Globus Authorization Callouts (Pre-Web Services)

Note: This information is compatible with the pre-Web Services Security in Globus Toolkit version 3.2 and higher.

• Overview
• Developer Documentation
• Downloads
• Building Example Packages

Overview

The Globus Toolkit version 3.2 introduces the ability to customize gridmap lookup (currently available in the Gatekeeper and GridFTP servers) as well as a mechanism for doing fine-grained authorization in the GRAM Jobmanager. Both of these features were built upon a new callout library based on runtime library loading. For information specific to these callouts take a look at the following two sections:

Gridmap Callout

The updated code contains a replacement for the gridmap lookup function used in previous versions of the Globus Toolkit. The replacement function looks for the callout configuration file and checks whether any mapping or authorization callouts are defined. If any callouts are defined, the function proceeds to call the defined callouts. If no mapping callout is defined or if no configuration file was found the function behaves like the gridmap lookup function it replaces (i.e. it does the normal Globus gridmap lookup).
A paper describing a system using these callouts for integration with a site authorization system can be found here

GRAM callout

The GRAM callout was implemented by placing explicit calls to the callout API in the GRAM Jobmanager code. These calls were placed at any of the entry points to Jobmanager functionality. Similar to the gridmap callout, these calls look for the callout configuration file, check whether any GRAM callouts are defined and then call any callouts that were found. Should no callouts be defined then the Jobmanager code will behave just like in previous releases of the toolkit (no authorization in the Jobmanager itself).

Developer Documentation

This section provides documentation resources for authorization callout developers.

API & Code Documentation

• Globus Callout Module Documentation
  Informational only, a callout developer should not have to use this API
• Globus GRAM Callout Errors
  This defines the Globus errors that when returned from a callout are propagated to the user. This package also provides a few macros which can be used for error generation (not documented in the above, see the example callout for usage examples)
• Example Globus GRAM Authorization Callout
  Please take a look at the actual code for more information
• Example Globus GRAM Authorization Setup Package
  Please take a look at the actual setup package for details
• Globus Gridmap Callout Errors
  This defines the Globus errors that are used by the example gridmap callout. This package also provides a few macros which can be used for error generation (not documented in the above, see the example callout for usage examples)
• Example Globus Gridmap Callout
  Please take a look at the actual code (globus_gridmap_callout.c) for more information
• Example Globus Gridmap Callout Setup Package
  Please take a look at the actual setup package for details

Writing your own callout package

These instructions are not meant to be comprehensive and will improve as questions come up.

Follow the directions on the CVS page for building the GNU tools (ie follow steps 1-5) used for bootstrapping Globus packages. Now that you have the right tools, you can modify the example callout package to suit your needs by inserting your source and changing the Makefile.am, configure.in, pkgdata/pkg_data_src.gpt.in files.

Once you have made your modifications, run the bootstrap script to regenerate build related files. Once you have regenerated the build environment, you can build the package using "./configure --with-flavor=" followed by "make" or "make install". If everything seems to be working to satisfaction, you can generate a source package by running "make dist".

Deployment Information

The current version of the code checks the following locations (in order) for the callout configurations file:

• $GSI_AUTHZ_CONF
• /etc/grid-security/gsi-authz.conf
• $GLOBUS_LOCATION/etc/gsi-authz.conf
• $HOME/.gsi-authz.conf

The code defines the following abstract callout types:

• Gridmap Callout Types:
• globus_mapping Indicates a callout as described in section 4 of the Authorization Callout Specification
• globus_authorization Indicates a callout as described in section 5 of the Authorization Callout Specification
• GRAM Callout Type:
• globus_gram_jobmanager_authz

These are the abstract types to be used in the callout configuration file. The abstract type indicates a callback that takes certain arguments and provides certain functionality. You may define several callbacks of the same abstract type.

Downloads

• GRAM Authorization Callout Example Package
  Example callout implementation
• GRAM Authorization Callout Setup Example Package
  Setup package for the above example callout
• Gridmap Authorization Callout Example Package
  Example callout implementation
• Gridmap Authorization Callout Setup Example Package
  Setup package for the above example callout

Building Example Packages

To build and install the example packages you should do the following:

• Install the Globus Toolkit version 3.2 or later
• Make sure $GLOBUS_LOCATION and $GPT_LOCATION are set correctly
• Run "${GPT_LOCATION}/sbin/gpt-build <example callout package> <flavor>", where "<flavor>" is the flavor you used to install the toolkit
• Run "${GPT_LOCATION}/sbin/gpt-build <example callout setup package> <flavor>"
• Run "${GPT_LOCATION}/sbin/gpt-postinstall" and follow the instructions printed by the setup package