Dear GT users,

in the frame of the TextGrid project (http://www.textgrid.de) we developed a
centrally managed PDP for authorization decisions (http://www.openrbac.de).
The SOAP-based interface now also includes an XACML Service that supports the SAML
2.0 Profile of XACML 2.0 (XACMLAuthzDecisionQuery).

I now want to use this PDP as an external PDP for authorizing grid resources
managed by our Globus Toolkit (version 4.2.1). My goal is to use the Globus
4.2.1 XACML callout in the following way:


For every GSIFTP call to the Globus Toolkit...

...get the incoming certificate's SubjectDN and the requested resource
(using the org.globus.wsrf.impl.security.authorization.AuthzProfilePIP)

...use the
org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout to ask
our external PDP using the DN and the resource name (and the operation)

...and then grant or deny access to that resource


According to the documentation I should be able to reach that goal by only
configuring the existing PIPs and PDPs, right? What I have done so far is:

- installed and tested the
org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout, and I
am stuck now at "5. configuration"

- created a new_security_descriptor.xml copying
/usr/local/globus/etc/globus/globus_wsrf_core/global_security_descriptor.xml

- added (not exchanged with the old global_security_descriptor.xml, that uses
gridmap-authorization) the new_security_descriptor.xml to the 
server-config.wsdd:

        <parameter name="containerSecDesc"
                value="etc/globus_wsrf_core/new_security_descriptor.xml"/>

- added configuration to the new_security_descriptor.xml (see attached file)

- GLOBUS_LOCATION is set correctly and I start the container using the
globus-start-container script as root, and I get the following exception (I
just think the foo must be replaced??):

2010-09-10T13:02:00.196+02:00 DEBUG axis.MessageContext [main,setService:942]
MessageContext:
setServiceHandler(org.apache.axis.handlers.soap.soapserv...@476dc5c9)
[JWSCORE-114] Failed to start container: [JWSCORE-200] Container failed to
initialize [Caused by:  [Caused by: [JWSSEC-165] Error loading interceptor:
"Interceptor:
xacmlAuthZ:org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout"]]


So I am stuck at this point, and I would be grateful for any help. I
additionally have got some general questions, which I want to post here:

- Is it possible to use the PIPs and PDPs just by configuring them, or do I have
to implement the functionality myself?

- Are there any examples of XACML PDP and PIP usage with just configuration
(IF it is intended to work that way)?
Or do I have to implement the PDP callout myself as done in the XACML test
cases delivered with the XACML callout code?

I hope the information I provided is complete enough to make sense; if not,
please feel free to ask :)


Thanks for any hint you can provide.
Have a nice weekend.
*fu*


-- 
-----------------------------------------------------------------------
Stefan E. Funk
DAASI International GmbH             Phone DAASI :    +49 7071 407109-6
Europaplatz 3                          Phone SUB :      +49 551 39-7700
D-72072 Tübingen                           Email : [email protected]
Germany                                      Web :  http://www.daasi.de

Directory Applications for Advanced Security and Information Management
-----------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<containerSecurityConfig xmlns="http://www.globus.org/security/descriptor/container"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.globus.org/security/XACMLAuthorization xacml_pdp_descriptor_config.xsd"
    xmlns:param="http://www.globus.org/security/XACMLAuthorization">
    <credential>
        <cert-key-files>
            <key-file value="/etc/grid-security/containerkey.pem"/>
            <cert-file value="/etc/grid-security/containercert.pem"/>
        </cert-key-files>
    </credential>
    <authzChain>
        <pips>
            <interceptor name="pip:org.globus.wsrf.impl.security.authorization.AuthzProfilePIP"/>
        </pips>
        <pdps>
            <interceptor
                name="foo:org.globus.wsrf.impl.security.authorization.XACMLAuthorizationCallout">
                <parameter>
                    <param:xacmlAuthzParameters>
                        <param:authzService url="http://uri-of-my-pdp/xacml.wsdl"/>
                        <param:ObligationHandlers>
                            <param:SupportedObligation>
                                <param:ObligationId>http://authz-interop.org/xacml/obligation/username</param:ObligationId>
                                <param:FQClassName>org.globus.wsrf.impl.security.authorization.LocalAccountObligationHandler</param:FQClassName>
                            </param:SupportedObligation>
                        </param:ObligationHandlers>
                    </param:xacmlAuthzParameters>
                </parameter>
            </interceptor>
        </pdps>
    </authzChain>
</containerSecurityConfig>
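The exchange the post describes (DN, resource and operation sent to the external PDP as an XACMLAuthzDecisionQuery, then the answer enforced), as an added example that is not code from the post, from Globus or from OpenRBAC. It uses the OASIS XACML 2.0 / SAML 2.0 profile namespaces and the username obligation id from the descriptor above; the sample PDP response, its IDs, issuer, resource and the `urn:example:username` attribute id are constructed for the example.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"   # XACML 2.0 Request/Response context
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"    # XACML 2.0 policy schema (Obligations)
XQ = "urn:oasis:xacml:2.0:saml:protocol:schema:os"       # SAML 2.0 profile of XACML: query
XSAML = "urn:oasis:xacml:2.0:saml:assertion:schema:os"   # SAML 2.0 profile of XACML: statement
STRING = "http://www.w3.org/2001/XMLSchema#string"
X500 = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
USERNAME_OBLIGATION = "http://authz-interop.org/xacml/obligation/username"  # from the descriptor above

def _attr(parent, attr_id, data_type, value):
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=data_type)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value

def build_authz_query(subject_dn, resource, action, issue_instant="2010-09-10T11:02:00Z"):
    """XACMLAuthzDecisionQuery carrying the subject DN, resource and operation the PEP collected."""
    q = ET.Element(f"{{{XQ}}}XACMLAuthzDecisionQuery", ID="_q1", Version="2.0",
                   IssueInstant=issue_instant, InputContextOnly="true", ReturnContext="false")
    req = ET.SubElement(q, f"{{{CTX}}}Request")
    _attr(ET.SubElement(req, f"{{{CTX}}}Subject"), "urn:oasis:names:tc:xacml:1.0:subject:subject-id", X500, subject_dn)
    _attr(ET.SubElement(req, f"{{{CTX}}}Resource"), "urn:oasis:names:tc:xacml:1.0:resource:resource-id", STRING, resource)
    _attr(ET.SubElement(req, f"{{{CTX}}}Action"), "urn:oasis:names:tc:xacml:1.0:action:action-id", STRING, action)
    ET.SubElement(req, f"{{{CTX}}}Environment")  # required by XACML 2.0 even when empty
    return ET.tostring(q, encoding="unicode")

def pep_enforce(response_xml, handlers):
    """Return (effective decision, obligations). The PEP grants only when the PDP said Permit AND
    it has a handler for every obligation attached to that result; anything else fails closed."""
    stmt = ET.fromstring(response_xml).find(f".//{{{XSAML}}}XACMLAuthzDecisionStatement")
    if stmt is None:                         # no decision statement at all: deny
        return "Deny", {}
    decision = stmt.findtext(f".//{{{CTX}}}Decision")
    obligations = {ob.get("ObligationId"): [a.text for a in ob.iterfind(f"{{{POL}}}AttributeAssignment")]
                   for ob in stmt.iter(f"{{{POL}}}Obligation") if ob.get("FulfillOn") == decision}
    if decision != "Permit" or not set(obligations) <= set(handlers):
        return "Deny", obligations
    for oid, values in obligations.items():  # e.g. map the DN to the local account named by the PDP
        handlers[oid](values)
    return "Permit", obligations

# Constructed sample PDP answer (IDs, issuer, resource and username are invented, not from the post).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsaml="{XSAML}" xmlns:ctx="{CTX}" xmlns:pol="{POL}"
 ID="_r1" Version="2.0" IssueInstant="2010-09-10T11:02:01Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-09-10T11:02:01Z"><saml:Issuer>pdp.example</saml:Issuer>
  <xsaml:XACMLAuthzDecisionStatement><ctx:Response><ctx:Result ResourceId="gsiftp://host.example/data/file1">
   <ctx:Decision>Permit</ctx:Decision>
   <pol:Obligations><pol:Obligation ObligationId="{USERNAME_OBLIGATION}" FulfillOn="Permit">
    <pol:AttributeAssignment AttributeId="urn:example:username" DataType="{STRING}">alice</pol:AttributeAssignment>
   </pol:Obligation></pol:Obligations>
  </ctx:Result></ctx:Response></xsaml:XACMLAuthzDecisionStatement></saml:Assertion></samlp:Response>"""
```

A PEP without a handler for the username obligation (the second case in the checks) gets Deny even though the PDP said Permit, which is what the XACML spec requires of an obligation the PEP does not understand.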
