Generic attributes support in VOMS

Generic attributes, from the point of view of applications, are (name, value) pairs that can be assigned to VO users and that end up in the attribute certificate issued by voms (i.e., when a user issues a voms-proxy-init command).

From the developer's point of view, a GA is composed of a (name, description) pair, which is unique for each GA, and a value, which may differ from user to user. An example of name and description could be:

| attributeName | attributeDescription |
| emailAddress | This attribute contains the email address for a user |

while the value of such an attribute may be different for each user:

| userName | attributeName | attributeValue |
| andrea | emailAddress | andrea.ceccanti@cnaf.infn.it |
| valerio | emailAddress | valerio.venturi@cnaf.infn.it |
| vincenzo | emailAddress | NULL |

The example above also shows that NULL values are accepted in VOMS.

In the current implementation, Voms-Admin (VA) provides the tools and interfaces to assign GAs to VO users. When a GA is assigned to a user, it ends up directly in the proxy generated for that user. However, it can be time-consuming and tedious for an administrator to assign attributes on a user-by-user basis. For this reason, VA provides some "shortcuts": GAs may also be assigned to VO groups and roles. When a GA is assigned to a group, it ends up in the proxy of every user that is a member of that group. Likewise, when a GA is assigned to a role within a group, it ends up in the proxy of every user that holds that role in that group.

What happens if GAs with the same name are defined in multiple contexts for a user? [TBD]

Design

A GA object, as managed by voms-admin, is composed of the following parts:

  • a name: The name of the attribute
  • a description: a description that can be bound at creation time to the attribute
  • a value: The value of the attribute
  • a context: since voms-admin allows admins to assign attributes at the user, group, or role level, a context qualifier is needed to allow the definition of different values of the same attribute in different contexts for the same user. This point will be clarified later on.


In the current design and implementation, the name has a size constraint of 255 characters, while the value and description fields are not constrained in their size (CLOB SQL objects).
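To make the context qualifier concrete, here is an added, constructed model (not voms-admin code) of the three assignment levels described above: attributes set on a user, on a group, or on a role within a group all end up in that user's proxy, each tagged with the context it came from, so the same name can carry different values in different contexts. The NULL-value and 255-character name rules from the text are enforced too; the "user:", group and "/Role=" context spellings are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NAME_MAX_LEN = 255  # size constraint on the attribute name stated on the page


@dataclass(frozen=True)
class Attribute:
    """One (name, value) pair plus the context it was assigned in."""
    name: str
    value: Optional[str]  # NULL values are accepted; modelled as None
    context: str          # "user:<user>", a group name, or "<group>/Role=<role>"


class GAStore:
    """Constructed model of the user/group/role assignment levels (not VA code)."""
    def __init__(self) -> None:
        self.defined: Dict[str, str] = {}                      # name -> description
        self.by_context: Dict[str, Dict[str, Attribute]] = {}  # context -> name -> attr
        self.groups: Dict[str, List[str]] = {}                 # user -> member groups
        self.roles: Dict[str, List[Tuple[str, str]]] = {}      # user -> (group, role)

    def create_attribute(self, name: str, description: str) -> None:
        if not name or len(name) > NAME_MAX_LEN:
            raise ValueError("attribute name must be 1..255 characters")
        if name in self.defined:
            raise ValueError("attribute already defined: " + name)
        self.defined[name] = description

    def _assign(self, context: str, name: str, value: Optional[str]) -> None:
        if name not in self.defined:  # a value may only be set for a created name
            raise KeyError("unknown attribute name: " + name)
        self.by_context.setdefault(context, {})[name] = Attribute(name, value, context)

    def set_user_attribute(self, user: str, name: str, value: Optional[str]) -> None:
        self._assign("user:" + user, name, value)

    def set_group_attribute(self, group: str, name: str, value: Optional[str]) -> None:
        self._assign(group, name, value)

    def set_role_attribute(self, group: str, role: str, name: str, value: Optional[str]) -> None:
        self._assign(group + "/Role=" + role, name, value)

    def proxy_attributes(self, user: str) -> List[Attribute]:
        """All GAs that end up in the user's proxy: own, group and role ones, context-tagged."""
        contexts = ["user:" + user] + self.groups.get(user, [])
        contexts += [g + "/Role=" + r for g, r in self.roles.get(user, [])]
        found: List[Attribute] = []
        for ctx in contexts:
            found.extend(self.by_context.get(ctx, {}).values())
        return found
```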

The VA GA support exposes a WSDL interface that has methods for:

  • Creating/Deleting/Listing attribute names and descriptions.
  • Creating/Deleting/Listing user attributes.
  • Creating/Deleting/Listing group attributes.
  • Creating/Deleting/Listing role attributes.

GA names and descriptions operations

    public void createAttribute(String name, String description)
        throws VOMSException;

    public Attribute getAttribute(String name)
        throws VOMSException;

    public Attribute deleteAttribute(String name)
        throws VOMSException;

    public Attribute[] listAttributes()
        throws VOMSException;

public interface VOMSAttributes {

    public void createAttribute(String name, String description)
        throws VOMSException;

    public Attribute getAttribute(String name)
        throws VOMSException;

    public Attribute deleteAttribute(String name)
        throws VOMSException;

    public Attribute[] listAttributes()
        throws VOMSException;

    public Attribute[] listUserAttributes(User u)
        throws VOMSException;

    public void setUserAttribute(User u, Attribute a)
        throws VOMSException;

    public void deleteUserAttribute(User u, String attributeName)
        throws VOMSException;

    public void setGroupAttribute(String groupName, Attribute attribute)
        throws VOMSException;

    public void deleteGroupAttribute(String groupName, String attributeName)
        throws VOMSException;

    public Attribute[] listGroupAttributes(String groupName)
        throws VOMSException;

    public void setRoleAttribute(String groupName, String roleName, Attribute attribute)
        throws VOMSException;

    public void deleteRoleAttribute(String groupName, String roleName, String attrName)
        throws VOMSException;

    public Attribute[] listRoleAttributes(String groupName, String roleName)
        throws VOMSException;

}

The Attribute class

The Attribute class contains the information regarding generic attributes as understood by the voms-admin WSDL interface, and getter/setter methods for such information, which are omitted here for clarity.

public class Attribute implements Serializable {
    private String name;         // attribute name, constrained to 255 characters
    private String description;  // description bound to the attribute at creation time
    private String value;        // value for this user/group/role, may be NULL
    private String context;      // qualifier: user, group or role context
}

VA CLI

VA Web UI

Group attributes

Role attributes

Planned developments

Lifetime management of generic attributes

Attributes get a lifetime at creation time (e.g., this attribute is valid for 10 days). If an attribute is not "refreshed" by an administrator before expiration, the attribute enters the "invalid" state. When this happens, an administrator is notified in order to:
  • refresh the attribute in order to make it "valid" again, or
  • remove the attribute.

The service can also be configured to automatically remove attributes that have been in the "invalid" state for a configurable amount of time and haven't been renewed/removed by an administrator.
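An added, constructed sketch (not voms-admin code) of the planned lifetime policy just described: an attribute gets a lifetime at creation, becomes "invalid" when it expires unrefreshed, triggers one administrator notification, and is purged automatically once it has stayed invalid for a configurable grace period unless refreshed; the class and method names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class TimedAttribute:
    """A GA carrying the lifetime it was given at creation time."""
    name: str
    value: str
    lifetime: timedelta
    valid_until: datetime
    invalid_since: Optional[datetime] = None  # set once it expires unrefreshed

    def state(self, now: datetime) -> str:
        return "valid" if now < self.valid_until else "invalid"


class LifetimeManager:
    """Constructed sketch of the refresh / notify / auto-remove policy (not VA code)."""

    def __init__(self, grace: timedelta) -> None:
        self.grace = grace  # configurable time an "invalid" attribute may linger
        self.attrs: Dict[str, TimedAttribute] = {}
        self.notifications: List[str] = []  # what an administrator would receive

    def create(self, name: str, value: str, lifetime: timedelta, now: datetime) -> None:
        self.attrs[name] = TimedAttribute(name, value, lifetime, now + lifetime)

    def refresh(self, name: str, now: datetime) -> None:
        """Administrator action: make the attribute valid again for one more lifetime."""
        a = self.attrs[name]
        a.valid_until = now + a.lifetime
        a.invalid_since = None

    def sweep(self, now: datetime) -> List[str]:
        """Periodic job: flag expired GAs, notify once, purge after the grace period."""
        removed: List[str] = []
        for name, a in list(self.attrs.items()):
            if a.state(now) == "valid":
                continue
            if a.invalid_since is None:
                a.invalid_since = a.valid_until
                self.notifications.append(name + " expired: refresh it or remove it")
            if now - a.invalid_since >= self.grace:
                del self.attrs[name]
                removed.append(name)
        return removed
```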

-- AndreaCeccanti - 05 Oct 2006

Topic revision: r4 - 2006-10-25 - AndreaCeccanti