Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Use of VOMS Attributes: semantics and suggestions Vincenzo Ciaschini MWSG 12 Stockholm 12-13/06/07.

Published byAmie Kelley Modified over 9 years ago

Similar presentations

Presentation on theme: "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Use of VOMS Attributes: semantics and suggestions Vincenzo Ciaschini MWSG 12 Stockholm 12-13/06/07."— Presentation transcript:

1 INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Use of VOMS Attributes: semantics and suggestions Vincenzo Ciaschini MWSG 12 Stockholm 12-13/06/07

2 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 2 Index Introduction Groups in detail Roles in detail FQANs in detail Generic Attributes in detail Examples

3 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 3 Introduction What are VOMS attributes? Three broad types: –Groups. –Roles. –Generic Attributes. Different semantics. Usually, not (easily) interchangeable.

4 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 4 GROUPS

5 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 5 Group Attributes Group Attributes are meant to represent an organizational structure: –They are hierarchical. –Membership in a subgroup  Membership in the parent group. Groups are not deniable. –All group membership information will always be returned. Group membership in at least the root group is mandatory. –By convention, the root group has the same name as the VO. –Implies that all users will be in the root group.

6 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 6 Group Attributes Group naming requirements: –A group name may use the following characters:  [a-zA-Z0-9-_.]  ‘/’ is special and should not be used in a group name. See next slide on why. There are no limitations on the length of group names. There are no limitations on the depth of the group tree. Groups are returned in no particular order, except: –The root group will be the first group. –Users may request a specific ordering. No hard-coded requirement on naming standards.

7 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 7 Group Attributes Group representation: –Groups a represented in a filesystem-like way:  /dteam/ce/PL  Means: member of the group PL, which is a subgroup of ce, which is a subgroup of dteam, which is the root group. /dteam/ce/PL implies that the following group will also be returned: – /dteam/ce – /dteam Remember: –Membership in a subgroup  Membership in the parent group. –Group membership is not deniable.

8 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 8 ROLES

9 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 9 Role Attributes Role Attributes are meant to be used when additional privileges are needed. – They are unstructured. Roles are always granted in the context of a specific group. –There are no freestanding roles.  Though you could just assign a role in the main group. Roles are assigned to users, not to groups. I.e: Roles are assigned to users as members of a specified group.

10 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 10 Role Attributes Role naming conventions: –A role name may use the following characters:  [a-zA-Z0-9-_.] –A role name is represented as: /Role= Roles are not normally granted: –Besides having the right to receive them, the user must also explicitly request them.  Normally, no roles are present in the credentials. Special name: NULL –Implies no specific role.  Will be phased out. (see later)

11 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 11 FQAN

12 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 12 FQANs Compact way of representing groups and roles. Syntax: – [/Role= ][/Capability= ] –Example:  /atlas/Role=Production/Capability=NULL Notes: –Parts within [ ] will soon be optional (Voms 1.8). Specifically:  [/Capability= ] is deprecated. Ignore it.  == NULL means no specific role. It is deprecated.  [/Role= ] may only be present when != NULL (voms 1.8) Implementations should be prepared.

13 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 13 FQANs One FQAN for every group. One FQAN for every role. FQANs are returned without any predefined order, except: –The user may specify a preferred order. –If the user does not specify anything, this FQAN will be the first:  /Role=NULL/Capability=NULL Services are not obliged to consider all FQANs for authorization decisions. –But if they do not, then they should consider the first at least, with chosen by the service.

14 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 14 Generic Attributes

15 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 15 Generic Attributes Generic Attributes (GAs) are couples (name, value) –Name and Value are both chosen by the VO admin. They are non deniable. –All of them will always be present in the credentials. There is no structure among them. –Each one is independent of all the others. There may be any number of GAs per user.

16 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 16 Generic Attributes GAs conventions: –Name: ASCII Printable –Value: ASCII Printable GAs may be associated to: –Directly to users.  Only the specific User will receive that specific GA. –To Groups:  All Users of the specified group will receive that specific GA. –To Groups and Roles:  Only Users holding the specified role inside the specified group will receive that specific GA.

17 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 17 Generic Attributes GA Representation: – = (/some/group) –Examples:  userid=vciaschi (/vo)  HLR=hlr.to.infn.it (/vo)  Guarantor=JohnSmith (/vo/group)

18 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 18 Example

19 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 19 Example Authorize all users except a subset: –Solution 1: (using groups)  Put the users that should not be authorized in a group.  Explicitly authorize all groups but that.  Pro: No Deny.  Con: May be daunting if a lot of groups must be specified. –Solution 2: (using groups)  Put the users that should be authorized in a new group.  Authorize only that group.  Pro: Easy configuration.  Con: Group proliferation. Prone to errors

20 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 20 Example Authorize all users except a subset: –Solution 3: (using roles)  Give the users the same role.  Authorize the role.  Pro: Easy configuration  Con: Extra step for users, difficult setup –Solution 4: (using GAs)  Give the same GA to the group.  Authorize only the GA  Pro: Easy to setup.  Con: Difficult if the union of the sibling groups is not the parent group or if the intersection with the blocked group is not null.

21 Enabling Grids for E-sciencE INFSO-RI-508833 To change: View -> Header and Footer 21 Contacts Vincenzo Ciashini (vincenzo.ciaschini@cnaf.infn.it)vincenzo.ciaschini@cnaf.infn.it Valerio Venturi (valerio.venturi@cnaf.infn.it)valerio.venturi@cnaf.infn.it Andrea Ceccanti (andrea.ceccanti@cnaf.infn.it)

Download ppt "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Use of VOMS Attributes: semantics and suggestions Vincenzo Ciaschini MWSG 12 Stockholm 12-13/06/07."

Similar presentations

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.

The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.
Introduction to C Programming

Introduction to C Programming
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Lecture 7 Access Control

Lecture 7 Access Control
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Security Aspects Of Directory Enabled Applications Praerit Garg Program Manager Windows NT Security Microsoft Corporation.

Security Aspects Of Directory Enabled Applications Praerit Garg Program Manager Windows NT Security Microsoft Corporation.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,

INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
Testing. What is Testing? Definition: exercising a program under controlled conditions and verifying the results Purpose is to detect program defects.

Testing. What is Testing? Definition: exercising a program under controlled conditions and verifying the results Purpose is to detect program defects.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Earth Sciences Requirements and Resources OAG Wed 18 May 2005.

INFSO-RI Enabling Grids for E-sciencE Earth Sciences Requirements and Resources OAG Wed 18 May 2005.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Information System on gLite middleware Vincent.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Information System on gLite middleware Vincent.
SE: CHAPTER 7 Writing The Program

SE: CHAPTER 7 Writing The Program
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Voms & Voms-admin report Vincenzo Ciaschini.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Voms & Voms-admin report Vincenzo Ciaschini.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org GRID sites connectivity database design Anthony Teslyuk, RRC KI JRA4, SA2 Meeting 4 th EGEE.

INFSO-RI Enabling Grids for E-sciencE GRID sites connectivity database design Anthony Teslyuk, RRC KI JRA4, SA2 Meeting 4 th EGEE.
Introduction to XML This presentation covers introductory features of XML. What XML is and what it is not? What does it do? Put different related technologies.

Introduction to XML This presentation covers introductory features of XML. What XML is and what it is not? What does it do? Put different related technologies.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

Similar presentations

Ads by Google