
Authentication and Authorization Architecture for AstroGrid and the VO

This paper discusses the importance of access control and desirable features for identity, authentication, and authorization in the AstroGrid and Virtual Observatory (VO) environment. It explores the use of X.509 certificates for identification, Grid Security Infrastructure (GSI) for authentication, and community-based authorization. The paper also suggests a pragmatic approach to using access rights with the Community Access Server (CAS).


Presentation Transcript


  1. Authentication and Authorization Architecture for AstroGrid and the VO
     Guy Rixon, Tony Linde, Elizabeth Auden, Nic Walton
     TIVO, June 2002

  2. Why have access control?
     • The high-value features from the use cases all require identity, authentication and authorization.

  3. Desirable features
     • Transparent to end-users: single sign-on.
     • Globally-unique identities.
     • Secure against misuse.
     • Resource providers (data-centres) retain control of their assets.
     • Users retain control of their private data.
     • Encourage collaboration via sharing of access rights.
     • Allow one service to call another (transparent composition of jobs).
     …sounds like the Grid model!

  4. X.509 for identification
     • Distinguished names (from the Grid) for users, e.g.: /C=UK/O=es-grid/OU=ast.cam.ac.uk/CN=Guy Rixon
     • Also works for software agents.
     • X.509 certificates encode the DNs for machine use.
     • Certificates issued, digitally signed and managed by Grid organizations.
     • Certificates include authentication tokens => reduced use of passwords.
     • Can use one certificate to make another: “proxies”.

  5. GSI for authentication
     • Grid Security Infrastructure (Globus project) is a way to authenticate use of X.509 certificates.
     • Based on public key cryptography.
     • Authentication without passwords!
     • Allows services to call other services on the user’s behalf.

  6. Community-based authorization
     • Managing access rights is a big job: ~10^3 users, ~10^7 resources, ~10 kinds of permission.
     • Don’t want to load up data-centres with user-management.
     • Want data-centres to carry on managing data.
     • (Almost) all access rights come from position in community…
     • …so manage the users and their relationships as communities, centrally: avoid duplicate work…
     • …but data-centres still set permissions on data-sets.
     • Possible community: “Astronomers funded by PPARC” – access rights tend to follow funding arrangements.
     • Based on the Community Access Server from Globus.

  7. Partitioning the community
     • The community is sub-divided into groups of users and groups of resources.
     • Resource providers define resource-groups and grant access on resource-groups to appropriate user-groups.
     • Individual members hold rights on private data.
     • Users can create sub-groups for collaborations.
     • Access rights can be shared between collaborators.
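As an added example (not code from the slides, AstroGrid or Globus CAS), the following Python models the community partitioning described in slides 6 and 7: a parser for the Grid-style DN shown on slide 4, user groups, resource groups, provider grants on resource groups, privately owned data, and owner-controlled sharing with a collaboration sub-group. The group names, resource ids and second DN used in the sample are constructed.

```python
from dataclasses import dataclass, field

def parse_dn(dn: str) -> dict[str, str]:
    """Split a Grid DN such as /C=UK/O=es-grid/OU=ast.cam.ac.uk/CN=Guy Rixon."""
    attrs = {}
    for rdn in filter(None, dn.split("/")):
        key, sep, value = rdn.partition("=")
        if not (sep and key and value):
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attrs[key] = value
    return attrs

@dataclass
class Community:
    user_groups: dict[str, set[str]] = field(default_factory=dict)      # group -> member DNs
    resource_groups: dict[str, set[str]] = field(default_factory=dict)  # group -> resource ids
    grants: set[tuple[str, str, str]] = field(default_factory=set)      # (res_group, user_group, perm)
    owners: dict[str, str] = field(default_factory=dict)                # private resource -> owner DN

    def add_member(self, group: str, dn: str) -> None:
        parse_dn(dn)  # reject malformed identities before they enter a group
        self.user_groups.setdefault(group, set()).add(dn)

    def grant(self, res_group: str, resources: set[str], user_group: str, perm: str) -> None:
        """A resource provider grants a permission on a resource group to a user group."""
        self.resource_groups.setdefault(res_group, set()).update(resources)
        self.grants.add((res_group, user_group, perm))

    def share(self, owner_dn: str, resource: str, user_group: str, perm: str) -> None:
        """An owner shares private data with a collaboration sub-group; nobody else can."""
        if self.owners.get(resource) != owner_dn:
            raise PermissionError(f"{owner_dn} does not own {resource}")
        self.grant(f"private:{resource}", {resource}, user_group, perm)

    def is_authorized(self, dn: str, resource: str, perm: str) -> bool:
        if self.owners.get(resource) == dn:
            return True  # members always hold rights on their own private data
        return any(resource in self.resource_groups.get(rg, ()) and dn in self.user_groups.get(ug, ())
                   for rg, ug, p in self.grants if p == perm)

GUY = "/C=UK/O=es-grid/OU=ast.cam.ac.uk/CN=Guy Rixon"  # DN taken from slide 4

def build_sample() -> Community:
    """Constructed sample: a PPARC-funded user group and one data-centre's survey group."""
    c = Community()
    c.add_member("pparc-astronomers", GUY)
    c.grant("cam-surveys", {"survey-A"}, "pparc-astronomers", "read")
    c.owners["guy-notes"] = GUY  # private data held by one member
    return c
```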

  8. Using access rights with CAS

  9. Pragmatic approach
     • Don’t add restrictions where they’re not needed.
     • Don’t add security where there are no restrictions.
     • Pairs of services:
       • Simple services: anonymous, no security.
       • Full-function services: identified access.
     • The system can tell from context which kind of service to call.
