Hi Rachana,
From your mail, as I understand, Globus 4.1/4.2 grid services like
GridFTP and WS-GRAM can support extraction, parsing and enforcement of CAS
credentials, and this is what can be implemented through the SAML Authorization
Assertion PDP. But is this supported only from GT4.2 onwards?
Documentation says that multi-policy authZ. framework is supported
from GT4.0 onwards? But I could see some PDP support only from 4.1 which is
enhanced more in 4.2. Please clarify.
We are using globus 2.4 currently, but have plans to go with 4.0+.
The exact version of Globus (4.0/4.1) would depend on what enhancements are
there in which version. So, when is the planned release date for 4.1 and
4.2?
Thanks & Regards,
Kakoli.
-----Original Message-----
From: Rachana Ananthakrishnan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 20, 2008 8:39 PM
To: 'Kakoli Sen'
Cc: [EMAIL PROTECTED]
Subject: RE: [cas-users] Query on CAS
Hi Kakoli,
Your general idea of a single CAS per VO to store user rights sounds good.
By "additional CAS credential" I think you mean a proxy with user rights
from CAS (called assertions) embedded in it. So from a client's perspective it
would be:
1. cas-proxy-init
2. globus-url-copy or globusrun-ws
From the perspective of services, GridFTP, as mentioned, has support to
parse the CAS assertions and use that for authorization. WS services
(including WS GRAM and RFT) don't have support out of the box in GT 4.0.x.
We have added the support in 4.1.x, the next version, where it can be
configured. Back porting of this should not be too hard and requires
implementing new authorization pieces called Policy Decision Points (PDP).
It will implement the same interface as say GridMapAuthorization, but the
functionality will be to extract and parse the assertions.
Here are some links to documentation that would be useful, if you plan to
write such a PDP for your deployment:
Writing PDPs in GT 4.0.x:
http://www.globus.org/toolkit/docs/4.0/security/authzframe/security_descriptor.html#s-authzframe-secdesc-customAuthz
Samples from GT 4.1.x. The interface is different from 4.0.x, but the
functionality code can be reused.
To extract assertion:
- Document:
http://www.globus.org/toolkit/docs/development/4.2-drafts/security/authzframe/developer/authzframe-pip.html#authzframe-pip-samlAuthzAssertionPIP
- Code:
http://viewcvs.globus.org/viewcvs.cgi/authorization/java/saml/source/src/org/globus/wsrf/impl/security/authorization/SAMLAuthzAssertionPIP.java?view=markup
Authorization using assertion:
- Document:
http://www.globus.org/toolkit/docs/development/4.2-drafts/security/authzframe/developer/authzframe-pdp.html#authzframe-pdp-samlAuthz-assertion
- Code:
http://viewcvs.globus.org/viewcvs.cgi/authorization/java/saml/source/src/org/globus/wsrf/impl/security/authorization/SAMLAuthzAssertionPDP.java?revision=1.1.1.1&view=markup
Please let us know if you need any help with this. If you are willing to
contribute this work, we would definitely be interested.
Thanks,
Rachana
------------------------------------------------------------------------------
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kakoli Sen
Sent: Wednesday, February 20, 2008 1:00 AM
To: Rachana Ananthakrishnan; [email protected]
Cc: [EMAIL PROTECTED]
Subject: RE: [cas-users] Query on CAS
Hi,
Currently, our grid has no VO (Virtual Organisation) support. So
GRAM job submission or file transfer through GridFTP uses only grid/proxy
credentials.
Once VO is supported in the grid, there would be some VO
management tool like VOMS/CAS which can help in role-based authorisation.
Here is how we think it would work:
The user will be having an additional CAS/VOMS credential on top of the
usual proxy credential. And if there is job submission/file transfer done
with the CAS credential, then the corresponding grid-service(GRAM/GridFTP)
should extract and parse the CAS credential and then map it onto a local
unix account (or some access control list for more fine-grained control).
Now, is this possible in Globus 4.0? If not, then is it feasible to
implement it through some modifications in Globus GRAM and other grid
services?
Thanking You,
Regards,
Kakoli
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachana Ananthakrishnan
Sent: Monday, February 18, 2008 9:09 PM
To: 'Kakoli Sen'; [email protected]
Cc: [EMAIL PROTECTED]
Subject: RE: [cas-users] Query on CAS
Hi,
> The admin
> guide recommended PostgreSQL. What is the version of PostgreSQL? Globus
> version used is 4.0.4.
It has been tested with PostgreSQL 7.4.7
> Also, I have 2 more queries:
> ## In the documentation, I came across that the GridFTP server is
> CAS-enabled.
> What about the job execution service WS-GRAM? Is that CAS-enabled? If not,
> then can job submission be done in Globus 4.0.4 with CAS credentials?
No, WS-GRAM does not use CAS authorization out of the box. But you can
submit jobs with credentials that have assertions from CAS server embedded
in it. That is, you can use the proxy from cas-proxy-init to submit to
GRAM.
The code will ignore the CAS assertions and use the proxy.
> ## Can CAS work with CAS-unaware grid services? In that case, CAS
> credentials would be ignored, but the service call would not fail.
Yes, assertions from CAS which contain the rights are stored as non-critical
extensions of the credential. So there is no reason to parse it, if the
application does not understand it.
Are you looking to protect WS services distributed with GT using CAS? If you
can provide some details on what you would like to setup, I can help with
details on how the enforcement can be written. We have done some work with
GT trunk code (4.1.x) to process CAS assertions in the WS container.
Rachana
>
> Regards,
> Kakoli
>
> ________________________________________________________________________
> KAKOLI SEN Ph:91-80-25341909/215(Extn. 309)
> C-DAC Knowledge Park E-mail:
> #1, Old Madras Road [EMAIL PROTECTED]
> Bangalore - 560 038, INDIA [EMAIL PROTECTED]
> ________________________________________________________________________
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
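The two behaviours Rachana describes in the replies above, a chain of Policy Decision Points in which a CAS-assertion PDP sits beside the grid-mapfile check, and CAS rights riding in a non-critical extension so that a CAS-unaware service (GT 4.0.x WS-GRAM) accepts the cas-proxy-init proxy and simply ignores the rights, modelled as an added example. This is not Globus code and not the PDP interface from the linked documentation: the OID, the one-right-per-line assertion text, the grid-mapfile contents and every function name are constructed for the illustration. The only standards fact it relies on is the X.509 rule that a relying party must reject a credential carrying an unrecognised critical extension but may ignore an unrecognised non-critical one, which is exactly why storing the assertions non-critically keeps unaware services working.

```python
"""Added example (not Globus code): a model of the PDP chain discussed above.

A proxy is a subject DN plus X.509-style extensions (OID, critical flag,
value). Per X.509, a relying party must reject a credential carrying an
unrecognised CRITICAL extension but may ignore an unrecognised non-critical
one; CAS assertions ride in a non-critical extension, so a CAS-unaware
service still accepts the proxy and falls back to the grid-mapfile alone.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Placeholder OID for the example; NOT the real CAS extension identifier.
CAS_ASSERTION_OID = "1.3.6.1.4.1.99999.1"


@dataclass(frozen=True)
class Extension:
    oid: str
    critical: bool
    value: str          # for CAS: assertion text, one right per line


@dataclass(frozen=True)
class Proxy:
    subject_dn: str
    extensions: tuple = ()


@dataclass(frozen=True)
class Request:
    action: str         # "read", "write", "submit", ...
    resource: str       # URL of the file or service being accessed


# Constructed grid-mapfile: the data behind the GridMap PDP (DN -> local account).
GRIDMAP = {"/O=Grid/OU=VO-A/CN=Alice": "alice"}


def critical_extensions_recognised(proxy, recognised_oids):
    """X.509 rule: every critical extension must be one the service understands."""
    return all(e.oid in recognised_oids for e in proxy.extensions if e.critical)


def gridmap_pdp(proxy):
    """Permit iff the subject DN has a local account in the grid-mapfile."""
    return proxy.subject_dn in GRIDMAP


def parse_cas_assertion(text):
    """Parse the constructed assertion format: 'action resource-pattern' per line."""
    rights = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, pattern = line.partition(" ")
        if not pattern.strip():
            raise ValueError(f"malformed right: {line!r}")
        rights.append((action, pattern.strip()))
    return rights


def cas_assertion_pdp(proxy, request):
    """Permit iff some CAS assertion in the proxy grants (action, resource)."""
    for ext in proxy.extensions:
        if ext.oid != CAS_ASSERTION_OID:
            continue
        for action, pattern in parse_cas_assertion(ext.value):
            if action == request.action and fnmatchcase(request.resource, pattern):
                return True
    return False


def authorize(proxy, request, cas_aware):
    """Deny-overrides chain; returns (permitted, local_account).

    cas_aware=False models a CAS-unaware service: the CAS extension is not
    recognised, so it is ignored (it is non-critical) and only the
    grid-mapfile decides. cas_aware=True models a service with the
    assertion PDP configured, where both PDPs must permit.
    """
    recognised = {CAS_ASSERTION_OID} if cas_aware else set()
    if not critical_extensions_recognised(proxy, recognised):
        return False, None
    if not gridmap_pdp(proxy):
        return False, None
    if cas_aware and not cas_assertion_pdp(proxy, request):
        return False, None
    return True, GRIDMAP[proxy.subject_dn]


# Constructed sample credentials.
ALICE_DN = "/O=Grid/OU=VO-A/CN=Alice"
ALICE_RIGHTS = "# rights issued by the VO's CAS\nread gsiftp://host/data/*\nsubmit wsgram://host/*"
ALICE_CAS_PROXY = Proxy(ALICE_DN, (Extension(CAS_ASSERTION_OID, False, ALICE_RIGHTS),))
ALICE_CRITICAL_PROXY = Proxy(ALICE_DN, (Extension(CAS_ASSERTION_OID, True, ALICE_RIGHTS),))
BOB_CAS_PROXY = Proxy("/O=Grid/OU=VO-A/CN=Bob",
                      (Extension(CAS_ASSERTION_OID, False, "read gsiftp://host/data/*"),))

if __name__ == "__main__":
    read = Request("read", "gsiftp://host/data/f1")
    write = Request("write", "gsiftp://host/data/f1")
    for name, proxy, req, aware in [
        ("alice read, CAS-aware GridFTP", ALICE_CAS_PROXY, read, True),
        ("alice write, CAS-aware GridFTP", ALICE_CAS_PROXY, write, True),
        ("alice write, CAS-unaware WS-GRAM", ALICE_CAS_PROXY, write, False),
        ("alice read, critical ext, unaware", ALICE_CRITICAL_PROXY, read, False),
        ("bob read, no gridmap entry", BOB_CAS_PROXY, read, True),
    ]:
        print(f"{name:38s} -> {authorize(proxy, req, aware)}")
```

The "alice write" rows are the interesting pair: the same proxy is denied the write by the CAS-aware service because no right covers it, but accepted by the CAS-unaware service, which never looks at the rights and grants whatever the grid-mapfile account can do locally. The critical-extension row shows what would break if CAS marked its extension critical. The model deliberately omits the step a real PDP must perform before trusting any right, namely verifying the CAS server's signature on the SAML assertion and that the assertion's subject matches the proxy's DN; rights that are merely present in a credential prove nothing until that check has passed.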