Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Sunday, April 20, 2008

A sheep in wolf's clothing

My recent post regarding configuring OpenSSH on Windows using Cygwin was written from the perspective of users wanting to exploit ControlTier in a broadly Windows based environment.

In this post, I'm going to document a Unix-centric OpenSSH/Cygwin installation designed to make a Windows server look as much like a Unix system as possible when accessed from the network in order to simplify managing a few Windows based systems in largely Unix based environment.

Cygwin software installation
  • Create a local or domain Windows administrator account that has a POSIX user name (I use the "build" account for these notes).
  • Download and run the Cygwin installer.
  • The cleanest way to install Cygwin in the root of its own dedicated partition since it is absolutely necessary that the Cygwin root directory is synonymous with the Windows file system root for that drive so that Java's platform agnostic path management will work equally well with the Unix or Windows versions of key paths. Using a separate partition is desirable in order to separate the application installation (under ControlTier and Cygwin) from the Windows OS installation (typically on drive C:):
    $ df -k
    Filesystem           1K-blocks      Used Available Use% Mounted on
    E:\bin                20964348    213848  20750500   2% /usr/bin
    E:\lib                20964348    213848  20750500   2% /usr/lib
    E:                    20964348    213848  20750500   2% /
    c:                     8377864   7003552   1374312  84% /cygdrive/c
    $ cd /
    $ ls
    Cygwin.bat  RECYCLER                   bin       dev  home  proc  usr
    Cygwin.ico  System Volume Information  cygdrive  etc  lib   tmp   var
  • If this is not feasible then ignore the warnings and select "C:\" as the installation root directory to create a "hybrid" directory structure:
    $ pwd
    /
    $ ls
    AUTOEXEC.BAT            MSDOS.SYS                  WINDOWS   home          tmp
    CONFIG.SYS              MSOCache                   bin       lib           usr
    Cygwin.bat              NTDETECT.COM               boot.ini  ntldr         var
    Cygwin.ico              Program Files              cygdrive  pagefile.sys
    Documents and Settings  RECYCLER                   cygwin    proc
    IO.SYS                  System Volume Information  etc
  • Beyond the base package set make sure you include "openssh" (and hence its dependencies). Of course, there are many many other useful packages that you'll probably like to include for a practical installation of Cygwin (e.g. "rsync", "unzip", "zip", "vim", etc).
SSH server configuration
  • Cygwin includes a script to configure the SSH service, run from a "Cygwin Bash Shell" (Note the value given to the CYGWIN environment variable. Note also my comment to the original posting regarding W2k3 Server complications) :
    $ ssh-host-config
    Generating /etc/ssh_config file
    Privilege separation is set to yes by default since OpenSSH 3.3.
    However, this requires a non-privileged account called 'sshd'.
    For more info on privilege separation read /usr/share/doc/openssh/README.privsep
    .

    Should privilege separation be used? (yes/no) yes
    Generating /etc/sshd_config file


    Warning: The following functions require administrator privileges!

    Do you want to install sshd as service?
    (Say "no" if it's already installed as service) (yes/no) yes

    Which value should the environment variable CYGWIN have when
    sshd starts? It's recommended to set at least "ntsec" to be
    able to change user context without password.
    Default is "ntsec".  CYGWIN=binmode ntsec tty

    The service has been installed under LocalSystem account.
    To start the service, call `net start sshd' or `cygrunsrv -S sshd'.

    Host configuration finished. Have fun!
  • Start the SSH service:
    $ net start sshd
    The CYGWIN sshd service is starting.
    The CYGWIN sshd service was started successfully.
Java installation
  • Naturally, you can use the Windows system default Java installation so long as its either Java 1.4 or 1.5. However, it may be preferable to install a version of Java specifically for the use of ControlTier. By convention this is installed into "$CTIER_ROOT/pkgs" (usually "$HOME/ctier/pkgs" of the account used to run ControlTier).
  • Note that although Sun distributes its JDK in Windows (graphical) installer format, there's nothing stopping you creating a Zip file of a "reference" installation and using that to setup Java across the network.
  • Wherever Java is installed, set up the JAVA_HOME environment variable ahead of the ControlTier installation.
ControlTier installation
  • As of ControlTier 3.1.5 the Unix install script ("install.sh") is not compatible with Cygwin (possibly due to assumptions built into Sun's JDK on Windows).
  • For this reason, installing the ControlTier software over the network still follows the Windows pattern.
  • Setup the key environment variables with Windows style values:
    $ export CTIER_ROOT=~/ctier
    $ export JAVA_HOME=~/ctier/pkgs/jdk1.5.0_14
  • The key thing is to run the "install.bat" command shell from the Cygwin Bash shell:
    $ cmd.exe /C install.bat -client

