Authz work in GGF - PowerPoint PPT Presentation

Provided by: david2256
Learn more at: http://www.ggf.org

Transcript and Presenter's Notes

1
Authz work in GGF
  • David Chadwick
  • d.w.chadwick_at_kent.ac.uk

2
Previous Work of OGSA Authz
  • Have specified the GGF Authorisation
    Specification "Use of SAML for OGSA Authorization"
  • This provides a callout from a Grid application
    to any authorisation service, using extensions to
    the OASIS Security Assertion Markup Language
    (SAML) v1.1
  • GT3.3 and GT4 have implemented this callout
  • PERMIS and PRIMEA were the first authorisation
    infrastructures to implement this specification

3
OGSA Authz Protocol
Diagram (labels only): a GRID Application runs on Grid Middleware (e.g. GT), which exchanges OGSA SAML authz requests/responses with the OGSA Authorisation Service.
4
But SAML has its limitations
  • No support for obligations
  • This means it can't support responses such as
    "Granted, subject to the following restriction"
  • No support for action parameters
  • This means that authorisation decisions cannot be
    based on parameters of the user's request, such
    as the amount of resource requested, the priority
    of the request, etc.
  • So, we are now working on a second generation of
    Authz protocols

5
New Direction
  • We are splitting up Authz into its functional
    components
  • Access control decision making
  • Authorisation Credential Validation (Note.
    different from PKI credential validation!)
  • Optional fetching of additional authz credentials
    (credential pull model)
  • Looking at different ways of architecting these
    components
  • Specifying protocols for interacting with these
    components
  • Two protocol IDs have been produced so far, one
    for making an access control decision, the other
    for authz credential validation

6
Functional Components
Diagram (labels only):
  • Components: Grid User, Policy Enforcement Point, GRID target resource,
    Credential Validation Service (governed by the Authz Credential
    Validation Policy), Access Control Service (governed by the Access
    Control Policy), Credential Retriever
  • Messages: Grid access request (Grid User to Policy Enforcement Point);
    Validate these user Authz Credentials / Return valid attributes
    (Credential Validation Service); Access Control Request / Granted or
    denied (Access Control Service); Fetch Authz Credentials for this user
    / Users Authz Credentials (Credential Retriever); Authorised request
    (Policy Enforcement Point to GRID target resource)
7
Separate Functional Components
Diagram (labels only):
  • Components: Grid User, PEP, GRID target resource, CVS (governed by the
    Authz Credential Validation Policy), PDP (governed by the Access
    Control Policy), Authz Credential Retriever
  • Messages: Grid access request (Grid User to PEP); Validate User Authz
    Credentials / Return valid attributes (PEP and CVS; draft for this
    based on WS-Trust and SAML); XACML Authz Decision Query / XACML Authz
    Decision Statement (PEP and PDP; draft for this based on XACML); Fetch
    Additional Credentials for this user / Users Credentials (Authz
    Credential Retriever); Authorised request (PEP to GRID target resource)
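As an added illustration of the functional split in slides 5 to 7 (this is not code from the slides or from any GGF specification), here is a small Python model of the three components: a Credential Retriever (credential pull model), a CVS applying a credential validation policy, and a PDP applying an access control policy that uses action parameters and can attach an obligation to a grant. All issuers, subjects, policies and resource limits are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    """An authz credential: an issuer asserts an attribute value for a subject."""
    subject: str
    issuer: str
    attribute: str
    value: str

# Authz Credential Validation Policy (constructed): issuers trusted per attribute.
CV_POLICY = {"role": {"kent-attribute-authority"}, "project": {"vo-manager"}}

# Constructed credential store that the Credential Retriever pulls from.
CREDENTIAL_STORE = [
    Credential("alice", "kent-attribute-authority", "role", "researcher"),
    Credential("alice", "vo-manager", "project", "grid-vo"),
    Credential("bob", "kent-attribute-authority", "role", "student"),
]

def credential_retriever(subject, store=CREDENTIAL_STORE):
    """Credential pull model: fetch additional authz credentials for this user."""
    return [c for c in store if c.subject == subject]

def credential_validation_service(subject, pushed=()):
    """CVS: validate the user's authz credentials and return only valid attributes."""
    valid = {}
    for c in list(pushed) + credential_retriever(subject):
        # A credential counts only if it names this subject and its issuer is
        # trusted by the validation policy for that attribute.
        if c.subject == subject and c.issuer in CV_POLICY.get(c.attribute, set()):
            valid.setdefault(c.attribute, set()).add(c.value)
    return valid

def access_control_service(attrs, action, params):
    """PDP: decide from validated attributes plus action parameters; a grant
    may carry an obligation (neither is expressible in the SAML v1.1 callout)."""
    if action == "submit_job" and "researcher" in attrs.get("role", set()):
        cpus = params.get("cpus", 0)
        if cpus <= 8:
            return "Granted", []
        if cpus <= 64 and "grid-vo" in attrs.get("project", set()):
            return "Granted", ["record job in VO accounting"]
    return "Denied", []

def pep(subject, action, params, pushed=()):
    """PEP: call the CVS, then the PDP, and return decision, obligations, attributes."""
    attrs = credential_validation_service(subject, pushed)
    decision, obligations = access_control_service(attrs, action, params)
    return decision, obligations, attrs
```

A credential pushed by the user but signed by an untrusted issuer is dropped by the CVS, so it never reaches the PDP.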
8
Combined Components
Diagram (labels only):
  • Components: Grid User, PEP, GRID target resource, a combined PDP and CVS
    (governed by the Access Control Policy and the Authz Credential
    Validation Policy), Credential Retriever
  • Messages: Grid access request (Grid User to PEP); Authz Decision Query /
    Authz Decision Response (PEP and combined PDP/CVS); Validate User Authz
    Credentials / Return valid attributes (draft for this based on WS-Trust
    and SAML); Fetch Additional Credentials for this user / Users
    Credentials (Credential Retriever); Authorised request (PEP to GRID
    target resource)
9
What you can do for the OGSA Authz WG
  • Give us your requirements for Authz
  • This can be as simple as sending me an email or a
    document you already have
  • We are currently capturing requirements from
    different grid users
  • We need to know that what we develop can satisfy
    your requirements