CNaaS Auth POC server installation

The CNaaS-NMS API uses JWT for authenting and authorizing users. If you have an existing JWT server you might be able to use that. This document describes how to set up a minimalistic JWT auth server developed as a proof-of-concept for supporting the CNaaS NMS project.

Set up a new VM and install docker/docker-compose. Create two new persistent docker volumes:

docker volume create cnaas-authserver-jwtcert
docker volume create cnaas-authserver-userdb

Create a new docker-compose.yaml file:

--- 
version: '3.7'
services:
  cnaas_auth:
    image: docker.sunet.se/auth-server-poc:latest
    ports:
      - 443:1443
    volumes:
      - type: volume
        source: cnaas-authserver-jwtcert
        target: /opt/auth-server-poc/cert/
      - type: volume
        source: cnaas-authserver-userdb
        target: /opt/auth-server-poc/userdb/
volumes:
  cnaas-authserver-jwtcert:
    external: true
  cnaas-authserver-userdb:
    external: true

Run "docker-compose up -d" or similar to start the container.

Enter the docker container using "docker exec -it cnaas_auth bash" (find the correct name of the container by running "docker ps")

Inside the docker, run the following to create a new JWT private and public key pair used to sign JWT tokens:

cd /opt/auth-server-poc/cert/
openssl ecparam -genkey -name prime256v1 -noout -out private.pem
openssl ec -in private.pem -pubout -out public.pem
chgrp www-data private.pem
chmod g+r private.pem

Restart the docker container or run: "killall uwsgi" inside the container to start using the newly generated cert.

You then need to create some accounts for the users that should be able to access the CNaaS NMS API. The user accounts are saved in a apache style .htpasswd file. When creating the first user you need to also create the .htpasswd file, this is done by passing the "-c" parameter to the htpasswd command. Run this inside the container to create two users, replace the usernames with your wanted acconut names:

htpasswd -c /opt/auth-server-poc/userdb/.htpasswd firstusername
htpasswd /opt/auth-server-poc/userdb/.htpasswd secondusername

After you have created the users and restarted the container with the newly generated JWT cert you should be able to ask the authentication API for a new JWT token. Run this from the VM/outside of the container:

curl -ks https://localhost/api/v1.0/auth -X POST -u indy -p

This should return a JSON reply with a JWT token.

To make the CNaaS NMS accept this JWT token you need to install the public key of the auth container on the API container for CNaaS NMS.

  • No labels