okoeroo/lcmaps-rest
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
==============================================================================
__ ______ .___ ___. ___ .______ _______.
| | / || \/ | / \ | _ \ / |
| | | ,----'| \ / | / ^ \ | |_) | | (----` ______
| | | | | |\/| | / /_\ \ | ___/ \ \ |______|
| `----.| `----.| | | | / _____ \ | | .----) |
|_______| \______||__| |__| /__/ \__\ | _| |_______/
.______ _______ _______.___________.
| _ \ | ____| / | |
| |_) | | |__ | (----`---| |----`
| / | __| \ \ | |
| |\ \----.| |____.----) | | |
| _| `._____||_______|_______/ |__|
==============================================================================
Description: a REST-API to LCMAPS
Author: Oscar Koeroo, okoeroo at gmail () com
LICENCE: Apache 2 licence
Purpose: Provide Unix account mappings based on input credentials
Currently LCMAPS is focussed on X.509 based credentials,
including RFC3820 and old-style proxy certificates.
Run-modes:
Full SSL : Push the credentials to map in LCMAPS through SSL
SSL+HTTP : Connect with SSL, push credentials in the HTTP headers
HTTP : Push credentials with HTTP headers
Dependencies:
libevhtp : https://github.com/ellzey/libevhtp
requires: libevent2, OpenSSL
lcmaps : http://software.nikhef.nl/security/lcmaps/
requires: OpenSSL, and
Globus - http://www.globus.org
VOMS API - See EMI website for details
More info: http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/LCMAPS
Listening:
8443 - The Full SSL-based interfaces listen on port 8443
The expected input is a client certificate (chain) will feature classic
and RFC3820 proxy certificate support.
7443 - The session SSL-based interfaces listen on port 7443
The expected input is the same as the plain-HTTP interfaces, being REST
based using the query featured name/value pairs.
8008 - The plain-HTTP (unsecured, but fast) interfaces listen on port 8008
The expected input is REST based, meaning that the query featured
name/value pairs are used for input. See below for details.
URI:
https://localhost:8443/lcmaps/mapping/ssl
https://localhost:7443/lcmaps/mapping/rest
http://localhost:8008/lcmaps/mapping/rest
Queries for all URI:
?format=json : Mapping output in JSON
(JSON is the default when absent)
?format=xml : Mapping output in XML
?format=html : Mapping output in HTML
Queries specific to the "/lcmaps/mapping/rest" URI:
?subjectdn=<value> : URL encoded (X.509) Subject DN.
?fqan=<value> : URL encoded VOMS FQANs.
Note: Add FQANs multiple times for mulitple group
and role affiliations.
FQANs MUST be combined with a subjectdn=
Example input (based on certificates):
#using a certificate
curl \
--capath /etc/grid-security/certificates/ \
--cert `pwd`/.globus/terena/terena-cert.pem \
--key `pwd`/.globus/terena/terena-key.pem \
https://localhost:8443/lcmaps/mapping/ssl
#using a proxy certificate
curl \
--capath /etc/grid-security/certificates/ \
--cacert `pwd`/.globus/terena/terena-key.pem \
--cert /tmp/x509up_u501 \
--key /tmp/x509up_u501 \
https://localhost:8443/lcmaps/mapping/ssl
JSON output:
Content-Type: application/json
Sample output JSON:
{"lcmaps": {
"mapping": {
"posix": {
"uid": { "id": 501 },
"pgid": { "id": 501 },
"sgid": [
{ "id": 31 },
{ "id": 32 },
{ "id": 79 },
{ "id": 80 },
{ "id": 81 },
{ "id": 402 },
{ "id": 403 },
{ "id": 507 }
]
}
}
}
}
XML output:
Content-Type: text/xml
Sample output XML:
<!DOCTYPE glossary PUBLIC "-//OASIS//DTD DocBook V3.1//EN">
<lcmaps>
<mapping>
<posix>
<uid>
<id>501</id>
</uid>
<pgid>
<id>501</id>
</pgid>
<sgid>
<array>
<id>31</id>
<id>32</id>
<id>79</id>
<id>80</id>
<id>81</id>
<id>402</id>
<id>403</id>
<id>507</id>
</array>
</sgid>
</posix>
</mapping>
</lcmaps>
HTML output:
Content-Type: text/html
Sample output HTML (tentative to change):
<html><body>
uid: 501<br>
gid: 501<br>
secondary gid: 31<br>
secondary gid: 32<br>
secondary gid: 79<br>
secondary gid: 80<br>
secondary gid: 81<br>
secondary gid: 402<br>
secondary gid: 403<br>
secondary gid: 507<br>
</body></html>
To do:
Proxy certificate support:
Accept classic proxy certificates and RFC3820 certificates for
authentication and as input to LCMAPS from the SSL handshake on the
Full SSL URI.
Add VOMS attribute parsing:
The VOMS attributes can be encoded in the URI. This needs to be parsed
and feed to the LCMAPS interface as input for a VOMS specific mapping
decision. Note: the Full SSL interfaces already features VOMS AC
support.
Full SSL + REST for Multi User Pilot Job use case:
Combining the Full SSL interface with the REST based interface to
support Multi User Pilot Job use cases in wLCG projects.
About
REST interface to LCMAPS (identity credential in, Unix credential out)
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published