
AuthZ WG Conceptual Grid Authorization Framework document Presentation of Chapter 2 GGF8 Seattle June 25th 2003 Document AID 222 draft-ggf-authz-framework-20030606.pdf.


1 AuthZ WG Conceptual Grid Authorization Framework document. Presentation of Chapter 2. GGF8, Seattle, June 25th 2003. Document AID 222, draft-ggf-authz-framework-20030606.pdf. Leon Gommans, University of Amsterdam

2 Chapter 2: Authorization framework concepts
The foundations of chapters 2 & 3 are RFC 2903, RFC 2904 and ISO/IEC 10181-3.
The term authorization may point at:
- the decision to issue a right;
- the possession of, or a reference to, a right;
- the verification of a right.
Within the Grid context we recognize 3 basic entities which have (trust) relationships: Subject, Resource, Authority.
[Figure: Typical trust relationships between Subject, Resource and Authority]
GGF 8 - 06/25/03 - AuthZ WG / L.Gommans


4 Subject: Any entity with a certain identity that can request, receive, own, transfer, present or delegate an electronic authorization so as to exercise a certain right. Informally, a subject is any user of a service or resource. The subject may be identified as an individual user or as a member of a group of users. A subject may also be a process that acts on behalf of a user and as such assumes some delegated form of identity. The subject may define a set of policies that determine how its authorization is used.

5 Resource: A component of the system that provides or hosts services and enforces access to these services based on a set of rules and policies defined by entities that are authoritative for the particular resource. Typically, in Grid environments a resource is a computer providing compute cycles or data storage through a set of services it offers.

6 Authority: An administrative entity that is capable of and authoritative for issuing, validating and revoking an electronic means of proof, such that the subject and/or owner of the issued electronic means is authorized to exercise a certain right or assert a certain attribute. Right(s) may be implicitly or explicitly present in the electronic proof. A set of policies may determine how authorizations are issued, verified, etc., based on the contractual relationships the Authority has established.

7 Different Authority types
Commonly used authority types for authorization are:
- Attribute Authority
- Policy Authority
A Certification Authority (CA) may be used to make an authorization (certificate) authentic.

8 Authorization is frequently split into three distinct processes:
1) Definition: a person or organization defines an authorization policy at a high level.
2) Implementation: the high-level policy is translated into a certain executable form.
3) Evaluation: the executable policy is evaluated by a process which subsequently decides to issue a specific authorization to a subject or to take a specific action.
The component performing the latter step, computing an authorization decision on behalf of the authorities, is sometimes referred to as an Authorization Server.

9 Evaluation sequences according to RFC 2904, in the new terms (Subject, Resource, Authority)
[Figure: three message-sequence diagrams, each with steps 1 to 4, as defined in RFC 2904]
Pull model: 1 Subject -> Resource, 2 Resource -> Authority, 3 Authority -> Resource, 4 Resource -> Subject.
Agent model: 1 Subject -> Authority, 2 Authority -> Resource, 3 Resource -> Authority, 4 Authority -> Subject.
Push model: 1 Subject -> Authority, 2 Authority -> Subject (proof), 3 Subject -> Resource (proof), 4 Resource -> Subject.
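The following is an added example, not part of the slides or the AuthZ WG document: a small Python model of slide 8's definition / implementation / evaluation split together with the three RFC 2904 sequences of slide 9, expressed in the framework's terms Subject, Resource and Authority. The policy format, the subject and resource names, the attribute directory and the HMAC-signed proof are constructed assumptions for illustration; the framework does not prescribe them, and real Grid deployments carried the electronic means of proof in signed certificates rather than a shared-key MAC.

```python
# Added example (not from the GGF slides or the AuthZ WG document): slide 8's
# definition -> implementation -> evaluation split, and the three RFC 2904
# evaluation sequences of slide 9 in the framework's terms (Subject, Resource,
# Authority). Policy format, names and the HMAC proof are assumptions; real
# Grid deployments used signed certificates as the electronic means of proof.
import hashlib, hmac, json

# Step 1, definition: high-level policy written by an administrator (constructed).
HIGH_LEVEL_POLICY = [
    {"group": "physics", "resource": "cluster-a", "rights": ["submit_job"]},
    {"group": "bio", "resource": "cluster-a", "rights": ["submit_job", "read_data"]},
]
# Constructed attribute directory held by the home-domain Authority.
SUBJECT_ATTRIBUTES = {"alice": {"groups": ["physics"]}, "bob": {"groups": ["bio"]},
                      "mallory": {"groups": []}}


def compile_policy(rules):
    """Step 2, implementation: compile rules into an executable decision function."""
    table = {}
    for r in rules:
        table.setdefault((r["group"], r["resource"]), set()).update(r["rights"])
    return lambda attrs, res, right: any(right in table.get((g, res), ())
                                         for g in attrs.get("groups", []))


class Authority:
    """Home-domain authority. Step 3: evaluates the executable policy (the
    Authorization Server role) and issues an electronic means of proof."""
    def __init__(self, key, attributes, decide):
        self.key, self.attributes, self.decide = key, attributes, decide

    def evaluate(self, subject, resource, right):
        return self.decide(self.attributes.get(subject, {}), resource, right)

    def issue_proof(self, subject, resource, right, now, ttl=300):
        """(body, mac) bound to subject, resource, right and expiry; None if denied."""
        if not self.evaluate(subject, resource, right):
            return None
        body = json.dumps({"sub": subject, "res": resource, "right": right,
                           "exp": now + ttl}, sort_keys=True).encode()
        return body, hmac.new(self.key, body, hashlib.sha256).hexdigest()


class Resource:
    """Service-domain resource: enforces, but does not define, the policy. Its
    trust relationship with the Authority is the key used to check proofs."""
    def __init__(self, name, authority, key):
        self.name, self.authority, self.key = name, authority, key

    def verify_proof(self, proof, subject, right, now):
        body, mac = proof
        if not hmac.compare_digest(mac, hmac.new(self.key, body, hashlib.sha256).hexdigest()):
            return False
        c = json.loads(body)  # audience binding: wrong resource/subject/right or expired -> deny
        return c["sub"] == subject and c["res"] == self.name and c["right"] == right and c["exp"] > now


def pull_sequence(subject, resource, right):
    """Pull: Subject->Resource, Resource->Authority, Authority->Resource, Resource->Subject."""
    ok = resource.authority.evaluate(subject, resource.name, right)
    return ok, [("Subject", "Resource", f"request {right}"), ("Resource", "Authority", "decision?"),
                ("Authority", "Resource", str(ok)), ("Resource", "Subject", "granted" if ok else "denied")]


def push_sequence(subject, resource, right, now):
    """Push: Subject->Authority, Authority->Subject (proof), Subject->Resource (proof), Resource->Subject."""
    seq = [("Subject", "Authority", f"proof for {right} on {resource.name}?")]
    proof = resource.authority.issue_proof(subject, resource.name, right, now)
    if proof is None:
        return False, seq + [("Authority", "Subject", "refused")]
    ok = resource.verify_proof(proof, subject, right, now)
    return ok, seq + [("Authority", "Subject", "proof"), ("Subject", "Resource", f"request {right} + proof"),
                      ("Resource", "Subject", "granted" if ok else "denied")]


def agent_sequence(subject, resource, right):
    """Agent: Subject->Authority, Authority->Resource, Resource->Authority, Authority->Subject."""
    ok = resource.authority.evaluate(subject, resource.name, right)
    seq = [("Subject", "Authority", f"request {right} on {resource.name}")]
    if ok:
        seq += [("Authority", "Resource", "provision access"), ("Resource", "Authority", "ack")]
    return ok, seq + [("Authority", "Subject", "granted" if ok else "denied")]


KEY = b"constructed-shared-key"  # assumption: key shared between Authority and Resources
AUTHORITY = Authority(KEY, SUBJECT_ATTRIBUTES, compile_policy(HIGH_LEVEL_POLICY))
CLUSTER_A = Resource("cluster-a", AUTHORITY, KEY)
CLUSTER_B = Resource("cluster-b", AUTHORITY, KEY)  # no policy grants anything here

if __name__ == "__main__":
    for label, (ok, seq) in [("pull", pull_sequence("alice", CLUSTER_A, "submit_job")),
                             ("push", push_sequence("bob", CLUSTER_A, "read_data", now=1000)),
                             ("agent", agent_sequence("mallory", CLUSTER_A, "submit_job"))]:
        print(label, "granted" if ok else "denied",
              *(f"\n  {i}. {s} -> {d}: {m}" for i, (s, d, m) in enumerate(seq, 1)))
```

In the pull and agent sequences the Resource or the Authority must reach the other administrative domain at request time; the push sequence moves that trust into the proof the Subject carries, which is why the Resource checks not just the MAC but also that the proof names this resource, this subject and this right and has not expired. Without that audience binding a proof issued for cluster-a would be accepted by cluster-b.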

10 Domain considerations
In authorization scenarios there are at least two administrative domains: a home domain and a service domain.
[Figure: Subject, Resource and Authority placed across the home domain and the service domain]

11 Contractual & trust relationships
One must recognize and understand the involved contractual relationships and map the trust relationships to fully understand the sequences.
[Figure: Subject, Resource and Authority across the home domain and the service domain, with contractual relationships and trust relationships marked]


13 Thank you ! lgommans@science.uva.nl

