Common CE XACML Authorization Profile (v.1)
Second draft for the common CE XACML authorization profile.
- TODO: add description of the matching algo for the datatype
Introduction
References
- [XACML]
- OASIS Standard, eXtensible Access Control Markup Language, Version 2.0, February 2005. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
- [XACML-CREAM]
- XACML Profile for the gLite CREAM CE (Draft). https://edms.cern.ch/document/1078881/
- [SAML-EMI]
- EMI Common SAML Attributes. https://twiki.cern.ch/twiki/bin/view/EMI/EmiJra1T4SAML
- [RFC2253]
- http://www.ietf.org/rfc/rfc2253.txt
Notation
The examples use the following namespace prefixes:
- The prefix ctx stands for the XACML context namespace (urn:oasis:names:tc:xacml:2.0:context)
XML Namespaces
The XACML common CE profile syntax is defined in a schema associated with the following XML namespaces:
- http://dci-sec.org/xacml/attribute
- http://dci-sec.org/xacml/datatype
- http://dci-sec.org/xacml/algorithm
- http://dci-sec.org/xacml/action
- http://dci-sec.org/xacml/profile
Environment Attributes
Profile Identifier
Identify the profile implemented by the request sender. The attribute MUST be present in the request.
- AttributeId: http://dci-sec.org/xacml/attribute/profile-id
- DataType: http://www.w3.org/2001/XMLSchema#anyURI
- AttributeValue Multiplicity: 1
- Value(s): The attribute value MUST be http://dci-sec.org/xacml/profile/common-ce/1.0
Example
<ctx:Environment>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/profile-id"
                 DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <ctx:AttributeValue>http://dci-sec.org/xacml/profile/common-ce/1.0</ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Environment>
Subject Attributes
Subject Identifier
Identify the submitter of the job to the CE. The attribute MUST be present in the request.
- AttributeId: urn:oasis:names:tc:xacml:1.0:subject:subject-id
- DataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name
- AttributeValue Multiplicity: 1
- Value(s): X.509 distinguished name of the end-entity certificate. The DN format is RFC2253, e.g. "CN=John Doe,DC=example,DC=org"
Example
<ctx:Subject>
  <ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                 DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
    <ctx:AttributeValue>CN=John Doe,DC=example,DC=org</ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>
Subject Issuer
Subject DNs of the root certificate authority and of all subordinate certificate authorities in the certificate chain identifying the job submitter. The attribute SHOULD be present in the request.
For example, assume:
- certificate C is the end entity certificate
- subordinate certificate authority B signed certificate C
- root certificate authority A signed subordinate certificate authority B
then this attribute would contain the subject DN for certificate authorities A and B.
- AttributeId: http://dci-sec.org/xacml/attribute/subject-issuer
- DataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name
- AttributeValue Multiplicity: 1..N
- Value(s): X.509 distinguished name of the authority(ies) which issued the job submitter's identity. The DN format is RFC2253.
Example
<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/subject-issuer"
                 DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
    <ctx:AttributeValue>CN=QV Schweiz ICA,OU=Issuing Certificate Authority,O=QuoVadis Trustlink Schweiz AG,C=CH</ctx:AttributeValue>
    <ctx:AttributeValue>CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM</ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>
Virtual Organization (VO)
The subject's virtual organization membership.
TODO: add link to the common SAML profile
- AttributeId: http://dci-sec.org/xacml/attribute/virtual-organization
- DataType: http://www.w3.org/2001/XMLSchema#string
- AttributeValue Multiplicity: 1..N
- Value(s): Names of the virtual organizations the subject is a member of.
Example
<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/virtual-organization"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
    <ctx:AttributeValue>atlas</ctx:AttributeValue>
    <ctx:AttributeValue>vo.example.org</ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>
Questions
- do we need a special data type for VO (like SAML) or #string is enough?
Comments
- Aleksandr Konstantinov
- Maybe accompanied by issuer - like VOMS SN.
Group
The subject group membership.
TODO: add link to the common SAML profile.
- AttributeId: http://dci-sec.org/xacml/attribute/group
- DataType: http://dci-sec.org/xacml/datatype/group
- AttributeValue Multiplicity: 1..N
- Value(s): Names of the groups the subject is a member of.
Example
<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/group"
                 DataType="http://dci-sec.org/xacml/datatype/group">
    <ctx:AttributeValue>/atlas/admin</ctx:AttributeValue>
    <ctx:AttributeValue>/atlas/analysis</ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>
Primary Group
The subject primary group membership.
TODO: add link to the common SAML profile.
- AttributeId: http://dci-sec.org/xacml/attribute/group/primary
- DataType: http://dci-sec.org/xacml/datatype/group
- AttributeValue Multiplicity: 1
- Value: Name of the primary group of the subject. The value MUST appear in the Group attribute values.
Example
<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/group/primary"
                 DataType="http://dci-sec.org/xacml/datatype/group">
    <ctx:AttributeValue>/atlas/admin</ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>
Role
Represents the roles assigned to the subject. The subject role MUST be scoped to a particular group or VO name.
- AttributeId: http://dci-sec.org/xacml/attribute/role
- DataType: http://dci-sec.org/xacml/datatype/role
- Issuer: Group or VO name scope of the role. The Issuer value set MUST have a corresponding XACML Group or VO name attribute value.
- AttributeValue Multiplicity: 1..N
- Value(s): Names of the roles assigned to the subject.
Example
<ctx:Subject>
  <!-- role scoped to the group -->
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/role"
                 DataType="http://dci-sec.org/xacml/datatype/role"
                 Issuer="/atlas/analysis">
    <ctx:AttributeValue>SoftwareManager</ctx:AttributeValue>
  </ctx:Attribute>
  <!-- role scoped to a VO name -->
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/role"
                 DataType="http://dci-sec.org/xacml/datatype/role"
                 Issuer="vo.example.org">
    <ctx:AttributeValue>Tester</ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>
Questions
- is an attribute uniquely identified by the {AttributeId, DataType, Issuer} tuple (see [XACML] 5.37 AttributeDesignatorType)?
- do we need a special data type for the role (like SAML) or is ...#string enough?
- is this MUST or MAY (like the SAML) be scoped to a particular group or VO name?
Primary Role
Represents the primary role assigned to the subject. The primary role MUST be scoped to a group or VO name.
- AttributeId: http://dci-sec.org/xacml/attribute/role/primary
- DataType: http://dci-sec.org/xacml/datatype/role
- Issuer: Group or VO name scope of the primary role. The Issuer value set MUST have a corresponding XACML Group or VO name attribute value.
- AttributeValue Multiplicity: 1
- Value(s): Name of the primary role assigned to the subject.
Example
<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/role/primary"
                 DataType="http://dci-sec.org/xacml/datatype/role"
                 Issuer="atlas">
    <ctx:AttributeValue>Tester</ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>
Questions
- do we need a special data type for the role (like SAML) or is ...#string enough?
- how to differentiate between a Group or VO name scope (Issuer is not typed)?
Comments
- Aleksandr Konstantinov
- maybe add VO to Role and Group.
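The Primary Group and Role sections above state rules that a PDP front-end or a request validator can check mechanically: profile-id present with the profile URI, a single subject-id, the primary group appearing among the Group values, and every role's Issuer matching a Group or VO value. The checker below is an added example, not part of this draft or of any CE implementation; the request it parses is constructed here and deliberately scopes a role to a group the subject is not a member of.

```python
# Added example, not part of the profile draft: check a request context against
# the MUST rules stated above (profile-id, subject-id, primary group, role scope).
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context"
A = "http://dci-sec.org/xacml/attribute/"  # prefix of the profile's AttributeIds
PROFILE_VALUE = "http://dci-sec.org/xacml/profile/common-ce/1.0"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"


def check_request(xml_text):
    """Return the list of violations of the profile's MUST rules (empty if OK)."""
    by_id, scopes = {}, []  # AttributeId -> values; (role values, Issuer) pairs
    for attr in ET.fromstring(xml_text).iter(f"{{{CTX}}}Attribute"):
        aid = attr.get("AttributeId")
        vals = [(v.text or "").strip() for v in attr.findall(f"{{{CTX}}}AttributeValue")]
        by_id.setdefault(aid, []).extend(vals)
        if aid in (A + "role", A + "role/primary"):
            scopes.append((vals, attr.get("Issuer")))
    errors = []
    # profile-id MUST be present, single-valued, and equal to the profile URI
    if by_id.get(A + "profile-id") != [PROFILE_VALUE]:
        errors.append("profile-id missing or not " + PROFILE_VALUE)
    # subject-id MUST be present with exactly one value
    if len(by_id.get(SUBJECT_ID, [])) != 1:
        errors.append("subject-id must have exactly one value")
    groups, vos = by_id.get(A + "group", []), by_id.get(A + "virtual-organization", [])
    # the primary group MUST appear among the Group attribute values
    for pg in by_id.get(A + "group/primary", []):
        if pg not in groups:
            errors.append(f"primary group {pg} not in group values")
    # a role's Issuer (its scope) MUST match a Group or VO attribute value
    for vals, issuer in scopes:
        if issuer not in groups + vos:
            errors.append(f"role {vals} scoped to unknown issuer {issuer!r}")
    return errors


# Constructed sample (not from the draft): the role's scope /atlas/analysis is
# not among the subject's groups, so the checker reports exactly one violation.
SAMPLE = f"""<ctx:Request xmlns:ctx="{CTX}"><ctx:Subject>
 <ctx:Attribute AttributeId="{SUBJECT_ID}"><ctx:AttributeValue>CN=John Doe,DC=example,DC=org</ctx:AttributeValue></ctx:Attribute>
 <ctx:Attribute AttributeId="{A}virtual-organization"><ctx:AttributeValue>atlas</ctx:AttributeValue></ctx:Attribute>
 <ctx:Attribute AttributeId="{A}group"><ctx:AttributeValue>/atlas/admin</ctx:AttributeValue></ctx:Attribute>
 <ctx:Attribute AttributeId="{A}group/primary"><ctx:AttributeValue>/atlas/admin</ctx:AttributeValue></ctx:Attribute>
 <ctx:Attribute AttributeId="{A}role" Issuer="/atlas/analysis"><ctx:AttributeValue>SoftwareManager</ctx:AttributeValue></ctx:Attribute>
</ctx:Subject><ctx:Environment>
 <ctx:Attribute AttributeId="{A}profile-id"><ctx:AttributeValue>{PROFILE_VALUE}</ctx:AttributeValue></ctx:Attribute>
</ctx:Environment></ctx:Request>"""
```

The DataType attributes are omitted from the constructed sample because the checker does not inspect them; a production validator would also reject values whose DataType disagrees with the profile.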
Resource Owner
Identify the owner of the resource.
- AttributeId: http://dci-sec.org/xacml/attribute/resource-owner
- DataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name
- AttributeValue Multiplicity: 1
- Value(s): X.509 distinguished name of the end-entity certificate.
Example
<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/resource-owner"
                 DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
    <ctx:AttributeValue>CN=Jane Doe,DC=example,DC=org</ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>
Comments
- This attribute is required by UNICORE
Resource Attributes
Resource Identifier
Identifies the CE, or a logical grouping of CEs, upon which the action to be authorized will be executed. This attribute MUST be present in a request.
- Identifier: urn:oasis:names:tc:xacml:1.0:resource:resource-id
- DataType: http://www.w3.org/2001/XMLSchema#string
- AttributeValue Multiplicity: 1
- Value(s): ???
Example
<ctx:Resource>
  <ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
    <ctx:AttributeValue>http://example.org/ce/cream-ce-1</ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Resource>
Questions
- Is the DataType ...#string correct to identify a resource? Why not ...#anyURI?
- Should we formalize the resource identifier values?
Comments
- Karsten Schwank
- I think it is a good idea to formalize the values, otherwise I could imagine the risk of duplicates within a large system is too big and formalized values would keep the policies human readable. Depending on the kind of formalization this could even allow further automatic, semantic evaluation of the policies. Same thing for the actions.
- Krzysztof Benedyczak
- I vote for URI. In our case {UNICORE} it is an URL of the Web Service.
- Aleksandr Konstantinov
- too generic. Or it needs an attribute/scoping to define which kind of identifier it is - URL, SN, WS-Addressing, path. Also it is not clear to me how to specify resource at service which can't be represented as combined URL. Like job handled by Execution Service - with job id XML-ized and ES represented by URL or EPR.
Action Attributes
Action Identifier
Identifies the action being performed on the CE. This attribute MUST be present in a request.
- Identifier: urn:oasis:names:tc:xacml:1.0:action:action-id
- DataType: http://www.w3.org/2001/XMLSchema#string
- AttributeValue Multiplicity: 1
- Value(s): ???
CREAM CE action value examples:
A-REX actions examples:
EMI Execution Service actions examples:
- TODO: define the list of action values, based on the EMI Execution Service (EES) requirements.
Questions
- values multiplicity: 1 or 1..N?
Comments
- Krzysztof Benedyczak
- My remark is that here (in opposite what is in the current CREAM profile) we want any string - without any restrictions. However we may obey some predefined actions if those are applicable.
- Aleksandr Konstantinov
- probably needs some scoping to define kind of service involved. Or there need to be some rules how to compose the string representing action which would allow to distinguish "create" action of Storage from "create" of ES.
Data-types
Defines the DataTypes used in the XACML attributes.
- Identifier: http://dci-sec.org/xacml/datatype/group
  TODO: add description and link to the common SAML profile
- Identifier: http://dci-sec.org/xacml/datatype/role
  TODO: add description and link to the common SAML profile