Table of Contents
- 1. Semantics and syntax of APIs
- 2. Semantics and syntax of the WSDL
- 3. Command-line tools
- 4. Overview of Graphical User Interfaces
- 5. Semantics and syntax of domain-specific interface
- 6. Configuration interface
- 6.1. Configuration overview
- 6.2. Loading the CAS service at start up
- 6.3. Changing the maximum assertion lifetime
- 6.4. Configuring database backend
- 6.5. Configuring security descriptor
- 6.6. Configuring with a GridFTP Server
- 6.7. CAS auto-registration with default WS MDS Index Service
- 6.8. Registering CAS manually with default WS MDS Index Service
- 7. Environment variable interface
The CAS service allows for managing fine grained access policy of resources in a VO. The service has a back end database that stores data about users/resources/actions and the associated rights. It provides an administrative interface for managing the data and a query interface that allows users to retrieve this information. One of the operations in the query interface includes a means to get a signed SAML assertion that the client can present to a resource for authorization purposes.
Some relevant APIs:
- org.globus.cas.CasPortType
- org.globus.cas.impl.CasConstants
- org.globus.cas.impl.client.CasProxyHelper
Complete API:
This component is used to store and retrieve assertions about the rights a user has on some resource to perform some action on a service type. It uses the Security Assertion Markup Language (SAML) to express an authorization query and return an assertion about the objects in the query. It also provides a WSDL interface for administrative tasks such as managing information about users and resources as well as granting and revoking rights on them.
addUser
: Adds a new user.removeUser
: Removes a user.addTrustAnchor
: Adds a new trust anchor.removeTrustAnchor
: Removes a trust anchor.createGroup
: Creates a new user, object or action group.deleteGroup
: Deletes a user, object or action group.createObject
: Creates a new object (resource).deleteObject
: Deletes an object (resource).createObjectNamespace
: Creates a new object namespace.deleteObjectNamespace
: Deletes an object namespace.manageObjectGroups
: Adds/deletes objects to an object group.manageUserGroups
: Adds/deletes objects to an user group.createServiceType
: Creates a new service type.deleteServiceType
: Deletes service type.manageServiceAction
: Adds/deletes service type and action mapping.manageServiceActionGroups
: Creates/deletes a new service/action group.grant
: Grants a user the right to perform service/action (or a group of service/actions) on a resource (or a group of resources).revoke
: Revokes a user's right.whoami
: Returns the CAS nickname associated with the user.list
: Returns the list of users/objects/service/action types.findApplicablePolicy
: Returns all relevant policy for a said user/object/service/action.getCasObject
: Returns the user/object/service/action represented by Object given a id.getGroupMembers
: Returns all members for a given user/object/servce/action group.getAssertion
: Returns an assertion for a said query that contains the rights that the user for the action and resource specified in the query.
ServerDN
: The DN from the credentials used by the CAS ServiceVODescription
: This is a string that describes the VO relevant to CAS Service.
NoPermissionFault
: Throws if the client is not allowed to invoke the operation.CasFault
: Throws if any other error occurs.
Please see the CAS Command Reference.
To get a handle for the CAS service port type, the
org.globus.cas.impl.client.CasClientSetup
class can be used.Sample Code:
To get a handle to a CAS service with instance URL
instanceURL
and identityserviceIdentity
:CasClientSetup clientSetup = new CasClientSetup(); CommunityAuthorizationServicePortType casPort = clientSetup.getCASPort(instanceURL, serverIdentity);
To generate a proxy with embedded CAS assertions the API in the class
org.globus.cas.impl.client.CasProxyHelper
can be used. The classorg.globus.cas.impl.client.ClientParams
is used to pass in appropriate parameters and the datatypeorg.globus.cas.impl.client.ResourceActionsMap
is used to represent the resource/actions mapping for which assertions are requested on.Listed below is sample code that uses the client side util API to generate a proxy with CAS assertions embedded in it.
The ClientParams class is used to construct the parameter. If the default constructor is used and none of the values are set then the requested assertion lifetime is set to 24 hours, the default proxy file is used and the proxy containing the embedded assertions is named with a ".cas" extension at the end of the proxy file.
