Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
gplazma-fermi: add mapping plugin to support VO group and username fr…
…om file Motivation: Fermilab's authorization system has decided to move away from the centralized GUMS-XACML interaction and substitute for it reliance on .json file which is refreshed periodically from a service by a system cron. Modification: Add a mapping plugin to capture the FQAN to GID mapping, and optionally, to user name. If no FQAN is present, it fails. Otherwise it adds the GID. If it finds a username, it also add that, replacing any previous username in the set of principals. For this reason, it should be run as optional, with other mapping plugins (such as the gridmap) serving as failover for the missing username. A Junit test is included. Result: Authorization should work (with the example conf file) so that, depending on how the FQAN is mapped, a user can get access either as part of a group user or as individual user. Target: master Request: 4.1 Request: 4.0 Request: 3.2 Request: 3.1 Request: 2.16 Acked-by: Dmitry Require-notes: yes Require-book: yes
- Loading branch information
Showing
9 changed files
with
730 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | ||
| <modelVersion>4.0.0</modelVersion> | ||
|
|
||
| <parent> | ||
| <artifactId>dcache-parent</artifactId> | ||
| <groupId>org.dcache</groupId> | ||
| <version>4.2.0-SNAPSHOT</version> | ||
| <relativePath>../../pom.xml</relativePath> | ||
| </parent> | ||
|
|
||
| <artifactId>gplazma2-fermi</artifactId> | ||
| <packaging>jar</packaging> | ||
|
|
||
| <name>gPlazma 2 Fermi plugin</name> | ||
|
|
||
| <dependencies> | ||
| <dependency> | ||
| <groupId>org.dcache</groupId> | ||
| <artifactId>gplazma2</artifactId> | ||
| <version>4.2.0-SNAPSHOT</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.google.code.gson</groupId> | ||
| <artifactId>gson</artifactId> | ||
| <version>2.8.0</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.google.code.findbugs</groupId> | ||
| <artifactId>jsr305</artifactId> | ||
| <version>2.0.1</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>org.springframework</groupId> | ||
| <artifactId>spring-beans</artifactId> | ||
| </dependency> | ||
| </dependencies> | ||
| </project> |
141 changes: 141 additions & 0 deletions
141
modules/gplazma2-fermi/src/main/java/org/dcache/gplazma/plugins/FileBackedVOGroupMap.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,141 @@ | ||
| /* | ||
| COPYRIGHT STATUS: | ||
| Dec 1st 2001, Fermi National Accelerator Laboratory (FNAL) documents and | ||
| software are sponsored by the U.S. Department of Energy under Contract No. | ||
| DE-AC02-76CH03000. Therefore, the U.S. Government retains a world-wide | ||
| non-exclusive, royalty-free license to publish or reproduce these documents | ||
| and software for U.S. Government purposes. All documents and software | ||
| available from this server are protected under the U.S. and Foreign | ||
| Copyright Laws, and FNAL reserves all rights. | ||
| Distribution of the software available from this server is free of | ||
| charge subject to the user following the terms of the Fermitools | ||
| Software Legal Information. | ||
| Redistribution and/or modification of the software shall be accompanied | ||
| by the Fermitools Software Legal Information (including the copyright | ||
| notice). | ||
| The user is asked to feed back problems, benefits, and/or suggestions | ||
| about the software to the Fermilab Software Providers. | ||
| Neither the name of Fermilab, the URA, nor the names of the contributors | ||
| may be used to endorse or promote products derived from this software | ||
| without specific prior written permission. | ||
| DISCLAIMER OF LIABILITY (BSD): | ||
| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
| "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
| LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS | ||
| FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FERMILAB, | ||
| OR THE URA, OR THE U.S. DEPARTMENT of ENERGY, OR CONTRIBUTORS BE LIABLE | ||
| FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
| CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | ||
| OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | ||
| BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | ||
| LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | ||
| NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
| SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
| Liabilities of the Government: | ||
| This software is provided by URA, independent from its Prime Contract | ||
| with the U.S. Department of Energy. URA is acting independently from | ||
| the Government and in its own private capacity and is not acting on | ||
| behalf of the U.S. Government, nor as its contractor nor its agent. | ||
| Correspondingly, it is understood and agreed that the U.S. Government | ||
| has no connection to this software and in no manner whatsoever shall | ||
| be liable for nor assume any responsibility or obligation for any claim, | ||
| cost, or damages arising out of or resulting from the use of the software | ||
| available from this server. | ||
| Export Control: | ||
| All documents and software available from this server are subject to U.S. | ||
| export control laws. Anyone downloading information from this server is | ||
| obligated to secure any necessary Government licenses before exporting | ||
| documents or software obtained from this server. | ||
| */ | ||
| package org.dcache.gplazma.plugins; | ||
|
|
||
| import com.google.common.annotations.VisibleForTesting; | ||
| import com.google.common.base.Throwables; | ||
| import com.google.gson.GsonBuilder; | ||
| import org.slf4j.Logger; | ||
| import org.slf4j.LoggerFactory; | ||
|
|
||
| import javax.annotation.concurrent.GuardedBy; | ||
|
|
||
| import java.io.File; | ||
| import java.io.FileReader; | ||
| import java.io.IOException; | ||
| import java.nio.file.Path; | ||
| import java.nio.file.Paths; | ||
| import java.util.HashMap; | ||
| import java.util.Map; | ||
| import java.util.stream.Stream; | ||
|
|
||
| import org.dcache.gplazma.AuthenticationException; | ||
|
|
||
| /** | ||
| * <p>In-memory version of the VO Group map file. Loads once, and thereafter | ||
| * anytime the timestamp of lastModified has changed. Timestamp is | ||
| * checked on each get().</p> | ||
| */ | ||
| public class FileBackedVOGroupMap { | ||
| private static final Logger LOGGER | ||
| = LoggerFactory.getLogger(FileBackedVOGroupMap.class); | ||
|
|
||
| private final Map<String, VOGroupEntry> cache = new HashMap<>(); | ||
| private final File file; | ||
| private final Path path; | ||
| private long lastModified; | ||
| private long reloadCount; | ||
|
|
||
| public FileBackedVOGroupMap(String path) { | ||
| this.path = Paths.get(path); | ||
| this.file = this.path.toFile(); | ||
| } | ||
|
|
||
| public VOGroupEntry get(String fqan) throws AuthenticationException { | ||
| synchronized (cache) { | ||
| checkFile(); | ||
| if (!cache.containsKey(fqan)) { | ||
| throw new AuthenticationException("No VO group entry matching FQAN: " | ||
| + fqan); | ||
| } | ||
|
|
||
| return cache.get(fqan); | ||
| } | ||
| } | ||
|
|
||
| @VisibleForTesting | ||
| long getReloadCount() { | ||
| synchronized (cache) { | ||
| return reloadCount; | ||
| } | ||
| } | ||
|
|
||
| @GuardedBy("cache") | ||
| private void checkFile() { | ||
| if (!file.exists() || !file.canRead()) { | ||
| LOGGER.error("RELOAD FAILED: Could not read {}.", | ||
| file.getAbsolutePath()); | ||
| } else if (lastModified < file.lastModified()) { | ||
| cache.clear(); | ||
| GsonBuilder builder = new GsonBuilder(); | ||
| try (FileReader reader = new FileReader(file)) { | ||
| VOGroupEntry[] info = builder.create() | ||
| .fromJson(reader, | ||
| VOGroupEntry[].class); | ||
| Stream.of(info).forEach(e -> cache.put(e.getFqan(), e)); | ||
| lastModified = file.lastModified(); | ||
| ++reloadCount; | ||
| } catch (IOException e) { | ||
| LOGGER.error("There was a problem deserializing {}: {}, {}", | ||
| file, e.getMessage(), Throwables.getRootCause(e)); | ||
| } | ||
| } | ||
| } | ||
| } |
104 changes: 104 additions & 0 deletions
104
modules/gplazma2-fermi/src/main/java/org/dcache/gplazma/plugins/VOGroupEntry.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| /* | ||
| COPYRIGHT STATUS: | ||
