Commit a4c99008 authored by cdanger

Added Dockerfile in dist/src/docker for minimal Docker image of AuthzForce Server
parent 1d2ec036
......@@ -14,7 +14,10 @@ Issues reported on [GitHub](https://github.com/authzforce/server/issues) are ref
- authzforce-ce-core-pap-api: 6.4.0
- authzforce-ce-core-pdp-api: 9.1.0
- Dependency authzforce-ce-core replaced with authzforce-ce-core-pdp-engine with version 8.0.0 (authzforce-ce-core is now a multi-module project made of the core module `pdp-engine` and test utilities module `pdp-testutils` which is used by tests of webapp module)
- Dependency authzforce-ce-core replaced with authzforce-ce-core-pdp-engine with version 8.0.0 (authzforce-ce-core is now a multi-module project made of the core module `pdp-engine` and test utilities module `pdp-testutils` which is used by tests of webapp module)
### Added
- [Dockerfile](dist/src/docker/Dockerfile) for building Docker image of AuthzForce Server with minimal configuration
## 7.0.0
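Review bot: the "Dependency authzforce-ce-core replaced with authzforce-ce-core-pdp-engine ..." bullet appears twice with identical text in this hunk; if this is a removed/re-added pair that differs only in trailing whitespace the change is a no-op and can be dropped, otherwise the duplicate entry should be deleted so the dependency change is listed once. The new `### Added` entry covers the Dockerfile but not the other change in this commit, the move of download/documentation links from the GitLab tags page to GitHub releases in README.md; a `### Changed` line for that would keep the changelog complete.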
......
......@@ -11,7 +11,7 @@ AuthZForce Server provides a multi-tenant RESTful API to Policy Administration P
AuthZForce Server is also the Reference Implementation (GEri) of [FIWARE](https://www.fiware.org) *Authorization PDP* Generic Enabler (GE). More info on the [FIWARE catalogue](http://catalogue.fiware.org/enablers/authorization-pdp-authzforce).
**Go to the [tags](https://gitlab.ow2.org/authzforce/server/tags) page for specific release info: downloads (Linux packages), Docker image, [release notes](CHANGELOG.md), and [documentation](http://readthedocs.org/projects/authzforce-ce-fiware/versions/).**
**Go to the [releases](https://github.com/authzforce/server/releases) page for specific release info: downloads (Linux packages), Docker image, [release notes](CHANGELOG.md), and [documentation](http://readthedocs.org/projects/authzforce-ce-fiware/versions/).**
*If you are interested in using an embedded XACML-compliant PDP in your Java applications, AuthZForce also provides a PDP engine as a Java library in [Authzforce core project](http://github.com/authzforce/core).*
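Review bot: the rewritten bold line now points at `https://github.com/authzforce/server/releases`, but the unchanged context around it still links `http://catalogue.fiware.org/enablers/authorization-pdp-authzforce` and `http://github.com/authzforce/core` over plain http; since this commit is already revising the README's link targets, switching those two to https in the same change would avoid mixed-scheme links in one paragraph.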
......@@ -70,10 +70,10 @@ Every release is distributed as follows:
- Other Linux distributions: `.tar.gz`;
- Docker image.
For download links, please go to the specific [release tag description](https://gitlab.ow2.org/authzforce/server/tags).
For download links, please go to the specific [release page](https://github.com/authzforce/server/releases).
## Documentation
For documentation links, please go to the specific [release tag description](https://gitlab.ow2.org/authzforce/server/tags).
For links to the documentation of a release, please go to the specific [release page](https://github.com/authzforce/server/releases).
## Examples of usage and PEP code with a web service authorization module
For an example of using an AuthzForce Server's RESTful PDP API in a real-life use case, please refer to the JUnit test class [RESTfulPdpBasedAuthzInterceptorTest](webapp/src/test/java/org/ow2/authzforce/web/test/pep/cxf/RESTfulPdpBasedAuthzInterceptorTest.java) and the Apache CXF authorization interceptor [RESTfulPdpBasedAuthzInterceptor](webapp/src/test/java/org/ow2/authzforce/web/test/pep/cxf/RESTfulPdpBasedAuthzInterceptor.java). The test class runs a test similar to @coheigea's [XACML 3.0 Authorization Interceptor test](https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-sts-xacml/src/test/java/org/apache/coheigea/cxf/sts/xacml/authorization/xacml3/XACML3AuthorizationTest.java) but using AuthzForce Server as PDP instead of OpenAZ. In this test, a web service client requests a Apache-CXF-based web service with a SAML token as credentials (previously issued by a Security Token Service upon successful client authentication) that contains the user ID and roles. Each request is intercepted on the web service side by a [RESTfulPdpBasedAuthzInterceptor](webapp/src/test/java/org/ow2/authzforce/web/test/pep/cxf/RESTfulPdpBasedAuthzInterceptor.java) that plays the role of PEP (Policy Enforcement Point in XACML jargon), i.e. it extracts the various authorization attributes (user ID and roles, web service name, operation...) and requests a decision with these attributes from a remote PDP provided by AuthzForce Server, then enforces the PDP's decision, i.e. forwards the request to the web service implementation if the decision is Permit, else rejects it.
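Review bot: the two replaced sentences say the same thing in different words ("For download links, please go to the specific release page" vs. "For links to the documentation of a release, please go to the specific release page"); one phrasing for both would read better. More usefully, the "- Docker image." bullet in the context above still has no link, while the release-process steps added later in this patch reference the Docker Hub repository `https://hub.docker.com/r/authzforce/server/`; linking the bullet there would tell readers where to pull the image from. While here, "requests a Apache-CXF-based web service" in the unchanged context should read "an Apache-CXF-based".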
......@@ -100,8 +100,11 @@ The sources for the manuals are located in [fiware repository](http://github.com
<pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-start
</code></pre>
1. Update the CHANGELOG according to keepachangelog.com.
1. To perform the release (example using a HTTP proxy):
1. Update the `AUTHZFORCE_SERVER_VERSION` ENV variable to the new version in [Dockerfile](dist/src/docker/Dockerfile).
1. Update the [changelog](CHANGELOG.md) with the new version according to keepachangelog.com.
1. Commit and push latest changes
1. Test the Dockerfile by triggering Docker automated build on the current Github release branch in [authzforce-ce-server's Docker repository](https://hub.docker.com/r/authzforce/server/) (*Build Settings*). Check the result in *Build Details*.
1. After Docker build is OK, perform the software release (example using a HTTP proxy):
<pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-finish
</code></pre>
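Review bot: the step order asks to bump `AUTHZFORCE_SERVER_VERSION` in the Dockerfile and to test the Docker automated build on the release branch before `jgitflow:release-finish`, but the Dockerfile added in this same commit fetches `authzforce-ce-server-dist-$AUTHZFORCE_SERVER_VERSION.deb` from `repo1.maven.org`, where the new version only appears once the release has been performed and deployed; a build triggered at that step will therefore not find the package. Either state that the Docker build is to be verified after the release artifacts are on Maven Central, or have the pre-release test build use a locally built `.deb`. Minor: "Commit and push latest changes" is the only list item without a full stop.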
......
# Copyright (C) 2012-2017 Thales Services SAS.
#
# This file is part of AuthZForce CE.
#
# AuthZForce CE is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# AuthZForce CE is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
# Best practices for writing Dockerfiles:
# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
# Tips to do an unattended installation on Debian/Ubuntu:
# http://www.microhowto.info/howto/perform_an_unattended_installation_of_a_debian_package.html
# The alternative is to use FROM ubuntu:* then install tomcat ubuntu package and use upstart/sysctl init script but this is not the way to go:
# https://github.com/docker/docker/issues/6800
FROM tomcat:8-jre8
MAINTAINER AuthzForce Team (contact mailing list: http://scr.im/azteam)
ENV DEBIAN_FRONTEND noninteractive
# Proxy configuration (if you are building from behind a proxy)
# Next release of docker 1.9.0 should allow you to configure these by passing build-time arguments
# More info: https://github.com/docker/docker/issues/14634
#ENV http_proxy 'http://user:password@proxy-host:proxy-port'
#ENV https_proxy 'http://user:password@proxy-host:proxy-port'
#ENV HTTP_PROXY 'http://user:password@proxy-host:proxy-port'
#ENV HTTPS_PROXY 'http://user:password@proxy-host:proxy-port'
ENV JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"
ENV AUTHZFORCE_SERVER_VERSION="7.0.0"
ENV AUTHZFORCE_SERVER_DOWNLOAD_URL="http://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/$AUTHZFORCE_SERVER_VERSION/authzforce-ce-server-dist-$AUTHZFORCE_SERVER_VERSION.deb"
# Download and install Authzforce Server (service starts automatically)
# Where there is a command with a pipe, we need to put in between quotes and make it an argument to bash -c command
RUN apt-get update --assume-yes -qq && \
apt-get install --assume-yes -qq \
locales-all \
locales \
less \
apt-utils \
debconf-utils \
gdebi \
curl && \
rm -rf /var/lib/apt/lists/*
RUN locale-gen en_US en_US.UTF-8
RUN dpkg-reconfigure locales
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
RUN curl --silent --output authzforce-ce-server.deb --location $AUTHZFORCE_SERVER_DOWNLOAD_URL && \
dpkg --extract authzforce-ce-server.deb /root/authzforce/ && \
mv /root/authzforce/etc/tomcat8/Catalina /usr/local/tomcat/conf/ && \
mv /root/authzforce/opt/* /opt/ && \
rm -rf /opt/authzforce-ce-server/data/domains/* && \
rm -rf /root/authzforce && \
rm -f authzforce-ce-server.deb
CMD ["catalina.sh", "run"]
### Exposed ports
# - App server
EXPOSE 8080
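Review bot: the `RUN curl --silent --output authzforce-ce-server.deb --location $AUTHZFORCE_SERVER_DOWNLOAD_URL` step downloads the package over plain `http://repo1.maven.org` without `--fail`, then unpacks whatever came back with `dpkg --extract`; a missing version or a modified response would be installed silently. Use an `https://` URL, add `--fail` so a non-2xx response aborts the build, and verify a checksum of the `.deb` (for example with `sha256sum -c` against a pinned digest) before extracting. Smaller points: `MAINTAINER` is deprecated in favour of `LABEL maintainer=...`; `gdebi`, `less` and `debconf-utils` are installed but never used, since the package is unpacked with `dpkg --extract` rather than installed; `ENV DEBIAN_FRONTEND noninteractive` persists into the final image, where an `ARG` or an inline assignment on the `apt-get` line is the recommended form; and with no `USER` instruction `catalina.sh run` executes as root, which is worth calling out in the README if it is intended for a testing-only image.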
## AuthzForce Server CE - Minimal Docker image
This image of a minimal AuthzForce Server runtime is intended to work together with [Identity Manager - Keyrock](http://catalogue.fiware.org/enablers/identity-management-keyrock) and [PEP Proxy Wilma](http://catalogue.fiware.org/enablers/pep-proxy-wilma) generic enabler.
## Image contents
- OpenJDK JRE 8;
- Tomcat 8;
- AuthzForce Server CE (version matching the Docker image tag).
## Usage
This image gives you a minimal installation for testing purposes. The AuthzForce Installation and Administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) provides you a better approach for using it in a production environment. This installation guide also gives instructions to install from .deb package (instead of Docker), which is the recommended way for Ubuntu hosts.
Create a container using `authzforce/server` image by doing (replace the first *8080* after *-p* with whatever network port you want to use on the host to access the AuthzForce Server, e.g. 80; and *release-7.0.0* with the current Docker image tag that you are using):
```
docker run -d -p 8080:8080 --name <container-name> fiware/authzforce-ce-server:release-7.0.0
```
As stands in the AuthZForce Installation and administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) you can:
* **Create a domain**
```
curl -s --request POST \
--header "Accept: application/xml" \
--header "Content-Type: application/xml;charset=UTF-8" \
--data '<?xml version="1.0" encoding="UTF-8"?><taz:domainProperties xmlns:taz="http://authzforce.github.io/rest-api-model/xmlns/authz/5" />' \
http://<authzforce-container-ip>:8080/authzforce-ce/domains
```
* **Retrieve the domain ID**
```
curl -s --request GET http://<authzforce-container-ip>:8080/authzforce-ce/domains
```
* **Domain removal**
```
curl --verbose --request DELETE \
--header "Content-Type: application/xml;charset=UTF-8" \
--header "Accept: application/xml" \
http://<authzforce-container-ip>:8080/authzforce-ce/domains/<domain-id>
```
* **User and Role Management Setup && Domain Role Assignment**
These tasks are now delegated to the [Identity Manager - Keyrock](http://catalogue.fiware.org/enablers/identity-management-keyrock) enabler. Here you can find how to use the interface for that purpose: [How to manage AuthzForce in Fiware](https://www.fiware.org/devguides/handling-authorization-and-access-control-to-apis/how-to-manage-access-control-in-fiware/).
## User feedback
### Documentation
All the information regarding the Dockerfile is hosted publicly on [Github](https://github.com/authzforce/server/tree/master/src/docker).
### Issues
If you find any issue with this image, feel free to report at [Github issue tracking system](https://github.com/authzforce/server/issues).
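Review bot: the `docker run` example pulls `fiware/authzforce-ce-server:release-7.0.0`, while the sentence above says to use the `authzforce/server` image and the release-process steps in this commit point to the Docker Hub repository `https://hub.docker.com/r/authzforce/server/`; settle on one image name so the command works when pasted. Likewise the Documentation section links to `https://github.com/authzforce/server/tree/master/src/docker`, but the Dockerfile added here lives under `dist/src/docker` as the commit message and CHANGELOG state. Minor: "generic enabler" in the first paragraph should be plural, since two enablers are listed.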