Hyrax - Managed Access (Authorization): Difference between revisions

From OPeNDAP Documentation

Revision as of 14:01, 21 November 2014

Overview

The authentication and authorization mechanisms in both the Apache Web Server (httpd) and the Tomcat Servlet container are well documented and widely used.

We hope to address the following perceived shortcomings of the Apache product's authorization components:

  1. It is difficult to specify fine-grained access control policies for complex heterogeneous service stacks.
  2. There is no option to centralize the PDP so that multiple services can be controlled from a single policy profile.

A simple policy decision point (SimplePDP) was coded that can accommodate many different types of policies. A simple regex policy was implemented that uses regex matching to whitelist users, resources, HTTP verbs, and queries.

The remainder of this document describes how to get, build, install, configure, and run the Hyrax Managed Access prototype.

Terms

Authentication
This is the process of confirming the identity of the user. The end result is a User ID (uid or UID) which may be accessed by the software components via the Apache API (mod_*) or the Java Servlet API (Tomcat servlets); it is used to trigger authorization policy chains and may be logged along with relevant request information.
Authorization
Authorization is the function of specifying access rights to resources. A user may be authorized (some say permitted) to access a resource.
Identity Provider (IdP)
Also known as an Identity Assertion Provider, an Identity Provider (IdP) is a service that provides authentication and identity information services. An IdP is a kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.
Policy Administration Point (PAP)
Point which manages access authorization policies
Policy Decision Point (PDP)
Point which evaluates access requests against authorization policies before issuing access decisions
Policy Enforcement Point (PEP)
Point which intercepts a user's access request to a resource, makes a decision request to the PDP to obtain the access decision (i.e. whether access to the resource is approved or rejected), and acts on the received decision
Policy Information Point (PIP)
The system entity that acts as a source of attribute values (i.e. a resource, subject, environment)
Policy Retrieval Point (PRP)
Point where the XACML access authorization policies are stored, typically a database or the filesystem.
Service Provider (SP)
A Service Provider (SP) is a Web Service that utilizes an IdP service to determine the identity of its users. Or, more broadly, a role donned by a system entity where the system entity provides services to principals or other system entities.


See Service Providers, Identity Providers & Security Token Services explained for more.


Requirements

  • JDK-1.6.x or higher for your target system.
  • ANT 1.7.0 or newer
  • Hyrax 1.9.7 or greater

Git

  • Download the managed-access branch of the OLFS from GitHub.
The branch is here: https://github.com/OPENDAP/olfs/tree/managed-access
And the download URL is: https://github.com/OPENDAP/olfs/archive/managed-access.zip
  • Unzip the file, open a terminal (if you haven't yet), and cd into the managed-access directory that was created when you unzipped the file.

Build

  • In your terminal enter the command
ant -f server
If successful, this will create the file build/dist/opendap.war

Install

  • Copy the new WebArchive (.war) file into the Tomcat web apps directory
cp build/dist/opendap.war $CATALINA_HOME/webapps
  • Restart Tomcat

Web Service Configuration

  • Copy the configuration file from the web application into the Hyrax persistent content directory:
cp $CATALINA_HOME/webapps/opendap/initialContent/PEPFilter.xml $CATALINA_HOME/content/opendap/
  • Edit the Hyrax web.xml file and make sure the PEPFilter config parameter's value is set to the fully qualified path to the file you copied in the previous step.

Example:

    <filter>
        <filter-name>PEP</filter-name>
        <filter-class>opendap.auth.PEPFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>/usr/local/hyrax/tomcat/content/opendap/PEPFilter.xml</param-value>
        </init-param>
    </filter>

This excerpt from the web.xml file shows the <filter> element. The PEPFilter will look for its configuration in the file: /usr/local/hyrax/tomcat/content/opendap/PEPFilter.xml

PEP/PDP Configuration

Edit the PEPFilter.xml file that you referenced in the web.xml file above. It should look something like this:

<PolicyEnforcementPointFilter>


    <!-- You can use a RemotePDP -->
    <!-- PolicyDecisionPoint class="opendap.auth.RemotePDP">
        <PDPServiceEndpoint>http://localhost:8080/pdp</PDPServiceEndpoint>
    </PolicyDecisionPoint -->


    <!-- You can use an in memory local PDP -->
    <PolicyDecisionPoint class="opendap.auth.SimplePDP">
        <Policy class="opendap.auth.RegexPolicy">
            <role>.*</role>
            <resource>.*(/|\.(css|png|jpg|ico|gif|xsl|jsp)|/contents.html|/catalog.html|/catalog.xml)$</resource>
            <queryString>.*$</queryString>
            <allowedAction>GET</allowedAction>
        </Policy>
        <Policy class="opendap.auth.RegexPolicy">
            <role>guest</role>
            <resource>.*\.(dds|html|das|ddx)$</resource>
            <queryString>.*$</queryString>
            <allowedAction>GET</allowedAction>
        </Policy>
        <Policy class="opendap.auth.RegexPolicy">
            <role>manager</role>
            <resource>.*$</resource>
            <queryString>.*$</queryString>
            <allowedAction>GET</allowedAction>
            <allowedAction>POST</allowedAction>
        </Policy>
        <Memberships>
           <group id="guest" >
               <user id="GUEST" />
           </group>
           
           <group id="users" >
               <user id="ndp_opendap" />
               <user id="jhrg" />
           </group>
           
           <group id="cmip" >
               <user id="ndp_opendap" />
           </group>
    
           <group id="managers" >
               <user id="root" />
               <user id="ndp_opendap" />
               <user id="jhrg" />
           </group>
    
           <role id="manager">
               <group id="managers" />
               <group id="cmip" />
           </role>
    
           <role id="guest">
               <group id="guest" />
           </role>
    
        </Memberships>
    </PolicyDecisionPoint>
</PolicyEnforcementPointFilter>

The PEP must be associated with a PDP. In this example the PEP is configured to use an in-memory instance of the SimplePDP class.

Policy Decision Point

The PolicyDecisionPoint element identifies the PDP that will be used by the PEP filter, and provides the configuration for the PDP class referenced.

This PolicyDecisionPoint element identifies the opendap.auth.SimplePDP class as the PDP to use.

    <PolicyDecisionPoint class="opendap.auth.SimplePDP">
        .
        .
        .
    </PolicyDecisionPoint>

Here, the SimplePDP class is identified as the PDP implementation to use. The contents of the PolicyDecisionPoint element are the specific configuration components for the named class, in this case opendap.auth.SimplePDP.

SimplePDP

Policy

        <Policy class="opendap.auth.RegexPolicy">
            <role>.*</role>
            <resource>.*(/|\.(css|png|jpg|ico|gif|xsl|jsp)|/contents.html|/catalog.html|/catalog.xml)$</resource>
            <queryString>.*$</queryString>
            <allowedAction>GET</allowedAction>
        </Policy>
        <Policy class="opendap.auth.RegexPolicy">
            <role>guest</role>
            <resource>.*\.(dds|html|das|ddx)$</resource>
            <queryString>.*$</queryString>
            <allowedAction>GET</allowedAction>
        </Policy>
        <Policy class="opendap.auth.RegexPolicy">
            <role>manager</role> <!-- a role id declared in <Memberships> below; matches the full PEPFilter.xml above -->
            <resource>.*$</resource>
            <queryString>.*$</queryString>
            <allowedAction>GET</allowedAction>
            <allowedAction>POST</allowedAction>
        </Policy>

Memberships: Users, Groups, and Roles

        <Memberships>
           <group id="guest" >
               <user id="GUEST" />
           </group>
           
           <group id="users" >
               <user id="ndp_opendap" />
               <user id="jhrg" />
           </group>
           
           <group id="cmip" >
               <user id="ndp_opendap" />
           </group>
    
           <group id="managers" > <!-- the id the "manager" role references below; a mismatch would silently grant nothing -->
               <user id="root" />
               <user id="ndp_opendap" />
               <user id="jhrg" />
           </group>
    
           <role id="manager">
               <group id="managers" />
               <group id="cmip" />
           </role>
    
           <role id="guest">
               <group id="guest" />
           </role>
    
        </Memberships>
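As an added example (not code from the OLFS project), the following Python models how the RegexPolicy entries and the Memberships section above combine to decide a request: the user id is resolved through groups to roles, and a request is allowed only if some policy's role, resource and queryString regexes all match and the HTTP verb is one of its allowedAction values. Full-match regex semantics, evaluating an unauthenticated request as user GUEST, and treating a user who holds no role as matching no policy are assumptions for illustration, not verified against opendap.auth. The lint at the end flags a role that references a group id no group element defines, which denies silently rather than failing loudly.

```python
# Added example (not OLFS code): a Python model of the SimplePDP/RegexPolicy
# evaluation shown above.  Assumed, not verified against opendap.auth: regexes are
# full-matched, an unauthenticated request is evaluated as user "GUEST", a user
# holding no role matches no policy, and any single matching policy allows.
import re
import xml.etree.ElementTree as ET
# Constructed sample trimmed from PEPFilter.xml above; group "cmip" is left undefined.
PEP_XML = r"""<PolicyEnforcementPointFilter>
 <PolicyDecisionPoint class="opendap.auth.SimplePDP">
  <Policy class="opendap.auth.RegexPolicy"><role>.*</role><queryString>.*$</queryString>
   <resource>.*(/|\.(css|png|jpg|ico|gif|xsl|jsp)|/contents.html|/catalog.html|/catalog.xml)$</resource>
   <allowedAction>GET</allowedAction></Policy>
  <Policy class="opendap.auth.RegexPolicy"><role>guest</role><queryString>.*$</queryString>
   <resource>.*\.(dds|html|das|ddx)$</resource><allowedAction>GET</allowedAction></Policy>
  <Policy class="opendap.auth.RegexPolicy"><role>manager</role><queryString>.*$</queryString>
   <resource>.*$</resource><allowedAction>GET</allowedAction><allowedAction>POST</allowedAction></Policy>
  <Memberships><group id="guest"><user id="GUEST"/></group>
   <group id="managers"><user id="root"/><user id="jhrg"/></group>
   <role id="manager"><group id="managers"/><group id="cmip"/></role>
   <role id="guest"><group id="guest"/></role></Memberships>
 </PolicyDecisionPoint>
</PolicyEnforcementPointFilter>"""

def load(xml_text):
    pdp = ET.fromstring(xml_text).find("PolicyDecisionPoint")
    policies = [(p.findtext("role"), p.findtext("resource"), p.findtext("queryString"),
                 {a.text for a in p.findall("allowedAction")}) for p in pdp.findall("Policy")]
    mem = pdp.find("Memberships")
    groups = {g.get("id"): {u.get("id") for u in g.findall("user")} for g in mem.findall("group")}
    roles = {r.get("id"): {g.get("id") for g in r.findall("group")} for r in mem.findall("role")}
    return policies, groups, roles

def roles_of(uid, groups, roles):
    """user -> groups -> roles; a role referencing only undefined groups grants nothing."""
    mine = {gid for gid, users in groups.items() if uid in users}
    return {rid for rid, gids in roles.items() if mine & gids}

def is_allowed(uid, resource, query, verb, cfg):
    policies, groups, roles = cfg
    held = roles_of(uid or "GUEST", groups, roles)   # anonymous request == GUEST (assumption)
    for role_rx, res_rx, q_rx, verbs in policies:
        if (verb in verbs and re.fullmatch(res_rx, resource) and re.fullmatch(q_rx, query)
                and any(re.fullmatch(role_rx, r) for r in held)):
            return True
    return False                                     # no policy matched: deny

def dangling_groups(cfg):
    """Lint: group ids referenced by a <role> but defined by no <group> (silent denial)."""
    _, groups, roles = cfg
    return sorted(set().union(*roles.values()) - set(groups))
```

Running dangling_groups against a real PEPFilter.xml is a cheap pre-deployment check for the kind of group/role id mismatch that otherwise only shows up as unexplained 403s.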