GT4 CAS Interfaces

Home -> Toolkit -> Docs -> 4.0 -> Security -> Cas	Website Email Lists Search:

1. Semantics and syntax of APIs

1.1. Programming Model Overview

The CAS service allows for managing fine grained access policy of resources in a VO. The service has a back end database that stores data about users/resources/actions and the associated rights. It provides an administrative interface for managing the data and a query interface that allows users to retrieve this information. One of the operations in the query interface includes a means to get a signed SAML assertion that the client can present to a resource for authorization purposes.

1.2. Component API

Some relevant APIs:

org.globus.cas.CasPortType
org.globus.cas.impl.CasConstants
org.globus.cas.impl.client.CasProxyHelper

Complete API:

2. Semantics and syntax of the WSDL

2.1. Protocol overview

This component is used to store and retrieve assertions about the rights a user has on some resource to perform some action on a service type. It uses the Security Assertion Markup Language (SAML) to express an authorization query and return an assertion about the objects in the query. It also provides a WSDL interface for administrative tasks such as managing information about users and resources as well as granting and revoking rights on them.

2.2. Operations

addUser: Adds a new user.
removeUser: Removes a user.
addTrustAnchor: Adds a new trust anchor.
removeTrustAnchor: Removes a trust anchor.
createGroup: Creates a new user, object or action group.
deleteGroup: Deletes a user, object or action group.
createObject: Creates a new object (resource).
deleteObject: Deletes an object (resource).
createObjectNamespace: Creates a new object namespace.
deleteObjectNamespace: Deletes an object namespace.
manageObjectGroups: Adds/deletes objects to an object group.
manageUserGroups: Adds/deletes objects to an user group.
createServiceType: Creates a new service type.
deleteServiceType: Deletes service type.
manageServiceAction: Adds/deletes service type and action mapping.
manageServiceActionGroups: Creates/deletes a new service/action group.
grant: Grants a user the right to perform service/action (or a group of service/actions) on a resource (or a group of resources).
revoke: Revokes a user's right.
whoami: Returns the CAS nickname associated with the user.
list: Returns the list of users/objects/service/action types.
findApplicablePolicy: Returns all relevant policy for a said user/object/service/action.
getCasObject: Returns the user/object/service/action represented by Object given a id.
getGroupMembers: Returns all members for a given user/object/servce/action group.
getAssertion: Returns an assertion for a said query that contains the rights that the user for the action and resource specified in the query.

2.3. Resource properties

ServerDN: The DN from the credentials used by the CAS Service
VODescription: This is a string that describes the VO relevant to CAS Service.

2.4. Faults

NoPermissionFault: Throws if the client is not allowed to invoke the operation.
CasFault: Throws if any other error occurs.

2.5. WSDL and Schema Definition

3. Command-line tools

Please see the CAS Command Reference.

4. Overview of Graphical User Interfaces

There is no GUI for CAS.

5. Semantics and syntax of domain-specific interface

To get a handle for the CAS service port type, the org.globus.cas.impl.client.CasClientSetup class can be used.
Sample Code:
To get a handle to a CAS service with instance URL instanceURL and identity serviceIdentity:
```
CasClientSetup clientSetup = new CasClientSetup();
CommunityAuthorizationServicePortType casPort = 
    clientSetup.getCASPort(instanceURL, serverIdentity);
```
To generate a proxy with embedded CAS assertions the API in the class org.globus.cas.impl.client.CasProxyHelper can be used. The class org.globus.cas.impl.client.ClientParams is used to pass in appropriate parameters and the datatype org.globus.cas.impl.client.ResourceActionsMap is used to represent the resource/actions mapping for which assertions are requested on.
Listed below is sample code that uses the client side util API to generate a proxy with CAS assertions embedded in it.
1. The ClientParams class is used to construct the parameter. If the default constructor is used and none of the values are set then the requested assertion lifetime is set to 24 hours, the default proxy file is used and the proxy containing the embedded assertions is named with a ".cas" extension at the end of the proxy file.
```
ClientParams clientParams = new ClientParams();
```
2. The following is used to set assertion lifetime. If not set then 24 hours is used.
```
clientParams.setAssertionLifetime(lifetime);
```
3. Set the file name of the proxy to use. If not set then the default credential is used.
```
clientParams.setProxyFileName(proxyFilename);
```
4. Set the file name that the proxy with CAS assertions will be written to. If not set then original proxy file name is appended with a tag.
```
clientParams.setCasProxyFileName(casProxyFilename);
```
5. Set the extension to append to the original proxy filename. If not set then the extension ".cas" is used. The extension is only used if a filename for the CAS proxy is not set.
```
clientParams.setCasProxyTag(tag);
```
6. Set the resource/actions for which the assertion is requested on. It uses an array of data type ResourceActionsMap (explained below).
```
clientParams.setResourceActionsMap(resActions);
```
7. The ResouceActionsMap datatype is used to represent the resource and the actions on the resource for which the permissions are required. It uses a String to represent the resource and a vector of strings to represent the actions.
  The resource should be of the form "objectNamespace|objectName". The action should be of the form "serviceType actionName".
8. Create an instance of the Helper class:
```
CasProxyHelper casProxyHelper = new CasProxyHelper(instanceURL, serverIdentity);
```
  Where:
  - instanceURL is the URL used to contact the CAS service.
  - serverIdentity is the expected identity of the server. If null, host authorization is used.
9. Generate the proxy with CAS assertions:
```
String casProxyFilename = casProxyHelper.getCasProxy(clientParams);
```
  This method contacts the CAS service, retrieves assertions, embeds the assertions in a proxy credential and returns the path to the proxy file.