    -check-prereqs:
         [echo] Using compatible Java version: 1.5

    -load-props:
         [echo] Using CTIER_ROOT: /home/build/ctier
    .
    .
    .
         [echo]     if [ -f ~/.ctierrc ]; then
         [echo]     . ~/.ctierrc
         [echo]     else
         [echo]     echo ~/.ctierrc not found 1>&2
         [echo]     fi

    install-client:
         [echo] Install Complete
  • Next, manually setup the ".ctierrc" file in the Cygwin user's home directory to ensure the correct shell environment is available:
    $ pwd
    /home/build
    $ cat .ctierrc
    # this file was generated by ControlTier installer.
         
    export CTIER_ROOT=~/ctier

    export ANTDEPO_HOME=~/ctier/pkgs/antdepo-1.3.1
    export ANTDEPO_BASE=~/ctier/antdepo

    # Server settings
    export JOBCENTER_HOME=~/ctier/pkgs/jobcenter-0.7
    export CATALINA_HOME=~/ctier/workbench
    export CATALINA_BASE=~/ctier/workbench

    export JAVA_HOME=~/ctier/pkgs/jdk1.5.0_14

    export PATH=$JOBCENTER_HOME/bin:$ANTDEPO_HOME/bin:$CATALINA_HOME/bin:$PATH

    if [ -n "$BASH" ] ; then
    . $ANTDEPO_HOME/etc/bash_completion.sh ;
    if [ -t 0 -a -z "$ANTDEPO_CLI_TERSE" ]
    then
    ANTDEPO_CLI_TERSE=true
    export ANTDEPO_CLI_TERSE
    fi
    fi
  • Finally, override the "depot-setup" and "ad" scripts to invoke their Windows counterparts:
    $ cat $ANTDEPO_HOME/bin/depot-setup
    #!/bin/sh

    exec cmd.exe /C depot-setup.bat "$@"
    $ cat $ANTDEPO_HOME/bin/ad
    #!/bin/sh

    exec cmd.exe /C ad.bat "$@"
With this "sleight of hand" in place, it is possible to manage Windows systems on the network in the same way as their Unix/Linux counterparts taking full advantage of the Cygwin and Java/Ant abstractions of the underlying OS facilities.

(By the way, a future version of ControlTier will resolve the script and JDK compatibility issues that result in the customizations in this posting).

Anthony Shortland,
anthony@controltier.com
Posted by at 2 comments:
Labels: , , ,

Monday, April 14, 2008

Integrating ControlTier with Active Directory

I recently posted a pretty comprehensive set of notes on using LDAP based authentication and authorization to control access to the ControlTier server applications (Workbench, WebDAV, and Jobcenter).

It turns out that, more often than not, our clients have a Microsoft Active Directory server to provide enterprise-wide authentication and authorization services. Fortunately, AD is an excellent LDAP compliant directory server, and so it is possible to configure ControlTier to directly us it as follows.

The key thing to note is that not possible to authenticate the AD using "bind mode" as described on the Tomcat 4.1 JNDI realm documentation. For this reason it is necessary explicitly setup an AD account to serve as the "connectionName" for "comparison mode" authentication. (Note that as a side benefit, this account can be used as the ControlTier client framework account if it is given "admin" role membership - see below).

(By the way, this screencast posted by Alex Tcherniakhovski provides an excellent overview of hooking up Tomcat to Active Directory - you'll need a Microsoft viewer to see it).

Note that these instructions only work with ControlTier 3.1.5 or later.

