[cas-dev] RE: [gt-user] Can CAS grant permissions at a service/operation level with view/execute actions mappings ?
Rachana Ananthakrishnan
ranantha at mcs.anl.gov
Mon Aug 7 07:27:10 CDT 2006
Karen,
The script cas-wrap places the CAS assertion into the proxy certificate, so
your SOAP header does not get changed. Do you want to use an option where
assertions are embedded in the SOAP header? I have described setting things
up using cas-wrap in this mail.
The current code in trunk has been modified to fix some issues so that CAS
works better with web services authorization, and I have added a section in
the documentation on how to configure things on the CAS side:
http://www.globus.org/toolkit/docs/development/4.2-drafts/security/cas/admin/index.html#cas-admin-example-ws-policy
(Note that you will need code from CVS for this example.)
The service/action has no semantic meaning in CAS itself. Only your policy
enforcement point, that is your resource in this case, interprets what the
service and action mean.
Regarding the service side, to actually enforce the CAS assertion, you will
need to configure your service to use a specific authorization scheme (PDP).
An example of one such configuration is provided as an attachment in this
bugzilla:
http://bugzilla.mcs.anl.gov/globus/attachment.cgi?id=966
This is a security descriptor you would require your service to use. It
dictates that the SAMLAuthorizationCallout module should be used to talk to
the CAS service (whose address has been configured). Note that the parameter
authzServiceIdentity points to the DN of the CAS server and needs to be
modified appropriately.
So you can use the above descriptor, modify it to suit your service (change
operation names, the authentication scheme you would like to enforce and
such) and configure this as the security descriptor for your service. Then once
you set up the resource/service/action in the CAS service, you should see the
CAS assertion being used to enforce the policy in CAS.
I'll add the service side of things to the web pages.
Rachana
> -----Original Message-----
> From: Karen Loughran [mailto:k.loughran at qub.ac.uk]
> Sent: Thursday, August 03, 2006 10:16 AM
> To: Rachana Ananthakrishnan
> Cc: 'CAS Developers'
> Subject: RE: [gt-user] Can CAS grant permissions at
> a service/operation level with view/execute actions mappings ?
>
> Hi Rachana,
>
> I'm able to successfully generate a proxy with:
>
> cas-proxy-init -t johntag2
>
> And I am able to call my java test client with cas-wrap:
>
> cas-wrap -t johntag2 java SecureOperation2
>
> The client program succeeds and returns the correct value BUT
> there is no difference in the SOAP message going over the
> wire (have traced it with tcpmon) than if I did NOT wrap the
> call with cas-wrap ?
> Shouldn't I see John's proxy information in the message going
> to the server ?
>
>
> On a separate point, it's not clear to me from the
> documentation how server-actions are actually
> configured/handled through CAS. For example, I have added my
> SimpleService as a resource in CAS, and added this to a group
> called 'dataServices'. I have added a service type called
> 'service' and an action mapping pair 'service execute'.
> Finally, I have added a policy which states that 'members of
> the group editors can execute services from the dataServices
> group'. (I have attached my command sequence for creating
> this scenario).
>
> But how or where is it configured in CAS to map what
> "execute" actually means? Does the user need to configure
> something at the server side so that when a request is
> received (with cas-proxy), a piece of handler code is
> specified to say "if the supplied cas proxy states that the
> user is allowed to 'execute' this service then continue their
> request, else raise an exception"?
>
> In other words, does CAS intend for users to add a server side
> handler piece to enforce the "service action" policy implementation ?
>
> Any clarification on this would be great,
>
> Thanks
> Karen
>
>
>
> On Wed, 2006-08-02 at 08:55 -0500, Rachana Ananthakrishnan wrote:
> > Karen,
> >
> > > -----Original Messa
> > > I've been studying both the Developers Guide (section 5 - Usage
> > > scenarios) and the User's Guide (section 2 - Usage scenarios)
> > > to try to figure out how I might call my simple service via a
> > > java client program but I'm not sure that this will be
> > > possible. The examples given in the User's guide talk of
> > > using cas-wrap with a grid-enabled-program. It looks like
> > > this 'grid-enabled-program' must be an executable file. In
> > > the examples it mentions gsincftp and globus-url-copy.
> > >
> > > Am I right in my assumption that in GT4.0.2 I cannot call a
> > > java client to access my CAS enabled service ?
> >
> > I am not sure I understand your scenario.
> >
> > Typical usage scenario is to manage access rights to some
> > resource (in your case the service) using the CAS server. The user can then
> > use cas-proxy-init to generate a proxy with assertion embedded in the proxy.
> > The embedded assertion will be used by the resource to determine if the
> > user can access the resource. The user can now use cas-wrap to invoke the
> > client program. The cas-wrap script just runs the client program using the
> > proxy generated by cas-proxy-init.
> >
> > So I don't see why you can't run your java client to access the service
> > using cas-wrap.
> >
> > Hope that helps,
> > Rachana
> >
> > >
> > > Thanks again for your help,
> > >
> > > Karen
> > >
> > >
> > >
> > > On Tue, 2006-08-01 at 10:42 -0500, Rachana Ananthakrishnan wrote:
> > > > Karen,
> > > >
> > > > > With regards to the functionality you are currently implementing -
> > > > > "WS Authorization stack invoking operations to ascertain permissions
> > > > > for a user", would it be possible for us to get hold of some code to
> > > > > test it as soon as is reasonably possible and perhaps prior to
> > > > > release ?
> > > >
> > > > Sure, this code sits in branch and I am just wrapping up testing. I'll
> > > > send you information as soon as I am done.
> > > >
> > > > > Is the functionality you talk of in your 1st paragraph (push
> > > > > model) also in GT4.0.2 ? Or do I have to take GT 4.1.0 to get it ?
> > > >
> > > > It is in 4.1.0 and not in branch, since it is new functionality.
> > > >
> > > > I am sorry I haven't had a chance to test your issue with PostGres,
> > > > but I will do so soon. The new branch code also has a default Derby
> > > > install, which makes database install and testing really easy.
> > > >
> > > > Rachana
> > > >
> > > > >
> > > > > Thanks a lot,
> > > > > Karen
> > > > >
> > > > >
> > > > > On Mon, 2006-07-31 at 08:16 -0500, Rachana Ananthakrishnan wrote:
> > > > > > Hi Karen,
> > > > > >
> > > > > > I'll look at your other email with error trace, but yes, CAS can
> > > > > > be used to store and enforce permissions on web services. The
> > > > > > 4.1.0 release included authorization schemes that can extract
> > > > > > assertion from proxy (assertions that were embedded by requesting from CAS
> > > > > > service) and use the assertion to determine if a said user can
> > > > > > request a specific operation on a service.
> > > > > >
> > > > > > The above would be a push model, where the client gets assertion from
> > > > > > CAS and pushes it to the web services authorization stack. The other
> > > > > > option is to use CAS as an authorization service and have the WS
> > > > > > authorization stack invoke operations on CAS to ascertain permissions
> > > > > > for a user. I am currently working on some modifications to
> > > > > > CAS to get this feature going.
> > > > > >
> > > > > > Rachana
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: owner-gt-user at globus.org
> > > > > > > [mailto:owner-gt-user at globus.org] On Behalf Of Karen Loughran
> > > > > > > Sent: Friday, July 28, 2006 10:08 AM
> > > > > > > To: gt-user at globus.org
> > > > > > > Subject: [gt-user] Can CAS grant permissions at a service/operation
> > > > > > > level with view/execute actions mappings ?
> > > > > > >
> > > > > > >
> > > > > > > Hi there,
> > > > > > >
> > > > > > > I don't have CAS successfully configured yet, but I have a query
> > > > > > > about its functionality which will help me determine whether it will
> > > > > > > meet our requirements.
> > > > > > >
> > > > > > > Throughout CAS' documentation an example of setting up a GridFTP
> > > > > > > server is used to illustrate how permissions for different actions
> > > > > > > can be granted to data groups. Examples refer to file/read action
> > > > > > > specifications on specific directories/files.
> > > > > > >
> > > > > > > Can CAS also implement policies which would allow for the following
> > > > > > > scenario:
> > > > > > >
> > > > > > > The operations provided by a service are only visible and/or
> > > > > > > executable by certain user groups, i.e., is it possible to define
> > > > > > > a service type for "operation" with actions "view" and "execute"
> > > > > > > on this so that CAS can be configured to prevent certain user
> > > > > > > groups from viewing/executing certain operations ? Can restricted viewing
> > > > > > > also be applied at the service level itself so that certain
> > > > > > > users are prevented from seeing the service at all ?
> > > > > > >
> > > > > > > Taking the GT4 Math Service example (from the GT4 tutorial):
> > > > > > > Users in user group A can see and execute setValue and getValue.
> > > > > > > Users in user group B can only execute getValue.
> > > > > > > Users in user group C cannot even view the operations offered
> > > > > > > by the MathService.
> > > > > > > Users in user group D cannot even view/access details of a service
> > > > > > > at all.
> > > > > > >
> > > > > > > ?
> > > > > > >
> > > > > > > Thanks
> > > > > > > Karen
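The point made in this thread, that CAS only stores opaque service-type/action pairs per resource group and that the service-side policy enforcement point (PEP) alone decides what "execute" or "view" means for a given operation, modelled as an added Python example (not CAS or Globus Toolkit code). The group, resource and operation names come from Karen's scenario; the `CasPolicyModel` class, the `OPERATION_MAP` table, the 'viewers' group and all user DNs are constructed assumptions.

```python
# Added illustration, not CAS/GT code: CAS holds opaque (type, action) pairs per
# resource group; only the service-side PEP decides what they mean per operation.
from dataclasses import dataclass, field

@dataclass
class CasPolicyModel:
    """Toy stand-in for the CAS database (names and structure are assumptions)."""
    user_groups: dict = field(default_factory=dict)      # group -> {user DN}
    resource_groups: dict = field(default_factory=dict)  # group -> {resource}
    rules: list = field(default_factory=list)            # (ugroup, rgroup, type, action)

    def assertion_for(self, user_dn):
        """Rights a CAS assertion for this user would carry: {(resource, type, action)}."""
        rights = set()
        for ugroup, rgroup, stype, action in self.rules:
            if user_dn in self.user_groups.get(ugroup, set()):
                for resource in self.resource_groups.get(rgroup, set()):
                    rights.add((resource, stype, action))
        return rights

# Service-side PEP table (assumed; it lives with the service, never in CAS):
# the (service type, action) pair each protected operation requires.
OPERATION_MAP = {"SimpleService": {"listOperations": ("service", "view"),
                                   "getValue": ("service", "execute"),
                                   "setValue": ("service", "execute")}}

def pep_decide(assertion, service, operation):
    """Deny by default; permit only when the pushed assertion grants the
    pair this PEP associates with the requested operation."""
    needed = OPERATION_MAP.get(service, {}).get(operation)
    if needed is None:                        # unknown service or operation
        return False
    return (service, *needed) in assertion

def demo():
    """Constructed sample data mirroring Karen's command sequence."""
    cas = CasPolicyModel(
        user_groups={"editors": {"/O=Grid/CN=John"}, "viewers": {"/O=Grid/CN=Alice"}},
        resource_groups={"dataServices": {"SimpleService"}},
        rules=[("editors", "dataServices", "service", "execute"),
               ("viewers", "dataServices", "service", "view")])
    john = cas.assertion_for("/O=Grid/CN=John")
    alice = cas.assertion_for("/O=Grid/CN=Alice")
    return (pep_decide(john, "SimpleService", "getValue"),         # editors may execute
            pep_decide(alice, "SimpleService", "getValue"),        # viewers may not
            pep_decide(alice, "SimpleService", "listOperations"),  # but may view
            pep_decide(john, "SimpleService", "deleteAll"))        # unmapped op: deny
```

Changing what "execute" covers is purely a change to the PEP's table; the CAS policy and the assertion it issues stay the same.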