Generic attributes support in VOMS
Generic attributes (GAs), from the point of view of applications, are (name, value) pairs that can be assigned to VO users and that end up in the attribute certificate issued by VOMS (i.e., when a user issues a voms-proxy-init command).
From the point of view of the developer, a GA has a name, a description, a value and a context (the context is described later on).
- The name is the unique ID for the attribute.
- The description may be used to provide information about the meaning and use of the attribute, and is bound to the attribute name.
- The value is the actual value of the attribute for a specific user, and may be different for each user.
An example of a GA name and description could be:
while the value of such an attribute may be different for each user:
The example above also shows that NULL values are accepted in VOMS.
In the current implementation, VOMS-Admin (VA) provides the tools and interfaces to assign GAs to VO users. When a GA is assigned to a user, it ends up directly in the proxy generated for that user. However, it could be time-consuming and tedious for an administrator to assign attributes on a user-by-user basis. For this reason, VA and VOMS provide some "shortcuts": GAs may also be assigned to VO groups and roles. When a GA is assigned to a group, it ends up in the proxy of all the users that are members of that group. Likewise, when a GA is assigned to a role within a group, it ends up in the proxy of all the users that hold that role in that group.
What happens if GAs with the same name are defined in multiple contexts for a specific user? For example, suppose we have the following scenario:
- VO /test has users andrea, vincenzo and valerio.
- andrea is also member of group /test/g1, while vincenzo and valerio are just members of the vo group /test.
- andrea has been assigned the role 'ciccio' in group /test.
Suppose an administrator assigns the GA (A,'aValueForAndrea') to user andrea, and the GA (A,'aValueForGroupTestG1') to group /test/g1. This leads to two GAs with the same name being assigned to user andrea: the one assigned directly to the user and the one assigned to him as a member of group /test/g1. VOMS provides a context qualifier to distinguish the two attributes.
More specifically, andrea's proxy will contain the triples
('', A, 'aValueForAndrea'), ('/test/g1', A, 'aValueForGroupTestG1')
where the first field is the qualifier, and '' is the default used for "attribute assigned directly to the user". Applications must therefore key GAs on (qualifier, name), not on the name alone.
The interpretation of GA names and values is left to the applications that want to use this feature, i.e. VOMS does not attach any semantics to GA content.
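The following is an added illustration (not VOMS or VOMS-Admin code) of how the attributes assigned directly to a user, to the user's groups and to the user's roles are collected into the (context, name, value) triples described above, using the /test scenario from the text as constructed sample data. The "" context for direct assignments and the "/test/g1" context for group assignments follow the text; the "/group/Role=name" qualifier used for role assignments is an assumption made here for illustration, as the page does not state that format. The example also shows why an application has to key its lookups on (context, name): the two "A" attributes would otherwise collapse into one.

```python
"""Resolve the generic attributes (GAs) that end up in a user's VOMS proxy.

Added illustration, not VOMS or VOMS-Admin code. It models the rule in the
text: a GA assigned directly to a user, to one of the user's groups, or to a
role the user holds in a group ends up in the proxy, each tagged with a
context qualifier so that same-named attributes stay distinguishable.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# (context, name, value) as it appears in the attribute certificate.
# value may be None: the text says NULL values are accepted by VOMS.
GATriple = Tuple[str, str, Optional[str]]

USER_CONTEXT = ""  # qualifier for attributes assigned directly to the user


def role_context(group: str, role: str) -> str:
    """Qualifier for a role-within-group assignment.

    ASSUMPTION: the page does not state this format; "/group/Role=name" is
    used here for illustration only.
    """
    return f"{group}/Role={role}"


@dataclass
class VODatabase:
    user_attrs: Dict[str, Dict[str, Optional[str]]]   # user  -> name -> value
    group_attrs: Dict[str, Dict[str, Optional[str]]]  # group -> name -> value
    role_attrs: Dict[Tuple[str, str], Dict[str, Optional[str]]]  # (group, role) -> name -> value
    memberships: Dict[str, Set[str]]                  # user -> groups the user belongs to
    roles: Dict[str, Set[Tuple[str, str]]]            # user -> {(group, role)} held

    def resolve(self, user: str) -> List[GATriple]:
        """Collect every GA that applies to `user`, tagged with its context."""
        triples: List[GATriple] = []
        # 1. attributes assigned directly to the user (context '')
        for name, value in sorted(self.user_attrs.get(user, {}).items()):
            triples.append((USER_CONTEXT, name, value))
        # 2. attributes assigned to each group the user is a member of
        for group in sorted(self.memberships.get(user, set())):
            for name, value in sorted(self.group_attrs.get(group, {}).items()):
                triples.append((group, name, value))
        # 3. attributes assigned to each role the user holds in a group
        for group, role in sorted(self.roles.get(user, set())):
            for name, value in sorted(self.role_attrs.get((group, role), {}).items()):
                triples.append((role_context(group, role), name, value))
        return triples


def values_for(triples: List[GATriple], name: str) -> Dict[str, Optional[str]]:
    """Application-side view of attribute `name`, keyed by context.

    Keying on the bare name would silently overwrite one of the two 'A'
    values in the scenario below; the context qualifier keeps both.
    """
    return {ctx: val for ctx, n, val in triples if n == name}


def build_scenario() -> VODatabase:
    """Constructed sample data reproducing the /test scenario in the text.

    The role attribute B with a NULL value is an addition made here to show
    that None is carried through unchanged.
    """
    return VODatabase(
        user_attrs={"andrea": {"A": "aValueForAndrea"}},
        group_attrs={"/test/g1": {"A": "aValueForGroupTestG1"}},
        role_attrs={("/test", "ciccio"): {"B": None}},
        memberships={
            "andrea": {"/test", "/test/g1"},
            "vincenzo": {"/test"},
            "valerio": {"/test"},
        },
        roles={"andrea": {("/test", "ciccio")}},
    )


if __name__ == "__main__":
    db = build_scenario()
    for user in ("andrea", "vincenzo", "valerio"):
        print(user, db.resolve(user))
    print("A for andrea by context:", values_for(db.resolve("andrea"), "A"))
```

Running the block prints three triples for andrea (the direct A, the /test/g1 A and the NULL-valued role attribute) and an empty list for vincenzo and valerio, who only belong to /test, to which nothing is assigned.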
Design and API
A GA object, as managed by voms-admin, is composed of the following parts:
- a name: The name of the attribute
- a description: a description that can be bound at creation time to the attribute
- a value: The value of the attribute
- a context: a context qualifier
The org.glite.security.voms.services.attributes.Attribute class contains the information described above as well as getter/setter methods for it, which are omitted here for clarity.
public class Attribute implements Serializable{
private String name;
private String description;
private String value;
private String context;
}
In the current design and implementation, the name has a size constraint of 255 characters, while the value and description fields are not constrained in their size (they are stored as CLOB SQL objects).
The VA GA support exposes a WSDL interface that has methods for:
- Creating/Deleting/Listing attribute names and descriptions.
- Creating/Deleting/Listing user attributes.
- Creating/Deleting/Listing group attributes.
- Creating/Deleting/Listing role attributes.
GA names and descriptions operations
- public void createAttribute(String name, String description) throws VOMSException;
  creates a new GA name and description. An exception is thrown if an attribute with the same name already exists in the database.
- public Attribute getAttribute(String name) throws VOMSException;
  returns an Attribute object containing the GA name and description for the GA called name, provided it exists in the database.
- public Attribute deleteAttribute(String name) throws VOMSException;
  deletes the GA whose name matches the parameter name. An exception is thrown if no attribute with that name exists in the database.
- public Attribute[] listAttributes() throws VOMSException;
  returns the list of GAs defined in the database as an array of Attribute objects. Note that this method returns only the names and descriptions of the attributes.
User attributes management
- public void setUserAttribute(User u, Attribute a) throws VOMSException;
  assigns attribute a to user u. If the attribute name and description do not yet exist in the database, a new attribute is created and then the value is assigned to the user.
- public void deleteUserAttribute(User u, String attributeName) throws VOMSException;
  removes the attribute named attributeName from user u's list of attributes. If no such attribute is present in that list, an exception is thrown.
- public Attribute[] listUserAttributes(User u) throws VOMSException;
  returns the list of GAs defined for user u, or NULL if no attribute is defined for that user.
The group and role attribute management methods are very similar to the methods above and are therefore not described here.
The VOMS-Admin GA support interface
public interface VOMSAttributes {
public void createAttribute(String name, String description)
throws VOMSException;
public Attribute getAttribute(String name)
throws VOMSException;
public Attribute deleteAttribute(String name)
throws VOMSException;
public Attribute[] listAttributes()
throws VOMSException;
public Attribute[] listUserAttributes(User u)
throws VOMSException;
public void setUserAttribute(User u, Attribute a)
throws VOMSException;
public void deleteUserAttribute(User u, String attributeName)
throws VOMSException;
public void setGroupAttribute(String groupName, Attribute attribute)
throws VOMSException;
public void deleteGroupAttribute(String groupName, String attributeName)
throws VOMSException;
public Attribute[] listGroupAttributes(String groupName)
throws VOMSException;
public void setRoleAttribute(String groupName, String roleName, Attribute attribute)
throws VOMSException;
public void deleteRoleAttribute(String groupName, String roleName, String attrName)
throws VOMSException;
public Attribute[] listRoleAttributes(String groupName, String roleName)
throws VOMSException;
}
Planned developments
Lifetime management of generic attributes
Attributes may be given a lifetime at creation time (e.g., "this attribute is valid for 10 days"). If an attribute is not "refreshed" by an administrator before it expires, the attribute enters the "invalid" state. When this happens, an administrator is notified in order to either:
- refresh the attribute in order to make it "valid" again, or
- remove the attribute.
The service can also be configured to automatically remove attributes that have been in the "invalid" state for a configurable amount of time and haven't been renewed/removed by an administrator.
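As an added illustration of the planned lifecycle (this is not VOMS-Admin code; the feature is described above as planned, not implemented), the following models the three states an attribute passes through and the two administrative outcomes. The state names, the fixed lifetime and the configurable grace period before automatic removal follow the text; the concrete durations and dates are constructed sample values.

```python
"""Model of the planned GA lifetime management described on the page.

Added illustration only: the VOMS-Admin of this page has no such feature, and
the timing rules below follow the text, not any released code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

VALID, INVALID, REMOVED = "valid", "invalid", "removed"


@dataclass
class TimedAttribute:
    name: str
    value: str
    lifetime: timedelta             # set at creation time, e.g. 10 days
    assigned_at: datetime
    expires_at: datetime = field(init=False)

    def __post_init__(self) -> None:
        self.expires_at = self.assigned_at + self.lifetime

    def refresh(self, now: datetime) -> None:
        """Administrator renews the attribute: the lifetime restarts from now."""
        self.assigned_at = now
        self.expires_at = now + self.lifetime

    def state(self, now: datetime, grace: timedelta) -> str:
        """valid until expiry, invalid for `grace` afterwards, then removable."""
        if now < self.expires_at:
            return VALID
        if now < self.expires_at + grace:
            return INVALID
        return REMOVED


def sweep(attrs: List[TimedAttribute], now: datetime,
          grace: timedelta) -> Tuple[List[str], List[str], List[TimedAttribute]]:
    """One pass of the service's periodic check.

    Returns (names to notify the administrator about, names auto-removed,
    attributes still kept). Invalid attributes are kept so that an
    administrator can still refresh them; only those past the grace period
    are dropped automatically, as the text describes.
    """
    notify: List[str] = []
    removed: List[str] = []
    kept: List[TimedAttribute] = []
    for a in attrs:
        s = a.state(now, grace)
        if s == REMOVED:
            removed.append(a.name)
            continue
        if s == INVALID:
            notify.append(a.name)
        kept.append(a)
    return notify, removed, kept


# Constructed sample timeline: 10-day lifetime, 5-day grace before auto-removal.
T0 = datetime(2006, 10, 5)
LIFETIME = timedelta(days=10)
GRACE = timedelta(days=5)


def demo() -> Tuple[str, str, str, str]:
    """Walk one attribute through the states; returns the observed states."""
    a = TimedAttribute("A", "aValueForAndrea", LIFETIME, T0)
    day3 = a.state(T0 + timedelta(days=3), GRACE)     # valid
    day12 = a.state(T0 + timedelta(days=12), GRACE)   # invalid, admin notified
    b = TimedAttribute("B", "x", LIFETIME, T0)
    day16_unrefreshed = b.state(T0 + timedelta(days=16), GRACE)  # auto-removed
    a.refresh(T0 + timedelta(days=12))                # admin renews A on day 12
    day20_refreshed = a.state(T0 + timedelta(days=20), GRACE)    # valid again
    return day3, day12, day16_unrefreshed, day20_refreshed


if __name__ == "__main__":
    print(demo())
    attrs = [TimedAttribute("A", "1", LIFETIME, T0),
             TimedAttribute("B", "2", LIFETIME, T0 + timedelta(days=5))]
    print(sweep(attrs, T0 + timedelta(days=16), GRACE)[:2])
```

On day 16 of the sample timeline the sweep removes A (expired on day 10, grace over on day 15) and raises a notification for B (expired on day 15, still within its grace period).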
--
AndreaCeccanti - 05 Oct 2006