ETICS Privacy Authorization Authentication
Short Description of the Task
Write here a description of the goals, input and output, and completion of the task and topics.
Useful Links
Links to documents, attached material needed, external resources, examples, etc.
Requirements, Ideas, Constraints, etc.
Any requirement and from where it comes
Open Issues
Plans, Dates and Status
Status
General status and current versions, tags, configuration.
01.10.2009 - access filter is implemented.
Usage:
- Works only when HTTPS is used. No action if HTTP is used (HTTP can be disabled in Tomcat).
- It works for EACH single request to the server (all apps and ws).
- It reads the DB at start and creates an access list in memory for high performance.
- It allows access to all the certificate DNs available AND ACTIVE in the database.
- If a user DN is not present in the memory map, it reads the DB again and refreshes the map to check whether the DN has been added in the meanwhile. If the DN is still not there, it adds it to the memory map as unauthorized so that from that moment on no DB read is needed anymore.
- To summarize - memory map content:
  - DN present in DB and active: DN->TRUE
  - DN present in DB and not active: DN->FALSE
  - DN not present in cache: DB read and if not there DN->FALSE
- At the moment removing a valid DN from the memory map requires a server restart after the DB update.
- If the person is set as inactive the access is forbidden, but the user can re-activate himself if he still has his original activation email with the URL; it is better to remove the DB entry.
- Only the user table is checked, no verification on the permission tables (userComponent, userConfiguration, userProject, etc.).
- The error sent is 403 (Forbidden) and the browser shows one of these errors:
  The certificate with DN 'CN=Lorenzo Dini, CN=660909, CN=ldini, OU=Users, OU=Organic Units, DC=cern, DC=ch' is not authorized to access the ETICS services.
  or
  A valid certificate is needed to access the ETICS services.
CONFIGURATION:
- copy the two attached JARs into $TOMCAT_HOME/common/lib
- add the following lines to $TOMCAT_HOME/conf/web.xml inside the root tag <web-app>
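As an added illustration, not the ETICS project's own filter code (which ships in the attached JARs), the following Java servlet filter reproduces the behaviour listed under Usage: no action on plain HTTP, a DN-to-boolean memory map loaded from the user table at start, a re-read of the DB on a cache miss with unknown DNs cached as unauthorized, and a 403 carrying one of the two messages above. The `UserTable` interface, the `InMemoryUserTable` stand-in and its sample DNs are assumptions constructed for this example; a real deployment would back `UserTable` with the ETICS DB.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Added example of a DN access filter with the semantics described on this page; not the ETICS code. */
public class DnAccessFilter implements Filter {

    /** Assumed abstraction of the user table: TRUE = present and active, FALSE = present but inactive, null = absent. */
    public interface UserTable {
        Map<String, Boolean> loadAll();   // full read at start
        Boolean lookup(String dn);        // single re-read on a cache miss
    }

    /** Constructed in-memory table standing in for the DB (the sample DNs are invented). */
    public static class InMemoryUserTable implements UserTable {
        private final Map<String, Boolean> rows = new HashMap<>();
        public InMemoryUserTable() {
            rows.put("CN=active user,OU=Users,DC=example,DC=org", Boolean.TRUE);
            rows.put("CN=inactive user,OU=Users,DC=example,DC=org", Boolean.FALSE);
        }
        public Map<String, Boolean> loadAll() { return new HashMap<>(rows); }
        public Boolean lookup(String dn) { return rows.get(dn); }
    }

    private final UserTable userTable;
    // Memory map: DN -> TRUE (authorized) / FALSE (inactive or unknown).
    // Entries are never evicted, so removing a DN from the DB takes effect only after a restart.
    private final Map<String, Boolean> cache = new ConcurrentHashMap<>();

    public DnAccessFilter() { this(new InMemoryUserTable()); }   // no-arg constructor for web.xml
    public DnAccessFilter(UserTable userTable) { this.userTable = userTable; }

    @Override
    public void init(FilterConfig cfg) { cache.putAll(userTable.loadAll()); }   // DB read once at start

    /** Decision per DN: only a DN present in the DB and active is authorized. */
    public boolean isAuthorized(String dn) {
        Boolean decision = cache.get(dn);
        if (decision == null) {
            // cache miss: re-read the DB in case the DN was added in the meanwhile;
            // an absent or inactive DN is cached as FALSE so no further DB read is needed for it
            decision = Boolean.TRUE.equals(userTable.lookup(dn));
            cache.put(dn, decision);
        }
        return decision;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!req.isSecure()) {                 // plain HTTP: no action, as on the page
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse response = (HttpServletResponse) res;
        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "A valid certificate is needed to access the ETICS services.");
            return;
        }
        String dn = certs[0].getSubjectX500Principal().getName();   // RFC 2253 form of the subject
        if (!isAuthorized(dn)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "The certificate with DN '" + dn + "' is not authorized to access the ETICS services.");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { cache.clear(); }
}
```

Two points to check when wiring such a filter in: the string form of the DN (RFC 2253 from `getSubjectX500Principal()`, versus the legacy `getSubjectDN().getName()` format with spaces after the commas, as in the error message quoted above) must match exactly what the user table stores, otherwise every real user is cached as unauthorized; and because the map is only refreshed on a miss, a DN that was cached as FALSE (inactive at start, or unknown at first request) stays FALSE until the server restarts, which is the restart limitation noted under Usage. The filter is registered through a `<filter>` and `<filter-mapping>` pair in web.xml, matching the CONFIGURATION step above.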
Experiences during usage:
Complete disabling of http access can be achieved in the following way:
1. restrict access to https only in https.conf.
2. Add the DNs of the server certificates to the user table of the ETICS DB. This is important for remote builds, otherwise the client cannot access the server.
3. Add the DNs of the authorized persons to the user table of the ETICS DB.
Limitation:
the etics.conf located in the src directory of org.etics.build-system.client-py has default settings, which
- do not point to any certificate
- use https as standard protocol.
After implementing the access filters, the ETICS client cannot access the server, as no valid certificates can be found and http access is disabled.
Solution:
1. modify the etics.conf in your local archive in such a way that it points by default to the correct certificates of the worker node (which are always expected under /etc/grid-security)
2. insert the userDN of the certificate of the WN in the user table and make it active. Now the WN can identify itself at the etics-server as an authorized user (build machine).
Ongoing work, etc
Future improvements
- date: item:
- date: item
- date: item
Done
- date: item:
- date: item
- date: item