Bugzilla – Full Text Bug Listing
Summary: Expressing TeraGrid policy requirements
Product: GridShib
Reporter: Tom Scavo <email@example.com>
Component: GT plugin
Assignee: Tom Scavo <firstname.lastname@example.org>
Severity: normal
CC: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Bug Depends on: 6668
On the TeraGrid Science Gateway call (Feb 22, 2008), the following policy requirements were discussed (either directly or indirectly):

* A SAML identity is required
  ** A name identifier with format F1, F2, or F3 is required
* An authentication statement (sometimes called an "authentication context") is required
  ** The age of the authn context (as given by the authnInstant) is limited to N seconds
  ** An IP address is required
* An attribute statement is required
  ** An isMemberOf attribute is required and its value is restricted to VO1, VO2, or VO3
  ** A mail attribute is required

Except for the last sub-bullet, GS4GT can't express any of the above policy, so I'm recording it here for future reference.
The value of the isMemberOf attribute is something like the following:

  group://gisolve.org/gisolve

The above attribute value tells the RP that the end user is a member of the virtual organization (VO) whose name is "gisolve". The string "gisolve.org" is a scope and so the value is a scoped attribute value. In general, the isMemberOf attribute value takes on the following form:

  group://scope/vo_name/group_name/subgroup_name#role

There is an intentionally strong resemblance between such attribute values and VOMS fully qualified attribute values (FQANs).
Raising the discussion to the next level, given today's policy, a request from a science gateway is treated like any other request, that is, the request is accepted if the DN is in the gridmap. This is incorrect. A gateway request should be accepted if the proxy is accompanied by SAML attributes *and* the required attributes (whatever those turn out to be) are present. Only a non-gateway request should be subject to ordinary gridmap short-circuiting. I don't see how to fix this easily. It leads to a dual policy scenario keyed off the identity of the requester. We don't support anything like that at the moment, not even close.
(In reply to comment #2)
>
> I don't see how to fix this easily.

Actually, it is relatively low-hanging fruit to refactor the GridShibPDP so that it handles both cases (i.e., gateways and non-gateways): http://www.globus.org/mail_archive/gridshib-dev/2008/06/msg00131.html
(In reply to comment #0)
>
> * A SAML identity is required

Add an element such as the following to the policy schema:

  <saml:NameIdentifier Format="urn:oid:184.108.40.206.4.1.59220.127.116.11.6"/>

I believe an empty NameIdentifier element is schema-valid but this needs to be tested.
The following tasks have been identified:

- implement GridmapPDPImpl
- implement GridmapPDP (GT4.0)
- implement GridmapPDP (GT4.2)
- modify GS4GT.java for entity map short circuiting
(In reply to comment #5)
>
> - implement GridmapPDP (GT4.0)

Return true iff GridmapPDPImpl returns PERMIT or NOT_APPLICABLE. Compare with the GT4.0 version of GridmapPDP: http://viewcvs.globus.org/viewcvs.cgi/wsrf/java/core/source/src/org/globus/wsrf/impl/security/authorization/GridMapAuthorization.java?view=log&pathrev=globus_4_0_7
The issue described in Comment #2, Comment #3, Comment #5, and Comment #6 has been siphoned off into a new bug (Bug 6497) since the issue is a general problem not restricted to TeraGrid.
(In reply to comment #4)
> (In reply to comment #0)
> >
> > * A SAML identity is required
>
> Add an element such as the following to the policy schema:
>
> <saml:NameIdentifier Format="urn:oid:18.104.22.168.4.1.5922.214.171.124.6"/>

In terms of TeraGrid policy requirements, this is the most significant omission from the GridShib policy language. If we could add this single capability to the policy language, it would go a long way. In fact the requirements are slightly different than the above. We need to be able to specify the following in the policy file:

  <saml:NameIdentifier Format="http://teragrid.org/names/nameid-format/principalname">
    ^.+\.teragrid\.org$
  </saml:NameIdentifier>

In other words, a gateway user identifier must end with ".teragrid.org". (Low-level formatting requirements are enforced by the TGPN format handler referenced in Bug 6679.)
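An added illustration, not GridShib or GS4GT code, of the gateway checks discussed in this bug: parsing the scoped isMemberOf value from comment 1 and applying the TGPN NameIdentifier format plus regex constraint above, together with the authn-context age and mail requirements from comment 0. The allowed VO names other than "gisolve" and the age limit are assumed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Values taken from the thread; VO list and age limit are assumed placeholders.
TGPN_FORMAT = "http://teragrid.org/names/nameid-format/principalname"
TGPN_PATTERN = re.compile(r"^.+\.teragrid\.org$")
ALLOWED_VOS = {"gisolve", "vo2", "vo3"}   # the bug says "VO1, VO2, or VO3"
MAX_AUTHN_AGE_SECONDS = 3600               # the bug says "N seconds"


@dataclass(frozen=True)
class GroupValue:
    scope: str
    vo: str
    groups: Tuple[str, ...]
    role: Optional[str]


def parse_is_member_of(value: str) -> GroupValue:
    """Parse group://scope/vo_name/group_name/subgroup_name#role."""
    m = re.fullmatch(r"group://([^/#]+)/([^#]*)(?:#([^#]+))?", value)
    if not m:
        raise ValueError(f"not a scoped group value: {value!r}")
    scope, path, role = m.groups()
    parts = path.split("/") if path else []
    if not parts or not all(parts):   # reject empty VO name or empty segment
        raise ValueError(f"missing VO name or empty path segment: {value!r}")
    return GroupValue(scope, parts[0], tuple(parts[1:]), role)


def name_id_ok(fmt: str, value: str) -> bool:
    # fullmatch so that a trailing newline does not slip past the $ anchor
    return fmt == TGPN_FORMAT and TGPN_PATTERN.fullmatch(value) is not None


def gateway_request_permitted(name_id_format: str, name_id_value: str,
                              authn_age_seconds: int, attributes: dict) -> bool:
    """PERMIT only if every required piece is present and acceptable."""
    if not name_id_ok(name_id_format, name_id_value):
        return False
    if authn_age_seconds < 0 or authn_age_seconds > MAX_AUTHN_AGE_SECONDS:
        return False
    if not attributes.get("mail"):
        return False
    for raw in attributes.get("isMemberOf", []):
        try:
            if parse_is_member_of(raw).vo in ALLOWED_VOS:
                return True
        except ValueError:
            continue                     # malformed values never grant access
    return False
```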