Hi again

First, I fixed this bit of code to have multiple VomsCredentialInformation (each with vo, issuer DN, and FQANs).
Now, I am looking at how to get the generic attributes (or tags) inside the AC. It seems that the code doesn't extract these attributes. Any ideas how to do that?

Bassem

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tim Freeman
> Sent: 05 June 2007 21:32
> To: Bassem Nasser
> Cc: [email protected]; [EMAIL PROTECTED]
> Subject: Re: [gt-user] VOMS and Globus
>
> Yes, that is correct. It should be per attribute instead, of
> course. This code was only ever used in practice with one
> VOMS server, the code was developed in a specific context.
> We'll release a new version soon with this fix depending on
> when there are cycles available, I'll get back to you with
> more information soon. Thanks for pointing out this problem!
>
> Tim
>
> On Tue, 5 Jun 2007 21:18:13 +0100
> "Bassem Nasser" <[EMAIL PROTECTED]> wrote:
>
> >
> > Hi again
> >
> > Would you please correct me if I am wrong?
> >
> > The VOMS PIP extracts the user FQAN attributes and creates a
> > VomsCredentialInformation including VO name, hostport and all the FQANs.
> > Then this information is added to the subject as in:
> > peerSubject.getPublicCredentials().add(info);
> >
> > However, if the user contacts more than one VOMS server, and thus has
> > more than one hostport, and maybe more than one VO, the PIP will not
> > offer this information to the PDP!! Since it passes only one
> > VomsCredentialInformation!!
> > So the PDP may get all the FQANs but only one hostport and VO name!!
> >
> > Regards
> > Bassem
> >
> > -----Original Message-----
> > From: Tim Freeman [mailto:[EMAIL PROTECTED]
> > Sent: 05 June 2007 14:22
> > To: [EMAIL PROTECTED]
> > Cc: Vincenzo Ciaschini; [email protected]; [EMAIL PROTECTED]
> > Subject: Re: [gt-user] VOMS and Globus
> >
> > On Tue, 05 Jun 2007 10:06:18 +0200
> > Vincenzo Ciaschini <[EMAIL PROTECTED]> wrote:
> >
> > > Bassem Nasser wrote:
> > >
> > > > Hi
> > > >
> > > > I am looking for the information extracted by VOMS plugins. I
> > > > could find only the FQANs, host:port and VO.
> > > > But I am interested in the voms server DN and not just the
> > > > host:port name.
> > > >
> > > > Is there a way to get the voms extension issuer DN rather than
> > > > just the host:port information?
> > >
> > > Yes. That information is included in the AC. Since you are using
> > > Java, you may want to look at VOMSAttribute.getIssuer() and
> > > VOMSAttribute.getIssuerX509().
> > >
> > > Ciao,
> > > Vincenzo
> > >
> >
> > Thanks Vincenzo.
> >
> > We will extend the VomsCredentialInformation object to contain this
> > but for now you'd need to edit the PIP to get this from the parser directly.
> >
> > Tim
> >
> > > >
> > > > Regards
> > > > Bassem
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > > On Behalf Of Tim Freeman
> > > > Sent: 31 May 2007 16:15
> > > > To: [EMAIL PROTECTED]
> > > > Cc: [email protected]; [EMAIL PROTECTED]
> > > > Subject: Re: [gt-user] VOMS and Globus
> > > >
> > > > On Thu, 31 May 2007 09:24:47 -0400 "Tom Scavo" <[EMAIL PROTECTED]>
> > > > wrote:
> > > >
> > > >>[adjusting target mailing lists]
> > > >>
> > > >>On 5/31/07, Bassem Nasser <[EMAIL PROTECTED]> wrote:
> > > >>
> > > >>>I am looking for documentation about VOMS authorization plugins.
> > > >>>I found only this page http://dev.globus.org/wiki/VOMS but it is
> > > >>>not a development guide, it doesn't show:
> > > >>>
> > > >>>- how the PIP and PDP work
> > > >>>- how the VOMS credentials are returned from the VOMS PIP? What format?
> > > >>>- what if I want to use another PDP?
> > > >>
> > > >>Sorry, I can answer only your last question. GridShib for GT
> > > >>v0.5.2 introduces a PDP with combined VOMS functionality. This is
> > > >>described in the docs
> > > >>
> > > >>http://gridshib.globus.org/docs/gridshib-gt-0.5.2/admin-index.html
> > > >>
> > > >>and implemented in the following interceptor:
> > > >>
> > > >>http://viewcvs.globus.org/viewcvs.cgi/gridshib/gt/interceptors/java/source/src/org/globus/gridshib/gt/authorization/ShibbolethPDP.java?view=log
> > > >
> > > > Hello,
> > > >
> > > > If you want to develop against the GT development release instead
> > > > of GT4.0.x, please tell us because much has changed there, this
> > > > mail assumes you are working with GT4.0.x.
> > > >
> > > > Tom's link is a little complicated of an example since it uses
> > > > reflection in order to run without needing the VOMS interceptors
> > > > installed.
> > > >
> > > > Instead I would suggest looking at the sample PDP code in the VOMS
> > > > package, it is fairly simple. Here is a general developer
> > > > introduction to PIPs and PDPs:
> > > >
> > > > http://www-128.ibm.com/developerworks/grid/library/gr-gt4auth/
> > > >
> > > > Understanding the examples there should mean you have the majority
> > > > of what you need to know to develop with the VOMS and most other
> > > > interceptors (excluding the authorization mechanism specific
> > > > things you would need to know).
> > > >
> > > > The VOMS PIP and sample PDP are straightforward to follow once
> > > > understanding that simple model (as opposed to something more
> > > > complicated like GridShib).
> > > >
> > > > If the VOMS PIP is configured in the authorization chain its
> > > > collectAttributes method is invoked. If the VOMS PDP is also
> > > > configured, its isPermitted method is invoked. The PIP and PDP are
> > > > not dependent on each other for compiling or running, but the PIP
> > > > will deposit VOMS attributes into the MessageContext by way of the
> > > > caller's public credentials. So when you say "returned" by the
> > > > PIP, that is not quite what is happening, the PIP instead places
> > > > the information where other classes (including services) can access it.
> > > >
> > > > Here is the stored object, houses mainly an ordered list of
> > > > Strings (the VOMS attribute strings):
> > > >
> > > > http://viewcvs.globus.org/viewcvs.cgi/workspace/vm/plugins/authz/voms/src/org/globus/voms/impl/VomsCredentialInformation.java?revision=1.1&view=markup
> > > >
> > > > The PIP and sample PDP can be found here:
> > > >
> > > > http://viewcvs.globus.org/viewcvs.cgi/workspace/vm/plugins/authz/voms/src/org/globus/voms/impl/
> > > >
> > > > Creating another PDP should be straightforward, copy code from the
> > > > VomsPDP class at that link, in particular this retrieval part:
> > > >
> > > >     AttributeInformation info = null;
> > > >     Set credSet = peer.getPublicCredentials();
> > > >     Iterator creds = credSet.iterator();
> > > >     while (creds.hasNext()) {
> > > >         Object o = creds.next();
> > > >         if (o instanceof AttributeInformation) {
> > > >             info = (AttributeInformation) o;
> > > >             break;
> > > >         }
> > > >     }
> > > >
> > > >     Vector rolesVector = null;
> > > >     VomsCredentialInformation vomsinfo = null;
> > > >     if (info == null) {
> > > >         logger.info("cannot retrieve credential info from message context");
> > > >     } else {
> > > >         if (!(info instanceof VomsCredentialInformation)) {
> > > >             throw new Exception("credenital info from " +
> > > >                 "message context is not VOMS: incompatible PIP");
> > > >         } else {
> > > >             vomsinfo = (VomsCredentialInformation) info;
> > > >         }
> > > >
> > > >         rolesVector = vomsinfo.getAttrs();
> > > >     }
> > > >
> > > > If you have any specific questions, don't hesitate to ask here.
> > > >
> > > > If you have requirements that these classes and interfaces don't
> > > > satisfy, please tell us because we can probably help solve issues
> > > > and/or change things for the next release to accommodate new
> > > > requirements if that is necessary.
> > > >
> > > > Tim
> > > >
> > > >>Hope this helps,
> > > >>Tom
> > > >>
> > > >
> > > > -----------------------------------------
> > > > Tim Freeman - [EMAIL PROTECTED]
> > > > http://www-unix.mcs.anl.gov/~tfreeman/
> > > > Grid Search: http://www.gridindex.org
> > > >
> >
> > -----------------------------------------
> > Tim Freeman - [EMAIL PROTECTED]
> > http://www-unix.mcs.anl.gov/~tfreeman/
> > Grid Search: http://www.gridindex.org
> >
>
> -----------------------------------------
> Tim Freeman - [EMAIL PROTECTED]
> http://www-unix.mcs.anl.gov/~tfreeman/
> Grid Search: http://www.gridindex.org

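The multi-server case discussed in this thread, as an added example that is not part of the original messages or the Globus VOMS code: a PDP-style check that reads every per-AC credential object from the caller's public credentials and matches an FQAN only together with the VO and issuer DN that asserted it. `VomsInfo`, `entry`, and the sample DNs and FQANs are hypothetical stand-ins constructed for illustration.

```java
import java.util.*;
import javax.security.auth.Subject;

public class MultiVomsLookup {
    // Hypothetical per-AC credential object; a stand-in, not the Globus class.
    static final class VomsInfo {
        final String vo, issuerDN;
        final List<String> fqans;
        VomsInfo(String vo, String issuerDN, String... fqans) {
            this.vo = vo;
            this.issuerDN = issuerDN;
            this.fqans = Arrays.asList(fqans);
        }
    }

    // A policy entry binds an FQAN to the VO and issuer DN allowed to assert it.
    static List<String> entry(String vo, String issuerDN, String fqan) {
        return Arrays.asList(vo, issuerDN, fqan);
    }

    // Inspect every VomsInfo on the subject instead of stopping at the first.
    static boolean isPermitted(Subject peer, Set<List<String>> policy) {
        for (VomsInfo info : peer.getPublicCredentials(VomsInfo.class)) {
            for (String fqan : info.fqans) {
                if (policy.contains(entry(info.vo, info.issuerDN, fqan))) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: one caller holding ACs from two VOMS servers.
        String dnA = "/O=Example/CN=voms-a.example.org";
        String dnB = "/O=Example/CN=voms-b.example.org";
        Subject peer = new Subject();
        peer.getPublicCredentials().add(new VomsInfo("voA", dnA, "/voA/Role=user"));
        peer.getPublicCredentials().add(new VomsInfo("voB", dnB, "/voB/Role=admin"));

        Set<List<String>> policy = new HashSet<>();
        policy.add(entry("voB", dnB, "/voB/Role=admin"));
        System.out.println("second AC matched: " + isPermitted(peer, policy));

        // The same FQAN string attributed to the other issuer must not match.
        Set<List<String>> wrongIssuer = new HashSet<>();
        wrongIssuer.add(entry("voB", dnA, "/voB/Role=admin"));
        System.out.println("wrong issuer matched: " + isPermitted(peer, wrongIssuer));
    }
}
```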