Generic attributes support in VOMS

Generic attributes, from the point of view of applications, are (name, value) pairs that can be assigned to VO users and that end up in the attribute certificate issued by voms (i.e., when a user issues a voms-proxy-init command).

From the point of the developer, a GA has a name, a description, a value and a context (the context will be described later on).

  • The name is the unique ID for the attribute.
  • The description may be used to provide information about the meaning and use of the attribute, and is bound to the attribute name.
  • The value is the actual value of the attribute for a specific user, and may be different for each user.

An example of GA name and description could be:

| attributeName | attributeDescription |
| emailAddress  | This attribute contains the email address for a user |

While the value of such attribute may be different for each user:

| userName | attributeName | attributeValue |
| andrea   | emailAddress  | andrea.ceccanti@cnaf.infn.it |
| valerio  | emailAddress  | valerio.venturi@cnaf.infn.it |
| vincenzo | emailAddress  | NULL |

The example above also shows that NULL values are accepted in voms.

In the current implementation, Voms-Admin (VA) provides the tools and interfaces to assign GAs to VO users. When a GA is assigned to a user, it ends up directly in the proxy generated for that user. However, assigning attributes on a user-by-user basis can be time-consuming and tedious for an administrator. For this reason, VA and VOMS provide some "shortcuts": GAs may also be assigned to VO groups and roles. When a GA is assigned to a group, it ends up in the proxy of every user that is a member of that group. Likewise, when a GA is assigned to a role within a group, it ends up in the proxy of every user that holds that role in that group.

What happens if GAs with the same name are defined in multiple contexts for a specific user? For example, suppose we have the following scenario:

  • VO /test has users andrea, vincenzo and valerio.
  • andrea is also a member of group /test/g1, while vincenzo and valerio are just members of the VO group /test.
  • andrea has been assigned the role 'ciccio' in group /test.

Suppose an administrator assigns the GA (A,'aValueForAndrea') to user andrea, and the GA (A,'aValueForGroupTestG1') to group /test/g1. This leads to two GAs with the same name being assigned to user andrea: the one assigned directly to the user and the one assigned to him as a member of group /test/g1. VOMS provides a context qualifier to distinguish the two attributes. More specifically, andrea's proxy will contain the triples

('', A, 'aValueForAndrea'), ('/test/g1',A,'aValueForGroupTestG1')

where the first field is the qualifier, and '' is the default we use for "attribute assigned directly to user".

The interpretation of GA names and values is left to the applications that want to use this feature, i.e. VOMS does not attach any semantic meaning to GA content.
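The following is an added example, not VOMS or voms-admin code: it models how the user, group and role assignments described above turn into the (context, name, value) triples of a user's proxy, using the /test scenario from this page, and shows the application-side lookup that has to cope with same-named attributes in different contexts. The role-context string format and the role attribute B are assumptions; the page does not define them.

```python
from typing import Dict, List, Optional, Tuple

Triple = Tuple[str, str, Optional[str]]  # (context qualifier, name, value)

# Constructed assignments, keyed the way the VOMS-Admin API keys them.
USER_ATTRS: Dict[str, Dict[str, Optional[str]]] = {
    "andrea": {"A": "aValueForAndrea", "emailAddress": "andrea.ceccanti@cnaf.infn.it"},
    "valerio": {"emailAddress": "valerio.venturi@cnaf.infn.it"},
    "vincenzo": {"emailAddress": None},          # NULL values are accepted
}
GROUP_ATTRS: Dict[str, Dict[str, Optional[str]]] = {"/test/g1": {"A": "aValueForGroupTestG1"}}
# Assumption: a GA named B assigned to role ciccio in group /test (not on the page).
ROLE_ATTRS: Dict[Tuple[str, str], Dict[str, Optional[str]]] = {("/test", "ciccio"): {"B": "aValueForRoleCiccio"}}
MEMBERSHIPS = {"andrea": ["/test", "/test/g1"], "vincenzo": ["/test"], "valerio": ["/test"]}
ROLES = {"andrea": [("/test", "ciccio")]}


def role_context(group: str, role: str) -> str:
    # Assumption: role-scoped GAs are qualified with "<group>/Role=<role>";
    # the page only states that role GAs are keyed by (group, role).
    return f"{group}/Role={role}"


def proxy_attributes(user: str) -> List[Triple]:
    """Every GA that ends up in the proxy of `user`, with its context qualifier."""
    out: List[Triple] = []
    for name, value in USER_ATTRS.get(user, {}).items():
        out.append(("", name, value))            # '' = assigned directly to the user
    for group in MEMBERSHIPS.get(user, []):
        for name, value in GROUP_ATTRS.get(group, {}).items():
            out.append((group, name, value))     # inherited through group membership
    for group, role in ROLES.get(user, []):
        for name, value in ROLE_ATTRS.get((group, role), {}).items():
            out.append((role_context(group, role), name, value))
    return out


def values_for(triples: List[Triple], name: str) -> Dict[str, Optional[str]]:
    """Application-side view of one GA name: context -> value. VOMS attaches no
    semantics, so the consumer must decide which context wins; returning every
    context (instead of the first match) keeps that decision explicit."""
    return {ctx: val for ctx, n, val in triples if n == name}
```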

Design and API

A GA object, as managed by voms-admin, is composed of the following parts:

  • a name: the name of the attribute
  • a description: a description that can be bound to the attribute at creation time
  • a value: the value of the attribute
  • a context: a context qualifier

The org.glite.security.voms.services.attributes.Attribute class contains the information described above as well as getter/setter methods for such information that are omitted here for clarity.

import java.io.Serializable;

public class Attribute implements Serializable {
    private String name;         // unique ID of the attribute (at most 255 characters)
    private String description;  // bound to the name at creation time
    private String value;        // per-user/group/role value; may be NULL
    private String context;      // context qualifier ('' = assigned directly to the user)

    // getters and setters omitted for clarity
}

In the current design and implementation, the name has a size constraint of 255 characters, while the value and description fields are not constrained in their size (CLOB SQL objects).

The VA GA support exposes a WSDL interface that has methods for:

  • Creating/Deleting/Listing attribute names and descriptions.
  • Creating/Deleting/Listing user attributes.
  • Creating/Deleting/Listing group attributes.
  • Creating/Deleting/Listing role attributes.

GA names and descriptions operations

public void createAttribute(String name, String description) throws VOMSException;
creates a new GA name and description. An exception is thrown if an attribute with the same name already exists in the database.
public Attribute getAttribute(String name) throws VOMSException;
returns an Attribute object containing the GA name and description for the GA whose name matches name, provided it exists in the database.
public Attribute deleteAttribute(String name) throws VOMSException;
deletes the GA whose name matches the parameter name. An exception is thrown if no attribute with that name exists in the database.
public Attribute[] listAttributes() throws VOMSException;
returns the list of GAs defined in the db as an array of Attribute objects. Note that this method returns only the names and descriptions of such attributes.

User attributes management

public void setUserAttribute(User u, Attribute a) throws VOMSException;
assigns attribute a to user u. If the attribute name and description do not exist in the database, a new attribute is created and then the value is assigned to the user.
public void deleteUserAttribute(User u, String attributeName) throws VOMSException;
removes the attribute named attributeName from user u's list of attributes. If the attribute is not present in that list, an exception is thrown.
public Attribute[] listUserAttributes(User u) throws VOMSException;
returns the list of GAs defined for user u, or NULL if no attribute is defined for that user.

Group and role attributes management methods are very similar to the methods above and thus are not described here.

The VOMS-Admin GA support interface

public interface VOMSAttributes {

    public void createAttribute(String name, String description)
        throws VOMSException;

    public Attribute getAttribute(String name)
        throws VOMSException;

    public Attribute deleteAttribute(String name)
        throws VOMSException;

    public Attribute[] listAttributes()
        throws VOMSException;

    public Attribute[] listUserAttributes(User u)
        throws VOMSException;

    public void setUserAttribute(User u, Attribute a)
        throws VOMSException;

    public void deleteUserAttribute(User u, String attributeName)
        throws VOMSException;

    public void setGroupAttribute(String groupName, Attribute attribute)
        throws VOMSException;

    public void deleteGroupAttribute(String groupName, String attributeName)
        throws VOMSException;

    public Attribute[] listGroupAttributes(String groupName)
        throws VOMSException;

    public void setRoleAttribute(String groupName, String roleName, Attribute attribute)
        throws VOMSException;

    public void deleteRoleAttribute(String groupName, String roleName, String attrName)
        throws VOMSException;

    public Attribute[] listRoleAttributes(String groupName, String roleName)
        throws VOMSException;

}

Planned developments

Lifetime management of generic attributes

Attributes may get a lifetime at creation time (e.g., this attribute is valid for 10 days). If an attribute is not "refreshed" by an administrator before expiration, the attribute enters the "invalid" state. When this happens, an administrator is notified in order to:

  • refresh the attribute in order to make it "valid" again, or
  • remove the attribute.

The service can also be configured to automatically remove attributes that have been in the "invalid" state for a configurable amount of time and haven't been renewed/removed by an administrator.

-- AndreaCeccanti - 05 Oct 2006

Topic revision: r8 - 2007-01-22 - AndreaCeccanti