CAS: System Administrator's Guide
Example of CAS Server Administration
Alice, Bob and Carol are three members of a community who have set up a Community Authorization Service (CAS). Alice's role is primarily to administer the CAS server. Bob is an analyst who needs read access to much of the community data. Carol is a scientist who needs to be able to both read and write community data. These examples show how Alice adds the users Bob and Carol to the CAS server, then adds an FTP server with some data available to the community, and finally grants those users permissions on that data, all using the CAS administration clients.
These examples assume that Alice has installed the CAS server and bootstrapped the database with herself as super user. Please refer to the installation documentation for details.
Assume Alice's nickname on the CAS server is alice and that at bootstrap she created a user group suGroup, which has super user permissions on the database. The CAS service URL in these examples is http://localhost:8080/ogsa/services/base/cas/CASService
All commands listed below assume that the environment variable GLOBUS_LOCATION has been set to point to the GT3.2 core install and that the commands are run from GLOBUS_LOCATION/bin. Also, we assume an environment variable CAS_SERVER_URL has been set to point to the CAS server URL: http://localhost:8080/ogsa/services/base/cas/CASService
1. Adding a user group
Since only one user group, the one with super user permissions on the CAS server, is created when the CAS server is bootstrapped, Alice will want to create additional user groups to which new users can be added and to which permissions on newly enrolled CAS entities can be given. This also eases the process of giving the same rights to many users. Since there are two types of roles in the community, she creates two groups, analysts and scientists.
All permissions on a newly created group are given to the members of a user group named on the command line. Alice would like all members of the user group analysts itself to be able to manipulate the group.
To create a new user group, Alice uses the cas-group-admin client. It requires a name for the new group being created, so she uses analysts.
alice% cas-group-admin user create analysts analysts
This creates a user group analysts and gives every member of that group permission to manage the group (add users, remove users and so on). She creates a group called scientists in the same way.
2. Adding a trust anchor
Before she can add Bob and Carol to the CAS server, Alice needs to ensure that the trust anchors for both have been added. If they share the same trust anchor with Alice, she can skip this step since Alice's trust anchor would have been added to the database at bootstrap.
But in this example, Alice and Carol share a trust anchor that differs from Bob's. Alice needs to add the trust anchor used by Bob with the cas-enroll client and the trustAnchor option. She needs to provide details about the trust anchor, such as the authentication method and the authentication data it uses.
alice% cas-enroll trustAnchor analysts AbcTrust X509 "/C=US/O=some/CN=ABC CA"
This enrolls a trust anchor with the nickname AbcTrust that uses the X509 authentication method and has the DN given in the command, i.e. the DN of the CA that signs Bob's credentials. The members of the analysts user group are given all rights on this object, which means any analyst can modify or delete the trust anchor entry; if that is not intended, name suGroup here instead. A user enrolled with this trust anchor is expected to present credentials signed by it.
3. Adding users
Alice can now add Bob and Carol as users, using the cas-enroll command with the user option. She needs to provide the user's subject DN and a reference to the trust anchor that vouches for that DN. As with any entity added to the CAS server, Alice needs to choose a user group whose members will have all permissions on that entity. Alice would like the members of the super user group suGroup to be able to manipulate the user entity bob, so she enters:
alice% cas-enroll user suGroup bob "/O=Our Community/CN=Bob Foo" AbcTrust
Alice uses a similar command, with Carol's DN and trust anchor, to add Carol to the CAS database.
4. Adding users to user group
The CAS server only allows rights to be assigned to user groups, not to individual users. Hence, before Alice can assign rights to Bob or Carol, she needs to add them to a user group. She does this with the cas-group-add-entry client, using the user option to indicate that she is adding a user to a user group. This client requires the group name and the nickname of the user to be added. So, to add Bob to the analysts group, Alice enters:
alice% cas-group-add-entry user analysts bob
If a user group scientists was created, Carol could be added as a member in the same way.
5. Adding a new FTP server
So far, Alice has the community users in the database and organized. She now wants to add some resources. The community currently has a single FTP server available, called foo.bar.edu, so she will add this to the CAS database.
Each resource or object in the CAS server belongs to a namespace, which defines how object names in it are handled: the comparison algorithm used to match a requested name against enrolled objects and, optionally, a base URL that is prefixed to object names in that namespace. Whenever an object name is looked up, the namespace's comparison algorithm is applied.
In this case, Alice uses the FTPDirectoryTree namespace, which is added to the CAS server at boot up. She now adds the FTP server to the CAS database, using the cas-enroll client with the object option.
alice% cas-enroll object suGroup ftp://foo.bar.edu/* FTPDirectoryTree
This adds the FTP server as an object and gives all members of suGroup rights to manipulate the object.
To be able to grant or revoke access on individual directories, each such directory must be enrolled as an object of its own. For example, if Alice would like to manage the data on the server as a separate entity, the following adds an object for it.
alice% cas-enroll object suGroup ftp://foo.bar.edu/data/* FTPDirectoryTree
6. Creating an object group
Alice suspects the community will end up having more directories, on other servers, that hold data with policies identical to those of the /data directory on foo.bar.edu. So she creates an object group called data and assigns ftp://foo.bar.edu/data/* to it. This lets her grant rights on the group once and easily add other directories to it later.
To create an object group called data she uses the cas-group-admin client with the object and create options.
alice% cas-group-admin object create suGroup data
This creates an object group called data. The members of suGroup get all rights on this group, so they can add and remove members, grant others the right to add to or delete from this group, and delete the group itself.
7. Adding members to object group
Alice can now add ftp://foo.bar.edu/data/* to the data group. She does this with the cas-group-add-entry client and the object option. To add the object enrolled above, ftp://foo.bar.edu/data/* in the namespace FTPDirectoryTree, to the object group data, the command is:
alice% cas-group-add-entry object data object FTPDirectoryTree ftp://foo.bar.edu/data/*
In the above command, the first object is the group type, data is the name of the object group, the second object is the type of CAS entity being added as a member, and the last two parameters are the namespace and the name of the object being added.
8. Adding service types
Alice now needs to add information about the kind of rights that can be granted for these objects. These are stored as service types and relevant actions are mapped to these service types.
In this scenario, the kind of service types that Alice should add would be file, directory and so on. To do so, the cas-enroll client with the serviceType option may be used. To add a service type called file and give members of suGroup all rights on this service type, she uses the following command.
alice% cas-enroll serviceType suGroup file
9. Adding action mappings
The relevant action mappings to the above mentioned service types would be read, write and so on. Alice needs to add these mappings to the database so that she can grant rights that allow a user to have file/read or file/write permissions on some object.
To add an action mapping to a service type, she uses the cas-action client with the add option. The following command adds a mapping of the action read to the service type file.
alice% cas-action add file read
Similarly, she can add other mappings, like write, to this service type.
10. Granting permissions
Alice now has resources in the object group data and users in the user groups analysts and scientists. She now wants to grant permissions on data group to the analysts and scientists, namely read permissions to the analysts and read and write permissions to the scientists.
To grant permissions, the cas-rights-admin client with the grant option is used. To give read permission on the object group data to the analysts group, the command to run is:
alice% cas-rights-admin grant analysts objectGroup data serviceAction file read
She grants rights to the scientists group in the same way, once for read and once for write.
And now Alice is done!
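The whole sequence above, collected into one script that can be reviewed before it is applied. This is an added example, not code from the Globus Toolkit or its documentation. It relies only on the client argument orders shown on this page; Carol's DN and the nickname OurCATrust of the trust anchor Alice enrolled at bootstrap are placeholders, DRY_RUN is the script's own switch rather than a CAS client option, and it departs from step 2 in one deliberate way: the trust anchor is owned by suGroup rather than analysts, so that only super users can alter which CA is trusted.

```shell
#!/bin/sh
# Added example (not part of the GT3.2 CAS documentation): steps 1-10 of the
# walkthrough as one script. Assumptions beyond the page: Carol's DN and the
# bootstrap trust anchor nickname OurCATrust are hypothetical, and DRY_RUN is
# this script's own switch, not a CAS client option.

# run: execute one CAS client command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# cas_provision: enroll everything in dependency order (groups before members,
# trust anchor before users, objects before object-group entries, service type
# and actions before grants). The user group named right after each entity
# type is the one whose members get all rights on that entity.
cas_provision() {
    if [ -z "${DRY_RUN:-}" ]; then
        if [ -z "${GLOBUS_LOCATION:-}" ] || [ -z "${CAS_SERVER_URL:-}" ]; then
            echo 'GLOBUS_LOCATION and CAS_SERVER_URL must be set' >&2
            return 1
        fi
        PATH="$GLOBUS_LOCATION/bin:$PATH"
    fi

    # 1. user groups; each group owns itself, so its members manage membership
    run cas-group-admin user create analysts analysts
    run cas-group-admin user create scientists scientists

    # 2. Bob's CA, owned by suGroup (the page uses analysts); Alice's and
    #    Carol's anchor already exists from bootstrap
    run cas-enroll trustAnchor suGroup AbcTrust X509 '/C=US/O=some/CN=ABC CA'

    # 3. users: subject DN plus the trust anchor that vouches for it
    run cas-enroll user suGroup bob '/O=Our Community/CN=Bob Foo' AbcTrust
    run cas-enroll user suGroup carol '/O=Our Community/CN=Carol Bar' OurCATrust  # assumed DN/anchor

    # 4. membership; rights are only ever granted to groups, never to users
    run cas-group-add-entry user analysts bob
    run cas-group-add-entry user scientists carol

    # 5. resources: the server root and the /data subtree as separate objects
    run cas-enroll object suGroup 'ftp://foo.bar.edu/*' FTPDirectoryTree
    run cas-enroll object suGroup 'ftp://foo.bar.edu/data/*' FTPDirectoryTree

    # 6-7. object group holding everything that shares the /data policy
    run cas-group-admin object create suGroup data
    run cas-group-add-entry object data object FTPDirectoryTree 'ftp://foo.bar.edu/data/*'

    # 8-9. service type and the actions that can be granted on it
    run cas-enroll serviceType suGroup file
    run cas-action add file read
    run cas-action add file write

    # 10. grants: analysts read only; scientists read and write
    run cas-rights-admin grant analysts objectGroup data serviceAction file read
    run cas-rights-admin grant scientists objectGroup data serviceAction file read
    run cas-rights-admin grant scientists objectGroup data serviceAction file write
}

# Usage: sh cas-provision.sh plan   (print the commands)
#        sh cas-provision.sh apply  (run them against $CAS_SERVER_URL)
case "${1:-}" in
    plan)  DRY_RUN=1; cas_provision ;;
    apply) cas_provision ;;
esac
```

Run it with plan first and read the output: the ownership column (suGroup versus analysts/scientists) is the complete list of who can later change each entry, and the three grant lines are the complete access policy. Only then run apply; with set -e semantics a failing client command stops the script at the first error rather than leaving a half-built policy behind.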