Software Links
Getting Started
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- GT Developer's Guide
- GT User's Guide
- Migrating Guides
Reference
Manuals
Common Runtime
Security
- GSI C
- GSI Java
- Java WS A&A
- C WS A&A (coming soon)
- CAS
- Delegation Service
- MyProxy
- GSI-OpenSSH
- SimpleCA
Data Mgt
WS MDS
Execution Mgt
Table of Contents
[fixme - what are PDPs?]
If you have a PDP you'd like to contribute to the Globus Toolkit, use the following template:
![[Note]](/docbook-images/note.gif) | Note |
|---|---|
The above files are in DocBook XML format. Simply click the link, save to your hard drive, edit the file in a text or xml editor and email to ?. Don't worry about getting the tags right, it's enough to enter the information where it makes sense and we'll clean up the tags where necessary. |
The PDP uses configured access contol lists to ascertain if a subject can access an operation.
accessConfigFileProperty to configure the file containing policy for accessing resource. If not configured, file access-acl.conf is used by default.
adminConfigFileProperty to configure file containing policy for administrating the resource. If not configured, file admin-acl.conf is used by default.
The PDP looks for the files in the following order:
Current directory (.)
/etc
/etc/grid-security
$GLOBUS_LOCATION
The configured files should have the following format:
subjectName=serviceName#method1,method2;testService2#method1,method2
Each subject DN should be a seperate line. Equal to signs (=) and spaces should be escaped with backslash (\)
An equal to must separate the subject DN and the service/operation name description.
List of service URL and method names separated by semi-colon (;)
Each service and method description should container service URL followed by hash sign (#) and list of methods the subject DN is allowed to access/admin.
Method names for each service separated by comma (,).
| Bad configuration | INDETERMINATE |
| No configuration | INDETERMINATE |
| No policy for subject | DENY |
| Anonymous Access | DENY |
| No policy for subject to access service/operation | DENY |
| Policy exists for subject to access service/operation | PERMIT |
No interceptors are related other than the default bootstrap interceptor (X509 Bootstrap PIP), which is required to be used with this PDP.
This scheme checks the presence of a user's DN in a configured gridmap file. The grid map file contains a list of mappings from a user's DN to set of local user names that the user is mapped to. The DN and the list of comma-separated mappings are separated by a space. Each mapping is a separate new line by itself.
If the user is present in the configured gridmap file, the mappings are populated in the peer subject object as principals and the user is allowed access to the resource. Absence of DN in gridmap file yields a deny.
The gridmap file location or an instance of GridMap object needs to be configured as a parameter to this PDP. The parameter names are:
gridmap-fileProperty to configure the location of the gridmap file. (From CoG add details on how this file is read in, relative to current directory ?)]
gridmapObjectProperty to configure an instance of GridMap class.
The PDP looks for the gridmap file in the following order:
GridMap object property in the configuration.
GridMap file property in the configuration.
GridMap object in the container default properties.
GridMap file property in the container default properties.
A default grid map file can be configured as described in Section 1, “Configuring Default GridMap File”.
| No peer subject | INDETERMINATE |
| Bad/No gridmap configuration | INDETERMINATE |
| Failed girdmap refresh | INDETERMINATE |
| Anonymous Access | DENY |
| No gridmap entry | DENY |
| Gridmap entry present | PERMIT |
No interceptors are related other than the default bootstrap interceptor (X509 Bootstrap PIP), which is required to be used with this PDP.
PDP performs host-based authorization of the client, i.e expects the client to be running with host credential.
urlProperty that should be configured with the URL of the client.
serviceProperty that can be configured with the service, if service credentials are used rather than regular host credentials. By default the value is set to host.
| No peer subject | INDETERMINATE |
| Bad configuration | INDETERMINATE |
| url property not configured | INDETERMINATE |
| Anonymous Access | DENY |
| Peer DN does not match expected DN | DENY |
| Peer DN matches expected DN | PERMIT |
No interceptors are related other than the default bootstrap interceptor (X509 Bootstrap PIP), which is required to be used with this PDP.
| No peer subject | DENY |
| No local subject | INDETERMINATE |
| Peer subject does not match configured (expected) subject DN | DENY |
| Peer subject matches the configured(expected) subject DN | PERMIT |
No interceptors are related other than the default bootstrap interceptor (X509 Bootstrap PIP), which is required to be used with this PDP.
The PDP enforces a parameter based authorization policy on GetResourceProperty, GetMultipleResourceProperties and SetResourceProperties. QueryResourceProperties is not protected by this PDP and to prevent malicious access of RPs through that method, access to that method must be protected using other schemes. GetMultipleResourceProperies access is allowed only if policy allows user access to all the RPs qeuried.
get-rp-pdp-configProperty that should be configured with a file containing authorization policy for access to GetResourcePropery and GetMultipleResourceProperties method.
set-rp-pdp-configProperty that should be configured with a file containing authorization policy for access to SetResourceProperty method.
