XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini
XACML extensions (1)
• We need requests to refer to more than one resource.
  • Otherwise the WMS would incur unacceptable delays (one PDP round trip per candidate resource).
  • But a XACML Request may refer to just one resource.
• Solution:
  • Specify multiple resources in the <Resource> tag, using ‘#’ as the separator.
  • If an attribute should take different values for the different resources, separate those values with ‘#’ as well (so ‘#’ must not occur in a legitimate resource name or attribute value).
• Advantages:
  • The normal syntax is still allowed, so the PDP remains standard compliant.
• Disadvantages:
  • Requires a bit of extra code in the PDP.
XACML extensions (2)
• Our policies are parameterised, with parameter values coming from external sources.
  • The PDP needs to be told which attributes are such parameters.
• Solution:
  • Mark the external parameters with the AttributeId “it:infn:pbox:external:<parameter name>:<parameter source>”.
  • Example: it:infn:pbox:external:grid-se-available:griditse01.cnaf.infn.it
• Advantages:
  • The PDP knows exactly which parameters it must look up.
  • Fully standard policies are still supported.
  • The policies can be received by another (unextended) PDP without causing errors: it simply would not find the parameter needed, so the rule would not apply.
• Disadvantages:
  • Extra code in the PDP.
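As an added illustration (not code from G-PBox), the Python below shows what the "bit of extra code in the PDP" amounts to: recognising the it:infn:pbox:external:<parameter name>:<parameter source> AttributeId, listing the parameters the PDP must fetch before it can apply a policy, resolving them from the named source, and letting a rule fall through when the value is not available. The rule layout (first-applicable), the VOMS-group AttributeId it:infn:pbox:voms:group, the lookup table standing in for the real external source and all function names are assumptions made for this demo.

```python
"""Added example (not G-PBox code): PDP-side handling of the
it:infn:pbox:external:<parameter name>:<parameter source> convention.
Policy layout, lookup table, group AttributeId and names are assumptions."""

EXTERNAL_PREFIX = "it:infn:pbox:external:"
GROUP_ID = "it:infn:pbox:voms:group"   # assumed AttributeId carrying the VOMS group


def parse_external_attribute_id(attribute_id):
    """Return (parameter name, parameter source) for an external AttributeId,
    or None for an ordinary (standard XACML) AttributeId."""
    if not attribute_id.startswith(EXTERNAL_PREFIX):
        return None
    # Assumption: the name contains no ':'; everything after the first ':' is the source.
    name, sep, source = attribute_id[len(EXTERNAL_PREFIX):].partition(":")
    if not (sep and name and source):
        raise ValueError("malformed external AttributeId: %r" % attribute_id)
    return name, source


def external_parameters_in_policy(policy):
    """Everything the PDP must fetch from outside before it can apply `policy`."""
    found = set()
    for rule in policy["rules"]:
        for attribute_id, _expected in rule["conditions"]:
            ext = parse_external_attribute_id(attribute_id)
            if ext is not None:
                found.add(ext)
    return found


def resolve(attribute_id, request_attributes, external_sources):
    """Value of one attribute: from the Request for standard ids, from the
    named source for external ids.  None means 'not available'."""
    ext = parse_external_attribute_id(attribute_id)
    if ext is None:
        return request_attributes.get(attribute_id)
    name, source = ext
    return external_sources.get(source, {}).get(name)


def evaluate_policy(policy, request_attributes, external_sources):
    """First-applicable combining: rules are tried in order and the first whose
    conditions all hold decides.  A rule whose external parameter cannot be
    fetched simply does not apply, which is also what happens on a PDP that
    lacks this extension and therefore never fills the parameter in."""
    for rule in policy["rules"]:
        applicable = True
        for attribute_id, expected in rule["conditions"]:
            if resolve(attribute_id, request_attributes, external_sources) != expected:
                applicable = False
                break
        if applicable:
            return rule["effect"]
    return "NotApplicable"


# Constructed sample data: permit /atlas users only while the SE reported by
# griditse01.cnaf.infn.it is available; otherwise deny them.
POLICY = {
    "id": "atlas-se-aware",
    "rules": [
        {"id": "permit-if-se-up", "effect": "Permit", "conditions": [
            (GROUP_ID, "/atlas"),
            ("it:infn:pbox:external:grid-se-available:griditse01.cnaf.infn.it", "true"),
        ]},
        {"id": "deny-otherwise", "effect": "Deny", "conditions": [(GROUP_ID, "/atlas")]},
    ],
}
REQUEST = {GROUP_ID: "/atlas"}
# What the PBox PDP learnt from its external sources (a monitoring feed in practice).
EXTERNAL_SOURCES = {"griditse01.cnaf.infn.it": {"grid-se-available": "true"}}

if __name__ == "__main__":
    print(sorted(external_parameters_in_policy(POLICY)))
    print(evaluate_policy(POLICY, REQUEST, EXTERNAL_SOURCES))
    print(evaluate_policy(POLICY, REQUEST, {}))   # no external data: the deny rule decides
```

Note the design choice in the sample policy: because a rule with an unavailable external parameter silently does not apply, a policy that wants fail-closed behaviour needs an ordinary (non-external) rule after it, as the "deny-otherwise" rule here; without it the result would be NotApplicable and the outcome would depend on the PEP.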
G-PBox update
• First version in the EGEE CVS (org.glite.gpbox.*).
• An update will be committed soon.
• RB-PEP and CE-PEP development has started.
• VOMS integration.
G-PBox VOMS Integration
• A user can express policies using the admin interface.
• The admin interface shows the VO name, groups and resources.
• VO name and VO groups are retrieved from a VOMS server by G-PBox via GSI.
• Only certified PBox servers, i.e. those that authenticate to VOMS with a trusted GSI credential, can query it.
RB Integration
[Diagram: the WMS passes its attributes and its list of resources to a Convert step, which produces XACML requests for the PBox; the PBox's XACML response goes through a Convert-and-filter step that yields the list of resources after policy enforcement.]
• All the responses must be converted into a format the WMS can read.
• The policy-enforcing process is the merging of the WMS resource list with the set of PBox responses.
CE Integration
• Really primitive:
  • Just an LCAS/LCMAPS plugin that delegates the choice of the user mapping account to G-PBox.
  • Still, it has its uses! (no *mapfile whatsoever)
• We plan on better integration with the new CEs, and are in contact with the CREAM developers to do this.
Policies supported
• Policy requests regarding multiple resources!
• No updates, really:
  • ACLs
  • Static policies
  • Priority policies
G-PBox Priority use case (1)
VOMS and G-PBox (for job submission policies)
[Diagram: the VOMS server holds Groups A, B and C; the RB asks the PBox, which holds the policies, which CE queue (CEHIGH or CELOW) each group may use.]
• Group A: high priority CEs (CEHIGH)
• Group B: low priority CEs (CELOW)
• Group C: deny everywhere
G-PBox Priority Use Case (2)
• Sources of the requirement: ATLAS and CMS.
• This is ready and will be tested on a dedicated testbed starting next week.
• Reasons for this implementation:
  • A CE is a QUEUE => the choice of the queue, and hence of the priority, must be delegated to the RB.
  • A Priority element is already present in the Glue Schema => it only needs to be filled in.
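The following Python is an added example, not WMS, RB-PEP or G-PBox code, tying together three slides: the ‘#’-joined multi-resource Request from "XACML extensions (1)", its PDP-side split back into standard single-resource Requests, and the RB-side merge of the decisions with the WMS resource list from "RB Integration", driven by a constructed version of the priority use case (group A may use CEHIGH, group B CELOW, group C nothing). The VOMS-group AttributeId it:infn:pbox:voms:group, the reading of the group-to-queue policy, the per-resource attribute name and the fail-closed merge rule are assumptions made for this demo.

```python
"""Added example (not WMS/RB-PEP/G-PBox code): PEP builds a '#'-joined Request,
PDP splits it, evaluates the (constructed) priority policy, PEP merges the
decisions with the WMS resource list.  Group AttributeId, policy table and
fail-closed merge are assumptions."""
import copy
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:1.0:context"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
GROUP_ID = "it:infn:pbox:voms:group"   # assumed AttributeId carrying the VOMS group
SEP = "#"
ET.register_namespace("", XACML_CTX)

# Assumed reading of the priority use case: which CE queue each VOMS group may use.
PRIORITY_POLICY = {"/atlas/GroupA": {"CEHIGH"}, "/atlas/GroupB": {"CELOW"}, "/atlas/GroupC": set()}


def q(tag):
    return "{%s}%s" % (XACML_CTX, tag)


def _attribute(attribute_id, values):
    """One <Attribute>; several values are joined with SEP (the extension),
    a single value gives the normal, standard-compliant syntax."""
    if any(SEP in v for v in values):
        raise ValueError("attribute values must not contain %r" % SEP)
    attr = ET.Element(q("Attribute"), AttributeId=attribute_id, DataType=XS_STRING)
    ET.SubElement(attr, q("AttributeValue")).text = SEP.join(values)
    return attr


def build_request(group, resources, per_resource=None):
    """PEP side (the 'Convert' box): one Request for the whole WMS resource list.
    per_resource maps an AttributeId to a list with one value per resource."""
    req = ET.Element(q("Request"))
    ET.SubElement(req, q("Subject")).append(_attribute(GROUP_ID, [group]))
    res = ET.SubElement(req, q("Resource"))
    res.append(_attribute(RESOURCE_ID, resources))
    for attribute_id, values in (per_resource or {}).items():
        if len(values) != len(resources):
            raise ValueError("%s: %d values for %d resources" % (attribute_id, len(values), len(resources)))
        res.append(_attribute(attribute_id, values))
    ET.SubElement(req, q("Action"))
    return ET.tostring(req, encoding="unicode")


def _value(root, section, attribute_id):
    for attr in root.find(q(section)).findall(q("Attribute")):
        if attr.get("AttributeId") == attribute_id:
            return attr.find(q("AttributeValue")).text
    return None


def resource_attribute(request_xml, attribute_id):
    return _value(ET.fromstring(request_xml), "Resource", attribute_id)


def split_request(request_xml):
    """PDP side: expand a SEP-joined Request into standard single-resource
    Requests.  Normal syntax (no SEP in resource-id) passes through untouched."""
    root = ET.fromstring(request_xml)
    resources = _value(root, "Resource", RESOURCE_ID).split(SEP)
    if len(resources) == 1:
        return [request_xml]
    out = []
    for i in range(len(resources)):
        clone = copy.deepcopy(root)
        for attr in clone.find(q("Resource")).findall(q("Attribute")):
            node = attr.find(q("AttributeValue"))
            parts = node.text.split(SEP)
            if len(parts) == len(resources):
                node.text = parts[i]      # per-resource value: keep the i-th
            elif len(parts) != 1:         # a single shared value stays as it is
                raise ValueError("%s: %d values for %d resources"
                                 % (attr.get("AttributeId"), len(parts), len(resources)))
        out.append(ET.tostring(clone, encoding="unicode"))
    return out


def evaluate(single_request_xml, policy=PRIORITY_POLICY):
    """PDP side: decision for one standard Request under the priority policy."""
    root = ET.fromstring(single_request_xml)
    group = _value(root, "Subject", GROUP_ID)
    if group not in policy:
        return "NotApplicable"
    return "Permit" if _value(root, "Resource", RESOURCE_ID) in policy[group] else "Deny"


def enforce(group, resources, per_resource=None, policy=PRIORITY_POLICY):
    """Whole round trip.  The merge keeps only resources the PDP explicitly
    permitted; Deny, NotApplicable and anything else drop out (fail closed)."""
    decisions = {resource_attribute(r, RESOURCE_ID): evaluate(r, policy)
                 for r in split_request(build_request(group, resources, per_resource))}
    return [r for r in resources if decisions.get(r) == "Permit"]


if __name__ == "__main__":
    for g in ("/atlas/GroupA", "/atlas/GroupB", "/atlas/GroupC"):
        print(g, enforce(g, ["CEHIGH", "CELOW"]))
```

Two points worth keeping from this sketch: the PEP refuses to build a Request whose values already contain the separator, since the PDP could otherwise not tell a joined value from a literal one; and the merge treats anything other than an explicit Permit as a removal from the list, so a policy that another PDP cannot apply (NotApplicable) narrows the resource list rather than widening it.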
Further development
• Integration with accounting and monitoring, as planned, to implement dynamic policies.
• Software consolidation for the EGEE deadline (15/10/05).