Hi,

From your description it looks like you will need to write custom authorization modules for your service that look at the client's credential and the SAML attributes to determine if the operation is allowed and the account to use for the operation. The exact policy is unclear to me. It appears to me that you want either certificates signed by a particular service certificate or some specific SAML attributes to determine if the user can perform an operation and the local account to use - is this correct?

Here is reference to the general documentation on the server side authorization piece: http://www.globus.org/toolkit/docs/latest-stable/security/wsaajava/developer/#id2483303

This talks about writing custom server side authorization modules: http://www.globus.org/toolkit/docs/latest-stable/security/wsaajava/developer/#wsaajava-domain-serverAuthz-custom

Configuration is described here: 
http://www.globus.org/toolkit/docs/latest-stable/security/wsaajava/developer/#wsaajava-domain-serverAuthz-custom

You could approach this by writing a PIP to handle the SAML attribute, a PDP to validate that the certificate is signed by some trusted identity and another PDP that enforces policy about the SAML attributes. The combining algorithm described in the documentation can be used to determine how you want to combine the policy across the PDPs.

Hope this helps,
Rachana
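
The chain Rachana outlines (one PIP that collects the SAML attributes, one PDP that checks the certificate issuer, one PDP that checks the attributes, a combining rule over the PDP results, and finally the choice of local account) can be sketched in plain Python. This is an added illustration, not Globus Toolkit code and not its PDP/PIP interfaces; the service DN, the service account, the `textgrid-role` attribute name and the grid-mapfile entries are all constructed assumptions.

```python
"""Model of the authorization chain for the TextGrid CRUD service:
PIP -> two PDPs -> permit-override combining -> account mapping.
Constructed illustration only; it does not use the Globus Toolkit API."""
from dataclasses import dataclass, field

SERVICE_DN = "/O=TextGrid/CN=crud-service"   # assumed subject of the service certificate
SERVICE_ACCOUNT = "textgrid"                   # assumed Unix account the service runs as

GRID_MAPFILE = """\
# constructed grid-mapfile: "<subject DN>" <local account>
"/O=TextGrid/CN=Stefan Funk" sfunk
"/O=TextGrid/CN=Jane Doe" jdoe
"""

@dataclass
class Request:
    subject_dn: str                     # subject of the client's certificate
    issuer_dn: str                      # who signed the client's certificate
    saml_attributes: dict = field(default_factory=dict)

def parse_gridmap(text):
    """Map quoted subject DNs to local accounts, skipping comments/blank lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, account = line.rsplit(" ", 1)   # DN may contain spaces; account may not
        mapping[dn.strip('"')] = account
    return mapping

def pip_collect(req):
    """PIP: gather the attributes the PDPs will decide on."""
    return {"issuer": req.issuer_dn, "saml": dict(req.saml_attributes)}

def pdp_trusted_issuer(attrs):
    """PDP 1: permit only if the certificate was signed by the service certificate."""
    return attrs["issuer"] == SERVICE_DN

def pdp_saml_role(attrs):
    """PDP 2: permit if the (assumed) SAML attribute grants write access."""
    return attrs["saml"].get("textgrid-role") == "writer"

def combine_permit_override(decisions):
    """'either ... or': one permit is enough."""
    return any(decisions)

def authorize(req, gridmap):
    """Return the local account to act as, or None when the request is denied."""
    attrs = pip_collect(req)
    signed_by_service = pdp_trusted_issuer(attrs)
    if not combine_permit_override([signed_by_service, pdp_saml_role(attrs)]):
        return None                     # both PDPs denied
    if signed_by_service:
        return SERVICE_ACCOUNT          # write to the service's directory
    return gridmap.get(req.subject_dn)  # user's own account, or None if unmapped
```

A subject that passes the SAML PDP but has no grid-mapfile entry still ends up denied, which is the behaviour a resource provider would expect.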

On Sep 29, 2009, at 5:27 AM, Stefan E. Funk wrote:

Dear Globus Users,

I just installed a brand-new Globus Toolkit 4.2.1 and I wonder if I can use
some PEPs and PIPs to decide the following:

Working with Grid user certificates and a server certificate, I want to map all user certificates to a certain Unix user (from the grid-mapfile) that are either signed by the above-mentioned server certificate or maybe instead have
some additional SAML attributes in the user certificate.

We are using a CreateReadUpdateDelete service in the TextGrid project to write to the Grid, and want to allow this service to write to the Grid only if the users addressing that service own a Grid certificate (because our resource providers want to know exactly who accesses the Grid). So we want to write as the service's Grid user (to access the service's directory) if the user's certificate is signed by the service's certificate, and to write as the user
(to access the user's home directory) if not.

Does someone have experience with those issues, or does someone know how to
configure the PEPs and PIPs? I couldn't find much information concerning those
issues.

Thank you for any help.
All the best.
Stefan.


--
-----------------------------------------------------------------------
Stefan E. Funk
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
Phone DAASI : +49 7071 407109-6
Phone SUB : +49 551 39-7700/12170
Email : [email protected]
Web : http://www.daasi.de

Directory Applications for Advanced Security and Information Management
-----------------------------------------------------------------------
