
I2/NMI Update: Signet, Grouper, & GridShib






Presentation Transcript


  1. I2/NMI Update: Signet, Grouper, & GridShib (Tom Barton, University of Chicago)

  2. IdMS reality
  • Each person’s online activities are shaped by many Sources of Authority (SoAs)
    • Resource managers
    • Program/activity heads
    • Other policy making bodies
    • Self
  • Common middleware infrastructure should be operated centrally
    • To not oblige departments/programs/activities to build their own core middleware
  • Management of the information it conveys should be highly distributed
    • Hook up all of those SoAs to the middleware

  3. Relative roles of Signet & Grouper
  • RBAC model
    • Users are placed into groups
    • Privileges are assigned to groups
    • Groups can be arranged into static hierarchies to effectively bestow privileges
  • Signet manages privileges
  • Grouper manages, well, groups

  4. Signet

  5. Nutshell description of Signet
  • Analysts write XML descriptions of “business views” of privileges and store them in the Authority Registry
  • Signet UI presents business views found in the Authority Registry
  • Authoritative persons use the Signet UI to assign privileges and delegate authority across all “subsystems” in which they have any authority
  • Signet UI stores assignments in the Authority Registry
  • XML “permissions documents” are exported from the Authority Registry, transformed, and provisioned into integrated systems and infrastructure services

  6. Privileges building blocks
  • Business view
    • Subsystems
    • Categories
    • Functions
    • Scope
    • Limits
    • Prerequisites
    • Conditions
  • System view
    • Permissions
  • Assignment
    • To individual or group
    • With/without ability to further delegate
    • Proxy assignment

  7. Signet subsystems
  • Define domains of ownership and responsibility
  • Reflect real world boundaries
  • Can be large or small
  • Examples: Financial system, Student system, HR system, Network address plan management, Network access management, Research administration, Clinical resources
  • IdMS: UI (Person Registry), Signet (Authority Registry), Grouper (Group Registry)

  8. Authority elements by example

  9. Business view → system permissions

  10. Provisioning permissions into systems

  11. Provisioning permissions into infrastructure

  12. Grouper groups
  • Attributes of groups
    • Names: name, displayName, guid
    • Description
    • Members
    • Can extend the set of attributes to support groups with more specific purposes
  • Subgroups, compound groups, and aging
  • Stored in an RDBMS, the Group Registry

  13. Group namespaces
  • Groups are created within namespaces
  • Namespaces scope the authority to create and name groups
  • Namespaces can be arranged hierarchically, if desired, e.g.:
    • faculties (namespace)
    • faculties:arts (namespace)
    • faculties:arts:all_staff (group)

  14. Grouper privileges
  • Access privileges
    • Who has what access (read, write) to a group’s attributes
  • Naming privileges
    • Who can create a group in each namespace
    • Who can create a new namespace subordinate to an existing one
  • Privilege interfaces are abstracted
    • Can use external privilege management system, like Signet
    • Grouper’s built-in privilege management
      • Subgroups, compound groups, and aging can be used to manage privileges with built-in capability

  15. Access privileges
  • VIEW controls to whom a group is visible or hidden
  • READ information, especially membership, about a group
  • UPDATE membership
  • ADMIN can modify everything, including group name, description, & access privileges, and can delete the group
  • OPTIN can add self to the members list
  • OPTOUT can remove self from the members list

  16. Naming privileges
  • CREATE a group in a given namespace
    • The creator is automatically given ADMIN priv
  • STEM privilege in a given namespace enables:
    • Assignment of CREATE and STEM privileges for the namespace
    • Creation of subordinate namespaces
      • The creator is automatically given STEM priv

  17. Three ways to distribute group management
  • Create a group and assign someone UPDATE privilege to it
    • Manage the group’s membership
  • Create a group and assign someone ADMIN privilege to it
    • Manage who manages the group’s membership and who can see what about the group
  • Create a namespace and assign someone STEM privilege to it
    • Manage who can create groups with constraint on how they are named
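The rules on slides 3 and 13 through 17 (groups in hierarchical namespaces, access privileges on groups, naming privileges on namespaces, and the creator-gets-ADMIN / creator-gets-STEM rules) fit in a small policy model. The following is an added example written for this page, not Grouper's own Java API or any code from the presentation: GroupRegistry, its method names and the subject ids in demo() are invented here, ADMIN is taken to imply every other access privilege, and OPTOUT (which mirrors OPTIN) is left out for brevity.

```python
# Toy model of the Grouper rules on slides 3 and 13-17: groups in hierarchical
# namespaces, access privileges on groups, naming privileges on namespaces, and
# the creator-gets-ADMIN / creator-gets-STEM rules. Added for this page; it is not
# Grouper's own Java API. GroupRegistry and the subject ids in demo() are invented.
ACCESS_PRIVS = {"VIEW", "READ", "UPDATE", "ADMIN", "OPTIN", "OPTOUT"}
NAMING_PRIVS = {"CREATE", "STEM"}


class PermissionDenied(Exception):
    """Raised when the acting subject lacks the privilege an operation needs."""


class GroupRegistry:
    def __init__(self, root_steward):
        # naming: namespace -> {subject: naming privs}; "" is the root namespace.
        # groups: name -> {"members": set, "subgroups": set, "access": {subject: privs}}
        self.naming = {"": {root_steward: {"STEM", "CREATE"}}}
        self.groups = {}

    def has_naming(self, subject, ns, priv):
        return priv in self.naming[ns].get(subject, set())

    def has_access(self, subject, group, priv):
        held = self.groups[group]["access"].get(subject, set())
        return priv in held or "ADMIN" in held  # ADMIN can modify everything

    @staticmethod
    def _require(ok, actor, action):
        if not ok:
            raise PermissionDenied(f"{actor} may not {action}")

    # Naming privileges (slide 16)
    def create_namespace(self, actor, parent, label):
        self._require(self.has_naming(actor, parent, "STEM"), actor, f"stem {parent!r}")
        name = f"{parent}:{label}" if parent else label
        self.naming[name] = {actor: {"STEM"}}  # creator is automatically given STEM
        return name

    def grant_naming(self, actor, ns, subject, priv):
        assert priv in NAMING_PRIVS
        self._require(self.has_naming(actor, ns, "STEM"), actor, f"assign {priv} on {ns!r}")
        self.naming[ns].setdefault(subject, set()).add(priv)

    def create_group(self, actor, ns, label):
        self._require(self.has_naming(actor, ns, "CREATE"), actor, f"create groups in {ns!r}")
        name = f"{ns}:{label}" if ns else label
        # creator is automatically given ADMIN
        self.groups[name] = {"members": set(), "subgroups": set(), "access": {actor: {"ADMIN"}}}
        return name

    # Access privileges (slide 15)
    def grant_access(self, actor, group, subject, priv):
        assert priv in ACCESS_PRIVS
        self._require(self.has_access(actor, group, "ADMIN"), actor, f"administer {group}")
        self.groups[group]["access"].setdefault(subject, set()).add(priv)

    def add_member(self, actor, group, subject):
        # UPDATE may add anyone; OPTIN lets a subject add only itself.
        ok = self.has_access(actor, group, "UPDATE") or (
            actor == subject and self.has_access(actor, group, "OPTIN"))
        self._require(ok, actor, f"add {subject} to {group}")
        self.groups[group]["members"].add(subject)

    def add_subgroup(self, actor, group, child):
        self._require(self.has_access(actor, group, "UPDATE"), actor, f"update {group}")
        self.groups[group]["subgroups"].add(child)

    def effective_members(self, actor, group):
        """Membership flattened through the static subgroup hierarchy (slide 3).
        Only READ on the top group is checked; the seen-set guards against cycles."""
        self._require(self.has_access(actor, group, "READ"), actor, f"read {group}")
        seen, members, todo = set(), set(), [group]
        while todo:
            g = todo.pop()
            if g not in seen:
                seen.add(g)
                members |= self.groups[g]["members"]
                todo.extend(self.groups[g]["subgroups"])
        return members


def demo():
    """The three delegation patterns of slide 17 over the namespace tree of slide 13."""
    reg = GroupRegistry("central-it")
    reg.create_namespace("central-it", "", "faculties")
    arts = reg.create_namespace("central-it", "faculties", "arts")
    # Way 3: STEM on faculties:arts lets the faculty steward assign CREATE (here to
    # itself) and so control which groups exist there and how they are named.
    reg.grant_naming("central-it", arts, "arts-steward", "STEM")
    reg.grant_naming("arts-steward", arts, "arts-steward", "CREATE")
    all_staff = reg.create_group("arts-steward", arts, "all_staff")
    history = reg.create_group("arts-steward", arts, "history_staff")
    # Way 2: ADMIN on history_staff lets the department head manage its managers.
    reg.grant_access("arts-steward", history, "history-head", "ADMIN")
    # Way 1: UPDATE lets a clerk maintain membership but not privileges.
    reg.grant_access("history-head", history, "history-clerk", "UPDATE")
    reg.add_member("history-clerk", history, "prof-a")
    # Static hierarchy: history_staff is a subgroup of all_staff.
    reg.add_subgroup("arts-steward", all_staff, history)
    return reg, all_staff, history
```

Running demo() and then reading faculties:arts:all_staff as arts-steward returns prof-a through the subgroup, while the clerk's UPDATE does not let it grant privileges and nobody outside faculties:arts holds CREATE there, which is the point of handing out STEM rather than a central account.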

  18. Signet & Grouper
  • Subject Interface
    • Component common to both to integrate with external IdMS
  • Now available
    • Grouper API v0.5: basic group management by automation processes
    • Demo release of Signet
  • By Spring Internet2 meeting
    • Grouper v0.6: first complete release, including the UI
  • Initial production ready release of Signet anticipated middle of 2005

  19. What is GridShib?
  • NSF Middleware Initiative (NMI) Grant: “Policy Controlled Attribute Framework”
  • Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4
  • 2 year project starting December 1, 2004
  • Participants
    • Von Welch, UIUC/NCSA (PI)
    • Kate Keahey, UChicago/Argonne (PI)
    • Frank Siebenlist, Argonne
    • Tom Barton, UChicago

  20. GridShib integration principles
  • No modification to typical grid client applications
  • Leverage high-quality campus IdMS operations
    • Attributes
    • Attribute release policies
  • Leverage high-quality Shib and Grid software

  21. Basic use case [diagram: grid-proxy-init, SIA (IdP IDs), EEC, GT4 runtime attribute marshalling pipeline, online CA, Shib AA, LionShare-like trust plugin]

  22. Managing the attributes marshalled by GridShib
  • Grid resource, user, and SoAs for user attributes may be in different administrative domains
  • How to manage attributes marshalled from which AA?
  • Shibbolized Signet & Grouper might help…
