An XACML profile and implementation for Authorization Interoperability

An XACML profile and implementation for Authorization Interoperability between OSG and EGEE
globusWorld, March 2, 2010
Ted Hesselroth, Computing Division, Fermilab, on behalf of the Authorization Interoperability Collaboration
Overview:
– OSG & EGEE Authorization Models
– Authorization Interoperability Profile
– Implementations and Deployments

The Collaboration
Ian Alderman (9), Mine Altunay (1), Rachana Ananthakrishnan (8), Joe Bester (8), Keith Chadwick (1), Vincenzo Ciaschini (7), Yuri Demchenko (4), Andrea Ferraro (7), Alberto Forti (7), Gabriele Garzoglio (1), David Groep (2), Ted Hesselroth (1), John Hover (3), Oscar Koeroo (2), Chad La Joie (5), Tanya Levshina (1), Zach Miller (9), Jay Packard (3), Håkon Sagehaug (6), Valery Sergeev (1), Igor Sfiligoi (1), Neha Sharma (1), Frank Siebenlist (8), Valerio Venturi (7), John Weigand (1)
Affiliations: (1) Fermilab, Batavia, IL, USA; (2) NIKHEF, Amsterdam, The Netherlands; (3) Brookhaven National Laboratory, Upton, NY, USA; (4) University of Amsterdam, Amsterdam, The Netherlands; (5) SWITCH, Zürich, Switzerland; (6) BCCS, Bergen, Norway; (7) INFN CNAF, Bologna, Italy; (8) Argonne National Laboratory, Argonne, IL, USA; (9) University of Wisconsin, Madison, WI, USA

The Authorization Model
– The EGEE and OSG security model is based on X.509 end-entity and proxy certificates for single sign-on and delegation
– Role-based access to resources is based on VOMS Attribute Certificates, carried in the user's VOMS proxy
– Users push credentials and attributes to resources (a push model: the resource receives the VOMS proxy instead of querying the VO itself)
– Access privileges are granted with appropriate local identity mappings, from grid identity and VO role to a local Unix account
– Resource gateways (Gatekeeper, SRM, gLExec, ...), i.e. Policy Enforcement Points (PEPs), call out to site-central Policy Decision Points (PDPs) for authorization decisions

The Interoperability Problem
– EGEE and OSG had developed different authorization infrastructures, with different PDPs, call-out protocols and client libraries (see the next two slides)
– The two Grids now have a common PEP-to-PDP call-out protocol to enable interoperability:
  – Software developed in the US or EU can seamlessly be deployed in the EU or US security infrastructures
  – Software groups in EGEE and OSG can share and reuse common code
– The common call-out protocol was developed in collaboration with the Globus Toolkit and Condor groups

Authorization Infrastructure (the EGEE case)
[Diagram; legend: AuthZ components, VO Management Services, Grid Site, Attribute Authority, PDP, PEPs]
– VO Management Services (the Attribute Authority): VOMRS, synchronised with VOMS; the user registers and gets a voms-proxy
– Site PDP: SCAS, answering "Is Auth?" (Yes/No) and "ID Map?" (UID/GID)
– Site PEPs calling SCAS through the SCAS client: the CE Gatekeeper and gLExec on the WN; the SE (dCache) SRM uses gPlazma
– Flow: the user submits a request with the voms-proxy; the CE submits the pilot or job to the batch system under the mapped UID/GID; the batch system schedules it on a WN; the pilot switches user (SU) to the job's UID/GID through gLExec; the job accesses data on storage with that UID/GID

Authorization Infrastructure (the OSG case)
[Diagram; legend: AuthZ components, VO Management Services, Grid Site, PDP, PEPs, "Not Officially In OSG"]
– VO Management Services: VOMRS synchronised with VOMS; the user registers and gets a voms-proxy; GUMS is synchronised with VOMS
– Site PDPs: GUMS, answering "ID Mapping?" (Yes/No + UserName), and SAZ, answering "Is Auth?" (Yes/No)
– Site PEPs: the CE Gatekeeper and gLExec on the WN call out through PRIMA; the SE SRM uses gPlazma
– Flow: as in the EGEE case, the user submits a request with the voms-proxy; the pilot or job is submitted to the batch system and scheduled on a WN under the mapped UID/GID; the pilot switches user (SU) to the job identity; the job accesses data with its UID/GID

Authorization Infrastructure (the OSG case), continued
[Same diagram as the previous slide, with the PEP-to-PDP call-outs highlighted: a common protocol for OSG and EGEE, integrated with the Globus Toolkit (GT)]

Section: Authorization Interoperability Profile
[Divider slide repeating the title; it still carries the date and presenter of the earlier version of this talk: Mar 26, 2009, Dave Dykstra, Computing Division, Fermilab]
Overview: OSG & EGEE Authorization Models; > Authorization Interoperability Profile; Implementations and Deployments

XACML and the Grid Domain
Existing standards:
– XACML defines ways to express, combine, and evaluate policies. Its motivation was mainly to unify and manage policies.
– It allows for domain-specific definitions of the attributes of authorization requests and responses.
– The definitions for the "Grid Domain" are the authorization interoperability profile: the request and response attributes that were determined to be useful for grid authorization.

An XACML AuthZ Interop Profile
– The Authorization Interoperability Profile is based on the SAML v2 profile of XACML v2
– Result of a one-year collaboration between OSG, EGEE, Globus, and Condor
– Releases: v1.0 on 05/16/08; v1.1 on 10/09/08

Request/Response Attribute Categories
A request is made with:
– Subject attributes
– Action attributes
– Resource attributes
– Environment attributes
A response is made with:
– a decision: Permit, Deny, or Indeterminate
– Obligation attributes
[Diagram: at the Grid Site, the CE / SE / WN Gateway (PEP) sends an XACML Request to the PDP in Site Services and receives an XACML Response. Request: "Subject S requests to perform Action A on Resource R within Environment E". Decision: "Permit, but must fulfill Obligation O"]

Request Attributes
Subject (see the profile document for the full list):
– Subject-X509-id: String, OpenSSL DN notation
– Subject-VO: String, e.g. "CMS"
– VOMS-FQAN: String, e.g. "/CMS/VO-Admin"
Resource (see the profile document for the full list):
– Resource-id (enumerated type): CE / SE / WN
– Resource X509 Service Certificate Subject: resource-x509-id
– Host DNS Name: dns-host-name
Action:
– Action-id (enumerated type): Queue / Execute-Now / Access (file)
– Resource Specification Language: RSL string
Environment:
– PEP-PDP capability negotiation: the PEP tells the PDP which obligations it supports, which enables upgrading PEPs and PDPs independently
– Pilot job context (pull-based WMS): the pilot job invoker identity. Policy statement example: "User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO"

Obligation Attributes
– UIDGID: UID (integer), Unix user ID local to the PEP; GID (integer), Unix group ID local to the PEP
– Secondary GIDs: GID (integer), Unix group ID local to the PEP (multiple occurrences)
– Username: Username (string), Unix username or account name local to the PEP
– Path restriction: RootPath (string), a sub-tree of the file system at the PEP; HomePath (string), path to the user home area, relative to RootPath
– Storage Priority: Priority (integer), priority to access storage resources
– Access permissions: Access-Permissions (string), "read-only" or "read-write"

Implementation Agreement: SAML and SOAP
– Security Assertion Markup Language (SAML) implementations provide marshalling/unmarshalling of the XML
– SOAP messaging is used for the web service call
[Diagram of the call-out stack: X.509 credentials plus the desired operation -> XACML request attributes -> SAML objects -> SAML XML (XACML profile) -> SOAP wrapper -> web service RPC over SSL]

Section: Implementations and Deployments
[Divider slide repeating the title, again with the earlier version's date and presenter: Mar 26, 2009, Dave Dykstra, Computing Division, Fermilab]
Overview: OSG & EGEE Authorization Models; Authorization Interoperability Profile; > Implementations and Deployments

Implementations
SAML-XACML profile libraries:
– OpenSAML (Java); Globus XACML (C)
Authorization call-out modules:
– LCAS / LCMAPS (L&L) / SCAS plug-in (EGEE)
– PRIMA / gPlazma plug-in / GUMS (OSG)
Resource gateways:
– Computing Element: pre-WS Gatekeeper (GT 2.0; GT 5.0 in progress), WS-Gatekeeper (GT 4.2)
– Storage Element: SRM / dCache; BeStMan; GridFTP
– Worker Node: gLExec

XACML Callout Structure (EGEE case)
[Diagram; legend: component or dependency available by 01/2011. Rows: Gateway, Call-out, XACML lib, PDP]
– CE: pre-WS Gatekeeper -> L&L (LCAS/LCMAPS) -> XACML2 gLite lib
– SE: GridFTP -> L&L -> XACML2 gLite lib; SRM/dCache -> gPlazma -> XACML2 priv. lib
– WN: gLExec -> L&L -> XACML2 gLite lib
– PDPs: GUMS, SCAS and SAZ, all speaking XACML2

XACML Callout Structure (OSG case)
[Diagram; legend: EGEE component used in OSG. Rows: Gateway, Call-out, XACML lib, PDP]
– CE: pre-WS Gatekeeper -> PRIMA -> SAML1 lib and XACML2 gLite lib; WS GK v4.0 -> PRIMA WS -> SAML1 lib
– SE: GridFTP -> PRIMA -> SAML1 lib and XACML2 gLite lib; SRM/dCache -> gPlazma -> SAML1 priv. lib and XACML2 priv. lib
– WN: gLExec -> PRIMA -> SAML1 lib; gLExec -> L&L (the EGEE call-out reused in OSG) -> XACML2 gLite lib
– Every gateway also carries a SAZ client
– PDPs: GUMS (SAML1 and XACML2), SCAS (XACML2), SAZ (socket protocol)

XACML Callout Structure (OSG case, 2011)
[Diagram; legend: component or dependency foreseen by 01/2011; EGEE component used in OSG. Rows: Gateway, Call-out, XACML lib, PDP]
– CE: pre-WS Gatekeeper (GK v5.0) -> GT5.0 Security -> XACML2 GT5.0 PEP; also L&L -> XACML2 gLite lib
– SE: GridFTP -> GT5.0 Security -> XACML2 GT5.0 PEP; SRM/dCache -> gPlazma -> XACML2 priv. lib
– WN: gLExec -> L&L -> XACML2 gLite lib
– PDPs: GUMS (XACML2), SCAS (XACML2), SAZ (XACML2)

Deployments
Except for those in the dashed boxes of the call-out diagrams, clients and services have all passed certification and are available for production.

Conclusions
– EGEE, OSG, Globus, and Condor have collaborated since Feb 2007 on an Authorization Interoperability profile and implementation
– Interoperability is achieved through an AuthZ Interop Profile, based on the SAML v2 profile of XACML v2
– Call-out module implementations are integrated with the major resource gateways
– The major advantages of the infrastructure are:
  – Software developed in the US or EU can seamlessly be deployed in the EU or US security infrastructures
  – Software groups in EGEE and OSG can share and reuse common code
– Production deployments are under way in OSG and EGEE

Additional Slides

Related Work
– The goal of the Authorization Interoperability collaboration is to provide a common PEP-to-PDP call-out protocol between OSG, EGEE, and major software providers such as Globus and Condor
– The Open Grid Service Architecture (OGSA) Authorization Working Group (OGSA-AuthZ WG) in OGF defines the specifications needed to allow for pluggable and interoperable authorization components from multiple authorization domains in the OGSA framework
– The scope of the OGSA-AuthZ WG is broader and includes interoperability across several authorization standards
– Several members of our collaboration also participate in the OGSA-AuthZ WG

Subject attributes (1)
– Subject-X509-id: String, OpenSSL oneline notation of the DN
– Subject-X509-Issuer: String, OpenSSL oneline notation of the Issuer DN
– Subject-Condor-Canonical-Name-id: String
– Subject-VO: String, e.g. "gin.ggf.org"
– VOMS-signing-subject: String, OpenSSL oneline notation
– VOMS-signing-issuer: String, OpenSSL oneline notation
– VOMS-FQAN: String, e.g. "/gin.ggf.org/APAC/VO-Admin"
– VOMS-Primary-FQAN: String, e.g. "/gin.ggf.org/APAC/VO-Admin"

Subject attributes (2), optional
– Certificate-Serial-Number: Integer, e.g. 42
– CA-serial-number: Integer, e.g. 1
– Subject End-Entity X509v3 Certificate Policies OID: String, e.g. " " (Robot Certificate)
– Cert-Chain: base64Binary, e.g. "MIICbjCCAVagA........"
– VOMS-dns-port: String, e.g. "kuiken.nikhef.nl:15050"

Action attributes
Action-type, 'action-id' (enumerated type):
– Queue: requesting execution through a (remote) queue
– Execute-Now: requesting direct (remote) execution
– Access (file): request for (generic) file access
Action-specific attributes:
– Resource Specification Language: RSL string

Resource attributes
Resource-type, 'resource-id' (enumerated type):
– CE (Computing Element): can also be the head node or entry point to a cluster
– WN (Worker Node): a node type that will process jobs, typically in a cluster
– SE (Storage Element): (logical) storage facility or specific storage node
Resource-specific attributes:
– Resource X509 Service Certificate Subject: resource-x509-id
– Resource X509 Service Certificate Issuer: resource-x509-issuer
– Host DNS Name: dns-host-name

Environment attributes
PEP-PDP capability negotiation, supported obligations:
– The PEP sends the PDP a list of the obligations it supports
– The PDP can choose to return an appropriate set of obligations from this list
– This allows PEPs and PDPs to be upgraded independently, deploying new functionality step by step
Pilot job context:
– Supports the pull-based job management model
– Policy statement example: "User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO"
– Pilot job invoker identity: these attributes define the identity of the pilot job invoker
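PDP-side handling of the two environment attributes on this slide, as an added example in plain Python on dicts (not code from SCAS, GUMS or any other PDP named on this page, and not XML; the message format is a separate concern). The account-mapping table, the short obligation names, the request-dict layout and the choice to deny when the PEP supports neither UIDGID nor Username are assumptions made for the example; the same-VO rule for pilot jobs is the policy statement quoted on the slide, and the rule that Secondary GIDs are only returned alongside UIDGID is the dependency stated on the Obligations slides.

```python
# Obligation names as on the slides (short form, not the profile's identifiers)
OBL_UIDGID = "uidgid"
OBL_USERNAME = "username"
OBL_SECONDARY_GIDS = "secondary-gids"

# Constructed account-mapping table keyed by (VO, primary FQAN): the kind of
# data GUMS or LCMAPS holds, with made-up uids, gids and account names.
ACCOUNT_MAP = {
    ("CMS", "/CMS/Role=production"): dict(uid=40001, gid=4000, username="cmsprod", secondary_gids=[4010]),
    ("CMS", "/CMS"):                 dict(uid=40002, gid=4000, username="cms001", secondary_gids=[]),
    ("ATLAS", "/ATLAS"):             dict(uid=41002, gid=4100, username="atlas001", secondary_gids=[]),
}


def wn_request(user_vo, fqan, pilot_vo, supported):
    """Request as a WN PEP (gLExec) would send it: the job owner's VOMS
    attributes plus, in the environment, the pilot invoker's VO and the
    obligations this PEP can act upon (assumed dict layout)."""
    return {"subject": {"vo": user_vo, "primary-fqan": fqan},
            "resource": {"type": "WN"},
            "action": {"type": "Execute-Now"},
            "environment": {"supported-obligations": supported, "pilot": {"vo": pilot_vo}}}


def pdp_evaluate(request):
    """Evaluate one request and return {"decision", "status", "obligations"}."""
    subject, resource = request["subject"], request["resource"]
    env = request.get("environment", {})

    # Rule 1, pilot job context: on a WN the job owner's VO must match the VO
    # of whoever invoked the pilot (the policy statement on the slide).
    pilot = env.get("pilot")
    if resource["type"] == "WN" and pilot is not None and pilot.get("vo") != subject["vo"]:
        return {"decision": "Deny", "status": "pilot VO differs from user VO", "obligations": {}}

    # Rule 2: the (VO, primary FQAN) pair must map to a local account.
    account = ACCOUNT_MAP.get((subject["vo"], subject.get("primary-fqan")))
    if account is None:
        return {"decision": "Deny", "status": "no account mapping for VO/FQAN", "obligations": {}}

    # Capability negotiation: hand back only obligations the PEP declared.
    supported = set(env.get("supported-obligations", []))
    obligations = {}
    if OBL_UIDGID in supported:
        obligations[OBL_UIDGID] = {"uid": account["uid"], "gid": account["gid"]}
        # Secondary GIDs need UIDGID, so they are only returned together with it
        if OBL_SECONDARY_GIDS in supported and account["secondary_gids"]:
            obligations[OBL_SECONDARY_GIDS] = {"gids": list(account["secondary_gids"])}
    if OBL_USERNAME in supported:
        obligations[OBL_USERNAME] = {"username": account["username"]}
    if OBL_UIDGID not in obligations and OBL_USERNAME not in obligations:
        # ASSUMED policy: a Permit the PEP cannot turn into a local identity is
        # a silent downgrade, so deny with a status the site admin can act upon.
        return {"decision": "Deny", "status": "PEP supports no identity-mapping obligation",
                "obligations": {}}
    return {"decision": "Permit", "status": "ok", "obligations": obligations}
```

An old PEP that announces only `username` keeps working against this PDP after Secondary GIDs are added, and a new PEP gets them as soon as it announces `secondary-gids`; that is the independent-upgrade property the slide describes. The deny-on-no-mapping branch is the part to revisit for a PDP that also serves pure yes/no authorization (SAZ-style) without identity mapping.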

Obligations (1)
UIDGID
– UID (integer): Unix user ID local to the PEP
– GID (integer): Unix group ID local to the PEP
– Stakeholder: common
– Must be consistent with: Username
Multiple Secondary GIDs
– GID (integer): Unix group ID local to the PEP, multiple occurrences
– Stakeholder: EGEE
– Needs obligation(s): UIDGID
Username
– Username (string): Unix username or account name local to the PEP
– Stakeholder: OSG
– Must be consistent with: UIDGID

Obligations (2)
AFSToken
– AFSToken (string): AFS token passed as a base64 string
– Stakeholder: EGEE
– Needs obligation(s): UIDGID
Path restriction (root-and-home-paths)
– RootPath (string): defines a sub-tree of the whole file system available at the PEP
– HomePath (string): defines the path to the home area of the user accessing the PEP; relative to RootPath
– Stakeholder: OSG
– Needs obligation(s): UIDGID or Username

Obligations (3)
Storage Priority
– Priority (integer): defines the priority to access storage resources
– Stakeholder: OSG
– Needs obligation(s): UIDGID or Username
Access permissions
– Access-Permissions (string): access permissions to the requested file; allowed values "read-only", "read-write"
– Stakeholder: OSG
– Needs obligation(s): UIDGID or Username
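The dependency and consistency rules of the three Obligations slides, enforced on the PEP side, as an added example that is not code from gLExec, PRIMA, LCMAPS or gPlazma. The dependencies themselves are the slides' (Secondary GIDs and AFSToken need UIDGID; path restriction, storage priority and access permissions need UIDGID or Username; UIDGID and Username must be consistent with each other). The in-memory passwd table, the dict layout of the obligations, the lower-case names and the rule that HomePath must resolve inside RootPath are assumptions made for the example.

```python
import posixpath

# Constructed local account database standing in for /etc/passwd at the PEP;
# real code would use pwd.getpwnam / pwd.getpwuid (and grp for group names).
PASSWD = {
    "cmsprod": {"uid": 40001, "gid": 4000},
    "cms001": {"uid": 40002, "gid": 4000},
}
UID_TO_NAME = {entry["uid"]: name for name, entry in PASSWD.items()}

# Obligations the slides say need UIDGID specifically. The remaining ones
# (root-and-home-paths, storage-priority, access-permissions) need UIDGID or
# Username, which every path through resolve_local_identity already has.
REQUIRES_UIDGID = {"secondary-gids", "afstoken"}
ALLOWED_PERMISSIONS = {"read-only", "read-write"}


class ObligationError(ValueError):
    """The PEP cannot honour what the PDP sent; the caller must treat this as Deny."""


def resolve_local_identity(obligations):
    """Turn the obligations of a Permit into the local identity the PEP will
    enforce. `obligations` is {obligation-name: {attribute-name: value}}
    (assumed layout, names from the slides in lower case)."""
    uidgid = obligations.get("uidgid")
    username = obligations.get("username", {}).get("username")
    if uidgid is None and username is None:
        raise ObligationError("neither UIDGID nor Username was returned")

    # UIDGID and Username must be consistent with each other when both appear
    if uidgid is not None and username is not None and UID_TO_NAME.get(uidgid["uid"]) != username:
        raise ObligationError("UIDGID %s does not belong to Username %r" % (uidgid["uid"], username))
    if uidgid is None:                      # Username only: look the account up locally
        if username not in PASSWD:
            raise ObligationError("no local account %r" % username)
        uidgid = dict(PASSWD[username])
    elif username is None:                  # UIDGID only: the name is informational
        username = UID_TO_NAME.get(uidgid["uid"])

    for name in REQUIRES_UIDGID.intersection(obligations):
        if "uidgid" not in obligations:     # a uid/gid derived from Username does not count
            raise ObligationError("%s needs the UIDGID obligation" % name)

    identity = {"uid": int(uidgid["uid"]), "gid": int(uidgid["gid"]), "username": username,
                "secondary_gids": [], "root": None, "home": None,
                "priority": None, "permissions": None}
    if "secondary-gids" in obligations:
        identity["secondary_gids"] = [int(g) for g in obligations["secondary-gids"]["gids"]]
    if "root-and-home-paths" in obligations:
        root = posixpath.normpath(obligations["root-and-home-paths"]["rootpath"])
        home = obligations["root-and-home-paths"]["homepath"]
        # HomePath is relative to RootPath; a value that climbs out of the
        # sub-tree (../..) would defeat the restriction, so refuse it.
        full_home = posixpath.normpath(posixpath.join(root, home.lstrip("/")))
        if full_home != root and not full_home.startswith(root.rstrip("/") + "/"):
            raise ObligationError("HomePath %r escapes RootPath %r" % (home, root))
        identity["root"], identity["home"] = root, full_home
    if "storage-priority" in obligations:
        identity["priority"] = int(obligations["storage-priority"]["priority"])
    if "access-permissions" in obligations:
        perm = obligations["access-permissions"]["access-permissions"]
        if perm not in ALLOWED_PERMISSIONS:
            raise ObligationError("Access-Permissions must be read-only or read-write, got %r" % perm)
        identity["permissions"] = perm
    return identity


def enforce(decision, obligations):
    """What the PEP does with a response: only a Permit whose obligations can
    all be honoured yields a local identity; everything else becomes a Deny."""
    if decision != "Permit":
        return "Deny", "PDP decision was %s" % decision
    try:
        return "Permit", resolve_local_identity(obligations)
    except ObligationError as exc:
        return "Deny", str(exc)
```

The point of `enforce` is fail-closed handling: a PDP that sends UIDGID and a Username that do not agree, or a path restriction that escapes its own root, produces a Deny with a reason to log, never a job running under a half-applied identity. The checks that need the real account database (the uid/name consistency, the Username lookup) are exactly the ones a site should run against its own passwd/NSS source rather than trust the PDP for.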

OSG Integration Tests
Component (status)                 Test                                        Old GUMS   New GUMS   SCAS
WS-Gatekeeper (out of scope)       Test call-out component                     NO         YES
                                   Run job w/o delegation or file transfer     NO         YES        out of scope
                                   Run job with delegation and file transfer   NO         YES        out of scope
SCAS / PRIMA cmd line tool (OOS)   AuthZ call via legacy protocol call-out     YES        NO         NO
                                   AuthZ call via XACML protocol call-out      NO         YES        YES
Pre-WS Gatekeeper (VTB-tested)     Run job, AuthZ via legacy protocol          YES        NO         NO
                                   Run job, AuthZ via XACML protocol           NO         YES        YES
GridFTP (VTB-tested)               Transfer file, AuthZ via legacy protocol    YES        NO         NO
                                   Transfer file, AuthZ via XACML protocol     NO         YES        YES
gLExec (rel. Jan 20)               Run pilot job, AuthZ via legacy protocol    YES        NO         NO
                                   Run pilot job, AuthZ via XACML protocol     NO         YES        YES
SRM/dCache gPlazma (rel. Jan 20)   Transfer file, AuthZ via legacy protocol    YES        NO         NO
                                   Transfer file, AuthZ via XACML protocol     NO         YES        YES
(PDP columns are Old GUMS, New GUMS and SCAS. The original merges cells across the PDP columns; they are read here as the legacy protocol being served by the old GUMS only and the XACML protocol by the new GUMS and SCAS.)