Bugzilla – Bug 6520
Modify WS GRAM resource authorization to be configurable
Last modified: 2012-09-05 13:39:04
Definition: Modify WS GRAM services and resource to provide configurable
authorization and remove dependency on GridMap authorization. Test against an
external authorization service, GUMS. Details on current infrastructure and
requirements are described here:
1. Managed Job Resources should allow for a configurable resource security
descriptor, such that the authorization mechanism can be configured. This requires
changes to the Managed Job Home, to set up the configured authorization and
policy during resource creation.
2. The dependency on the presence of a GridMap object should be removed, and the
presence of a local account mapping in the peer subject should be the only requirement.
3. Use of GridMap authorization as resource authorization should be the default
configuration for backwards compatibility.
4. Test scenario:
- WS GRAM factory configured with Execution Service PIPs and XACML
Authorization Callout PDP to talk to GUMS
- WS GRAM resources configured with Execution Service PIPs and two PDPs: XACML
Authorization Callout PDP to talk to GUMS and Local Account Access Control PDP.
The authorization decision involves obtaining a mapping from GUMS and validating
presence in the Local Account Access Control PDP.
- Client 1 and Client 2 mapped to same local account in GUMS server.
- Client 1 creates a job.
- Client 2 queries and destroys the job.
5. Merge code to 4.2 branch and trunk
6. Documentation update
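The test scenario in item 4, as a simplified Python model added here (it is not WS GRAM or GUMS code). The subject DNs, the mapping table and every function name are constructed for illustration; the model assumes that every PDP in a chain must permit and that the resource policy set at creation is the creator's mapped local account.

```python
# Simplified model of the item 4 test scenario; all names are hypothetical,
# not WS GRAM or GUMS APIs.
from dataclasses import dataclass, field

# Constructed sample of a GUMS mapping table: subject DN -> local account.
GUMS_MAP = {
    "/O=Grid/CN=Client 1": "griduser",
    "/O=Grid/CN=Client 2": "griduser",
    "/O=Grid/CN=Client 3": "other",
}

@dataclass
class Peer:
    dn: str
    local_accounts: set = field(default_factory=set)  # filled in by the mapping PDP

def gums_pdp(peer, resource):
    """Stand-in for the XACML callout PDP: permit only if GUMS maps the subject."""
    account = GUMS_MAP.get(peer.dn)
    if account is None:
        return False
    peer.local_accounts.add(account)  # mapping lives on the peer, no GridMap object
    return True

def local_account_pdp(peer, resource):
    """Permit only if one of the peer's mapped accounts is allowed on the resource."""
    return bool(peer.local_accounts & resource["allowed_accounts"])

FACTORY_CHAIN = [gums_pdp]                      # factory: mapping only
RESOURCE_CHAIN = [gums_pdp, local_account_pdp]  # resource: mapping + account check

def authorize(chain, dn, resource=None):
    """Every PDP must permit; all() stops at the first deny."""
    peer = Peer(dn)
    return peer if all(pdp(peer, resource) for pdp in chain) else None

def create_job(dn):
    peer = authorize(FACTORY_CHAIN, dn)
    if peer is None:
        raise PermissionError(dn)
    # Policy configured at resource creation: the creator's mapped account(s).
    return {"allowed_accounts": set(peer.local_accounts), "state": "Active"}

def destroy_job(dn, job):
    if authorize(RESOURCE_CHAIN, dn, job) is None:
        return False
    job["state"] = "Destroyed"
    return True
```

Client 2 is permitted to destroy Client 1's job only because both subjects map to the same local account; a subject mapped to a different account, or not mapped at all, is denied.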
Doing some Bugzilla cleanup... Resolving old GRAM3 and GRAM4 issues that are
no longer relevant since we've moved on to GRAM5. Also, we're now tracking
issues in Jira. Any new issues should be added here: