arpit jain wrote:
> On Thu, Sep 18, 2008 at 2:59 PM, Benjamin Henne
>> I guess you currently cannot use those generic attributes with the GT VOMS-PDP. As I remember this only maps FQAN to users, but the generic attributes are not part of users' FQAN in contrast to the VO groups and roles.
>
> That is exactly what I want to know: whether I can make authorization decisions based on these Generic Attributes. Does the Globus plugin for VOMS support authorization based on these attributes like it does for ROLES??

If you look into the source code of the GT VOMS authorization plugin (tarball at http://dev.globus.org/wiki/VOMS#Source_installation), more precisely into the PIP source, you see that only FQAN/roles are extracted from the credential. Please correct me if I err. There seems to be no support for generic attributes at the moment. For using those one would have to extend the current plugin. Do not forget the current release v0.2 is from Feb 15, 2007.
User mapping based on generic attributes would not make sense, I guess, but one could use those attributes to extend the Access Control via vomsAttrAuthzFile in the way of attribute white and black lists.
Or how would you like to use generic attributes?

But before extending this plugin, one should have a look at the upcoming release of the VOMS SAML service and whether it would be easier to use SAML assertions containing the VOMS information to base such authorization decisions on.
Regards, Benjamin
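The attribute white and black list idea from the message above, sketched as an added example that is not code from this thread or from the GT VOMS plugin. The rule dictionaries, function names and sample values are hypothetical and do not reflect the vomsAttrAuthzFile syntax; the only assumption about VOMS is that a generic attribute is a name, value and qualifier triple carried alongside the FQANs.

```python
# Added illustration: allow/deny lists over VOMS generic attributes (GAs).
# Rule layout and sample values are constructed; this is not the GT VOMS
# plugin's vomsAttrAuthzFile format.
from dataclasses import dataclass


@dataclass(frozen=True)
class GenericAttribute:
    name: str
    value: str
    qualifier: str  # issuing context (VO or group); a name alone is not unique


def parse_fqan(fqan):
    """Split '/vo/group/Role=r/Capability=c' into group path, role, capability."""
    groups, fields = [], {"Role": None, "Capability": None}
    for part in fqan.strip("/").split("/"):
        key, sep, val = part.partition("=")
        if sep and key in fields:
            fields[key] = None if val in ("", "NULL") else val
        else:
            groups.append(part)
    if not groups or groups == [""]:
        raise ValueError(f"FQAN has no VO/group component: {fqan!r}")
    return {"group": "/" + "/".join(groups), "role": fields["Role"],
            "capability": fields["Capability"]}


def matches(rule, ga):
    """Exact match on name and value and, when the rule sets one, qualifier."""
    return (rule["name"] == ga.name and rule["value"] == ga.value
            and rule.get("qualifier") in (None, ga.qualifier))


def decide(fqans, attributes, allowed_groups, whitelist, blacklist):
    """Blacklist overrides; then the FQAN group check; then the whitelist."""
    if any(matches(r, ga) for r in blacklist for ga in attributes):
        return "DENY"
    if not any(parse_fqan(f)["group"] in allowed_groups for f in fqans):
        return "DENY"
    if whitelist and not any(matches(r, ga) for r in whitelist for ga in attributes):
        return "DENY"  # a non-empty whitelist means a GA must match
    return "PERMIT"


# Constructed sample credential contents.
SAMPLE_FQANS = ["/examplevo/analysis/Role=NULL/Capability=NULL"]
SAMPLE_GAS = [GenericAttribute("clearance", "internal", "/examplevo")]
```

Pinning the qualifier in a whitelist rule keeps an attribute with the same name and value issued in another context from satisfying it.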
