Appendix J. Plug-in policy decision points (PDPs) for OGSA-DAI GT authorization

J.1. Differences between GT4.0 and GT4.2 PDP implementations
J.2. Resource authorizer PDP
J.3. Regular expression-based DN authorizer PDP

OGSA-DAI provides the following policy decision points (PDPs) that can be used within a Globus Toolkit authorization chain.

  • Resource Authorizer PDP: authorizes whether a user, identified by a distinguished name (DN), can access a set of resources. The actual authorization decision is made by a plug-in resource authorizer.
  • Regular expression-based DN Authorizer PDP: authorizes whether a user, identified by a distinguished name, can access the OGSA-DAI server, based upon whether the distinguished name matches a regular expression.

J.1. Differences between GT4.0 and GT4.2 PDP implementations

Unlike GT 4.0 PDPs, GT 4.2 PDPs implement the interface:

org.globus.security.authorization.PDPInterceptor

For further information please see Globus documentation for this interface.

OGSA-DAI GT 4.0 and GT 4.2 PDPs both support a method, isPermitted, but the GT 4.2 version returns a Decision object. In addition, the GT 4.2 PDPs support the methods canAccess and canAdminister, which also return a Decision object. The GT 4.2 Decision allows for more complex authorization scenarios. The default operation should be to use the canAccess method.

GT 4.2 methods that return a Decision object require GT 4.2-compliant PIPs that populate a RequestEntities object.

Note
GT 4.2 PDPs cannot run in GT 4.0 and vice versa. While the behaviour is the same, the interfaces and implementations differ.

J.2. Resource authorizer PDP

The Resource Authorizer PDP authorizes whether a user, identified by a distinguished name, can access a set of resources. The actual authorization decision is made by a plug-in resource authorizer which is assumed to be in the OGSA-DAI context.

  • Class: uk.org.ogsadai.service.gt.security.authorization.ResourceAuthorizerPDP
  • Inputs:
    • DN: the caller's DN is extracted from the following property held in the Axis MessageContext.
      • Property name: uk.org.ogsadai.authz.DN
      • Property value: String containing the DN.
    • ResourceSet: the set of resources to be authorized is extracted from a property held in the Axis MessageContext.
      • Property name: uk.org.ogsadai.authz.ResourceIDs
      • Property value: java.util.Set containing uk.org.ogsadai.resource.ResourceID objects.
  • Parameters:
    • ResourceAuthorizerKey: optional parameter used to specify the key used to obtain a resource authorizer from the OGSA-DAI context. If unspecified, the default key of uk.org.ogsadai.resource.authorizer is used. This key must give access to an object that implements the uk.org.ogsadai.authorization.ResourceAuthorizer interface.
    • AuthorizeUnknownResources: optional parameter used to specify whether the resource authorizer should authorize access to resources it does not know about. The default value is false. Set this parameter value to true if access to unknown resources is to be allowed.

The PDP obtains the resource authorizer from the OGSA-DAI context and makes calls to the object for each resource ID in the resource list. If the resource authorizer authorizes the caller to access each resource in the list then the authorization request passes. If the resource authorizer fails to authorize the caller to access one or more of the resources in the resource set then the authorization request fails.

If the PDP is unable to obtain the caller's DN or the resource set from the MessageContext the authorization request will fail. If the PDP is unable to obtain a resource authorizer from the OGSA-DAI context all authorization requests will fail.

OGSA-DAI provides a basic implementation of the uk.org.ogsadai.authorization.ResourceAuthorizer interface that can be used with this PDP. This implementation class is uk.org.ogsadai.authorization.SimpleResourceAuthorizer.
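The decision rules above (fail closed when the DN, the resource set or the authorizer is missing; any refused resource fails the whole request; AuthorizeUnknownResources widening that rule) as a runnable model. This is an added example, not OGSA-DAI's ResourceAuthorizerPDP or SimpleResourceAuthorizer: the MessageContext is modelled as a dict keyed by the property names the page gives, the authorizer is a constructed ACL table, and the unknown-resource handling is placed in the PDP for illustration.

```python
from typing import Dict, Optional, Set

# MessageContext property names given on the page.
DN_PROPERTY = "uk.org.ogsadai.authz.DN"
RESOURCE_IDS_PROPERTY = "uk.org.ogsadai.authz.ResourceIDs"

# Constructed sample DNs and ACL (resource ID -> DNs allowed to access it).
ALICE = "/C=UK/O=eScience/OU=EPCC/CN=alice"
BOB = "/C=UK/O=eScience/OU=EPCC/CN=bob"
SAMPLE_ACL: Dict[str, Set[str]] = {
    "res-a": {ALICE},
    "res-b": {ALICE, BOB},
}


class TableResourceAuthorizer:
    """Stand-in for a ResourceAuthorizer plug-in backed by a static table."""

    def __init__(self, acl: Dict[str, Set[str]]):
        self.acl = acl

    def knows(self, resource_id: str) -> bool:
        return resource_id in self.acl

    def authorizes(self, dn: str, resource_id: str) -> bool:
        return dn in self.acl.get(resource_id, set())


def resource_authorizer_pdp(message_context: dict,
                            authorizer: Optional[TableResourceAuthorizer],
                            authorize_unknown_resources: bool = False) -> bool:
    """Return True if the caller may access every resource in the set."""
    if authorizer is None:
        return False  # no authorizer in the context: every request fails
    dn = message_context.get(DN_PROPERTY)
    resources = message_context.get(RESOURCE_IDS_PROPERTY)
    if not isinstance(dn, str) or not isinstance(resources, (set, frozenset)):
        return False  # DN or resource set missing: fail closed
    for resource_id in resources:
        if not authorizer.knows(resource_id):
            if authorize_unknown_resources:
                continue  # AuthorizeUnknownResources=true: tolerate unknown IDs
            return False  # default (false): an unknown resource denies the request
        if not authorizer.authorizes(dn, resource_id):
            return False  # one refused resource fails the whole request
    return True  # every resource authorized (vacuously true for an empty set)
```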

J.3. Regular expression-based DN authorizer PDP

The regular expression-based DN Authorizer PDP authorizes whether a user, identified by a distinguished name, can access the OGSA-DAI server, based upon whether the distinguished name matches a regular expression.

  • Class: uk.org.ogsadai.service.gt.security.authorization.RegexpDNAuthorizerPDP
  • Inputs:
    • DN: the caller's DN is extracted from the following property held in the Axis MessageContext.
      • Property name: uk.org.ogsadai.authz.DN
      • Property value: String containing the DN.
    • ResourceSet: the set of resources to be authorized is extracted from a property held in the Axis MessageContext.
      • Property name: uk.org.ogsadai.authz.ResourceIDs
      • Property value: java.util.Set containing uk.org.ogsadai.resource.ResourceID objects.
  • Parameters:
    • RegexpDNKey: optional parameter used to specify the regular expression. If unspecified, the default regular expression .* (equivalent to any DN) is used. The parameter value must compile into a valid regular expression.

If the PDP is unable to obtain the caller's DN from the MessageContext the authorization request will fail.
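A runnable model of the regular expression-based DN check: the RegexpDNKey value must compile, an unset value falls back to the page's default .*, and a missing DN fails. This is an added example, not OGSA-DAI's RegexpDNAuthorizerPDP; it assumes the whole DN must match the expression (whole_dn=True) and also shows substring matching for contrast, so an operator can see why the pattern should cover the full DN rather than a fragment such as a CN.

```python
import re
from typing import Optional

DN_PROPERTY = "uk.org.ogsadai.authz.DN"  # property name given on the page
DEFAULT_REGEXP = ".*"                     # page's default: any DN is accepted


def regexp_dn_key_is_valid(value: Optional[str]) -> bool:
    """True if the RegexpDNKey parameter value compiles (None means default)."""
    try:
        compile_regexp_dn_key(value)
        return True
    except re.error:
        return False


def compile_regexp_dn_key(value: Optional[str]) -> "re.Pattern[str]":
    """Compile the RegexpDNKey parameter, falling back to the default."""
    pattern = DEFAULT_REGEXP if value is None else value
    return re.compile(pattern)  # raises re.error for an invalid parameter value


def regexp_dn_authorizer_pdp(message_context: dict,
                             regexp: "re.Pattern[str]",
                             whole_dn: bool = True) -> bool:
    """Return True if the caller's DN is accepted by the regular expression."""
    dn = message_context.get(DN_PROPERTY)
    if not isinstance(dn, str):
        return False  # DN not obtainable from the MessageContext: fail
    if whole_dn:
        # Assumed semantics: the entire DN must match the expression.
        return regexp.fullmatch(dn) is not None
    # Substring semantics, shown only for contrast: "CN=alice" would accept
    # any DN containing that fragment, not just the intended certificate.
    return regexp.search(dn) is not None
```

Constructed DNs are used in the checks; the pattern `/C=UK/O=eScience/OU=EPCC/CN=[^/]+` accepts exactly one trailing CN component, so a DN with additional components after the CN is rejected.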