The format of the configuration files should be as follows:
subjectDN=qName1;qName2;qName3
All equal to signs and space in Subject DN should be escaped using backslash.
For example, if the set resource properties policy is defined as follows:
/C\=US/O\=Globus\ Alliance/OU\=User/CN\=101497d3dcd.3dcd5aef=\
{http://www.globus.org/tests/security}booleanVal;{http://www.globus.org\
/tests/security}intVal1
[Above should be a single line without any spaces. Spaces provided here for document formatting] This implies that subject DN "/C=US/O=Globus Alliance/OU=User/CN=101497d3dcd.3dcd5aef" can set value of the RPs {http://www.globus.org/tests/security}booleanVal and {http://www.globus.org/tests/security}intVal1
| Policy for set RP and get RP not configured | Initialize Exception |
| Erroneous configuration file | INDETERMINATE |
| Missing parameter value attribute | INDETERMINATE |
| No policy for user to access requested resource property. | DENY |
| Policy found for user to access requested resource property.. | PERMIT |
Default bootstrap interceptor (X509 Bootstrap PIP), is required to use this PDP.
Parameter PIP (Parameter PIP is required to use with this PDP to be able to collect information about the requested resource property. The ParameterPIP needs to be configured with the following :
servicePath getMultipleResourceProperties{http://docs.oasis-open.org\ /wsrf/2004/06/wsrf-WS-ResourceProperties-1.2-draft-01.xsd}\ getMultipleResourceProperties servicePath getResourceProperty {http://docs.oasis-open.org/wsrf/2004/06/wsrf\ -WS-ResourceProperties-1.2-draft-01.xsd}getResourceProperty servicePath setResourceProperties {http://docs.oasis-open.org/wsrf/2004/06/wsrf\ -WS-ResourceProperties-1.2-draft-01.xsd}SetResourceProperties[Above should be a single line without any spaces. Spaces provided here for document formatting]
The servicePath needs to be replaced with the service endpoint that required resource property access to be authorized based on parameters.
This PDP can be used to talk to any authorization service that implements the OGSA AuthZ interface. The steps involved include:
Secure call is made to the authorization service
Secure response is expected
Identity of soap message siganture or tls connection is established
If response is signed, identity of response signature is established.
Issuer identity is determined from authz service is 4 or 5, in that order
If there are any errors constructing request,contacting authz service or parsing response, an indeterminate decision is issued by container
Response signature is verified.
Every assertion in the response is verified to be issued by issuer identity (point 5)
If any of the statement is not a permit on the particular subject, resource, action, a deny is returned by issuer identity. Otherwise a permit is returned.
In the future, a delegation step from the issuer identity (in 5) to some other issuers could be set as policy on SAMLAuthzCallout to establish a chain.
authzServiceProperty that points to the authorization service to contact. The value should be a URL.
securityMechanismProperty that indicates the security mechanism to use to contact authorization service. Should be either "msg" for GSI Secure Message or "conv" for GSI Secure Conversation. If authorization service URL container "https" as protocol, GSI Secure Transport is used to contact the authorization service.
protectionLevelProperty that indicates the protection level to use to contact the authorization service. Should be either "sig" for signature and "enc" for encryption.
authzServiceCertificateProperty that points to the authorization service public certificate file. This property is required only if "securityMechanism" is GSI Secure Message and "protectionLevel" is encryption.
authzServiceIdentityProperty that has the expected identity of the authorization service. This is used for authorizing the call to authorization service.
samlAuthzSimpleDecisionProperty indicates if SimpleAuthorizationDecisionStatement as defined in OGSA AuthZ specification is being requested from the authorization service.
| Error constructing local SAML data types. | INDETERMINATE |
| Error converting EPR to string | INDETERMINATE |
| Error signing SAML Request | INDETERMINATE |
| Error accessing configured authorization service | INDETERMINATE |
| Null response from configured authorization service | INDETERMINATE |
| SAML exception from configured authorization service | INDETERMINATE |
| SAML Response signed by identity different from expected identity ofconfigured authorization service | INDETERMINATE |
| If decision returned from service is anything other than permit. | DENY |
| If decision returned from service is permit. | PERMIT |
No interceptors are related other than the default bootstrap interceptor (X509 Bootstrap PIP), which is required to be used with this PDP.
This PDP parses and enforces any SAML Authorization Decision Statements that are a part of the requester's attribute bag. Typically SAMLAuthzAssertionPIP is used in tandem with this PDP to collect those attributes.
The PDP expects the service name as SAML Resource and the operation name as action.
| No requester attributes | NOT_APPLICABLE |
| No resource attributes | INDETERMINATE |
| No action attributes | INDETERMINATE |
| If atleast one of the SAML Decision statement is permit for access to said resource and action | PERMIT |
| If none of the SAML Decision statement is permit for access to said resource and action | DENY |
Default bootstrap interceptor (X509 Bootstrap PIP), is required to use this PDP.
