I2/NMI Update: Signet, Grouper, & GridShib Tom Barton University of Chicago

TF-EMC2 Feb 2005 2

IdMS reality

• Each person’s online activities are shaped by many Sources of Authority (SoAs)

–Resource managers
–Program/activity heads
–Other policy making bodies
–Self

• Common middleware infrastructure should be operated centrally

–To not oblige departments/programs/activities to build their own core middleware

• Management of the information it conveys should be highly distributed

–Hook up all of those SoAs to the middleware

Relative roles of Signet & Grouper

RBAC model

• Users are placed into groups

• Privileges are assigned to groups

• Groups can be arranged into static hierarchies to effectively bestow privileges

• Signet manages privileges

• Grouper manages, well, groups

Signet

Nutshell description of Signet

• Analysts write XML descriptions of “business views” of privileges and store them in the Authority Registry

• Signet UI presents business views found in the Authority Registry

• Authoritative persons use the Signet UI to assign privileges and delegate authority across all “subsystems” in which they have any authority

–Signet UI stores assignments in the Authority Registry

• XML “permissions documents” are exported from the Authority Registry, transformed, and provisioned into integrated systems and infrastructure services

Privileges building blocks

• Business view
–Subsystems
–Categories
–Functions
–Scope
–Limits
–Prerequisites
–Conditions

• System view
–Permissions

• Assignment to
–Individual
–Group
–With/without ability to further delegate

• Proxy assignment

Signet subsystems

• Define domains of ownership and responsibility

• Reflect real world boundaries

• Can be large or small

Examples:
–Financial system
–Student system
–HR system
–Network address plan management
–Network access management
–Research administration
–Clinical resources
–IdMS UI (Person Registry)
–Signet (Authority Registry)
–Grouper (Group Registry)

Authority elements by example

By authority of the Dean                 grantor
principal investigators                  grantee (group)
who have completed training              prerequisite
can approve purchases                    function
in the School of Medicine                scope
for research projects up to $100,000     limits
until January 1, 2006                    condition
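The authority elements above (and the building blocks listed on the earlier slide), as an added example that is not from the original deck or from Signet itself: a small Python model in which one assignment carries each element and a request is allowed only when every element holds. The field names, the placeholder training name and the exclusive reading of "until" are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Assignment:
    """One assignment; field names follow the slide's authority elements."""
    grantor: str                 # "by authority of the Dean"
    grantee: str                 # a subject name or a Grouper group name
    prerequisite: Optional[str]  # training the grantee must have completed
    function: str                # what the grantee may do
    scope: str                   # where the function applies
    limit: int                   # upper bound on the amount, in dollars
    condition_until: date        # the assignment stops applying at this date

@dataclass
class Subject:
    name: str
    groups: set = field(default_factory=set)              # e.g. resolved from Grouper
    completed_training: set = field(default_factory=set)

def is_authorized(a: Assignment, who: Subject, function: str, scope: str,
                  amount: int, on: date) -> bool:
    """Every element must hold for the request; any one failing denies it."""
    if function != a.function or scope != a.scope:
        return False
    if who.name != a.grantee and a.grantee not in who.groups:
        return False
    if a.prerequisite and a.prerequisite not in who.completed_training:
        return False
    if amount > a.limit:
        return False
    if on >= a.condition_until:   # "until" read as exclusive (assumption)
        return False
    return True

# Constructed data mirroring the slide's example (the training is unnamed on
# the slide, so "training" is a placeholder)
DEAN_ASSIGNMENT = Assignment(
    grantor="Dean", grantee="principal investigators", prerequisite="training",
    function="approve purchases", scope="School of Medicine",
    limit=100_000, condition_until=date(2006, 1, 1))

def pi(name: str, trained: bool = True) -> Subject:
    """Constructed helper: a principal investigator, trained unless told otherwise."""
    return Subject(name, {"principal investigators"}, {"training"} if trained else set())

def may_approve(who: Subject, amount: int, year: int, month: int, day: int) -> bool:
    """Constructed wrapper: evaluate a purchase request against the Dean's assignment."""
    return is_authorized(DEAN_ASSIGNMENT, who, "approve purchases",
                         "School of Medicine", amount, date(year, month, day))
```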

Business view system permissions

Provisioning permissions into systems

Provisioning permissions into infrastructure

Grouper groups

• Attributes of groups
–Names: name, displayName, guid
–Description
–Members
–Can extend the set of attributes to support groups with more specific purposes

• Subgroups, compound groups, and aging

• Stored in an RDBMS, the Group Registry

Group namespaces

• Groups are created within namespaces

• Namespaces scope the authority to create and name groups

• Namespaces can be arranged hierarchically, if desired

faculties                    namespace
faculties:arts               namespace
faculties:arts:all_staff     group

Grouper privileges

• Access privileges
–Who has what access (read, write) to a group’s attributes

• Naming privileges
–Who can create a group in each namespace
–Who can create a new namespace subordinate to an existing one

• Privilege interfaces are abstracted
–Can use an external privilege management system, like Signet

• Grouper’s built-in privilege management
–Subgroups, compound groups, and aging can be used to manage privileges with built-in capability

Access privileges

• VIEW controls to whom a group is visible or hidden

• READ information, especially membership, about a group

• UPDATE membership

• ADMIN can modify everything, including group name, description, & access privileges, and can delete the group

• OPTIN can add self to the members list

• OPTOUT can remove self from the members list

Naming privileges

• CREATE a group in a given namespace

–The creator is automatically given ADMIN priv

• STEM privilege in a given namespace enables:

–Assignment of CREATE and STEM privileges for the namespace

–Creation of subordinate namespaces
• The creator is automatically given STEM priv

Three ways to distribute group management

• Create a group and assign someone UPDATE privilege to it

–Manage the group’s membership

• Create a group and assign someone ADMIN privilege to it

–Manage who manages the group’s membership and who can see what about the group

• Create a namespace and assign someone STEM privilege to it

–Manage who can create groups with constraint on how they are named
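The three delegation patterns above, together with the CREATE/STEM and access privilege rules from the two preceding slides, as an added Python model that is not the Grouper API or any code from the project: the privilege names are the slide's; class and method names, and the assumption that ADMIN subsumes UPDATE, are this example's own.

```python
class Denied(Exception):
    pass

class Registry:
    def __init__(self, root: str, root_admin: str):
        # naming privileges per stem (namespace) and access privileges per group,
        # both as name -> subject -> set of privileges
        self.naming = {root: {root_admin: {"STEM", "CREATE"}}}
        self.access = {}
        self.members = {}   # group -> set of member subjects

    def _require(self, table, name, actor, *privs):
        if not table.get(name, {}).get(actor, set()) & set(privs):
            raise Denied(f"{actor} lacks {'/'.join(privs)} on {name}")

    def create_stem(self, parent, child, actor):
        self._require(self.naming, parent, actor, "STEM")
        name = f"{parent}:{child}"
        self.naming[name] = {actor: {"STEM"}}             # creator automatically gets STEM
        return name

    def grant_naming(self, stem, priv, target, actor):   # priv is CREATE or STEM
        self._require(self.naming, stem, actor, "STEM")   # STEM lets one assign both
        self.naming[stem].setdefault(target, set()).add(priv)

    def create_group(self, stem, child, actor):
        self._require(self.naming, stem, actor, "CREATE")
        name = f"{stem}:{child}"
        self.access[name] = {actor: {"ADMIN"}}            # creator automatically gets ADMIN
        self.members[name] = set()
        return name

    def grant_access(self, group, priv, target, actor):  # priv is one of the six access privs
        self._require(self.access, group, actor, "ADMIN")  # only ADMIN edits access privs
        self.access[group].setdefault(target, set()).add(priv)

    def add_member(self, group, subject, actor):
        # OPTIN lets a subject add only itself; anyone else needs UPDATE
        # (ADMIN is assumed to subsume UPDATE, since it "can modify everything")
        if actor != subject or "OPTIN" not in self.access[group].get(actor, set()):
            self._require(self.access, group, actor, "UPDATE", "ADMIN")
        self.members[group].add(subject)

def allowed(op, *args) -> bool:
    """True if the registry operation succeeds, False if it is denied."""
    try:
        op(*args)
        return True
    except Denied:
        return False
```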

Signet & Grouper

• Subject Interface
–Component common to both to integrate with external IdMS

• Now available
–Grouper API v0.5. Basic group management by automation processes
–Demo release of Signet

• By Spring Internet2 meeting
–Grouper v0.6. First complete release, including the UI

• Initial production ready release of Signet anticipated middle of 2005

What is GridShib?

• NSF Middleware Initiative (NMI) Grant: “Policy Controlled Attribute Framework”

• Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4

• 2 year project starting December 1, 2004

• Participants
–Von Welch, UIUC/NCSA (PI)
–Kate Keahey, UChicago/Argonne (PI)
–Frank Siebenlist, Argonne
–Tom Barton, UChicago

GridShib integration principles

• No modification to typical grid client applications

• Leverage high-quality campus IdMS operations
–Attributes
–Attribute release policies

• Leverage high-quality Shib and Grid software

Basic use case

Diagram (components only): grid-proxy-init; SIA: IdP ID(s); GT4 runtime; attribute marshalling pipeline; shib AA; LionShare-like trust plugin; EEC; online CA. Steps numbered -2 through 5.

Managing the attributes marshalled by GridShib

Grid resource, user, and SoAs for user attributes may be in different administrative domains.

How to manage attributes marshalled from which AA?

Shibbolized Signet & Grouper might help…