Chapter 2. XACML Authz Profile PIP (Since GT 4.2.1)

1. Class name

org.globus.wsrf.impl.security.authorization.AuthzProfilePIP

2. Overview

The PIP is used to collect information about the subject and the resource being accessed, as required by the OSG/EGEE Authorization Interoperability Profile. The PIP collects the attributes that are common to every resource/action access, as described in the interoperability profile. Two sets of attributes are collected:

  • Subject attributes: Subject DN and Issuer DN of the client certificate.

  • Resource attributes: Host name of the resource, resource DN and the DN of the resource credential's issuer.

Additional PIPs that collect attributes for the resource and action being accessed are required for this PIP to work with the XACML Authorization Callout. FIXME: link to OSG doc for working GUMS/SCAS example.

3. Installation

This component is installed as part of Section 3, “Installation”.

4. Configuration

No additional configuration is required for this PIP.

5. Attributes Collected

This PIP collects the attributes described in the following tables:

Table 2.1. Attribute I

  Description of attribute: Subject DN of the client
  Identity attribute: True
  Attribute ID: org.globus.wsrf.impl.security.authorization.XACMLConstants.SUBJECT_X509_ID
  Datatype: org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE
  Issuer: Container Issuer Entity
  Validity from: Current time
  Validity to: Infinity

Table 2.2. Attribute II

  Description of attribute: Subject DN of the issuer of the client credential
  Identity attribute: No
  Attribute ID: org.globus.wsrf.impl.security.authorization.XACMLConstants.SUBJECT_X509_ISSUER
  Datatype: org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE
  Issuer: Container Issuer Entity
  Validity from: Current time
  Validity to: Infinity

Table 2.3. Attribute III

  Description of attribute: Host name of the resource being accessed
  Identity attribute: False
  Attribute ID: org.globus.wsrf.impl.security.authorization.XACMLConstants.RESOURCE_DNS_HOST_NAME
  Datatype: org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE
  Issuer: Container Issuer Entity
  Validity from: Current time
  Validity to: Infinity

Table 2.4. Attribute IV

  Description of attribute: DN of the resource credential
  Identity attribute: False
  Attribute ID: org.globus.wsrf.impl.security.authorization.XACMLConstants.RESOURCE_X509_ID
  Datatype: org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE
  Issuer: Container Issuer Entity
  Validity from: Current time
  Validity to: Infinity

Table 2.5. Attribute V

  Description of attribute: DN of the issuer of the resource credential
  Identity attribute: False
  Attribute ID: org.globus.wsrf.impl.security.authorization.XACMLConstants.RESOURCE_X509_ISSUER
  Datatype: org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE
  Issuer: Container Issuer Entity
  Validity from: Current time
  Validity to: Infinity

6. Related interceptors

This PIP can be used in tandem with the XACML Authorization Callout PDP to obtain an authorization decision about the service access from a XACML Authorization Callout.
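The following is an added illustration, not code from the Globus Toolkit: it models the five attributes from Tables 2.1 to 2.5 (category, identity flag, validity from now to infinity) and serialises them into the Subject and Resource sections of a XACML 2.0 request of the kind a callout PDP would consume. The attribute IDs use the XACMLConstants names as placeholders, and the issuer string is a placeholder for the container issuer entity, since the page gives neither URI value.

```python
# Added example, not part of the Globus Toolkit code base. Attribute IDs and the
# issuer string are placeholders for the real XACMLConstants values.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING_DATATYPE = "http://www.w3.org/2001/XMLSchema#string"  # standard XACML string type
ISSUER = "container-issuer-entity"  # placeholder for "Container Issuer Entity"


@dataclass(frozen=True)
class Attribute:
    category: str                 # "Subject" or "Resource"
    attr_id: str                  # placeholder for the XACMLConstants.* URI
    value: str
    identity: bool                # True only for the client's Subject DN (Table 2.1)
    valid_from: datetime          # "Validity from: Current time"
    valid_to: Optional[datetime]  # None means "Validity to: Infinity"


def collect_profile_attributes(client_subject_dn, client_issuer_dn, resource_host,
                               resource_dn, resource_issuer_dn, now=None):
    """Build the attributes of Tables 2.1 - 2.5 for one access request."""
    now = now or datetime.now(timezone.utc)
    spec = [  # (category, placeholder attribute ID, value, identity flag)
        ("Subject", "SUBJECT_X509_ID", client_subject_dn, True),
        ("Subject", "SUBJECT_X509_ISSUER", client_issuer_dn, False),
        ("Resource", "RESOURCE_DNS_HOST_NAME", resource_host, False),
        ("Resource", "RESOURCE_X509_ID", resource_dn, False),
        ("Resource", "RESOURCE_X509_ISSUER", resource_issuer_dn, False),
    ]
    return [Attribute(c, i, v, ident, now, None) for c, i, v, ident in spec]


def to_xacml_request(attrs):
    """Serialise the attributes into a XACML 2.0 Request. Action and Environment are
    left empty because, as the page notes, other PIPs supply those attributes."""
    req = ET.Element(f"{{{XACML_NS}}}Request")
    for category in ("Subject", "Resource"):
        holder = ET.SubElement(req, f"{{{XACML_NS}}}{category}")
        for a in (x for x in attrs if x.category == category):
            el = ET.SubElement(holder, f"{{{XACML_NS}}}Attribute", AttributeId=a.attr_id,
                               DataType=STRING_DATATYPE, Issuer=ISSUER)
            ET.SubElement(el, f"{{{XACML_NS}}}AttributeValue").text = a.value
    ET.SubElement(req, f"{{{XACML_NS}}}Action")
    ET.SubElement(req, f"{{{XACML_NS}}}Environment")
    return ET.tostring(req, encoding="unicode")


def is_valid_at(attr, when):
    """Validity window check; an open upper bound (None) never expires."""
    return attr.valid_from <= when and (attr.valid_to is None or when <= attr.valid_to)
```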