[gridshib-user] GridShib Installation testbed

Tim Freeman tfreeman at mcs.anl.gov
Wed Aug 8 13:18:55 CDT 2007


On Wed, 8 Aug 2007 14:12:44 -0400
"Tom Scavo" <trscavo at gmail.com> wrote:

> On 8/8/07, Giulio Galiero <giulio.galiero at eng.it> wrote:
> >
> > Ok! Very good, I apologize if I wasn't so clear in the previous mail.
> 
> No problem.  I'm glad we're on the same page now :-)
> 
> > At
> > the moment we don't have any major constraint about which GT version to
> > use: then, GT4.1+ seems the better choice.
> 
> Just to be clear, though, GT4.1 is a *development* version of GT that
> will give rise to the next production release called GT4.2.  I have no
> idea when GT4.2 will be released, however.
> 
> > By the way, comparing Tim's mail...
> > >>> As Tom explains, there is GT4.0 support for this permit-overrides
> > >>> VOMS/SAML behavior in GridShib for GT and it is on the roadmap to
> > >>> include this in subsequent versions.
> > >>> In GT4.1+ you can configure the authorization chain to do this
> > >>> without any explicit support from GridShib for GT (which can be
> > >>> configured as a PDP alongside VOMS in the permit-overrides chain).
> >
> > ...and Tim's mail...
> > > The answer is yes, with the qualifications that Tim outlined
> > > previously.  Currently, the best solution leverages GT4.1+.  Starting
> > > in GT4.1, the authz framework uses a permit-overrides combining
> > > algorithm by default, so all you have to do is introduce both the VOMS
> > > PDP and the GridShibPDP into the authz chain and you're done.  As it
> > > stands today, each has its own policy configuration file, so that's a
> > > bit of a pain, but not terribly so.
> >
> > ...I can't understand if GridShib4GT is necessary or not if I'm using
> > GT4.1+ (Could I just add a PDP for SAML in the authZ chain and that's it?)
> 

Thanks for the detailed response Tom!  Just to further clarify: in my sentence
above, when I said "without any explicit support from GridShib for GT", I meant
that the VOMS permit-overrides combination can be done without this specific
support *inside* GridShib for GT -- not that GridShib/SAML attribute things can
be done without it.  GridShib for GT will still need to be configured as a PDP
in the GT4.1+ authorization chain configuration in this scenario (alongside
VOMS as another PDP configuration).

Tim

> Yes, that's a good question.  (It gets kind of confusing with all
> these versions and plugins floating around.)  Here's how it goes:
> 
> 1. Choose a GT version, either GT4.0 or GT4.1+.
> 2. For SAML support, install the latest GridShib for GT plugin on top of
> GT.  (The current version of GridShib for GT is GS4GT v0.6.0 TP4.)
> 3. For VOMS support, install the latest VOMS plugin on top of GT.
> (See the VOMS web page I referred to earlier.)
> 
> GridShib for GT autosenses the underlying GT version (thanks to Tim's
> handiwork :) and deploys the correct codebase into GT.  VOMS supports
> both versions of GT as well (see the web page referred to below).
> 
> > The possibility to use both VOMS and SAML for authZ sounds like a very
> > interesting opportunity, and we are thinking of setting up a testbed in
> > our lab to start with a very basic example.
> > We'd really appreciate if you guys could support us in the
> > configuration/testing activities. Could you give us references
> > (tutorials/howtos) or whatever you could think is helpful.
> 
> For VOMS, refer to this web page:
> 
> http://dev.globus.org/wiki/VOMS
> 
> For GridShib, take a look at the latest Quick Start guide:
> 
> http://gridshib.globus.org/docs/gridshib-gt-0.6.0-tp4/quick-start.html
> 
> The latter is currently limited to GT4.0 and Windows, but hopefully
> it's straightforward to adapt to GT4.1+ and Unix.  (We're working on
> it! :)
> 
> Questions about the GridShib install should be posted to gridshib-dev
> (since v0.6.0 is still a Technology Preview).
> 
> > PS: could it be useful to start from "GridShib for Globus Toolkit -
> > QuickStart guide"
> > (http://gridshib.globus.org/docs/gridshib-gt-0.6.0-tp3/quick-start.html)
> > and then integrate it with VOMS installation/configuration?
> 
> Yes, that's what I would do, but please refer to the Quick Start for
> TP4, not TP3.
> 
> Thanks,
> Tom
> 


-----------------------------------------
Tim Freeman - tfreeman at mcs.anl.gov
http://www-unix.mcs.anl.gov/~tfreeman/
Grid Search: http://www.gridindex.org
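
The permit-overrides chain discussed in this thread, as an added Python model that is not part of the original messages and is not Globus or GridShib code. The functions `voms_pdp` and `saml_pdp`, the decision values, and every policy and request below are hypothetical stand-ins constructed for illustration.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not_applicable"

# Constructed policies: each PDP keeps its own policy, as the thread notes.
VOMS_POLICY = {"/examplevo/Role=analyst"}                          # permitted FQANs
SAML_POLICY = {("urn:example:affiliation", "member@example.org")}  # permitted (name, value)

def voms_pdp(request):
    """Hypothetical stand-in for a VOMS PDP: matches FQANs against its policy."""
    fqans = set(request.get("voms_fqans", ()))
    if not fqans:
        return Decision.NOT_APPLICABLE
    return Decision.PERMIT if fqans & VOMS_POLICY else Decision.DENY

def saml_pdp(request):
    """Hypothetical stand-in for a SAML attribute PDP (the role GridShib for GT plays)."""
    attrs = set(request.get("saml_attributes", ()))
    if not attrs:
        return Decision.NOT_APPLICABLE
    return Decision.PERMIT if attrs & SAML_POLICY else Decision.DENY

def permit_overrides(chain, request):
    """Any PERMIT wins; otherwise DENY if some PDP denied; otherwise NOT_APPLICABLE."""
    decisions = [pdp(request) for pdp in chain]
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    if Decision.DENY in decisions:
        return Decision.DENY
    return Decision.NOT_APPLICABLE

def is_authorized(chain, request):
    """Enforcement point: only an explicit PERMIT grants access."""
    return permit_overrides(chain, request) is Decision.PERMIT

# Constructed requests.
SAML_ONLY = {"saml_attributes": [("urn:example:affiliation", "member@example.org")]}
MIXED = {"voms_fqans": ["/othervo/Role=guest"],
         "saml_attributes": [("urn:example:affiliation", "member@example.org")]}
NEITHER = {"voms_fqans": ["/othervo/Role=guest"],
           "saml_attributes": [("urn:example:affiliation", "student@example.org")]}

if __name__ == "__main__":
    for name, chain in (("VOMS only", [voms_pdp]), ("VOMS + SAML", [voms_pdp, saml_pdp])):
        for label, req in (("saml_only", SAML_ONLY), ("mixed", MIXED), ("neither", NEITHER)):
            print(f"{name:12} {label:10} -> {permit_overrides(chain, req).value}")
```

The `MIXED` request shows the property to review before deploying such a chain: a permit from either PDP is final, so each policy file has to be safe on its own. With only `voms_pdp` in the chain, SAML attributes are never evaluated, which matches the clarification above that the SAML PDP must still be configured.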



