CAS allows a virtual organization to express policy regarding resources distributed across a number of sites. A CAS server issues assertions to the virtual organization users, granting them fine-grained access rights to resources. Servers recognize and enforce the assertions. CAS is designed to be extensible to multiple services and is currently supported by the GridFTP server.
There currently is no support for CAS-based authorization for web services.
Features new in GT 4.1.0:
- Support for OGSA-AuthZ Authorization Service interface
Other Supported Features
- File-level access control for GridFTP
- Issuance of SAML authorization decisions
The following changes have occurred for CAS since the last stable release, 4.0.2:
Grant all access to created groups disabled: Previous versions of CAS allowed a newly created group to be granted grantAll access to itself. This feature has been disabled to prevent recursive permission issues.
Update to OpenSAML 1.1: The service has been updated to use OpenSAML 1.1.
Command line client options: The command line client options have been changed to use options that are standard across the toolkit. Note that all features that were supported before are still supported, but some of the option names have changed.
- Bug 3259: Error parsing environment variables set for CAS clients.
- Bug 3371: CAS group delete fails if grant all permissions is made on newly created group.
- Bug 3648: CAS server not prepending ftp://<hostname> to the resource in the assertion
- Bug 3947: CAS Service must release all of its resources on deactivation
The following problems and limitations are known to exist for CAS at the time of the 4.1.0 release:
- Web Service Policy Handling: The current implementation does not lend itself well to supporting Web Service policy handling. While the service can be used with some ad hoc processing, it does not work seamlessly, especially when a standard interface like the OGSA AuthZ Callout is used. The expectation that object identifiers have two parts, namely the namespace names and object names, requires special handling. This is currently being addressed, and enhancements will be part of the next release.
The CAS service depends on the following GT components:
- WS Authentication and Authorization
- Java WS Core
The CAS GridFTP authorization module depends on the following GT components:
- Pre-WS Authentication and Authorization
The CAS service depends on the following 3rd party software:
The CAS GridFTP authorization module depends on the following 3rd party software:
Tested Platforms for CAS
- Windows XP
- Linux (Red Hat 7.3)
Tested Containers for CAS
- Java WS Core container
- Tomcat 5.0.30
Protocol changes in CAS since GT 4.0.2:
API changes since GT 4.0.2
- Added support for the OGSA-AuthZ authorization service interface. It does not affect any existing interfaces, and all interfaces from 4.0.2 are supported.
Exception changes since GT 4.0.2
Schema changes since GT 4.0.2
Associated standards for CAS: