==============================================================================
                              LCMAPS - REST
==============================================================================
Description: a REST-API to LCMAPS
Author:      Oscar Koeroo, okoeroo at gmail () com
LICENCE:     Apache 2 licence
Purpose:     Provide Unix account mappings based on input credentials.
             Currently LCMAPS is focussed on X.509 based credentials,
             including RFC3820 and old-style proxy certificates.

Run-modes:
    Full SSL : Push the credentials to map in LCMAPS through SSL
    SSL+HTTP : Connect with SSL, push credentials in the HTTP headers
    HTTP     : Push credentials with HTTP headers

Dependencies:
    libevhtp : https://github.com/ellzey/libevhtp
               requires: libevent2, OpenSSL
    lcmaps   : http://software.nikhef.nl/security/lcmaps/
               requires: OpenSSL, and
                         Globus   - http://www.globus.org
                         VOMS API - See EMI website for details
               More info: http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/LCMAPS
Listening:
    8443 - The Full SSL-based interface listens on port 8443.
           The expected input is a client certificate (chain); classic and
           RFC3820 proxy certificates will be supported.
    7443 - The session SSL-based interface listens on port 7443.
           The expected input is the same as for the plain-HTTP interface:
           REST based, using the name/value pairs given in the query.
    8008 - The plain-HTTP (unsecured, but fast) interface listens on port 8008.
           The expected input is REST based, meaning that the name/value
           pairs given in the query are used as input. See below for details.
URI:
    https://localhost:8443/lcmaps/mapping/ssl
    https://localhost:7443/lcmaps/mapping/rest
    http://localhost:8008/lcmaps/mapping/rest

Queries for all URIs:
    ?format=json : Mapping output in JSON
                   (JSON is the default when absent)
    ?format=xml  : Mapping output in XML
    ?format=html : Mapping output in HTML

Queries specific to the "/lcmaps/mapping/rest" URI:
    ?subjectdn=<value> : URL-encoded (X.509) Subject DN.
    ?fqan=<value>      : URL-encoded VOMS FQAN.
                         Note: add fqan= multiple times for multiple group
                         and role affiliations.
                         FQANs MUST be combined with a subjectdn=.
Example input (based on certificates):

    # using a certificate
    curl \
        --capath /etc/grid-security/certificates/ \
        --cert `pwd`/.globus/terena/terena-cert.pem \
        --key `pwd`/.globus/terena/terena-key.pem \
        https://localhost:8443/lcmaps/mapping/ssl

    # using a proxy certificate: the proxy file carries both the proxy
    # certificate and its key, and the user certificate that issued the
    # proxy is passed as an extra trusted certificate (--cacert takes a
    # certificate file, not the private key)
    curl \
        --capath /etc/grid-security/certificates/ \
        --cacert `pwd`/.globus/terena/terena-cert.pem \
        --cert /tmp/x509up_u501 \
        --key /tmp/x509up_u501 \
        https://localhost:8443/lcmaps/mapping/ssl
JSON output:
    Content-Type: application/json

    Sample output JSON:
    {"lcmaps": {
        "mapping": {
            "posix": {
                "uid":  { "id": 501 },
                "pgid": { "id": 501 },
                "sgid": [
                    { "id": 31 },
                    { "id": 32 },
                    { "id": 79 },
                    { "id": 80 },
                    { "id": 81 },
                    { "id": 402 },
                    { "id": 403 },
                    { "id": 507 }
                ]
            }
        }
    }
    }
XML output:
    Content-Type: text/xml

    Sample output XML:
    <!DOCTYPE glossary PUBLIC "-//OASIS//DTD DocBook V3.1//EN">
    <lcmaps>
      <mapping>
        <posix>
          <uid>
            <id>501</id>
          </uid>
          <pgid>
            <id>501</id>
          </pgid>
          <sgid>
            <array>
              <id>31</id>
              <id>32</id>
              <id>79</id>
              <id>80</id>
              <id>81</id>
              <id>402</id>
              <id>403</id>
              <id>507</id>
            </array>
          </sgid>
        </posix>
      </mapping>
    </lcmaps>
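The following Python helper is an added example and not part of the LCMAPS-REST project. It covers the "/lcmaps/mapping/rest" query parameters described above (subjectdn= plus repeated fqan=, with the rule that FQANs need a subjectdn=) and parses the JSON and XML mapping documents shown above into one structure, dispatching on the Content-Type the service sets. The base URL, the subject DN and FQAN values, and all function names are assumptions for illustration; the sample documents are constructed from the README's sample output. One caveat the XML path handles: the DOCTYPE in the sample carries a PUBLIC identifier without the system identifier that XML requires, which a strict parser such as Python's expat rejects, so the helper drops the DOCTYPE before parsing (which also keeps any DTD processing out of the parse).

```python
"""Added example for the LCMAPS-REST README (not project code).

Builds a /lcmaps/mapping/rest query from a subject DN and VOMS FQANs and
parses the JSON and XML mapping documents into a PosixMapping.  Base URL,
DN and FQAN values are constructed for illustration; the sample documents
copy the README's sample output.
"""
import json
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample documents, taken from the README's sample output.
SAMPLE_JSON = """{"lcmaps": {"mapping": {"posix": {
    "uid": {"id": 501}, "pgid": {"id": 501},
    "sgid": [{"id": 31}, {"id": 32}, {"id": 79}, {"id": 80},
             {"id": 81}, {"id": 402}, {"id": 403}, {"id": 507}]}}}}"""

SAMPLE_XML = """<!DOCTYPE glossary PUBLIC "-//OASIS//DTD DocBook V3.1//EN">
<lcmaps><mapping><posix>
  <uid><id>501</id></uid>
  <pgid><id>501</id></pgid>
  <sgid><array>
    <id>31</id><id>32</id><id>79</id><id>80</id>
    <id>81</id><id>402</id><id>403</id><id>507</id>
  </array></sgid>
</posix></mapping></lcmaps>"""


@dataclass
class PosixMapping:
    """The Unix account LCMAPS mapped the credentials to."""
    uid: int
    pgid: int
    sgids: list = field(default_factory=list)


def build_rest_url(base, subjectdn=None, fqans=(), fmt="json"):
    """Return the /lcmaps/mapping/rest URL for the given credentials.

    Each FQAN becomes its own fqan= parameter (the README asks for the
    parameter to be repeated).  DN and FQANs are percent-encoded, which
    matters because both contain '/' and '='.  FQANs without a subjectdn
    are refused because the service requires the two to be combined.
    """
    if fqans and not subjectdn:
        raise ValueError("fqan= must be combined with subjectdn=")
    params = [("format", fmt)]
    if subjectdn:
        params.append(("subjectdn", subjectdn))
    params.extend(("fqan", f) for f in fqans)
    return f"{base}/lcmaps/mapping/rest?{urlencode(params)}"


def decode_rest_query(url):
    """Decode a REST URL's query back into name -> [values] (round-trip check)."""
    return parse_qs(urlsplit(url).query)


def parse_json_mapping(text):
    """Parse the application/json mapping document."""
    posix = json.loads(text)["lcmaps"]["mapping"]["posix"]
    return PosixMapping(
        uid=int(posix["uid"]["id"]),
        pgid=int(posix["pgid"]["id"]),
        sgids=[int(g["id"]) for g in posix.get("sgid", [])],
    )


def parse_xml_mapping(text):
    """Parse the text/xml mapping document.

    The DOCTYPE in the service's output names a PUBLIC id without a system
    id, which strict XML parsers reject; dropping it before parsing avoids
    that and keeps DTD processing out of the parse entirely.
    """
    body = re.sub(r"^\s*<!DOCTYPE[^>]*>", "", text, count=1)
    root = ET.fromstring(body)
    if root.tag != "lcmaps":
        raise ValueError(f"unexpected root element {root.tag!r}")
    posix = root.find("mapping/posix")
    if posix is None:
        raise ValueError("no mapping/posix element in response")
    return PosixMapping(
        uid=int(posix.findtext("uid/id")),
        pgid=int(posix.findtext("pgid/id")),
        sgids=[int(e.text) for e in posix.findall("sgid/array/id")],
    )


def parse_mapping(content_type, body):
    """Dispatch on the Content-Type the service sets for each format."""
    media = content_type.split(";")[0].strip().lower()
    if media == "application/json":
        return parse_json_mapping(body)
    if media == "text/xml":
        return parse_xml_mapping(body)
    raise ValueError(f"unsupported Content-Type {content_type!r}")


if __name__ == "__main__":
    # Constructed DN and FQAN, not real identities.
    url = build_rest_url("http://localhost:8008",
                         subjectdn="/DC=org/DC=example/CN=Alice Example",
                         fqans=["/example.vo/Role=NULL/Capability=NULL"])
    print(url)
    print(parse_mapping("application/json", SAMPLE_JSON))
    print(parse_mapping("text/xml", SAMPLE_XML))
```

Both parsers return the same PosixMapping for the README's two sample documents, so a caller can switch between ?format=json and ?format=xml without changing how it applies the result.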
HTML output:
    Content-Type: text/html

    Sample output HTML (tentative, subject to change):
    <html><body>
    uid: 501<br>
    gid: 501<br>
    secondary gid: 31<br>
    secondary gid: 32<br>
    secondary gid: 79<br>
    secondary gid: 80<br>
    secondary gid: 81<br>
    secondary gid: 402<br>
    secondary gid: 403<br>
    secondary gid: 507<br>
    </body></html>
To do:
    Proxy certificate support:
        Accept classic proxy certificates and RFC3820 certificates for
        authentication and as input to LCMAPS from the SSL handshake on the
        Full SSL URI.
    Add VOMS attribute parsing:
        The VOMS attributes can be encoded in the URI. These need to be parsed
        and fed to the LCMAPS interface as input for a VOMS-specific mapping
        decision. Note: the Full SSL interface already features VOMS AC
        support.
    Full SSL + REST for the Multi User Pilot Job use case:
        Combining the Full SSL interface with the REST-based interface to
        support Multi User Pilot Job use cases in wLCG projects.