Background information on authorization service Christoph Witzig, SWITCH (christoph.witzig@switch.ch) TMB - Nov 29, 2008
Quote
• “There has never been a design of the authorization system” J
• "prioritizing the fair scare" T
• approx. Oct/Nov 2007
TMB 19.11.2008
A bit of history
• Sept. 2007:
  • C. Grandi assigns a comprehensive review of authZ mechanisms in gLite (-> milestone MJRA1.7)
  • Goals:
    • clear set of recommendations to TCG, which - upon acceptance by TCG - will be implemented within EGEE-III
  • MJRA1.7 milestone document: https://edms.cern.ch/document/887174/1
• Previous discussions in TCG/TMB:
  • Jan. 16, 2008
  • Mar. 12, 2008
  • June 18, 2008
Key Features of new authZ Service
• MUST:
  • Basis for a long-term solution for the uniform and consistent authorization and policy management in gLite
  • Standards based (XACML)
  • Initial focus on use-cases for job management
    • Data management: see next slide
  • Be extendable for future development
    • E.g. SAML
  • Flexible deployment scenarios
    • Multiple solutions must be possible - need to obtain feedback from SA1/3
    • No single point of failure
  • Integration into new kinds of execution environments
  • Support for multiple languages
    • Initially Java and C, but other languages must be easily supported
  • Ease of use for system administrators
• Note:
  • Joint effort of several institutes active in Grid security -- beneficial for long-term support and sustainability
What about Data Management?
• authZ study recommendation #12:
  • DPM model should be accepted by other storage solutions
  • Recommendation accepted by TCG
  • Up to now nobody has requested a change in this recommendation (AFAIK)
• authZ service is NOT designed to handle authorization requests on thousands of files (e.g. an ls-like command)
• However, authZ service can be used to authorize access to storage elements (e.g. at the command level)
• Will clarify possible use-cases with DPM, FTS developers and others
Last but not least …
• Consider today’s presentation and discussion as an update on the progress of the authZ service
• And not as the final presentation on all the authZ issues