Hi,

I created the attribute "ID" using the Voms-Admin GUI, where there is an
option available for managing and creating attributes. Then I assigned this
attribute to my user and gave it a value of 100.

I tried putting this attribute "ID" in the policy file, but it doesn't work,
i.e. I am not able to access the GT4 service. The only case when I am able to
access the service is when I put the following line in the policy file:

/test_vo_mysql/Role=VO-Admin

Even if I put something like

/test_vo_mysql/Role=VO-Admin
ID = 105 (instead of 100)

I am able to access the service.
So I am not able to understand why this attribute is not having any effect
on the authorization.

I checked the "openssl" command and it shows ID there as below:

      0000 - 30 52 30 50 30 4e 30 30-86 2e 74 65 73 74 5f 76   0R0P0N00..test_v
      0010 - 6f 5f 6d 79 73 71 6c 3a-2f 2f 41 72 70 69 74 6a   o_mysql://Arpitj
      0020 - 61 69 6e 2e 63 64 61 63-62 2e 65 72 6e 65 74 2e   ain.cdacb.ernet.
      0030 - 69 6e 3a 31 35 30 30 30-30 1a 30 18 04 02 49 44   in:150000.0...ID
      0040 - 04 03 31 30 30 04 0d 74-65 73 74 5f 76 6f 5f 6d   ..100..test_vo_m
      0050 - 79 73 71 6c                                       ysql


Thanks
Arpit

On Tue, Aug 12, 2008 at 7:01 PM, Tom Scavo <[EMAIL PROTECTED]> wrote:

> On Tue, Aug 12, 2008 at 5:25 AM, arpit jain <[EMAIL PROTECTED]> wrote:
> >
> > I created an attribute "ID" and assigned a value 100 for that user.
>
> How exactly did you do that?
>
> > I have followed the below mentioned guide written by Denis to authorize the
> > service and it is working fine.
> > http://www.nikhef.nl/~dennisvd/ws_voms_authz_howto.pdf
>
> Cool :-)
>
> > The above guide authorizes based on the ROLE. It specifies the ROLE in the
> > below file:
> >
> > /usr/local/globus-4.0.7/etc/org_vlescience_webservices_deployment/attr-authz
> >
> > The content of the attr-authz is :
> > /test_vo_mysql/Role=VO-Admin
> >
> > and the output of  voms-proxy-init --vo
> > test_vo_mysql:/test_vo_mysql/Role=VO-Admin is:
> > .
> > timeleft  : 0:00:00
> > === VO test_vo_mysql extension information ===
> > VO        : test_vo_mysql
> > subject   : /O=Grid/OU=GlobusTest/OU=simpleCA-sukeshini.cdacb.ernet.in/OU=cdacb.ernet.in/CN=Arpit Jain
> > issuer    : /O=Grid/OU=GlobusTest/OU=simpleCA-sukeshini.cdacb.ernet.in/CN=host/arpitjain.cdacb.ernet.in
> > attribute : /test_vo_mysql
> > attribute : /test_vo_mysql/Role=VO-Admin
> > attribute : ID = 100 (test_vo_mysql)
> > timeleft  : 0:00:00
> >
> > My question is whether I can authorize a service based on this attribute
> > "ID" and how?
>
> Well, last time I looked, the Globus VOMS PDP did an exact string
> match between the attributes in the credential and the attributes in
> the policy file.  So in principle you should be able to put this "ID"
> attribute in the policy file.  Did you try that?
>
> I didn't realize you could define arbitrary attributes in VOMS, and
> I'm even more surprised voms-proxy-init picked it up.  I wonder how
> much of that output line "ID = 100 (test_vo_mysql)" is true attribute
> and how much is artifact.  I need to know that before I can say what
> line needs to be added to the policy file.  Can you run openssl on
> your VOMS proxy?
>
> $ openssl x509 -text -certopt ext_parse < /tmp/x509up_u$UID
>
> Does the string "ID = 100 (test_vo_mysql)" appear in the output or
> something else?
>
> Tom
>