ClientParams clientParams = new ClientParams();
The following is used to set assertion lifetime. If not set then 24 hours is used.
clientParams.setAssertionLifetime(lifetime);
Set the file name of the proxy to use. If not set then the default credential is used.
clientParams.setProxyFileName(proxyFilename);
Set the file name that the proxy with CAS assertions will be written to. If not set then original proxy file name is appended with a tag.
clientParams.setCasProxyFileName(casProxyFilename);
Set the extension to append to the original proxy filename. If not set then the extension ".cas" is used. The extension is only used if a filename for the CAS proxy is not set.
clientParams.setCasProxyTag(tag);
Set the resource/actions for which the assertion is requested on. It uses an array of data type ResourceActionsMap (explained below).
clientParams.setResourceActionsMap(resActions);
The
ResouceActionsMap
datatype is used to represent the resource and the actions on the resource for which the permissions are required. It uses a String to represent the resource and a vector of strings to represent the actions.The resource should be of the form "
objectNamespace
|objectName
". The action should be of the form "serviceType actionName
".Create an instance of the Helper class:
CasProxyHelper casProxyHelper = new CasProxyHelper(instanceURL, serverIdentity);
Where:
instanceURL
is the URL used to contact the CAS service.serverIdentity
is the expected identity of the server. If null, host authorization is used.
Generate the proxy with CAS assertions:
String casProxyFilename = casProxyHelper.getCasProxy(clientParams);
This method contacts the CAS service, retrieves assertions, embeds the assertions in a proxy credential and returns the path to the proxy file.
Note | |
---|---|
Typically a single CAS server is run per VO and multiple client installations are done. This document contains information about deploying a CAS server and is not needed for a CAS client installation. Please refer to the documentation for CAS client install. |
The CAS service can be configured with a description of the VO the CAS service serves and the maximum lifetime of the assertions it can issue. Also, the service needs to be configured with information about the back end database it uses. Any database with a JDBC driver and reasonable SQL support can be used. That said, PostgreSQL was used for development and testing and we strongly recommend that you use it. The CAS database schema to be used with PostgreSQL has been provided in $GLOBUS_LOCATION/etc/globus_cas_service/casDbSchema/cas_pgsql_database_schema.sql.
Other than that, the security settings of the service can be modified in the security descriptor associated with the CAS service. It allows for configuring the credentials that will be used by the service, the type of authentication and message protection required as well as the authorization mechanism. By default, the following security configuration is installed:
- Credentials are determined by the container level security descriptor. If there is no container level security descriptor or if it does not specify which credentials to use then default credentials are used.
- Authentication and message integrity protection is enforced for all methods except queryResourceProperties and getResourceProperty. This means that you may use any of GSI Transport, GSI Secure Message or GSI Secure Conversation when interacting with the CAS service.
- The standard authorization framework is not used for authorization. Instead the the service uses the back end database to determine if the call is permitted.
Note | |
---|---|
Changing required authentication and authorization methods will require matching changes to the clients that contact this service. |
Important | |
---|---|
If the service is configured to use GSI Secure Transport, then container credentials are used for the handshake, irrespective of whether service level credentials are specified. |
By default, the CAS service is not loaded at start up. To change this behavior, uncomment the loadOnStartup property set in $GLOBUS_LOCATION/etc/globus_cas_service/server-config.wsdd as shown below.
Once the loadOnStartup property is uncommented, the following happens at start up:
- The CAS service is loaded.
- The database connection pool is initialized.
- The service registers itself to the default MDS Index Service.
<service name="CASService" provider="Handler" use="literal" style="document"> <!-- Uncomment if the service needs to be initialized at startup --> <parameter name="loadOnStartup" value="true"/> <parameter name="allowedMethodsClass" value="org.globus.cas.CASPortType"/> . . . </service>
To change the maximum assertion lifetime and VO description, set the parameters maxAssertionLifetime
and voDescription
in $GLOBUS_LOCATION/etc/globus_cas_service/jndi-config.xml
to the desired values.