6. Configuration interface

	Note
	Typically a single CAS server is run per VO and multiple client installations are done. This document contains information about deploying a CAS server and is not needed for a CAS client installation. Please refer to the documentation for CAS client install.

6.1. Configuration overview

The CAS service can be configured with a description of the VO the CAS service serves and the maximum lifetime of the assertions it can issue. Also, the service needs to be configured with information about the back end database it uses. Any database with a JDBC driver and reasonable SQL support can be used. That said, PostgreSQL was used for development and testing and we strongly recommend that you use it. The CAS database schema to be used with PostgreSQL has been provided in $GLOBUS_LOCATION/etc/globus_cas_service/casDbSchema/cas_pgsql_database_schema.sql.

Other than that, the security settings of the service can be modified in the security descriptor associated with the CAS service. It allows for configuring the credentials that will be used by the service, the type of authentication and message protection required as well as the authorization mechanism. By default, the following security configuration is installed:

Credentials are determined by the container level security descriptor. If there is no container level security descriptor or if it does not specify which credentials to use then default credentials are used.
Authentication and message integrity protection is enforced for all methods except queryResourceProperties and getResourceProperty. This means that you may use any of GSI Transport, GSI Secure Message or GSI Secure Conversation when interacting with the CAS service.
The standard authorization framework is not used for authorization. Instead the the service uses the back end database to determine if the call is permitted.

	Note
	Changing required authentication and authorization methods will require matching changes to the clients that contact this service.

	Important
	If the service is configured to use GSI Secure Transport, then container credentials are used for the handshake, irrespective of whether service level credentials are specified.

6.2. Loading the CAS service at start up

By default, the CAS service is not loaded at start up. To change this behavior, uncomment the loadOnStartup property set in $GLOBUS_LOCATION/etc/globus_cas_service/server-config.wsdd as shown below.

Once the loadOnStartup property is uncommented, the following happens at start up:

The CAS service is loaded.
The database connection pool is initialized.
The service registers itself to the default MDS Index Service.

<service name="CASService" provider="Handler" use="literal" 
      
      style="document">
      
      <!-- Uncomment if the service needs to be initialized at startup -->
      
      <parameter name="loadOnStartup" value="true"/>
      
      <parameter name="allowedMethodsClass" 
      
      value="org.globus.cas.CASPortType"/>
      
      .
      
      .
      
      .
      
      </service>

6.3. Changing the maximum assertion lifetime

To change the maximum assertion lifetime and VO description, set the parameters maxAssertionLifetime and voDescription in $GLOBUS_LOCATION/etc/globus_cas_service/jndi-config.xml to the desired values.