Active Directory configuration
  • Create a simple user account (e.g. "controltier") with a non-expiring password and minimal Domain access rights and delegate "Read all user information" to it using the delegation control wizard of the "Active Directory Users and Computers" management utility.
  • Make sure to take a note of the distinguished name ("DN") of the account (e.g. "CN=controltier,OU=Users,OU=MyBusiness,DC=mycompany,DC=com").
  • Create "admin" and "manager" groups using the AD management utility to enable Tomcat administration.
  • Also add "user" and "architect" groups to complete the minimal set up roles necessary to support the ControlTier server.
  • Add user accounts to the various groups to assign authority as required. (Make sure that the simple user account created above is in the "admin" role so that it can serve as the ControlTier framework account).
Tomcat configuration
  • Switch the realm configuration in "$CATALINA_BASE/conf/server.xml" to use the JNDIRealm with attributes appropriate for your AD setup (note that the "role" groups have been established under their own organizational unit - OU - called "ControlTierRoles" in this case):
    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="4"
       connectionURL="ldap://ad.mycompany.com:389/"
       connectionName="CN=controltier,OU=Users,OU=MyBusiness,DC=mycompany,DC=com"
       connectionPassword="********"
       roleBase="OU=ControlTierRoles,OU=Users,OU=MyBusiness,DC=mycompany,DC=com"
       roleName="CN"
       roleSearch="member={0}"
       userPattern="CN={0},OU=Users,OU=MyBusiness,DC=mycompany,DC=com"/>
Workbench configuration
  • Update "$CATALINA_BASE/webapps/itnav/WEB-INF/classes/auth.properties" to facilitate Workbench role administration:
    ngps.workbench.auth.type=jndi
    ngps.workbench.auth.jndi.connectionName=CN=controltier,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
    ngps.workbench.auth.jndi.connectionPassword=********
    ngps.workbench.auth.jndi.connectionUrl=ldap://ad.mycompany.com:389/
    ngps.workbench.auth.jndi.roleBase=OU=ControlTierRoles,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
    ngps.workbench.auth.jndi.roleNameRDN=CN
    ngps.workbench.auth.jndi.roleMemberRDN=member
    ngps.workbench.auth.jndi.userBase=OU=Users,OU=MyBusiness,DC=mycompany,DC=com
    ngps.workbench.auth.jndi.userNameRDN=CN
  • Update "$CATALINA_BASE/webapps/itnav/WEB-INF/classes/runtime.properties" and set the "dav.user" and "dav.password" properties to the credentials of the account setup above.
WebDAV configuration
  • Update "$CATALINA_BASE/webapps/webdav/WEB-INF/web.xml" to configure BASIC authentication and general access for "admin" role/group members (per the original posting).
Jobcenter configuration
  • Update "$JOBCENTER_HOME/bin/start-jobcenter.sh" and switch the "java.security.auth.login.config" Java option to use "jaas-jndi.conf" (per the original posting).
  • Update "$JOBCENTER_HOME/webapps/jobcenter/WEB-INF/jaas-jndi.properties" with the AD connection information:
    jobcenter.auth.jndi.authType=bind
    jobcenter.auth.jndi.connectionName=CN=controltier,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
    jobcenter.auth.jndi.connectionPassword=********
    jobcenter.auth.jndi.connectionUrl=ldap://ad.mycompany.com:389/
    jobcenter.auth.jndi.roleBase=OU=ControlTierRoles,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
    jobcenter.auth.jndi.roleNameRDN=CN
    jobcenter.auth.jndi.roleMemberRDN=member
    jobcenter.auth.jndi.userBase=OU=SBSusers,OU=Users,OU=MyBusiness,DC=mycompany,DC=com
    jobcenter.auth.jndi.userNameRDN=CN
Antdepo configuration
  • Update "$ANTDEPO_BASE/etc/framework.properties" and set the framework user name and password on every client system:
    framework.server.username = controltier
    framework.server.password = ********
    framework.webdav.username = controltier
    framework.webdav.password = ********
Finally, fire up Workbench and Jobcenter and test connectivity. Try some Antdepo commands to make sure client-side authentication is working too.

