Just so we can understand your use case a bit more, do all your users submit jobs from the command line? From your description, it sounds like this is the case, but I just wanted to make sure.
By the way, there is a VOMS plugin for GT 4.0: http://dev.globus.org/wiki/VOMS I'll let Rachana answer your questions about CAS. Tom On Feb 20, 2008 2:00 AM, Kakoli Sen <[EMAIL PROTECTED]> wrote: > > Currently, our grid has no VO(Virtual Organisation) support. So GRAM > job submission or file transfer through GridFTP uses only grid/proxy > credentials. > Once VO is supported in the grid, there would be some VO management > tool like VOMS/CAS which can help in role-based authorisation. Here is how > we think it would work : > The user wil be having an additional CAS/VOMS credential on top of the usual > proxy credential. And if there is job submission/file transfer done with the > CAS credential, then the corresponding grid-service(GRAM/GridFTP) should > extract and parse the CAS credential and then map it onto a local unix > account (or some access control list for more fine-grained control). > Now, is this possible in Globus 4.0? If not, then is it feasible to > implement it through some modifications in Globus GRAM and other grid > services? > > Thanking You, > > Regards, > > Kakoli > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Behalf Of Rachana Ananthakrishnan > Sent: Monday, February 18, 2008 9:09 PM > To: 'Kakoli Sen'; [email protected] > Cc: [EMAIL PROTECTED] > Subject: RE: [cas-users] Query on CAS > > > > > Hi, > > > The admin > > guide recommended PostgreSQL. What is the version of PostgreSQL? Globus > > version used is 4.0.4. > > It has been tested with PostgreSQL 7.4.7 > > > Also, I have 2 more queries: > > ## In the documentation, I came across that the GridFTP server is > > CAS-enabled. > > What about the job execution service WS-GRAM? Is that CAS-enabled? If not, > > then can job > > submission be done in Globus 4.0.4 with CAS credentials? > > No, WS-GRAM does not use CAS authorization out of the box. But you can > submit jobs with credentials that have assertions from CAS server embedded > in it. That is, you can use the proxy from cas-proxy-init to submit to GRAM. > The code will ignore the CAS assertions and use the proxy. > > > ## Can CAS work with CAS-unaware grid services? In that case, CAS > > credentials would be > > ignored, but the service call would not fail. > > Yes, assertions from CAS which contain the rights are stored as non-critical > extensions of the credential. So there is no reason to parse it, if the > application does not understand it. > > Are you looking to protect WS services distributed with GT using CAS? If you > can provide some details on what you would like to setup, I can help with > details on how the enforcement can be written. We have done some work with > GT trunk code (4.1.x) to process CAS assertions in the WS container. > > Rachana > > > > > Regards, > > Kakoli > > > > ________________________________________________________________________ > > KAKOLI SEN Ph:91-80-25341909/215(Extn. 309) > > C-DAC Knowledge Park E-mail: > > #1, Old Madras Road [EMAIL PROTECTED] > > Bangalore - 560 038, INDIA [EMAIL PROTECTED] > > ________________________________________________________________________ > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean.
