Bug 6542 - Modify Delegation Service/Resource authorization to be configurable
: Modify Delegation Service/Resource authorization to be configurable
Status: NEW
: Delegation Service
Campaign
: 4.2.1
: PC Windows XP
: P3 normal
: ---
Assigned To:
:
: OSG/EGEE_Authz_Interop
:
:
  Show dependency treegraph
 
Reported: 2008-11-14 09:12 by
Modified: 2008-11-14 09:50 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2008-11-14 09:12:03
Definition: Modify Delegation Service and resource to provide configurable
authorization and remove dependency on GridMap authorization. Test against an
external authorization service, GUMS. Details on current infrastructure and
requirements are described here:
http://docs.google.com/Doc?id=dfkt44p2_5djmh6dgs

1. Delegation Resource should allow for configurable resource security
descriptor, such that authorization mechanism can be configured. This requires
changes to the Delegation Home, to set up the configured authorization and
policy during resource creation.

2. Dependency on presence of GridMap object should be removed. Use of GridMap
authorization as resource authorization should be default configuration for
backwards compatibility.

3. Test scenario:
- Delegation Factory Service configured with Delegation Service PIPs and XACML
Authorization Callout PDP to talk to GUMS
- Delegation resources configured with Access Control List of DN used to create
the delegated resource.
- Client 1 and Client 2 mapped to same local account in GUMS server. 
- Client 1 delegates a credential
- Client 2 attempts to destroy the credential, should fail
- Client 1 should be able to refresh and destroy the credential.

5. Merge code to 4.2 branch and trunk

6. Documentation update