Anthony Shortland,
anthony@controltier.com
Posted by at 1 comment:
Labels: , ,

Monday, March 31, 2008

Configuring LDAP authentication and authorization on the ControlTier server

The Open.ControlTier documentation on configuring LDAP authentication and authorization has not yet been updated for the 3.1 release and so only covers configuring Workbench, and not support for Jobcenter.

As an interim solution to this omission, this blog entry records the steps necessary to achieve a "state-of-the-art" configuration based on OpenLDAP, which is both useful in itself and also a crucial step toward integrating with Microsoft's Active Directory services which are broadly deployed in larger enterprise infrastructures.

Modest design goal

While it is feasible to exploit LDAP authentication and authorization "pervasively" across all nodes upon which the various ControlTier components are installed, what is documented here is the more modest design goal of using LDAP to secure access only to the centralized ControlTier server conventionally deployed to provide a single point of administration in the network.

This is a practical compromise when you consider that more often than not, command execution on remote client systems is tied to one or more system level "application" accounts as opposed to individual user's logins. These accounts are used to construct the network of public key based passwordless secure shell access from the ControlTier server.

Comprehensive authentication and authorization for ControlTier is therefore achieved at two levels:
  1. At the system level, login access to the server and client systems must be restricted to the set of individuals authorized to use the ControlTier and "application" accounts that provide unfettered access to executing build and deployment commands in the distributed infrastructure.
  2. At the project level, access to the Workbench model, and Jobcenter command interface must be filtered by the user and role-based authentication and authorization scheme intrinsic to those applications.
It is in the latter case that this posting covers using LDAP to manage levels of access to ControlTier's web based services.

Deploying an LDAP instance

You can skip this section if you have an LDAP server available on your network that is accessible from the ControlTier server.

Assuming such a service does not already exist, the first step is to setup an LDAP server instance on a system that is accessible to the ControlTier server. There are many LDAP server implementations available, but here's how to setup the most popular Open Source version: OpenLDAP.

The OpenLDAP Quick Start Guide proposes building the officially released software from source. There are a number of binary distributions available on the Internet, of course, and many Unix variant OSes package OpenLDAP with their releases.

In this case, I used a CentOS 4.5 instance.

These instructions assume you wish to configure and deploy a non-superuser based LDAP server instance to support ControlTier:
  • Acquire, or build OpenLDAP from source. In this case, the software is built from source and installed under $CTIER_ROOT/pkgs to facilitate executing as the ControlTier server account (e.g. "ctier"):
    $ cd $CTIER_ROOT/src
    $ tar zxf openldap-2.4.8.tgz
    $ cd openldap-2.4.8
    $ ./configure --prefix=$CTIER_ROOT/pkgs/openldap-2.4.8
    Configuring OpenLDAP 2.4.8-Release ...
    checking build system type... i686-pc-linux-gnu
    checking host system type... i686-pc-linux-gnu
    checking target system type... i686-pc-linux-gnu
    .
    .
    .
    Making servers/slapd/overlays/statover.c
    Add seqmod ...
    Add syncprov ...
    Please run "make depend" to build dependencies
    $ make depend
    .
    .
    .
    $ make
    .
    .
    .
    $ make install
    .
    .
    .
    $ file $CTIER_ROOT/pkgs/openldap-2.4.8/libexec/slapd
    .../slapd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
  • Customize the "slapd.conf" configuration file (in this case using the "controltier.com" domain):
    $ cd $CTIER_ROOT/pkgs/openldap-2.4.8/etc/openldap
    $ diff slapd.conf slapd.conf.orig
    54,55c54,55
    < suffix                "dc=controltier,dc=com"
    < rootdn                "cn=Manager,dc=controltier,dc=com"
    ---
    > suffix                "dc=my-domain,dc=com"
    > rootdn                "cn=Manager,dc=my-domain,dc=com"
  • Start the LDAP server on a non-privileged port:
    $ $CTIER_ROOT/pkgs/openldap-2.4.8/libexec/slapd -h ldap://*:3890/
  • Check that the server is up and running:

    $ $CTIER_ROOT/pkgs/openldap-2.4.8/bin/ldapsearch -h localhost -p 3890 -x -b '' -s base '(objectclass=*)' namingContexts
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectclass=*)
    # requesting: namingContexts
    #

