Bugzilla – Bug 6214
release GT4.2-compatible version of GS4GT
Last modified: 2008-12-14 16:23:42
This is an aggregator bug for the eventual release of a GT4.2-compatible version of GridShib for GT. Jim lays it out nicely below.

On Wed, Jul 9, 2008 at 1:32 PM, Jim Basney <jbasney@ncsa.uiuc.edu> wrote:
>
> What'd be really helpful would be if you could create a tracking bug for
> GridShib GT 4.2 support that lists what needs to be done.
>
> Then, I'd like to see if we can come to some estimate regarding the amount
> of work required. That may require some initial investigation.
>
> Then, I'd like us to discuss schedule and priorities and see where 4.2
> support falls.
>
> The result hopefully being that we have an idea whether we expect GridShib
> to support GT 4.2 by September, or not until December, or not until sometime
> in 2009.
>
> Thanks,
> Jim
Found this old wiki article that needs serious updating: http://dev.globus.org/wiki/GridShib_GT4.2_Roadmap
A deny-overrides combining algorithm has been implemented (Bug 6033). This will significantly ease the transition to GT4.2. In fact, I consider it no less than a requirement so I've added this to the dependency list.
For compatibility, upgrade to CoG jglobus 1.5.0: http://dev.globus.org/wiki/CoG_JGlobus_1.5.0 This means that GS-ST should also be upgraded to CoG jglobus 1.5.0.
See these recent mods to the VOMS 4.1+ interceptors: http://viewcvs.globus.org/viewcvs.cgi/workspace/vm/plugins/authz/voms/src-proxies/4.1%2B/org/globus/voms/?pathrev=voms_pre_incubator Compare with the GS4GT 4.1+ interceptors.
Note: As I understand it, the GT4.2 authz framework allows an administrative security descriptor (for lack of a better word) at the container level that ALWAYS executes regardless of the security configuration at the service. This is a significant new feature. It would allow us to break the GridShibPDP authz chain in half, configuring the SAMLAssertionPushPIP, AttributeAcceptancePIP, and SAMLBlacklistPDP at the container level, and optionally the GridmapPDP, SAMLMapPIP, and SAMLAttributePDP at the service level. I think that would be a great improvement, but I'm not sure it could be done with what we have today. It might require some tweaks to the code.
There are two major differences between the GT4.0 and GT4.2 authz frameworks:

1. A GT4.0 PDP has two return values (true/false) while a GT4.2 PDP has four return values (PERMIT, INDETERMINATE, NOT_APPLICABLE, DENY).
2. GT4.0 supports one combining algorithm (deny-overrides) while GT4.2 supports no less than three (deny-overrides, permit-overrides, first-applicable).

These differences force us to rewrite our documentation (at least) and may require modifications to the code.
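The two comments above (the container-level/service-level chain split, and the four-valued PDP results with three combining algorithms) are modelled in the following added example. This is illustrative code written for this page, not Globus Toolkit or GridShib code: the PDP names are borrowed from the comments but their behaviour, the blacklist and gridmap contents, the sample requests, and the exact ordering inside each combining algorithm (modelled on XACML, with the enforcement point failing closed so that only PERMIT grants access) are all assumptions made here.

```python
"""Toy model of the GT4.0 -> GT4.2 authorization semantics discussed in this bug.

Added illustration, not Globus Toolkit code.  The PDP names are stand-ins with
constructed behaviour; the ordering inside each combining algorithm is an
assumption modelled on XACML, and the PEP is assumed to fail closed.
"""
from enum import Enum
from typing import Callable, Iterable, List, Mapping, Tuple


class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    INDETERMINATE = "INDETERMINATE"
    NOT_APPLICABLE = "NOT_APPLICABLE"


Request = Mapping[str, str]
PDP = Callable[[Request], Decision]


def adapt_gt40(legacy: Callable[[Request], bool]) -> PDP:
    """Wrap a two-valued GT4.0-style PDP as a four-valued GT4.2-style one.

    True -> PERMIT, False -> DENY.  A boolean PDP can never abstain
    (NOT_APPLICABLE) or fail (INDETERMINATE), which is why a GT4.0 chain
    only ever needed deny-overrides.
    """
    return lambda req: Decision.PERMIT if legacy(req) else Decision.DENY


def deny_overrides(decisions: Iterable[Decision]) -> Decision:
    ds = list(decisions)
    if Decision.DENY in ds:
        return Decision.DENY
    if Decision.INDETERMINATE in ds:
        return Decision.INDETERMINATE
    if Decision.PERMIT in ds:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE


def permit_overrides(decisions: Iterable[Decision]) -> Decision:
    ds = list(decisions)
    if Decision.PERMIT in ds:
        return Decision.PERMIT
    if Decision.INDETERMINATE in ds:
        return Decision.INDETERMINATE
    if Decision.DENY in ds:
        return Decision.DENY
    return Decision.NOT_APPLICABLE


def first_applicable(decisions: Iterable[Decision]) -> Decision:
    # The first PDP that does not abstain decides; PERMIT, DENY or
    # INDETERMINATE all stop the walk.
    for d in decisions:
        if d is not Decision.NOT_APPLICABLE:
            return d
    return Decision.NOT_APPLICABLE


def evaluate_chain(pdps: List[PDP], algorithm, request: Request) -> Decision:
    return algorithm(pdp(request) for pdp in pdps)


# --- Constructed stand-in PDPs (names from the bug, behaviour invented) ---
BLACKLIST = {"CN=mallory"}        # constructed sample data
GRIDMAP = {"CN=alice": "alice"}   # constructed sample data


def saml_blacklist_pdp(req: Request) -> Decision:
    # Speaks up only for blacklisted subjects; otherwise abstains.
    return Decision.DENY if req["subject"] in BLACKLIST else Decision.NOT_APPLICABLE


def legacy_gridmap_pdp(req: Request) -> bool:
    # GT4.0-style yes/no PDP: it cannot abstain.
    return req["subject"] in GRIDMAP


def saml_attribute_pdp(req: Request) -> Decision:
    # A missing attribute push is a policy failure (INDETERMINATE), not a deny.
    attrs = req.get("attributes", "")
    if not attrs:
        return Decision.INDETERMINATE
    return Decision.PERMIT if "member" in attrs.split(",") else Decision.DENY


def authorize(request: Request, service_algorithm=deny_overrides) -> Tuple[Decision, bool]:
    """Container chain always runs; the service chain's result is combined with
    it under deny-overrides.  The PEP fails closed: only PERMIT grants access."""
    container = evaluate_chain([saml_blacklist_pdp], deny_overrides, request)
    service = evaluate_chain(
        [adapt_gt40(legacy_gridmap_pdp), saml_attribute_pdp], service_algorithm, request
    )
    final = deny_overrides([container, service])
    return final, final is Decision.PERMIT


if __name__ == "__main__":
    for subj in ("CN=alice", "CN=mallory", "CN=bob"):
        for alg in (deny_overrides, permit_overrides, first_applicable):
            print(subj, alg.__name__, authorize({"subject": subj, "attributes": "member"}, alg))
```

The subject "CN=bob" is the instructive case: not in the gridmap but carrying the right attribute, it is denied under deny-overrides and first-applicable (the adapted GT4.0 gridmap PDP answers first, and it can only say DENY) but permitted under permit-overrides, which is exactly the documentation-level difference the comment calls out. The blacklist PDP at the container level denies "CN=mallory" regardless of which algorithm the service selects, and a request with no pushed attributes ends INDETERMINATE, which the fail-closed PEP treats as no access.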
I believe the GT4.2 authz framework supports the notion of a security context, so we'll have to reconcile this with the SAMLSecurityContext implemented in GS4GT.
This bug is being reclassified as a GridShib Roadmap item.
For reference: GT 4.2.1 Java WS A&A Developer's Guide http://www.globus.org/toolkit/docs/latest-stable/security/wsaajava/developer/