I2/NMI Update: Signet, Grouper, & GridShib Tom Barton University of Chicago

TF-EMC2 Feb IdMS reality Each person’s online activities is shaped by many Sources of Authority (SoAs) –Resource managers –Program/activity heads –Other policy making bodies –Self Common middleware infrastructure should be operated centrally –To not oblige departments/programs/activities to build their own core middleware Management of the information it conveys should be highly distributed –Hook up all of those SoAs to the middleware

TF-EMC2 Feb Relative roles of Signet & Grouper Grouper Signet RBAC model Users are placed into groups Privileges are assigned to groups Groups can be arranged into static hierarchies to effectively bestow privileges Signet manages privileges Grouper manages, well, groups

TF-EMC2 Feb Signet

TF-EMC2 Feb Nutshell description of Signet Analysts write XML descriptions of “business views” of privileges and store them in the Authority Registry Signet UI presents business views found in the Authority Registry Authoritative persons use the Signet UI to assign privileges and delegate authority across all “subsystems” in which they have any authority –Signet UI stores assignments in the Authority Registry XML “permissions documents” are exported from the Authority Registry, transformed, and provisioned into integrated systems and infrastructure services

TF-EMC2 Feb Privileges building blocks Business view –Subsystems –Categories –Functions –Scope –Limits –Prerequisites –Conditions System view – Permissions Assignment to –Individual –Group –With/without ability to further delegate Proxy assignment

TF-EMC2 Feb Signet subsystems Define domains of ownership and responsibility Reflect real world boundaries Can be large or small Financial system Student system HR system Network address plan management Network access management Research administration Clinical resources IdMS UI (Person Registry) Signet (Authority Registry) Grouper (Group Registry)

TF-EMC2 Feb Authority elements by example By authority of the Dean grantor principal investigators grantee (group) who have completed training prerequisite can approve purchases function in the School of Medicine scope for research projects up to $100,000 limits until January 1, 2006 condition

TF-EMC2 Feb Business view  system permissions

TF-EMC2 Feb Provisioning permissions into systems

TF-EMC2 Feb Provisioning permissions into infrastructure

TF-EMC2 Feb

TF-EMC2 Feb Grouper groups Attributes of groups –Names: name, displayName, guid –Description –Members –Can extend the set of attributes to support groups with more specific purposes Subgroups, compound groups, and aging Stored in an RDBMS, the Group Registry

TF-EMC2 Feb Group namespaces Groups are created within namespaces Namespaces scope the authority to create and name groups Namespaces can be arranged hierarchically, if desired facultiesnamespace faculties:artsnamespace faculties:arts:all_staff group

TF-EMC2 Feb Grouper privileges Access privileges –Who has what access (read, write) to a group’s attributes Naming privileges –Who can create a group in each namespace –Who can create a new namespace subordinate to an existing one Privilege interfaces are abstracted –Can use external privilege management system, like Signet Grouper’s built-in privilege management –Subgroups, compound groups, and aging can be used to manage privileges with built-in capability

TF-EMC2 Feb Access privileges VIEW controls to whom a group is visible or hidden READ information, especially membership, about a group UPDATE membership ADMIN can modify everything, including group name, description, & access privileges, and can delete the group OPTIN can add self to the members list OPTOUT can remove self from the members list

TF-EMC2 Feb Naming privileges CREATE a group in a given namespace –The creator is automatically given ADMIN priv STEM privilege in a given namespace enables: –Assignment of CREATE and STEM privileges for the namespace –Creation of subordinate namespaces The creator is automatically given STEM priv

TF-EMC2 Feb Three ways to distribute group management Create a group and assign someone UPDATE privilege to it –Manage the group’s membership Create a group and assign someone ADMIN privilege to it –Manage who manages the group’s membership and who can see what about the group Create a namespace and assign someone STEM privilege to it –Manage who can create groups with constraint on how they are named

TF-EMC2 Feb Signet & Grouper Subject Interface –Component common to both to integrate with external IdMS Now available –Grouper API v0.5. Basic group management by automation processes –Demo release of Signet By Spring Internet2 meeting –Grouper v0.6. First complete release, including the UI Initial production ready release of Signet anticipated middle of 2005

TF-EMC2 Feb What is GridShib? NSF Middleware Initiative (NMI) Grant: “Policy Controlled Attribute Framework” Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4 2 year project starting December 1, 2004 Participants –Von Welch, UIUC/NCSA (PI) –Kate Keahey, UChicago/Argonne (PI) –Frank Siebenlist, Argonne –Tom Barton, UChicago

TF-EMC2 Feb GridShib integration principles No modification to typical grid client applications Leverage high-quality campus IdMS operations –Attributes –Attribute release policies Leverage high-quality Shib and Grid software

TF-EMC2 Feb Basic use case grid-proxy-init SIA: IdP ID(s) GT4 runtime attribute marshalling pipeline shib AA LionShare-like trust plugin EEC online CA

TF-EMC2 Feb Managing the attributes marshalled by GridShib Grid resource, user, and SoAs for user attributes may be in different administrative domains. How to manage attributes marshalled from which AA? Shibbolized Signet & Grouper might help…