Page 1: Authorization status

Andrew McNab GESA/Authz, GGF9, 7 Oct 2003 Slide 1

Authorization status

Andrew McNab

High Energy Physics
University of Manchester

http://www.gridpp.ac.uk/authz/

Page 2: Authorization status


Authz-WG

• Meetings Tokyo, Seattle and here (yesterday)

• Main work is the frameworks document
  – describes terminology (IETF/ISO)
  – general models for authorization
  – components (eg Attribute Authority)
  – describes some real systems in these terms

• Also producing a glossary for Authz

• Work of Authz-WG coming to an end
  – Final version of documents before next GGF?
  – Specifications to be produced elsewhere.

Page 3: Authorization status


OGSA Authz WG

• First meeting at 4pm today.

• Producing specifications needed for Authorization in OGSA:
  – Attributes
    • eg attribute certs like CAS, VOMS
  – Use of SAML
    • assertions and queries / “wire protocol”
  – Use of XACML
    • expression / “storage”
  – Requirements

• General enough to be used outside of OGSA too: eg for services’ internal use.

Page 4: Authorization status


What does this get you?

• Standard ways of handling and specifying attributes (eg group membership)

• Standard ways of asking a service if a user with a set of credentials can do a particular action.

• Standard ways of expressing policy about what users can do:
  – in terms of identities, groups, time of day, location, current usage of a resource etc.

• Support for these in the rest of OGSA.

Page 5: Authorization status


What do you need from Authz?

• Authz systems can provide local enforcement of “permissions”.

• In most cases, can readily be extended to quotas or limits too.

• What hooks are needed to specify these externally?
  – eg as per-user credit limits??

• What about reporting of Use to other GESA components?
  – Granularity: Per site? Per resource? Per “file”?
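As an added example, not from the slides or any GGF specification: a small policy decision point in the PEP/PDP spirit the XACML slide refers to, showing what slides 4 and 5 describe, a standard query asking whether a subject with a given set of attributes may perform an action, with policy written in terms of groups, time of day, location and current usage, including a per-user quota. The identities, group names, site name and quota value are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed example of an attribute-based policy decision point (PDP).
# A policy enforcement point (PEP) inside a service hands it the subject's
# attributes (identity, groups), the action, the resource and environment
# facts (time of day, location, current usage) and receives a decision.

@dataclass(frozen=True)
class Request:
    identity: str        # subject distinguished name (constructed values below)
    groups: frozenset    # attribute-derived group memberships, eg from a VO
    action: str          # "read" or "write"
    resource: str
    hour: int            # local hour of day, 0-23
    location: str        # site the request comes from
    usage_mb: int        # subject's current usage of the resource, for quotas

@dataclass(frozen=True)
class Rule:
    effect: str                          # "Permit" or "Deny"
    matches: Callable[[Request], bool]   # target/condition test

def decide(rules: List[Rule], req: Request) -> str:
    """Deny-overrides combining: any matching Deny wins, then any matching
    Permit, otherwise NotApplicable (the PEP treats that as a refusal)."""
    effects = {r.effect for r in rules if r.matches(req)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

# Constructed policy: VO members may read during working hours from the
# local site and may write from the local site; admins may do anything;
# writes are refused once the per-user quota of 1000 MB is used up
# (the kind of local quota/limit slide 5 mentions); a revoked DN is denied.
POLICY = [
    Rule("Permit", lambda r: "admin" in r.groups),
    Rule("Permit", lambda r: "vo-members" in r.groups and r.action == "read"
                             and 8 <= r.hour < 18 and r.location == "manchester"),
    Rule("Permit", lambda r: "vo-members" in r.groups and r.action == "write"
                             and r.location == "manchester"),
    Rule("Deny", lambda r: r.action == "write" and r.usage_mb >= 1000),
    Rule("Deny", lambda r: r.identity == "/C=UK/O=eScience/CN=revoked user"),
]

def pep_allows(req: Request, policy: List[Rule] = POLICY) -> bool:
    """The enforcement side: only an explicit Permit grants access."""
    return decide(policy, req) == "Permit"
```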