eu.emi.dsr.security
Interface IAttributeSource

All Known Implementing Classes:
AttributeSourcesChain, FileAttributeSource, SecurityManager.NullAuthoriser

public interface IAttributeSource

IAttributeSource provides the interface for UNICORE/X to retrieve authorisation information (attributes) for a particular request from an attribute provider, based on information such as the client DN, certificate, etc., contained in an instance of SecurityTokens.

The getAttributes method shall return the incarnation attributes, which are handled specially by the UNICORE stack. Those attribute names are defined in this interface as the ATTRIBUTE_* constants. Additionally, XACML attributes can be returned; those are used for authorization (they are fed to the PDP). Note that an attribute returned in the incarnation list should not be returned again as an XACML attribute: UNICORE automatically exposes incarnation attributes to the PDP when needed.

Lifecycle

IAttributeSource implementations are created and initialised by the AttributeSourceFactory, which creates the instance using Class.forName(), sets additional parameters (see "Parameter injection" below) and finally calls the init() method. The instance is created only once and is kept alive for the lifetime of the server.

Parameter injection

When creating an IAttributeSource instance, UNICORE/X sets parameters according to the properties defined in the main configuration file (usually uas.config), provided the class has a public setter method for them. For example, if the class has a method setHost(String host), UNICORE/X will invoke it automatically if the configuration contains the property
uas.security.attributes.NAME1.Host
where NAME1 stands for the configured name of the attribute source. Currently parameters can be of type String, boolean, or numerical; for details see AttributeSourceFactory.

Author:
schuller, golbi

Field Summary
static String ATTRIBUTE_ADD_DEFAULT_GROUPS
          Add OS default groups.
static String ATTRIBUTE_GROUP
          UNIX primary group attribute key.
static String ATTRIBUTE_ROLE
          UNICORE role attribute key.
static String ATTRIBUTE_SUPPLEMENTARY_GROUPS
          UNIX supplementary groups attribute key.
static String ATTRIBUTE_VOS
          Virtual Organisations attribute key.
static String ROLE_ADMIN
          role attribute value: admin
static String ROLE_ANONYMOUS
          role attribute value: anonymous
 
Method Summary
 String[] getAcceptedVOs()
          This method returns the list of VOs that this attribute source supports.
 SubjectAttributesHolder getAttributes(SecurityTokens tokens, SubjectAttributesHolder otherAuthoriserInfo)
          Retrieves a map of attributes based on the supplied SecurityTokens.
Since authorisers can be chained, it might be sometimes useful to see attributes returned by authorisers that have run previously.
 String getName()
          This method should return name of this attribute source, which was passed to the init() method.
 String getStatusDescription()
          Get a user-friendly description of the attribute source's status.
This is used for informing the administrator of any problems with configuration, connection problems, etc.
 void init(String name)
          initialise the source
 

Field Detail

ATTRIBUTE_ROLE

static final String ATTRIBUTE_ROLE
UNICORE role attribute key. Only one may be selected.

See Also:
Constant Field Values

ATTRIBUTE_GROUP

static final String ATTRIBUTE_GROUP
UNIX primary group attribute key. Only one may be selected.

See Also:
Constant Field Values

ATTRIBUTE_SUPPLEMENTARY_GROUPS

static final String ATTRIBUTE_SUPPLEMENTARY_GROUPS
UNIX supplementary groups attribute key.

See Also:
Constant Field Values

ATTRIBUTE_ADD_DEFAULT_GROUPS

static final String ATTRIBUTE_ADD_DEFAULT_GROUPS
Add OS default groups.

See Also:
Constant Field Values

ATTRIBUTE_VOS

static final String ATTRIBUTE_VOS
Virtual Organisations attribute key.

See Also:
Constant Field Values

ROLE_ANONYMOUS

static final String ROLE_ANONYMOUS
role attribute value: anonymous

See Also:
Constant Field Values

ROLE_ADMIN

static final String ROLE_ADMIN
role attribute value: admin

See Also:
Constant Field Values

Method Detail

init

void init(String name)
          throws Exception
Initialise the source. The name is the configured name of this attribute source, as later returned by getName().

Throws:
Exception

getAttributes

SubjectAttributesHolder getAttributes(SecurityTokens tokens,
                                      SubjectAttributesHolder otherAuthoriserInfo)
                                      throws IOException
Retrieves the attributes of the subject identified by the supplied SecurityTokens.
Since authorisers can be chained, it is sometimes useful to see the attributes returned by authorisers that have run previously. This information is supplied in the "otherAuthoriserInfo" holder.
Attribute sources must not make any authorisation decisions. Thus, no exception must be thrown if no attributes are found. Only an IOException should be thrown, and only in case of technical problems contacting the actual attribute provider; this allows the upstream code (i.e. the UNICORE/X server) to log the error or to take other action (such as notifying an administrator). If no attributes are found, an empty SubjectAttributesHolder or null must be returned.

Parameters:
tokens - security tokens for this request
otherAuthoriserInfo - attributes returned by other authorisers, which may be null
Returns:
subject's attributes
Throws:
IOException - in case of technical problems

getStatusDescription

String getStatusDescription()
Get a user-friendly description of the attribute source's status.
This is used for informing the administrator of any problems with configuration, connection problems, etc. UNICORE/X will print a log entry describing the status immediately after startup.
This method should not block for long, since the server startup would otherwise be stalled. For example, you may use the TimeoutRunner class to bound the time spent waiting on the attribute provider.

Returns:
a String describing this attribute source's status.

getName

String getName()
This method should return name of this attribute source, which was passed to the init() method.

Returns:
the name of this attribute source
getAcceptedVOs

String[] getAcceptedVOs()
This method returns the list of VOs that this attribute source supports. If the attribute source is not aware of virtual organisations (like XUUDB), an empty list is returned, meaning that VO-less users might be accepted by this attribute source.

Returns:
the VOs accepted by this attribute source, or an empty array if it is not VO-aware

Copyright © 2012. All Rights Reserved.