
Federation-enabled ticketing system: The RT Case (EuroCAMP Dubrovnik)



  1. Federation-enabled ticketing system: The RT Case
     EuroCAMP Dubrovnik, 14th - 15th November 2007
     Jaime Perez <jaime.perez@rediris.es> on behalf of Carlos Fuentes <carlos.fuentes@rediris.es>

  2. Outline
     1. What is RT?
     2. RTIR-WG
     3. RT Authentication
     4. How to federate RT

  3. What is RT
     1. Open source “ticketing” system
     2. Web/email application
     3. Feature-rich and highly customizable
     4. Active open source user and developer community
     5. Many universities, national research & academic networks and companies world-wide using it

  4. What is RT
     1. Written in object-oriented Perl, RT is a high-level, portable, platform-independent system that eases collaboration within organizations and makes it easy for them to take care of their customers
     2. Database independent
     3. Commercial support and custom development available
     4. Several add-on components
        1. RTFM, a single knowledge base
        2. RT-IR, an incident response system

  5. What is RTIR?
     1. RT for Incident Response
     2. A tool for incident handling
     3. Based on Request Tracker RT (http://www.bestpractical.com)
     4. Created by JANET-CERT (security team of the UK's education and research network, ja.net)
     5. Used by many CERTs in Europe and world-wide

  6. RTIR Working Group
     1. TF-CSIRT group
     2. Several European CERTs involved
        1. Chairman: JANET-CSIRT
        2. Deputy Chairman and Technical Contact: IRIS-CERT
     3. Aims
        1. Improve features of RTIR
        2. Common workflow of RTIR
        3. Run RTIR v.2 project (Jan 08 deadline)
        4. Create a user community

  7. RT Authentication
     1. Default authentication
        1. Login/password form
        2. Stored in a database
        3. Once authenticated, RT creates a session
     2. External authentication also available
        1. Different ways of implementing it
        2. Credentials managed externally
        3. Authentication is delegated
     3. Both implementations allow you to fall back to the default authentication system
     4. Rights for users are established by ACLs depending on:
        1. Role (privileged, non-privileged, everyone, …)
        2. User and group (what can be done in the system)
        3. Queue (what users or groups can do in the queue)

  8. RT Authentication
     1. Credentials in an external source
        1. Use the RT web form
        2. Just check if authentication was successful
        3. Once authenticated, RT creates a session
        4. How to implement:
           1. Overload an RT::User method
        5. Examples
           1. LDAP, Active Directory, …

  9. RT Authentication
     1. Delegate authentication
     2. A third-party module takes control:
        1. Check credentials
        2. Create a session
        3. It can also:
           1. Create a user
           2. Establish default permissions
        4. How to implement:
           1. Overload the RT authandler with callbacks

  10. How to federate RT
      1. Starting point:
         1. RT 3.x.x
         2. Apache 2.0
         3. Installed SP
            1. Our case: PAPI PoA
            2. Could be Shibboleth SP
         4. SP is protecting the whole RT
            1. Except /NoAuth, which the system needs to inject incoming mails
      [Diagram: Apache, RT, SP]

  11. How to federate RT (II)
      1. RT::Authen::Federation
      2. Allows federated authentication with Shibboleth, PAPI, …
      3. How to implement:
         1. Get credentials from HTTP headers
            1. Customizable variables in RT config file
         2. Get the group(s) of the user
            1. The group will determine the privileges the user will have
            2. Customizable mapping between federation groups and RT groups by means of the RT configuration
            3. If the user has no group, login as non-privileged

  12. How to federate RT (III)
      1. Check if user already exists
         1. If not, create it
         2. Set up rights depending on privileges
      2. Implement mechanisms to fall back to RT Authentication
         1. Example: root access!
            1. Customizable with RT configuration

  13. How to federate RT (IV)
      1. Authentication Workflow
      [Flowchart. Labels: Accessing the RT URL; Redirect to SP for authentication; Authenticated? (Yes / No); No access; Special User (Yes); Falling back; RT Authentication; RT::Authen::Federation; Creating the RT session; Getting access RT]

  14. Current status
      1. It works!
         1. http://dagobah.rediris.es:40080/
         2. Use your login/password from your local federation
            1. Warning: non-privileged user!
         3. Select RedIRIS (stable) and identify yourself as “jra5demo” with password “jra5er”
            1. Et voilà! You now have system privileges

  15. Questions
      Spanish Research & Academic Network
      Edificio Bronce, Plaza Manuel Gómez Moreno s/n, 28020 Madrid. España
      Tel.: 91 212 76 20 / 25
      Fax: 91 212 76 35
      www.red.es
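
The login decision described on slides 11 to 13, as an added example that is not code from the presentation or from RT::Authen::Federation. The header names, group names, `CONFIG` keys and the `decide` function are assumptions made for illustration; the sample values are constructed.

```python
# Added example with hypothetical names; this is not RT::Authen::Federation code.
from dataclasses import dataclass, field

# Constructed settings standing in for the customizable values in the RT config file.
CONFIG = {
    "user_header": "X-Fed-User",        # assumed name of the header the SP sets
    "groups_header": "X-Fed-Groups",    # assumed name; ';'-separated federation groups
    "group_map": {"csirt-staff": "IncidentHandlers", "helpdesk": "Helpdesk"},
    "fallback_users": {"root"},         # special users sent to RT's own login form
}

@dataclass
class Decision:
    action: str                         # no_access | fallback_rt_auth | create_session
    user: str = ""
    rt_groups: list = field(default_factory=list)
    privileged: bool = False
    created: bool = False

def decide(headers, known_users, config=CONFIG):
    """Turn SP-supplied request headers into a login decision.

    Assumes the SP (or Apache) overwrites any client-sent copy of these headers."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    user = h.get(config["user_header"].lower(), "").strip()
    if not user:
        return Decision("no_access")                 # SP did not authenticate anyone
    if user in config["fallback_users"]:
        return Decision("fallback_rt_auth", user)    # federation grants nothing here
    fed = [g.strip() for g in h.get(config["groups_header"].lower(), "").split(";")]
    # Only groups listed in the mapping count; unknown ones grant nothing.
    rt_groups = sorted({config["group_map"][g] for g in fed if g in config["group_map"]})
    created = user not in known_users
    if created:
        known_users.add(user)                        # first login: create the RT user
    # No mapped group means a non-privileged login, as on slide 11.
    return Decision("create_session", user, rt_groups, bool(rt_groups), created)
```

The fallback branch returns before any group is read, so federation attributes cannot add rights to an account that is meant to use RT's own authentication.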
