source: TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/authorisationservice/authorisation-service.ini_tmpl @ 7756


Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

#
# Title: INI file for NDG Security SAML Authorisation Service with XACML PDP
#
# Description: Paster template
#
# Author: P J Kershaw
#
# Date: 16/11/10
#
# Copyright: STFC 2010
#
# Licence: BSD - See top-level LICENCE file for licence details
#
# The %(here)s variable will be replaced with the parent directory of this file
#
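[DEFAULT]

# Values in this section are visible to every other section and can be
# referenced from them as %(name)s (Paste Deploy / configparser
# interpolation).  Values written as ${name} are template variables filled in
# once, when this template is instantiated with paster, not at service start.

# These apply if the service is run with paster; otherwise they are ignored,
# e.g. if the service is run under mod_wsgi
port = 5000
baseURI = localhost:%(port)s
authorisationDecisionFuncEnvironKeyName = saml.authz.queryInterfaceEnvironKey

# Name of this authorisation service and the format of the name.  Both are
# used in SAML queries/responses.  Reference them as %(samlIssuerName)s and
# %(samlIssuerFormat)s from the filter sections below so that every response
# issued by this service carries the same issuer identity.
#
# This name must follow X.509 Subject Name format if 'samlIssuerFormat' is set
# as shown
samlIssuerName = ${issuerName}
samlIssuerFormat = ${issuerFormat}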
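[server:main]
use = egg:Paste#http
# Paste#http serves plain, unencrypted HTTP and 0.0.0.0 listens on every
# network interface.  The authorisation decisions this service hands out
# should only be reachable over a trusted channel, so outside local testing
# either bind to 127.0.0.1 behind a TLS-terminating front end or restrict
# reachability of this port at the network level.
host = 0.0.0.0
# Resolved from the 'port' value in [DEFAULT]
port = %(port)s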
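[pipeline:main]
# Request flow, outermost first: the authorisation service filter publishes
# its decision callback in environ, the SAML/SOAP filter exposes that callback
# as the query endpoint, and TestApp is the terminal application at the end of
# the chain.
pipeline = AuthorisationServiceFilter SAMLSoapAuthzDecisionInterfaceFilter TestApp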
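[app:TestApp]
# Terminal WSGI application for the pipeline.  The factory comes from the
# ndg.saml *test* package (see the dotted path), so review whether it is
# appropriate for a deployment that is reachable beyond a test environment.
paste.app_factory = ndg.saml.test.binding.soap:TestApp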
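#______________________________________________________________________________
# SAML/SOAP query interface to the Authorisation Service
[filter:SAMLSoapAuthzDecisionInterfaceFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
# Options below carry this prefix so the middleware can pick them out
prefix = saml.

# The URI path for this service
saml.mountPath = ${mountPoint}

# The key name in environ which the upstream authorisation service must assign
# to its authorisation query callback
saml.queryInterfaceKeyName = %(authorisationDecisionFuncEnvironKeyName)s

# ElementTree based XML parsing and serialisation used for SAML messages
saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML

# Sets the identity of THIS authorisation service when filling in SAML responses.
# Both values are taken from [DEFAULT] so that the issuer on the SAML response
# matches the issuer the XACML context handler puts on the assertions inside
# it; a hard-coded placeholder here would make the two disagree.
saml.issuerName = %(samlIssuerName)s
saml.issuerFormat = %(samlIssuerFormat)s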
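#______________________________________________________________________________
# Authorisation Service WSGI settings
[filter:AuthorisationServiceFilter]
# This filter is a container for a binding to a SOAP/SAML based interface to the
# Authorisation Service.  It contains a XACML Context handler which manages
# requests from Policy Enforcement Points to the PDP and also enables the PDP
# to make attribute queries to a Policy Information Point
paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
# Options below carry this prefix so the middleware can pick them out
prefix = authz.
# Environ key under which this filter publishes its authorisation decision
# callback; the downstream SAML/SOAP query interface reads the same key
authz.queryInterfaceKeyName = %(authorisationDecisionFuncEnvironKeyName)s

# Lifetime (seconds) for authorisation assertions issued from this service.
# 86400 = 24 h.  A relying party can presumably honour a decision for this
# long after it was made, so the value bounds how quickly a policy change is
# guaranteed to take effect at the enforcement points.
authz.xacmlContext.assertionLifetime = 86400

#
# XACML Context handler manages PEP (Policy Enforcement Point) requests and the
# PDP's (Policy Decision Point's) interface to the PIP (Policy Information Point)
#

# XACML Policy file.  Every access decision this service makes derives from the
# rules in this file, so it should be writable only by the service
# administrator and changes to it reviewed like code.
authz.ctx_handler.policyFilePath = %(here)s/policy.xml

# Settings for SAML authorisation decision response to a Policy Enforcement Point
# making a decision query
authz.ctx_handler.issuerName = %(samlIssuerName)s
authz.ctx_handler.issuerFormat = %(samlIssuerFormat)s
# NOTE(review): this and 'authz.xacmlContext.assertionLifetime' above look like
# two spellings of the same setting - confirm which one the middleware reads
# and keep the two values equal.
authz.ctx_handler.assertionLifetime = 86400

# Add Earth System Grid custom types and functions to XACML
authz.ctx_handler.xacmlExtFunc = ndg.security.server.xacml.esgf_ext:addEsgfXacmlSupport

#
# Policy Information Point interface settings
#
# The Context handler is a client to the PIP, passing on attribute queries
# on behalf of the PDP onwards to the PIP

# The PIP can cache assertions retrieved from Attribute Authority calls to
# optimise performance.  Set this flag to True/False to enable/disable caching
# respectively.  If this setting is omitted it defaults to True
#authz.ctx_handler.pip.cacheSessions = True

# Set the directory for cached information to be stored.  This option is
# ignored if 'cacheSessions' is set to False.  If this setting is omitted, then
# sessions will be cached in memory only.  If the service is stopped all cached
# information would be lost
#authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache

# Set timeout (seconds) for a cached session - following the timeout any existing
# session will be deleted.  This option is ignored if
# authz.ctx_handler.pip.cacheSessions = False or is omitted.  If this option is
# omitted, no timeout is set.  If none is set and
# authz.ctx_handler.pip.sessionCacheDataDir is set, sessions will be effectively
# cached permanently(!) - only an assertion expiry could invalidate a given
# assertion previously cached.  A cached attribute assertion keeps granting
# what it says until it expires, so a revoked entitlement is not seen here
# until the cache entry or the assertion itself times out.
#authz.ctx_handler.pip.sessionCacheTimeout = 3600

# Allow for a clock skew of +/- 3 seconds when checking validity times of
# SAML assertions cached from attribute service queries
authz.ctx_handler.pip.sessionCacheAssertionClockSkewTol = 3.0

#
# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a
# query from the XACML context handler, checks the attribute(s) being queried
# for and looks up this mapping to determine which attribute authority to query
# to find out if the subject has the attribute in their entitlement
authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt

# The attribute ID of the subject value to extract from the XACML request
# context and pass in the SAML attribute query
authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid

# Issuer identity stamped on the SAML attribute queries the PIP sends to an
# Attribute Authority; kept equal to the context handler's own issuer settings
authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s
authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s

# Enable support for ESGF Group/Role Attribute Value in SAML Attribute queries
authz.ctx_handler.pip.attributeQuery.serialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML
authz.ctx_handler.pip.attributeQuery.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML

# These settings configure SSL mutual authentication for the query to the SAML
# Attribute Authority.  The private key is what identifies this service to the
# Attribute Authority, so keep it readable by the service account only;
# sslCACertDir should contain just the CA certificate(s) expected to have
# signed the Attribute Authority's server certificate.
authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(here)s/pki/localhost.crt
authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = %(here)s/pki/localhost.key
authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(here)s/pki/ca
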
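# Logging configuration (Python logging.config.fileConfig format)
[loggers]
keys = root, ndg

[handlers]
keys = console, logfile

[formatters]
keys = generic

[logger_root]
level = INFO
# Only the console handler is attached; add 'logfile' here to keep a
# persistent record of the authorisation decisions this service makes.
handlers = console

[logger_ndg]
level = DEBUG
# No handlers of its own: records propagate up to the root logger's handlers
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

# Defined and listed under [handlers] but not attached to any logger above
[handler_logfile]
class = handlers.RotatingFileHandler
level = NOTSET
formatter = generic
# (filename, mode, maxBytes, backupCount): rotates at 10000 bytes keeping two
# backups, which is small for a production log - raise as needed
args = (os.path.join('%(here)s', 'service.log'), 'a', 10000, 2)

[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-8.8s [%(name)s:%(lineno)d] %(message)s
datefmt = %Y/%m/%d %H:%M:%S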