Hi,

Currently, our grid has no VO (Virtual Organisation) support. So GRAM
job submission or file transfer through GridFTP uses only grid/proxy
credentials.

Once VO is supported in the grid, there would be some VO management
tool like VOMS/CAS which can help in role-based authorisation. Here is how
we think it would work:
The user will be having an additional CAS/VOMS credential on top of the usual
proxy credential. And if there is job submission/file transfer done with the
CAS credential, then the corresponding grid service (GRAM/GridFTP) should
extract and parse the CAS credential and then map it onto a local unix
account (or some access control list for more fine-grained control).
Now, is this possible in Globus 4.0? If not, then is it feasible to
implement it through some modifications in Globus GRAM and other grid
services?

Thanking You,

Regards,

Kakoli


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Rachana Ananthakrishnan
Sent: Monday, February 18, 2008 9:09 PM
To: 'Kakoli Sen'; [email protected]
Cc: [EMAIL PROTECTED]
Subject: RE: [cas-users] Query on CAS


Hi,

> The admin
> guide recommended PostgreSQL. What is the version of PostgreSQL? Globus
> version used is 4.0.4.

It has been tested with PostgreSQL 7.4.7

> Also, I have 2 more queries:
> ## In the documentation, I came across that the GridFTP server is
> CAS-enabled. What about the job execution service WS-GRAM? Is that
> CAS-enabled? If not, then can job submission be done in Globus 4.0.4
> with CAS credentials?

No, WS-GRAM does not use CAS authorization out of the box. But you can
submit jobs with credentials that have assertions from the CAS server embedded
in them. That is, you can use the proxy from cas-proxy-init to submit to GRAM.
The code will ignore the CAS assertions and use the proxy.

> ## Can CAS work with CAS-unaware grid services? In that case, CAS
> credentials would be ignored, but the service call would not fail.

Yes, assertions from CAS which contain the rights are stored as non-critical
extensions of the credential. So there is no reason to parse it, if the
application does not understand it.

Are you looking to protect WS services distributed with GT using CAS? If you
can provide some details on what you would like to set up, I can help with
details on how the enforcement can be written. We have done some work with
GT trunk code (4.1.x) to process CAS assertions in the WS container.

Rachana

>
> Regards,
> Kakoli
>
> ________________________________________________________________________
> KAKOLI SEN                            Ph:91-80-25341909/215(Extn. 309)
> C-DAC Knowledge Park                  E-mail:
> #1, Old Madras Road                   [EMAIL PROTECTED]
> Bangalore - 560 038, INDIA            [EMAIL PROTECTED]
> ________________________________________________________________________
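
The reply above says CAS assertions travel as non-critical extensions of the credential, which is why a CAS-unaware service can skip them. The following is an added example, not code from Globus or from this thread: a minimal DER walk over a constructed extension list that applies the X.509 criticality rule. The CAS OID is a made-up placeholder and the sample bytes are constructed.

```python
CAS_OID_PLACEHOLDER = "1.3.6.1.4.1.99999.1"  # constructed placeholder, not the real CAS OID

def read_tlv(buf, pos):
    # One DER TLV at pos -> (tag, value, next_pos); handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    vals, val = [], 0
    for b in body:                      # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            vals, val = vals + [val], 0
    first = min(vals[0] // 40, 2)
    return ".".join(map(str, [first, vals[0] - 40 * first] + vals[1:]))

def parse_extensions(der):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue }
    body, out, pos = read_tlv(der, 0)[1], [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = tag == 0x01 and val != b"\x00"   # absent BOOLEAN means FALSE
        if tag == 0x01:
            val = read_tlv(ext, p)[1]
        out.append((decode_oid(oid), critical, val))
    return out

def check_extensions(exts, understood):
    # RFC 5280 rule: unknown critical -> reject; unknown non-critical -> ignore.
    unknown = [(oid, crit) for oid, crit, _ in exts if oid not in understood]
    if any(crit for _, crit in unknown):
        raise ValueError("unrecognised critical extension")
    return [oid for oid, _ in unknown]

def _tlv(tag, body):                    # builder for the constructed sample below
    return bytes([tag, len(body)]) + body

def sample_extensions(cas_critical=False):
    ku = (_tlv(0x06, bytes.fromhex("551d0f")) + _tlv(0x01, b"\xff")
          + _tlv(0x04, bytes.fromhex("03020780")))
    flag = _tlv(0x01, b"\xff") if cas_critical else b""
    cas = _tlv(0x06, bytes.fromhex("2b06010401868d1f01")) + flag + _tlv(0x04, b"<constructed assertion>")
    return _tlv(0x30, _tlv(0x30, ku) + _tlv(0x30, cas))
```

A service that understands only keyUsage (`2.5.29.15`) gets the placeholder CAS OID back in the ignored list; if the same extension were marked critical, the same service would have to reject the credential.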

