Federation-enabled ticketing system: The RT Case (EuroCAMP Dubrovnik)



SLIDE 1

Federation-enabled ticketing system

The RT Case

Jaime Perez <jaime.perez@rediris.es> on behalf of Carlos Fuentes <carlos.fuentes@rediris.es>

EuroCAMP Dubrovnik 14th - 15th November 2007

SLIDE 2

1. What is RT?
2. RTIR-WG
3. RT Authentication
4. How to federate RT

SLIDE 3

What is RT

1. Open source “ticketing” system
2. Web/email application
3. Feature-rich and highly customizable
4. Active open source user and developer community
5. Many universities, national research & academic networks and companies world-wide using it

SLIDE 4

What is RT

1. Written in object-oriented Perl, RT is a high-level, portable, platform independent system that eases collaboration within organizations and makes it easy for them to take care of their customers
2. Database independent
3. Commercial support and custom development available
4. Several add-on components
   1. RTFM, a single knowledge base
   2. RT-IR, an incident response system

SLIDE 5

What is RTIR?

1. RT for Incident Response
2. A tool for incident handling
3. Based on Request Tracker RT (http://www.bestpractical.com)
4. Created by JANET-CERT (security team of the UK's education and research network, ja.net)
5. Used by many CERTs in Europe and world-wide

SLIDE 6

RTIR Working Group

1. TF-CSIRT group
2. Several European CERTs involved
   1. Chairman: JANET-CSIRT
   2. Deputy Chairman and Technical Contact: IRIS-CERT
3. Aims
   1. Improve features of RTIR
   2. Common workflow of RTIR
   3. Run RTIR v.2 project (Jan 08 deadline)
   4. Create a user community

SLIDE 7

RT Authentication

1. Default authentication
   1. Login/password form
   2. Stored on a database
   3. Once authenticated, RT creates a session
2. External authentication also available
   1. Different ways of implementing it
   2. Credentials managed externally
   3. Authentication is delegated
3. Both implementations allow you to fall back to the default authentication system
4. Rights for users are established by ACLs depending on:
   1. Role (privileged, non-privileged, everyone, …)
   2. User and group (what can be done in the system)
   3. Queue (what users or groups can do in the queue)

SLIDE 8

RT Authentication

1. Credentials in an external source
   1. Use the RT web form
   2. Just check if authentication was successful
   3. Once authenticated, RT creates a session
   4. How to implement:
      1. Overload a RT::User method
   5. Examples
      1. LDAP, Active Directory, …

SLIDE 9

RT Authentication

1. Delegate authentication
2. A third party module takes control:
   1. Check credentials
   2. Create a session
   3. It can also:
      1. Create a user
      2. Establish default permissions
   4. How to implement:
      1. Overload the RT authandler with callbacks

SLIDE 10

How to federate RT

1. Starting point:
   1. RT 3.x.x
   2. Apache 2.0
   3. Installed SP
      1. Our case: PAPI PoA
      2. Could be Shibboleth SP
   4. SP is protecting the whole RT
      1. Except /NoAuth. Needed by the system to inject incoming mails

[Diagram labels: Apache, SP, RT]

SLIDE 11

How to federate RT (II)

1. RT::Authen::Federation
2. Allows federated authentication with Shibboleth, PAPI, …
3. How to implement:
   1. Get credentials from HTTP headers
      1. Customizable variables in RT Config file
   2. Get the group(s) of the user
      1. The group will determine the privileges the user will have
      2. Customizable mapping between federation groups and RT groups by means of the RT configuration
      3. If the user has no group, login as non-privileged

SLIDE 12

How to federate RT (III)

1. Check if user already exists
   1. If not, create it
   2. Set up rights depending on privileges
2. Implement mechanisms to fall back to RT Authentication
   1. Example: root access!
      1. Customizable with RT configuration

SLIDE 13

How to federate RT (IV)

1. Authentication Workflow

[Flowchart; recoverable labels: Accessing the RT URL; Redirect to SP for authentication; Authenticated? (Yes / No); No access; RT::Authen::Federation; Special User (Yes / No); Falling back; RT Authentication; Creating the RT session; Getting access; RT]
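
The login decision from the three "How to federate RT" slides, modelled in Python as an added example; it is not RT::Authen::Federation code, and the header names, group names, config keys and this reading of the workflow are assumptions. It also shows the check the /NoAuth exception calls for: identity headers are ignored on the one path the SP does not protect.

```python
# Added example: models the slides' login decision. Not RT::Authen::Federation code.
# Header names, group names and config keys are hypothetical.
CONFIG = {
    "user_header": "X-Fed-User",        # assumed: set by the SP after login
    "groups_header": "X-Fed-Groups",    # assumed: ';'-separated federation groups
    "group_map": {"csirt-staff": "Privileged", "helpdesk": "Helpdesk"},
    "fallback_users": {"root"},         # "special users" kept on RT's own login
    "unprotected": "/NoAuth",           # the one path the SP does not cover
}


def resolve_login(path, headers, rt_users, config=CONFIG):
    """Return (action, user, rt_groups) for one request; may update rt_users."""
    # Outside the SP's protection nothing vouches for identity headers,
    # so a request under /NoAuth never gets a federated session.
    base = config["unprotected"]
    if path == base or path.startswith(base + "/"):
        return ("no_session", None, [])

    user = headers.get(config["user_header"], "").strip()
    if not user:
        return ("redirect_to_sp", None, [])
    if user in config["fallback_users"]:
        return ("rt_login_form", user, [])

    raw = headers.get(config["groups_header"], "")
    fed_groups = [g.strip() for g in raw.split(";") if g.strip()]
    # Unmapped federation groups grant nothing; no mapped group means
    # the user logs in as non-privileged.
    rt_groups = sorted({config["group_map"][g] for g in fed_groups
                        if g in config["group_map"]})

    # Create the RT user on first login; recompute rights on every login
    # so they follow the federation's current group assertions.
    record = rt_users.setdefault(user, {})
    record["groups"] = rt_groups
    record["privileged"] = bool(rt_groups)
    return ("create_session", user, rt_groups)


if __name__ == "__main__":
    users = {}  # constructed, empty RT user table
    hdrs = {"X-Fed-User": "alice", "X-Fed-Groups": "csirt-staff;students"}
    print(resolve_login("/Ticket/Display.html", hdrs, users), users)
    print(resolve_login("/NoAuth/mail-gateway", hdrs, users))
```

In a real deployment the same property depends on the SP being the only route to RT, so that the headers the application reads can only have been set by the SP.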

SLIDE 14

Current status

1. It works!
   1. http://dagobah.rediris.es:40080/
   2. Use your login/password from your local federation
      1. Warning: non-privileged user!
   3. Select RedIRIS (stable) and identify yourself as “jra5demo” with password “jra5er”
      1. Et voilà! You now have system privileges

SLIDE 15

Edificio Bronce Plaza Manuel Gómez Moreno s/n 28020 Madrid. España Tel.: 91 212 76 20 / 25 Fax: 91 212 76 35 www.red.es

Questions

Spanish Research & Academic Network