perfSONAR developer workshop - Zagreb, 7th-9th April 08 1.14 AuthN and AuthR Where we have come from… Where we are going to… Cándido Rodríguez [email protected]

AuthN and AuthR Where we have come from… Where we are going to…


Page 1: AuthN and AuthR Where we have come from… Where we are going to…

AuthN and AuthR
Where we have come from…
Where we are going to…

Cándido Rodríguez [email protected]

Page 2: AuthN and AuthR Where we have come from… Where we are going to…

Agenda

1. Status of the authN

2. A brief overview of the authR

3. Impact analysis

Page 3: AuthN and AuthR Where we have come from… Where we are going to…

Status of the AuthN

AuthN is available in MDM perfSONAR 3.0

Page 4: AuthN and AuthR Where we have come from… Where we are going to…

Status of the AuthN

Client from USA
  • Services in USA don't need authn information -> OK
  • Services in Europe require authn -> NO

Page 5: AuthN and AuthR Where we have come from… Where we are going to…

Status of the AuthN

Client from Europe
  • Services in USA don't need authn information -> OK
  • Services in Europe require authn -> OK

Page 6: AuthN and AuthR Where we have come from… Where we are going to…

Status of the AuthN

Summarizing
  • USA teams cannot send messages to European perfSONAR services
      • Workaround: accounts in the GIdP
      • When Internet2 and ESnet in eduGAIN?
  • RNP has started to join eduGAIN
      • Adding its own CA
  • EU teams can send messages to any perfSONAR service
  • The authN doesn't affect the NMWG message!

Page 7: AuthN and AuthR Where we have come from… Where we are going to…

Agenda

1. Status of the authN

2. A brief overview of the authR

3. Impact analysis

Page 8: AuthN and AuthR Where we have come from… Where we are going to…

A brief overview of the AuthR

  • pSRs want to check if a user/client is allowed to do the requested action
  • The AuthR process implies the AuthN process
  • An AuthR request contains
      • Subject: specifies which user is doing an action
      • Action: specifies which action the user is trying to do
      • Resource: specifies in which place the user is trying to do the action
  • An AuthR response contains
      • Status code
      • [Optionally] User's attributes in a SAML assertion

Page 9: AuthN and AuthR Where we have come from… Where we are going to…

A brief overview of the AuthR

Authorization scenario
  • Subject: who has sent the message to the pSR. It's a URN
      urn:geant:edugain:component:be:%fed%:user:%username%
  • Resource: which pSR has received the message. It's a URN
      …:component:perfsonarresource:%fed%:%id_resource%:%uri_service%
  • Action: who has sent the message to the pSR. It's a URI
      http://schemas.perfsonar.net/tools/admin/echo/2.0

Page 10: AuthN and AuthR Where we have come from… Where we are going to…

A brief overview of the AuthR

Delegated-based authorization scenario
  • Subjects: who has sent the message to the pSR and using which client. They are URNs
      urn:geant:edugain:component:be:%fed%:user:%username%
      …:component:perfsonarclient:%fed%:%id_client%
  • Resource: which pSR has received the message. It's a URN
  • Action: who has sent the message to the pSR. It's a URI
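The non-delegated request from the authorization scenario above, sketched as an added example (not code from the slides or from perfSONAR): it parses the subject and resource URNs and evaluates a default-deny policy over the subject/resource/action triple. The policy layout, the "Permit"/"Deny" status names, the "urn:example" prefix and all sample values are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Subject URN layout as shown on the slide: ...:be:%fed%:user:%username%
SUBJECT_RE = re.compile(r"^urn:geant:edugain:component:be:([^:]+):user:(.+)$")
# The slide elides the resource URN prefix ("…"), so only the visible tail is
# matched; %uri_service% is itself a URI and may contain ':'.
RESOURCE_RE = re.compile(r":component:perfsonarresource:([^:]+):([^:]+):(.+)$")

ECHO_ACTION = "http://schemas.perfsonar.net/tools/admin/echo/2.0"  # from the slide


class AuthRRequest(NamedTuple):
    subject: str   # who sent the message to the pSR
    resource: str  # which pSR received it
    action: str    # URI of the requested action


def parse_subject(urn: str) -> Optional[tuple]:
    m = SUBJECT_RE.match(urn)
    return m.groups() if m else None  # (fed, username)


def parse_resource(urn: str) -> Optional[tuple]:
    m = RESOURCE_RE.search(urn)
    return m.groups() if m else None  # (fed, id_resource, uri_service)


def decide(req: AuthRRequest, policy: dict) -> str:
    """Return a status code; "Permit"/"Deny" are assumed names, not perfSONAR's."""
    subject, resource = parse_subject(req.subject), parse_resource(req.resource)
    if subject is None or resource is None:
        return "Deny"  # fail closed on anything that does not parse
    user_fed, _username = subject
    _res_fed, id_resource, _uri_service = resource
    # Hypothetical policy shape: (user federation, resource id) -> allowed actions
    allowed = policy.get((user_fed, id_resource), set())
    return "Permit" if req.action in allowed else "Deny"


# Constructed sample data: federation, user, resource id and host are made up,
# and "urn:example" stands in for the prefix the slide elides.
POLICY = {("fedA", "res1"): {ECHO_ACTION}}
REQUEST = AuthRRequest(
    subject="urn:geant:edugain:component:be:fedA:user:alice",
    resource="urn:example:component:perfsonarresource:fedA:res1:"
             "http://ps.example.org:8080/services/MP",
    action=ECHO_ACTION,
)
```
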

Page 11: AuthN and AuthR Where we have come from… Where we are going to…

Agenda

1. Status of the authN

2. A brief overview of the authR

3. Impact analysis

Page 12: AuthN and AuthR Where we have come from… Where we are going to…

Impact analysis

  • AS with authR support
      • Available by the end of June
  • Need a powerful policy editor in the webadmin
      • After finishing all authR developments
  • perfSONAR service's perspective
      • AuthR component and the authR library by summer
      • From authN component to authR component
          • Minimal impact: only new line in service.properties
      • Using the authR library
          • As complicated as the authN one

Page 13: AuthN and AuthR Where we have come from… Where we are going to…

Impact analysis

  • Client's perspective
      • If the client doesn't need attributes
          • No change
      • If the client needs attributes
          • An authR library will be released by fall

Page 14: AuthN and AuthR Where we have come from… Where we are going to…

Edificio CICA, Campus Universitario
Avenida Reina Mercedes s/n
41012 Sevilla. España

Tel.: 95 505 66 00
Fax: 95 505 66 51
www.red.es
www.rediris.es