global-limit-group>
+        <limit id="global" uri="*" uri-regex=".*" value="1000" unit="MINUTE"/>
+    </global-limit-group>
+
+    <!-- Limits for all other requests -->
+    <limit-group id="limited" groups="limited" default="true">
+        <limit id="all" uri="*" uri-regex="/.*" http-methods="POST PUT GET DELETE" unit="MINUTE" value="100" />
+    </limit-group>
+
+    <!-- Limits for WhiteListed IPs -->
+    <limit-group id="unlimited" groups="unlimited" default="false">
+
+    </limit-group>
+
+</rate-limiting>
--- a/docker/repose/repose_configs/system-model.cfg.xml
+++ b/docker/repose/repose_configs/system-model.cfg.xml
@ -0,0 +1,16 @@
+<system-model xmlns="http://docs.rackspacecloud.com/repose/system-model/v2.0">
+  <repose-cluster id="repose" rewrite-host-header="false">
+    <nodes>
+      <node id="docker" hostname="localhost" http-port="8080" />
+    </nodes>
+    <filters>
+      <filter name="content-normalization" />
+      <filter name="client-auth" />
+      <filter name="uri-stripper" />
+      <filter name="api-validator" />
+    </filters>
+    <destinations>
+      <endpoint id="endpoint" protocol="http" hostname="192.168.59.103" root-path="" port="81" default="true" />
+    </destinations>
+  </repose-cluster>
+</system-model>
--- a/docker/repose/repose_configs/uri-stripper.cfg.xml
+++ b/docker/repose/repose_configs/uri-stripper.cfg.xml
@ -0,0 +1 @@
+<uri-stripper xmlns="http://docs.api.rackspacecloud.com/repose/uri-stripper/v1.0" rewrite-location="true" token-index="1"/>
--- a/docker/repose/repose_configs/validator.cfg.xml
+++ b/docker/repose/repose_configs/validator.cfg.xml
@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<validators multi-role-match="false" xmlns="http://openrepose.org/repose/validator/v1.0">
+  <validator default="true" enable-rax-roles="true" role="default" wadl="capabilities.wadl.xml" />
+</validators>
--- a/etc/poppy.conf
+++ b/etc/poppy.conf
@ -38,13 +38,17 @@ manager = default
 storage = mockdb

 # Provider modules list (a list of comma separated provider module list)
-providers = mock,cloudfront,fastly
+providers = mock,fastly
+
+# DNS driver module (e.g. default, designate, rackspace)
+dns = default

 [drivers:transport:limits]
 max_services_per_page = 20

-# DNS driver module (e.g. default, designate, rackspace)
-dns = default
+[drivers:transport:pecan]
+bind = 0.0.0.0
+port = 8888

 [drivers:storage:cassandra]
 # Comma-separated list of hosts (Example: cass01,cass02,cass03)
				`@ -0,0 +1 @@`
				`<uri-stripper xmlns="http://docs.api.rackspacecloud.com/repose/uri-stripper/v1.0" rewrite-location="true" token-index="1"/>`