MSO and multiple communities
Guy Rixon
gtr at ast.cam.ac.uk
Tue Jul 6 08:26:30 PDT 2004
In which case, see my last reply to Dave.
Group warrants are therefore dependent on individual identity warrants. You
can't authenticate group membership by having a group warrant and matching
signature because the group warrant isn't associated with a registration; you
have to get the individual identity out of the group warrant and authenticate
that separately, using a separate warrant.
We _still_ have a problem is a service doesn't trust your individual warrant.
That now mean that you can not use that service at all, even if you have the
group warrant.
However, it does mean that group warrants can be given out without sign on,
since they don't relate to key pairs. In fact, a group warrant probably isn't
an X.509 certficate any more; it's something else we haven't designed yet.
On Tue, 6 Jul 2004, Tony Linde wrote:
> If a user has to hunt around finding different communities to register
> accounts with before they can achieve anything useful with the the IVO then
> the IVO will have failed.
>
> We must find a way that a user can simply construct a workflow consisting of
> several jobs, having first made sure that they have the relevant
> authorisations through group membership (1), and then expect that workflow
> to run through to completion. That is the requirement.
>
> Making every user set up an account with every community which manages
> groups they are joined to (and groups that those groups are joined to? and
> ...) will simply not work.
>
> Cheers,
> Tony.
>
> > -----Original Message-----
> > From: owner-grid at eso.org [mailto:owner-grid at eso.org] On
> > Behalf Of Guy Rixon
> > Sent: 06 July 2004 15:28
> > To: Grid and WebServices
> > Subject: Re: MSO and multiple communities
> >
> > Let's clear something up.
> >
> > Hands up all those who think that service providers to the
> > IVO are required to accept identity warrants from any
> > community CA inside the IVO. Hands up those who think that
> > providers will actually do this.
> >
> > If we get this kind of universal trust, then we can have true
> > SSO while still having multiple communities. If not, then we
> > automatically some form of MSO and _nothing_ we can do
> > changes that without breaking the integrity of the system.
> >
> > I reiterate: if user U is registered at communities C1 and
> > C2, and if service S trusts C1 and distrusts C2, then C1
> > _cannot_ rightfully act as a sign-on proxy for groups in C2
> > when talking to S. U _must_, somehow, sign on separately to
> > C1 and C2.
> >
> > On Tue, 6 Jul 2004, Guy Rixon wrote:
> >
> > > On Tue, 6 Jul 2004, Dave Morris wrote:
> > >
> > > > Guy Rixon wrote:
> > > >
> > > > >>Would it work if a Community issued a warrant
> > (certificate) when
> > > > >>an Account joined a Group at that Community ?
> > > > >>An Account would then have a primary identity
> > certificate signed
> > > > >>by their 'home' Community, to prove who they are, plus a set of
> > > > >>membership certificates signed by other Communities to
> > prove that
> > > > >>they belong to Groups on those Communities.
> > > > >
> > > > >Nearly. The warants are supposed to be short-lived, so
> > the group
> > > > >warrants have to be collected at time of sign-on (start of each
> > > > >session). Therefore, one has to be able to find all the
> > > > >group-granting communities from the primary community.
> > That's doable.
> > > > >
> > > > >
> > > > Yep, if a Community for an Account keeps a list of Groups
> > that that
> > > > Account is a member of, then it can use this to get the
> > membership warrants.
> > > > Could even be delayed, and only done when a warrant is required.
> > > > Client service could keep a cache of membership warrants for this
> > > > session, and only call the remote Communitites when it needs to
> > > > prove group membership.
> > > > This avoids a message storm of warrant requests when a
> > user logs in
> > > > to check the news pages.
> > > >
> > > > However, there is a useability problem with this model.
> > > > a) The user needs to be aware of what membership warrants are
> > > > required for which actions and selects them when
> > designing a workflow.
> > >
> > > This would be a policy look-up on the registry.
> > >
> > > > b) All the membership warrants are sent with every
> > message (message
> > > > bloat - a 2 line status request may end up with 50+
> > warrants in the header).
> > >
> > > A good reason for using X.509 instead of SAML - much more compact.
> > >
> > > > c) The system works it all out - a complex problem that we havn't
> > > > solved yet (particularly if workflow execution can
> > dynamically swap
> > > > between equivalent services based on availability etc.)
> > >
> > >
> > > (d) Back to the pull model: service knows which groups are relevant
> > > (because service has internal authorization tables mapping
> > groups to
> > > privileges) and which communities host which groups
> > (because it looked
> > > them up when setting up its authZ tables); so service pulls the
> > > warrants required from the community services.
> > >
> > > Pro: minimized warrants sent to service.
> > >
> > > Con: service has to interact with many communities at time of call;
> > > all must be up and there are more (but smaller) messages.
> > >
> > > Con: user agent has to associate the same key pair with all the
> > > communities => user agent has to log in to each community
> > at the start
> > > of the session => use ragent has to know which communities
> > are relevant.
> > >
> > > > Dave
> > > >
> > > >
> > >
> > > Guy Rixon gtr at ast.cam.ac.uk
> > > Institute of Astronomy Tel: +44-1223-337542
> > > Madingley Road, Cambridge, UK, CB3 0HA Fax:
> > +44-1223-337523
> > >
> >
> > Guy Rixon gtr at ast.cam.ac.uk
> > Institute of Astronomy Tel: +44-1223-337542
> > Madingley Road, Cambridge, UK, CB3 0HA Fax:
> > +44-1223-337523
> >
>
Guy Rixon gtr at ast.cam.ac.uk
Institute of Astronomy Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
More information about the grid
mailing list