Andrew McNab - GGF Authz - 16 Dec 2003 GGF Authorization work Andrew McNab, University of Manchester

Andrew McNab - GGF Authz - 16 Dec 2003 GridPP / EDG / WP6 Outline u Authorization Frameworks WG u Site Authentication, Authorization and Accounting RG u OGSA Authorization WG u VOMS / XACML / GACL

Andrew McNab - GGF Authz - 16 Dec 2003 GridPP / EDG / WP6 Authorization Frameworks and Mechanisms WG u Authz WG set out the terminology and models (push / pull / agent) used in later groups. u Glossary n Brief definition of terms used in Authorization n For each term, includes reference to document that defines it (RFCs, WS-xx etc) u Frameworks document n Discussion of authorization models and classification of existing systems (VOMS etc) with those models u Documents at: n

Andrew McNab - GGF Authz - 16 Dec 2003 GridPP / EDG / WP6 Site Authentication, Authorization and Accounting Requirements RG u One document: n “Grid Authentication Authorization and Accounting Requirements Research Document” u Many, detailed requirements have been captured by this process: n For example is “Authorization policies may change over time. Mechanisms to manage policy specification across the sphere of control of the resource, site, VO, application manager, and user should be provided.“ u Document at: n

Andrew McNab - GGF Authz - 16 Dec 2003 GridPP / EDG / WP6 OGSA-Authz WG in GGF u Attribute format/structure document n Draft document now in mature state after much discussion n Defines vocabulary and profiles for SAML and X.509 attribute certs n (This would benefit from more VOMS input too!) u Assertion protocol document n Defines how to use SAML in authorization callouts u Requirements document n Simple use cases and authorization models (push / pull) u Expression n Assumed will be XACML, but this document not started yet. u Documents at: n

Andrew McNab - GGF Authz - 16 Dec 2003 GridPP / EDG / WP6 XACML subject matching <AttributeValue DataType=“ >John< /AttributeValue> u Some other data types: n urn:oasis:names:tc:xacml:1.0:data-type:x500Name n n urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address u Obviously could add u But need a unique string representation of VOMS attributes too

Andrew McNab - GGF Authz - 16 Dec 2003 GridPP / EDG / WP6 Suggestions for VOMS representation u Use the Fully Qualified Attribute Name (FQAN) u This makes the string opaque - this means repeating parent groups n /VO.name/group n /VO.name/group/subgroup n (VOMS attribute certificates already do this anyway) u Can then use simple string matching n (maybe even regular expressions for wildcard enthusiasts) u But may still want to define a VOMS FQAN data type so can do syntax checking in any validation stage?

Andrew McNab - GGF Authz - 16 Dec 2003 GridPP / EDG / WP6 GACL vs XACML? /vo.org/group <AttributeValue DataType=“ >/vo.org/group/Role=admin< /AttributeValue>

Andrew McNab - GGF Authz - 16 Dec 2003 GridPP / EDG / WP6 Summary u Several relevant documents have been produced by original GGF authorization groups u Very relevant ongoing work in OGSA-Authz n especially in Attribute format document u XACML document in OGSA-Authz not started n some ideas for how to migrate from GACL to XACML