On Fri, Jul 27, 2007 at 09:59:03AM +0100, Ma, M (Mingchao) wrote:
> Good point!
>
> In theory:
>
> Proxy certificate should be short-lived (12 or 24 hours), attribute
> certificate should be no longer than proxy certificate (shorter is ok),

I don't think that shorter is OK (with the current system). At the moment
when your attribute expires the result is that the gridmap file will be
used, which means that your job, file transfer, whatever will now be
mapped to something else and get a completely different set of
capabilities.

> any services or operations that require a long-lived proxy certificate
> should use my proxy server and my proxy server should be voms attribute
> aware so that it can renew not only proxy certificate but also
> attribute certificate when required, and all services also need to be
> voms attribute aware so that they can verify not only proxy certificate
> but also voms attributes.

Sure, all services should be voms aware at the level that they should even
contact the voms server on their own to renew the voms attributes if
they expire.

> In reality (at the moment):
>
> Proxy certificates are 3-7 days long because there is no my proxy server
> or my proxy server is not used by other services. Some services are not
> voms attribute aware, that means they do not recognise the voms
> attributes. My proxy server is not attribute aware, so that it can not
> renew attribute certificate on behalf of users if needed.

It doesn't have to be only MyProxy that renews your attribute certificate,
any service can renew the attributes if needed. Of course they'll have
to be voms aware first.

> In fact, proxy certificate tells the system who you are (authentication)
> and attribute certificate tells the system what you can do (your
> capabilities) so that the system can authenticate you (by proxy
> certificate) and also authorize you according to the attributes (by
> attribute certificate and its local access control policy). It requires
> that all services are attribute-aware, but at the moment it is not the
> case.

Unfortunately the proxy certificate is also used for authorization as well
when the attributes are not there, have expired or the service isn't
voms aware. We have two authorization systems in use and having
different expiry times for the proxy and its attributes results in both
of them being used in the lifetime of a job.

I would have liked to see something a lot more fine tuned instead of the
basic voms attributes. We could have had attributes with something like:

* proxy can copy back the sandbox of job X to RB Y (signed by RB Y)

for example and then you don't have to worry that much about the expiry
times or that proxy being stolen at some later point.

I have seen some projects working on adding RBAC in x509 but I haven't
spent any time thinking about it so the idea might not be workable at
all.

> Obviously we have a long way to go!

Very very true.

Kostas
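
The fallback discussed in this thread (attributes expiring before the proxy, so a job ends up authorized by DN through the gridmap file), modelled as an added example; it is not code from either poster or from any grid middleware. The decision logic is a simplified assumption, and the DN, FQAN, account names and function names are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Credential:
    subject_dn: str                   # identity from the proxy certificate
    proxy_not_after: datetime         # proxy certificate expiry
    fqan: Optional[str] = None        # VOMS attribute (group/role), if any
    ac_not_after: Optional[datetime] = None  # attribute certificate expiry

def mapping_at(cred, when, voms_aware, voms_map, gridmap):
    """Local account chosen at `when`, or None if the request is refused."""
    if when >= cred.proxy_not_after:
        return None                   # authentication itself fails
    if voms_aware and cred.ac_not_after and when < cred.ac_not_after:
        return voms_map.get(cred.fqan)  # authorization by attributes
    return gridmap.get(cred.subject_dn)  # fallback: authorization by DN

def mapping_timeline(cred, start, end, voms_aware, voms_map, gridmap):
    """(time, account) for every point in [start, end) where the mapping changes."""
    expiries = (cred.ac_not_after, cred.proxy_not_after)
    points = sorted({start, *(t for t in expiries if t and start < t < end)})
    timeline = []
    for t in points:
        account = mapping_at(cred, t, voms_aware, voms_map, gridmap)
        if not timeline or timeline[-1][1] != account:
            timeline.append((t, account))
    return timeline

# Constructed sample data: DN, FQAN and account names are made up.
T0 = datetime(2007, 7, 27, 10, 0)
VOMS_MAP = {"/examplevo/Role=production": "exprd001"}
GRIDMAP = {"/C=XX/O=Example/CN=Test User": "exusr042"}

def sample_cred(proxy_hours, ac_hours):
    return Credential("/C=XX/O=Example/CN=Test User",
                      T0 + timedelta(hours=proxy_hours),
                      "/examplevo/Role=production",
                      T0 + timedelta(hours=ac_hours))

if __name__ == "__main__":
    job_end = T0 + timedelta(hours=48)
    for label, cred in (("7-day proxy, 12 h attributes", sample_cred(168, 12)),
                        ("24 h proxy, 24 h attributes", sample_cred(24, 24))):
        print(label)
        for when, account in mapping_timeline(cred, T0, job_end, True, VOMS_MAP, GRIDMAP):
            print(f"  from {when:%Y-%m-%d %H:%M}: {account or 'refused'}")
```

A timeline with more than one non-refused account is the case where both authorization systems are used within one job's lifetime.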