Common XACML Authorization Profiles
The goal is to define a common XACML authorization profile usable by the EMI components (CREAM, gLExec-WN, StoRM, UNICORE, ARC, ...) and to integrate these components with the Argus Authorization Service. Authorization decisions that may carry obligations and attribute assignments should also be supported.
The Argus Authorization Service was primarily designed to ban users (Deny decision) and secondarily to allow users to perform an action on a resource (Permit decision).
It is not intended to replace the internal inter-component decision engine (internal component A is allowed to interact with component B), but to render authorization decisions about users, like:
- Ban user X from performing any action on any resource!
- Can user X perform action Y on resource Z?
In order to achieve such authorization decisions, it is required to define XACML attributes to:
- Identify the user X using XACML Subject attribute(s)
- Identify the resource Z using XACML Resource attribute(s)
- Identify the action Y using XACML Action attribute(s)
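The following is an added illustration, not code from Argus or any EMI component: a toy deny-overrides PDP showing how the two decision types above (a ban that ignores resource and action, and a question about a specific action on a specific resource) fall out of Subject, Resource and Action attributes. The attribute identifiers are the standard XACML 2.0 ones; the policy, user names, resource URI, action name and obligation id are constructed for the example.

```python
"""Toy XACML-style PDP for the ban / permit decisions described above.

Constructed example: only the standard XACML 2.0 subject-id, resource-id
and action-id attributes are used; the profile-specific attributes the
page plans to define are not known here.
"""
from dataclasses import dataclass, field

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


@dataclass
class Rule:
    effect: str                                 # "Permit" or "Deny"
    target: dict = field(default_factory=dict)  # attribute-id -> required value
    obligations: tuple = ()                     # obligation ids attached to the effect

    def matches(self, request: dict) -> bool:
        # Every attribute named in the target must be present with that value;
        # attributes not named in the target (e.g. resource/action for a ban)
        # are simply not looked at, so the rule applies to all of them.
        return all(request.get(k) == v for k, v in self.target.items())


def evaluate(rules, request):
    """Deny-overrides combining: the first matching Deny wins over any Permit.
    Returns (decision, obligations); NotApplicable when no rule matches."""
    decision, obligations = "NotApplicable", ()
    for rule in rules:
        if not rule.matches(request):
            continue
        if rule.effect == "Deny":
            return "Deny", rule.obligations
        decision, obligations = "Permit", rule.obligations
    return decision, obligations


# Constructed policy: ban user X for any action on any resource, and permit
# job submission on one CE with an obligation (e.g. map to a local account).
POLICY = [
    Rule("Deny", {SUBJECT_ID: "CN=banned user X"}),
    Rule("Permit", {RESOURCE_ID: "http://example.org/ce", ACTION_ID: "submit"},
         obligations=("urn:example:obligation:map-to-local-account",)),
]


def decide(subject, resource, action):
    """Build the request context from the three attributes and evaluate it."""
    request = {SUBJECT_ID: subject, RESOURCE_ID: resource, ACTION_ID: action}
    return evaluate(POLICY, request)
```

Calling `decide("CN=banned user X", "http://example.org/se", "read")` yields Deny even though no rule mentions that resource or action, while `decide("CN=alice", "http://example.org/ce", "submit")` yields Permit together with the obligation.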
Common XACML Profile
Services which shall implement or use the common XACML Profile
- Argus
  - Implements the profile
  - Extends the simple policy language (SPL) to support the profile
- UNICORE
  - UNICORE PDP integrates directly with Argus PDP in XACML
- ARC
- CREAM CE
  - Updates to use the new profile
- gLExec WN
  - Updates to use the new profile
- StoRM (candidate)
  - Integrates with its banning engine
- EMI Execution Service (candidate)
  - Integrates for authorization ???
Profile Drafts
High Level Workplan
- Define the XACML attributes and values required by each stack (gLite, ARC, UNICORE)
- Identify the common set of attributes and values
- Identify the policies ruling these attributes
- Implement the profile(s) and policies
Useful Specifications
Additional Information