    #
    dn:
    namingContexts: dc=controltier,dc=com

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
One thing to note is that the Elements module library contains an OpenLDAP module that can be used to facilitate management of the LDAP instance. Here's sample project object XML to configure a OpenLDAP instance for use with the setup described above:
<project>
   <deployment type="OpenLDAP" name="openLDAP" description="Sample Open LDAP service object" installRoot="${env.CTIER_ROOT}/pkgs/openldap-2.4.8" basedir="${env.CTIER_ROOT}/pkgs/openldap-2.4.8" startuprank="1">
      <referrers replace="false">
         <resource type="Node" name="localhost"/>
      </referrers>
   </deployment>
</project>
... and sample command output:
$ ad -p TestProject -t OpenLDAP -o openLDAP -c Stop
running command: assertServiceIsDown
Running handler command: stopService
stopService: openLDAP OpenLDAP on localhost stopped.
[command.timer.OpenLDAP.stopService: 0.565 sec]
true. Execution time: 0.565 sec
[command.timer.Service.Stop: 2.998 sec]
command completed successfully. Execution time: 2.998 sec
$ ad -p TestProject -t OpenLDAP -o openLDAP -c Start
running command: assertServiceIsUp
Running handler command: startService
startService: openLDAP OpenLDAP on localhost started.
[command.timer.OpenLDAP.startService: 0.146 sec]
true. Execution time: 0.146 sec
[command.timer.Service.Start: 2.185 sec]
command completed successfully. Execution time: 2.185 sec
$ ad -p TestProject -t OpenLDAP -o openLDAP -c Status
running assertServiceIsUp command
assertServiceIsUp: /proc/4842 found. openLDAP OpenLDAP on localhost is up.
[command.timer.Service.Status: 2.017 sec]
command completed successfully. Execution time: 2.017 sec
Note that this sample configuration is not particularly sophisticated. There are much more flexible (and secure) ways to deploy OpenLDAP documented on their site.

Populating the directory

Workbench's use of LDAP is pretty straightforward. The Open ControlTier site documents the capabilities of three roles that must exist in the directory:

user - readonly access
admin - can create object
architect - can create objects and create types

Note that both administration and architect users should also be assigned the user role since some elements of the UI assume this (e.g. checks for user role membership are embedded in some of the JSPs).

Note also, that only users with assigned both the admin and architect roles can create new projects.

Please ignore the sample LDIF file on Open.ControlTier, and use the following file as a guideline to structuring your directory:

$ cat users.ldif
# Define top-level entry:
dn: dc=controltier,dc=com
objectClass: dcObject
objectClass: organization
o: ControlTier, Inc.
dc: controltier

# Define an entry to contain users:
dn: ou=users,dc=controltier,dc=com
objectClass: organizationalUnit
ou: users

# Define some users:
dn: cn=user1, ou=users,dc=controltier,dc=com
userPassword: password
objectClass: person
sn: A user account with simple user privileges
cn: user1

dn: cn=user2, ou=users,dc=controltier,dc=com
userPassword: password
objectClass: person
sn: A user account with user and administrator privileges
cn: user2

dn: cn=user3, ou=users,dc=controltier,dc=com
userPassword: password
objectClass: person
sn: A user account with user, administrator and architect privileges
cn: user3

dn: cn=default, ou=users,dc=controltier,dc=com
userPassword: default
objectClass: person
sn: The default account for the ControlTier client to use
cn: default

dn: ou=roles, dc=controltier,dc=com
objectClass: organizationalUnit
ou: roles

dn: cn=architect, ou=roles,dc=controltier,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=user3,ou=users,dc=controltier,dc=com
cn: architect

dn: cn=admin, ou=roles,dc=controltier,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=user2,ou=users,dc=controltier,dc=com
uniqueMember: cn=user3,ou=users,dc=controltier,dc=com
uniqueMember: cn=default,ou=users,dc=controltier,dc=com
cn: admin

dn: cn=user, ou=roles,dc=controltier,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=user1,ou=users,dc=controltier,dc=com
uniqueMember: cn=user2,ou=users,dc=controltier,dc=com
uniqueMember: cn=user3,ou=users,dc=controltier,dc=com
cn: user
Here's the command used to load the records into OpenLDAP:
$ ldapadd -x -H ldap://localhost:3890/ -D "cn=Manager,dc=controltier,dc=com" -w secret -f users.ldif
You can see that it is important to use OS access controls to safeguard the contents of this file from unauthorized access.

Note that you can supplement OpenLDAP's command line interface with JXplorer, an Open Source Java LDAP browser/editor client application.

Configuring Workbench to use LDAP

The next piece of the puzzle is to adjust Tomcat's security "Realm" configuration to use the LDAP server. All that's necessary is to replace the default "UserDatabaseRealm" element in "server.xml" with the following "JNDIRealm" setup:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://localhost:3890/"
roleBase="ou=roles,dc=controltier,dc=com"
roleName="cn"
roleSearch="uniqueMember={0}"
userPattern="cn={0},ou=users,dc=controltier,dc=com"/>
This configuration specifies the connection URL to the LDAP server, matches the role base and user pattern to the repository structure (you may need to adjust these for your own repository), and uses the "bind method" of authentication described in the Tomcat 4 documentation.

Before restarting Tomcat, a final piece of configuration will make Workbench user management available from the Administration page. Edit the "auth.properties" file to switch from "default" to "jndi" authentication and authorization:
$ cat $CATALINA_BASE/webapps/itnav/WEB-INF/classes/auth.properties
######################################
# auth.properties
# This is the configuration properties file for the User Management feature.
####
# ngps.workbench.auth.type=default
ngps.workbench.auth.type=jndi

######################################
# To enable User Management with JDNI authorization, set the value of ngps.workbench.auth.type to jndi
# then fill in the JNDI configuration below.
######################################
# Configuration for JNDI authorization:
####

ngps.workbench.auth.jndi.connectionName=cn=Manager,dc=controltier,dc=com
ngps.workbench.auth.jndi.connectionPassword=secret
ngps.workbench.auth.jndi.connectionUrl=ldap://localhost:3890/
ngps.workbench.auth.jndi.roleBase=ou=roles,dc=controltier,dc=com
ngps.workbench.auth.jndi.roleNameRDN=cn
ngps.workbench.auth.jndi.roleMemberRDN=uniqueMember
ngps.workbench.auth.jndi.userBase=ou=users,dc=controltier,dc=com
ngps.workbench.auth.jndi.userNameRDN=cn
(Note that with an embedded password this is another file to safeguard with OS access control).

Once JNDI user management is enabled, it is possible to use Workbench user administration to restrict access to individual projects on a user by user basis as well as adjust each user's role assignments:


Configuring WebDAV to use LDAP

Since the ControlTier WebDAV repository is deployed to the same Tomcat instance as Workbench it shares the same authentication realm. Not only is it prudent to protect the WebDAV from general browser based access (e.g. by limiting which users can modify the repository), but, just as importantly, the Antdepo client requires access to the repository to upload packages and download packages and modules.

Tomcat 4.1 includes the Apache Slide WebDAV implementation. Slide security is documented in some detail here. Fine grained access control can be configured both to individual resources and methods. However, from ControlTier's perspective, establishing basic authorization for "admin" role members by adding the following entries to "$CATALINA_BASE/webapps/webdav/WEB-INF/web/xml" and restarting Tomcat is sufficient:
<security-constraint>
<web-resource-collection>
<web-resource-name>Administrative</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JNDIRealm</realm-name>
</login-config>
Note that as of ControlTier 3.1.4, enabling WebDAV authorization and authentication reveals a bug in the Package module's "upload" command's use of the WebDAV "put" Ant task. The workaround is to fall back to the "scp"-based method of uploading packages to the WebDAV.

Configuring Jobcenter to use LDAP

Jobcenter LDAP configuration is modeled on Workbench's JNDI provider and implemented as a standard JAAS LoginModule integrated with Jobcenter's Jetty web application container.

