Andrew McNab GESA/Authz, GGF9, 7 Oct 2003 Slide 1
Authorization status
Andrew McNab
High Energy Physics
University of Manchester
http://www.gridpp.ac.uk/authz/
Authz-WG
• Meetings Tokyo, Seattle and here (yesterday)
• Main work is the frameworks document
– describes terminology (IETF/ISO)
– general models for authorization
– components (eg Attribute Authority)
– describes some real systems in these terms
• Also producing a glossary for Authz
• Work of Authz-WG coming to an end
– Final version of documents before next GGF?
– Specifications to be produced elsewhere.
OGSA Authz WG
• First meeting at 4pm today.
• Producing specifications needed for Authorization in OGSA:
– Attributes
  • eg attribute certs like CAS, VOMS
– Use of SAML
  • assertions and queries / “wire protocol”
– Use of XACML
  • expression / “storage”
– Requirements
• General enough to be used outside of OGSA too: eg for services’ internal use.
What does this get you?
• Standard ways of handling and specifying attributes (eg group membership)
• Standard ways of asking a service if a user with a set of credentials can do a particular action.
• Standard ways of expressing policy about what users can do:
– in terms of identities, groups, time of day, location, current usage of a resource etc.
• Support for these in the rest of OGSA.
What do you need from Authz?
• Authz systems can provide local enforcement of “permissions”.
• In most cases, can readily be extended to quotas or limits too.
• What hooks are needed to specify these externally?
– eg as per-user credit limits??
• What about reporting of Use to other GESA components?
– Granularity: Per site? Per resource? Per “file”?
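The two preceding slides describe, in the abstract, what a standard authorization layer gives you (policy over identities, groups, time of day, location and current usage; a standard "can this user do this action?" query) and how permissions extend to quotas or per-user credit limits. The following is an added example, not code from these slides or from any GGF specification: a minimal attribute-based policy decision point written in the spirit of XACML's rule/effect/combining-algorithm model. The Rule and Policy classes, the group table, the credit limits, the subject DNs and the site names are all constructed for illustration; a real deployment would fetch the group attributes from an attribute authority (VOMS, CAS) and express the rules in XACML rather than Python lambdas.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Added example, not code from the GGF slides: a toy attribute-based policy
# decision point (PDP). Rule/effect/combining mirrors the XACML model; the
# Python API and every data value below are constructed for illustration.

Request = Dict[str, object]   # subject, action, resource and environment attributes


@dataclass
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    applies: Callable[[Request], bool]   # target + condition folded into one test


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def decide(self, req: Request) -> str:
        # Deny-overrides combining: one applicable Deny beats any number of Permits.
        effects = [r.effect for r in self.rules if r.applies(req)]
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"   # the enforcement point must treat this as Deny


# Constructed attribute-authority output: group membership keyed by subject DN
GROUPS = {
    "/O=Example/CN=alice": {"atlas", "atlas/admin"},
    "/O=Example/CN=bob": {"atlas"},
}

# Constructed per-subject credit limits and usage counters (the quota hook)
CREDIT_LIMIT = {"/O=Example/CN=bob": 10}
USAGE: Dict[str, int] = {"/O=Example/CN=bob": 9}


def in_group(req: Request, group: str) -> bool:
    return group in GROUPS.get(str(req["subject"]), set())


def within_hours(req: Request, start: int, end: int) -> bool:
    # Environment attribute: hour of day (0-23) at the time of the request.
    return start <= int(req["hour"]) < end


def over_credit(req: Request) -> bool:
    subject = str(req["subject"])
    limit = CREDIT_LIMIT.get(subject)
    return limit is not None and USAGE.get(subject, 0) >= limit


POLICY = Policy(rules=[
    Rule("atlas members may read atlas data", "Permit",
         lambda r: r["action"] == "read"
         and str(r["resource"]).startswith("/atlas/")
         and in_group(r, "atlas")),
    Rule("admins may write atlas data from the home site", "Permit",
         lambda r: r["action"] == "write"
         and str(r["resource"]).startswith("/atlas/")
         and in_group(r, "atlas/admin")
         and r["site"] == "manchester"),
    Rule("no writes outside 08:00-18:00", "Deny",
         lambda r: r["action"] == "write" and not within_hours(r, 8, 18)),
    Rule("credit limit exhausted", "Deny", over_credit),
])


def authorize(subject: str, action: str, resource: str, site: str, hour: int) -> str:
    """The standard question: may this subject perform this action on this resource?"""
    req = {"subject": subject, "action": action, "resource": resource,
           "site": site, "hour": hour}
    return POLICY.decide(req)


def record_use(subject: str, units: int = 1) -> int:
    """Usage-reporting hook: charge units against the subject's counter."""
    USAGE[subject] = USAGE.get(subject, 0) + units
    return USAGE[subject]


if __name__ == "__main__":
    bob = "/O=Example/CN=bob"
    print(authorize("/O=Example/CN=alice", "write", "/atlas/run1", "manchester", 22))
    print(authorize(bob, "read", "/atlas/run1", "cern", 10))
    record_use(bob)
    print(authorize(bob, "read", "/atlas/run1", "cern", 10))
```

Two design points worth noting. First, the combining algorithm is deny-overrides, so an admin's write from the home site is still refused outside working hours even though a Permit rule matches; that is the behaviour you want from rules that express limits. Second, the PDP returns NotApplicable when no rule matches rather than silently permitting, and the enforcement point has to map that to a refusal; a quota is then just one more Deny rule driven by a usage counter that the usage-reporting hook keeps current.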