| Summary: | Expressing TeraGrid policy requirements | ||
|---|---|---|---|
| Product: | GridShib | Reporter: | Tom Scavo <trscavo@gmail.com> |
| Component: | GT plugin | Assignee: | Tom Scavo <trscavo@gmail.com> |
| Status: | NEW | ||
| Severity: | normal | CC: | gridshib-dev@globus.org, smartin@mcs.anl.gov, trscavo@gmail.com, vwelch@uiuc.edu |
| Priority: | P3 | ||
| Version: | 0.6 | ||
| Target Milestone: | beta | ||
| Hardware: | All | ||
| OS: | All | ||
| Bug Depends on: | 6668 | ||
| Bug Blocks: | |||
The value of the isMemberOf attribute is something like the following:

group://gisolve.org/gisolve

The above attribute value tells the RP that the end user is a member of the virtual organization (VO) whose name is "gisolve". The string "gisolve.org" is a scope and so the value is a scoped attribute value. In general, the isMemberOf attribute value takes on the following form:

group://scope/vo_name/group_name/subgroup_name#role

There is an intentionally strong resemblance between such attribute values and VOMS fully qualified attribute values (FQANs).
Raising the discussion to the next level, given today's policy, a request from a science gateway is treated like any other request, that is, the request is accepted if the DN is in the gridmap. This is incorrect. A gateway request should be accepted if the proxy is accompanied by SAML attributes *and* the required attributes (whatever those turn out to be) are present. Only a non-gateway request should be subject to ordinary gridmap short-circuiting. I don't see how to fix this easily. It leads to a dual policy scenario keyed off the identity of the requester. We don't support anything like that at the moment, not even close.
(In reply to comment #2)
> I don't see how to fix this easily.

Actually, it is relatively low-hanging fruit to refactor the GridShibPDP so that it handles both cases (i.e., gateways and non-gateways):

http://www.globus.org/mail_archive/gridshib-dev/2008/06/msg00131.html
(In reply to comment #0)
> * A SAML identity is required

Add an element such as the following to the policy schema:

<saml:NameIdentifier Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>

I believe an empty NameIdentifier element is schema-valid but this needs to be tested.
The following tasks have been identified:

- implement GridmapPDPImpl
- implement GridmapPDP (GT4.0)
- implement GridmapPDP (GT4.2)
- modify GS4GT.java for entity map short circuiting
(In reply to comment #5)
> - implement GridmapPDP (GT4.0)

Return true iff GridmapPDPImpl returns PERMIT or NOT_APPLICABLE. Compare with the GT4.0 version of GridmapPDP:

http://viewcvs.globus.org/viewcvs.cgi/wsrf/java/core/source/src/org/globus/wsrf/impl/security/authorization/GridMapAuthorization.java?view=log&pathrev=globus_4_0_7
The issue described in Comment #2, Comment #3, Comment #5, and Comment #6 has been siphoned off into a new bug (Bug 6497) since the issue is a general problem not restricted to TeraGrid.
Bug 6497 is separate from this bug since TeraGrid now has its own PDP (Bug 6668).
(In reply to comment #4)
> (In reply to comment #0)
> > * A SAML identity is required
>
> Add an element such as the following to the policy schema:
>
> <saml:NameIdentifier Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>

In terms of TeraGrid policy requirements, this is the most significant omission from the GridShib policy language. If we could add this single capability to the policy language, it would go a long way.

In fact the requirements are slightly different than the above. We need to be able to specify the following in the policy file:

<saml:NameIdentifier Format="http://teragrid.org/names/nameid-format/principalname">
  ^.+\.teragrid\.org$
</saml:NameIdentifier>

In other words, a gateway user identifier must end with ".teragrid.org". (Low-level formatting requirements are enforced by the TGPN format handler referenced in Bug 6679.)
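As an added example (not GridShib code and not written by anyone on this bug), the following Python parses the scoped isMemberOf values described in the first comment and applies the TeraGrid NameIdentifier requirement from this comment to a gateway request. The function names, the GroupMembership type, and the rule that the "required attribute" is membership in one configured VO are assumptions standing in for the undecided policy.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Format URI and regular expression as quoted in the bug discussion.
TGPN_FORMAT = "http://teragrid.org/names/nameid-format/principalname"
TGPN_PATTERN = re.compile(r"^.+\.teragrid\.org$")


@dataclass(frozen=True)
class GroupMembership:          # hypothetical helper type, not from GridShib
    scope: str
    vo: str
    groups: tuple               # group/subgroup path; empty for plain VO membership
    role: Optional[str]         # the "#role" fragment, None if absent


def parse_is_member_of(value: str) -> GroupMembership:
    """Parse group://scope/vo_name[/group_name[/subgroup_name...]][#role]."""
    prefix = "group://"
    if not value.startswith(prefix):
        raise ValueError(f"not a group URI: {value!r}")
    path, has_role, role = value[len(prefix):].partition("#")
    parts = path.split("/")
    # scope and vo_name are mandatory and no path component may be empty
    if len(parts) < 2 or any(p == "" for p in parts):
        raise ValueError(f"malformed isMemberOf value: {value!r}")
    if has_role and role == "":
        raise ValueError(f"empty role in: {value!r}")
    return GroupMembership(parts[0], parts[1], tuple(parts[2:]), role or None)


def gateway_request_permitted(name_format: str, name_value: str,
                              is_member_of: Sequence[str], required_vo: str) -> bool:
    """Gateway decision: a TGPN identifier matching the policy regex AND
    membership in the required VO must both be present (assumed rule)."""
    if name_format != TGPN_FORMAT or not TGPN_PATTERN.match(name_value):
        return False
    for raw in is_member_of:
        try:
            membership = parse_is_member_of(raw)
        except ValueError:
            continue            # a malformed value never grants access
        if membership.vo == required_vo:
            return True
    return False


if __name__ == "__main__":
    # constructed sample input
    print(parse_is_member_of("group://gisolve.org/gisolve"))
    print(gateway_request_permitted(TGPN_FORMAT, "jdoe@gateway.teragrid.org",
                                    ["group://gisolve.org/gisolve"], "gisolve"))
```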