Yes, that is correct. It should be per attribute instead, of course. This code was only ever used in practice with one VOMS server; the code was developed in a specific context. We'll release a new version soon with this fix, depending on when there are cycles available. I'll get back to you with more information soon. Thanks for pointing out this problem!
Tim

On Tue, 5 Jun 2007 21:18:13 +0100
"Bassem Nasser" <[EMAIL PROTECTED]> wrote:

> Hi again
>
> Would you please correct me if I am wrong?
>
> The VOMs PIP extracts the user FQAN attributes and creates a
> VomsCredentialInformation including VO name, hostport and all the FQANs.
> Then this information is added to the subject as in:
> peerSubject.getPublicCredentials().add(info);
>
> However; if the user contacts more than one VOMS server, and thus has more
> than hostport, and may be more than one VO, the PIP will not offer this
> information to the PDP !! Since it passes only one VomsCredentialInformation
> !!
> So the PDP may get all the FQANs but only one hostport and Voname!!
>
> Regards
> Bassem
>
> -----Original Message-----
> From: Tim Freeman [mailto:[EMAIL PROTECTED]
> Sent: 05 June 2007 14:22
> To: [EMAIL PROTECTED]
> Cc: Vincenzo Ciaschini; [email protected]; [EMAIL PROTECTED]
> Subject: Re: [gt-user] VOMS and Globus
>
> On Tue, 05 Jun 2007 10:06:18 +0200
> Vincenzo Ciaschini <[EMAIL PROTECTED]> wrote:
>
> > Bassem Nasser wrote:
> >
> > > Hi
> > >
> > > I am looking for the information extracted by VOMS plugins. I could
> > > find only the FQANs, host:port and VO.
> > > But I am interested in the voms server DN and not just the host:port
> > > name.
> > >
> > > Is there a way to get the voms extension issuer DN rather than just
> > > the host:port information?
> >
> > Yes. That information is included in the AC. Since you are using
> > Java, you may want to look at VOMSAttribute.getIssuer() and
> > VOMSAttribute.getIssuerX509().
> >
> > Ciao,
> > Vincenzo
> >
>
> Thanks Vincenzo.
>
> We will extend the VomsCredentialInformation object to contain this but for
> now you'd to edit the PIP to get this from the parser directly.
>
> Tim
>
>
> > >
> > > Regards
> > > Bassem
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > > Behalf Of Tim Freeman
> > > Sent: 31 May 2007 16:15
> > > To: [EMAIL PROTECTED]
> > > Cc: [email protected]; [EMAIL PROTECTED]
> > > Subject: Re: [gt-user] VOMS and Globus
> > >
> > > On Thu, 31 May 2007 09:24:47 -0400
> > > "Tom Scavo" <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > >>[adjusting target mailing lists]
> > >>
> > >>On 5/31/07, Bassem Nasser <[EMAIL PROTECTED]> wrote:
> > >>
> > >>>I am looking for documentation about VOMS authorization plugins.
> > >>>I found only this page http://dev.globus.org/wiki/VOMS but it is
> > >>>not a development guide, it doesn't show:
> > >>>
> > >>>- how the PIP and PDP works
> > >>>- how the VOMS credentials are returned from the VOMS PIP? What format?
> > >>>- what if I want to use another PDP?
> > >>
> > >>Sorry, I can answer only your last question. GridShib for GT v0.5.2
> > >>introduces a PDP with combined VOMS functionality. This is
> > >>described in the docs
> > >>
> > >>http://gridshib.globus.org/docs/gridshib-gt-0.5.2/admin-index.html
> > >>
> > >>and implemented in the following interceptor:
> > >>
> > >>http://viewcvs.globus.org/viewcvs.cgi/gridshib/gt/interceptors/java/source/src/org/globus/gridshib/gt/authorization/ShibbolethPDP.java?view=log
> > >
> > >
> > > Hello,
> > >
> > > If you want to develop against the GT development release instead of
> > > GT4.0.x, please tell us because much has changed there, this mail
> > > assumes you are working with GT4.0.x.
> > >
> > > Tom's link is a little complicated of an example since it uses
> > > reflection in order to run without needing the VOMS interceptors
> > > installed.
> > >
> > > Instead I would suggest looking at the sample PDP code in the VOMS
> > > package, it is fairly simple.
> > > Here is a general developer introduction to PIPs and
> > > PDPs:
> > >
> > > http://www-128.ibm.com/developerworks/grid/library/gr-gt4auth/
> > >
> > > Understanding the examples there should mean you have the majority
> > > of what you need to know to develop with the VOMS and most other
> > > interceptors (excluding the authorization mechanism specific things
> > > you would need to know).
> > >
> > > The VOMS PIP and sample PDP are straightforward to follow once
> > > understanding that simple model (as opposed to something more
> > > complicated like GridShib).
> > >
> > > If the VOMS PIP is configured in the authorization chain its
> > > collectAttributes method is invoked. If the VOMS PDP is also
> > > configured, its isPermitted method is invoked. The PIP and PDP are
> > > not dependent on each other for compiling or running, but the PIP
> > > will deposit VOMS attributes into the MessageContext by way of the
> > > caller's public credentials. So when you say "returned" by the PIP,
> > > that is not quite what is happening, the PIP instead places the
> > > information where other classes (including services) can access it.
> > >
> > > Here is the stored object, houses mainly an ordered list of Strings
> > > (the VOMS attribute strings):
> > >
> > > http://viewcvs.globus.org/viewcvs.cgi/workspace/vm/plugins/authz/voms/src/org/globus/voms/impl/VomsCredentialInformation.java?revision=1.1&view=markup
> > >
> > > The PIP and sample PDP can be found here:
> > >
> > > http://viewcvs.globus.org/viewcvs.cgi/workspace/vm/plugins/authz/voms/src/org/globus/voms/impl/
> > >
> > > Creating another PDP should be straightforward, copy code from the
> > > VomsPDP class at that link, in particular this retrieval part:
> > >
> > >     AttributeInformation info = null;
> > >     Set credSet = peer.getPublicCredentials();
> > >     Iterator creds = credSet.iterator();
> > >     while (creds.hasNext()) {
> > >         Object o = creds.next();
> > >         if (o instanceof AttributeInformation) {
> > >             info = (AttributeInformation) o;
> > >             break;
> > >         }
> > >     }
> > >
> > >     Vector rolesVector = null;
> > >     VomsCredentialInformation vomsinfo = null;
> > >     if (info == null) {
> > >         logger.info("cannot retrieve credential info from message context");
> > >     } else {
> > >         if (!(info instanceof VomsCredentialInformation)) {
> > >             throw new Exception("credenital info from " +
> > >                 "message context is not VOMS: incompatible PIP");
> > >         } else {
> > >             vomsinfo = (VomsCredentialInformation) info;
> > >         }
> > >
> > >         rolesVector = vomsinfo.getAttrs();
> > >     }
> > >
> > >
> > > If you have any specific questions, don't hesitate to ask here.
> > >
> > > If you have requirements that these classes and interfaces don't
> > > satisfy, please tell us because we can probably help solve issues
> > > and/or change things for the next release to accommodate new
> > > requirements if that is necessary.
> > >
> > > Tim
> > >
> > >
> > >
> > >>Hope this helps,
> > >>Tom
> > >>
> > >
> > >
> > >
> > > -----------------------------------------
> > > Tim Freeman - [EMAIL PROTECTED]
> > > http://www-unix.mcs.anl.gov/~tfreeman/
> > > Grid Search: http://www.gridindex.org
> > >
> >
>
> -----------------------------------------
> Tim Freeman - [EMAIL PROTECTED]
> http://www-unix.mcs.anl.gov/~tfreeman/
> Grid Search: http://www.gridindex.org
>

-----------------------------------------
Tim Freeman - [EMAIL PROTECTED]
http://www-unix.mcs.anl.gov/~tfreeman/
Grid Search: http://www.gridindex.org
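
[Added example, not part of the original thread and not Globus or VOMS code.] The sketch below shows why the thread concludes the server information should be kept per attribute: a PDP that sees one issuer alongside the FQANs of every certificate can credit an FQAN to a server that never asserted it. VomsAc, Rule, the DNs, host names and FQANs are hypothetical, constructed stand-ins; only Subject.getPublicCredentials() is the same call the thread uses.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

public class PerIssuerVomsCheck {
    // Hypothetical stand-in for the contents of one VOMS attribute certificate;
    // not the Globus VomsCredentialInformation class.
    record VomsAc(String vo, String hostPort, String issuerDn, List<String> fqans) {}

    // Hypothetical policy entry: an FQAN counts only when this issuer asserted it.
    record Rule(String issuerDn, String fqan) {}

    // Collect every VomsAc from the subject instead of stopping at the first one.
    static List<VomsAc> collect(Subject peer) {
        List<VomsAc> acs = new ArrayList<>();
        for (Object o : peer.getPublicCredentials()) {
            if (o instanceof VomsAc ac) acs.add(ac);
        }
        return acs;
    }

    // Flattened view described in the thread: first issuer, FQANs of all certificates.
    static boolean flattenedPermits(Subject peer, Set<Rule> policy) {
        List<VomsAc> acs = collect(peer);
        if (acs.isEmpty()) return false;
        String firstIssuer = acs.get(0).issuerDn();
        return acs.stream().flatMap(ac -> ac.fqans().stream())
                .anyMatch(f -> policy.contains(new Rule(firstIssuer, f)));
    }

    // Per-attribute view: each FQAN is matched with the issuer of its own certificate.
    static boolean perIssuerPermits(Subject peer, Set<Rule> policy) {
        return collect(peer).stream().anyMatch(ac -> ac.fqans().stream()
                .anyMatch(f -> policy.contains(new Rule(ac.issuerDn(), f))));
    }

    public static void main(String[] args) {
        // Constructed sample data: two VOMS servers; only server A is in the policy.
        String a = "CN=voms-a.example.org", b = "CN=voms-b.example.org";
        Subject peer = new Subject();
        peer.getPublicCredentials().add(
                new VomsAc("vo-a", "voms-a.example.org:15000", a, List.of("/vo-a/Role=member")));
        peer.getPublicCredentials().add(
                new VomsAc("vo-b", "voms-b.example.org:15000", b, List.of("/vo-a/Role=admin")));
        Set<Rule> policy = Set.of(new Rule(a, "/vo-a/Role=admin"));

        System.out.println("flattened:  " + flattenedPermits(peer, policy));
        System.out.println("per-issuer: " + perIssuerPermits(peer, policy));
    }
}
```

With the constructed data, the flattened check permits the request and the per-issuer check denies it, because the admin FQAN came from the server that the policy does not list.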
