The Community Authorization Service (CAS) allows a virtual organization to express policy regarding resources distributed across a number of sites. A CAS server issues assertions to the virtual organization's users, granting them fine-grained access rights to resources; the resource servers recognize and enforce those assertions. CAS is designed to be extensible to multiple services and is currently supported by the GridFTP server and by web services.
Features new in GT 4.2.0:
- Support for OGSA-AuthZ Authorization Service interface
- Support for managing web services policy.
Other Supported Features
- File-level access control for GridFTP
- Issuance of SAML authorization decisions
Deprecated Features
- None
Other changes in GT 4.2.0:
- Fixed the SAML assertion that cas-proxy-init embeds in the proxy certificate so that it complies with the RFC 3820 requirements on certificate extensions (extension values must be DER-encoded ASN.1). Support for OID 1.3.6.1.4.1.3536.1.1.1.9 has been discontinued, and a new OID, 1.3.6.1.4.1.3536.1.1.1.12, whose value is a DER-encoded ASN.1 representation of the SAML assertion, has been added. Details are in Bug 5606.
- Added an implicit namespace, casDefaultNS, which is treated as a special namespace with no base name and an exact-comparison algorithm.
- Grant-all access to newly created groups disabled: previous versions of CAS allowed a newly created group to be granted grantAll access to itself. This has been disabled to prevent recursive permission problems.
- Update to OpenSAML 1.1: the service now uses OpenSAML 1.1.
- Command line client options: the command line client options have been changed to use the option names that are standard across the toolkit. All previously supported features are still supported, but some option names have changed.
- CAS deployments now support both a push model, in which the client obtains the assertion and presents it to the resource, and a pull model, in which the resource server retrieves the authorization decision itself.
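To make the RFC 3820 point concrete, the following is an added example and not CAS or Globus Toolkit code: a small, standard-library-only Python DER walker that builds an X.509 Extensions SEQUENCE carrying a SAML assertion under either the old or the new CAS OID, and then reports whether the extnValue it finds is itself well-formed DER (the property the old OID 1.3.6.1.4.1.3536.1.1.1.9 encoding violated). The page only says the new value is a DER-encoded ASN.1 representation of the assertion, not which ASN.1 type is used, so the UTF8String wrapper under OID ...12, the sample assertion XML and the helper names below are assumptions made for illustration.

```python
# Added example (not CAS/Globus Toolkit code): inspect the CAS SAML-assertion
# extension in an X.509 Extensions SEQUENCE using only the standard library.
# Pre-4.2 CAS stored raw XML bytes as extnValue under OID .9, which is not DER;
# GT 4.2 moved to OID .12 with a DER-encoded value.  The ASN.1 type CAS uses
# is not stated on the page; this example ASSUMES a UTF8String wrapper.

CAS_OID_OLD = "1.3.6.1.4.1.3536.1.1.1.9"   # discontinued in GT 4.2.0
CAS_OID_NEW = "1.3.6.1.4.1.3536.1.1.1.12"  # DER-encoded assertion (Bug 5606)

# Constructed sample assertion for illustration; not a real CAS-issued assertion.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="example-1" Issuer="/DC=org/DC=example/CN=cas-server">'
    '<saml:AuthorizationDecisionStatement Decision="Permit" '
    'Resource="ftp://gridftp.example.org/data/file"/>'
    '</saml:Assertion>'
)


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def build_extension(oid, extn_value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    parts = encode_oid(oid)
    if critical:
        parts += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, parts + der_tlv(0x04, extn_value))


def build_extensions(*exts):
    return der_tlv(0x30, b"".join(exts))


def old_style_extension(assertion_xml):
    """Pre-4.2 shape: raw XML bytes as extnValue (the Bug 5606 defect)."""
    return build_extension(CAS_OID_OLD, assertion_xml.encode())


def new_style_extension(assertion_xml):
    """4.2 shape, ASSUMED here to be a DER UTF8String holding the assertion."""
    return build_extension(CAS_OID_NEW, der_tlv(0x0C, assertion_xml.encode()))


def parse_extensions(der):
    """Yield (oid, critical, extnValue bytes) for each Extension in the SEQUENCE."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext)
        tag, value, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                       # optional critical BOOLEAN present
            critical = value == b"\xff"
            tag, value, p = read_tlv(ext, p)
        yield decode_oid(oid_body), critical, value


def inspect_cas_extension(extensions_der):
    """Locate the CAS extension and report whether its extnValue is DER."""
    for oid, critical, value in parse_extensions(extensions_der):
        if oid not in (CAS_OID_OLD, CAS_OID_NEW):
            continue
        try:
            tag, inner, end = read_tlv(value)
            is_der = end == len(value)        # exactly one element fills the value
        except (ValueError, IndexError):
            tag, inner, is_der = None, b"", False
        assertion = inner if is_der and tag == 0x0C else value
        return {
            "oid": oid,
            "supported_by_4_2": oid == CAS_OID_NEW,
            "extnValue_is_der": is_der,
            "assertion": assertion.decode("utf-8", errors="replace"),
        }
    return None


if __name__ == "__main__":
    for ext in (old_style_extension(SAMPLE_ASSERTION), new_style_extension(SAMPLE_ASSERTION)):
        print(inspect_cas_extension(build_extensions(ext)))
```

The DER check is deliberately simple: a conforming extnValue consists of exactly one ASN.1 element that spans the whole OCTET STRING contents, whereas raw XML beginning with `<` decodes as a stray tag and length that do not cover the bytes that follow. A real deployment would run the same check over the Extensions taken out of the proxy certificate's TBSCertificate rather than over a hand-built SEQUENCE.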
Bug fixes in GT 4.2.0:
- Bug 3259: Error parsing environment variables set for CAS clients.
- Bug 3371: CAS group delete fails if grant all permissions is made on newly created group.
- Bug 3648: CAS server not prepending ftp://<hostname> to the resource in the assertion
- Bug 3728: Credentials for CAS is invalid.
- Bug 3895: Issuer of assertion should be CAS server's DN
- Bug 3947: CAS Service must release all of its resources on deactivation
- Bug 4776: bundle making error in trunk
- Bug 4882: lifetime bug in embedAssertion method
- Bug 5606: CAS 1.3.6.1.4.1.3536.1.1.1.9 certificate extension is not a properly DER encoded ASN.1 structure
- Bug 5193: error by issuing cas-proxy-init with -b or --policyFilename parameter
- Bug 5629: RP definition needs to be ref
The following problems and limitations are known to exist for CAS at the time of the 4.2.0 release:
The CAS service depends on the following GT components:
- WS Authentication and Authorization
- Java WS Core
The CAS GridFTP authorization module depends on the following GT components:
- Non-WS Authentication and Authorization
The CAS service depends on the following 3rd party software:
- OpenSAML
The CAS GridFTP authorization module depends on the following 3rd party software:
- libxml
Tested Platforms for CAS
- Windows XP
- Linux (Red Hat 7.3)
Tested Containers for CAS
- Java WS Core container
- Tomcat 5.0.30
CAS has been updated to use the latest version of Java WS Core, which now supports the final version of the WSRF/WSN specifications. This service is not compatible with the previous stable versions, GT 4.0.x.
The SAML assertions embedded in the proxy certificate have been fixed to comply with RFC 3820 requirements. CAS assertions generated by default in GT 4.0.x will therefore not be consumed by GT 4.2.x services that use assertions.
Associated standards for CAS: