Grid Authorization Profile PIP

Warning

This is the default profile supported starting from Argus 1.2.

This PIP allows the PEP client to send only the end-user certificate or proxy, as the lone Subject key-info attribute. The PIP then parses the certificate, extracts all the information required by the gLite Grid XACML Authorization Profiles, and populates the request with the attributes found in the certificate/proxy.

This PIP implements the XACML Grid Worker Node Authorization Profile (v.1.0) and the XACML Grid Computing Element Authorization Profile (v.1.0) specifications.

Configuration

  1. Create a new INI section for your PIP (you may choose any valid INI section name, e.g. GLITEXACMLPROFILE_PIP).
  2. In the PIP INI section, add the parserClass property with the value org.glite.authz.pep.pip.provider.GLiteAuthorizationProfilePIPIniConfigurationParser.
  3. To enable VOMS attribute certificate support add the vomsInfoDir property with a value corresponding to the absolute path of the VOMS vomsdir, traditionally /etc/grid-security/vomsdir.
  4. If, in the SECURITY section, the trustInfoDir property is not already set, add it with a value of the absolute filesystem path of your IGTF trust bundle.
  5. Configure which profile IDs are to be accepted.

PIP Configuration Properties

Property             Description                                                                          Required?  Default Value
acceptedProfileIDs   The space-separated list of accepted authorization profile IDs.                      No         None
vomsInfoDir          The absolute path to the VOMS vomsdir directory.                                     Yes        None
vomsInfoRefresh      The refresh interval, in minutes, of the vomsInfoDir directory.                      No         60
requireCertificate   The request Subject attribute key-info MUST be present in the incoming request.      No         true
requireProxy         The request Subject attribute key-info MUST be a proxy (PEM encoded proxy chain).    No         false

Note

If acceptedProfileIDs is not defined, then every profile ID presented in the request environment profile-id attribute is accepted.

Required Request Attributes

This PIP requires that the request environment contains a profile-id attribute with the profile identifier, and that the request subject contains the certificate, and its chain, that were used to authenticate to the service, in the key-info attribute:

Populated Effective Request Attributes

The PIP will process the request subject key-info attribute and populate the following attributes:

If VOMS support is enabled and a VOMS certificate is included within a user’s proxy certificate, the following attributes will be populated within the request:

Example Configuration

The following example shows a PEP Server configuration with the Grid authorization profile PIP enabled, and accepting both the http://glite.org/xacml/profile/grid-ce/1.0 and the http://glite.org/xacml/profile/grid-wn/1.0 XACML Grid authorization profiles.

[SERVICE]
entityId = https://example.org/pep
hostname = example.org
pips = GLITEXACMLPROFILE_PIP

[PDP]
pdps = http://localhost:8152/authz

[SECURITY]
trustInfoDir = /etc/grid-security/certificates

[GLITEXACMLPROFILE_PIP]
parserClass = org.glite.authz.pep.pip.provider.GLiteAuthorizationProfilePIPIniConfigurationParser
vomsInfoDir = /etc/grid-security/vomsdir
acceptedProfileIDs = http://glite.org/xacml/profile/grid-ce/1.0 http://glite.org/xacml/profile/grid-wn/1.0
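The following added example (not part of Argus or its documentation) checks a PEP Server INI file against the configuration steps and property table above, and models the acceptedProfileIDs rule: unset means every profile-id is accepted, otherwise the request's profile-id must appear in the space-separated list. The sample INI is constructed from the example configuration above (PDP section omitted), and the function names are assumptions.

```python
import configparser

# Constructed sample PEP Server configuration, based on the example above
# (not a file shipped with Argus).
SAMPLE_INI = """
[SERVICE]
entityId = https://example.org/pep
hostname = example.org
pips = GLITEXACMLPROFILE_PIP

[SECURITY]
trustInfoDir = /etc/grid-security/certificates

[GLITEXACMLPROFILE_PIP]
parserClass = org.glite.authz.pep.pip.provider.GLiteAuthorizationProfilePIPIniConfigurationParser
vomsInfoDir = /etc/grid-security/vomsdir
acceptedProfileIDs = http://glite.org/xacml/profile/grid-ce/1.0 http://glite.org/xacml/profile/grid-wn/1.0
"""

PARSER_CLASS = "org.glite.authz.pep.pip.provider.GLiteAuthorizationProfilePIPIniConfigurationParser"


def check_pip_config(ini_text):
    """Return the list of problems found against the configuration steps (empty list = OK)."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ini_text)
    problems = []
    if not cfg.has_option("SECURITY", "trustInfoDir"):   # step 4
        problems.append("SECURITY.trustInfoDir is not set")
    for name in cfg.get("SERVICE", "pips", fallback="").split():
        if not cfg.has_section(name):                    # step 1
            problems.append(f"pips references missing section {name}")
            continue
        if cfg.get(name, "parserClass", fallback=None) != PARSER_CLASS:  # step 2
            problems.append(f"{name}.parserClass is not the Grid authorization profile parser")
        if not cfg.has_option(name, "vomsInfoDir"):      # step 3 / required property
            problems.append(f"{name}.vomsInfoDir is missing")
    return problems


def profile_accepted(profile_id, accepted_profile_ids=None):
    """Apply the acceptedProfileIDs rule to the request environment profile-id:
    an unset (None or empty) list accepts everything, otherwise exact membership."""
    if accepted_profile_ids is None or not accepted_profile_ids.strip():
        return True
    return profile_id in accepted_profile_ids.split()
```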