CAS: System Administrator's Guide
Using CAS Administrator Command Line Clients
This document describes the set of command line clients that the administrator of the CAS server can use to manage users and policy. The following sections describe each available type of client and its usage:
- Enrolling and Un-enrolling Trust Anchors
- Enrolling and Un-enrolling Users
- Enrolling and Un-enrolling Namespaces
- Enrolling and Un-enrolling Objects
- Enrolling and Un-enrolling Service Types
- Maintaining Service Types
- Maintaining User Groups
- Maintaining Object Groups
- Maintaining Service/Action Groups
- Maintaining Permissions
Enrolling and Un-enrolling Trust Anchors
Enrolling trust anchors
To enroll a trust anchor, the user must have cas/enroll_trustAnchor permission on that CAS server object (that is, must have permission to perform the enroll_trustAnchor action on the CAS service type). The enroll operation allows the user to choose a user group to which cas/grantAll permission on the enrolled object should be granted. The nickname should be unique across the CAS database and is used to refer to this trust anchor.
casAdmin$ cas-enroll [options] trustAnchor userGpName nickname authMethod authData
| where: | |
| options | See client options |
| userGpName | The user group to which cas/grantAll permission should be granted on this trust anchor entity |
| nickname | Trust anchor nickname |
| authMethod | Authentication method used by the trust anchor |
| authData | Data used for authentication, typically the DN |
Un-enrolling trust anchors
To un-enroll a trust anchor, the user must have cas/unenroll permission on that trust anchor. The trust anchor must also be unused, that is there may not be any users in the database that have this trust anchor and it may not be a part of any object group.
casAdmin$ cas-remove [options] trustAnchor nickname
| where: | |
| options | See client options |
| nickname | The nickname of the trust anchor to be un-enrolled. |
If the trust anchor nickname specified does not exist, an error is not thrown. If the un-enroll operation is successful, all policy data on that trust anchor is purged.
Enrolling and Un-enrolling Users
Enrolling users
To enroll a user, the user must have cas/enroll_user permission (that is, must have permission to perform the enroll_user action on the CAS service type). The enroll operation allows the user to choose a user group to which cas/grantAll permission on the enrolled object should be granted. The enrolled user also gets all the privileges granted to the community. The nickname should be unique across the CAS database and is used to refer to this user.
casAdmin$ cas-enroll [options] user userGpName nickname subjectName trustAnchorNick
| where: | |
| options | See client options |
| userGpName | The user group to which cas/grantAll permission should be granted on this user entity. |
| nickname | The user's nickname |
| subjectName | The subject name from the user's credentials. |
| trustAnchorNick | Name of the user's trust anchor (must already exist in the CAS database.) |
Un-enrolling users
To un-enroll a user, the user must have cas/unenroll permission on that user. The user must also be unused, that is, there may not be any user groups in the database that have this user as a member.
casAdmin$ cas-remove [options] user nickname
| where: | |
| options | See client options |
| nickname | The nickname of the user to be un-enrolled. |
If the user nickname specified does not exist, an error is not thrown. If the un-enroll operation is successful, all policy data on that user is purged.
Enrolling and Un-enrolling Namespaces
Enrolling namespaces
To enroll a namespace, the user must have cas/enroll_namespace permission (that is, must have permission to perform the enroll_namespace action on the CAS service type). The enroll operation allows the user to choose a user group to have cas/grantAll permission on the enrolled object. The comparison algorithm specified should be the name of the Comparison class that is used to compare objects that belong to this namespace. The nickname should be unique across the CAS database and is used to refer to this namespace.
casAdmin$ cas-enroll [options] namespace userGpName nickname basename comparisonAlg
| where: | |
| options | See client options |
| userGpName | The user group to which cas/grantAll permission should be granted on this namespace entity. |
| nickname | The nickname of the namespace. |
| basename | The base URL for the namespace. |
| comparisonAlg | Comparison algorithm to be used. Unless the standard comparison algorithms described below are used, the fully qualified name of the class that needs to be used should be given. The class needs to extend from the abstract class org.globus.ogsa.impl.base.cas.server.ObjectComparison. |
The two comparison classes provided as a part of the distribution are:
- ExactComparison: This class does a case-sensitive exact comparison of the object names. If comparisonAlg in the above method is set to "ExactComparison", the class in the distribution is loaded and used.
- WildcardComparison: This class does wild card matching as described in CAS Simple Policy Language. It assumes that the wild card character is "*" and "/" is file separator. If comparisonAlg in the above method is set to "WildCardComparison", the class in the distribution is loaded and used.
Also two namespaces are added to the CAS database at boot up time, other than the inherent CAS Namespace.
- FTPDirectoryTree: Uses the WildCardComparison Algorithm and has the base URL set to the current directory.
- FTPExact: Uses the ExactComparison Algorithm and has the base URL set to the current directory.
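As an added illustration (not code from the Globus distribution), the following Python model shows how the two comparison algorithms decide whether an enrolled object name covers a requested name, using the two boot-time namespaces as a constructed registry. The placeholder base URL, the Python stand-ins for the Java classes, and the rule that "*" matches within a single "/"-separated component while a trailing "/*" covers the whole subtree are assumptions made here.

```python
"""Python model of CAS namespace object comparison (constructed example)."""
from abc import ABC, abstractmethod
import re


class ObjectComparison(ABC):
    """Stand-in for the abstract org.globus.ogsa.impl.base.cas.server.ObjectComparison."""

    def __init__(self, basename: str):
        self.basename = basename.rstrip("/")

    def resolve(self, name: str) -> str:
        """Resolve a name against the namespace base URL so relative and absolute forms agree."""
        if name == self.basename or name.startswith(self.basename + "/"):
            return name
        return f"{self.basename}/{name.lstrip('/')}"

    @abstractmethod
    def matches(self, policy_object: str, requested: str) -> bool:
        """True if the enrolled object name covers the requested object name."""


class ExactComparison(ObjectComparison):
    def matches(self, policy_object: str, requested: str) -> bool:
        # Case-sensitive, character-for-character comparison.
        return self.resolve(policy_object) == self.resolve(requested)


class WildCardComparison(ObjectComparison):
    def matches(self, policy_object: str, requested: str) -> bool:
        # Assumption: "*" matches any run of characters inside a single "/"-separated
        # component; a final "/*" covers the whole subtree below that directory.
        pat = self.resolve(policy_object).split("/")
        req = self.resolve(requested).split("/")
        for i, comp in enumerate(pat):
            if comp == "*" and i == len(pat) - 1:
                return len(req) > i
            if i >= len(req):
                return False
            regex = "^" + ".*".join(re.escape(piece) for piece in comp.split("*")) + "$"
            if not re.match(regex, req[i]):
                return False
        return len(req) == len(pat)


# Constructed registry mirroring the two namespaces added at boot up. The real base
# URL is the server's current directory; a placeholder URL stands in for it here.
BASE_URL = "ftp://cas.example.org/home"
NAMESPACES = {
    "FTPDirectoryTree": WildCardComparison(BASE_URL),
    "FTPExact": ExactComparison(BASE_URL),
}


def object_covers(namespace_nick: str, policy_object: str, requested: str) -> bool:
    """Does the enrolled object `policy_object` in the namespace cover `requested`?"""
    return NAMESPACES[namespace_nick].matches(policy_object, requested)
```

The same wildcard pattern enrolled under FTPDirectoryTree covers a whole subtree, while under FTPExact it only ever matches an object literally named with the "*".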
Un-enrolling namespaces
To un-enroll a namespace, the user must have cas/unenroll permission on that namespace. The namespace must also be unused, that is, there may not be any object in the database that belongs to this namespace.
casAdmin$ cas-remove [options] namespace nickname
| where: | |
| options | See client options |
| nickname | The nickname of the namespace to be un-enrolled. |
If the namespace nickname specified does not exist, an error is not thrown. If the un-enroll operation is successful, all policy data on that namespace is purged.
Enrolling and Un-enrolling Objects
Enrolling objects
To enroll an object, the user must have cas/enroll_object permission (that is, must have permission to perform the enroll_object action on the CAS service type). The enroll operation allows the user to choose a userGroup to have cas/grantAll permission on the enrolled object. The name of the object and the namespace this object belongs to identifies an object in the database and should be unique across the CAS database.
casAdmin$ cas-enroll [options] object userGpName objectName namespaceNick
| where: | |
| options | See client options |
| userGpName | The user group to which cas/grantAll permission should be granted on this object entity. |
| objectName | The name of the object. |
| namespaceNick | The nickname of the namespace this object belongs to. |
Un-enrolling objects
To un-enroll an object, the user must have cas/unenroll permission on that object. The object must also be unused, that is, there may not be any object group in the database that this object belongs to.
casAdmin$ cas-remove [options] object objName namespaceNick
| where: | |
| options | See client options |
| objName | The name of the object to be un-enrolled. |
| namespaceNick | The nickname of the namespace to which this object belongs. |
If the object specified does not exist, an error is not thrown. If the un-enroll operation is successful, all policy data on that object is purged.
Enrolling and Un-enrolling Service Types
Enrolling service types
To enroll a service type, the user must have cas/enroll_serviceType permission (that is, must have permission to perform the enroll_serviceType action on the CAS service type). The enroll operation allows the user to choose a userGroup to have cas/grantAll permission on the enrolled service type. The service type name should be unique across the CAS database.
casAdmin$ cas-enroll [options] serviceType userGpName serviceTypeName
| where: | |
| options | See client options |
| userGpName | The user group to which cas/grantAll permission should be granted on this service type entity. |
| serviceTypeName | The name of the service type. |
Un-enrolling service types
To un-enroll a service type, the user must have cas/unenroll permission on that service type. The service type must also be unused, that is, there may not be any service-type-to-action mapping.
casAdmin$ cas-remove [options] serviceType serviceTypeName
| where: | |
| options | See client options |
| serviceTypeName | The name of the service type. |
If the service type specified does not exist, an error is not thrown. If the un-enroll operation is successful, all policy data on that service type is purged.
Maintaining Service Types
Adding an action mapping to a service type
To add an action mapping to a service type, the user must have cas/create_group_entry permission on the service type.
casAdmin$ cas-action [options] add serviceTypeName actionName
| where: | |
| options | See client options |
| serviceTypeName | The name of the service type. |
| actionName | The name of the action |
Removing a service type action mapping
To remove a service type action mapping, the user must have cas/delete_group_entry permission on the service type.
casAdmin$ cas-action [options] remove serviceTypeName actionName
| where: | |
| options | See client options |
| serviceTypeName | The name of the service type. |
| actionName | The name of the action |
If the action mapping being removed does not exist, an error is not thrown.
Maintaining User Groups
Creating user groups
To create a new user group, the user must have cas/create_user_group permission (that is, must have permission to perform create_user_group action on cas service type). The user group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created user group. If the user group that is chosen to have cas/grantAll permission is the new group created, then the user making this request is added to the new group.
casAdmin$ cas-group-admin [options] user create userGpName groupName
| where: | |
| options | See client options. |
| userGpName | The user group to which cas/grantAll permission should be granted on the created user group. |
| groupName | The name of the user group being created. |
Adding users to a user group
To add a user to a user group, the user must have cas/add_group_entry permission on that particular user group. Only user nicknames that exist in the CAS database can be valid members.
casAdmin$ cas-group-add-entry [options] user groupName nickname
| where: | |
| options | See client options |
| groupName | The name of the user group to which you want to add the user. |
| nickname | The nickname of the user to be added to this group. |
Removing users from a user group
To remove a user from a user group, the user must have cas/remove_group_entry permission on that particular user group.
casAdmin$ cas-group-remove-entry [options] user groupName nickname
| where: | |
| options | See client options |
| groupName | The name of the user group from which you want to remove the user. |
| nickname | The nickname of the user you want to remove from the user group. |
If the group member being removed does not exist, an error is not thrown.
Deleting a user group
To delete a user group, the user must have cas/delete_user_group entry permission on that user group. The group must be empty and also must not be referenced from other entities in the database (for example, it should not belong to an object group).
casAdmin$ cas-group-admin [options] user delete groupName
| where: | |
| options | See client options |
| groupName | The name of the user group you want to delete. |
If the user group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that user group is purged.
Maintaining Object Groups
Creating object groups
To create a new object group, the user must have cas/create_object_group permission (that is, must have permission to perform create_object_group action on CAS service type). The object group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created object group.
casAdmin$ cas-group-admin [options] object create userGpName groupName
| where: | |
| options | See client options |
| userGpName | The user group to which cas/grantAll permission should be granted on the created object group. |
| groupName | The name of the object group being created. |
Adding members to an object group
An object group can have the following CasObjects as members:
- object
- user
- user group
- service type
- namespace
- trust anchor
To add a member to an object group, the user must have cas/add_group_entry permission for that particular object group.
casAdmin$ cas-group-add-entry [options] object groupName objectSpecDesc objectSpec
| where: | |
| options | See client options |
| groupName | The name of the object group to which you want to add the member. |
| objectSpecDesc | The type of CasObject being added (one of the member types listed above). |
| objectSpec | The identifier of the CasObject being added. |
Removing an object from an object group
To remove an object from a object group, the user must have cas/remove_group_entry permission on that particular object group:
casAdmin$ cas-group-remove-entry [options] object groupName objectSpec objectSpecDesc
| where: | |
| options | See client options |
| groupName | Name of the object group from which you want to remove the object. |
| objectSpecDesc | The type of CasObject being removed (one of the member types listed above). |
| objectSpec | The identifier of the CasObject being removed. |
If the group member being removed does not exist, an error is not thrown.
Deleting an object group
To delete an object group, the user must have cas/delete_user_group entry permission on that object group. The group must be empty.
casAdmin$ cas-group-admin [options] object delete groupName
| where: | |
| options | See client options |
| groupName | Name of the object group you want to delete. |
If the object group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that object group is purged.
Maintaining Service/Action Groups
Creating service/action groups
To create a new service/action group, the user must have cas/create_serviceAction_group permission (that is, must have permission to perform create_serviceAction_group action on CAS service type). The serviceAction group name should be unique across the CAS database. The create operation allows the user to choose a user group to have cas/grantAll permission on the created serviceAction group.
casAdmin$ cas-group-admin [options] serviceAction create userGpName groupName
| where: | |
| options | See client options |
| userGpName | The user group to which cas/grantAll permission should be granted on the created serviceAction group. |
| groupName | The name of the serviceAction group you want to create. |
Adding a service/Action to a serviceAction group
To add a service/Action to a serviceAction group, the user must have cas/add_group_entry permission on that particular serviceAction group (that is, must have permission to perform the add_group_entry action on that serviceAction group).
casAdmin$ cas-group-add-entry [options] serviceAction groupName serviceTypeName actionName
| where: | |
| options | See client options |
| groupName | Name of the serviceAction group to which you want to add the member. |
| serviceTypeName | The service type name part of the mapping to be added to the serviceAction group. |
| actionName | The action name part of the mapping to be added to the serviceAction group. |
Removing a service/Action from a serviceAction group
To remove a service/Action from a serviceAction group, the user must have cas/remove_group_entry permission on that particular serviceAction group.
casAdmin$ cas-group-remove-entry [options] serviceAction groupName serviceTypeName actionName
| where: | |
| options | See client options |
| groupName | Name of the serviceAction group from which you want to remove the service/Action. |
| serviceTypeName | The service type name part of the mapping to be removed from the serviceAction group. |
| actionName | The action name part of the mapping to be removed from the serviceAction group. |
If the action being removed does not exist, an error is not thrown.
Deleting a serviceAction group
To delete a serviceAction group, the user must have cas/delete_user_group entry permission on that serviceAction group. The group must be empty and also must not be referenced from any other entity in the database (for example, it should not be a member of an object group).
casAdmin$ cas-group-admin [options] serviceAction delete groupName
| where: | |
| options | See client options |
| groupName | Name of the serviceAction group you want to delete. |
If the serviceAction group specified does not exist, an error is not thrown. If the delete operation is successful, all policy data on that serviceAction group is purged.
Maintaining Permissions
Granting permissions
The user may grant permissions to a user group, object, or object group to perform a service action or service action group (that is to perform any action that is a member of the service action group to which permission is granted), provided the user has both:
- cas/grant permission on the object or object group
- permission to perform the service action or service action group on the object or object group.
casAdmin$ cas-rights-admin [options] grant userGroupName objectSpecDesc objectSpec actionSpecDesc actionSpec
| where: | |
| options | See client options |
| userGroupName | The user group for which you want to grant permission. |
| objectSpec | The identifier for the object or object group |
| objectSpecDesc | The object type: object or object group. |
| actionSpec | The identifier for the action or action group. |
| actionSpecDesc | The action type: service action or service action group. |
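To make the delegation rule above concrete, here is an added Python model of the grant precondition (constructed for this guide, not CAS code): a grant succeeds only when some user group containing the requester holds both cas/grant and the requested action on the target. The group and right names, the expansion of a serviceAction group into its member actions, and the treatment of cas/grantAll as covering every action on an object are assumptions; resolution of rights through object-group membership is left out.

```python
"""Model of the cas-rights-admin grant precondition (constructed example, not CAS code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Right:
    object_spec: str  # object name or object group name
    action_spec: str  # "serviceType/action" or a serviceAction group name


@dataclass
class CasPolicyDb:
    user_groups: dict                 # user group -> set of user nicknames
    service_action_groups: dict       # serviceAction group -> {"svc/action", ...}
    permissions: dict = field(default_factory=dict)  # user group -> set of Right

    def implied_actions(self, action_spec: str) -> set:
        """A serviceAction group stands for every service/action mapping it contains."""
        return set(self.service_action_groups.get(action_spec, {action_spec}))

    def holds(self, user: str, object_spec: str, action_spec: str) -> bool:
        """True if a user group containing `user` holds the action(s) on `object_spec`."""
        wanted = self.implied_actions(action_spec)
        for group, members in self.user_groups.items():
            if user not in members:
                continue
            for right in self.permissions.get(group, ()):
                if right.object_spec != object_spec:
                    continue
                # Assumption: cas/grantAll on an object covers every action on it.
                if right.action_spec == "cas/grantAll":
                    return True
                if wanted <= self.implied_actions(right.action_spec):
                    return True
        return False

    def grant(self, requester: str, user_group: str, object_spec: str, action_spec: str):
        """Both preconditions from the guide: cas/grant on the object AND the action itself."""
        if not self.holds(requester, object_spec, "cas/grant"):
            raise PermissionError(f"{requester} lacks cas/grant on {object_spec}")
        if not self.holds(requester, object_spec, action_spec):
            raise PermissionError(f"{requester} does not hold {action_spec} on {object_spec}")
        self.permissions.setdefault(user_group, set()).add(Right(object_spec, action_spec))


def demo() -> tuple:
    """Constructed scenario: an admin delegates read access; an analyst cannot re-delegate it."""
    db = CasPolicyDb(
        user_groups={"admins": {"alice"}, "analysts": {"bob"}},
        service_action_groups={"ftpRead": {"file/read", "file/list"}},
    )
    # Enrollment seeded cas/grantAll for the admins group on the object group projectData.
    db.permissions["admins"] = {Right("projectData", "cas/grantAll")}
    db.grant("alice", "analysts", "projectData", "ftpRead")
    bob_can_list = db.holds("bob", "projectData", "file/list")
    try:  # bob holds file/read through ftpRead but not cas/grant, so he cannot pass it on
        db.grant("bob", "analysts", "projectData", "file/read")
        bob_delegated = True
    except PermissionError:
        bob_delegated = False
    return bob_can_list, bob_delegated
```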
Revoking permissions
The user may revoke a policy in the CAS database provided the user has cas/revoke permission on the object or object group in which the policy is defined.
casAdmin$ cas-rights-admin [options] revoke userGroupName objectSpecDesc objectSpec actionSpecDesc actionSpec
| where: | |
| options | See client options |
| userGroupName | The user group from which you want to revoke permission. |
| objectSpec | The identifier for the object or object group |
| objectSpecDesc | The object type: object or object group. |
| actionSpec | The identifier for the action or action group. |
| actionSpecDesc | The action type: service action or service action group. |