[cas-dev] RE: [gt-user] Can CAS grant permissions at a service/operation level with view/execute actions mappings ?
Rachana Ananthakrishnan
ranantha at mcs.anl.gov
Wed Aug 2 08:55:54 CDT 2006
Karen,
> -----Original Messa
> I've been studying both the Developers Guide (section 5 - Usage
> scenarios) and the User's Guide (section 2 - Usage scenarios)
> to try to figure out how I might call my simple service via a
> java client program but I'm not sure that this will be
> possible. The examples given in the User's guide talk of
> using cas-wrap with a grid-enabled-program. It looks like
> this 'grid-enabled-program' must be an executable file. In
> the examples it mentions gsincftp and globus-url-copy.
>
> Am I right in my assumption that in GT4.0.2 I cannot call a
> java client to access my CAS enabled service ?

I am not sure I understand your scenario.

The typical usage scenario is to manage access rights to some resource (in
your case the service) using the CAS server. The user can then use
cas-proxy-init to generate a proxy with an assertion embedded in the proxy.
The embedded assertion will be used by the resource to determine if the user
can access the resource. The user can now use cas-wrap to invoke the client
program. The cas-wrap script just runs the client program using the proxy
generated by cas-proxy-init.

So I don't see why you can't run your java client to access the service
using cas-wrap.

Hope that helps,
Rachana

>
> Thanks again for your help,
>
> Karen
>
>
>
> On Tue, 2006-08-01 at 10:42 -0500, Rachana Ananthakrishnan wrote:
> > Karen,
> >
> > > With regards to the functionality you are currently implementing -
> > > "WS Authorization stack invoking operations to ascertain permissions
> > > for a user", would it be possible for us to get hold of some code to
> > > test it as soon as is reasonably possible and perhaps prior to
> > > release ?
> >
> > Sure, this code sits in branch and I am just wrapping up testing. I'll
> > send you information as soon as I am done.
> >
> > > Is the functionality you talk of in your 1st paragraph (push
> > > model) also in GT4.0.2 ? Or do I have to take GT 4.1.0 to get it ?
> >
> > It is in 4.1.0 and not in branch, since it is new functionality.
> >
> > I am sorry I haven't had a chance to test your issue with PostGres,
> > but I will do so soon. The new branch code also has a default Derby
> > install, which makes database install and testing really easy.
> >
> > Rachana
> >
> > >
> > > Thanks a lot,
> > > Karen
> > >
> > >
> > > On Mon, 2006-07-31 at 08:16 -0500, Rachana Ananthakrishnan wrote:
> > > > Hi Karen,
> > > >
> > > > I'll look at your other email with error trace, but yes, CAS can
> > > > be used to store and enforce permissions on web services. The
> > > > 4.1.0 release included authorization schemes that can extract
> > > > assertion from proxy (assertions that were embedded by requesting
> > > > from CAS service) and use the assertion to determine if a said
> > > > user can request a specific operation on a service.
> > > >
> > > > The above would be a push model, where the client gets assertion
> > > > from CAS and pushes it to the web services authorization stack.
> > > > The other option is to use CAS as an authorization service and
> > > > have the WS authorization stack invoke operations on CAS to
> > > > ascertain permissions for a user. I am currently working on some
> > > > modifications to CAS to get this feature going.
> > > >
> > > > Rachana
> > > >
> > > > > -----Original Message-----
> > > > > From: owner-gt-user at globus.org
> > > > > [mailto:owner-gt-user at globus.org] On Behalf Of Karen Loughran
> > > > > Sent: Friday, July 28, 2006 10:08 AM
> > > > > To: gt-user at globus.org
> > > > > Subject: [gt-user] Can CAS grant permissions at a service/operation
> > > > > level with view/execute actions mappings ?
> > > > >
> > > > >
> > > > > Hi there,
> > > > >
> > > > > I don't have CAS successfully configured yet, but I have a query
> > > > > about its functionality which will help me determine whether it
> > > > > will meet our requirements.
> > > > >
> > > > > Throughout CAS' documentation an example of setting up a GridFTP
> > > > > server is used to illustrate how permissions for different actions
> > > > > can be granted to data groups. Examples refer to file/read action
> > > > > specifications on specific directories/files.
> > > > >
> > > > > Can CAS also implement policies which would allow for the
> > > > > following scenario:
> > > > >
> > > > > The operations provided by a service are only visible and/or
> > > > > executable by certain user groups, i.e., is it possible to define
> > > > > a service type for "operation" with actions "view" and "execute"
> > > > > on this so that CAS can be configured to prevent certain user
> > > > > groups from viewing/executing certain operations ? Can restricted
> > > > > viewing also be applied at the service level itself so that certain
> > > > > users are prevented from seeing the service at all ?
> > > > >
> > > > > Taking the GT4 Math Service example (from the GT4 tutorial).
> > > > > Users in user group A can see and execute setValue and getValue.
> > > > > Users in user group B can only execute getValue.
> > > > > Users in user group C can not even view the operations offered
> > > > > by the MathService.
> > > > > Users in user group D cannot even view/access details of a service
> > > > > at all.
> > > > >
> > > > > ?
> > > > >
> > > > > Thanks
> > > > > Karen
> > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> >
>
>