On Tue, Aug 12, 2008 at 5:25 AM, arpit jain <[EMAIL PROTECTED]> wrote:
>
> I created an attribute "ID" and assigned a value 100 for that user.

How exactly did you do that?

> I have followed the below mentioned guide written by Denis to authorize the
> service and it is working fine.
> http://www.nikhef.nl/~dennisvd/ws_voms_authz_howto.pdf

Cool :-)

> The above guide authorizes based on the ROLE. It specifies the ROLE in the
> below file:
>
> /usr/local/globus-4.0.7/etc/org_vlescience_webservices_deployment/attr-authz
>
> The content of the attr-authz is :
> /test_vo_mysql/Role=VO-Admin
>
> and the output of voms-proxy-init --vo
> test_vo_mysql:/test_vo_mysql/Role=VO-Admin is:
> .
> timeleft : 0:00:00
> === VO test_vo_mysql extension information ===
> VO : test_vo_mysql
> subject : /O=Grid/OU=GlobusTest/OU=simpleCA-sukeshini.cdacb.ernet.in/OU=cdacb.ernet.in/CN=Arpit Jain
> issuer : /O=Grid/OU=GlobusTest/OU=simpleCA-sukeshini.cdacb.ernet.in/CN=host/arpitjain.cdacb.ernet.in
> attribute : /test_vo_mysql
> attribute : /test_vo_mysql/Role=VO-Admin
> attribute : ID = 100 (test_vo_mysql)
> timeleft : 0:00:00
>
> My question is whether I can authorize a service based on this attribute
> "ID" and how?

Well, last time I looked, the Globus VOMS PDP did an exact string match
between the attributes in the credential and the attributes in the policy
file. So in principle you should be able to put this "ID" attribute in the
policy file. Did you try that?

I didn't realize you could define arbitrary attributes in VOMS, and I'm even
more surprised voms-proxy-init picked it up. I wonder how much of that output
line "ID = 100 (test_vo_mysql)" is true attribute and how much is artifact.
I need to know that before I can say what line needs to be added to the
policy file.

Can you run openssl on your VOMS proxy?

    $ openssl x509 -text -certopt ext_parse < /tmp/x509up_u$UID

Does the string "ID = 100 (test_vo_mysql)" appear in the output or something
else?

Tom
