SWITCH Group Management Tool - SWITCH Forge

SWITCH Group Management Tool
Lukas Hämmerle
July 8, 2009

Abstract

The 'Group Management Tool' (GMT) is a light-weight Shibboleth-protected web application for managing groups of users in order to restrict access to web server directories or web application functions. The tool is used to create and manage groups of users and their roles, which web applications can then use to make access control decisions. The GMT is not an enterprise-level tool; it is aimed at smaller groups and applications. Local or remote web applications can authorize users with the GMT, either through automatically generated Apache .htaccess or XMLAccessControl files or over an API that can also securely query the GMT from remote hosts. This document describes the GMT's features and how to create and manage groups.


Contents

1 Introduction 3
2 Installation 3
  2.1 Upgrade 3
  2.2 Security Remarks 3
3 Roles and Role classes 5
4 Using the GMT 6
  4.1 Adding New Groups 6
  4.2 Modifying Group Settings 7
  4.3 Adding Users to Groups 8
  4.4 Managing groups 11
  4.5 Assigning Global or Group Administrators 12
  4.6 Removing Groups 13
  4.7 Logging 13
5 Protecting Applications 14
  5.1 Protecting Local Applications with Apache 14
  5.2 Protecting Remote Applications 15
6 GMT File Format 17

1 Introduction

The Group Management Tool [1] (GMT) is a PHP [6] web application that allows administrators to create and manage groups of users. Using an API, web applications running locally or on remote hosts can use the GMT to make access control decisions. The GMT doesn't require a

5.1 Protecting Local Applications with Apache

Each time a member is added to or removed from a group, the associated .htaccess or XMLAccessControl files are updated (provided the web server user has write privileges on them). After the GMT has created the files initially, they can be modified by hand in order to add statements outside the group blocks. A Global Administrator can also have a single .htaccess or XMLAccessControl file that contains multiple groups, which gives additional flexibility to shape the authorization files as needed. The .htaccess and XMLAccessControl files are not removed even when every connection between a group and an authorization file has been disconnected; in that case the files still contain default placeholder rules like those in the two examples above.
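The update behaviour described above, as an added example that is not part of the GMT's own code: a group's block is regenerated in place while hand-written statements outside the block survive. The marker comments ('# BEGIN GMT group <name>' / '# END GMT group <name>'), the Shibboleth-style 'require user <id>' member lines and the placeholder rule for an empty group are assumptions, since the document does not show the generated file; the sample .htaccess is constructed for the example. It is written in Python rather than PHP so it runs stand-alone.

```python
"""Regenerate the managed group block of an Apache .htaccess file.

Added example, not GMT code. Assumed layout (not from the document): the
managed part is delimited by marker comments, members are written as
'require user <id>' lines, and an empty group gets a placeholder.
"""
import re
from typing import Iterable

BEGIN = "# BEGIN GMT group {name}"
END = "# END GMT group {name}"
# Assumed placeholder for a group without members: it documents the state and
# keeps a 'require user' line that can never match a real user id.
PLACEHOLDER = ["# GMT placeholder: group has no members",
               "require user nobody@gmt.invalid"]

# Conservative patterns: a member id or group name that fails them could
# otherwise smuggle a newline, and with it an extra Apache directive, into
# the file. fullmatch() is used on purpose; '$' would accept a trailing '\n'.
_ID_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")
_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")

# Constructed sample file: one managed block plus a hand-written rule.
SAMPLE_HTACCESS = """AuthType shibboleth
ShibRequireSession On
# BEGIN GMT group project-x
require user alice@example.org
# END GMT group project-x
# hand-written rule kept outside the managed block
require user admin@example.org
"""


def is_safe_member_id(uid: str) -> bool:
    return _ID_RE.fullmatch(uid) is not None


def render_block(name: str, members: Iterable[str]) -> str:
    """Return the managed block for one group (members sorted, deduplicated)."""
    if _NAME_RE.fullmatch(name) is None:
        raise ValueError(f"refusing to use group name {name!r} in a marker")
    lines = [BEGIN.format(name=name)]
    ids = sorted(set(members))
    if not ids:
        lines.extend(PLACEHOLDER)
    for uid in ids:
        if not is_safe_member_id(uid):
            raise ValueError(f"refusing to write suspicious member id {uid!r}")
        lines.append(f"require user {uid}")
    lines.append(END.format(name=name))
    return "\n".join(lines)


def update_htaccess(current: str, name: str, members: Iterable[str]) -> str:
    """Replace the group's block in `current`, keeping everything outside it.

    A group with no block yet is appended, so statements written by hand
    before or after the managed blocks survive later regenerations.
    """
    block = render_block(name, members)
    begin, end = BEGIN.format(name=name), END.format(name=name)
    # The newlines around the markers keep 'project-x' from matching inside
    # the markers of a group called 'project-x2'.
    pattern = re.compile(
        re.escape(begin) + r"\n(?:.*?\n)?" + re.escape(end) + r"(?=\n|\Z)",
        re.DOTALL,
    )
    if pattern.search(current):
        return pattern.sub(lambda _m: block, current, count=1)
    if begin + "\n" in current:
        raise ValueError(f"unterminated block for group {name!r}")
    sep = "" if current == "" or current.endswith("\n") else "\n"
    return current + sep + block + "\n"
```

Anything placed inside the markers by hand is overwritten on the next membership change, which is why the document says additional statements belong outside the group blocks; the id and name checks matter because the file is rewritten with the web server user's privileges and is interpreted as Apache configuration.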

5.2 Protecting Remote Applications

Applications on remote hosts, or local applications that are not straightforward to protect with Apache .htaccess files, can use the GMT modules for PERL [3], PHP [6] and Java [5] in order to access the group information. The applications only have to import the object that provides the following read functions:

Figure 13: Associated .htaccess files

• Is a user U in a group G?
• Get all groups of a user U
• Get the group administration URL of group G
• Get the application URL of group G
• Get all available roles
• Get all available groups
• Get all known users
• Get user data of user U
• Get all users with role R of group G
• Get all users of group G
• Return the status code of the last operation
• Return the error message of the last operation, if there was any

In addition it is also possible to execute the following write functions:

• Add a new group G
• Remove group G
• Register a new user U with given name, surname and email
• Add user U to group G with role R
• Remove user U from group G
• Set role to R for user U in group G
• Get all known users
• Set application URL of group G to U

To get an idea of how to use the modules, have a look at the example scripts in the 'AAIgmt/modules' directory. These scripts are generated automatically during installation. Also have a look at the 'API-README' file, which contains the specification of the modules. To secure queries from remote hosts, the modules can be configured to use either https queries or http queries with RC4 [4] shared-key encryption. A random 512-bit key is generated during the installation process, together with two example scripts that illustrate the use of the modules. Note that RC4 has since been deprecated (RFC 7465 prohibits it in TLS) and that shared-key encryption on its own protects only the confidentiality of a query, not its integrity, so the https mode should be preferred. In addition, the IP addresses of the hosts allowed to query the GMT interface must be configured in the configuration file, and hosts that are allowed to execute write queries must be listed specifically in the configuration.
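The two protections described above, the per-host allow-lists for read and write queries and the shared-key transport, as an added example that is not the GMT's PERL/PHP/Java modules. The function names are the read and write operations from the lists above; the configuration layout (separate read and write host lists, a 512-bit shared key) and the query encoding are assumptions, the sample hosts use RFC 5737 documentation addresses, and the RC4 routine is a textbook implementation included only to show what an encrypt-only shared-key mode does and does not protect. The block also goes one step beyond the text by showing the integrity check (encrypt-then-MAC) that the encrypt-only mode lacks.

```python
"""Authorising and protecting remote GMT-style queries.

Added example, not the GMT modules. Configuration layout, query encoding and
the seal/open construction are assumptions; READ_FUNCTIONS/WRITE_FUNCTIONS
mirror the operations listed in the document.
"""
import hashlib
import hmac
import ipaddress

READ_FUNCTIONS = {
    "is_user_in_group", "get_groups_of_user", "get_group_admin_url",
    "get_application_url", "get_all_roles", "get_all_groups",
    "get_all_users", "get_user_data", "get_users_with_role",
    "get_users_of_group", "get_status_code", "get_error_message",
}
WRITE_FUNCTIONS = {
    "add_group", "remove_group", "register_user", "add_user_to_group",
    "remove_user_from_group", "set_user_role", "set_application_url",
}

# Constructed sample configuration. The installer generates the 512-bit key
# at random; a fixed one is derived here so the example is reproducible.
CONFIG = {
    "read_hosts": ["192.0.2.10", "192.0.2.11", "198.51.100.5"],
    "write_hosts": ["192.0.2.10"],
    "key": hashlib.sha512(b"constructed sample key, not an installed one").digest(),
}


def authorize(config, client_ip, function):
    """Return True if the client host may call `function`.

    Unknown function names are refused, and a write function requires the
    host to be in the separate (shorter) write list, mirroring the rule that
    write hosts must be listed explicitly. Note that a source IP check is
    only as strong as the network path: it does not identify the caller.
    """
    ip = ipaddress.ip_address(client_ip)
    readers = {ipaddress.ip_address(h) for h in config["read_hosts"]}
    writers = {ipaddress.ip_address(h) for h in config["write_hosts"]}
    if function in WRITE_FUNCTIONS:
        return ip in writers
    if function in READ_FUNCTIONS:
        return ip in readers or ip in writers
    return False


def rc4(key, data):
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def flip(ciphertext, offset, known, wanted):
    """Make the plaintext bytes `known` at `offset` decrypt to `wanted`.

    Needs no key: with any stream cipher the ciphertext is plaintext XOR
    keystream, so XORing in (known ^ wanted) changes what the receiver
    decrypts. This is the property an encrypt-only mode leaves unguarded.
    """
    ct = bytearray(ciphertext)
    for k, (a, b) in enumerate(zip(known, wanted)):
        ct[offset + k] ^= a ^ b
    return bytes(ct)


def _subkeys(key):
    # Separate encryption and authentication keys derived from the shared
    # secret (assumed construction, not the modules' wire format).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, query):
    """Encrypt-then-MAC: ciphertext followed by a 32-byte HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(key)
    ct = rc4(enc_key, query)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Return the query, or None if the tag does not verify."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return rc4(enc_key, ct)


# Constructed sample query; 'reader' and 'writer' have the same length, so an
# on-path attacker can swap them in the encrypt-only ciphertext.
QUERY = b"user=alice@example.org&group=project-x&role=reader"
```

Even with the tag added, a fixed shared key reused for every query gives every query the same RC4 keystream, so two captured ciphertexts XOR to the XOR of their plaintexts; that, together with RC4's known keystream biases, is why the https mode is the better choice and the shared-key mode is shown here only to make its limits concrete.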

6 GMT File Format

All files used to store data are UTF-8-encoded tab-separated value files that can easily be read and edited by hand. Usually, the first column of each row holds a unique value such as the user's unique ID or a unique token. All relevant data is stored in the data directory, which should be read- and write-protected so that only the web server user (e.g. www-data) can access it.
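The file format described above, as an added example that is not GMT code: a reader and writer for UTF-8 tab-separated files keyed by their first column, plus the permission check the last sentence calls for. The column layout of the sample (unique ID, given name, surname, email) is an assumption taken from the user fields the write functions accept, and the sample file is constructed; real GMT files may have other columns.

```python
"""Read and write GMT-style data files and check the data directory.

Added example, not GMT code. Format per section 6: UTF-8, tab-separated,
first column unique. The sample's columns are an assumption.
"""
import os
import stat

# Constructed sample in the documented format (not a real GMT file).
SAMPLE_USERS_TSV = (
    "# uniqueID\tgivenName\tsurname\temail\n"
    "alice@example.org\tAlice\tMuster\talice@example.org\n"
    "\n"
    "bob@example.org\tBob\tBeispiel\tbob@example.org\n"
)


def parse_tsv(text):
    """Return {key: [fields...]} for a UTF-8 TSV string.

    Blank lines and '#' comments are skipped. A duplicate key is an error
    rather than a silent overwrite, because the first column is the unique
    identifier the rest of the tool relies on.
    """
    rows = {}
    for lineno, line in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        key = fields[0]
        if key in rows:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        rows[key] = fields[1:]
    return rows


def is_safe_field(value):
    """A field must not contain the separators; written back unescaped it
    would create extra columns or a whole extra row (e.g. a new user)."""
    return "\t" not in value and "\n" not in value and "\r" not in value


def write_tsv(rows):
    """Serialise {key: [fields...]} to the same format, refusing bad fields."""
    lines = []
    for key, fields in rows.items():
        cells = [key, *fields]
        bad = [c for c in cells if not is_safe_field(c)]
        if bad:
            raise ValueError(f"separator characters in field(s): {bad!r}")
        lines.append("\t".join(cells))
    return "\n".join(lines) + "\n"


def data_dir_is_private(st_mode, st_uid, webserver_uid):
    """True when the directory is owned by the web server user and grants
    nothing to group or others (i.e. mode 0700)."""
    return st_uid == webserver_uid and (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_data_dir(path, webserver_uid):
    """stat() a real directory and apply the rule above."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and data_dir_is_private(
        st.st_mode, st.st_uid, webserver_uid)


def load_users(path, webserver_uid):
    """Refuse to read a data file whose directory other users can reach."""
    directory = os.path.dirname(os.path.abspath(path))
    if not check_data_dir(directory, webserver_uid):
        raise PermissionError(f"data directory of {path} is not private")
    with open(path, encoding="utf-8") as fh:
        return parse_tsv(fh.read())
```

The separator check in write_tsv is the one thing hand-editable flat files need that a database would give for free: a given name or email containing a tab or newline, accepted unchecked from the registration form, would otherwise turn into additional columns or an additional record on the next write.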


References

[1] GMT, SWITCH Group Management Tool. http://www.switch.ch/support/tools/gmt.html
[2] Apache Web Server, Apache HTTP Server Project. http://httpd.apache.org/
[3] PERL, Practical Extraction and Report Language. http://www.perl.org/
[4] RC4 Stream Cipher, RC4 Encryption Algorithm. http://en.wikipedia.org/wiki/RC4/
[5] Java, Platform independent programming language. http://www.java.com/
[6] PHP, Hypertext Preprocessor. http://www.php.net/
