
Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config@3901
Revision 3901, 10.1 KB checked in by pjkersha, 12 years ago (diff)

Working version with Gatekeeper code moved into its own package in ndg.security.

All security code now decoupled from ows_server - Single Sign On and Gatekeeper.

ows_server/ndgDiscovery.config: moved Gatekeeper settings into its own NDG_SECURITY.gatekeeper section

ows_server/ows_server/config/ndgMiddleware.py:

  • now initialises PEP class (Policy Enforcement Point aka Gatekeeper) from ndg.security.common.authz.pep and adds as a g var attr.



Index: ows_server/ows_server/controllers/logout.py: remove old commented out code

ows_server/ows_server/controllers/retrieve.py:

ows_server/ows_server/lib/ndgInterface.py: replaced old ndgInterface gatekeeper code with PEP class.

ows_server/ows_server/lib/security_util.py: moved out of ows_server into ndg.security.common

ows_server/ows_server/lib/base.py: tidied up imports

ows_server/ows_server/templates/stubB.kid: code to comment out the CSML entries caused an error for render(). Re-instated commented out section.

1#
2# NDG Configuration File
3# At deployment time the only pieces that a user ought to need to customise
4# will be
5#    - the server address
6#    - it might be necessary to customise the location of the layout directory
7#    - the localLink, localImage and localAlt in the [layout] section
8#
9[DEFAULT]
10#
11# the following is the server on which this browse/discovery instance runs!
# NOTE: every %(server)s reference below (ndgServer, repository, the
# NDG_B_SERVICE host entries, the DISCOVERY default) interpolates this value,
# so changing it here changes all of them.
12server:         http://localhost
13#server:       http://superglue.badc.rl.ac.uk:8083
14## This is the proxied server root
15#server: http://superglue.badc.rl.ac.uk/ndg-test
16
17#
18# the following is the server on which the NDG discovery service is running! (Not to be confused with
19# the server on which the NDG discovery web service is running). This can and probably should be the local
20# server (i.e. don't change it!)
21#
22ndgServer:      %(server)s
23#
24# this is the physical file location of the layout directory on this machine
25#
# NOTE: left blank here; [HELP] helpFile prepends it to the layout path, so it
# must be filled in at deployment.
26layoutdir:
27#
28# this should never be changed
29#
30##!NOTE: These are changed to reflect the proxy prefix
31#layout:         /ndg-test/layout/
32#icondir:        /ndg-test/layout/icons/
33layout:          /layout/
34icondir:         /layout/icons/
35
36#
# NOTE(review): the 'xxx' prefix looks like a deliberately disabled mail host
# - confirm before deployment.
37mailserver:       xxxoutbox.rl.ac.uk
38metadataMaintainer: b.n.lawrence@rl.ac.uk
39repository:        %(server)s
40tbrecipient:      b.n.lawrence@rl.ac.uk
41
42# The following should only be needed for debugging some parts of the code when running on sandboxes behind a firewall
# NOTE(review): set unconditionally here although described as debug-only;
# whether the code honours it outside a sandbox cannot be told from this file.
# Confirm, and leave it blank on production hosts.
43proxyServer:      http://wwwcache3.rl.ac.uk:8080/
# Free-text disclaimer, empty here (presumed from the key name - verify
# against the templates that read it).
44disclaimer:       
45
46[SEARCH]
# Discovery search endpoints; all are built on ndgServer, i.e. this instance
# unless [DEFAULT] ndgServer is changed.
47advancedURL:        %(ndgServer)s/discovery
48discoveryURL:       %(ndgServer)s/discovery
49helpURL:            %(ndgServer)s/discovery?help=1
50
51[logging]
# Debug log file.  NOTE(review): relative path, resolved against the process
# working directory - confirm it lands outside any web-served directory.
52debuglog:        discovery.log
53
54[layout]
# Links, icons and images used by the page templates.  Paths are built from
# the [DEFAULT] layout / icondir URL prefixes.
55###### user customisable:
56localLink:      %(ndgServer)s/layout/
57localImage:     %(layout)sndg_logo_circle.gif
58localAlt:       visit badc
59###### ought to be the end of the customisations
60ndgLink:        http://ndg.nerc.ac.uk/
61ndgImage:       %(layout)sndg_logo_circle.gif
62ndgAlt:         visit ndg