To alter the configuration of the database back end edit the databaseConfiguration
section of
$GLOBUS_LOCATION/etc/globus_cas_service/jndi-config.xml
as follows:
Table 1. Database parameters
driver | The JDBC driver to be used |
connectionURL | The JDBC connection url to be used when connecting to the database |
userName | The user name to connect to the database as |
password | The corresponding database password |
activeConnections | The maximum number of active connections at any given instance |
onExhaustAction | The action to perform when the connection pool is exhausted. If value is 0 then fail, if 1 then block and if 2 then grow the pool (get more connections) |
maxWait | The maximum time in milliseconds that the pool will wait for a connection to be returned |
idleConnections | The maximum number of idle connections at any given time |
To alter the security descriptor configuration refer to
Security Descriptors.
The file to be changed is $GLOBUS_LOCATION/etc/globus_cas_service/security-config.xml
.
CAS is used to administer access rights to files and directories and the GridFTP server can be configured to enforce those rights.
For detailed information about configuring CAS for use with a GridFTP server, see http://www.globus.org/toolkit/docs/4.0/security/cas/WS_AA_CAS_HOWTO_Setup_GridFTP.html.
With a default GT 4.0.1 installation, CAS is automatically registered with the default WS MDS Index Service running in the same container for monitoring and discovery purposes.
Note | |
---|---|
If you are using GT 4.0.0, we strongly recommend upgrading to 4.0.1 to take advantage of this capability. |
However, if must use GT 4.0.0, or if this registration was turned off and you want to turn it back on, this is how it is configured:
There is a jndi resource defined in $GLOBUS_LOCATION/etc/globus_cas_service/jndi-config.xml
as follows :
<resource name="mdsConfiguration" type="org.globus.wsrf.impl.servicegroup.client.MDSConfiguration"> <resourceParams> <parameter> <name>reg</name> <value>true</value> </parameter> <parameter> <name>factory</name> <value>org.globus.wsrf.jndi.BeanFactory</value> </parameter> </resourceParams> </resource>
To configure the automatic registration of CAS to the default WS MDS Index Service, change the value of the parameter
<reg>
as follows:
true
turns on auto-registration; this is the default in GT 4.0.1.false
turns off auto-registration; this is the default in GT 4.0.0.
By default, the VoDescription
resource property (which describes the virtual organization relevant to the CAS Service) is sent to the default Index Service.
You can configure which resource properties are sent in the registration.xml file, $GLOBUS_LOCATION/etc/globus_cas_service/registration.xml
.
The following is the relevant section of the file:
<Content xsi:type="agg:AggregatorContent" xmlns:agg="http://mds.globus.org/aggregator/types"> <agg:AggregatorConfig xsi:type="agg:AggregatorConfig"> <agg:GetResourcePropertyPollType xmlns:cas="http://www.globus.org/07/2004/cas"> <!-- Specifies that the index should refresh information every 8 hours (28800000ms) --> <agg:PollIntervalMillis>28800000</agg:PollIntervalMillis> <!-- specifies that all Resource Properties should be collected from the RFT factory --> <agg:ResourcePropertyName>cas:VoDescription</agg:ResourcePropertyName> </agg:GetResourcePropertyPollType> </agg:AggregatorConfig> <agg:AggregatorData/> </Content>
If a third party needs to register an CAS service manually, see Registering with mds-servicegroup-add in the WS MDS Aggregator Framework documentation.
All CAS client programs use the following environment variables to determine the appropriate URL to connect to and server identity to expect. In all cases, the command line options takes precedence over the environment variables.
The URL is determined using this algorithm:
- If the
-c
command line option was specified, the URL specified with that option is used. - Otherwise, the
CAS_SERVER_URL
environment variable must be set, and its value is used.
- If the
The server identity (i.e. the expected subject name of the CAS server certificate) is determined as follows:
- If the
-s
command line option was specified, the value specified with that option is used as the identity - Otherwise, if the
CAS_SERVER_IDENTITY
environment variable is set, the value of that variable is used as the expected server identity. Ensure that the value is enclosed within double quotes if there are spaces in the DN. The double quotes are required by the CAS scripts when they are run from a Windows shell, although the shell does not require it even if the value has spaces. - If neither is set, host authorization is done and the expected server credential is
cas/<fqdn>
, where <fqdn> is the fully qualified domain name of the host on which the CAS service is up.
- If the