Thanks a lot... that was really helpful... So without extending GT Plug-in, I cannot use Generic Attributes for authorization.

Thanks once again
Arpit

On Thu, Sep 18, 2008 at 5:40 PM, Benjamin Henne <[EMAIL PROTECTED]> wrote:

> arpit jain wrote:
>
>> On Thu, Sep 18, 2008 at 2:59 PM, Benjamin Henne
>>
>>> I guess you currently cannot use those generic attributes with the
>>> GT VOMS-PDP. As I remember this only maps FQAN to users, but the
>>> generic attributes are not part of users' FQAN in contrast to the VO
>>> groups and roles.
>>
>> That is exactly what I want to know: whether I can make authorization
>> decisions based on these Generic Attributes.
>> Does the Globus plugin for VOMS support authorization based on these
>> attributes like it does for ROLES??
>
> If you look into the source code of the GT VOMS authorization plugin
> (tarball at http://dev.globus.org/wiki/VOMS#Source_installation), more
> precisely into the PIP source, you see that only FQAN/roles are extracted
> from the credential. Please correct me if I err. There seems to be no
> support for generic attributes at the moment. For using those one would have
> to extend the current plugin. Do not forget the current release v0.2 is from
> Feb 15, 2007.
>
> User mapping based on generic attributes would not make sense I guess, but
> one could use those attributes to extend the Access Control via
> vomsAttrAuthzFile in the way of attribute white and black lists.
> Or how would you like to use generic attributes?
>
> But, before extending this plugin one should have a look at the upcoming
> release of the VOMS SAML service and if it would be easier to use SAML
> assertions containing the VOMS information to base such authorization
> decisions on.
>
> Regards,
> Benjamin
