[cas-dev] RE: [gt-user] Can CAS grant permissions at a service/operation level with view/execute actions mappings ?
Rachana Ananthakrishnan
ranantha at mcs.anl.gov
Thu Aug 17 12:27:15 CDT 2006
Karen,
Issue seems to be that the authorization module does not treat subject DN
with "emailAddress=" equal to the one with "E=". I have filed a bug for
this issue: http://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=4665
The warning about the PermissionFault is benign. It is a discrepancy between
the WSDL file and the service code. I'll fix it.
The CAS_SERVER_IDENTITY and the authzServiceIdentity in your case should be
the same. It should point to the CAS server's credentials. Since DNs with
"emailAddress" and "E" are not treated the same, can you try to configure
the identity presented by peer for now (i.e. whichever is expected) and test
things ?
From this error:
> bin/cas-group-admin -m msg user create superUserGroup testUGp
> 2006-08-16 13:48:47,986 WARN authorization.BasicSubjectAuthorization
> [main,authorize:122] Authorization failed: expected principals
> [/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/emailAddress=k.loughran at qub.ac.uk],
> peer principals
> [/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/E=k.loughran at qub.ac.uk]
I think that would mean CAS_SERVER_IDENTITY and authzServiceIdentity
containing "emailAddress". Please try this configuration and let me know if
you see any errors.
Thanks,
Rachana
> -----Original Message-----
> From: Karen Loughran [mailto:k.loughran at qub.ac.uk]
> Sent: Wednesday, August 16, 2006 8:47 AM
> To: Rachana Ananthakrishnan
> Cc: 'CAS Developers'; 'Terry Harmer'
> Subject: RE: [gt-user] Can CAS grant permissions at a service/operation
> level with view/execute actions mappings ?
>
>
> Thanks Rachana, I'm now using the correct epr string (from eprAsString
> file) and I now have everything set up as per the documentation.
> However, I'm receiving the following message when I try to
> add to the counter service:
>
> bin/counter-add -e epr -m msg 10 -z none
> Error:
> org.globus.wsrf.security.authorization.AuthorizationDeniedException:
> "[/C=UK/O=eScience/OU=QUB/L=BESC/CN=karen
> loughran/CN=2089013970]" is not authorized to invoke "add"
> operation on this serviceExceptions thrown by PDPs which did
> not return permit decision.
> Error accessing authorization service:
> "http://localhost:8080/wsrf/services/CASService"; nested exception is:
> Authorization failed.; nested exception is:
> java.lang.Exception: Exceptions thrown by PDPs which
> did not return permit decision.
> Error accessing authorization service:
> "http://localhost:8080/wsrf/services/CASService"; nested exception is:
> Authorization failed.
>
>
> I can confirm that among the services the container reports
> to start up I do see the following three:
>
> [2]: http://143.117.161.192:8080/wsrf/services/CASService
> [5]: http://143.117.161.192:8080/wsrf/services/CounterService
> [21]: http://143.117.161.192:8080/wsrf/services/SecureCounterService
>
>
> The globus container gives the following warning on startup.
> I'm not sure if it is significant to why my client is failing:
>
> 2006-08-16 11:41:56,350 WARN description.ServiceDescUtil
> [main,fixFaults:649] [CORE] Fault
> '{http://www.globus.org/07/2004/cas/casFaults}NoPermissionFaultType'
> defined
> in wsdl but it'is not thrown by the 'whoami' operation in the
> 'CASService'
> service.
>
> Is this error significant ? If so what does it mean ?
>
> I've attached the following files:
>
> share/globus_cas_service/bootstrapProperties
> share/globus_cas_service/casDbProperties
> etc/globus_wsrf_core_samples_counter/security-config.xml
>
>
> My CAS environment variables set are:
>
> CAS_SERVER_IDENTITY=/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/E=k.loughran at qub.ac.uk
> # Have also tried CAS_SERVER_IDENTITY with "emailAddress=" rather than "E=" :
> #CAS_SERVER_IDENTITY=/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/emailAddress=k.loughran at qub.ac.uk
> CAS_CERT_FILE=/etc/grid-security/cas-cert.pem
> CAS_SERVER_URL=http://localhost:8080/wsrf/services/CASService
> #Have also tried CAS_SERVER_URL with actual IP address :
> #CAS_SERVER_URL=http://143.117.161.192:8080/wsrf/services/CASService
> CASKEY=/etc/grid-security/cas-key.pem
> CASCERT=/etc/grid-security/cas-cert.pem
>
> The sequence of CAS commands I'm executing is (after every
> attempt, I wipe database, re-bootstrap & restart container):
>
> bin/cas-group-admin -m msg user create superUserGroup testUGp
>
> bin/cas-group-add-entry -m msg user testUGp kl
>
> bin/cas-action -m msg add
> "http://www.gridforum.org/namespaces/2003/06/ogsa-authorization/saml/action/operation"
> add
>
> bin/cas-action -m msg add
> "http://www.gridforum.org/namespaces/2003/06/ogsa-authorization/saml/action/operation"
> destroy
>
> bin/counter-create -s
> http://localhost:8080/wsrf/services/SecureCounterService
> -m msg -z none -b eprAsString > epr
>
> bin/cas-enroll -m msg object testUGp
> "http://143.117.161.192:8080/wsrf/services/SecureCounterService?i20bqYYJ5WCL7utDRtG5GYIepj8="
> casDefaultNS
>
> bin/cas-rights-admin -m msg grant testUGp object casDefaultNS
> "http://143.117.161.192:8080/wsrf/services/SecureCounterService?i20bqYYJ5WCL7utDRtG5GYIepj8="
> serviceAction
> "http://www.gridforum.org/namespaces/2003/06/ogsa-authorization/saml/action/operation"
> add
>
> bin/counter-add -e epr -m msg 10 -z none
>
>
>
> POINTS OF NOTE:
>
> One thing I do notice is that the environment variable
> CAS_SERVER_IDENTITY needs to contain "E=" as opposed to
> "emailAddress=".
> If it doesn't have this I get the following error when I try
> to perform cas admin commands:
>
> bin/cas-group-admin -m msg user create superUserGroup testUGp
> 2006-08-16 13:48:47,986 WARN authorization.BasicSubjectAuthorization
> [main,authorize:122] Authorization failed: expected principals
> [/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/emailAddress=k.loughran at qub.ac.uk],
> peer principals
> [/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/E=k.loughran at qub.ac.uk]
> 2006-08-16 13:48:47,991 ERROR wssec.WSSecurityClientHandler
> [main,handleResponse:90]
> org.globus.wsrf.security.authorization.AuthorizationException:
> Authorization failed.; nested exception is:
> javax.xml.rpc.soap.SOAPFaultException: Authorization failed.
>
> On the other hand, authzServiceIdentity in
> security-config.xml needs to point to a CAS server DN which
> contains "emailAddress=" as opposed to "E=". If I try it
> with "E=" I get the following error when running the
> client:
>
> bin/counter-add -e epr -m msg 10 -z none
> Error:
> org.globus.wsrf.security.authorization.AuthorizationDeniedException:
> "[/C=UK/O=eScience/OU=QUB/L=BESC/CN=karen
> loughran/CN=2089013970]" is not authorized to invoke "add"
> operation on this serviceExceptions thrown by PDPs which did
> not return permit decision.
> Assertion issuer is different from identity that signed
> envelope (server identity). Assertion issuer is
> "/C=UK/O=eScience/OU=Authority/CN=CA/E=ca-operator at grid-support.ac.uk"
> and expected server identity is
> "/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/E=k.loughran at qub.ac.uk";
> nested exception is:
> java.lang.Exception: Exceptions thrown by PDPs which
> did not return permit decision.
> Assertion issuer is different from identity that signed
> envelope (server identity). Assertion issuer is
> "/C=UK/O=eScience/OU=Authority/CN=CA/E=ca-operator at grid-support.ac.uk"
> and expected server identity is
> "/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/E=k.loughran at qub.ac.uk"
>
>
> Should the CAS_SERVER_IDENTITY and authzServiceIdentity both
> point to the CAS server DN ? If so do you know why the 1st
> must have "E=" and the 2nd must have "emailAddress=". Is
> this related to my error given at the top of email ?
>
>
>
> On another unrelated issue; we have a trust model which we
> want to implement and we are wondering what future plans CAS
> might have to support trust models between organisations.
>
> Is there any documentation or written information on where
> CAS is going with trust models ?
>
> We are interested in models of trust between organisations,
> Asymmetric/Symmetric trust relationships...
>
> For example, A B and C are companies. If B trusts A can C
> trust A (transitive).
>
> A might trust B completely but B only partially trusts A (Symmetric).
>
>
> Many Thanks
> Karen
>
>
>
>
>
>
> On Tue, 2006-08-15 at 11:28 -0500, Rachana Ananthakrishnan wrote:
> > Hi Karen,
> >
> > > Oddly the contents of the epr file looks like:
> > >
> > > <ns1:CounterReference xsi:type="ns2:EndpointReferenceType"
> > > xmlns:ns1="http://counter.com"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > xmlns:ns2="http://schemas.xmlsoap.org/ws/2004/03/addressing"><ns2:Address
> > > xsi:type="ns2:AttributedURI">http://143.117.161.192:8080/wsrf/services/SecureCounterService</ns2:Address><ns2:ReferenceProperties
> > > xsi:type="ns2:ReferencePropertiesType"><ns1:CounterKey>30555765</ns1:CounterKey></ns2:ReferenceProperties><ns2:ReferenceParameters
> > > xsi:type="ns2:ReferenceParametersType"/></ns1:CounterReference>
> > >
> > > and is a different format to the example epr listed in the admin
> > > guide (http://192.168.1.101:8080/wsrf/services/SecureCounterService?zpCAOdk0t4MfUmJY2GlpjeOC1Mw=)
> > >
> > > I extracted the Address and the CounterKey elements from this file
> > > as the epr string and continued as follows:
> >
> > Actually the string you need to use is stored in eprAsString file that
> > is passed as parameter in the command you used to create the counter:
> >
> > bin/counter-create -s
> > http://localhost:8080/wsrf/services/SecureCounterService -m msg -z
> > none -b eprAsString > epr
> >
> > That string is constructed using the steps listed in OGSA-AuthZ
> > specification on converting an EPR to string. At the enforcement point
> > the EPR is converted to string using the same steps. Since there is
> > discrepancy in the object on which you set policy and the one being
> > queried, your authorization step fails. Try the steps you have by
> > using string in eprAsString.
> >
> > Rachana
> >
> >
> >
> > >
> > > bin/cas-enroll -m msg object testUGp
> > > "http://143.117.161.192:8080/wsrf/services/SecureCounterService?30555765"
> > > casDefaultNS
> > >
> > > bin/cas-rights-admin -m msg grant testUGp object casDefaultNS
> > > "http://143.117.161.192:8080/wsrf/services/SecureCounterService?30555765"
> > > serviceAction
> > > "http://www.gridforum.org/namespaces/2003/06/ogsa-authorization/saml/action/operation"
> > > add
> > >
> > > PolicyId is 4
> > > Completed successfully
> > >
> > > bin/counter-add -e epr -m msg 10 -z none
> > > Error:
> > > org.globus.wsrf.security.authorization.AuthorizationDeniedException:
> > > "[/C=UK/O=eScience/OU=QUB/L=BESC/CN=karen
> > > loughran/CN=2089013970]" is not authorized to invoke "add"
> > > operation on this serviceExceptions thrown by PDPs which did not
> > > return permit decision.
> > > Error accessing authorization service:
> > > "http://localhost:8080/wsrf/services/CASService"; nested exception is:
> > > Authorization failed.; nested exception is:
> > > java.lang.Exception: Exceptions thrown by PDPs which did not
> > > return permit decision.
> > > Error accessing authorization service:
> > > "http://localhost:8080/wsrf/services/CASService"; nested exception is:
> > > Authorization failed.
> > >
> > >
> > > But I would expect this user to have permissions to invoke add on
> > > CounterService. So I'm guessing I have done something wrong in the
> > > configuration.
> > >
> > > Can you confirm if I'm using the correct value for
> > > authzServiceIdentity in my security-config.xml ? Does my process
> > > sound right ?
> > >
> > > Thanks a lot,
> > >
> > > Karen
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Mon, 2006-08-14 at 13:50 -0500, Rachana Ananthakrishnan wrote:
> > > > Karen,
> > > >
> > > > Apparently you are missing --deps. This flag builds dependencies for a
> > > > said bundle. So you can just look to build just CAS with the --deps.
> > > > But if you just need grid-proxy-init, it is in globus-gsi bundle.
> > > >
> > > > The MDS dependency is just to support the functionality of CAS
> > > > service registering with Index service. It really is not required.
> > > >
> > > > The code to push the assertion in header is part of the 4.0.2 release.
> > > > You can set property Constants.SAML_AUTHZ_ASSERTION on the Stub with a
> > > > SAMLAssertion object. The relevant handlers push the assertion
> > > > onto the message headers. You can use SAMLAuthzAssertionPIP to retrieve the
> > > > assertion and SAMLAuthzAssertionPDP to use them to enforce authz
> > > > decision. As an alternative, you can write your own custom
> > > > PDP/PIP and plug it in.
> > > >
> > > > Rachana
> > > >
> > > > > -----Original Message-----
> > > > > From: Karen Loughran [mailto:k.loughran at qub.ac.uk]
> > > > > Sent: Monday, August 14, 2006 8:34 AM
> > > > > To: Rachana Ananthakrishnan
> > > > > Cc: 'CAS Developers'; Terry Harmer
> > > > > Subject: RE: [gt-user] Can CAS grant permissions at a
> > > > > service/operation level with view/execute actions mappings ?
> > > > >
> > > > > Hi Rachana,
> > > > >
> > > > > I have checked out the latest sources from trunk and I'm trying to
> > > > > build the minimum components to get CAS to work with the counter
> > > > > service example you describe in your email/admin guide links.
> > > > > I have read "Globus: Accessing the Globus Alliance's Code via CVS"
> > > > > and have managed to build & install java-ws-core, mds and cas with
> > > > > the following commands:
> > > > >
> > > > > ./make-packages.pl --anonymous --bundles=gt4-java-ws-core --install=/opt/all/gt4.1.0
> > > > > ./make-packages.pl --anonymous --bundles=gt4-mds --install=/opt/all/gt4.1.0
> > > > > ./make-packages.pl --anonymous --bundles=gt4-cas --install=/opt/all/gt4.1.0
> > > > >
> > > > > I also need the library libglobus_gsi_proxy_core_gcc32.so.0 (for
> > > > > grid-proxy-init) and looking through the file "etc/gt4/bundles"
> > > > > I think it may be installed with the gt4-gram bundle as the
> > > > > bundle seems to include some wsrf_security stuff. Is this correct ???
> > > > > So I make:
> > > > >
> > > > > ./make-packages.pl --anonymous --bundles=gt4-java-admin
> > > > > --install /opt/all/gt4.1.0
> > > > >
> > > > > followed by:
> > > > >
> > > > > ./make-packages.pl --anonymous --bundles=gt4-gram
> > > > > --install /opt/all/gt4.1.0
> > > > >
> > > > > but get the following error:
> > > > >
> > > > > Trying to make bundle gt4-gram
> > > > > ERROR: Bundling of gt4-gram failed.
> > > > > See /home/kl/downloads/packaging/./log-output/bundle-logs/gt4-gram.
> > > > > at ./make-packages.pl line 884, <FILE> line 3238
> > > > >
> > > > > log-output contains this:
> > > > >
> > > > > WARNING: packaging data file not found in
> > > > > /home/kl/downloads/packaging/bundle-output/gt4-gram/globus_c_wsrf_cgen-2.25.tar.gz
> > > > > ERROR: The following queries did not match any packages:
> > > > > pkgname=>globus_c_wsrf_cgen flavor=>ANY pkgtype=>ANY Died at
> > > > > /opt/all/gt4.1.0/sbin/gpt-bundle line 665.
> > > > >
> > > > > I do not understand the error, but perhaps I don't actually need
> > > > > this bundle. Can you tell me what the minimum bundles are that
> > > > > I need to build in order to test out your example of using CAS service
> > > > > for the counter web service policy management ?
> > > > >
> > > > >
> > > > > On another issue, we will not be using the WS MDS Index service.
> > > > > Are there any issues down the line in terms of development which may
> > > > > cause us problems if we're not using MDS ?
> > > > >
> > > > > Also, in answer to your question, we would very much like to use an
> > > > > option where assertions are embedded in the SOAP header, making it
> > > > > more transparent. Do you envisage such an option ? If so which GT4
> > > > > release will it be in ?
> > > > >
> > > > > Thanks for your help,
> > > > >
> > > > > Karen
> > > > >
> > > > >
> > > > >
> > > > > On Mon, 2006-08-07 at 07:27 -0500, Rachana Ananthakrishnan wrote:
> > > > > > Karen,
> > > > > >
> > > > > > The script cas-wrap places the CAS assertion into the proxy
> > > > > > certificate, so your SOAP header does not get changed. Do you want to
> > > > > > use an option where assertions are embedded in the SOAP Header ? I
> > > > > > have described setting things up using cas-wrap in this mail.
> > > > > >
> > > > > > The current code in trunk has been modified to fix some issues to lend
> > > > > > CAS better to work with web services authorization and I have added a
> > > > > > section in the documentation on how to configure things on CAS side:
> > > > > >
> > > > > > http://www.globus.org/toolkit/docs/development/4.2-drafts/security/cas/admin/index.html#cas-admin-example-ws-policy
> > > > > >
> > > > > > (Note that you will need code from CVS for this example).
> > > > > >
> > > > > > The service/action has no semantic meaning in CAS itself. Only
> > > > > > your policy enforcement point, that is your resource in this case,
> > > > > > interprets what the service and action means.
> > > > > >
> > > > > > Regarding the service side, to actually enforce the CAS assertion, you
> > > > > > will need to configure your service to use specific authorization scheme (PDP).
> > > > > > An example of one such configuration is provided as an attachment in
> > > > > > this bugzilla:
> > > > > >
> > > > > > http://bugzilla.mcs.anl.gov/globus/attachment.cgi?id=966
> > > > > >
> > > > > > This is a security descriptor you would require your service to use.
> > > > > > This dictates that the SAMLAutorizationCallout module should be used
> > > > > > to talk to the CAS service (whose address has been configured). Note
> > > > > > that the parameter authzServiceIdentity points to the DN of
> > > > > > the CAS server and needs to be modified appropriately.
> > > > > >
> > > > > > So you can use the above descriptor and modify to suit your
> > > > > > service (change operation names, the authentication scheme you would like to
> > > > > > enforce and such) and configure this as security descriptor for your
> > > > > > service. Then once you set up the resource/service/action in CAS service,
> > > > > > you should see the CAS assertion being used to enforce the policy in CAS.
> > > > > >
> > > > > > I'll add the service side of things to the web pages.
> > > > > >
> > > > > > Rachana
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Karen Loughran [mailto:k.loughran at qub.ac.uk]
> > > > > > > Sent: Thursday, August 03, 2006 10:16 AM
> > > > > > > To: Rachana Ananthakrishnan
> > > > > > > Cc: 'CAS Developers'
> > > > > > > Subject: RE: [gt-user] Can CAS grant permissions at a
> > > > > > > service/operation level with view/execute actions mappings ?
> > > > > > >
> > > > > > > Hi Rachana,
> > > > > > >
> > > > > > > I'm able to successfully generate a proxy with:
> > > > > > >
> > > > > > > cas-proxy-init -t johntag2
> > > > > > >
> > > > > > > And I am able to call my java test client with cas-wrap:
> > > > > > >
> > > > > > > cas-wrap -t johntag2 java SecureOperation2
> > > > > > >
> > > > > > > The client program succeeds and returns the correct value BUT there
> > > > > > > is no difference in the SOAP message going over the wire (have
> > > > > > > traced it with tcpmon) than if I did NOT wrap the call with cas-wrap
> > > > > > > ?
> > > > > > > Shouldn't I see John's proxy information in the message going to the
> > > > > > > server ?
> > > > > > >
> > > > > > >
> > > > > > > On a separate point, it's not clear to me from the documentation how
> > > > > > > server-actions are actually configured/handled through CAS. For
> > > > > > > example, I have added my SimpleService as a resource in CAS, and
> > > > > > > added this to a group called 'dataServices'. I have added a service
> > > > > > > type called 'service' and an action mapping pair 'service execute'.
> > > > > > > Finally, I have added a policy which states that 'members of the
> > > > > > > group editors can execute services from the dataServices group'. (I
> > > > > > > have attached my command sequence for creating this scenario).
> > > > > > >
> > > > > > > But how or where is it configured in CAS to map what "execute"
> > > > > > > actually means. Does the user need to configure something
> > > > > > > at the server side so that when a request is received (with
> > > > > > > cas-proxy), a piece of handler code is specified to say "if the
> > > > > > > supplied cas proxy states that the user is allowed to 'execute' this
> > > > > > > service then continue their request, else raise an exception".
> > > > > > >
> > > > > > > In other words, does CAS intend for users to add a server side handler
> > > > > > > piece to enforce the "service action" policy implementation ?
> > > > > > >
> > > > > > > Any clarification on this would be great,
> > > > > > >
> > > > > > > Thanks
> > > > > > > Karen
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Wed, 2006-08-02 at 08:55 -0500, Rachana Ananthakrishnan wrote:
> > > > > > > > Karen,
> > > > > > > >
> > > > > > > > > -----Original Messa
> > > > > > > > > I've been studying both the Developers Guide (section 5 - Usage
> > > > > > > > > scenarios) and the User's Guide (section 2 - Usage scenarios) to
> > > > > > > > > try to figure out how I might call my simple service via a java
> > > > > > > > > client program but I'm not sure that this will be possible. The
> > > > > > > > > examples given in the User's guide talk of using cas-wrap with a
> > > > > > > > > grid-enabled-program. It looks like this 'grid-enabled-program'
> > > > > > > > > must be an executable file. In the examples it mentions
> > > > > > > > > gsincftp and globus-url-copy.
> > > > > > > > >
> > > > > > > > > Am I right in my assumption that in GT4.0.2 I cannot call a java
> > > > > > > > > client to access my CAS enabled service ?
> > > > > > > >
> > > > > > > > I am not sure I understand your scenario.
> > > > > > > >
> > > > > > > > Typical usage scenario is to manage access rights to some
> > > > > > > > resource (in your case the service) using the CAS server. The
> > > > > > > > user can then use cas-proxy-init to generate a proxy with
> > > > > > > > assertion embedded in the proxy. The embedded assertion will be
> > > > > > > > used by the resource to determine if the user can access the
> > > > > > > > resource. The user can now use cas-wrap to invoke the client
> > > > > > > > program. The cas-wrap script just runs the client program using
> > > > > > > > the proxy generated by cas-proxy-init.
> > > > > > > >
> > > > > > > > So I don't see why you can't run your java client to access
> > > > > > > > the service using cas-wrap.
> > > > > > > >
> > > > > > > > Hope that helps,
> > > > > > > > Rachana
> > > > > > > >
> > > > > > > > >
> > > > > > > > > Thanks again for your help,
> > > > > > > > >
> > > > > > > > > Karen
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Tue, 2006-08-01 at 10:42 -0500, Rachana Ananthakrishnan wrote:
> > > > > > > > > > Karen,
> > > > > > > > > >
> > > > > > > > > > > With regards to the functionality you are currently
> > > > > > > > > > > implementing - "WS Authorization stack invoking operations
> > > > > > > > > > > to ascertain permissions for a user", would it be possible
> > > > > > > > > > > for us to get hold of some code to test it as soon as is
> > > > > > > > > > > reasonably possible and perhaps prior to release ?
> > > > > > > > > >
> > > > > > > > > > Sure, this code sits in branch and I am just wrapping up
> > > > > > > > > > testing. I'll send you information as soon as I am done.
> > > > > > > > > >
> > > > > > > > > > > Is the functionality you talk of in your 1st paragraph (push
> > > > > > > > > > > model) also in GT4.0.2 ? Or do I have to take GT 4.1.0
> > > > > > > > > > > to get it ?
> > > > > > > > > >
> > > > > > > > > > It is in 4.1.0 and not in branch, since it is new
> > > > > > > > > > functionality.
> > > > > > > > > >
> > > > > > > > > > I am sorry I haven't had a chance to test your issue with PostGres,
> > > > > > > > > > but I will do so soon. The new branch code also has a default Derby
> > > > > > > > > > install, which makes database install and testing really easy.
> > > > > > > > > >
> > > > > > > > > > Rachana
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Thanks a lot,
> > > > > > > > > > > Karen
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Mon, 2006-07-31 at 08:16 -0500, Rachana Ananthakrishnan wrote:
> > > > > > > > > > > > Hi Karen,
> > > > > > > > > > > >
> > > > > > > > > > > > I'll look at your other email with error trace, but yes, CAS can
> > > > > > > > > > > > be used to store and enforce permissions on web services. The
> > > > > > > > > > > > 4.1.0 release included authorization schemes that can extract
> > > > > > > > > > > > assertion from proxy (assertions that were embedded by requesting
> > > > > > > > > > > > from CAS service) and use the assertion to determine if a said
> > > > > > > > > > > > user can request a specific operation on a service.
> > > > > > > > > > > >
> > > > > > > > > > > > The above would be a push model, where the client gets
> > > > > > > > > > > > assertion from CAS and pushes it to the web services
> > > > > > > > > > > > authorization stack. The other option is to use CAS as an
> > > > > > > > > > > > authorization service and have the WS authorization stack
> > > > > > > > > > > > invoke operations on CAS to ascertain permissions for a user.
> > > > > > > > > > > > I am currently working on some modifications to CAS to get
> > > > > > > > > > > > this feature going.
> > > > > > > > > > > >
> > > > > > > > > > > > Rachana
> > > > > > > > > > > >
> > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > From: owner-gt-user at globus.org
> > > > > > > > > > > > > [mailto:owner-gt-user at globus.org] On Behalf Of Karen Loughran
> > > > > > > > > > > > > Sent: Friday, July 28, 2006 10:08 AM
> > > > > > > > > > > > > To: gt-user at globus.org
> > > > > > > > > > > > > Subject: [gt-user] Can CAS grant permissions at a service/operation
> > > > > > > > > > > > > level with view/execute actions mappings ?
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > Hi there,
> > > > > > > > > > > > >
> > > > > > > > > > > > > I don't have CAS successfully configured yet, but I have a query
> > > > > > > > > > > > > about its functionality which will help me determine whether it will
> > > > > > > > > > > > > meet our requirements.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Throughout CAS' documentation an example of setting up a GridFTP
> > > > > > > > > > > > > server is used to illustrate how permissions for different actions
> > > > > > > > > > > > > can be granted to data groups. Examples refer to file/read action
> > > > > > > > > > > > > specifications on specific directories/files.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Can CAS also implement policies which would allow for the following
> > > > > > > > > > > > > scenario:
> > > > > > > > > > > > >
> > > > > > > > > > > > > The operations provided by a service are only visible and/or
> > > > > > > > > > > > > executable by certain user groups, i.e., is it possible to define
> > > > > > > > > > > > > a service type for "operation" with actions "view" and "execute"
> > > > > > > > > > > > > on this so that CAS can be configured to prevent certain user
> > > > > > > > > > > > > groups from viewing/executing certain operations ? Can restricted viewing
> > > > > > > > > > > > > also be applied at the service level itself so that certain
> > > > > > > > > > > > > users are prevented from seeing the service at all ?
> > > > > > > > > > > > >
> > > > > > > > > > > > > Taking the GT4 Math Service example (from the Gt4 tutorial).
> > > > > > > > > > > > > Users in user group A can see and execute setValue and getValue.
> > > > > > > > > > > > > Users in user group B can only execute getValue.
> > > > > > > > > > > > > Users in user group C can not even view the operations offered
> > > > > > > > > > > > > by the MathService.
> > > > > > > > > > > > > Users in user group D cannot even view/access details of a service
> > > > > > > > > > > > > at all.
> > > > > > > > > > > > >
> > > > > > > > > > > > > ?
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks
> > > > > > > > > > > > > Karen
> > > > > > > > > > > > >
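The reply at the top of this thread traces the "Authorization failed: expected principals [...] peer principals [...]" warning to the authorization module comparing the configured identity and the peer's certificate subject as plain strings, so a subject whose e-mail attribute is printed as "E=" never matches one configured with "emailAddress=", even though both spell the same attribute. The Python below is an added example written for this archive page; it is not Globus code and not the fix tracked in the bug report above. It assumes OpenSSL one-line DN syntax, treats "E" and "emailAddress" as names of one attribute (an assumption of this example), and uses the two principals from the quoted WARN line as constructed input, keeping the archive's " at " rewriting of "@" verbatim. It also shows the second trap in these particular DNs: the value "cas/csklou01.cs.qub.ac.uk" contains a "/", so a naive split on the separator would misparse it.

```python
"""Canonical comparison of X.509 subject DNs in OpenSSL one-line form.

Added example, not Globus code: it normalises attribute-type aliases so that
"E=" and "emailAddress=" compare equal, which is the mismatch the thread reports,
and it tolerates a "/" inside an attribute value.
"""
import re
from typing import List, Tuple

# Short names that denote the same attribute type. OpenSSL prints the e-mail
# attribute (OID 1.2.840.113549.1.9.1) as "emailAddress" in some code paths and as
# "E" in others; the thread shows one spelling on each side of the comparison.
# This table is an assumption of the example, not taken from the Globus sources.
_TYPE_ALIASES = {
    "E": "emailAddress",
    "EMAIL": "emailAddress",
    "EMAILADDRESS": "emailAddress",
}

# An RDN segment looks like "TYPE=value"; anything else is a continuation of the
# previous value that happened to contain the "/" separator.
_RDN_START = re.compile(r"^([A-Za-z0-9.]+)=(.*)$")


def parse_oneline_dn(dn: str) -> List[Tuple[str, str]]:
    """Split "/C=UK/O=eScience/..." into (type, value) pairs, in order.

    A segment without "=" (e.g. the "csklou01.cs.qub.ac.uk" half of
    "CN=cas/csklou01.cs.qub.ac.uk") is glued back onto the preceding value.
    """
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL one-line DN starting with '/'")
    rdns: List[Tuple[str, str]] = []
    for segment in dn[1:].split("/"):
        match = _RDN_START.match(segment)
        if match:
            rdns.append((match.group(1), match.group(2)))
        elif rdns:
            attr_type, value = rdns[-1]
            rdns[-1] = (attr_type, value + "/" + segment)
        else:
            raise ValueError(f"malformed DN segment: {segment!r}")
    return rdns


def canonical_dn(dn: str) -> str:
    """Canonical string form: alias types folded to one spelling, type names
    lower-cased, surrounding whitespace in values stripped. Values themselves
    are left case-sensitive."""
    parts = []
    for attr_type, value in parse_oneline_dn(dn):
        folded = _TYPE_ALIASES.get(attr_type.upper(), attr_type)
        parts.append(f"{folded.lower()}={value.strip()}")
    return "/" + "/".join(parts)


def dns_match(expected: str, peer: str) -> bool:
    """Authorization-style identity check on the canonical forms."""
    return canonical_dn(expected) == canonical_dn(peer)


# Constructed sample input, copied from the WARN line quoted in the thread.
EXPECTED = ("/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk"
            "/emailAddress=k.loughran at qub.ac.uk")
PEER = ("/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk"
        "/E=k.loughran at qub.ac.uk")
# The CA subject from the "Assertion issuer is different" error, for a negative case.
OTHER = "/C=UK/O=eScience/OU=Authority/CN=CA/E=ca-operator at grid-support.ac.uk"

if __name__ == "__main__":
    print("naive string equality:", EXPECTED == PEER)           # False
    print("canonical equality:   ", dns_match(EXPECTED, PEER))  # True
    print("different subject:    ", dns_match(EXPECTED, OTHER)) # False
```

The practical point for anyone reading the WARN line above is to compare the two bracketed principals attribute by attribute rather than by eye: the only difference between them is the spelling of the e-mail attribute type, which is exactly what a canonicalising comparison hides and a byte-wise one does not.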