There may be times when you need to manage approval for a client. Initially, clients do not have access approved. It may also be the case someday that a client’s security is compromised and you need to disallow all actions with it. This section describes how to manually change the approval of a client. In the initial release of OAuth for MyProxy, there are two methods for approving client request. The first is to use a command line tool that is supplied, the second which only works for mysql-backed stores that directly accesses the database. Administrators are strongly encouraged, if possible, to configure email notifications in all cases.
The CLI allows an administrator to approve or disapprove a client from a the command line, independent of whether the server is running. The two methods are directly, in which the CLI accesses the store and updates it and indirectly, in which the CLI deposits a request that the server picks up. In the indirect case, the server polls a given directory. This is transparent and is taken from the server's configuration. The CLI works with all stores.
The easiest way to run the CLI is to check out the module oa4mp-server-api (see the getting started page for how to download it) from svn and build it, then start it from the command line. The build creates two jars, oa4mp-approver.jar, which is the actual program, and oa4mp-server-api-xxx.jar which is the current build. As with all command line java programs, you need to set the class path (Note: This code currently lives in the main trunk of svn. Make sure you have the correct copy. Two samples should suffice. Note that maven will generate its usual informational messages which I am omitting.
Running the jar. There is currently one way to get a jar:
> mvn clean install -P approver
> cd target
> java -jar oa4mp-approver.jar -cfg /home/ncsa/dev/csd/config/oa4mp-server.xml -name in-memory
This points it to the server config file, oa4mp-server.xml and the tells it to invoke the named configuration in that file called in-memory. In this case, the configuration file points to a memory store, there will not be any approvals found. You should see the following scroll past:
logging to file /home/ncsa/dev/main/ncsa-security-all/myproxy/oa4mp-server-api/log.xml
(No entries found. You will need to manually enter the id.)
Enter the number of the client to approve or disapprove, OR, enter an id, starting with a /
/myproxy:oa4mp,2012:/client/77be5883050848c7bb45484cb8567c8e
Enter your approver name:
jeff
Enter Approve or Deny (A/D)
A
Commit changes? (y/n)
y
My responses are in bold-faced. The server must have polling configured or the approval will never be found.
> java -cp oa4mp-server-api-1.0.6.jar -jar oa4mp-approver.jar -cfg /home/ncsa/dev/csd/config/oa4mp-server.xml -name filestore logging to file /home/ncsa/dev/main/ncsa-security-all/myproxy/oa4mp-server-api/log.xml 0. (D) myproxy:oa4mp,2012:/client/3af1b61bae834e9e373bbd774535ef43 1. (A) myproxy:oa4mp,2012:/client/77be5883050848c7bb45484cb8567c8e 2. (A) myproxy:oa4mp,2012:/client/2ed8e10c4932b284de9fd3d8bdcfc830 3. (A) myproxy:oa4mp,2012:/client/29d1d2b95a29848f77b22b0af129b611 Enter the number of the client to approve or disapprove, OR, enter an id, starting with a / 0 Enter your approver name: jeff Enter Approve or Deny (A/D) A Commit changes? (y/n) y
This lists all the approvals in the store and indicates with an A or D if the request has been approved or disapproved. Entering the line number (these are printed on the left) will select the record. You may approve an pending request or disapprove it. Selecting y at the end commits the changes. This also works for any SQL-backed store as well.
To allow for client approval polling in the service, you need to set a polling directory and, if desired a polling interval (default is 60000 ms or 1 minute.) What is polling? simply put, for stores where there is no way to directly notify the server of approvals (such as a memory or file store), polling tells the server to check for new approvals at a given interval in a specific location. This does, however, work for any configured storage method including SQL stores, so this mechanism can be used generally. Attributes are set in the server configuration file. For instance, here is a server configuration with polling enabled and email notifications off:
<config>
<server
pollingDirectory="/var/www/config/polling"
pollingInterval="5000"/>
<-- bunch of other stuff -->
</config>
which stores all transactions, request and approvals in memory and specifies a MyProxy server other than localhost. The server polls the directory every 5 seconds, (which is very often indeed.) You should have the same polling directory specified for the CLI and the server. The CLI puts the approvals there, and the server eventually reads them.
If no polling directory is given, then polling is disabled.
This consists of replacing the RegistrationServlet in the web.xml file with the AutoRegistrationServlet. The effect is to automatically approve every client request. This is an inherently insecure system but is of great use when debugging a server deploy. Administrators should feel free to use this but simply revert to the standard servlet when deployment ready.
The steps for manually toggling the approval bit in the either Maria DB or MySQL stores are as follows.
Note:Both Maria DB and MySQL allows access per host and localhost access should work but any other should not unless specifically configured to do so.
mysql -u oa4mp-approver -p oauth
Note:This sets you to use the oauth database and will prompt your for the approver’s password.
UPDATE client_approvals set approved=true where oauth_consumer_key=’myproxy:oa4mp,2012:/client/274ab37ef365b7c384a003bc7’;
Note the single quotes around the id. You should also identify yourself as the approver (usually this is just you email address):
UPDATE client_approvals set approver=’your.name@whatever.org’ where oauth_consumer_key=’myproxy:oa4mp,2012:/client/274ab37ef365b7c384a003bc7’;
In a similar way, you could set the approved flag to false and disallow the client from any future actions. You can check that the update took by issuing
select * from client_approvals;
This will display everything in the database. You could also restrict it to the single entry by issuing
select * from client_approvals where oauth_consumer_key=’myproxy:oa4mp,2012:/client/274ab37ef365b7c384a003bc7’;