[cas-dev] RE: [gt-user] Can CAS grant permissions at a service/operation level with view/execute actions mappings ?
Rachana Ananthakrishnan
ranantha at mcs.anl.gov
Tue Aug 15 11:28:46 CDT 2006
Hi Karen,
> Oddly the contents of the epr file look like:
>
> <ns1:CounterReference xsi:type="ns2:EndpointReferenceType"
>     xmlns:ns1="http://counter.com"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:ns2="http://schemas.xmlsoap.org/ws/2004/03/addressing">
>   <ns2:Address xsi:type="ns2:AttributedURI">http://143.117.161.192:8080/wsrf/services/SecureCounterService</ns2:Address>
>   <ns2:ReferenceProperties xsi:type="ns2:ReferencePropertiesType">
>     <ns1:CounterKey>30555765</ns1:CounterKey>
>   </ns2:ReferenceProperties>
>   <ns2:ReferenceParameters xsi:type="ns2:ReferenceParametersType"/>
> </ns1:CounterReference>
>
> and is a different format to the example epr listed in the admin guide
> (http://192.168.1.101:8080/wsrf/services/SecureCounterService?zpCAOdk0t4MfUmJY2GlpjeOC1Mw=)
>
> I extracted the Address and the CounterKey elements from this
> file as the epr string and continued as follows:
Actually the string you need to use is stored in the eprAsString file that is
passed as a parameter in the command you used to create the counter:

bin/counter-create -s http://localhost:8080/wsrf/services/SecureCounterService -m msg -z none -b eprAsString > epr

That string is constructed using the steps listed in the OGSA-AuthZ
specification on converting an EPR to a string. At the enforcement point the
EPR is converted to a string using the same steps. Since there is a discrepancy
between the object on which you set policy and the one being queried, your
authorization step fails. Try the steps you have by using the string in
eprAsString.

Rachana
>
> bin/cas-enroll -m msg object testUGp "http://143.117.161.192:8080/wsrf/services/SecureCounterService?30555765" casDefaultNS
>
> bin/cas-rights-admin -m msg grant testUGp object casDefaultNS "http://143.117.161.192:8080/wsrf/services/SecureCounterService?30555765" serviceAction "http://www.gridforum.org/namespaces/2003/06/ogsa-authorization/saml/action/operation" add
>
> PolicyId is 4
> Completed successfully
>
> bin/counter-add -e epr -m msg 10 -z none
> Error:
> org.globus.wsrf.security.authorization.AuthorizationDeniedException:
> "[/C=UK/O=eScience/OU=QUB/L=BESC/CN=karen loughran/CN=2089013970]" is not authorized to invoke "add"
> operation on this service
> Exceptions thrown by PDPs which did not return permit decision.
> Error accessing authorization service: "http://localhost:8080/wsrf/services/CASService"; nested exception is:
> Authorization failed.; nested exception is:
> java.lang.Exception: Exceptions thrown by PDPs which did not return permit decision.
> Error accessing authorization service: "http://localhost:8080/wsrf/services/CASService"; nested exception is:
> Authorization failed.
>
>
> But I would expect this user to have permissions to invoke
> add on CounterService. So I'm guessing I have done something
> wrong in the configuration.
>
> Can you confirm if I'm using the correct value for
> authzServiceIdentity in my security-config.xml ? Does my
> process sound right ?
>
> Thanks a lot,
>
> Karen
>
> On Mon, 2006-08-14 at 13:50 -0500, Rachana Ananthakrishnan wrote:
> > Karen,
> >
> > Apparently you are missing --deps. This flag builds dependencies for a
> > said bundle. So you can just look to build just CAS with the --deps.
> > But if you just need grid-proxy-init, it is in globus-gsi bundle.
> >
> > The MDS dependencies are just to support the functionality of CAS
> > service registering with Index service. It really is not required.
> >
> > The code to push the assertion in header is part of the 4.0.2 release.
> > You can set property Constants.SAML_AUTHZ_ASSERTION on the Stub with a
> > SAMLAssertion object. The relevant handlers push the assertion onto
> > the message headers. You can use SAMLAuthzAssertionPIP to retrieve the
> > assertion and SAMLAuthzAssertionPDP to use them to enforce authz
> > decision. As an alternative, you can write your own custom
> > PDP/PIP and plug it in.
> >
> > Rachana
> >
> > > -----Original Message-----
> > > From: Karen Loughran [mailto:k.loughran at qub.ac.uk]
> > > Sent: Monday, August 14, 2006 8:34 AM
> > > To: Rachana Ananthakrishnan
> > > Cc: 'CAS Developers'; Terry Harmer
> > > Subject: RE: [gt-user] Can CAS grant permissions at a service/operation
> > > level with view/execute actions mappings ?
> > >
> > > Hi Rachana,
> > >
> > > I have checked out the latest sources from trunk and I'm trying to
> > > build the minimum components to get CAS to work with the counter
> > > service example you describe in your email/admin guide links.
> > > I have read "Globus: Accessing the Globus Alliance's Code via CVS"
> > > and have managed to build & install java-ws-core, mds and cas with
> > > the following commands:
> > >
> > > ./make-packages.pl --anonymous --bundles=gt4-java-ws-core --install=/opt/all/gt4.1.0
> > > ./make-packages.pl --anonymous --bundles=gt4-mds --install=/opt/all/gt4.1.0
> > > ./make-packages.pl --anonymous --bundles=gt4-cas --install=/opt/all/gt4.1.0
> > >
> > > I also need the library libglobus_gsi_proxy_core_gcc32.so.0 (for
> > > grid-proxy-init) and looking through the file "etc/gt4/bundles" I
> > > think it may be installed with the gt4-gram bundle as the bundle
> > > seems to include some wsrf_security stuff. Is this correct ???
> > > So I make:
> > >
> > > ./make-packages.pl --anonymous --bundles=gt4-java-admin --install /opt/all/gt4.1.0
> > >
> > > followed by:
> > >
> > > ./make-packages.pl --anonymous --bundles=gt4-gram --install /opt/all/gt4.1.0
> > >
> > > but get the following error:
> > >
> > > Trying to make bundle gt4-gram
> > > ERROR: Bundling of gt4-gram failed.
> > > See /home/kl/downloads/packaging/./log-output/bundle-logs/gt4-gram.
> > > at ./make-packages.pl line 884, <FILE> line 3238
> > >
> > > log-output contains this:
> > >
> > > WARNING: packaging data file not found in
> > > /home/kl/downloads/packaging/bundle-output/gt4-gram/globus_c_wsrf_cgen-2.25.tar.gz
> > > ERROR: The following queries did not match any packages:
> > > pkgname=>globus_c_wsrf_cgen flavor=>ANY pkgtype=>ANY Died at
> > > /opt/all/gt4.1.0/sbin/gpt-bundle line 665.
> > >
> > > I do not understand the error, but perhaps I don't actually need
> > > this bundle. Can you tell me what the minimum bundles are that I
> > > need to build in order to test out your example of using CAS service
> > > for the counter web service policy management ?
> > >
> > > On another issue, we will not be using the WS MDS Index service.
> > > Are there any issues down the line in terms of development which may
> > > cause us problems if we're not using MDS ?
> > >
> > > Also, in answer to your question, we would very much like to use an
> > > option where assertions are embedded in the SOAP header, making it
> > > more transparent. Do you envisage such an option ? If so which GT4
> > > release will it be in ?
> > >
> > > Thanks for your help,
> > >
> > > Karen
> > >
> > > On Mon, 2006-08-07 at 07:27 -0500, Rachana Ananthakrishnan wrote:
> > > > Karen,
> > > >
> > > > The script cas-wrap places the CAS assertion into the proxy
> > > > certificate, so your SOAP header does not get changed. Do you want to
> > > > use an option where assertions are embedded in the SOAP Header ? I
> > > > have described setting things up using cas-wrap in this mail.
> > > >
> > > > The current code in trunk has been modified to fix some issues to lend
> > > > CAS better to work with web services authorization and I have added a
> > > > section in the documentation on how to configure things on CAS side:
> > > >
> > > > http://www.globus.org/toolkit/docs/development/4.2-drafts/security/cas/admin/index.html#cas-admin-example-ws-policy
> > > >
> > > > (Note that you will need code from CVS for this example).
> > > >
> > > > The service/action has no semantic meaning in CAS itself. Only
> > > > your policy enforcement point, that is your resource in this case,
> > > > interprets what the service and action mean.
> > > >
> > > > Regarding the service side, to actually enforce the CAS assertion, you
> > > > will need to configure your service to use a specific
> > > > authorization scheme (PDP).
> > > > An example of one such configuration is provided as an attachment in
> > > > this bugzilla:
> > > >
> > > > http://bugzilla.mcs.anl.gov/globus/attachment.cgi?id=966
> > > >
> > > > This is a security descriptor you would require your service to use.
> > > > This dictates that the SAMLAutorizationCallout module should be used
> > > > to talk to the CAS service (whose address has been configured). Note
> > > > that the parameter authzServiceIdentity points to the DN of the
> > > > CAS server and needs to be modified appropriately.
> > > >
> > > > So you can use the above descriptor and modify it to suit your
> > > > service (change operation names, the authentication scheme you would like to
> > > > enforce and such) and configure this as security descriptor for your
> > > > service. Then once you set up the resource/service/action in CAS service,
> > > > you should see the CAS assertion being used to enforce the policy in CAS.
> > > >
> > > > I'll add the service side of things to the web pages.
> > > >
> > > > Rachana
> > > >
> > > > > -----Original Message-----
> > > > > From: Karen Loughran [mailto:k.loughran at qub.ac.uk]
> > > > > Sent: Thursday, August 03, 2006 10:16 AM
> > > > > To: Rachana Ananthakrishnan
> > > > > Cc: 'CAS Developers'
> > > > > Subject: RE: [gt-user] Can CAS grant permissions at
> > > > > a service/operation level with view/execute actions mappings ?
> > > > >
> > > > > Hi Rachana,
> > > > >
> > > > > I'm able to successfully generate a proxy with:
> > > > >
> > > > > cas-proxy-init -t johntag2
> > > > >
> > > > > And I am able to call my java test client with cas-wrap:
> > > > >
> > > > > cas-wrap -t johntag2 java SecureOperation2
> > > > >
> > > > > The client program succeeds and returns the correct value BUT there
> > > > > is no difference in the SOAP message going over the wire (have
> > > > > traced it with tcpmon) than if I did NOT wrap the call with cas-wrap
> > > > > ?
> > > > > Shouldn't I see John's proxy information in the message going to the
> > > > > server ?
> > > > >
> > > > > On a separate point, it's not clear to me from the documentation how
> > > > > server-actions are actually configured/handled through CAS. For
> > > > > example, I have added my SimpleService as a resource in CAS, and
> > > > > added this to a group called 'dataServices'. I have added a service
> > > > > type called 'service' and an action mapping pair 'service execute'.
> > > > > Finally, I have added a policy which states that 'members of the
> > > > > group editors can execute services from the dataServices group'. (I
> > > > > have attached my command sequence for creating this scenario).
> > > > >
> > > > > But how or where is it configured in CAS to map what "execute"
> > > > > actually means. Does the user need to configure something at
> > > > > the server side so that when a request is received (with cas-proxy), a
> > > > > piece of handler code is specified to say "if the supplied cas proxy
> > > > > states that the user is allowed to 'execute' this service then
> > > > > continue their request, else raise an exception".
> > > > >
> > > > > In other words, does CAS intend for users to add a server side handler
> > > > > piece to enforce the "service action" policy implementation ?
> > > > >
> > > > > Any clarification on this would be great,
> > > > >
> > > > > Thanks
> > > > > Karen
> > > > >
> > > > > On Wed, 2006-08-02 at 08:55 -0500, Rachana Ananthakrishnan wrote:
> > > > > > Karen,
> > > > > >
> > > > > > > -----Original Messa
> > > > > > > I've been studying both the Developers Guide (section 5 - Usage
> > > > > > > scenarios) and the User's Guide (section 2 - Usage scenarios) to
> > > > > > > try to figure out how I might call my simple service via a java
> > > > > > > client program but I'm not sure that this will be possible. The
> > > > > > > examples given in the User's guide talk of using cas-wrap with a
> > > > > > > grid-enabled-program. It looks like this 'grid-enabled-program'
> > > > > > > must be an executable file. In the examples it mentions
> > > > > > > gsincftp and globus-url-copy.
> > > > > > >
> > > > > > > Am I right in my assumption that in GT4.0.2 I cannot call a java
> > > > > > > client to access my CAS enabled service ?
> > > > > >
> > > > > > I am not sure I understand your scenario.
> > > > > >
> > > > > > Typical usage scenario is to manage access rights to some resource (in your
> > > > > > case the service) using the CAS server. The user can then use cas-proxy-init
> > > > > > to generate a proxy with assertion embedded in the proxy. The embedded
> > > > > > assertion will be used by the resource to determine if the user can access
> > > > > > the resource. The user can now use cas-wrap to invoke the client program.
> > > > > > The cas-wrap script just runs the client program using the proxy generated
> > > > > > by cas-proxy-init.
> > > > > >
> > > > > > So I don't see why you can't run your java client to access the service
> > > > > > using cas-wrap.
> > > > > >
> > > > > > Hope that helps,
> > > > > > Rachana
> > > > > >
> > > > > > >
> > > > > > > Thanks again for your help,
> > > > > > >
> > > > > > > Karen
> > > > > > >
> > > > > > > On Tue, 2006-08-01 at 10:42 -0500, Rachana Ananthakrishnan wrote:
> > > > > > > > Karen,
> > > > > > > >
> > > > > > > > > With regards to the functionality you are currently implementing -
> > > > > > > > > "WS Authorization stack invoking operations to ascertain permissions
> > > > > > > > > for a user", would it be possible for us to get hold of some code to
> > > > > > > > > test it as soon as is reasonably possible and perhaps prior to
> > > > > > > > > release ?
> > > > > > > >
> > > > > > > > Sure, this code sits in branch and I am just wrapping up testing. I'll
> > > > > > > > send you information as soon as I am done.
> > > > > > > >
> > > > > > > > > Is the functionality you talk of in your 1st paragraph (push
> > > > > > > > > model) also in GT4.0.2 ? Or do I have to take GT 4.1.0 to get it ?
> > > > > > > >
> > > > > > > > It is in 4.1.0 and not in branch, since it is new functionality.
> > > > > > > >
> > > > > > > > I am sorry I haven't had a chance to test your issue with PostGres,
> > > > > > > > but I will do so soon. The new branch code also has a default Derby
> > > > > > > > install, which makes database install and testing really easy.
> > > > > > > >
> > > > > > > > Rachana
> > > > > > > >
> > > > > > > > >
> > > > > > > > > Thanks a lot,
> > > > > > > > > Karen
> > > > > > > > >
> > > > > > > > > On Mon, 2006-07-31 at 08:16 -0500, Rachana Ananthakrishnan wrote:
> > > > > > > > > > Hi Karen,
> > > > > > > > > >
> > > > > > > > > > I'll look at your other email with error trace, but yes, CAS can
> > > > > > > > > > be used to store and enforce permissions on web services. The
> > > > > > > > > > 4.1.0 release included authorization schemes that can extract
> > > > > > > > > > assertion from proxy (assertions that were embedded by requesting
> > > > > > > > > > from CAS service) and use the assertion to determine if a
> > > > > > > > > > said user can request a specific operation on a service.
> > > > > > > > > >
> > > > > > > > > > The above would be a push model, where the client gets
> > > > > > > > > > assertion from CAS and pushes it to the web services
> > > > > > > > > > authorization stack. The other option is to use CAS as an
> > > > > > > > > > authorization service and have the WS authorization stack
> > > > > > > > > > invoke operations on CAS to ascertain permissions for a user.
> > > > > > > > > > I am currently working on some modifications to CAS to get
> > > > > > > > > > this feature going.
> > > > > > > > > >
> > > > > > > > > > Rachana
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: owner-gt-user at globus.org
> > > > > > > > > > > [mailto:owner-gt-user at globus.org] On Behalf Of Karen Loughran
> > > > > > > > > > > Sent: Friday, July 28, 2006 10:08 AM
> > > > > > > > > > > To: gt-user at globus.org
> > > > > > > > > > > Subject: [gt-user] Can CAS grant permissions at a service/operation
> > > > > > > > > > > level with view/execute actions mappings ?
> > > > > > > > > > >
> > > > > > > > > > > Hi there,
> > > > > > > > > > >
> > > > > > > > > > > I don't have CAS successfully configured yet, but I
> > > > > > > > > > > have a query about its functionality which will help
> > > > > > > > > > > me determine whether it will meet our requirements.
> > > > > > > > > > >
> > > > > > > > > > > Throughout CAS' documentation an example of setting up a GridFTP
> > > > > > > > > > > server is used to illustrate how permissions for different actions
> > > > > > > > > > > can be granted to data groups. Examples refer to file/read action
> > > > > > > > > > > specifications on specific directories/files.
> > > > > > > > > > >
> > > > > > > > > > > Can CAS also implement policies which would allow for the following
> > > > > > > > > > > scenario:
> > > > > > > > > > >
> > > > > > > > > > > The operations provided by a service are only visible and/or
> > > > > > > > > > > executable by certain user groups, ie, is it possible to define
> > > > > > > > > > > a service type for "operation" with actions "view" and "execute"
> > > > > > > > > > > on this so that CAS can be configured to prevent certain user
> > > > > > > > > > > groups from viewing/executing certain operations ? Can restricted viewing
> > > > > > > > > > > also be applied at the service level itself so that certain
> > > > > > > > > > > users are prevented from seeing the service at all ?
> > > > > > > > > > >
> > > > > > > > > > > Taking the GT4 Math Service example (from the GT4 tutorial).
> > > > > > > > > > > Users in user group A can see and execute setValue and getValue.
> > > > > > > > > > > Users in user group B can only execute getValue.
> > > > > > > > > > > Users in user group C can not even view the operations offered
> > > > > > > > > > > by the MathService.
> > > > > > > > > > > Users in user group D cannot even view/access details of a service
> > > > > > > > > > > at all.
> > > > > > > > > > >
> > > > > > > > > > > ?
> > > > > > > > > > >
> > > > > > > > > > > Thanks
> > > > > > > > > > > Karen
> > > > > > > > > > >
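To illustrate why the hand-built "address?CounterKey" string used in the cas-enroll and cas-rights-admin calls above never matches the identifier the enforcement point queries with, here is an added Python example, not code from the thread or from the Globus toolkit: it parses the EPR quoted in the thread and derives both object identifiers, then runs a minimal exact-match policy check. The canonicalisation in epr_to_string (base64 SHA-1 over the reference properties) is an assumed stand-in for the OGSA-AuthZ EPR-to-string steps, which the thread refers to but does not reproduce; the group name and action namespace are the ones used in the thread.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSA = "http://schemas.xmlsoap.org/ws/2004/03/addressing"

# The EPR file contents quoted in the thread, collapsed onto one line.
EPR_XML = (
    '<ns1:CounterReference xsi:type="ns2:EndpointReferenceType" '
    'xmlns:ns1="http://counter.com" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:ns2="http://schemas.xmlsoap.org/ws/2004/03/addressing">'
    '<ns2:Address xsi:type="ns2:AttributedURI">'
    'http://143.117.161.192:8080/wsrf/services/SecureCounterService</ns2:Address>'
    '<ns2:ReferenceProperties xsi:type="ns2:ReferencePropertiesType">'
    '<ns1:CounterKey>30555765</ns1:CounterKey></ns2:ReferenceProperties>'
    '<ns2:ReferenceParameters xsi:type="ns2:ReferenceParametersType"/>'
    '</ns1:CounterReference>'
)

# The action as granted with cas-rights-admin in the thread: (namespace, name).
ADD_ACTION = ("http://www.gridforum.org/namespaces/2003/06/ogsa-authorization"
              "/saml/action/operation", "add")


def parse_epr(xml_text):
    """Return (address, [(element tag, text), ...]) from a WS-Addressing EPR."""
    root = ET.fromstring(xml_text)
    address = root.find(f"{{{WSA}}}Address").text.strip()
    props = root.find(f"{{{WSA}}}ReferenceProperties")
    return address, [(c.tag, (c.text or "").strip()) for c in props]


def epr_to_string(xml_text):
    """ASSUMED canonical form, a stand-in for the OGSA-AuthZ steps (not the
    real algorithm): address + '?' + base64(SHA-1(sorted reference props))."""
    address, ref_props = parse_epr(xml_text)
    canonical = "".join(f"{tag}={text};" for tag, text in sorted(ref_props))
    digest = base64.b64encode(hashlib.sha1(canonical.encode()).digest()).decode()
    return f"{address}?{digest}"


def hand_built_string(xml_text):
    """What the thread's author did: address + '?' + the raw CounterKey value."""
    address, ref_props = parse_epr(xml_text)
    return f"{address}?{ref_props[0][1]}"


def is_permitted(grants, group, obj, action):
    """Minimal PDP: a grant applies only if the object string matches exactly."""
    return (group, obj, action) in grants


def demo():
    """A grant keyed on the hand-built string is never found by a PEP that
    queries with the canonical string; granting on the canonical one succeeds."""
    wrong_obj, right_obj = hand_built_string(EPR_XML), epr_to_string(EPR_XML)
    grants = {("testUGp", wrong_obj, ADD_ACTION)}
    denied = is_permitted(grants, "testUGp", right_obj, ADD_ACTION)
    grants = {("testUGp", right_obj, ADD_ACTION)}
    permitted = is_permitted(grants, "testUGp", right_obj, ADD_ACTION)
    return wrong_obj, right_obj, denied, permitted
```

The practical check this suggests: compute the object identifier with the same routine on the policy-admin side and the enforcement side, never by hand, and compare the two strings byte for byte before looking at anything else in the authorization chain.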