Bugzilla – Bug 6535
Modify RFT resource authorization to be configurable
Last modified: 2008-11-14 09:50:14
Definition: Modify RFT service and resource to provide configurable
authorization and remove dependency on GridMap authorization. Test against an
external authorization service, GUMS. Details on current infrastructure and
requirements are described here:
1. RFT Resource should allow for configurable resource security descriptor,
such that authorization mechanism can be configured. This requires changes to
the Delegation Home, to set up the configured authorization and policy during
2. Dependency on presence of GridMap object should be removed and presence of a
local account mapping in peer subject should be the only requirement.
3. Use of GridMap authorization as resource authorization should be default
configuration for backwards compatibility.
4. Test scenario:
- RFT Service configured with RFT Service PIPs and XACML Authorization Callout
PDP to talk to GUMS
- RFT resources configured with Delegation Service PIPs and two PDPs: XACML
Authorization Callout PDP to talk to GUMS and Local Account Access Control PDP.
Authorization decision involves obtaining mapping from GUMS and validating
presence in the Local Account Access Control PDP.
- Client 1 and Client 2 mapped to same local account in GUMS server.
- Client 1 creates a transfer
- Client 2 queries and destroys the transfer
5. Merge code to 4.2 branch and trunk
6. Documentation update
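
The test scenario in item 4, modeled as an added example; it is not RFT or Globus Toolkit code and not part of the bug report. It assumes GUMS can be represented as a subject-to-account table, that the Local Account Access Control PDP permits when the caller's mapped account matches the account recorded when the transfer was created, and that both PDPs must permit; all function names, DNs and account names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the GUMS server: subject DN -> local account.
GUMS = {
    "/O=Example/CN=Client 1": "rftuser",
    "/O=Example/CN=Client 2": "rftuser",
    "/O=Example/CN=Client 3": "otheruser",
}

@dataclass
class Peer:
    dn: str
    local_account: Optional[str] = None  # set by the mapping step

def gums_callout_pdp(peer, resource):
    """Permit only if GUMS maps the subject; attach the mapping to the peer."""
    peer.local_account = GUMS.get(peer.dn)
    return peer.local_account is not None

def local_account_pdp(peer, resource):
    """Assumed semantics: permit if the mapped account owns the resource."""
    return peer.local_account == resource.owner_account

@dataclass
class TransferResource:
    owner_account: str
    pdp_chain: tuple = (gums_callout_pdp, local_account_pdp)
    destroyed: bool = False

    def authorize(self, peer):
        # Every PDP must permit; all() stops at the first deny.
        return all(pdp(peer, self) for pdp in self.pdp_chain)

    def destroy(self, peer):
        if not self.authorize(peer):
            raise PermissionError(f"{peer.dn} not authorized")
        self.destroyed = True

def create_transfer(peer):
    # Service-level check: the creator only needs a GUMS mapping.
    if not gums_callout_pdp(peer, None):
        raise PermissionError(f"{peer.dn} has no local account mapping")
    return TransferResource(owner_account=peer.local_account)
```

No GridMap object appears in the decision path: the only input to the resource-level check is the local account attached to the peer subject, as item 2 requires.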