| Dec 1st 2001, Fermi National Accelerator Laboratory (FNAL) documents and | ||
| software are sponsored by the U.S. Department of Energy under Contract No. | ||
| DE-AC02-76CH03000. Therefore, the U.S. Government retains a world-wide | ||
| non-exclusive, royalty-free license to publish or reproduce these documents | ||
| and software for U.S. Government purposes. All documents and software | ||
| available from this server are protected under the U.S. and Foreign | ||
| Copyright Laws, and FNAL reserves all rights. | ||
| Distribution of the software available from this server is free of | ||
| charge subject to the user following the terms of the Fermitools | ||
| Software Legal Information. | ||
| Redistribution and/or modification of the software shall be accompanied | ||
| by the Fermitools Software Legal Information (including the copyright | ||
| notice). | ||
| The user is asked to feed back problems, benefits, and/or suggestions | ||
| about the software to the Fermilab Software Providers. | ||
| Neither the name of Fermilab, the URA, nor the names of the contributors | ||
| may be used to endorse or promote products derived from this software | ||
| without specific prior written permission. | ||
| DISCLAIMER OF LIABILITY (BSD): | ||
| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
| "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
| LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS | ||
| FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FERMILAB, | ||
| OR THE URA, OR THE U.S. DEPARTMENT of ENERGY, OR CONTRIBUTORS BE LIABLE | ||
| FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
| CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT | ||
| OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | ||
| BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | ||
| LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | ||
| NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
| SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
| Liabilities of the Government: | ||
| This software is provided by URA, independent from its Prime Contract | ||
| with the U.S. Department of Energy. URA is acting independently from | ||
| the Government and in its own private capacity and is not acting on | ||
| behalf of the U.S. Government, nor as its contractor nor its agent. | ||
| Correspondingly, it is understood and agreed that the U.S. Government | ||
| has no connection to this software and in no manner whatsoever shall | ||
| be liable for nor assume any responsibility or obligation for any claim, | ||
| cost, or damages arising out of or resulting from the use of the software | ||
| available from this server. | ||
| Export Control: | ||
| All documents and software available from this server are subject to U.S. | ||
| export control laws. Anyone downloading information from this server is | ||
| obligated to secure any necessary Government licenses before exporting | ||
| documents or software obtained from this server. | ||
| */ | ||
| package org.dcache.gplazma.plugins; | ||
|
|
||
| import com.google.gson.annotations.SerializedName; | ||
|
|
||
| import java.io.Serializable; | ||
|
|
||
| /** | ||
| * <p>Container for VO Group authorization data.</p> | ||
| */ | ||
| public class VOGroupEntry implements Serializable { | ||
| private static final long serialVersionUID = -4348326595015055203L; | ||
|
|
||
| @SerializedName("fqan") | ||
| private String fqan; | ||
|
|
||
| @SerializedName("mapped_uname") | ||
| private String mappedUname; | ||
|
|
||
| @SerializedName("mapped_gid") | ||
| private String mappedGid; | ||
|
|
||
| public String getFqan() { | ||
| return fqan; | ||
| } | ||
|
|
||
| public String getMappedGid() { | ||
| return mappedGid; | ||
| } | ||
|
|
||
| public String getMappedUname() { | ||
| return mappedUname; | ||
| } | ||
|
|
||
| public void setFqan(String fqan) { | ||
| this.fqan = fqan; | ||
| } | ||
|
|
||
| public void setMappedGid(String mappedGid) { | ||
| this.mappedGid = mappedGid; | ||
| } | ||
|
|
||
| public void setMappedUname(String mappedUname) { | ||
| this.mappedUname = mappedUname; | ||
| } | ||
| } |
Oops, something went wrong.