MSO and multiple communities

Guy Rixon gtr at ast.cam.ac.uk
Tue Jul 6 06:09:26 PDT 2004


On Tue, 6 Jul 2004, Dave Morris wrote:

> An Account (identity) is registered with one Community, but will be a
> member of multiple Groups at multiple Communities.
> Access rights are checked based on membership of groups (credentials).

Ah. Terminology problem.  I'm using "identity" and "account" as distinct
terms.

In the IVOA drafts I've written/am writing, I use "identity" to mean just a
name. An identity can exist independently of any account in any community.

When I write "account", I mean an arrangement between a user and a community
that allows the user to request warrants from that community in respect of an
agreed identity. You need an account in order to be able to authenticate.

Authentication is done on the basis of accounts (because warrants are
connected with accounts). Authorization is done on the basis of identity, not
account name.

I think any user needs just one identity and at least one account. Sometimes,
we may need to support multiple accounts per identity, in order to satisfy
nervous service-providers.

When a user registers at a community, the community can do one of two things:

  - create a new identity, and assign an account;

  - verify a given identity and assign a new account to that.

The second one is what the national CAs do.

> This is a rough outline of the kind of thing we were aiming for (some of
> this is out of date now).
> http://wiki.astrogrid.org/bin/view/Astrogrid/CrossCommunityPolicyChecking
>
> Would it work if a Community issued a warrant (certificate) when an
> Account joined a Group at that Community ?
> An Account would then have a primary identity certificate signed by
> their 'home' Community, to prove who they are, plus a set of membership
> certificates signed by other Communities to prove that they belong to
> Groups on those Communities.

Nearly.  The warrants are supposed to be short-lived, so the group warrants
have to be collected at time of sign-on (start of each session). Therefore,
one has to be able to find all the group-granting communities from the primary
community.  That's doable.

> Dave
>
> Guy Rixon wrote:
>
> >In light of Tony's last message, I ask the group whether we are to proceed
> >with the abilities to have accounts at more than one community, to federate
> >communities and to allow credentials for an SSO session to be collected from
> >more than one server. If not, then the nature of the system is changed; some
> >processes are simplified and some are made impossible.
> >
> >I don't mind changing tack if there is consensus, but I need to know which
> >way we're going before I finish the SSO document-set.
> >
> >Cheers,
> >Guy
> >
> >Guy Rixon 				        gtr at ast.cam.ac.uk
> >Institute of Astronomy   	                Tel: +44-1223-337542
> >Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
> >
> >
>

Guy Rixon 				        gtr at ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
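As an added illustration, not code from this thread or from the AstroGrid/IVOA projects, the following toy model shows the arrangement Guy describes: accounts are what you authenticate with, identity is what you are authorized on, and short-lived group warrants are gathered at sign-on from the communities the home community knows about. The class and function names (Community, Warrant, sign_on, authorized) and the TTL value are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

WARRANT_TTL = 60.0  # seconds; warrants are meant to be short-lived (assumed value)

@dataclass
class Warrant:
    identity: str            # authorization is decided on identity, not account name
    issuer: str              # community that signed the warrant
    group: Optional[str]     # None for the primary (identity) warrant
    expires: float           # absolute time after which the warrant is no longer valid

    def valid(self, now: float) -> bool:
        return now < self.expires

class Community:
    def __init__(self, name: str):
        self.name = name
        self.accounts = {}   # account name -> identity (one account per identity here)
        self.groups = {}     # group name -> set of member identities
        self.peers = set()   # other communities that grant groups to our identities

    def register(self, account: str, identity: str) -> None:
        # "verify a given identity and assign a new account to that"
        self.accounts[account] = identity

    def authenticate(self, account: str, now: float) -> Warrant:
        # only an account holder can authenticate; the result is the primary warrant
        identity = self.accounts[account]
        return Warrant(identity, self.name, None, now + WARRANT_TTL)

    def group_warrants(self, primary: Warrant, now: float) -> list:
        # issue membership warrants only on the strength of an unexpired primary warrant
        if not primary.valid(now):
            return []
        return [Warrant(primary.identity, self.name, g, now + WARRANT_TTL)
                for g, members in self.groups.items() if primary.identity in members]

def sign_on(home: Community, account: str, now: float) -> list:
    # collect every warrant at the start of the session: the primary warrant first,
    # then one round trip to each group-granting community the home community lists
    primary = home.authenticate(account, now)
    warrants = [primary]
    for community in [home, *home.peers]:
        warrants += community.group_warrants(primary, now)
    return warrants

def authorized(warrants: list, issuer: str, group: str, now: float) -> bool:
    # a service admits the identity if it holds an unexpired warrant for that group
    return any(w.group == group and w.issuer == issuer and w.valid(now) for w in warrants)
```

Because every warrant expires, a session that outlives WARRANT_TTL has to sign on again to refresh its group warrants, which is why the home community must be able to name all the group-granting communities.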