Hi,

As a general answer, any interceptor (PDP/PIP) that is invoked can add mappings. That is, multiple mappings can be added to the peer subject, the location from which services like GRAM pick up the local user name.

I don't think any of the existing algorithms will provide the functionality you are looking for, which I understand as: process all PDPs and PIPs and return a permit if at least one mapping was found.

The reason PermitOverride (the default one) does not work is that it tries to create a chain of decisions from the resource owner (container) to the requestor (the client). In your case, the GridMap PDP and the VOMS PDP probably both have decisions asserted by the container, the resource owner.

One way I can see this being used is if you configure things as follows:

- Gridmap PIP (not a PDP), which just obtains a mapping if present and adds it to the peer subject
- VOMS PIP, which extracts a mapping if present and adds it to the peer subject
- Custom PDP, which looks for at least one mapping in the peer subject and returns a permit or deny

You can use the above with a PermitOverride algorithm. Another alternative is to write your own combining algorithm and plug it in.

If you are interested in any of the above approaches and require help writing interceptors or configuring them, I would be glad to help.

Rachana

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Benjamin Henne
> Sent: Tuesday, December 09, 2008 9:02 AM
> To: GT User
> Subject: [gt-user] authzChain combining algorithms in GT 4.2.1
>
> Hi,
>
> is there a way to combine different user mappings from different interceptors and let users choose which mapping to use? I think one cannot do this with the current combining algorithms, can one?
>
> When I tried combining the VOMS interceptor with gridmap authz I realized that the current algorithms do not work as I expected them to work.
>
> Am I right?
> * PermitOverride uses the _first_ permit decision and its mapping
> * DenyOverride denies based on the _first_ deny decision
> * both do not evaluate following decisions
> * FirstApplicable returns the first deny or permit decision
>
> What about the following scenario:
> One wants to check VOMS credentials and DN-based user mapping. The user shall be capable of choosing the mapping (localUserId for GRAM) if there is more than one, independent of whether the user got mappings only from the grid-mapfile, only from the VOMS interceptor, or from both.
>
> This scenario is not possible to realize, is it?
> DenyOverride and FirstApplicable are not applicable.
> Using PermitOverride, if the user has both credentials (DN is in the grid-mapfile and he has valid VOMS credentials), the mapping of the first PDP is always used. The user can only influence the decision by changing his proxy (including and excluding VOMS credentials).
>
> I would be pleased about any comments or suggestions.
>
> Regards,
> Benjamin
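Added illustration for the thread above (not Globus Toolkit code, and not written against the GT 4.2 PDP/PIP interfaces or the authzChain configuration syntax): a small Python model of the three setups discussed, so the difference in outcome is visible on a concrete subject. The class and function names, the sample DN, the FQAN and the local account names are all assumptions constructed for the example.

```python
"""Model of GT4 authorization-chain combining semantics (added example).

Everything here is an assumption made to illustrate the mailing-list thread;
it is not Globus code and does not use the GT 4.2 PDP/PIP API.
"""
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"


@dataclass
class PeerSubject:
    """Stand-in for the peer subject that interceptors decorate and GRAM reads."""
    dn: str
    voms_fqans: list = field(default_factory=list)
    mappings: list = field(default_factory=list)  # local user names added by interceptors


# Constructed sample data: one grid-mapfile entry and one VOMS FQAN-to-account rule.
GRIDMAP = {"/C=DE/O=Grid/CN=Benjamin Henne": "bhenne"}
VOMS_MAP = {"/gridvo/Role=NULL/Capability=NULL": "gridvo001"}


def gridmap_lookup(subj):
    return GRIDMAP.get(subj.dn)


def voms_lookup(subj):
    for fqan in subj.voms_fqans:
        if fqan in VOMS_MAP:
            return VOMS_MAP[fqan]
    return None


# --- Setup 1 (the one that did not behave as hoped): two PDPs, PermitOverride ---
def gridmap_pdp(subj):
    local = gridmap_lookup(subj)
    if local:
        subj.mappings.append(local)
        return PERMIT
    return DENY


def voms_pdp(subj):
    local = voms_lookup(subj)
    if local:
        subj.mappings.append(local)
        return PERMIT
    return DENY


def permit_override(pdps, subj):
    """First permit wins; PDPs after it are never consulted, so their mappings are lost."""
    for pdp in pdps:
        if pdp(subj) == PERMIT:
            return PERMIT
    return DENY


# --- Setup 2 (suggested): PIPs only add mappings, one custom PDP decides ---------
def gridmap_pip(subj):
    local = gridmap_lookup(subj)
    if local:
        subj.mappings.append(local)


def voms_pip(subj):
    local = voms_lookup(subj)
    if local:
        subj.mappings.append(local)


def any_mapping_pdp(subj):
    """Custom PDP: permit iff at least one interceptor established a mapping."""
    return PERMIT if subj.mappings else DENY


# --- Setup 3 (alternative): a custom combining algorithm that consults every PDP --
def collect_all(pdps, subj):
    decisions = [pdp(subj) for pdp in pdps]  # every PDP runs, every mapping is kept
    return PERMIT if PERMIT in decisions else DENY


def run_chain(pips, pdps, subj, combine=permit_override):
    for pip in pips:
        pip(subj)
    return combine(pdps, subj)


def choose_local_user(subj, requested=None):
    """Let the client pick among established mappings only; an unasserted name is refused."""
    if not subj.mappings:
        return None
    if requested is None:
        return subj.mappings[0]
    return requested if requested in subj.mappings else None


SETUPS = {
    "two-pdps-permit-override": lambda s: run_chain([], [gridmap_pdp, voms_pdp], s, permit_override),
    "pips-plus-custom-pdp": lambda s: run_chain([gridmap_pip, voms_pip], [any_mapping_pdp], s, permit_override),
    "custom-combiner": lambda s: run_chain([], [gridmap_pdp, voms_pdp], s, collect_all),
}


def evaluate(setup, subj, requested=None):
    """Return (decision, mappings collected on the subject, local user chosen for GRAM)."""
    decision = SETUPS[setup](subj)
    return decision, list(subj.mappings), choose_local_user(subj, requested)


def sample_subject(with_voms=True):
    fqans = ["/gridvo/Role=NULL/Capability=NULL"] if with_voms else []
    return PeerSubject(dn="/C=DE/O=Grid/CN=Benjamin Henne", voms_fqans=fqans)


if __name__ == "__main__":
    for name in SETUPS:
        print(name, evaluate(name, sample_subject(), requested="gridvo001"))
```

The last function is the practitioner's caveat on "let the user choose": whichever setup collects the mappings, the chosen localUserId must be checked against the set the interceptors actually asserted, never taken from the request as-is. With the first setup the VOMS account is unreachable for a user who is also in the grid-mapfile, exactly the behaviour described in the quoted message; the other two setups keep both mappings and the user's choice between them is honoured.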
