Bug 4895 - Develop a Gridmap callout to enable GridFTP to work with Community Authorization Service (CAS)
: Develop a Gridmap callout to enable GridFTP to work with Community Authorizat...
Status: RESOLVED FIXED
: GridFTP
Campaign
: development
: All All
: P3 normal
: 4.2
Assigned To:
:
:
:
: 4481 4972
  Show dependency treegraph
 
Reported: 2006-12-08 12:26 by
Modified: 2008-11-14 09:45 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2006-12-08 12:26:06
Definition:
The Gridmap callout to parse the CAS assertion (if it exists) in the proxy to
get the CAS server DN and use it to do the gridmap lookup is missing. Right
now, the gridmap callout uses the userís DN in the proxy to do the gridmap
lookup. So the gridmap lookup and thus the authorization either fails or does
not happen as intended when the GridFTP server is presented with a CAS proxy.
Implement Gridmap callout that recognize CAS proxies and do appropriate gridmap
lookup.

Benefits:
Allows for the GridFTP server to work with CAS credentials. This might even be
useful for Gridshib to integrate with GridFTP as there has been some
discussions in the Gridshib community to do all the policy stuff web services
side and translate it into a CAS credential.

Tasks / Deliverables:
0.    This will require setting up and configuring the CAS server, setting up
the GridFTP server and configuring it to work with CAS or finding a suitable
test installation.
1.    Develop the Gridmap callout for CAS. The authz callout does have code to
parse out the CAS assertion in the proxy. Use that as a sample to parse the
assertion. Find appropriate API to parse the DN from the assertion. 
2.    Test the callout on the platforms supported.
3.    Create/update documentation as needed.
------- Comment #1 From 2006-12-08 21:13:04 -------
Here's the bug motivating this work:
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=4481
------- Comment #2 From 2008-11-13 15:31:55 -------
gridmap callout added to existing CAS callout library.  Committed fix to trunk,
globus_4_0_branch, and globus_4_2_branch.  Update packages for 4.0 and 4.2 will
be available at http://www.globus.org/toolkit/advisories.html.
------- Comment #3 From 2008-11-13 19:24:28 -------
(In reply to comment #2)
> Committed fix to trunk,
> globus_4_0_branch, and globus_4_2_branch.  Update packages for 4.0 and 4.2 will
> be available at http://www.globus.org/toolkit/advisories.html.

Mike, since 4.0 and 4.2 incorporate OpenSAML 1.0 and OpenSAML 1.1,
respectively, does this mean that the SAML tokens generated by 4.0 and 4.2 are
SAML V1.0 and SAML V1.1 tokens, respectively?  The reason I ask is that
GridShib deals with SAML V1.1 only, so your answer to the previous question
effectively limits the possible integration points.
------- Comment #4 From 2008-11-14 00:51:46 -------
I don't think I know enough to answer your question.  If you're asking if
tokens generated by either a 4.0 or a 4.2 based service will be compatible with
a 4.0 or 4.2 version of this callout, I think the answer is yes (with the
inclusion of the resolution to bug 6388/5606 which is part of the advisory). 
Otherwise, I don't know if I am the one to ask (being that I am but a
big-picture-unaware steward of this code -- I've CC'd Rachana on this bug as
the most recent person that might have the answer).
------- Comment #5 From 2008-11-14 09:45:25 -------
CAS service sets up property org.opensaml.compatibility-mode to true, which
implies that the assertions should be SAML v1.0 and not v1.1.