SAML Authorization Assertion PIP (SAMLAuthzAssertPIP is required to use with this PDP to be able to collect SAML Authorization Assertions that are sent in as a part of the request.
This PDP does self authorization and expects the peer subject to match the local subject, which is the current JAAS Subject associated with the service/resource. The current JAAS subject is determined by the value of the run-as element in the service security descriptor (see Configuring run-as mode).
| No peer subject | DENY |
| No local subject | INDETERMINATE |
| Peer subject matches local subject | PERMIT |
| Peer subject does not match local subject | DENY |
No interceptors are related other than the default bootstrap interceptor (X509 Bootstrap PIP), which is required to be used with this PDP.
Uses Java Login module to authorize based on user name and password used on the method call. The username and password are passed to the Login module using javax.security.auth.callback.NameCallback and javax.security.auth.callback.PasswordCallback.
Username authorization as part of the authorization framework for a service involves setting up a Configuration class that reads in the Login Module to be using. It is also possible to specify the login modules to be used by altering some parameters in the java.security file located at $JAVA_HOME/jre/lib/security which has been discussed under the general configuration section. Steps for username authorization using Login Modules configured via custom Configuration classes is described under the custom configuration section.
Login modules can be setup for use by our application in two different ways. One, by adding the login module to the list of login modules used by the JVM. This method has been explained under the JVM Configuration. Second, by creating a custom configuration class to dynamically pick up the login module.
Some login module and configuration file needs to be configured (example: jre/lib/ext/jaasmod.jar and jre/lib/security/java.security). A sample configuration entry:
login.configuration.provider=com.sun.security.auth.login.ConfigFile
login.config.url.1=file:${java.home}/lib/security/jaas.config
Sample jaas.config file:
Login {
com.sun.security.auth.module.NTLoginModule required;
};
A configuration class is used to setup a specified login module for executing authorization. The class details are provided to the Toolkit through the security descriptor for the service that enforces username auhorization. In order for the username authorization handler to use a custom Login Configuration, a parameter with name "login-config" and a value containing the custom Configuration classname has to be specified along with the PDP in the security descriptor. The PDP in this case is "Username Authorization". The relevant snippet from the service security descriptor is shown below:
<authzChain>
<pdps>
<interceptor name="prefix:org.globus.wsrf.impl.security.authorization.UsernameAuthzPDP">
<parameter>
<param:nameValueParam>
<param:parameter name="login-config" value="org.globus.wsrf.impl.security.authorization.LoginConfiguration"/>
</param:nameValueParam>
</parameter>
</interceptor>
</pdps>
</authzChain>
| Internal Details |
|---|---|
The usernameAuthorization PDP loads the Configuration specified in the parameter "login-config" and sets that as the
current configuration.(These are internal details which may be disregarded safely for the purposes of writing up a
custom configuration)
String className = (String) this.chainConfig.getProperty(this.prefix, "login-config");
Class config = ClassLoaderUtils.forName(className);
Object loginConfig = config.newInstance();
if(loginConfig instanceof Configuration ){
Configuration.setConfiguration((Configuration) loginConfig);
}
|
The custom Configuration class has to be a subclass of
javax.security.auth.login.Configuration.
An example custom Configuration class is available in the unit tests directory at
org.globus.wsrf.impl.security.authorization.LoginConfiguration.
The login module that has to be used is specified using a login.config file that the
configuration class uses. The configuration class loads the appropriate properties from
this file. A sample entry for this file is:
Login {
org.globus.wsrf.impl.security.authorization.UsernameLoginModule required;
};
More details regarding Login Configuration files can be found here. The next section focuses on the setup and usage of login modules.
The login modules can be used to handle the authorization of users. The details regarding writing login modules is beyond the scope of this document and can be found at in the Login Module Developers' guide
The unit tests have an example of a login module org.globus.impl.security.authorization.UsernameLoginModule. The username and password to authorize the client have to be passed via the client security descriptor similar to the one listed below. If the password type is not provided then it defaults to PasswordText. In that case, the passwords are sent unencrypted over the wire.
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
<GSISecureTransport>
<integrity/>
</GSISecureTransport>
<usernameType>
<username value="globus"/>
<passwordType>
<password value="unittesting"/>
<type value="http://docs.oasis open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"/>
</passwordType>
</usernameType>
<authz value="none"/>
</clientSecurityConfig>
This login module handles the authorization of usernames and passwords supplied either as Text (unencrypted format)
or as a Digest (encrypted format.) by comparing them to the username and password stored on the server in a file.
The format of the parameters in the password file used by our example Login Module is illustrated in the following example.
~/tests/unit/etc/Test-authz-pwd
name=globus password=unittesting usernames=globus
In summary, Login Modules can be used to implement username authorization. This can be done by either changing the java environment to invoke your login module or by programmatically setting the authorization framework to use your login module. The unit tests provide a good example of how this can be done programmatically which in most cases would prove beneficial.