Bugzilla – Bug 6214
release GT4.2-compatible version of GS4GT
Last modified: 2008-12-14 16:23:42
This is an aggregator bug for the eventual release of a GT4.2-compatible
version of GridShib for GT. Jim lays it out nicely below.
On Wed, Jul 9, 2008 at 1:32 PM, Jim Basney <email@example.com> wrote:
> What'd be really helpful would be if you could create a tracking bug for
> GridShib GT 4.2 support that lists what needs to be done.
> Then, I'd like to see if we can come to some estimate regarding the amount
> of work required. That may require some initial investigation.
> Then, I'd like us to discuss schedule and priorities and see where 4.2
> support falls.
> The result hopefully being that we have an idea whether we expect GridShib
> to support GT 4.2 by September, or not until December, or not until sometime
> in 2009.
Found this old wiki article that needs serious updating:
A deny-overrides combining algorithm has been implemented (Bug 6033). This
will significantly ease the transition to GT4.2. In fact, I consider it no
less than a requirement so I've added this to the dependency list.
For compatibility, upgrade to CoG jglobus 1.5.0:
This means that GS-ST should also be upgraded to CoG jglobus 1.5.0.
See these recent mods to the VOMS 4.1+ interceptors:
Compare with the GS4GT 4.1+ interceptors.
Note: As I understand it, the GT4.2 authz framework allows an administrative
security descriptor (for lack of a better word) at the container level that
ALWAYS executes regardless of the security configuration at the service. This
is a significant new feature. It would allow us to break the GridShibPDP authz
chain in half, configuring the SAMLAssertionPushPIP, AttributeAcceptancePIP,
and SAMLBlacklistPDP at the container level, and optionally the GridmapPDP,
SAMLMapPIP, and SAMLAttributePDP at the service level. I think that would be a
great improvement, but I'm not sure it could be done with what we have today.
It might require some tweaks to the code.
There are two major differences between the GT4.0 and GT4.2 authz frameworks:
1. A GT4.0 PDP has two return values (true/false) while a GT4.2 PDP has four
return values (PERMIT, INDETERMINATE, NOT_APPLICABLE, DENY).
2. GT4.0 supports one combining algorithm (deny-overrides) while GT4.2 supports
no less than three (deny-overrides, permit-overrides, first-applicable).
These differences force us to rewrite our documentation (at least) and may
require modifications to the code.
I believe the GT4.2 authz framework supports the notion of a security context,
so we'll have to reconcile this with the SAMLSecurityContext implemented in GS4GT.
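The two differences listed above (four-valued PDP verdicts and three combining algorithms), worked through as an added illustrative example; this is not GridShib or Globus code. It assumes the algorithms follow the usual XACML ordering (for deny-overrides DENY beats INDETERMINATE beats PERMIT, symmetrically for permit-overrides), and the blacklist, gridmap and attribute PDPs and the DNs are constructed stand-ins for the PDPs named in the discussion.

```python
from enum import Enum
from typing import Dict, Iterable, List

class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    INDETERMINATE = "INDETERMINATE"
    NOT_APPLICABLE = "NOT_APPLICABLE"

def from_boolean(allowed: bool) -> Decision:
    """Adapt a two-valued GT4.0-style verdict: True -> PERMIT, False -> DENY.
    A PDP that answered False for 'not my concern' now emits a hard DENY."""
    return Decision.PERMIT if allowed else Decision.DENY

def deny_overrides(ds: List[Decision]) -> Decision:
    for d in (Decision.DENY, Decision.INDETERMINATE, Decision.PERMIT):
        if d in ds:
            return d
    return Decision.NOT_APPLICABLE

def permit_overrides(ds: List[Decision]) -> Decision:
    for d in (Decision.PERMIT, Decision.INDETERMINATE, Decision.DENY):
        if d in ds:
            return d
    return Decision.NOT_APPLICABLE

def first_applicable(ds: List[Decision]) -> Decision:
    # The first PDP with an opinion (anything but NOT_APPLICABLE) decides.
    return next((d for d in ds if d is not Decision.NOT_APPLICABLE), Decision.NOT_APPLICABLE)

def evaluate(chain: Iterable, combine, request: Dict[str, str]) -> Decision:
    """Run every PDP in the chain and fold their verdicts with `combine`."""
    return combine([pdp(request) for pdp in chain])

# Constructed sample data; the three PDPs are toy stand-ins, not GridShib code.
BLACKLIST = {"/DC=org/DC=example/CN=revoked"}
GRIDMAP = {"/DC=org/DC=example/CN=alice": "alice"}

def blacklist_pdp(req):   # container level: only speaks up for listed DNs
    return Decision.DENY if req["subject"] in BLACKLIST else Decision.NOT_APPLICABLE
def gridmap_pdp(req):     # GT4.0-style: local account or not, nothing in between
    return from_boolean(req["subject"] in GRIDMAP)
def attribute_pdp(req):   # permits members of the sample VO, otherwise abstains
    return Decision.PERMIT if req.get("vo") == "example-vo" else Decision.NOT_APPLICABLE

CHAIN = [blacklist_pdp, gridmap_pdp, attribute_pdp]
```

The same chain answers differently per algorithm: a blacklisted DN that carries a valid VO attribute is refused under deny-overrides and first-applicable but admitted under permit-overrides, and the two-valued gridmap adapter turns "unknown DN" into a DENY that blocks VO members under deny-overrides.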
This bug is being reclassified as a GridShib Roadmap item.
GT 4.2.1 Java WS A&A Developer's Guide