
Andrew McNab - GGF Authz - 16 Dec 2003 GGF Authorization work Andrew McNab, University of Manchester




1 GGF Authorization work
Andrew McNab, University of Manchester
mcnab@hep.man.ac.uk

2 GridPP / EDG / WP6
Outline
- Authorization Frameworks WG
- Site Authentication, Authorization and Accounting RG
- OGSA Authorization WG
- VOMS / XACML / GACL

3 Authorization Frameworks and Mechanisms WG
- Authz WG set out the terminology and models (push / pull / agent) used in later groups.
- Glossary
  - Brief definition of terms used in Authorization
  - For each term, includes reference to the document that defines it (RFCs, WS-xx etc)
- Frameworks document
  - Discussion of authorization models and classification of existing systems (VOMS etc) with those models
- Documents at:
  - http://forge.gridforum.org/projects/authz-wg

4 Site Authentication, Authorization and Accounting Requirements RG
- One document:
  - "Grid Authentication Authorization and Accounting Requirements Research Document"
- Many detailed requirements have been captured by this process:
  - For example 2.4.8.1 is "Authorization policies may change over time. Mechanisms to manage policy specification across the sphere of control of the resource, site, VO, application manager, and user should be provided."
- Document at:
  - http://forge.gridforum.org/projects/saaa-rg

5 OGSA-Authz WG in GGF
- Attribute format/structure document
  - Draft document now in mature state after much discussion
  - Defines vocabulary and profiles for SAML and X.509 attribute certs
  - (This would benefit from more VOMS input too!)
- Assertion protocol document
  - Defines how to use SAML in authorization callouts
- Requirements document
  - Simple use cases and authorization models (push / pull)
- Expression
  - Assumed will be XACML, but this document not started yet.
- Documents at:
  - http://forge.gridforum.org/projects/ogsa-authz

6 XACML subject matching
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
- Some other data types:
  - urn:oasis:names:tc:xacml:1.0:data-type:x500Name
  - http://www.ietf.org/rfc/rfc2256.txt#userPassword
  - urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
- Obviously could add http://something/something-voms
- But need a unique string representation of VOMS attributes too

7 Suggestions for VOMS representation
- Use the Fully Qualified Attribute Name (FQAN)
- This makes the string opaque - this means repeating parent groups
  - /VO.name/group
  - /VO.name/group/subgroup
  - (VOMS attribute certificates already do this anyway)
- Can then use simple string matching
  - (maybe even regular expressions for wildcard enthusiasts)
- But may still want to define a VOMS FQAN data type so can do syntax checking in any validation stage?

8 GACL vs XACML?
GACL: /vo.org/group
XACML: <AttributeValue DataType="http://voms.standard.url/">/vo.org/group/Role=admin</AttributeValue>
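An added example covering slides 6 to 8 (not code from the talk, from VOMS or from any XACML implementation): an FQAN syntax check of the kind a dedicated VOMS data type would allow, the opaque-string matching the slides propose (including a wildcard for the "regular expressions" case), and a DataType check on an XACML AttributeValue so that a plain xs:string subject like "John" is never read as a VOMS attribute. The FQAN grammar, the NULL normalisation, the trailing "/*" wildcard and the use of http://voms.standard.url/ as the DataType are assumptions made here.

```python
import re
import xml.etree.ElementTree as ET

# Assumed DataType URI for VOMS FQANs; the slides use this placeholder.
VOMS_FQAN_DATATYPE = "http://voms.standard.url/"

# Assumed FQAN grammar: /vo/group[/subgroup ...][/Role=r][/Capability=c]
_FQAN_RE = re.compile(
    r"^(?P<groups>(?:/[A-Za-z0-9._-]+)+)"
    r"(?:/Role=(?P<role>[A-Za-z0-9._-]+))?"
    r"(?:/Capability=(?P<cap>[A-Za-z0-9._-]+))?$"
)

def parse_fqan(fqan):
    """Syntax-check an FQAN and split it into group path, Role and Capability.
    'NULL', VOMS's spelling of an absent Role/Capability, is normalised to None.
    Raises ValueError on malformed input: the check a VOMS FQAN data type would
    let a validation stage perform before any string matching happens."""
    m = _FQAN_RE.match(fqan)
    if not m:
        raise ValueError("malformed FQAN: %r" % fqan)
    return {k: (None if v in (None, "NULL") else v) for k, v in m.groupdict().items()}

def fqan_matches(policy_fqan, user_fqan):
    """Opaque-string matching of a policy FQAN against an FQAN the user presents.
    Group paths must be equal; a policy path ending in '/*' (assumed wildcard)
    also matches any subgroup, which works because the FQAN repeats parent
    groups. Role/Capability named in the policy must equal the user's; if the
    policy omits them, any value is accepted."""
    wildcard = policy_fqan.endswith("/*")
    p = parse_fqan(policy_fqan[:-2] if wildcard else policy_fqan)
    u = parse_fqan(user_fqan)
    if wildcard:
        if u["groups"] != p["groups"] and not u["groups"].startswith(p["groups"] + "/"):
            return False
    elif p["groups"] != u["groups"]:
        return False
    return all(p[k] is None or p[k] == u[k] for k in ("role", "cap"))

def attribute_value_fqan(xml_text):
    """Pull the FQAN out of an XACML <AttributeValue> element. Returns None
    unless DataType is the VOMS FQAN type, so values of other data types are
    never compared as if they were VOMS attributes."""
    el = ET.fromstring(xml_text)
    if el.tag != "AttributeValue" or el.get("DataType") != VOMS_FQAN_DATATYPE:
        return None
    return parse_fqan((el.text or "").strip())
```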

9 Summary
- Several relevant documents have been produced by the original GGF authorization groups
- Very relevant ongoing work in OGSA-Authz
  - especially in the Attribute format document
- XACML document in OGSA-Authz not started
  - some ideas for how to migrate from GACL to XACML