63stfcLink:       http://ceda.stfc.ac.uk/
64stfcImage:      %(layout)sstfc-circle-sm.gif
# padlock / grey key icons - presumably mark secured vs. unsecured entries;
# verify against the templates.
65key:            %(icondir)spadlock.png
66keyGrey:        %(layout)skeyG.gif
67selectI:        %(layout)stick.png
68Xicon:          %(icondir)sxml.png
69plot:           %(icondir)splot.png
70printer:        %(icondir)sprinter.png
71helpIcon:       %(icondir)shelp.png
# NOTE(review): interpolating the layout path into an alt-text value looks
# like a copy from the image entries above - verify it is intended.
72HdrLeftAlt:     %(layout)s Natural Environment Research Council
73HdrLeftLogo:    %(layout)sNERC_Logo.gif
74
75pageLogo:       %(layout)s20050502_albert-park_silhouetted-trees-and-clouds_02_cropped.jpg
76
77ndgJavascript:  %(layout)sndgJavascript.js
78
79[HELP]
# Filesystem path of the help page: [DEFAULT] layoutdir (physical directory)
# followed by the layout URL prefix.  Requires layoutdir to be set.
80helpFile:       %(layoutdir)s%(layout)shelp.html
81
82[NDG_A_SERVICE]
# Repository identifier -> A-service host, in the same repository: hostname
# form described under NDG_B_SERVICE below.
83badc.nerc.ac.uk: http://glue.badc.rl.ac.uk/cgi-bin/dxui
84icon: %(icondir)splot.png
85#%(icondir)sdata_aservice.png
86icon_alt: A Service
87service_name: A
88icon_title: LINKS to a DATA BROWSE view of this dataset
# Link template; '%s' is presumably filled in by the code with the dataset
# URI - verify against the controller that renders it.
89instance: datasetURI_%s
90
91[NDG_B_SERVICE]
92#
93#These are the hosts which are publicly available on which the browse
94#service is running. The list should be of the form repository: hostname
95#where repository is the NDG identifier ....
96#
97neodc.nerc.ac.uk: %(server)s
98badc.nerc.ac.uk: %(server)s
# NOTE: the remote hosts below are plain http, so browse links to them are
# unencrypted.
99www.npm.ac.uk: http://wwwdev.neodaas.ac.uk/projects/ndg
100grid.bodc.nerc.ac.uk: http://grid.bodc.nerc.ac.uk
101ndg.noc.soton.ac.uk: http://ndg.noc.soton.ac.uk:8001
102icon: %(icondir)sbrowse_bservice.png
103icon_alt: B Service
104icon_title: Links to a METADATA BROWSE view of this dataset
105service_name: B
# Link template; SERVICEHOST and URI are presumably substituted by the code
# from the host list above and the dataset URI - verify.
106instance: SERVICEHOST/view/URI
107
108[NDG_EXIST]
109#
110# following is a list of repository servers, actually only one is needed,
111# at any one location running browse, and that is the local one. The
112# entire purpose of the rest of the list is to simplify updates. These
113# hosts do not need to be visible outside of corporate firewalls.
114# The list should be of the form repository: hostname where repository
115# is the NDG identifier.
116#
117local: chinook.badc.rl.ac.uk
118badc.nerc.ac.uk: chinook.badc.rl.ac.uk
119neodc.nerc.ac.uk: chinook.badc.rl.ac.uk
120grid.bodc.nerc.ac.uk: grid.bodc.nerc.ac.uk
121ndg.noc.soton.ac.uk: ndg.noc.soton.ac.uk
122www.npm.ac.uk: pgsql.npm.ac.uk
# Presumably the credentials file for the repository servers above; its
# format is defined by the code that reads it, not here.
# NOTE(review): relative path, resolved against the process working
# directory.  Keep this file outside any web-served directory, readable only
# by the service account, and out of version control - the commented sandbox
# path below shows it once sat inside the ows_server source tree.
123#passwordFile: /home/bnl/sandboxes/ndg/TI05-delivery/ows_framework/trunk/ows_server/passwords.txt
124passwordFile: ./passwords.txt
125
126#
127# NDG Security
128#
129
130# Security settings for configuration as a client to a Single Sign On Service
131# i.e. Where Are You From, login and logout operations are handled by a
132# separate standalone paster instance
133#[NDG_SECURITY.ssoClient]
134## THIS service's address for secure connections - the Single Sign On service
135## returns security parameters to this service along this channel
136#sslServer: https://localhost
137##sslServer: https://ndgbeta.badc.rl.ac.uk
138#
139## THIS service's address for unencrypted connections - when login is complete,
140## the BaseController redirects to an equivalent address under this host name.
