Software Links
Getting Started
- Doc Structure
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- GT Developer's Guide
- GT User's Guide (coming soon)
- Migrating from GT2
- Migrating from GT3
Reference
- Best Practices
- Coding Guidelines
- API docs
- Public Interfaces (coming soon)
- Resource Properties
- Samples
- Glossary
- Performance Studies (coming soon)
Manuals
Common Runtime
Security
- Non-WS (General) Security
- WS Java Security
- Message-level
- Authz Framework
- CAS
- Delegation Service
- MyProxy
- GSI-OpenSSH
- SimpleCA
- SGAS
Data Mgt
MDS4
Execution Mgt
Table of Contents
The CAS server can be used to store and manage policy for web services. The web service authorization decisions will require policy on a user accessing a particular operation on a said resource. Entities map to the CAS model as follows:
Table 1. Entity Mapping
| User | A user group in CAS service with user as member. |
| Operation | A Service/Action entry is used to represent a web service operation.
|
| WS Service/Resource | The EPR of resource represented as string. The EPR is converted to string using the algorithm specified in the OGSA AuthZ specification. |
The next sections discuss a few different ways the CAS server can be used to manage web services access policy.
This section describes using the CAS server as an authorization service to manage policy for web services. The sample service used here is the Counter Service distributed as a part of Java WS Core component. The CAS server needs to be bootstrapped with information about a super user and the sample assumes that the super user is the client. The methods on Counter Service that need to be protected needs to be added as actions and the EPR of the created counter resource needs to be added as an object.
- Configure the CAS service as described in here
Bootstrap the CAS service as described in here. Ensure that the user-subject in the bootstrap properties file to be the DN of the client. For example, following is a sample bootstrap properties file
ta-name=ta ta-authMethod=X509 ta-authData=/C=US/O=Globus/CN=Default CA user-name=su user-subject=/C=US/O=Globus Alliance/OU=User/CN=101497d3dcd.3dcd5aef userGroupname=superUserGroup
Start up container with -nosec option.
bin/globus-start-contianer -nosec
In another shell, set the CAS_SERVER_URL environment variable to point to the CAS service.
set CAS_SERVER_URL=http://localhost:8080/wsrf/services/CASService
Also set the CAS_SERVER_IDENTITY environment variable to point to the identity of the CAS service..
set CAS_SERVER_IDENTITY="/C=US/O=Globus Alliance/OU=User /CN=101497d3dcd.3dcd5aef"
Create a user group (testUGp) to give permission to access counter service.
bin/cas-group-admin.bat -m msg user create superUserGroup testUGp
Add super user to the testUGp. The nick name for super user would have been specified in the bootstrap properties file. In this sample it is su.
bin\cas-group-add-entry.bat -m msg user testUGp su
Add web service operation as a service type.
bin\cas-enroll.bat -m msg serviceType testUGp "http://www.gridforum.org/namespaces/2003/06/ogsa-authorization/ saml/action/operation"Add "add" (an operation on counter service) as an action of the above service type.
bin\cas-action.bat -m msg add "http://www.gridforum.org/namespaces/2003/06/ogsa-authorization/ saml/action/operation" addAdd "destroy" (an operation on counter service) as an action of the above service type.
bin\cas-action.bat -m msg add "http://www.gridforum.org/namespaces/2003/06/ogsa-authorization/ saml/action/operation" destroyCreate a new counter resource using the counter client and use the -b option to get the string representation of EPR.
bin\counter-create.bat -s http://localhost:8080/wsrf/services/SecureCounterService -m msg -z none -b eprAsString > eprEnroll the counter resource as an object. The object name will be the string representation of the EPR from previous step. Since we don't want any basename for this resource, use casDefautlNS as the namespace.
bin\cas-enroll.bat -m msg object testUGp "http://192.168.1.101:8080/wsrf/services/SecureCounterService? zpCAOdk0t4MfUmJY2GlpjeOC1Mw=" casDefaultNSGrant rights for testUGp to be able to add to the counter resource.
bin\cas-rights-admin.bat -m msg grant testUGp object casDefaultNS "http://192.168.1.101:8080/wsrf/services /SecureCounterService?zpCAOdk0t4MfUmJY2GlpjeOC1Mw=" serviceAction "http://www.gridforum.org/namespaces/2003/06/ogsa-authorization/ saml/action/operation" addAttempt adding to the counter resource.
bin\counter-add.bat -e epr -m msg 10 -z none
Attempt destroying the resource. You will see an authorization exception.
bin\wsrf-destroy.bat -m msg -z one -e epr
This section describes using the CAS server as a PDP local to the container to manage authorization policy for web services. Unlike the previous section the authorization service interface of CAS is not used. But a PDP, org.globus.cas.impl.LocalCasPdP, distributed with the CAS server code base is used to contact a co-hosted CAS server for authorization decisions. This PDP uses Java calls on the CAS resource to obtain policy information and returns a decision of PERMIT or DENY.
