TWiki>
EMI Web>EmiProjectStructure>JRA1>EmiJra1>EmiJra1T4Security>EmiJra1T4XACML (2012-12-21, SimonLeinenExCern)
EditAttachPDF
EMI Web>EmiProjectStructure>JRA1>EmiJra1>EmiJra1T4Security>EmiJra1T4XACML (2012-12-21, SimonLeinenExCern) EditAttachPDFCommon XACML Authorization Profiles
The goal is to define a common XACML authorization profile usable by the EMI components (CREAM, gLExec-WN, StoRM, UNICORE, ARC, ...) and to integrate these components with the Argus Authorization Service. Authorization decision, eventually containing obligation and attribute assignments should also be supported. The Argus Authorization Service was primary designed to ban users (Deny decision), secondary to allow users to perform action on a resource (Permit decisions). It is not intended to replace the internal inter-components decision engine (internal component A is allowed to interact with component B), but to render authorization decisions about users, like: Ban user X to perform any action on any resource! Can user X perform action Y on resource Z? In order to achieve such authorization decisions, it is required to define XACML attributes to:- Identify the user X using XACML Subject attribute(s)
- Identify the resource Y using XACML Resource attribute
- Identify the action Z using XACML Action attribute
Common XACML Profile
-
EMI Common XACML Authorization Profile v.1.1.1 technical document EMI-DOC-JRA1-CommonXACMLProfile-v1.1.1.doc
- Wiki page for the EMI Common XACML Authorization Profile v.1.1.1
- EMI Common XACML Authorization Profile v.1.1 technical document EMI-DOC-JRA1-CommonXACMLProfile-v1.1.doc
- EMI Common CE XACML Authorization Profile v.1.0 technical document EMI-DOC-JRA1-CommonXACMLProfile-v1.0.doc:
- Wiki page for the Common CE XACML Authorization Profile v.1.0
Services which shall implement or use the common XACML Profile
- Argus
- Implements the profile
- Extends the simple policy language (SPL) to support the profile
- UNICORE
- UNICORE PDP integrates directly with Argus PDP in XACML
- ARC
- SecurityHandler integrates using the PEP client API ?
- CREAM CE
- Updates to use the new profile
- gLExec WN
- Updates to use the new profile
- StoRM (candidate)
- Integrates with its banning engine
- EMI Execution Service (candidate)
- Integrates for authorization ???
Profile Drafts
High Level Workplan
- Define the XACML attributes and values required by each stack (glite, ARC, UNICORE)
- Identify the common set of attributes and values
- Identify the policies ruling these attributes
- Implement the profile(s) and policies
Useful Specifications
- XACML 2.0 Specifications eXtensible Access Control Markup Language (XACML) Version 2.0
- XACML Profile for the gLite WN XACML Grid Worker Node Authorization Profile (v. 1.0)
- XACML Profile for the gLite CE XACML Grid Computing Element Authorization Profile (Draft)
Additional Information
| I | Attachment | History | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|---|
 doc |
EMI-DOC-JRA1-CommonXACMLProfile-v1.0.doc | r1 | manage | 143.5 K | 2011-10-16 - 12:13 | ValeryTschoppExCern | EMI Common XACML Profile v.1.0 |
| doc |
EMI-DOC-JRA1-CommonXACMLProfile-v1.1.1.doc | r1 | manage | 168.0 K | 2012-11-19 - 12:53 | ValeryTschoppExCern | EMI Common XACML Profile v.1.1.1 |
| doc |
EMI-DOC-JRA1-CommonXACMLProfile-v1.1.doc | r2 r1 | manage | 159.5 K | 2011-11-21 - 10:05 | ValeryTschoppExCern | EMI Common XACML Profile v.1.1 |
Topic revision: r22 - 2012-12-21 - SimonLeinenExCern
EMI Web
News
Events
Procedures and Tools
Mailing Lists
Documents
Project Structure
Create New Topic
Index
Search
Changes
Statistics- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback