1
<Web-Based Access Control for=”ITS Web Services (Past) Present and Future” version=”2008” />
Jeffrey C. D’Angelo, Programmer/Analyst, Enabling Technologies Group
James A. Vuccolo, Manager, Software Solutions Group
Applied Information Technologies (AIT) in Consulting and Support Services (CSS), a unit of Information Technology Services (ITS)
3
Agenda
Concepts
Level set: Core Infrastructure
Past: Evolution of Access Control Tools
Present: Access Control Practical Techniques
Changes: PASS Migration, Directory Updates
Future Directions
4
What do you think? What does “Access Control” mean to you?
5
The Access Control Continuum
Data that wants to be FREE
Data in the middle!
Data that wants to be private
8
Access Control Concepts
Identification and Authentication (AuthN) Authorization (AuthZ) Roles and Groups
9
Access Control Methods
File Permissions
  When applied to the Web: all or nothing?
  Special cases: file permissions = Web permissions
  PASS Explorer
Database restrictions (SQL GRANT)
Web server control (.htaccess)
Roles and Groups
10
ITS Web hosting in PASS
www.personal.psu.edu
protected.personal.psu.edu
blogs.psu.edu (COLA)
11
PASS / Web Core Infrastructure
12
What are our 3 Core Technologies?
Penn State Access Account Storage Space (PASS) serves as 1 of 3 key components of Penn State's IT infrastructure:
STORAGE: PASS provides universally-accessible disk space/file storage for use by anyone in the University community.
AUTHENTICATION: PASS works with Penn State’s central authentication system to prove who you are and leverage your digital identity.
ENTERPRISE DIRECTORY SERVICES: PASS works with the Enterprise Directory Service for authorization, to grant access to files and services once you prove your identity.
13
What is changing with our 3 Core Technologies?
STORAGE: The Distributed File System (DFS) technology behind PASS is being replaced with the General Parallel File System (GPFS).
AUTHENTICATION: The Distributed Computing Environment (DCE) authentication service used by DFS (today's PASS) is being replaced by the MIT brand of Kerberos already in use today.
ENTERPRISE DIRECTORY SERVICES: The security group information stored in DCE for use by DFS is being transferred to the Lightweight Directory Access Protocol (LDAP) based Enterprise Directory Service.
DCE/DFS => Kerberos/LDAP/GPFS
14
PASS / Web Core Infrastructure
15
Our Core Infrastructure: Authorization
16
Our Core Infrastructure PASS Storage Systems
17
Core Infrastructure: 3 Parts
19
Data that wants to be private -->
Data that wants to be FREE -->
Data in the middle! -->
22
Evolution of Access Control Tools
chmod
23
Evolution of Access Control Tools
chmod instruction from WordPress
24
Evolution of Access Control Tools
.htaccess
25
Evolution of Access Control Tools
.htaccess
AuthUserFile /.../dce.psu.edu/fs/users/m/c/mcr/www/party/.htpasswd
AuthGroupFile /.../dce.psu.edu/fs/users/m/c/mcr/www/party/.htgroup
AuthName "private directory"
AuthType Basic
Require group allowed
26
Evolution of Access Control Tools
.htpasswd
Peggy:ScPZpSSk3v.YQ
Danette:ScPZpSSk3v.YQ
Bill:ScPZpSSk3v.YQ
27
Evolution of Access Control Tools
.htgroup
allowed: Peggy Danette Bill
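The three slides above show the whole Basic-auth setup: AuthUserFile, AuthGroupFile and a Require group line. The following is an added example (not code from the presentation) that parses both files, answers the "Require group allowed" question for a given user, and flags what a reviewer would flag in that .htpasswd: traditional crypt(3) hashes, and one hash string shared by three accounts, which for crypt(3) means the same salt and the same password. The file contents are constructed to mirror the slides.

```python
"""Audit the Basic-auth setup on the .htaccess/.htpasswd/.htgroup slides: parse the two files,
evaluate "Require group allowed" for a user, and flag weak or shared password hashes.
Added example; the file contents below are constructed to mirror the slides."""
import re
from collections import defaultdict

# Constructed input modelled on the .htpasswd and .htgroup slides.
HTPASSWD = """\
Peggy:ScPZpSSk3v.YQ
Danette:ScPZpSSk3v.YQ
Bill:ScPZpSSk3v.YQ
"""
HTGROUP = """\
allowed: Peggy Danette Bill
"""


def parse_htpasswd(text):
    """Return {user: hash}; lines are 'user:hash', blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, pw_hash = line.partition(":")
            users[user] = pw_hash
    return users


def parse_htgroup(text):
    """Return {group: set(users)}; lines are 'group: user1 user2 ...'."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            group, _, members = line.partition(":")
            groups[group.strip()] = set(members.split())
    return groups


def hash_scheme(pw_hash):
    """Classify a hash by the prefix or shape htpasswd(1) writes for each scheme."""
    if pw_hash.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if pw_hash.startswith("$apr1$"):
        return "apr1-md5"
    if pw_hash.startswith("{SHA}"):
        return "sha1"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw_hash):
        # traditional DES crypt(3): 2-character salt, 11-character hash, only the first
        # 8 password characters count; fast to brute-force
        return "crypt"
    return "plain-or-unknown"


def authorized(user, group, users, groups):
    """Mirror 'Require group <group>' after a successful Basic-auth login: the user must
    exist in the AuthUserFile and be listed under that group in the AuthGroupFile.
    Password verification itself is out of scope here."""
    return user in users and user in groups.get(group, set())


def audit(users):
    """Findings a reviewer would raise: weak schemes, and one hash string used by several
    accounts. For crypt(3) an identical string means the same salt and the same password,
    so cracking one entry opens all of them."""
    findings = []
    by_hash = defaultdict(list)
    for user, pw_hash in users.items():
        scheme = hash_scheme(pw_hash)
        if scheme in ("crypt", "sha1", "plain-or-unknown"):
            findings.append(f"{user}: weak scheme {scheme}")
        by_hash[pw_hash].append(user)
    for names in by_hash.values():
        if len(names) > 1:
            findings.append("shared password hash: " + ", ".join(sorted(names)))
    return findings


if __name__ == "__main__":
    users = parse_htpasswd(HTPASSWD)
    groups = parse_htgroup(HTGROUP)
    print(authorized("Peggy", "allowed", users, groups))    # True
    print(authorized("Mallory", "allowed", users, groups))  # False
    for finding in audit(users):
        print(finding)
```

Run against the slide's files this reports three "weak scheme crypt" entries and one shared hash covering all three users; regenerating the file with htpasswd -B (bcrypt) and one password per person clears both findings.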
28
Evolution of Access Control Tools
AFS ACL Explorer
30
Evolution of Access Control Tools
AFS: Command line tools
31
Evolution of Access Control Tools
$ /usr/afsws/bin/fs la /afs/psu.edu/users/j/c/jcd/www
Access list for /afs/psu.edu/users/j/c/jcd/www is
Normal rights:
  jcd rlidwka
  group. rlidwk
  group. rlidwka
  system:administrators rlidwka
  system:authuser rlk
  system:anyuser l
32
Evolution of Access Control Tools
Restrict Access to COLA -> “Restrict Access to COLA”
35
Evolution of Access Control Tools
DFS ACL Explorer -> “Manage PASS File Permissions (ACL Explorer)”
38
Evolution of Access Control Tools
Command line tools: dcecp, acl_edit, dcerchacl
39
Evolution of Access Control Tools
: cbs3[jcd/jcd_admin/pts/5/3] ~/www; dcecp -c acl show /:/users/j/c/jcd/www
{mask_obj rwxcid}
{user_obj rwxcid}
{user jcd144 rwxcid}
{user cell_admin rwxcid}
{user kellogg r-x---}
{user jcd rwxcid}
{user portfol --x---}
{group_obj r-x---}
{group sysadmins rwxcid}
{other_obj }
{any_other }
40
Evolution of Access Control Tools
: cbs3[jcd/jcd_admin/pts/5/3] ~/www; acl_edit /:/users/j/c/jcd/www -l
# SEC_ACL for .:
# Default cell = /.../dce.psu.edu
mask_obj:rwxcid
user_obj:rwxcid
user:jcd144:rwxcid
user:cell_admin:rwxcid
user:kellogg:r-x---
user:jcd:rwxcid
user:portfol:--x---
group_obj:r-x---
group:sysadmins:rwxcid
other_obj:------
any_other:------
41
Evolution of Access Control Tools
DFS ACL Reset -> “Reset PASS Permissions to default (ACL Reset)”
43
Evolution of Access Control Tools
User Managed Groups
Evolution of Access Control Tools
PASS Shares
52
Evolution of Access Control Tools
Protected Personal - Access Control Manager
56
(an aside) Friends of Penn State
69
Evolution of Access Control Tools
: cbs3[jcd/jcd_admin/pts/5/3] ~; cat www_protected/Photos/.htaccess
require user jcd jvuccolo hjd109 hjd5009 jyd5022
require group cn=umg/clubs.ait.ninja
: cbs3[jcd/jcd_admin/pts/5/3] ~; cat www_protected/Photos/.fps_user
hjd109
hjd5009
jyd5022
70
Evolution of Access Control Tools
GPFS: ACL Explorer / ACL Reset
75
Evolution of Access Control Tools
GPFS: PASS Explorer
Web-based Permissions Tool
Wizard based design (like the ACM)
96
Evolution of Access Control Tools
-> “Manage PASS File Permissions (ACL Explorer)”
101
Evolution of Access Control Tools
PASS Explorer:
Tool for PASS (file storage)
Tool for file sharing
Tool for Web hosting
Tool for file sharing (over the Web)
107
Evolution of Access Control Tools
GPFS: command line tools?
108
Evolution of Access Control Tools
tr27n02# aclget /pass/users/j/c/jcd/www
*
* ACL_type   NFS4
*
* Owner: jcd
* Group: jcd
*
    a  rwpxDaAcCos
    a  rwpxDaAcCos  dioi
    a  rwpxaAcCos   fioi
    a  rxacs
    a  rxacs        dioi
    a  rxacs        fioi
u:jcd:  a  rwpxDaAcCos
u:jcd:  a  rwpxDaAcCos  dioi
u:jcd:  a  rwpaAcCos    fioi
g:sysadmins:  a  rwpxDaAcCos
g:sysadmins:  a  rwpxDaAcCos  dioi
g:sysadmins:  a  rwpaAcCos    fioi
    a  rxacs
    a  rxacs        dioi
    a  rxacs        fioi
g:test.scripts.psu.edu:  a  rxacs
g:test.scripts.psu.edu:  a  rxacs  dioi
g:test.scripts.psu.edu:  a  racs   fioi
g:php.scripts.psu.edu:  a  rwpxDaAcs
g:php.scripts.psu.edu:  a  rwpxDaAcs  dioi
g:php.scripts.psu.edu:  a  rwpaAcs    fioi
u:kellogg:  a  rxacs
u:kellogg:  a  rxacs  dioi
u:kellogg:  a  racs   fioi
u:jvuccolo:  a  rwpxDaAcs
u:jvuccolo:  a  rwpxDaAcs  dioi
u:jvuccolo:  a  rwpaAcs    fioi
g:umg/its.aset.ait:  a  rwpxDaAcs
g:umg/its.aset.ait:  a  rwpxDaAcs  dioi
g:umg/its.aset.ait:  a  rwpaAcs    fioi
109
Evolution of Access Control Tools
tr27n02# pacl -view /pass/users/j/c/jcd/www
file: .
flags: file-exec
s:owner:FULL_CONTROL
s:group:READ_ONLY
u:jcd:FULL_CONTROL
g:sysadmins:FULL_CONTROL
s:everyone:READ_ONLY
g:test.scripts.psu.edu:READ_ONLY
g:php.scripts.psu.edu:READ_WRITE
u:kellogg:READ_ONLY
u:jvuccolo:READ_WRITE
g:umg/its.aset.ait:READ_WRITE
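The two listings above show the same directory twice: the raw NFSv4 ACL from aclget, and the collapsed per-principal view from pacl. The following is an added example, not Penn State's pacl tool, that parses the aclget form and produces the pacl-style summary, then lists every principal other than the owner that can write to a www directory, which is the check worth running after a migration that rewrote every ACL. Two things are assumptions: the level thresholds (write ACL and write owner on top of write means FULL_CONTROL, write without them means READ_WRITE) are inferred from the two listings, and the s:(OWNER@), s:(GROUP@) and s:(EVERYONE@) spelling of the special principals follows AIX; the transcript of the aclget slide dropped that column.

```python
"""Turn a GPFS/AIX NFSv4 ACL listing (the aclget form above) into per-principal access
levels like the pacl -view summary. Added example, not Penn State's pacl tool: the level
thresholds are inferred from the two listings and are an assumption, as is the
s:(OWNER@) / s:(GROUP@) / s:(EVERYONE@) spelling of the special principals."""
import re

# Mask letters as printed by aclget: r read, w write, p append, x execute, D delete child,
# d delete, a read attrs, A write attrs, c read ACL, C write ACL, o write owner, s synchronize.
# Trailing inheritance flags: fi file-inherit, di dir-inherit, oi inherit-only, ni no-propagate.
ACE_RE = re.compile(
    r"^\s*(?P<who>[ugs]:[^:\s]+:)\s+(?P<type>[ad])\s+(?P<mask>[rwpxDdaAcCos]+)"
    r"(?:\s+(?P<flags>(?:fi|di|oi|ni)+))?\s*$"
)

# Constructed listing modelled on the aclget slide (inherit-only entries trimmed to two).
SAMPLE = """\
*
* ACL_type   NFS4
*
* Owner: jcd
* Group: jcd
*
s:(OWNER@):              a  rwpxDaAcCos
s:(OWNER@):              a  rwpxDaAcCos  dioi
s:(GROUP@):              a  rxacs
u:jcd:                   a  rwpxDaAcCos
u:jcd:                   a  rwpaAcCos    fioi
g:sysadmins:             a  rwpxDaAcCos
s:(EVERYONE@):           a  rxacs
g:test.scripts.psu.edu:  a  rxacs
g:php.scripts.psu.edu:   a  rwpxDaAcs
u:kellogg:               a  rxacs
u:jvuccolo:              a  rwpxDaAcs
g:umg/its.aset.ait:      a  rwpxDaAcs
"""


def parse_acl(text):
    """Parse ACE lines; '*' header lines are skipped. Each ACE becomes a dict with the
    principal, allow/deny, the set of mask letters and the set of inheritance flags."""
    aces = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised ACE line: " + line)
        flags = m.group("flags") or ""
        aces.append({
            "who": m.group("who"),
            "allow": m.group("type") == "a",
            "mask": set(m.group("mask")),
            "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
        })
    return aces


def level(mask):
    """Collapse a mask to a pacl-style level. Thresholds (assumption from the two slides):
    write ACL + write owner on top of write => FULL_CONTROL; write without them => READ_WRITE."""
    if {"w", "C", "o"} <= mask:
        return "FULL_CONTROL"
    if "w" in mask:
        return "READ_WRITE"
    if "r" in mask:
        return "READ_ONLY"
    return "NONE"


def effective_view(aces):
    """Level per principal for the directory itself. Inherit-only (oi) entries are skipped:
    they only seed the ACLs of files created later. One non-inherit ACE per principal is
    assumed, as in the listing; a real NFSv4 evaluator accumulates bits across ACEs in order."""
    view = {}
    for ace in aces:
        if "oi" in ace["flags"] or ace["who"] in view:
            continue
        view[ace["who"]] = level(ace["mask"]) if ace["allow"] else "NONE"
    return view


def write_capable(view):
    """Principals other than the owner that can modify a www directory: the entries to
    review after a migration that rewrote every ACL."""
    return sorted(who for who, lvl in view.items()
                  if lvl in ("READ_WRITE", "FULL_CONTROL") and who != "s:(OWNER@):")


if __name__ == "__main__":
    view = effective_view(parse_acl(SAMPLE))
    for who, lvl in view.items():
        print(f"{who}{lvl}")
    print("can write:", write_capable(view))
```

On the slide's directory the write-capable list is the php.scripts group, sysadmins, the umg/its.aset.ait group, jcd and jvuccolo; the php.scripts entry is what lets PHP scripts on the hosting cluster modify files under www, which is worth knowing before relying on the directory for anything sensitive.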
110
Techniques for Web Developers
Enable Penn State WebAccess Protection for:
  your own Web server
  your ITS Hosted Web site
.htaccess Authorization Controls
  Restrict to just Access Accounts / deny FPS
  Restrict to specific Userids
  Restrict to Classes, Roles and Groups
Application Encoded Authorization
Directory Integration
111
Enable WebAccess with Your Site
WebAccess directions for your own Web server:
To use on php.scripts.psu.edu: Send to
  Choose the “secure” folder to be linked
To use WebAccess with dept space (no PHP): Use
  Put “CosignProtected On” in .htaccess (deprecated)
112
.htaccess based AuthZ
Restrict to just Access Accounts / deny FPS:
SSLRequire ( %{ENV:REMOTE_REALM} == "dce.psu.edu" || %{ENV:REMOTE_REALM} == "" )
# Cannot undo at lower level
Restrict to specific Userids:
require user xyz123
Restrict to Classes, Roles and Groups:
require group cn=umg/course.up.ist
require group cn=wfg.010.notify.steward
require group cn=umg/up.somedept.group
# Only available now on protected.personal.psu.edu
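The .htaccess directives above combine two different mechanisms: SSLRequire is a condition that must hold, while each require line is one alternative, any of which grants access. The following is an added example, not Apache's code or the Access Control Manager's, that evaluates such a policy offline for a request whose REMOTE_USER and REMOTE_REALM were set by WebAccess, so you can check a ruleset before deploying it. The group-membership table stands in for the directory and is constructed, and the "fps.example" realm name used in the demonstration is made up; the real FPS realm is not on the slides.

```python
"""Evaluate offline the authorization a .htaccess like the one above expresses: the SSLRequire
realm constraint, 'require user' and 'require group' lines. Added example, not Apache or the
Access Control Manager: it models the Apache 2.x rule that any satisfied Require grants access
while SSLRequire must pass as well, for a request whose REMOTE_USER and REMOTE_REALM were set
by WebAccess. GROUPS is a constructed stand-in for the directory; 'fps.example' is made up."""
import re

# Constructed .htaccess combining the slide's SSLRequire line with user and group rules.
HTACCESS = """\
SSLRequire ( %{ENV:REMOTE_REALM} == "dce.psu.edu" || %{ENV:REMOTE_REALM} == "" )
require user xyz123 jcd
require group cn=umg/course.up.ist
require group cn=umg/up.somedept.group
"""

# Constructed directory stand-in: group DN -> set of uids.
GROUPS = {
    "cn=umg/course.up.ist": {"kellogg", "hjd109"},
    "cn=umg/up.somedept.group": {"jvuccolo"},
}

_REQUIRE = re.compile(r"^require\s+(user|group)\s+(.+)$", re.IGNORECASE)
_REALM = re.compile(r'REMOTE_REALM\}\s*==\s*"([^"]*)"')


def parse_policy(text):
    """Collect the allowed realms (None if no SSLRequire line), the allowed users and groups."""
    policy = {"realms": None, "users": set(), "groups": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQUIRE.match(line)
        if m:
            key = "users" if m.group(1).lower() == "user" else "groups"
            policy[key].update(m.group(2).split())
        elif line.lower().startswith("sslrequire"):
            # Only the realm-equality form used on the slide is understood.
            policy["realms"] = set(_REALM.findall(line))
        else:
            raise ValueError("unsupported directive: " + line)
    return policy


def decide(policy, env, groups):
    """Return (allowed, reason) for a request environment. Fails closed when the
    authentication layer set no identity, the same failsafe the PHP slide applies."""
    user = env.get("REMOTE_USER")
    realm = env.get("REMOTE_REALM")
    if not user or realm is None:
        return (False, "no authenticated identity")
    # Apache evaluating the slide's SSLRequire would also admit an unset REMOTE_REALM
    # through the == "" branch; this evaluator fails closed on an unset one instead,
    # so make sure the authentication layer always populates the variable.
    if policy["realms"] is not None and realm not in policy["realms"]:
        return (False, f"realm {realm!r} not allowed")
    if user in policy["users"]:
        return (True, "require user")
    for group in policy["groups"]:
        if user in groups.get(group, set()):
            return (True, f"require group {group}")
    return (False, "no Require line satisfied")


if __name__ == "__main__":
    policy = parse_policy(HTACCESS)
    for env in ({"REMOTE_USER": "jcd", "REMOTE_REALM": "dce.psu.edu"},
                {"REMOTE_USER": "kellogg", "REMOTE_REALM": "dce.psu.edu"},
                {"REMOTE_USER": "kellogg", "REMOTE_REALM": "fps.example"},
                {"REMOTE_USER": "mallory", "REMOTE_REALM": "dce.psu.edu"}):
        print(env["REMOTE_USER"], decide(policy, env, GROUPS))
```

The third case is the one the "deny FPS" rule exists for: kellogg is in an allowed group, but arriving from a non-dce.psu.edu realm the realm check rejects the request before any require line is consulted.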
113
Application Encoded Authorization
<?php
$valid_users = array(
    "xyz123"   => 1,
    "jvuccolo" => 1,
    "jcd"      => 1,
);

if ( ! isset($_SERVER['REMOTE_REALM']) or ! isset($_SERVER['REMOTE_USER']) ) {
    /*** A simplified version. Failsafe to avoid exposure from unsecured URLs. ***/
    ?><p>Error – Authentication system failure</p><?php
} elseif ( $_SERVER['REMOTE_REALM'] !== "dce.psu.edu" ) {
    /*** This isn't necessary if you check specific userids. ***/
    ?><p>Sorry, only Penn State Access Accounts are allowed, not FPS</p><?php
} elseif ( ! isset($valid_users[$_SERVER['REMOTE_USER']]) ) {
    ?><p>Sorry, you are not authorized to view this page.</p><?php
} else {
    print_welcome();   // the application's own page-rendering function
}
?>
114
Directory Integration
<?php
$directory_connection = ldap_connect("dirapps.aset.psu.edu");
if ($directory_connection) {
    // an anonymous bind for read/only access
    $binding = ldap_bind($directory_connection);
    // Base Distinguished Name (DN) for Penn State
    $base_dn = "dc=psu,dc=edu";
    // REMOTE_USER comes from the authentication layer, but escape it anyway before
    // it goes into a search filter (ldap_escape() needs PHP 5.6 or later)
    $filter = "uid=" . ldap_escape($_SERVER['REMOTE_USER'], "", LDAP_ESCAPE_FILTER);
    $search_results = ldap_search($directory_connection, $base_dn, $filter);
    $results = ldap_get_entries($directory_connection, $search_results);
    if ($results['count'] > 0 && isset($results[0]["cn"][0])) {
        // Print the user's full name; directory data is untrusted HTML, so escape it
        print "<p>Hello, " . htmlspecialchars($results[0]["cn"][0]) . "</p>\n";
    }
    ldap_unbind($directory_connection);
}
?>
115
Directory Based AuthZ
<?php
$directory_connection = ldap_connect("dirapps.aset.psu.edu");
$authorized = false;
if ($directory_connection) {
    // an anonymous bind for read/only access
    $binding = ldap_bind($directory_connection);
    // Base Distinguished Name (DN) for Penn State
    $base_dn = "dc=psu,dc=edu";
    $filter = "uid=" . ldap_escape($_SERVER['REMOTE_USER'], "", LDAP_ESCAPE_FILTER);
    $search_results = ldap_search($directory_connection, $base_dn, $filter);
    $results = ldap_get_entries($directory_connection, $search_results);
    // Authorize on the psMemberOf attribute. The slide's comparison was cut off, so the
    // minimal reading, "the attribute is present and non-empty", is used here; in practice
    // compare the values against the specific group DN(s) you want to admit.
    if ($results['count'] > 0
        && isset($results[0]["psmemberof"])
        && $results[0]["psmemberof"]["count"] > 0) {
        $authorized = true;
    }
    ldap_unbind($directory_connection);
}
// A failed directory connection and a non-member both end up here: deny by default
if ($authorized) {
    // User is authorized
    print "<p>Welcome, valid user.</p>\n";
} else {
    ?><p>Not authorized.</p><?php
}
?>
116
Gotcha!-s
Protected Personal ACM != PHP
PHP authZ is “roll your own .htaccess”
mm_mod_auth_ldap:
  Not compatible with .htgroup (right now...)
  Not available on other ITS Web hosting services (only protected.personal right now...)
  This method does not require SSL (but works with SSL); WebAccess generally requires SSL
117
Changes to the Directory
February 11: Change of DN (alert-596)
  PSDirIDN => UID
March 15: Change of Groups (alert-628)
  Copy all groups from DCE => LDAP & AD
  LDAP becomes master
  Create PASS homedir quota groups
  New OU for groups: ou=groups,dc=psu,dc=edu
  Add new attribute MemberUID
118
PASS Migration
Upgrade of filesystem technology DFS->GPFS
WebMail 2.0 release in 2006 was a similar upgrade
Many aspects seamless, some unfortunately not
Unlike the AFS->DFS technology migration, this cannot be done piecemeal
Out of time: the upgrade can no longer be postponed
Affects Web hosting services based on PASS
119
PASS Migration
File permission Access Control Lists (ACLs) completely different: thus new tools
Web permissions (.htaccess) unaffected
File paths changed: /.../dce.psu.edu/fs, /.:/fs, /: ==> /pass
CIFS & NFS gateways require Kerberos
July 3, 5pm – July 7, 7am: PASS “read-only”
php.scripts.psu.edu / test.scripts.psu.edu / CGI unavailable
120
PASS Migration
php.scripts.psu.edu upgrade: Solaris -> Linux
Compiled Apache/PHP -> stock RPM based
Apache 1.3 -> 2.0
PHP version unchanged (for now)
New IP addresses (remote DB & firewall rules may need update)
iguana, snail => php1, php2.aset.psu.edu
SQLite extension retired
121
PASS Migration
sqlite_open(), sqlite_query(), etc... GONE!
Use PHP Data Objects (PDO)
  Available now!
  Access to SQLite version 3 as well as 2
  Your code becomes more portable to other databases
122
SQLite via PDO Example
<?php
try {
    /*** connect to SQLite 3.x database ***/
    $dbh = new PDO("sqlite:/path/to/database.sdb");
    /*** make PDO throw on errors, otherwise a failed query returns false and never reaches the catch ***/
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    /*** The SQL SELECT statement (static here; use prepare() with bound parameters as soon as user input is involved) ***/
    $sql = "SELECT * FROM animals";
    foreach ($dbh->query($sql) as $row) {
        print $row['animal_type'] . ' - ' . $row['animal_name'] . '<br />';
    }
    /*** close the database connection ***/
    $dbh = null;
} catch (PDOException $e) {
    echo $e->getMessage();
}
?>
/* NOTE: Use "sqlite2:" to reach your SQLite 2.x database */
123
PASS Migration Beta Testers
http://css.its.psu.edu/PASSBeta/
Sign up and test your site!
Test the new gateway servers!
Early adopters: for departmental Web hosting, move to the new system during June (now!)
Wiki (faculty / staff only)
Discussion LISTSERV (l-passbeta)
124
PASS Migration Project – Timeline

Date | Milestone | How this is defined | Estimated Impact | Completed
March 17, 2008 | Open Beta period begins | Enrollment for the testing environment is announced for all of Penn State. All the current functionality in PASS space is available to the testers. Beta testing systems are available until the July 4th cutover. | |
May 30, 2008 | Begin Internal ITS Migration | All Production services are operational. The Pre- tag will remain until the Final Cutover. | All ITS Units under /dept/its space | NO
May 30-June 30, 2008 | Open Penn State Early Migration | We will offer the option to perform a timely migration in advance. Migration for ITS units targeted for mid-June. | |
July | Complete Data Migration, PASS is read-only for the 3 day weekend | DFS is locked into a read-only state. All systems and data remaining in DFS are moved into GPFS. No turning back. | All our dependent systems |
July-Aug 2008 | Decommission DCE/DFS | Shut off existing systems. Repurpose Hardware. Plan for next hardware/power issues. | Hopefully None |
125
Our Post PASS Migration TODOs
Further ACL tool development
Self Serve Kerberos Service Principals/Keytabs
Self Serve UMGs (demo)
COLA & Course Group Integration
LDAP authZ module development
UMG based LISTSERV lists
chat.psu.edu – Penn State Jabber service
UMG based Jabber conferences
126
Our Post PASS Migration TODOs
Plone service for student orgs (based on admin site)
127
Your Pre-PASS Migration TODOs
Sign up for the PASS Beta
Test access to the new gateways
Upload and verify your site's functionality
Convert SQLite calls to PDO
Consider early adoption with your ITS Consultant
128
Your Post PASS Migration TODOs
Verify your site still works
Verify you can still update your site
Replace /.../dce.psu.edu/fs, /.:/fs, /: with /pass
129
Closing Jeff D'Angelo <jcd@psu.edu>
James Vuccolo