141## sslServer and server settings must match for the sharing of cookies.
142#server: http://localhost
143#
144## WAYF running on Single Sign On Service - omit to default to WAYF running on
145## THIS paster instance
146#wayfURI:               https://localhost/sso/wayf
147#
148## Logout URI running on Single Sign On Service - omit to default to WAYF running on
149## THIS paster instance
150#logoutURI:             https://localhost/sso/logout
151
152# Security settings for running a Single Sign On Service from this paster
153# instance.  Either NDG_SECURITY.ssoClient or NDG_SECURITY.ssoService sections
154# should be set but NOT both
155
156# Single Sign On Service Settings
157[NDG_SECURITY.ssoService]
158
159# THIS service's address for secure connections - the Single Sign On service
160# returns security parameters to this service along this channel
# NOTE(review): 'localhost' placeholders; the https/http pair below must be
# replaced together at deployment (see the cookie note).
161sslServer: https://localhost
162#sslServer: https://ndgbeta.badc.rl.ac.uk
163
164# THIS service's address for unencrypted connections - when login is complete,
165# the BaseController redirects to an equivalent address under this host name.
166# sslServer and server settings must match for the sharing of cookies.
167server: http://localhost
168
169# Redirect SOAP output to a file e.g. open(<somefile>, 'w')
# NOTE(review): the examples read as Python expressions, which suggests the
# value is evaluated by the consumer - verify how it is parsed.  A trace would
# include the WS-Security headers of signed messages (see
# NDG_SECURITY.wssecurity), so leave it disabled in production.
170tracefile: None
171#tracefile: sys.stderr
172
173# Service addresses
# NOTE(review): sessionMgrURI is https but attAuthorityURI is plain http;
# confirm that is intended - message-level signing per the wssecurity section
# does not encrypt the transport.
174sessionMgrURI: https://localhost/SessionManager
175#sessionMgrURI: https://ndgbeta.badc.rl.ac.uk/SessionManager
176attAuthorityURI: http://localhost:5000/AttributeAuthority
177#attAuthorityURI: http://aa.ceda.rl.ac.uk
178
179# SSL Connections
180#
181# Space separated list of CA cert. files.  The peer cert.
182# must verify against at least one of these otherwise the connection is
183# dropped.  Include CA certs for all the sites trusted
# NOTE(review): the file name indicates a test CA - replace for production.
184sslCACertFilePathList: certs/ndg-test-ca.crt
185
186
187# WS-Security signature handler - set a config file with 'wssCfgFilePath'
188# or omit and put the relevant content directly in here under
189# 'NDG_SECURITY.wssecurity' section
190#wssCfgFilePath: wssecurity.cfg
191
192[NDG_SECURITY.wssecurity]
193
194# Settings for signature of an outbound message ...
# Shared by the Single Sign On service and, via wssCfgSection in
# NDG_SECURITY.gatekeeper, by the gatekeeper as well.
195
196# Certificate associated with private key used to sign a message.  The sign
197# method will add this to the BinarySecurityToken element of the WSSE header. 
198# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType. 
199# As an alternative, use 'signingCertChain' parameter
200
201# file path PEM encoded cert
202signingCertFilePath=certs/clnt.crt
203
204# file path to PEM encoded private key file
# NOTE(review): this key signs every outbound message - restrict read access
# to the service account.
205signingPriKeyFilePath=certs/clnt.key
206
207# Password protecting private key.  Leave blank if there is no password.
# NOTE(review): blank here - either the key file is unencrypted or the value
# is filled in at deployment; confirm.  A passphrase set here is stored in
# clear text, so this file then needs the same permissions as the key.
208signingPriKeyPwd=
209
210# Provide a space separated list of file paths.  CA Certs should be included
211# for all the sites this installation trusts
# NOTE(review): test CA, as in NDG_SECURITY.ssoService - replace for
# production.
212caCertFilePathList=certs/ndg-test-ca.crt
213
214# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
215# signed message. 
216reqBinSecTokValType=X509v3
217
218# Add a timestamp element to an outbound message
219addTimestamp=True
220
221# For WSSE 1.1 - service returns signature confirmation containing signature
