

ETICS Privacy Authorization Authentication


Plans, Dates and Status

Status


01.10.2009 - access filter is implemented.


Usage:
- The filter acts only on requests that arrive over HTTPS. Requests over plain HTTP are passed through without any check, so HTTP must be disabled in Tomcat for the filter to be effective.

- It runs for every single request to the server (all web applications and web services).

- It reads the user table from the DB at startup and builds an access list in memory, so the normal request path needs no DB access.

- It grants access to every certificate DN that is present AND ACTIVE in the database.

- If a DN is not found in the memory map, the filter reads the DB again and refreshes the map, in case the user was added in the meantime. If the DN is still not there, it is stored in the map as unauthorized, so that from that moment on no further DB read is needed for that DN.

- To summarize, the memory map contains:
  - DN present in the DB and active: DN->TRUE
  - DN present in the DB and not active: DN->FALSE
  - DN not present in the map: DB read; if still not found, DN->FALSE

- At the moment, removing a valid DN from the memory map requires a server restart after the DB update; until the restart the removed DN is still accepted.

- If a person is set to inactive, access is forbidden, but the user can re-activate himself if he still has his original activation email with the URL. It is therefore better to remove the DB entry.

- Only the user table is checked; there is no verification against the permission tables (userComponent, userConfiguration, userProject, etc.).

- The error returned is 403 (Forbidden) and the browser shows one of these messages:

The certificate with DN 'CN=Lorenzo Dini, CN=660909, CN=ldini, OU=Users, OU=Organic Units, DC=cern, DC=ch' is not authorized to access the ETICS services.

or

A valid certificate is needed to access the ETICS services.
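The following is an added example, not the ETICS project's own filter code, showing how a servlet Filter with the behaviour listed above can be written: an in-memory DN map loaded once from the user table, a single DB re-read on a cache miss, permanent negative caching, the HTTPS-only check, and the two 403 messages. The class name DnAccessFilter, the UserDao interface and the web.xml registration shown in the header comment are assumptions; a deployable filter also needs a no-arg constructor and would obtain its DAO (e.g. a JNDI DataSource) in init() rather than by constructor injection.

```java
// Added example (not ETICS code). Registration shape in $TOMCAT_HOME/conf/web.xml,
// inside <web-app> (package and class name are placeholders):
//
//   <filter>
//     <filter-name>DnAccessFilter</filter-name>
//     <filter-class>org.example.DnAccessFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>DnAccessFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class DnAccessFilter implements Filter {

    /** Hypothetical accessor for the ETICS user table: certificate DN -> active flag. */
    public interface UserDao {
        Map<String, Boolean> loadAll();
    }

    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String NO_CERT_MSG =
        "A valid certificate is needed to access the ETICS services.";

    private final UserDao dao;
    // DN -> TRUE (present and active), FALSE (inactive, or absent when last checked)
    private final ConcurrentHashMap<String, Boolean> accessList = new ConcurrentHashMap<>();

    public DnAccessFilter(UserDao dao) {
        this.dao = dao;
    }

    @Override
    public void init(FilterConfig cfg) {
        accessList.putAll(dao.loadAll()); // one DB read at startup
    }

    /** Decision logic, kept apart from the servlet plumbing. */
    boolean isAuthorized(String dn) {
        Boolean allowed = accessList.get(dn);
        if (allowed == null) {
            // Unknown DN: re-read the user table once, in case the user was added meanwhile ...
            accessList.putAll(dao.loadAll());
            // ... and if still absent, cache a negative answer so no further DB reads happen.
            allowed = accessList.computeIfAbsent(dn, k -> Boolean.FALSE);
        }
        // Entries are never evicted: a row deleted from the user table stays TRUE here
        // until the server is restarted, as noted in the status section.
        return allowed;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTPS requests are checked; plain HTTP passes untouched, hence HTTP must be
        // disabled in Tomcat or the filter is bypassed.
        if (!req.isSecure()) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse http = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, NO_CERT_MSG);
            return;
        }
        // The string form must match the DNs stored in the user table exactly. The 403 text
        // on this page shows the ", "-separated form, so the RFC 1779 rendering is used here.
        String dn = certs[0].getSubjectX500Principal().getName(X500Principal.RFC1779);
        if (!isAuthorized(dn)) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN,
                "The certificate with DN '" + dn + "' is not authorized to access the ETICS services.");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        accessList.clear();
    }
}
```

The DN comparison is a plain string lookup, so the value entered in the user table has to be character-for-character the form the server produces (the form printed in the 403 message); a DN copied from `openssl` in its slash-separated form would not match.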


CONFIGURATION:

- Copy the two attached JARs into $TOMCAT_HOME/common/lib.

- Add the following lines to $TOMCAT_HOME/conf/web.xml inside the root tag <web-app>:


Experiences during usage:
HTTP access can be disabled completely in the following way:

1. Restrict access to HTTPS only in https.conf.
2. Add the DNs of the server certificates to the user table of the ETICS DB. This is important for remote builds; otherwise the client cannot access the server.
3. Add the DNs of the authorized persons to the user table of the ETICS DB.

Limitation: the etics.conf located in the src directory of org.etics.build-system.client-py has default settings which do not point to any certificate and use HTTPS as the standard protocol.

After enabling the access filter, the ETICS client therefore cannot access the server: no valid certificate can be found and HTTP access is disabled.


Solution:
1. Modify the etics.conf in your local archive so that it points by default to the correct certificates of the worker node (always expected under /etc/grid-security).
2. Insert the user DN of the worker node's certificate into the user table and set it active. The WN can now identify itself to the ETICS server as an authorized user (build machine).

Topic revision: r3 - 2010-11-11 - MatthiasStein