Security Plugins Table

From Gcube Wiki

Introduction

This section provides tables of the security modules. The main infrastructure includes the essential security modules, with a minimal set of Security Managers and Controllers; the plugins used for particular operations are shipped in separate jars. For every module the Java class, the description and the required configuration steps are reported. The Configuration field lists only the module-related configuration (where required): a service-based Security Descriptor or, at least, a Default Services Security Configuration is mandatory in any case and is explained in the section GHN Security Configuration.

The plugins are grouped into Security Managers, Authentication Controllers and Authorization Controllers, and are presented in subsections according to the jar they belong to.

GCore Framework

The following Security Managers and Controllers are shipped in org.gcube.common.core.jar. They are the essential security modules and should not be considered plugins, because they provide only basic, fundamental features.

Security Managers

Service

Basic Security Manager
  Java Class: org.gcube.common.core.security.impl.GCUBESimpleServiceSecurityManager
  Description: Sets the security protocol (TLS) and the security level (Signature, Encryption or both); used for backward compatibility
  Configuration: Not required

Authentication controllers

Basic Authentication Controller
  Java Class: org.gcube.common.core.security.impl.GCUBESimpleServiceAuthController
  Description: Does nothing: the TLS authentication controls are performed by the underlying API by default
  Configuration: Not required


Authorization controllers

Authorization Chain Controller
  Java Class: org.gcube.common.core.security.impl.GCUBEAuthzChainAuthorizationController
  Description: Sets an Authorization Chain for the authorization controls
  Configuration: Explained in the section Authorization Chain configuration

Main Security Library

The plugins of this section are shipped in the Main Security Library, which contains all the modules required for the internal security of the gCube infrastructure. The jar of the distribution is org.gcube.common.vomanagement.security.jar.


Security Managers

Service

Assertion Based Security Manager
  Java Class: org.gcube.common.vomanagement.security.configuration.GCUBESamlAssertionServiceSecurityManager
  Description: Sets the transport level security (with the host certificate) and manages the SAML Assertion used to identify the service role or the caller role
  Configuration: Not required

Host Credentials Security Manager
  Java Class: org.gcube.common.vomanagement.security.configuration.GCUBEHostCredentialServiceSecurityManager
  Description: Sets the transport level security with the host certificate
  Configuration: Not required

Client

Assertion Based Security Manager
  Java Class: org.gcube.common.vomanagement.security.configuration.client.GCUBESamlAssertionAutoInsertClientSecurityManager
  Description: The client counterpart of GCUBESamlAssertionServiceSecurityManager. It sets the transport level security (with the host certificate) and manages the SAML Assertion used to identify the service role or the caller role
  Configuration: The client that uses this security manager should set the role of the user as identity.

Host Credentials Security Manager
  Java Class: org.gcube.common.vomanagement.security.configuration.client.GCUBEHostCredentialClientSecurityManager
  Description: Sets the transport level security using the GHN host certificate of the node where the client runs
  Configuration: Not required

Proxy Credentials Security Manager
  Java Class: org.gcube.common.vomanagement.security.configuration.client.GCubeProxyCertificateClientSecurityManager
  Description: Sets the transport level security with a proxy certificate
  Configuration: The client that uses this security manager should set the path to a proxy certificate file as identity.

Authentication controllers

DN List Controller
  Java Class: org.gcube.common.vomanagement.security.authentication.DNListAuthenticationController
  Description: Authenticates the requests whose certificate is signed by a CA present in a configured list
  Configuration: The parameter trustedca, a list of CA DNs in which every DN is separated by a |


Authorization controllers

Equal DN Controller
  Java Class: org.gcube.common.vomanagement.security.authorisation.control.impl.EqualDNAuthorizationController
  Description: Authorizes only the calls signed by the server GHN host certificate (i.e. local calls)
  Configuration: Not required

DN Selection Controller
  Java Class: org.gcube.common.vomanagement.security.authorisation.control.impl.DNSelectionAuthorizationController
  Description: Composed of the Equal DN Controller and the Authorization Chain Controller: if the call is local it is authorized, otherwise the Authorization Chain is invoked
  Configuration: Only the Authorization Chain configuration.

VOMS Based Security Library

This extension security library provides a security manager that automatically obtains a VOMS Proxy Certificate starting from a local certificate. The jar is org.gcube.vomanagement.voms-api.jar.


Security Manager

Service

VOMS Based Security Manager
  Java Class: org.gcube.vomanagement.vomsapi.securitymanager.VOMSServiceCredentialsSecurityManager
  Description: Loads a local certificate, generates a VOMS Proxy by contacting a VOMS Server and uses it to sign the request
  Configuration: Described in the Extension Security Libraries section

DN Based Security Controller

This controller is used when our services are contacted by external infrastructures: the requests are recognized only by the caller DN, which must belong to one of our infrastructure's users. To perform this check the user management service of the Portal must be contacted, so this controller could also be called Portal Based Authorization Controller or Edge Authorization Controller. It is contained in the jar org.gcube.common.vomanagement.edge.sec.controller.jar.


Authorization controller

User DN Authorization Controller
  Java Class: org.gcube.common.vomanagement.security.authorisation.control.IncomingMessageEdgeServiceDNAuthorizationController
  Description: Checks whether the caller DN belongs to a user of our infrastructure: if the user is found, his roles are loaded and a SAML Assertion is generated for every further call
  Configuration: Described in the Extension Security Libraries section