Globus Toolkit provides various callout mechanisms to enable a site to implement a local/custom policy for mapping user DNs to local user accounts and for making authorization decisions. This document describes the API for a mapping and authorization callout to Python from within specific components of Globus Toolkit 5.x that use Gridmap authorization callouts (described later). An example implementation of the callout to Python is also provided so that a system administrator can modify the Python script to implement a site-specific identity mapping and authorization policy instead of writing and compiling a new C callout shared library.
Globus Toolkit provides the following identity mapping and authorization mechanisms:
1. Gridmap file-based mapping and authorization (default/standard)
2. Gridmap callouts
3. Supplemental callouts
3.1 GRAM callout
3.2 GridFTP CAS authorization callouts
The following matrix shows the various Globus Toolkit components and the mapping and authorization mechanisms they use.
Gridmap File-based Authorization (default)
As mentioned at this Globus page:
The gridmap file also serves as an access control list for GSI-enabled services.
More information on the format of the Gridmap file and its usage is available at:
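To make the default file-based mechanism concrete, here is an added Python example (not the page's callout script and not Globus code) implementing standard gridmap file semantics: each entry is a double-quoted subject DN followed by a comma-separated list of local accounts, the first being the default, and `#` starts a comment. The gridmap contents are constructed sample data.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample gridmap file in the standard Globus format:
# a double-quoted subject DN followed by one or more comma-separated
# local accounts; the first account is the default mapping.
SAMPLE_GRIDMAP = '''
# Site gridmap (constructed example data)
"/DC=org/DC=example/OU=People/CN=Alice Example" alice,gridusers
"/DC=org/DC=example/OU=People/CN=Bob Example" bob
"/DC=org/DC=example/OU=Services/CN=gridftp/host.example.org" nobody
'''


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse gridmap text into {subject DN: [local accounts]}."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # shlex keeps the quoted DN, which contains spaces, as one token
            tokens = shlex.split(line)
        except ValueError as exc:
            raise ValueError(f"gridmap line {lineno}: {exc}") from exc
        if len(tokens) != 2:
            raise ValueError(f"gridmap line {lineno}: expected '\"DN\" user[,user]'")
        dn, users = tokens
        accounts = [u for u in users.split(",") if u]
        if not accounts:
            raise ValueError(f"gridmap line {lineno}: no local account given")
        # The first entry for a DN wins, as in the Globus gridmap lookup.
        mapping.setdefault(dn, accounts)
    return mapping


def map_identity(mapping: Dict[str, List[str]], dn: str,
                 requested_user: Optional[str] = None) -> Optional[str]:
    """Return the local account for dn, or None when access is denied.

    The gridmap doubles as an ACL: an unlisted DN is refused. Without a
    requested user the first (default) account is returned; a requested
    user is honoured only if it is listed for that DN.
    """
    accounts = mapping.get(dn)
    if accounts is None:
        return None
    if requested_user is None:
        return accounts[0]
    return requested_user if requested_user in accounts else None
```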
The following section very briefly describes the different callout mechanisms listed above.
There may be cases where the default file-based identity mapping and authorization mechanism described above doesn't satisfy a site's requirements. For example, a local/custom policy might involve utilizing LDAP, SAML assertions, etc., to perform identity mapping and make authorization decisions. Globus Toolkit performs callouts so that such local/custom policies for identity mapping and authorization can be implemented by a site for use by Globus services.
Please refer to the following for detailed information on configuring callouts.
The kinds of callouts available in GSI are briefly described in the following sub-sections, with references to pages containing detailed information. These callouts provide the following:
1. Enable a site to override the gridmap file as the means of mapping the grid credentials to local identities.
2. Enable a site to install site-specific admission control checks based on the credentials of incoming clients.
These callouts are specified in the following document:
Detailed information including an example implementation of the gridmap callouts module, along with the GRAM callouts mentioned next, is available at: http://www.globus.org/toolkit/security/callouts/
VDT uses this callout mechanism for GRAM/Gatekeeper and GridFTP (and possibly GSI-OpenSSH) to call out to PRIMA, which then contacts a GUMS server to perform mapping and authorization functions.
More information on PRIMA and its use in VDT can be found at:
An implementation of the PRIMA callout module (prima_authz_module-0.3) can be found in the source code tarball mentioned on:
There are certain application specific callouts made by specific individual components such as the GRAM job manager and GridFTP/CAS.
A description and an example implementation of the GRAM callout is available at:
GridFTP CAS authorization callouts are implemented using GAA (Generic Authentication and Access Control). Community Authorization Service (CAS) is defined at: http://www.globus.org/alliance/publications/papers/CAS_2002_Revised.pdf
The CAS module is loaded into GridFTP using GridFTP's ACL plug-in mechanism. The CAS module then makes specific callouts, which in turn use the GAA mechanism for an authorization decision.
Details on setting up GridFTP with CAS can be found at:
A couple of implementations of these callouts are available at: