Benjamin Henne wrote:
> Hi.
> To query an MDS, for example with
> wsrf-query -x -s
> https://myhost.mydomain.tld:8443/wsrf/services/DefaultIndexService,
> I have to do this with a user who has a valid proxy certificate.
Actually, that's not necessarily true. It's possible to configure MDS
(and in fact, this is the default configuration out of the box) to
accept anonymous accesses (accesses that are not authenticated with
client credentials). To attempt to access an MDS service anonymously,
add the "-a" option to the wsrf-query command line.
> So far I have worked with MDS.
> I have some (theoretical) questions about MDS and authorization.
> Can I exactly specify which users may or may not access resource
> information at an MDS?
Yes. You can do that via a gridmap file or any other mechanism
supported by the globus authorization framework
(http://www.globus.org/toolkit/docs/4.0/security/authzframe/security_descriptor.html#s-authzframe-server-secdesc-descFile).
You can also restrict access by operation, for example to say that one
group of users can query information and another group can create
registrations.
> Ok, but furthermore, is there a way to restrict access to resource
> information, so that one user can only see some parts while another
> can see all?
No, not within a single index resource. However, you can set up
multiple indexes within the same container with different contents and
different access control policies if you want.
-- Laura
> I am thinking about something like LDAP's possibility to restrict
> access to attributes depending on user authorization.
> I came to this question when thinking about usage of resource
> information with maybe different "security levels". Of course there
> could be a scenario where it would be very beneficial to have some
> resource information for e.g. a scheduler, but one doesn't want to
> announce (all) that information to all users having access to the MDS
> this theoretical scheduler uses to get resource information.
> Maybe one of you can tell me his or her ideas about this.
> It is nothing like a feature request, only some theoretical
> questions/thoughts.
> Regards,
> Benjamin