Note: that you must have installed at least ControlTier 3.1.4 to follow these Jobcenter configuration instructions!
  • Modify $JOBCENTER_HOME/bin/start-jobcenter.sh script to specify "jaas-jndi.conf" in place of "jaas.conf" (this specifies the use of the "org.antdepo.webad.jaas.JNDILoginModule" JAAS login module class instead of the standard "org.antdepo.webad.jaas.PropertyFileLoginModule").
  • Modify "$JOBCENTER_HOME/webapps/jobcenter/WEB-INF/jaas-jndi.properties". This file has similar configuration properties to the auth.properties used in
    workbench for JNDI authentication/authorization. The "connectionPassword", and "connectionUrl" should be modified as necessary. Other properties should be left alone unless the structure of the LDAP directory differs from that setup above:
    jobcenter.auth.jndi.connectionName=cn=Manager,dc=controltier,dc=com
    jobcenter.auth.jndi.connectionPassword=secret
    jobcenter.auth.jndi.connectionUrl=ldap://localhost:3890/
    jobcenter.auth.jndi.roleBase=ou=roles,dc=controltier,dc=com
    jobcenter.auth.jndi.roleNameRDN=cn
    jobcenter.auth.jndi.roleMemberRDN=uniqueMember
    jobcenter.auth.jndi.userBase=ou=users,dc=controltier,dc=com
    jobcenter.auth.jndi.userNameRDN=cn
Note that, as of ControlTier 3.1, Jobcenter has no intrinsic mechanism to manage authorization rights for job creation, modification or deletion. This means that anyone who has access to the Jobcenter console can change any job's configuration (even if they don't have the right to execute them). This applies to both scheduled and on-demand jobs. This functional gap will be dealt with in a future enhancement.

Controlling Jobcenter command execution authorization with Antdepo

The right of a user to execute a job from Jobcenter is synonymous with their underlying Antdepo authorization - Jobcenter literally exploits the Antdepo access control mechanism.

Antdepo access control is based on configuring the "$ANTDEPO_BASE/etc/acls.xml" file. The following DTD and default acls.xml show the scope for customizing authorization levels:
$ cat acls.dtd
<!ELEMENT accessto ( command ) >

<!ELEMENT acl ( accessto, by, using, when ) >
<!ATTLIST acl description CDATA #REQUIRED >

<!ELEMENT acls ( acl* ) >

<!ELEMENT by ( role ) >

<!ELEMENT command EMPTY >
<!ATTLIST command module CDATA #REQUIRED >
<!ATTLIST command name CDATA #REQUIRED >

<!ELEMENT context EMPTY >
<!ATTLIST context name CDATA #REQUIRED >
<!ATTLIST context type CDATA #REQUIRED >
<!ATTLIST context depot CDATA #REQUIRED >

<!ELEMENT role EMPTY >
<!ATTLIST role name NMTOKEN #REQUIRED >

<!ELEMENT timeandday EMPTY >
<!ATTLIST timeandday day CDATA #REQUIRED >
<!ATTLIST timeandday hour CDATA #REQUIRED >
<!ATTLIST timeandday minute CDATA #REQUIRED >

<!ELEMENT using ( context ) >

<!ELEMENT when ( timeandday ) >

$ cat acls.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE acls SYSTEM "file:///home/ctier/ctier/antdepo/etc/acls.dtd">

<acls>
  <acl description="admin, access to any command using any context at anytime">
    <accessto>
      <command module="*" name="*"/>
    </accessto>
    <by>
      <role name="admin"/>
    </by>
    <using>
      <context depot="*" type="*" name="*"/>
    </using>
    <when>
      <timeandday day="*" hour="*" minute="*"/>
    </when>
  </acl>
</acls>
Antdepo client configuration

Finally, every Antdepo client installation both local and remote from the ControlTier server requires access to both Workbench and the WebDAV. The sample LDIF above specifies a user called "default" with the password "default" which has the "admin" role. This is the client framework account specified in "$ANTDEPO_BASE/etc/framework.properties":
framework.server.username = default
framework.server.password = default
framework.webdav.username = default
framework.webdav.password = default
Naturally you are at liberty (and it is probably advisable) to change this account name and password (they are specified at installation time in "defaults.properties). You should the protect the "framework.properties" file using OS authorization mechanisms.

QED

Anthony Shortland
anthony@controltier.com
Posted by at 5 comments:
Labels: , ,
Subscribe to: Posts (Atom)