[SAGA-RG] Context attributes
Andre Merzky
andre at merzky.net
Fri Feb 20 13:13:19 CST 2009
Hi Ceriel,
Quoting [Ceriel Jacobs] (Feb 20 2009):
>
>Andre Merzky wrote:
>> Hi Ceriel,
>>
>> Quoting [Ceriel Jacobs] (Feb 06 2009):
>>> Andre Merzky wrote:
>>>
>>>> Again: saga::context instance is not supposed to allow
>>>> the user to create a credential on API level, or to
>>>> manage it, etc - it is solely supposed to _point_ to an
>>>> existing credential, and to deliver additional
>>>> information about it, if available (such as lifetime).
>>>>
>>>> So, there is no reason not to allow the implementation to
>>>> attach additional information, or state attributes, or
>>>> whatever to the context internally. In fact, the
>>>> implementation may need to do credential management - and
>>>> these actions are not expressed at API level at all.
>>>
>>> There recently was an issue with the JavaGAT
>>> implementation, see
>>> https://mail.cct.lsu.edu/mailman/private/gat-devel/2008-December/001234.html,
>>> where an application has a GSSCredential object and needs
>>> to use that object for authentication to a GRAM.
>>> Currently, there is no way in SAGA to deal with this
>>> situation. A SAGA context extends SAGA attributes, and
>>> attributes only deal with strings. So, I guess that even
>>> allowing only string-string attributes in the API can
>>> already be a problem.
>>
>> Can't the JavaSAGA implementation recreate the same
>> GSSCredential object within the adaptor?
>
> How would you do that? The application would have
> to create a SAGA context for it? Can you create a
> SAGA context from any GSSCredential and then
> create a new GSSCredential for it with exactly the
> same info?
I do not know the GGS-API intimitately, so hope my answer is
not too much off target... ;-)
AFAIK, the GSS-API has indeed means to serialize a
credential into a string, and to de-serialize it. But that
is not what I mean.
Rather, I assume the application needs some information to
create the original GSSContext instance, such as the
mech(anism) to use, the UserID, etc. IIUC, these
information can also be retrieved from any previously
instantiated credential (in case the application gets the
credential passed form another library or so).
What I would hope is that this set of information can be
passed to the saga::context, via the attribute interface,
and that the adaptor can create a GSS credential in just the
same way as the original application did.
AFAICS, the following attributes would match directly
saga context: Type - gss: desired_mechs
saga context: UserID - gss: desired_name
saga context: LifeTime - gss: lifetime_req
Everything else seems to be set GSS implementation specific,
e.g. via environment variables etc.
So, in pseudocode:
saga::context gss-to-saga (const gss_cred_id_t & gss_cred)
{
char type [256];
char name [256];
unsigned int lifetime;
gss_OID_set mechset;
gss_cred_usage_t usage;
unsigned int major;
unsigned int minor;
major = OM_uint32 gss_inquire_cred (&minor
gss_cred,
name,
&lifetime,
&usage,
&mechset);
// simply use the first mech id. Ideally, one would
// iterate over the mechs, and either return the first
// which can be used to create a context, or even retrun
// a list of contexts, one per mech type
major = gss_oid_to_str (&minor, mechset->elements, type);
saga::context c (type);
c.set_attribute ("UserID", name);
c.set_defaults ();
return c;
}
Maybe I misunderstand the reason why the implementation you
refer to wants to pass the credential to SAGA though. If,
for example, an adaptor wants to reuse a context which was
added to the GSS credential, e.g. to authenticate messages
on an IO channel, then that would not be supported by the
mechanism above. But, then again, the sharing of IO
channels between the SAGA implementation and the application
is not supported in the first place, so that does not seem
to be a valid use case either...
Best, Andre.
Andre.
--
Nothing is ever easy.
More information about the saga-rg
mailing list