
Access Grid Authorization



Presentation Transcript


  1. Access Grid Authorization Thomas Uram turam@mcs.anl.gov Argonne National Laboratory

  2. Agenda
  • Authorization Landscape
  • Role-based Authorization
  • AuthorizationManager API
  • Examples and exercises

  3. Landscape
  • PKI
    • Every user has a unique certificate
  • Web Services
    • Web-accessible components of the AG software are exposed via SOAP over GSI
    • GSI connections are authenticated using certificates
      • User’s identity subject to verification by server
      • Server’s identity subject to verification by user
  • Methods are distinguished by their callability
    • Administrator methods
      • Venue configuration
    • User methods
      • Venue entry

  4. Landscape (diagram; labels: Venue, Audio Service, Video Service, Multicast)

  5. Role-based Authorization
  • Abstraction layer between objects and persons who will access them
  • Similar to *nix file system concept
    • Each object has a list of actions that can be performed on it (rwx)
    • Each action has a list of groups which are allowed to call it
    • Each group has a list of members (/etc/group)

  6. Roles
  • Roles are user groups
  • Required roles
    • Administrator
    • User
  • Custom roles
    • Venue.AllowedEntry
    • Venue.RegisteredUsers

  7. Actions
  • Actions define operations on web services
  • In the *nix file system analog, read/write/execute are Actions
  • Actions currently map one-to-one to web service methods
    • VenueServer.GetVenues
    • Venue.GetStreams

  8. Subjects • Subject class holds information about a user (in particular, the user’s distinguished name)

  9. Policies
  • An authorization policy describes the role/action/subject relationships in force for a service
  • The policy for a service is represented in XML
  • The policy can be modified wholesale, or through individual calls
  • Services define default policies
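As an added illustration of the role/action/subject model of slides 5 to 9 (this is example code, not part of the Access Grid toolkit): a minimal policy object that answers "may this DN call this action?" with default deny, plus an XML round trip. The XML layout, the DNs and the action name Venue.Configure are assumptions made for the example; the real AG policy schema is not shown on the slides.

```python
import xml.etree.ElementTree as ET

class AuthorizationPolicy:
    def __init__(self):
        self.roles = {}    # role name -> set of subject distinguished names
        self.actions = {}  # action name -> set of role names allowed to call it

    def AddSubjectToRole(self, dn, role):
        self.roles.setdefault(role, set()).add(dn)
    def AddRoleToAction(self, role, action):
        self.actions.setdefault(action, set()).add(role)

    def IsAuthorized(self, dn, action):
        # Default deny: an unknown action, or one with no roles, admits nobody.
        return any(dn in self.roles.get(r, ()) for r in self.actions.get(action, ()))

    def ToXML(self):
        root = ET.Element("AuthorizationPolicy")  # assumed layout, not the AG schema
        for name, members in sorted(self.roles.items()):
            r = ET.SubElement(root, "Role", name=name)
            for dn in sorted(members):
                ET.SubElement(r, "Subject", dn=dn)
        for name, roles in sorted(self.actions.items()):
            a = ET.SubElement(root, "Action", name=name)
            for role in sorted(roles):
                ET.SubElement(a, "Role", name=role)
        return ET.tostring(root, encoding="unicode")

    @classmethod
    def FromXML(cls, text):
        policy = cls()
        root = ET.fromstring(text)
        for r in root.findall("Role"):
            for s in r.findall("Subject"):
                policy.AddSubjectToRole(s.get("dn"), r.get("name"))
        for a in root.findall("Action"):
            for r in a.findall("Role"):
                policy.AddRoleToAction(r.get("name"), a.get("name"))
        return policy

# Constructed sample subjects; these DNs are placeholders, not real certificates.
ADMIN_DN = "/O=Grid/OU=example.org/CN=Venue Administrator"
USER_DN = "/O=Grid/OU=example.org/CN=Alice"

def DefaultVenuePolicy():
    p = AuthorizationPolicy()
    p.AddSubjectToRole(ADMIN_DN, "Administrator")
    p.AddSubjectToRole(USER_DN, "Venue.AllowedEntry")
    p.AddRoleToAction("Administrator", "Venue.Configure")  # stand-in name for the admin-only configuration methods
    p.AddRoleToAction("Administrator", "Venue.GetStreams")
    p.AddRoleToAction("Venue.AllowedEntry", "Venue.GetStreams")
    return p
```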

  10. Authorization UI • VenueServer

  11. Authorization UI • Venue

  12. AuthorizationManager
  • AccessGrid.Security.AuthorizationManager
  • Exposes interfaces for modifying the authorization policy for a service
  • Used in the authorization callback registered with the SOAP server

  13. AuthorizationManager API

  14. Future work
  • Finer-grained authorization
    • Apply to objects in Venue
    • Permit authorization of individuals, not just groups
  • Consider integrating a well-established authorization framework

  15. Example: List defined Roles

    #!/usr/bin/python2
    import sys
    from AccessGrid.Toolkit import CmdlineApplication
    from AccessGrid.Venue import VenueIW
    from AccessGrid.Security.AuthorizationManager import AuthorizationManagerIW

    # The venue URL is the only argument; fail clearly rather than with an IndexError
    if len(sys.argv) != 2:
        sys.stderr.write('Usage: %s <venue-url>\n' % sys.argv[0])
        sys.exit(1)
    url = sys.argv[1]

    # Create and initialize the command-line application (sets up the toolkit
    # environment used by the GSI connections below)
    app = CmdlineApplication()
    app.Initialize('ListRoles')

    # Ask the venue for its authorization manager's URL and create the interface wrapper
    v = VenueIW(url)
    amurl = v.GetAuthorizationManager()
    authManager = AuthorizationManagerIW(amurl)

    # Get the roles defined in the venue's policy and print their names
    roleList = authManager.ListRoles()
    for role in roleList:
        print role.name

  16. Exercise: List subjects in Roles

  17. Example: Venue ACL manager
