GT 3.9.5 Authorization Framework: System Administrator's Guide
- Introduction
- Building and Installing
- Configuring
- Deploying
- Testing
- Security Considerations
- Troubleshooting
Introduction
This guide contains advanced configuration information for system administrators working with the Authorization Framework. It provides references to information on procedures typically performed by system administrators, including installation, configuring, deploying, and testing the installation.
This information is in addition to the basic installation instructions in the GT 3.9.5 System Administrator's Guide.
This component determines the authorization enforced on the server and the client side. Administrator configuration can include choosing the container or service level authorization mechanism, and setting up and managing authorization policy, for instance the entries in the gridmap file.
The Security Descriptors document describes configuring an authorization mechanism and also the configuration required for each of the schemes that are distributed with GT 3.9.5.
Building and Installing
This component is built and installed as a part of Java WS Core.
Configuring
Configuration overview
The authorization framework can be configured at resource, service or container level using security descriptors. The descriptors can be read from a file or created programmatically. Refer to Configuring security descriptors for more details.
The authorization configuration involves setting up a chain of authorization schemes (also known as Policy Decision Points (PDPs)) that are then evaluated to a permit/deny decision.
Syntax of the interface
Refer to Configuring authorization mechanism.
Deploying
This component is deployed as a part of Java WS Core.
Testing
To execute the security tests, ensure that Ant and JUnit are configured.
All the security tests require a valid credential. FILLME: some notes on how to get a user credential ?
The security tests are included in $GLOBUS_LOCATION/lib/wsrf_test_unit.jar, which contains all the other tests as well.
To execute the tests, pass the above jar file to the test script as described in the Java WS Core Developer's Guide. To ensure that only the security tests are run, set -DsecurityTestsOnly=true. This runs the WS Authentication and WS Authorization tests.
By default these tests require that the container and the tests run using the same credentials, i.e. self authorization is done on secure calls.
The tests also allow another configuration, in which the container is configured with host credentials and the tests are run with any credentials:
- Configure the container to use host credentials using a security descriptor as described in the container descriptor section.
- Edit $GLOBUS_LOCATION/etc/globus_wsrf_test_unit/server-config.wsdd
- Comment out the configured descriptor in SecurityTestService and AuthzCalloutTestService that specifies self authorization:
<!-- Does self authz by default -->
<!-- parameter name="securityDescriptor" value="@config.dir@/security-config.xml"/ -->
- Uncomment the configuration for identity authorization and set the value of the property idenAuthz-identity to the subject DN of the credentials used to run the tests:
<!-- For use only when identity authz is used-->
<parameter name="securityDescriptor" value="@config.dir@/identity-security-config.xml"/>
<parameter name="idenAuthz-identity" value="Identity used by client"/>
- To run the tests without starting up an external container, run
ant test -Dsecurity.test.client.authz=host
To run the tests against an external container started on localhost, secure on port 8180 and insecure on port 8181, the command would be
ant testServer -Dsecurity.test.client.authz=host -Dtest.server.url=http://127.0.0.1:8181/wsrf/services/ -Dsecure.test.server.url=https://127.0.0.1:8180/wsrf/services/
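The server-config.wsdd edits described above, as an added example that is not part of this guide or of the GT distribution: a Python script that switches both test services from self to identity authorization, pins idenAuthz-identity to the client DN, and re-parses the result to confirm that exactly one security descriptor is active per service. The WSDD sample is constructed from the fragments quoted above plus the Axis WSDD namespace; the real file contains more.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-in for etc/globus_wsrf_test_unit/server-config.wsdd in its default
# (self authorization) state; only the fragments quoted in the guide are modelled.
SAMPLE_WSDD = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
 <service name="SecurityTestService" provider="Handler" use="literal" style="document">
  <!-- Does self authz by default -->
  <parameter name="securityDescriptor" value="@config.dir@/security-config.xml"/>
  <!-- parameter name="securityDescriptor" value="@config.dir@/identity-security-config.xml"/ -->
  <!-- parameter name="idenAuthz-identity" value="Identity used by client"/ -->
 </service>
 <service name="AuthzCalloutTestService" provider="Handler" use="literal" style="document">
  <parameter name="securityDescriptor" value="@config.dir@/security-config.xml"/>
  <!-- parameter name="securityDescriptor" value="@config.dir@/identity-security-config.xml"/ -->
  <!-- parameter name="idenAuthz-identity" value="Identity used by client"/ -->
 </service>
</deployment>
"""

SERVICES = ("SecurityTestService", "AuthzCalloutTestService")
SELF_AUTHZ = 'name="securityDescriptor" value="@config.dir@/security-config.xml"'
IDENTITY_AUTHZ = 'name="securityDescriptor" value="@config.dir@/identity-security-config.xml"'
WSDD_NS = "{http://xml.apache.org/axis/wsdd/}"

def switch_to_identity_authz(wsdd: str, client_dn: str) -> str:
    """Return the WSDD text with the two test services moved from self to identity authz."""
    dn_attr = escape(client_dn, {'"': "&quot;"})  # keep the DN safe inside an XML attribute
    def rewrite(match):
        body = match.group(0)
        # Disable self authz, enable identity authz, then pin idenAuthz-identity to the client DN.
        body = body.replace(f"<parameter {SELF_AUTHZ}/>", f"<!-- parameter {SELF_AUTHZ}/ -->")
        body = body.replace(f"<!-- parameter {IDENTITY_AUTHZ}/ -->", f"<parameter {IDENTITY_AUTHZ}/>")
        return re.sub(r'<!-- parameter name="idenAuthz-identity" value="[^"]*"/ -->',
                      lambda _: f'<parameter name="idenAuthz-identity" value="{dn_attr}"/>', body)
    names = "|".join(SERVICES)
    pattern = rf'<service name="(?:{names})"[^>]*>.*?</service>'
    return re.sub(pattern, rewrite, wsdd, flags=re.S)

def active_params(wsdd: str) -> dict:
    """Map each service to its uncommented parameters; parsing also proves the edit left valid XML."""
    root = ET.fromstring(wsdd)  # the parser drops comments, so only live settings remain
    result: dict = {}
    for svc in root.iter(WSDD_NS + "service"):
        params = result.setdefault(svc.get("name"), {})
        for p in svc.findall(WSDD_NS + "parameter"):
            params.setdefault(p.get("name"), []).append(p.get("value"))
    return result
```

Run it against the real file with the DN printed by your credential tooling; a service that lists two securityDescriptor values in active_params still has the self authorization descriptor live.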
Security Considerations
[describe security considerations relevant for this component]
Troubleshooting
[help for common problems sysadmins may experience]