Authorization status
Andrew McNab
High Energy Physics, University of Manchester
http://www.gridpp.ac.uk/authz/
GESA/Authz, GGF9, 7 Oct 2003

Authz-WG
• Meetings: Tokyo, Seattle and here (yesterday)
• Main work is the frameworks document:
  • describes terminology (IETF/ISO)
  • general models for authorization
  • components (eg Attribute Authority)
  • describes some real systems in these terms
• Also producing a glossary for Authz
• Work of Authz-WG coming to an end:
  • Final version of documents before next GGF?
  • Specifications to be produced elsewhere.

OGSA Authz WG
• First meeting at 4pm today.
• Producing specifications needed for Authorization in OGSA:
  • Attributes: eg attribute certs like CAS, VOMS
  • Use of SAML: assertions and queries / "wire protocol"
  • Use of XACML: policy expression / "storage"
  • Requirements
• General enough to be used outside of OGSA too: eg for services' internal use.

What does this get you?
• Standard ways of handling and specifying attributes (eg group membership)
• Standard ways of asking a service if a user with a set of credentials can do a particular action.
• Standard ways of expressing policy about what users can do:
  • in terms of identities, groups, time of day, location, current usage of a resource etc.
• Support for these in the rest of OGSA.

What do you need from Authz?
• Authz systems can provide local enforcement of "permissions".
  • In most cases, can readily be extended to quotas or limits too.
• What hooks are needed to specify these externally?
  • eg as per-user credit limits??
• What about reporting of use to other GESA components?
• Granularity: per site? Per resource? Per "file"?
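The two slides above describe one mechanism: a service asks whether a user holding a set of attributes may perform an action on a resource, and the answer comes from a policy written in terms of group membership, time of day and current usage (a per-user quota). The following is an added example written for this page, not code from the Authz-WG, OGSA or GridPP; it is a toy decision point in that shape. The attribute names (vo_groups, cpu_hours), the group strings, the rule names, the 1000 CPU-hour quota and the off-peak window are all assumed for illustration and are not VOMS, SAML or XACML syntax.

```python
"""Toy attribute-based authorization decision point (added example).

Models the pattern on the slides: a policy enforcement point presents a
request carrying attributes asserted by an attribute authority (VOMS-like
group strings), an action, a resource, an environment attribute (time of
day) and the user's current usage; a policy decision point evaluates
rules over those attributes. Every name and number here is assumed for
illustration only.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    subject_dn: str                 # identity from the user's certificate
    vo_groups: List[str]            # group/role attributes (assumed VOMS-like strings)
    action: str
    resource: str
    now: time                       # environment attribute: time of day
    usage: Dict[str, int] = field(default_factory=dict)  # current per-user usage


@dataclass
class Rule:
    name: str
    effect: str                     # "Permit" or "Deny"
    condition: Callable[[Request], bool]


CPU_HOURS_QUOTA = 1000              # assumed local per-user limit


def in_group(group: str) -> Callable[[Request], bool]:
    return lambda r: group in r.vo_groups


def off_peak(r: Request) -> bool:
    # assumed off-peak window: 20:00 to 06:00
    return r.now >= time(20, 0) or r.now < time(6, 0)


def on_batch(r: Request) -> bool:
    return r.resource.startswith("batch/")


# Policy written in terms of groups, time of day and current usage.
POLICY: List[Rule] = [
    Rule("banned-users", "Deny", in_group("/atlas/banned")),
    Rule("cpu-quota", "Deny",
         lambda r: on_batch(r) and r.action == "submit_job"
         and r.usage.get("cpu_hours", 0) >= CPU_HOURS_QUOTA),
    Rule("production-any-time", "Permit",
         lambda r: on_batch(r) and in_group("/atlas/Role=production")(r)
         and r.action in {"submit_job", "read", "write"}),
    Rule("members-off-peak", "Permit",
         lambda r: on_batch(r) and in_group("/atlas")(r)
         and r.action == "submit_job" and off_peak(r)),
    Rule("members-read", "Permit",
         lambda r: on_batch(r) and in_group("/atlas")(r) and r.action == "read"),
]


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """Deny-overrides combining: any applicable Deny wins over any Permit.

    Returns (decision, rule_name); decision is Permit, Deny or NotApplicable.
    """
    applicable = [rule for rule in policy if rule.condition(req)]
    if not applicable:
        return "NotApplicable", ""
    for rule in applicable:
        if rule.effect == "Deny":
            return "Deny", rule.name
    return "Permit", applicable[0].name


def enforce(policy: List[Rule], req: Request) -> bool:
    """Enforcement point: only an explicit Permit allows the action.

    NotApplicable (no rule matched) is treated as a refusal, so a gap in
    the policy fails closed rather than open.
    """
    decision, _ = evaluate(policy, req)
    return decision == "Permit"


def make_request(groups, action, hour, cpu_hours=0, resource="batch/default"):
    # Constructed sample request; the DN is a placeholder, not a real user.
    return Request("/C=UK/O=eScience/CN=example user", list(groups), action,
                   resource, time(hour, 0), {"cpu_hours": cpu_hours})


if __name__ == "__main__":
    member, prod = ["/atlas"], ["/atlas", "/atlas/Role=production"]
    print(evaluate(POLICY, make_request(prod, "submit_job", 10)))
    print(evaluate(POLICY, make_request(member, "submit_job", 10)))
    print(evaluate(POLICY, make_request(member, "submit_job", 22)))
    print(evaluate(POLICY, make_request(prod, "submit_job", 10, cpu_hours=1000)))
```

The usage figure is passed in as an attribute of the request, which is exactly the hook the second slide asks about: a local authz system can enforce a quota, but something outside it (in the GESA picture, an accounting or reporting component) has to supply the current usage and the limit. Note also that the enforcement point refuses on NotApplicable; a policy that only lists permits must not be read as permitting everything it fails to mention.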