org.globus.exec.authz.xacml.FactoryServicePIP
org.globus.exec.authz.xacml.JobServicePIP
These PIPs are for use with WS GRAM service to collect attributes about the job submitted. The PIPs collect attributes as required in the OSG/EGEE Authorization Interoperability Profile. The PIPs add two kinds of attributes:
Action attribute: Depending on whether it is a Fork job or not, an action attribute set to execute-now or queue is added.
Resource attribute: A resource attribute set to Compute Element as defined in the profile.
The attributes are added as part of the RequestEntities and will be sent to the authorization service as part of the XACML Authorization Callout PDP.
There are two PIPs:
FactoryServicePIP: PIP to configure with the WS GRAM Factory Service (ManagedJobFactoryService)
JobServicePIP: PIP to configure with WS GRAM Job Service (ManagedJobService)
The PIPs are part of the WS-GRAM code base and depend on a WS-GRAM service code base.
This component is installed as part of the WS GRAM service; refer to the GRAM admin documentation. When using the installer, pass the -enable-gramxacml option when you run configure for this code to be installed.
The PIPs do not require any additional configuration and have to be used as part of the security descriptors of WS GRAM service, factory and job.
Both the factory and job service configurations have to be modified for the service to use the PIPs, as follows:
Factory Service Configuration: Factory security descriptor should be modified to have the following entry:
    <pips>
        <interceptor name="pip2:org.globus.exec.authz.xacml.FactoryServicePIP"/>
    </pips>

Note, other pieces for authentication, PDPs and other PIPs should be configured as needed. Typically this involves editing the file configured in $GLOBUS_LOCATION/etc/globus_wsrf_gram/server-config.wsdd as the value of the securityDescriptor parameter. Refer to the WS GRAM administrator document for details.

Job Service Configuration: The job service security descriptor should be modified to have the following entry:

    <pips>
        <interceptor name="pip2:org.globus.exec.authz.xacml.JobServicePIP"/>
    </pips>

Note, other pieces for authentication, PDPs and other PIPs should be configured as needed. The JNDI configuration of the WS GRAM service should be modified to use the security descriptor with the job service PIP. Example:

    <!-- Resource security descriptor -->
    <parameter>
        <name>resourceSecurityDescriptorFile</name>
        <value>
            etc/globus_exec_authz_xacml/job-xacml-security-config.xml
        </value>
    </parameter>
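A descriptor that omits its PIP entry means the action and resource attributes are never collected for the authorization callout. The following check is an added example, not part of the WS GRAM code base: it verifies that each descriptor lists the expected PIP and that the JNDI configuration names a resource security descriptor. The `<config>` wrapper elements and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FACTORY_PIP = "org.globus.exec.authz.xacml.FactoryServicePIP"
JOB_PIP = "org.globus.exec.authz.xacml.JobServicePIP"

def local(tag):
    """Drop any '{namespace}' prefix so namespaced descriptors also match."""
    return tag.rsplit("}", 1)[-1]

def configured_pips(descriptor_xml):
    """Class names of <interceptor> entries under <pips>, scope prefix removed."""
    names = []
    for el in ET.fromstring(descriptor_xml).iter():
        if local(el.tag) == "pips":
            names += [c.get("name", "").split(":", 1)[-1]
                      for c in el if local(c.tag) == "interceptor"]
    return names

def resource_descriptor_path(jndi_xml):
    """Value of the resourceSecurityDescriptorFile parameter, or None if absent."""
    for p in ET.fromstring(jndi_xml).iter():
        if local(p.tag) == "parameter":
            f = {local(c.tag): (c.text or "").strip() for c in p}
            if f.get("name") == "resourceSecurityDescriptorFile":
                return f.get("value") or None
    return None

def audit(factory_xml, job_xml, jndi_xml):
    """Return a list of findings; an empty list means the PIPs are wired in."""
    findings = []
    if FACTORY_PIP not in configured_pips(factory_xml):
        findings.append("factory descriptor: FactoryServicePIP not configured")
    if JOB_PIP not in configured_pips(job_xml):
        findings.append("job descriptor: JobServicePIP not configured")
    if resource_descriptor_path(jndi_xml) is None:
        findings.append("JNDI: resourceSecurityDescriptorFile not set")
    return findings

# Constructed sample input; the <config> wrapper elements are placeholders.
FACTORY = '<config><pips><interceptor name="pip2:org.globus.exec.authz.xacml.FactoryServicePIP"/></pips></config>'
# Constructed failure case: the job PIP is commented out, so it is not loaded.
JOB_BAD = '<config><pips><!-- <interceptor name="pip2:org.globus.exec.authz.xacml.JobServicePIP"/> --></pips></config>'
JNDI = ('<config><parameter><name>resourceSecurityDescriptorFile</name><value> '
        'etc/globus_exec_authz_xacml/job-xacml-security-config.xml </value></parameter></config>')

if __name__ == "__main__":
    for finding in audit(FACTORY, JOB_BAD, JNDI):
        print(finding)
```
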
Sample descriptors:
These PIPs collect the attributes described in the following tables:
Table 7.1. Attribute I
| Description of attribute | Type of scheduler used for the job; distinguishes between a fork job and any other backend scheduler. It is either org.globus.exec.authz.xacml.ACTION_EXECUTE_NOW for Fork jobs or org.globus.exec.authz.xacml.ACTION_QUEUE for all other jobs. |
| Identity attribute | False |
| Attribute ID | org.globus.wsrf.impl.security.authorization.XACMLConstants.ACTION_ID |
| Datatype | org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE |
| Issuer | Container Issuer Entity |
| Validity from | Current time |
| Validity to | Infinity |
Table 7.2. Attribute II
| Description of attribute | Resource attribute always set to compute element. |
| Identity attribute | No |
| Attribute ID | org.globus.wsrf.impl.security.authorization.XACMLConstants.RESOURCE_ID |
| Datatype | org.globus.wsrf.impl.security.authorization.XACMLConstants.STRING_DATATYPE |
| Issuer | Container Issuer Entity |
| Validity from | Current time |
| Validity to | Infinity |
This PIP can be used in tandem with the XACML Authorization Callout PDP to obtain an authorization decision about the service access from an XACML Authorization Callout.