Hi, I am looking for the information extracted by the VOMS plugins. I could find only the FQANs, host:port and VO, but I am interested in the VOMS server DN and not just the host:port name.

Is there a way to get the VOMS extension issuer DN rather than just the host:port information?

Regards
Bassem

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Freeman
Sent: 31 May 2007 16:15
To: [EMAIL PROTECTED]
Cc: [email protected]; [EMAIL PROTECTED]
Subject: Re: [gt-user] VOMS and Globus

On Thu, 31 May 2007 09:24:47 -0400 "Tom Scavo" <[EMAIL PROTECTED]> wrote:
> [adjusting target mailing lists]
>
> On 5/31/07, Bassem Nasser <[EMAIL PROTECTED]> wrote:
> >
> > I am looking for documentation about VOMS authorization plugins.
> > I found only this page http://dev.globus.org/wiki/VOMS but it is not
> > a development guide, it doesn't show:
> >
> > - how the PIP and PDP work
> > - how the VOMS credentials are returned from the VOMS PIP? What format?
> > - what if I want to use another PDP?
>
> Sorry, I can answer only your last question. GridShib for GT v0.5.2
> introduces a PDP with combined VOMS functionality. This is described
> in the docs
>
> http://gridshib.globus.org/docs/gridshib-gt-0.5.2/admin-index.html
>
> and implemented in the following interceptor:
>
> http://viewcvs.globus.org/viewcvs.cgi/gridshib/gt/interceptors/java/source/src/org/globus/gridshib/gt/authorization/ShibbolethPDP.java?view=log

Hello,

If you want to develop against the GT development release instead of GT4.0.x, please tell us, because much has changed there; this mail assumes you are working with GT4.0.x.

Tom's link is a little complicated as an example, since it uses reflection in order to run without needing the VOMS interceptors installed. Instead I would suggest looking at the sample PDP code in the VOMS package; it is fairly simple.
Here is a general developer introduction to PIPs and PDPs:

http://www-128.ibm.com/developerworks/grid/library/gr-gt4auth/

Understanding the examples there should mean you have the majority of what you need to know to develop with the VOMS and most other interceptors (excluding the authorization-mechanism-specific things you would need to know). The VOMS PIP and sample PDP are straightforward to follow once you understand that simple model (as opposed to something more complicated like GridShib).

If the VOMS PIP is configured in the authorization chain, its collectAttributes method is invoked. If the VOMS PDP is also configured, its isPermitted method is invoked. The PIP and PDP are not dependent on each other for compiling or running, but the PIP will deposit VOMS attributes into the MessageContext by way of the caller's public credentials. So when you say "returned" by the PIP, that is not quite what is happening; the PIP instead places the information where other classes (including services) can access it.
Here is the stored object, which houses mainly an ordered list of Strings (the VOMS attribute strings):

http://viewcvs.globus.org/viewcvs.cgi/workspace/vm/plugins/authz/voms/src/org/globus/voms/impl/VomsCredentialInformation.java?revision=1.1&view=markup

The PIP and sample PDP can be found here:

http://viewcvs.globus.org/viewcvs.cgi/workspace/vm/plugins/authz/voms/src/org/globus/voms/impl/

Creating another PDP should be straightforward: copy code from the VomsPDP class at that link, in particular this retrieval part:

    import java.util.Iterator;
    import java.util.Set;
    import java.util.Vector;
    import javax.security.auth.Subject;
    import org.globus.voms.impl.VomsCredentialInformation;
    // AttributeInformation is the GT4 authorization interface implemented by the
    // object the PIP stores; it is imported from the GT4 authorization package.

    // "peer" is the javax.security.auth.Subject handed to isPermitted; the VOMS PIP
    // has already placed its VomsCredentialInformation among its public credentials.
    AttributeInformation info = null;
    Set credSet = peer.getPublicCredentials();
    Iterator creds = credSet.iterator();
    while (creds.hasNext()) {
        Object o = creds.next();
        if (o instanceof AttributeInformation) {
            info = (AttributeInformation) o;
            break;
        }
    }

    Vector rolesVector = null;
    VomsCredentialInformation vomsinfo = null;
    if (info == null) {
        // No PIP deposited attribute information for this caller.
        logger.info("cannot retrieve credential info from message context");
    } else {
        if (!(info instanceof VomsCredentialInformation)) {
            throw new Exception("credential info from "
                + "message context is not VOMS: incompatible PIP");
        } else {
            vomsinfo = (VomsCredentialInformation) info;
        }
        // Ordered list of the caller's VOMS attribute strings (FQANs).
        rolesVector = vomsinfo.getAttrs();
    }

If you have any specific questions, don't hesitate to ask here. If you have requirements that these classes and interfaces don't satisfy, please tell us, because we can probably help solve issues and/or change things for the next release to accommodate new requirements if that is necessary.

Tim

> Hope this helps,
> Tom

-----------------------------------------
Tim Freeman - [EMAIL PROTECTED]
http://www-unix.mcs.anl.gov/~tfreeman/
Grid Search: http://www.gridindex.org
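As an added example, not code from the thread or from the Globus VOMS package, here is what a complete custom GT4.0.x PDP built around the retrieval snippet above could look like: it finds the VomsCredentialInformation the VOMS PIP left in the peer Subject's public credentials and permits the call only if one of the caller's FQANs matches a configured one. It goes slightly beyond the snippet by canonicalising FQANs (VOMS writes plain group membership as `/vo/group/Role=NULL/Capability=NULL`, so a policy written as `/vo/group` would otherwise never match). Assumptions not confirmed by the thread: the PDP interface is `org.globus.wsrf.security.authorization.PDP` with the method signatures shown, `PDPConfig.getProperty(name, key)` is how a PDP reads its configuration, `AttributeInformation` lives in that same authorization package, and the config key `requiredFQAN` and class name `RequiredFqanPDP` are invented for this example.

```java
// Added example, not part of the Globus VOMS package. Assumed GT4.0.x
// interfaces and import paths are marked below.
package example.authz;

import java.util.Iterator;
import java.util.Set;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import org.apache.axis.MessageContext;
import org.w3c.dom.Node;

import org.globus.voms.impl.VomsCredentialInformation;
import org.globus.wsrf.security.authorization.AttributeInformation; // assumed package
import org.globus.wsrf.security.authorization.AuthorizationException;
import org.globus.wsrf.security.authorization.CloseException;
import org.globus.wsrf.security.authorization.InitializeException;
import org.globus.wsrf.security.authorization.InvalidPolicyException;
import org.globus.wsrf.security.authorization.PDP;
import org.globus.wsrf.security.authorization.PDPConfig;

/** Permits a call only if the caller holds the configured VOMS FQAN. */
public class RequiredFqanPDP implements PDP {

    private static final String ROLE_NULL = "/Role=NULL";
    private static final String CAP_NULL = "/Capability=NULL";

    private String requiredFqan;

    // "requiredFQAN" is a hypothetical config key for this example.
    public void initialize(PDPConfig config, String name, String id)
            throws InitializeException {
        Object value = config.getProperty(name, "requiredFQAN"); // assumed accessor
        if (value == null) {
            throw new InitializeException("requiredFQAN not configured for PDP " + name);
        }
        this.requiredFqan = normalizeFqan(value.toString());
    }

    public boolean isPermitted(Subject peer, MessageContext context, QName operation)
            throws AuthorizationException {
        Vector attrs = vomsAttributes(peer);
        if (attrs == null) {
            // No VOMS PIP ran, or the caller carried no VOMS attributes: deny,
            // never fall through to allow.
            return false;
        }
        for (Iterator i = attrs.iterator(); i.hasNext();) {
            if (normalizeFqan((String) i.next()).equals(requiredFqan)) {
                return true;
            }
        }
        return false;
    }

    /** The attribute strings the VOMS PIP stored, or null if none were deposited. */
    static Vector vomsAttributes(Subject peer) throws AuthorizationException {
        Set credSet = peer.getPublicCredentials();
        for (Iterator i = credSet.iterator(); i.hasNext();) {
            Object o = i.next();
            if (o instanceof AttributeInformation) {
                if (!(o instanceof VomsCredentialInformation)) {
                    throw new AuthorizationException(
                        "credential info from message context is not VOMS: incompatible PIP");
                }
                return ((VomsCredentialInformation) o).getAttrs();
            }
        }
        return null;
    }

    /** Canonical form: drop the Role=NULL / Capability=NULL suffixes VOMS adds. */
    static String normalizeFqan(String fqan) {
        String s = fqan.trim();
        if (s.endsWith(CAP_NULL)) {
            s = s.substring(0, s.length() - CAP_NULL.length());
        }
        if (s.endsWith(ROLE_NULL)) {
            s = s.substring(0, s.length() - ROLE_NULL.length());
        }
        return s;
    }

    // This PDP carries no runtime-settable policy.
    public Node getPolicy(Node query) throws InvalidPolicyException { return null; }
    public Node setPolicy(Node policy) throws InvalidPolicyException { return null; }
    public String[] getPolicyNames() { return new String[0]; }
    public void close() throws CloseException { }
}
```

The PDP has to be configured in the authorization chain after the VOMS PIP, so that collectAttributes has run before isPermitted is called; with the PIP absent, vomsAttributes returns null and every call is denied. Note that the PDP compares strings only: how much those strings can be trusted depends entirely on what the VOMS PIP verified before depositing them, which the thread does not discuss.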
