CSM Integration into Introduce


Introduce 1.3 and newer supports authorization plugins that allow the Introduce PDP to be extended with additional authorization techniques. The CSM Authorization Plugin is an Introduce Authorization Extension that enables Introduce-generated services to leverage an installation of the CSM to protect access at the service, method, and resource level. Introduce 1.3 supports the CSM 4.X release. Introduce enables the grid service to be configured to use the CSM API to check user access based on the triplet of protection element, user id, and privilege, which is validated against the CSM. For more information on how the CSM works, please refer to the CSM documentation at http://ncicb.nci.nih.gov/NCICB/infrastructure/cacore_overview/csm .


CSM Integration


The CSM Authorization Plugin allows the CSM to be used to authorize access at the service, method, and resource level. The integration uses the AuthorizationManager of the CSM API to call into the CSM and ask whether a particular grid service user has a particular kind of access to a particular protection element. Three attributes are used for authorization (user id, protection element, and privilege). How each of these three attribute values is generated or provided for use in the authorization process is described below.

User Mapping

The CSM Authorization Plugin uses the grid identity of the caller as the user id to pass into the CSM for authorization. The grid identity of every expected caller must therefore be added to the CSM being used, by adding the identity string as a new user id in the CSM. For instance, if the grid user Jim Smith wanted access to a particular protection element, the CSM would have to contain a user with the id /O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=jsmith, and that user would have to be associated with the particular protection elements they should have access to.

Protection Element Usage

Introduce enables the user to determine which protection element is used to decide whether or not access is granted. When building the grid service the user can choose from standard types of protection elements such as:

  1. Service - protection element id must be in the form of <ServiceName> for service level and <ServiceName>:<MethodName> for method level.
  2. ServiceURI - protection element id must be in the form of <ServiceDeploymentURL> for service level and <ServiceDeploymentURL>:<MethodName> for method level.

If one of these types of protection element is chosen, the CSM is expected to be populated with the corresponding protection elements so that the CSM API query passes or fails based on the check against that particular protection element. This can be done with the UPT tool from the CSM. If the user does not want to use these types of protection elements but would rather map to existing elements or create custom ones, the user can select Custom Protection Element in the drop-down on the Introduce CSM Authorization tab and enter the id of the protection element manually.

Privilege Usage

Introduce enables mapping to the standard types of access rights (privileges) that are found in the CSM. The user selects the privilege in the drop-down.
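As an added illustration (not the plugin's own source), the following Java snippet shows the triplet check the three sections above describe: it builds the protection element id in the Service or ServiceURI form and asks the CSM AuthorizationManager whether the caller's grid identity holds the privilege on it. It assumes the CSM 4.x API classes gov.nih.nci.security.SecurityServiceProvider and gov.nih.nci.security.AuthorizationManager with checkPermission(userName, objectId, privilege); the application context name passed in must match the <context-name> configured in ApplicationSecurityConfig.xml, and the service name, method name and privilege are constructed sample values.

```java
import gov.nih.nci.security.AuthorizationManager;
import gov.nih.nci.security.SecurityServiceProvider;
import gov.nih.nci.security.exceptions.CSException;

/** Hypothetical helper mirroring the (user id, protection element, privilege) check. */
public class CsmTripletCheck {

    /** Protection element id styles offered in the Introduce CSM Authorization tab. */
    public enum ElementType { SERVICE, SERVICE_URI, CUSTOM }

    /** Builds <ServiceName>[:<MethodName>] or <ServiceDeploymentURL>[:<MethodName>];
     *  a custom id is used verbatim, exactly as entered in the tab. */
    static String protectionElementId(ElementType type, String serviceName, String serviceUrl,
                                      String methodName, String customId) {
        String base;
        switch (type) {
            case SERVICE:     base = serviceName; break;
            case SERVICE_URI: base = serviceUrl;  break;
            default:          return customId;
        }
        return (methodName == null) ? base : base + ":" + methodName;
    }

    /** Asks the CSM whether the caller's grid identity (the CSM user id) holds the
     *  privilege on the protection element. Any CSM failure is a denial (fail closed). */
    static boolean isAuthorized(String applicationContext, String gridIdentity,
                                String protectionElementId, String privilege) {
        if (gridIdentity == null || gridIdentity.isEmpty()) {
            return false; // an anonymous caller maps to no CSM user
        }
        try {
            // applicationContext must equal the <context-name> in ApplicationSecurityConfig.xml
            AuthorizationManager am = SecurityServiceProvider.getAuthorizationManager(applicationContext);
            return am.checkPermission(gridIdentity, protectionElementId, privilege);
        } catch (CSException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: method-level Service id, the DN from the User Mapping section, READ privilege
        String pe = protectionElementId(ElementType.SERVICE, "TrainingService", null, "getData", null);
        boolean ok = isAuthorized("cagrid_csm",
                "/O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=jsmith", pe, "READ");
        System.out.println(pe + " READ -> " + (ok ? "granted" : "denied"));
    }
}
```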

Container Configuration

The CSM Authorization plugin for Introduce needs to communicate with the CSM database to determine whether authorization succeeds. For the deployed service to do this, the container the service runs in must be properly configured. Ask your CSM administrator for the ApplicationSecurityConfig.xml and hibernate.cfg.xml files that are required to communicate with the CSM. Below are examples of these files. ApplicationSecurityConfig.xml points to the hibernate.cfg.xml file, so be sure the <hibernate-config-file> path inside ApplicationSecurityConfig.xml is set appropriately for where these files will reside on the machine.
Once these files have been obtained, placed on the machine where appropriate, and further configured if necessary, the next step is to set a property in the container so that the CSM API can find the ApplicationSecurityConfig.xml file. In caGrid we support both Tomcat and JBoss. Be sure to do this configuration before trying to use the service in the container, and restart the container after these changes have been made. Below are descriptions of how to set the system property on either container:

Application Security Configuration

<security-config>
 <upt-context-name>csmupt</upt-context-name>
 <application-list>
 <!-- For every application using the security api an entry should be made here -->
  <application>
   <context-name>cagrid_csm</context-name>
   <authorization>
    <authorization-provider-class></authorization-provider-class>
    <hibernate-config-file>/Users/hastings/Desktop/cagrid_csm.new.csm.hibernate.xml</hibernate-config-file>
   </authorization>
  </application>
 </application-list>
</security-config>


Hibernate Configuration

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE hibernate-configuration PUBLIC  "-//Hibernate/Hibernate Configuration DTD  2.0//EN"
"http://hibernate.sourceforge.net/hibernate-configuration-2.0.dtd">
<hibernate-configuration>
    <session-factory>
        <property name="connection.url">jdbc:mysql://csm.bmi.ohio-state.edu:3306/csm_db</property>
        <property name="dialect">org.hibernate.dialect.MySQLDialect</property>
        <property name="connection.username">foo</property>
        <property name="connection.password">bar</property>
        <property name="connection.driver_class">org.gjt.mm.mysql.Driver</property>
        <property name="hibernate.show_sql">false</property>
        <property name="connection.zeroDateTimeBehavior">convertToNull</property>
        <property name="hibernate.cache.use_query_cache">false</property>
        <property name="hibernate.cache.use_second_level_cache">false</property>

        <mapping resource="gov/nih/nci/security/authorization/domainobjects/Privilege.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/authorization/domainobjects/Application.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/authorization/domainobjects/FilterClause.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/authorization/domainobjects/Role.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/dao/hibernate/RolePrivilege.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/dao/hibernate/UserGroup.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/dao/hibernate/ProtectionGroupProtectionElement.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/authorization/domainobjects/Group.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/authorization/domainobjects/User.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/authorization/domainobjects/ProtectionGroup.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/authorization/domainobjects/ProtectionElement.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/authorization/domainobjects/UserGroupRoleProtectionGroup.hbm.xml"/>
        <mapping resource="gov/nih/nci/security/authorization/domainobjects/UserProtectionElement.hbm.xml"/>
    </session-factory>
</hibernate-configuration>


JBoss

In your <JBOSS_HOME>/server/default/deploy/properties-service.xml add the system property gov.nih.nci.security.configFile under the SystemProperties mbean:

<attribute name="Properties">
     gov.nih.nci.security.configFile=<path to ApplicationSecurityConfig.xml>
</attribute>


Tomcat

In Tomcat add the system property gov.nih.nci.security.configFile to the <CATALINA_HOME>/conf/catalina.properties file:

     gov.nih.nci.security.configFile=<path to ApplicationSecurityConfig.xml>

Last edited by Justin Permar (1179 days ago)