6.4. Configuring database backend

To alter the configuration of the database back end edit the databaseConfiguration section of $GLOBUS_LOCATION/etc/globus_cas_service/jndi-config.xml as follows:

Table 1. Database parameters

driver	The JDBC driver to be used
connectionURL	The JDBC connection url to be used when connecting to the database
userName	The user name to connect to the database as
password	The corresponding database password
activeConnections	The maximum number of active connections at any given instance
onExhaustAction	The action to perform when the connection pool is exhausted. If value is 0 then fail, if 1 then block and if 2 then grow the pool (get more connections)
maxWait	The maximum time in milliseconds that the pool will wait for a connection to be returned
idleConnections	The maximum number of idle connections at any given time

6.5. Configuring security descriptor

To alter the security descriptor configuration refer to Security Descriptors. The file to be changed is $GLOBUS_LOCATION/etc/globus_cas_service/security-config.xml.

6.6. Configuring with a GridFTP Server

CAS is used to administer access rights to files and directories and the GridFTP server can be configured to enforce those rights.

For detailed information about configuring CAS for use with a GridFTP server, see http://www.globus.org/toolkit/docs/4.0/security/cas/WS_AA_CAS_HOWTO_Setup_GridFTP.html.

6.7. CAS auto-registration with default WS MDS Index Service

With a default GT 4.0.1 installation, CAS is automatically registered with the default WS MDS Index Service running in the same container for monitoring and discovery purposes.

	Note
	If you are using GT 4.0.0, we strongly recommend upgrading to 4.0.1 to take advantage of this capability.

However, if must use GT 4.0.0, or if this registration was turned off and you want to turn it back on, this is how it is configured:

There is a jndi resource defined in $GLOBUS_LOCATION/etc/globus_cas_service/jndi-config.xml as follows :

 
    <resource name="mdsConfiguration" 
    
    type="org.globus.wsrf.impl.servicegroup.client.MDSConfiguration">
    <resourceParams>
    <parameter> 
    <name>reg</name>
    <value>true</value>
    </parameter>
    <parameter> 
    <name>factory</name>
    <value>org.globus.wsrf.jndi.BeanFactory</value>
    </parameter>
    </resourceParams>
    </resource>

To configure the automatic registration of CAS to the default WS MDS Index Service, change the value of the parameter <reg> as follows:

true turns on auto-registration; this is the default in GT 4.0.1.
false turns off auto-registration; this is the default in GT 4.0.0.

6.7.1. Configuring resource properties

By default, the VoDescription resource property (which describes the virtual organization relevant to the CAS Service) is sent to the default Index Service.

You can configure which resource properties are sent in the registration.xml file, $GLOBUS_LOCATION/etc/globus_cas_service/registration.xml. The following is the relevant section of the file:

      <Content xsi:type="agg:AggregatorContent"
      xmlns:agg="http://mds.globus.org/aggregator/types">
      
      <agg:AggregatorConfig xsi:type="agg:AggregatorConfig">
      
      <agg:GetResourcePropertyPollType
      xmlns:cas="http://www.globus.org/07/2004/cas">
      <!-- Specifies that the index should refresh information
      every 8 hours (28800000ms) -->
      <agg:PollIntervalMillis>28800000</agg:PollIntervalMillis>
      
      <!-- specifies that all Resource Properties should be
      collected from the RFT factory -->
      
      <agg:ResourcePropertyName>cas:VoDescription</agg:ResourcePropertyName>
      
      </agg:GetResourcePropertyPollType>
      </agg:AggregatorConfig> 
      <agg:AggregatorData/>
      </Content>

6.8. Registering CAS manually with default WS MDS Index Service

If a third party needs to register an CAS service manually, see Registering with mds-servicegroup-add in the WS MDS Aggregator Framework documentation.

7. Environment variable interface

All CAS client programs use the following environment variables to determine the appropriate URL to connect to and server identity to expect. In all cases, the command line options takes precedence over the environment variables.

The URL is determined using this algorithm:
- If the -c command line option was specified, the URL specified with that option is used.
- Otherwise, the CAS_SERVER_URL environment variable must be set, and its value is used.
The server identity (i.e. the expected subject name of the CAS server certificate) is determined as follows:
- If the -s command line option was specified, the value specified with that option is used as the identity
- Otherwise, if the CAS_SERVER_IDENTITY environment variable is set, the value of that variable is used as the expected server identity. Ensure that the value is enclosed within double quotes if there are spaces in the DN. The double quotes are required by the CAS scripts when they are run from a Windows shell, although the shell does not require it even if the value has spaces.
- If neither is set, host authorization is done and the expected server credential is cas/<fqdn>, where <fqdn> is the fully qualified domain name of the host on which the CAS service is up.