For a service to use this feature, the authorization configuration at service/resoruce level should be the LocalCasPdp. To grant access to users, the users need to be added to the CAS database. This can be done either during bootstrap or during runtime. The resource owner can then facilitate fine grained, per operation authorization by storing appropriate permissions on the local CAS server.
Following is a list of steps that highlights how the CasLocalPdp can be sued:
The test service used to as a part of this distribution to test this feature is used as the example service. The service consists of three methods, with following characteristics.
Table 2. Operation Details
Name Purpose Authentication Required Authorization Required Invocation on service/resource create Create a new resource and return EPR. Initialize with integer value and an array of CAS user nickname allowed to access new resource. Yes, any scheme None Service getValue Return current value of resource No No Resource add Integer value as parameter to add to current value Yes, any scheme LocalCasPdp Resource To configure the test service to use enforce authentication for create method, a security descriptor as shown below can be configured.
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> <auth-method> <GSISecureConversation/> <GSISecureMessage/> <GSISecureTransport/> </auth-method> <authzChain> <pdps> <interceptor name="none"/> </pdps> </authzChain> </serviceSecurityConfig>To configure the test resource to enforce authentication and use LocalCasPdp for authorization, a security descriptor file can be writen and loaded into the resource object as shown below
<serviceSecurityConfig xmlns="http://www.globus.org/security/descriptor/service"> <auth-method> <GSISecureConversation/> <GSISecureMessage/> <GSISecureTransport/> </auth-method> <methodAuthentication> <method name="getValue"> <auth-method> <none/> </auth-method> </method> </methodAuthentication> <authzChain> <pdps> <interceptor name="pdp:org.globus.cas.impl.LocalCasPdp"/> </pdps> </authzChain> </serviceSecurityConfig>Sample Resource code, where
resoruceSecDescis the path to the above file.public class TestResource implements SecureResource, ResourceIdentifier { ResourceSecurityDescriptor desc; public TestResource(int val, String resourceSecDesc) throws Exception { this.key = new Integer(hashCode()); this.value = val; this.desc = new ResourceSecurityDescriptor(resourceSecDesc); } public ResourceSecurityDescriptor getSecurityDescriptor() { return this.desc; } }The owner of the service should exist in the CAS database with the same DN used to run the service. Also, a user group to add all new CAS objects created is required. For the purpose of this sample, we assume that "testUser" exists on the server and a user group "testUserGroup". Refer to Section 2.3, “Bootstrapping the CAS database ” for details on how to bootstrap the CAS server.
A Service Action group with all operations in the service should be added to the CAS service. This needs to be done only once and can be done in the resoruce home. This example shows how a new group "testActionGp" can be added.
String casUrl = "local://host:port/wsrf/services/CASService"; Util util = new Util(casUrl); System.out.println("Creating service action group"); util.createServiceActionGroup("testUserGroup", "testActionGp");Note that local invocations can be used, since the CAS server is expected to be cohosted.
All operation on the service should be added to the service/action group.
util.addOperation(new String[] { "getValue", "add"}, "testActionGp");A User group per resource created can be added to the CAS server. This example uses the resource key as part of the group name.
String newUserGroupName = "objGp-" + key.toString(); util.createUserGroup(userGroup, newUserGroupName);The EPR of resource should be added as a CAS object. The EPR should be converted to string representation and added with default namespace.
String eprAsString = EPRUtil.getEPRAsString(epr); // The user group on which all rights are granted for thsi object can // be the new user group created in previous step. util.addResourceObject(eprAsString, "testUserGroup");With all CAS objects bootstrapped, permission for the new user group to perform actions in new service/action group on resource should be added to CAS server. Now any new user who needs to be allowed access just needs to be added to CAS server and then added to user group for the said resource.
// set permission for new user group, resource EPR and then new action // group. util.grantPermission(newUserGroupName, eprAsString, actionGroupName);On a create operation, when the list of authorized users is passed as parameter, the user should be added to the newly created user group.
util.addUserToGroup(newUserGroupName, "authorizedUserNick");With the above set up, a
createcall can be made by anyone, provided some authentication is used.getValuecan be invoked insecurely also.addwill require that the CAS server have policy about the user.