
1 I2/NMI Update: Signet, Grouper, & GridShib
Tom Barton University of Chicago

2 IdMS reality
Each person’s online activities are shaped by many Sources of Authority (SoAs):
  Resource managers
  Program/activity heads
  Other policy making bodies
  Self
Common middleware infrastructure should be operated centrally, so that departments/programs/activities are not obliged to build their own core middleware
Management of the information it conveys should be highly distributed: hook up all of those SoAs to the middleware
TF-EMC2 Feb 2005

3 Relative roles of Signet & Grouper
RBAC model:
  Users are placed into groups
  Privileges are assigned to groups
  Groups can be arranged into static hierarchies to effectively bestow privileges
Signet manages privileges
Grouper manages, well, groups

4 Signet

5 Nutshell description of Signet
Analysts write XML descriptions of “business views” of privileges and store them in the Authority Registry
The Signet UI presents the business views found in the Authority Registry
Authoritative persons use the Signet UI to assign privileges and delegate authority across all “subsystems” in which they have any authority
The Signet UI stores assignments in the Authority Registry
XML “permissions documents” are exported from the Authority Registry, transformed, and provisioned into integrated systems and infrastructure services

6 Privilege building blocks
Business view:
  Subsystems
  Categories
  Functions
  Scope
  Limits
  Prerequisites
  Conditions
System view:
  Permissions
Assignment:
  To an individual or to a group
  With or without the ability to further delegate
  Proxy assignment

7 Signet subsystems
Define domains of ownership and responsibility
Reflect real world boundaries
Can be large or small:
  Financial system
  Student system
  HR system
  Network address plan management
  Network access management
  Research administration
  Clinical resources
  IdMS UI (Person Registry)
  Signet (Authority Registry)
  Grouper (Group Registry)

8 Authority elements by example
By authority of the Dean (grantor),
principal investigators (grantee: a group)
who have completed training (prerequisite)
can approve purchases (function)
in the School of Medicine (scope)
for research projects up to $100,000 (limits)
until January 1, 2006 (condition)
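The elements on this slide, and the assignment options of slide 6 (to an individual or a group, with or without the right to delegate further), as an added worked example. This is illustration code written for this page, not Signet’s own code or its XML permissions format; the org tree, the group membership, the subject attributes and every name in it (approve-purchases, training-complete, the people) are constructed. It shows two things a practitioner cares about: the check a subsystem makes before honouring a request (every element must hold: grantee, prerequisite, function, scope, limit, expiry), and a delegation step that can only narrow, never widen, what the Dean granted.

```python
"""Model of a Signet-style authority assignment and how a request is checked
against it. Constructed illustration, not Signet's own code or data format."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed org tree used for scope containment: unit -> parent unit.
ORG_PARENT = {
    "Dept of Surgery": "School of Medicine",
    "School of Medicine": "University",
    "School of Law": "University",
}
# Constructed group membership; in a deployment this would come from Grouper.
GROUPS = {"principal-investigators": {"alice", "bob"}}
# Constructed subject attributes that prerequisites are checked against.
ATTRS = {"alice": {"training-complete"}, "bob": set(), "carol": {"training-complete"}}


@dataclass(frozen=True)
class Assignment:
    grantor: str
    grantee: str                         # an individual, or a group name in GROUPS
    function: str                        # e.g. "approve-purchases"
    scope: str                           # org unit the privilege applies within
    limit: Optional[int] = None          # e.g. max amount; None means unbounded
    expires: Optional[date] = None       # condition: valid on days before this date
    prerequisite: Optional[str] = None   # attribute the acting subject must hold
    can_delegate: bool = False           # may the grantee hand this on?


def scope_contains(outer: str, inner: str) -> bool:
    """True if unit `inner` is `outer` itself or lies below it in ORG_PARENT."""
    node: Optional[str] = inner
    while node is not None:
        if node == outer:
            return True
        node = ORG_PARENT.get(node)
    return False


def covers(a: Assignment, subject: str) -> bool:
    """Does this assignment apply to `subject`, directly or through its group?"""
    return a.grantee == subject or subject in GROUPS.get(a.grantee, set())


def evaluate(assignments: List[Assignment], subject: str, function: str,
             unit: str, amount: int, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). The first assignment satisfying every element wins."""
    reasons = []
    for a in assignments:
        if a.function != function or not covers(a, subject):
            continue
        if a.prerequisite and a.prerequisite not in ATTRS.get(subject, set()):
            reasons.append("prerequisite unmet")
            continue
        if not scope_contains(a.scope, unit):
            reasons.append("out of scope")
            continue
        if a.limit is not None and amount > a.limit:
            reasons.append("over limit")
            continue
        if a.expires is not None and today >= a.expires:
            reasons.append("expired")
            continue
        return True, f"granted by {a.grantor}"
    return False, "; ".join(reasons) or "no matching assignment"


def delegate(parent: Assignment, grantor: str, grantee: str, scope: Optional[str] = None,
             limit: Optional[int] = None, expires: Optional[date] = None,
             can_delegate: bool = False) -> Assignment:
    """Derive a narrower assignment from one the grantor holds with delegation rights.
    Nothing the delegate receives may exceed what the grantor has; the
    prerequisite is inherited unchanged."""
    if not parent.can_delegate:
        raise PermissionError("assignment is not delegable")
    if not covers(parent, grantor):
        raise PermissionError(f"{grantor} does not hold this assignment")
    scope = parent.scope if scope is None else scope
    if not scope_contains(parent.scope, scope):
        raise PermissionError("delegated scope exceeds grantor's scope")
    limit = parent.limit if limit is None else limit
    if parent.limit is not None and limit > parent.limit:
        raise PermissionError("delegated limit exceeds grantor's limit")
    expires = parent.expires if expires is None else expires
    if parent.expires is not None and expires > parent.expires:
        raise PermissionError("delegated assignment outlives grantor's")
    return Assignment(grantor, grantee, parent.function, scope, limit, expires,
                      parent.prerequisite, can_delegate)


# The slide's example as data: by authority of the Dean, principal investigators
# who completed training may approve purchases in the School of Medicine,
# up to $100,000, until January 1, 2006 (constructed names throughout).
DEAN_GRANT = Assignment("dean", "principal-investigators", "approve-purchases",
                        "School of Medicine", 100_000, date(2006, 1, 1),
                        "training-complete", can_delegate=True)

if __name__ == "__main__":
    today = date(2005, 2, 1)
    print(evaluate([DEAN_GRANT], "alice", "approve-purchases", "Dept of Surgery", 50_000, today))
    print(evaluate([DEAN_GRANT], "bob", "approve-purchases", "Dept of Surgery", 50_000, today))
    sub = delegate(DEAN_GRANT, "alice", "carol", scope="Dept of Surgery", limit=10_000)
    print(evaluate([sub], "carol", "approve-purchases", "Dept of Surgery", 5_000, today))
```

Two design points are worth noting. The prerequisite is checked against the subject who acts, not against the group as a whole, so a group member who has not completed training is refused even though the group is the grantee. And `delegate` refuses any scope, limit or expiry that is not contained in the grantor’s own, which is what keeps a chain of delegations from exceeding the original source of authority.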

9 Business view → system permissions

10 Provisioning permissions into systems

11 Provisioning permissions into infrastructure


13 Grouper groups
Attributes of groups:
  Names: name, displayName, guid
  Description
  Members
  The set of attributes can be extended to support groups with more specific purposes
Subgroups, compound groups, and aging
Stored in an RDBMS, the Group Registry

14 Group namespaces
Groups are created within namespaces
Namespaces scope the authority to create and name groups
Namespaces can be arranged hierarchically, if desired:
  faculties (namespace)
  faculties:arts (namespace)
  faculties:arts:all_staff (group)

15 Grouper privileges
Access privileges: who has what access (read, write) to a group’s attributes
Naming privileges:
  Who can create a group in each namespace
  Who can create a new namespace subordinate to an existing one
Privilege interfaces are abstracted:
  Can use an external privilege management system, like Signet
  Or Grouper’s built-in privilege management; subgroups, compound groups, and aging can be used to manage privileges with the built-in capability

16 Access privileges
VIEW controls to whom a group is visible or hidden
READ information, especially membership, about a group
UPDATE membership
ADMIN can modify everything, including group name, description, & access privileges, and can delete the group
OPTIN can add self to the members list
OPTOUT can remove self from the members list

17 Naming privileges
CREATE a group in a given namespace; the creator is automatically given ADMIN priv
STEM privilege in a given namespace enables:
  Assignment of CREATE and STEM privileges for the namespace
  Creation of subordinate namespaces; the creator is automatically given STEM priv

18 Three ways to distribute group management
Create a group and assign someone UPDATE privilege to it: they manage the group’s membership
Create a group and assign someone ADMIN privilege to it: they manage who manages the group’s membership and who can see what about the group
Create a namespace and assign someone STEM privilege to it: they manage who can create groups, with a constraint on how those groups are named
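The namespace hierarchy of slide 14, the access and naming privileges of slides 15 through 17, and the three delegation patterns of slide 18, as one added model in Python. This is illustration code written for this page, not Grouper’s API or code. Its modeling assumptions: ADMIN implies every access privilege on its group; no other privilege implies another, so STEM does not confer CREATE and UPDATE does not confer READ; the root namespace is named with the empty string; and the subjects (sysadmin, dean, clerk, office, prof-x) are constructed names.

```python
"""Model of Grouper's namespace (stem) and group privileges as described on the
slides. Constructed illustration, not Grouper's API. Modeling assumptions:
ADMIN implies every access privilege; no other privilege implies another."""

ACCESS_PRIVS = ("VIEW", "READ", "UPDATE", "ADMIN", "OPTIN", "OPTOUT")
NAMING_PRIVS = ("CREATE", "STEM")


class GroupRegistry:
    def __init__(self, root_admin: str):
        # The root namespace is named ""; root_admin holds STEM on it (assumption).
        self.stems = {"": {"STEM": {root_admin}, "CREATE": set()}}
        self.groups = {}  # name -> {"members": set, "privs": {priv: set}}

    @staticmethod
    def parent(name: str) -> str:
        """Namespace that contains `name`: 'a:b:c' -> 'a:b', 'a' -> root ''."""
        return name.rsplit(":", 1)[0] if ":" in name else ""

    def has_naming(self, subject: str, stem: str, priv: str) -> bool:
        return subject in self.stems[stem][priv]

    def grant_naming(self, actor: str, stem: str, priv: str, subject: str) -> None:
        """Only a STEM holder on `stem` may hand out CREATE or STEM there (slide 17)."""
        if priv not in NAMING_PRIVS:
            raise ValueError(priv)
        if not self.has_naming(actor, stem, "STEM"):
            raise PermissionError(f"{actor} lacks STEM on '{stem or 'root'}'")
        self.stems[stem][priv].add(subject)

    def create_stem(self, actor: str, name: str) -> None:
        parent = self.parent(name)
        if parent not in self.stems or name in self.stems or name in self.groups:
            raise ValueError(name)
        if not self.has_naming(actor, parent, "STEM"):
            raise PermissionError(f"{actor} lacks STEM on '{parent or 'root'}'")
        self.stems[name] = {"STEM": {actor}, "CREATE": set()}  # creator gets STEM

    def create_group(self, actor: str, name: str) -> None:
        stem = self.parent(name)
        if stem not in self.stems or name in self.groups or name in self.stems:
            raise ValueError(name)
        if not self.has_naming(actor, stem, "CREATE"):
            raise PermissionError(f"{actor} lacks CREATE on '{stem or 'root'}'")
        privs = {p: set() for p in ACCESS_PRIVS}
        privs["ADMIN"].add(actor)  # creator gets ADMIN
        self.groups[name] = {"members": set(), "privs": privs}

    def has_access(self, subject: str, group: str, priv: str) -> bool:
        """ADMIN can do everything on the group, so it satisfies any access check."""
        privs = self.groups[group]["privs"]
        return subject in privs[priv] or subject in privs["ADMIN"]

    def grant_access(self, actor: str, group: str, priv: str, subject: str) -> None:
        if priv not in ACCESS_PRIVS:
            raise ValueError(priv)
        if not self.has_access(actor, group, "ADMIN"):
            raise PermissionError(f"{actor} lacks ADMIN on {group}")
        self.groups[group]["privs"][priv].add(subject)

    def _membership_change(self, actor: str, group: str, subject: str, self_priv: str) -> None:
        """UPDATE holders manage anyone; OPTIN/OPTOUT only cover the actor itself."""
        if not (self.has_access(actor, group, "UPDATE") or
                (actor == subject and self.has_access(actor, group, self_priv))):
            raise PermissionError(f"{actor} may not change {subject} in {group}")

    def add_member(self, actor: str, group: str, subject: str) -> None:
        self._membership_change(actor, group, subject, "OPTIN")
        self.groups[group]["members"].add(subject)

    def remove_member(self, actor: str, group: str, subject: str) -> None:
        self._membership_change(actor, group, subject, "OPTOUT")
        self.groups[group]["members"].discard(subject)

    def read_members(self, actor: str, group: str) -> set:
        if not self.has_access(actor, group, "READ"):
            raise PermissionError(f"{actor} lacks READ on {group}")
        return set(self.groups[group]["members"])


def demo() -> GroupRegistry:
    """Slide 14's hierarchy built the slide-18 way: STEM delegated for the
    'faculties' namespace, CREATE within faculties:arts, UPDATE on one group."""
    r = GroupRegistry("sysadmin")
    r.create_stem("sysadmin", "faculties")
    r.grant_naming("sysadmin", "faculties", "STEM", "dean")       # way 3: STEM
    r.create_stem("dean", "faculties:arts")                       # dean now holds STEM here
    r.grant_naming("dean", "faculties:arts", "CREATE", "clerk")
    r.create_group("clerk", "faculties:arts:all_staff")           # way 2: clerk gets ADMIN
    r.grant_access("clerk", "faculties:arts:all_staff", "UPDATE", "office")  # way 1: UPDATE
    r.add_member("office", "faculties:arts:all_staff", "prof-x")
    return r
```

The point of keeping the privileges independent is visible in what `demo()` does not allow: the dean, who holds STEM on faculties:arts, still cannot create a group there until CREATE is granted (possibly to the dean by the dean), the clerk with CREATE cannot create sub-namespaces or hand out naming privileges, and someone with OPTIN can add only themselves.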

19 Signet & Grouper Subject Interface
Component common to both, used to integrate with an external IdMS
Now available:
  Grouper API v0.5: basic group management by automation processes
  Demo release of Signet
By the Spring Internet2 meeting:
  Grouper v0.6: first complete release, including the UI
Initial production-ready release of Signet anticipated in the middle of 2005

20 What is GridShib?
NSF Middleware Initiative (NMI) grant: “Policy Controlled Attribute Framework”
Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4
2 year project starting December 1, 2004
Participants:
  Von Welch, UIUC/NCSA (PI)
  Kate Keahey, UChicago/Argonne (PI)
  Frank Siebenlist, Argonne
  Tom Barton, UChicago

21 GridShib integration principles
No modification to typical grid client applications
Leverage high-quality campus IdMS operations: attributes, attribute release policies
Leverage high-quality Shib and Grid software

22 Basic use case (diagram)
Components shown: grid-proxy-init, GT4 runtime, attribute marshalling pipeline, online CA, Shib AA, LionShare-like trust plugin
Labelled flows: 1 EEC; 2 SIA: IdP ID(s)

23 Managing the attributes marshalled by GridShib
The grid resource, the user, and the SoAs for the user’s attributes may be in different administrative domains
How to manage which attributes are marshalled from which AA?
Shibbolized Signet & Grouper might help…

