[Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ
Moreno Marzolla
moreno.marzolla at pd.infn.it
Fri Mar 20 09:55:41 CDT 2009
m.riedel at fz-juelich.de wrote:
> Hi,
>
>> - This is the problem you mentioned which we experienced during the
>> OMII-EU project: BES clients were not executing the delegation
>> operation, so the service did not have any delegated credentials to use.
>> We then implemented a horrible workaround in CREAM which was fine for
>> demonstration purposes, but unfortunately can not be applied for any
>> real use.
>
>
> ok, that's interesting - if you don't extract the proxy obviously then from TLS level during AuthN steps - why is there still a proxy support needed on the TLS level then?!
I answer your question according to the understanding I just gained from
our security experts, so bear with me :-)
The gLite middleware relies on VOMS extensions to associate roles to
users according to the VO they belong to. If you use plain X509
certificates, of course you don't have any VO information there, so it
is not possible for services to assign roles to the bearer of those
certificates.
Suppose you want to submit a job to CREAM, and the job needs to stage
external data to/from a service which DOES require VO extensions in
order to perform authorization decisions. In this situation you need at
least to delegate to CREAM a certificate with VOMS extensions (the
delegated certificate will be used by CREAM to access external resources
on behalf of the user).
Of course, if you have an X509 certificate signed by a "conventional"
certification authority, you cannot stick VOMS extensions inside it. For
this reason, when gLite users want to interact with CREAM directly,
they first create a VOMS proxy certificate via the voms-proxy-init
command. Thus, using a proxy to interact with CREAM is only needed to
have VOMS extensions inside the credential used to interact with the
service.
If your job does not require access to any external service, OR if that
external service does not rely on VOMS extensions, then you are
perfectly fine using plain X509 certificates only.
Moreno.
--
Moreno Marzolla
INFN Sezione di Padova, via Marzolo 8, 35131 PADOVA, Italy
EMail: moreno.marzolla at pd.infn.it Phone: +39 049 8277103
WWW : http://www.dsi.unive.it/~marzolla Fax : +39 049 8756233
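To make the distinction above concrete, here is an added Python example (not gLite, CREAM or VOMS code) that builds a constructed CA / user / proxy chain with the `cryptography` library and shows the service-side check that assigns a VO role only when the credential carries the VOMS attribute-certificate extension. The extension payload is a placeholder string rather than a real DER-encoded VOMS attribute certificate, and `assign_role` is a hypothetical mapping function.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

VOMS_AC_OID = x509.ObjectIdentifier("1.3.6.1.4.1.8005.100.100.5")  # VOMS AC extension
# Constructed placeholder standing in for a real DER-encoded VOMS AC (demo only).
DEMO_AC_PAYLOAD = b"/demo.vo/Role=pilot"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject_cn, issuer_name, issuer_key, subject_key, ext=None):
    # Sign a short-lived certificate for subject_cn with issuer_key.
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject_cn)).issuer_name(issuer_name)
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(hours=12)))
    if ext is not None:
        builder = builder.add_extension(ext, critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def build_chain(with_voms):
    """Demo chain: CA -> user EE cert -> (optionally) a proxy carrying the VOMS extension."""
    ca_key, user_key, proxy_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _issue("Demo CA", _name("Demo CA"), ca_key, ca_key)
    user = _issue("Demo User", ca.subject, ca_key, user_key)
    chain = [user, ca]
    if with_voms:
        # Proxy signed by the user's own key (as voms-proxy-init does); VO data lives only here.
        ac = x509.UnrecognizedExtension(VOMS_AC_OID, DEMO_AC_PAYLOAD)
        chain.insert(0, _issue("Demo User proxy", user.subject, user_key, proxy_key, ext=ac))
    return chain


def voms_payload(chain):
    # Return the VOMS extension bytes found anywhere in the chain, or None.
    for cert in chain:
        try:
            return cert.extensions.get_extension_for_oid(VOMS_AC_OID).value.value
        except x509.ExtensionNotFound:
            continue
    return None


def assign_role(chain):
    """Service-side decision: without VOMS attributes no VO role can be assigned."""
    payload = voms_payload(chain)
    return None if payload is None else payload.decode()
```

A plain user certificate plus its CA yields no role, while the same identity presented through a VOMS-style proxy does; a real service would additionally verify the proxy chain and the AC signature.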