222# value sent by client
# Disabled here; per the comment above, enabling it needs a WSSE 1.1 capable
# peer.
223applySignatureConfirmation=False
224
225#
226# Gatekeeper settings
227#
228[NDG_SECURITY.gatekeeper]
229#
230# Policy Enforcement Point calls a Policy Decision Point interface:
231
232# File path to Python module containing the PDP class - leave blank if the
233# module is in PYTHONPATH env var
# NOTE(review): the PDP module and class are chosen by the three settings
# below, so whoever can write this file chooses the authorisation code.
# Protect this file like source.
234pdpModFilePath:
235
236# Name of PDP Python module
237pdpModName: ndg.security.common.authz.pdp.browse
238
239# Name of PDP class used
240pdpClassName: BrowsePDP
241
242# File Path to configuration file used by PDP class (environment variables
243# can be used in this path e.g. $PDP_CONFIG_DIR/pdp.cfg.  Omit this parameter
244# to make the PEP read the PDP settings from THIS config file
245#pdpCfgFilePath:
246
247# Read PDP params from THIS section
248pdpCfgSection: NDG_SECURITY.gatekeeper
249
250#
251# Settings for Policy Decision Point called by the PEP
252
253# Address of Attribute Authority for Data Provider
# NOTE(review): blank here; whether the PDP requires it cannot be told from
# this file - confirm at deployment.
254aaURI:
255
256# CA certificates used to verify peer certs from Session Manager SSL
257# connections - space delimited list
# NOTE(review): blank here while NDG_SECURITY.ssoService sets
# certs/ndg-test-ca.crt - confirm whether the PDP needs its own list or
# whether a blank list leaves Session Manager connections unverified.
258sslCACertFilePathList:
259
260# Set to file object to dump SOAP message output for debugging
# Leave blank outside debugging; see the tracefile note under
# NDG_SECURITY.ssoService.
261tracefile:
262
263# CA certificates used to verify the signature of user Attribute Certificates
264# - space delimited list but note that currently only the CA of this site
265# is needed because only mapped Attribute Certificates may be accepted.
# NOTE(review): test CA and, below, a test issuer DN - these two must be
# updated together for production, as the issuer DN is matched against the
# certificate chain verified here.
266acCACertFilePathList: certs/ndg-test-ca.crt
267
268# X.509 Distinguished Name for Attribute Certificate issuer - should match with
269# the issuer element of the users Attribute Certificate submitted in order to
270# gain access
271acIssuer: /CN=AttributeAuthority/O=NDG Security Test/OU=Site A
272#acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC
273
274# WS-Security signature handler - set a config file with 'wssCfgFilePath'
275# or omit and put the relevant content directly in here under the section name
276# specified by 'wssCfgSection' below
277#wssCfgFilePath: wssecurity.cfg
278
279# Config file section for WS-Security settings - Nb. the gatekeeper shares the
280# same settings as the Single Sign On Service.
281wssCfgSection: NDG_SECURITY.wssecurity
282
283[RELATED]
# Presentation of "related link" entries; same icon / alt / title / instance
# layout as the service sections above.
284icon: %(icondir)srelated_link.png
285icon_alt: Related
286service_name: Related
287icon_title: Links to a RELATED URL
# Link template; 'uri' is presumably replaced by the code - verify.
288instance: uri
290[DISCOVERY]
291icon: %(icondir)scatalogue_dservice.png
292icon_alt: Catalogue
293service_name: Catalogue
# Discovery record host defaults to this instance ([DEFAULT] server).
294default: %(server)s
# Style: '=' here where the rest of the section uses ':' - both are accepted,
# but ':' would be consistent.
295formatDefault=DIF
296icon_title: Links to the DISCOVERY RECORD for this dataset
297#standalone: True
298standalone: False
299
300[OWS_SERVER]
301#
302# Configure the OWS_SERVER framework here
303#
304
305# exception_type: whether OGC servers should send a valid ExceptionReport on errors
306#     or use pylon's debugger.  Very useful for debugging OWS controllers.  Default is ogc
# NOTE(review): 'pylons' presumably enables the framework's interactive
# debugger on errors; keep the default (ogc) on any deployment reachable by
# untrusted clients.
307#exception_type: ogc
308#exception_type: pylons
309