This information is for a release that is no longer supported by the Globus Toolkit. The currently supported versions of the Globus Toolkit are 4.2 (recommended) and 4.0.
CAS: System Administrator's Guide
CAS-enabled GridFTP Server
This page contains the following topics:
- Enabling CAS Support in the GridFTP Server
- Configuring the GridFTP Server to Trust a CAS Server
- Setting CAS permissions that the GridFTP Server Will Understand
- Using a GridFTP Client with a CAS-Enabled GridFTP Server
Enabling CAS Support in the GridFTP Server
The Globus Toolkit 3.2 GridFTP Server
reads two files (gsi-authz.conf and gsi-gaa.conf) to determine how to perform certain
authorization and mapping functions.
If these files are not present (as is the case after a standard Globus Toolkit
installation), the GridFTP server will not support CAS authorization (that is,
the GridFTP server will ignore the CAS policy assertions in the user's credential
and determine the user's permissions based solely on the user's identity).
The setup-globus-gaa-authz-callout command creates
gsi-authz.conf and gsi-gaa.conf files that
will cause the GridFTP server to honor CAS policy assertions. There
are two ways to run this command. Running:
$GLOBUS_LOCATION/setup/globus/setup-globus-gaa-authz-callout
as root will create gsi-authz.conf and gsi-gaa.conf in the directory /etc/grid-security,
where the GridFTP server looks for them by default. Running:
$GLOBUS_LOCATION/setup/globus/setup-globus-gaa-authz-callout -d mydir
will create these configuration files in mydir. To get the GridFTP
server to find these files, set the environment variables GSI_AUTHZ_CONF to mydir/gsi-authz.conf and GSI_GAA_CONF to mydir/gsi-gaa.conf before starting the GridFTP server.
By default, setup-globus-gaa-authz-callout will not overwrite
an existing configuration file. The -force option will cause
it to overwrite an existing gsi-authz.conf file, and the
-overwrite_gaa_config option will cause it to overwrite an
existing gsi-gaa.conf file.
Configuring the GridFTP Server to Trust a CAS Server
The steps above configure the GridFTP server to understand CAS credentials. However, the GridFTP server will not allow a user authenticating with a CAS credential to perform any action that it would not allow the CAS server itself to perform. To configure the GridFTP server to trust a particular CAS server, create a local user account corresponding to the CAS server, use file permissions to allow that user account to have the desired level of file access, and create a gridmap entry mapping the CAS server's distinguished name to that local account.
Setting CAS permissions that the GridFTP Server Will Understand
Object Names
CAS objects created using the object namespace FTPDirectoryTree
are recognized by the GridFTP server. An object in that namespace with
the name:
ftp://somehost.edu/some_path
will be recognized by the CAS-enabled GridFTP server at somehost.edu as referring to the file or directory named some_path. An object in the
FTPDirectoryTree namespace with the name:
ftp://somehost.edu/some_directory_path/*
will be recognized by the CAS-enabled GridFTP server at somehost.edu as referring to all files and directories under some_directory_path.
In some cases, it may be desirable to have a GridFTP server recognize CAS assertions that use a hostname other than the server's fully qualified domain name. Starting the GridFTP server with the option "-H otherhost" will cause the GridFTP server to recognize objects with names that start with "ftp://otherhost/" instead.
Permissions recognized by GridFTP
The GridFTP server recognizes permissions whose service type is
service. The following table summarizes the recognized permissions
within that service type, and their meanings:
| Action | Meaning |
|---|---|
| read | For a file, gives permission to read the file. For a directory, gives permission to chdir to the directory. |
| lookup | For a file, gives the right to get Unix stat() information. For a directory, gives the right to chdir to and to list the contents of the directory. |
| write | For a file, allows modification of an existing file. For a directory, gives the right to chdir to the directory. |
| create | For a file, allows creation of the file if it does not exist. For a directory, allows creation of the directory if it does not exist and gives the right to chdir to the directory if it does exist. |
| delete | For a file, allows deletion of the file. For a directory, allows deletion of the directory, if empty; also gives the right to chdir to the directory. |
| chdir | For a file, this right is meaningless. For a directory, allows making the directory the current default directory. |
The following is a summary of the FTP commands supported, and the permissions they require:
| Typical Client Command | FTP Protocol Command | Rights Required |
|---|---|---|
| get | RETR | read |
| put | STOR | write, if file exists; create, if file does not exist |
| delete | DELE | delete |
| ls | LIST | lookup |
| chdir | CWD | any of: chdir, lookup, read, write, create, or delete |
| mkdir | MKD | create |
| rmdir | RMD | delete |
| rename | RNFR / RNTO | read and delete on old file; write on new file, if it exists; create on new file, if it does not exist |
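The following is an added, illustrative model of the rules in the two tables above and in the object-name section: it is not the Globus Toolkit's code, but it lets an administrator check, before writing CAS policy, which assertions would let a client run which FTP commands. It assumes absolute paths with a leading slash and case-insensitive hostname comparison (neither is stated on this page), represents the trust rule from "Configuring the GridFTP Server to Trust a CAS Server" as a caller-supplied lookup of the rights the CAS server's own local account holds on a path, and uses a constructed host name and sample policy.

```python
"""Illustrative model of how a CAS-enabled GridFTP server decides whether CAS
policy assertions authorize an FTP command.  Added example, not the Globus
Toolkit's implementation; the rules are the ones stated on this page."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# The six actions the GridFTP server recognizes within the "service" service type.
ACTIONS: FrozenSet[str] = frozenset({"read", "lookup", "write", "create", "delete", "chdir"})


@dataclass(frozen=True)
class Assertion:
    """One CAS policy assertion: an FTPDirectoryTree object name plus the actions granted on it."""
    object_name: str
    actions: FrozenSet[str]


def object_matches(object_name: str, server_host: str, path: str) -> bool:
    """Does an FTPDirectoryTree object name refer to `path` on this server?

    ftp://host/some_path   -> exactly the file or directory some_path
    ftp://host/some_dir/*  -> everything under some_dir (not some_dir itself)
    `server_host` is the server's FQDN, or the name given with "-H otherhost".
    Assumption (not on the page): hostnames compare case-insensitively and
    paths are absolute.
    """
    parts = urlsplit(object_name)
    if parts.scheme != "ftp" or parts.netloc.lower() != server_host.lower():
        return False
    target = path.rstrip("/") or "/"
    if parts.path.endswith("/*"):
        subtree_root = parts.path[:-2].rstrip("/")
        # Compare with a trailing slash so /data/* does not also cover /database.
        return target.startswith(subtree_root + "/")
    return target == (parts.path.rstrip("/") or "/")


def granted_rights(assertions: Iterable[Assertion], server_host: str, path: str) -> FrozenSet[str]:
    """Union of the recognized actions that matching assertions grant on `path`."""
    rights: Set[str] = set()
    for a in assertions:
        if object_matches(a.object_name, server_host, path):
            rights |= a.actions & ACTIONS  # action names outside the table are ignored
    return frozenset(rights)


def required_rights(command: str, path: str, exists: bool, new_path: Optional[str] = None,
                    new_exists: bool = False) -> List[Tuple[str, Set[str]]]:
    """Translate an FTP protocol command into the rights the page's table requires.

    Returns (path, alternatives) entries; each must be satisfied by holding at least
    one right in `alternatives` on `path`.  Rename needs read AND delete on the old
    name, so that conjunction becomes two entries.
    """
    cmd = command.upper()
    if cmd == "RETR":
        return [(path, {"read"})]
    if cmd == "STOR":
        return [(path, {"write"} if exists else {"create"})]
    if cmd in ("DELE", "RMD"):
        return [(path, {"delete"})]
    if cmd == "LIST":
        return [(path, {"lookup"})]
    if cmd == "CWD":
        return [(path, set(ACTIONS))]  # any of the six rights lets the client chdir
    if cmd == "MKD":
        return [(path, {"create"})]
    if cmd in ("RNFR", "RNTO"):  # the rename pair is checked as one operation
        if new_path is None:
            raise ValueError("rename requires new_path")
        return [(path, {"read"}), (path, {"delete"}),
                (new_path, {"write"} if new_exists else {"create"})]
    raise ValueError(f"command not in the page's table: {command}")


def authorize(command: str, path: str, assertions: Iterable[Assertion], server_host: str,
              exists: bool = True, new_path: Optional[str] = None, new_exists: bool = False,
              cas_server_rights: Optional[Callable[[str], Set[str]]] = None) -> bool:
    """True if the assertions grant every right the command needs.

    `cas_server_rights` models the trust rule on this page: a CAS user may not do
    anything the CAS server's own local account could not, so a granted right only
    counts if that account also holds it (via Unix file permissions) on the path.
    """
    assertions = list(assertions)
    for p, alternatives in required_rights(command, path, exists, new_path, new_exists):
        held = set(granted_rights(assertions, server_host, p))
        if cas_server_rights is not None:
            held &= set(cas_server_rights(p))
        if not held & alternatives:
            return False
    return True


# Constructed sample policy (host and paths are made up): read-only access to the
# /data subtree plus the right to upload a single report file.
SAMPLE_ASSERTIONS = [
    Assertion("ftp://somehost.edu/data/*", frozenset({"read", "lookup"})),
    Assertion("ftp://somehost.edu/incoming/report.txt", frozenset({"write", "create"})),
]

if __name__ == "__main__":
    for cmd, p, kw in [("RETR", "/data/a.dat", {}), ("DELE", "/data/a.dat", {}),
                       ("STOR", "/incoming/report.txt", {"exists": False})]:
        ok = authorize(cmd, p, SAMPLE_ASSERTIONS, "somehost.edu", **kw)
        print(cmd, p, "->", "allowed" if ok else "denied")
```

Two points the model makes visible: a `some_directory_path/*` object covers the subtree but not the directory itself, so a client given only that assertion cannot `get` the directory entry or `chdir` to it; and passing the restricting account's rights shows how the GridFTP server's trust in the CAS server caps every assertion, since no policy can exceed what the mapped local account could do.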
Using a GridFTP Client with a CAS-Enabled GridFTP Server
The CAS User's Guide describes how to acquire and use a CAS credential.
If a client connects using "normal" (non-CAS) credentials, the behavior of the CAS-enabled GridFTP server should be the same as the behavior of a non-CAS-enabled GridFTP server.
