Access Grid Authorization Thomas Uram [email protected] Argonne National Laboratory
Page 1: Access Grid  Authorization

Access Grid Authorization

Thomas Uram, [email protected]

Argonne National Laboratory

Page 2: Access Grid  Authorization

Agenda

• Authorization Landscape
• Role-based Authorization
• AuthorizationManager API
• Examples and exercises

Page 3: Access Grid  Authorization

Landscape

• PKI
  – Every user has a unique certificate

• Web Services
  – Web-accessible components of the AG software are exposed via SOAP over GSI
  – GSI connections are authenticated using certificates
    • User’s identity subject to verification by server
    • Server’s identity subject to verification by user
  – Methods are distinguished by their callability
    • Administrator methods
      – Venue configuration
    • User methods
      – Venue entry

Page 4: Access Grid  Authorization

Landscape

[Diagram: Venue, AudioService, VideoService, two Multicast groups]

Page 5: Access Grid  Authorization

Role-based Authorization

• Abstraction layer between objects and the persons who will access them

• Similar to the *nix file system concept
  – Each object has a list of actions that can be performed on it (rwx)
  – Each action has a list of groups which are allowed to call it
  – Each group has a list of members (/etc/group)

Page 6: Access Grid  Authorization

Roles

• Roles are user groups
  – Required roles
    • Administrator
    • User
  – Custom roles
    • Venue.AllowedEntry
    • Venue.RegisteredUsers

Page 7: Access Grid  Authorization

Actions

• Actions define operations on web services
  – In the *nix file system analog, read/write/execute are Actions

• Actions currently map one-to-one to web service methods
  – VenueServer.GetVenues
  – Venue.GetStreams

Page 8: Access Grid  Authorization

Subjects

• Subject class holds information about a user (in particular, the user’s distinguished name)

Page 9: Access Grid  Authorization

Policies

• An authorization policy describes the role/action/subject relationships in force for a service

• The policy for a service is represented in XML

• The policy can be modified wholesale, or through individual calls

• Services define default policies

Page 10: Access Grid  Authorization

Authorization UI

• VenueServer

Page 11: Access Grid  Authorization

Authorization UI

• Venue

Page 12: Access Grid  Authorization

AuthorizationManager

• AccessGrid.Security.AuthorizationManager
• Exposes interfaces for modifying the authorization policy for a service
• Used in the authorization callback registered with the SOAP server
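The role/action/subject model of the preceding slides (Roles, Actions, Subjects, Policies) and the per-call authorization hook described on this slide, worked through as an added example. This is not AccessGrid code and does not use the toolkit's AuthorizationManager: the Policy class, its XML element and attribute names, the action names Venue.SetName and Venue.Enter, the make_authz_callback hook and the two distinguished names are assumptions made for illustration. Action names are built as Service.Method, following the one-to-one mapping the Actions slide describes, and the subject DN is taken to be the one the server already verified on the GSI connection.

```python
"""Added example, not AccessGrid code: a policy of roles (name -> subject DNs)
and actions (name -> roles allowed to call them), its XML form, and the
per-call authorization hook a SOAP server would run before dispatching.
The XML schema and action names below are assumptions, not the toolkit's."""
import xml.etree.ElementTree as ET


class Policy:
    """roles: role name -> set of subject DNs; actions: action name -> set of roles."""

    def __init__(self, roles=None, actions=None):
        self.roles = {n: set(m) for n, m in (roles or {}).items()}
        self.actions = {n: set(r) for n, r in (actions or {}).items()}

    @classmethod
    def default(cls):
        # A service's default policy: both required roles exist, and only
        # Administrator may change configuration (names are assumed).
        return cls(
            roles={"Administrator": set(), "User": set()},
            actions={
                "Venue.SetName": {"Administrator"},
                "Venue.Enter": {"Administrator", "User"},
                "Venue.GetStreams": {"Administrator", "User"},
            },
        )

    # Modification through individual calls.
    def add_subject_to_role(self, dn, role):
        self.roles.setdefault(role, set()).add(dn)

    def remove_subject_from_role(self, dn, role):
        self.roles.get(role, set()).discard(dn)

    def add_role_to_action(self, role, action):
        self.actions.setdefault(action, set()).add(role)

    def roles_for(self, dn):
        return {r for r, members in self.roles.items() if dn in members}

    def is_authorized(self, dn, action):
        """Allow only if a role holding the subject is listed on the action.
        An action absent from the policy is denied, never allowed by default."""
        allowed = self.actions.get(action)
        if not allowed:
            return False
        return bool(self.roles_for(dn) & allowed)

    # Wholesale replacement: the policy as one XML document.
    def to_xml(self):
        root = ET.Element("AuthorizationPolicy")
        for role, members in sorted(self.roles.items()):
            r = ET.SubElement(root, "Role", name=role)
            for dn in sorted(members):
                ET.SubElement(r, "Subject", name=dn)
        for action, rs in sorted(self.actions.items()):
            a = ET.SubElement(root, "Action", name=action)
            for role in sorted(rs):
                ET.SubElement(a, "Role", name=role)
        return ET.tostring(root, encoding="unicode")

    @classmethod
    def from_xml(cls, text):
        root = ET.fromstring(text)  # findall() matches direct children only
        roles = {r.get("name"): {s.get("name") for s in r.findall("Subject")}
                 for r in root.findall("Role")}
        actions = {a.get("name"): {r.get("name") for r in a.findall("Role")}
                   for a in root.findall("Action")}
        return cls(roles, actions)


def make_authz_callback(policy):
    """The hook a SOAP server would call before dispatching a method.
    subject_dn is the DN verified on the GSI connection; the method name
    maps one-to-one to an action named Service.Method."""
    def authorize(subject_dn, service, method):
        return policy.is_authorized(subject_dn, "%s.%s" % (service, method))
    return authorize


# Constructed sample subjects; neither DN belongs to a real certificate.
ADMIN_DN = "/O=Grid/OU=Example/CN=Alice Admin"
USER_DN = "/O=Grid/OU=Example/CN=Bob User"


def demo():
    policy = Policy.default()
    policy.add_subject_to_role(ADMIN_DN, "Administrator")
    policy.add_subject_to_role(USER_DN, "User")
    # A custom role, in the spirit of Venue.AllowedEntry, granted one action.
    policy.add_subject_to_role(USER_DN, "Venue.AllowedEntry")
    policy.add_role_to_action("Venue.AllowedEntry", "Venue.Enter")

    # Round-trip through XML, then authorize against the restored policy.
    authorize = make_authz_callback(Policy.from_xml(policy.to_xml()))
    return {
        "admin_configures": authorize(ADMIN_DN, "Venue", "SetName"),
        "user_configures": authorize(USER_DN, "Venue", "SetName"),
        "user_enters": authorize(USER_DN, "Venue", "Enter"),
        "stranger_enters": authorize("/O=Grid/CN=Nobody", "Venue", "Enter"),
        "unlisted_method": authorize(ADMIN_DN, "Venue", "Shutdown"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The point to carry over to any real deployment is the last case: a method that nobody has listed in the policy must be denied, even for an administrator, otherwise every newly added web service method is callable by anyone with a valid certificate until someone remembers to restrict it.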

Page 13: Access Grid  Authorization

AuthorizationManager API

Page 14: Access Grid  Authorization

Future work

• Finer-grained authorization
  – Apply to objects in Venue
  – Permit authorization of individuals, not just groups

• Consider integrating a well-established authorization framework

Page 15: Access Grid  Authorization

Example: List defined Roles

```python
#!/usr/bin/python2

import sys
from AccessGrid.Toolkit import CmdlineApplication
from AccessGrid.Venue import VenueIW
from AccessGrid.Security.AuthorizationManager import AuthorizationManagerIW

# The venue URL is the only argument
if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <venue-url>\n" % sys.argv[0])
    sys.exit(1)
url = sys.argv[1]

# Create and initialize application (loads the user's certificate for GSI)
app = CmdlineApplication()
app.Initialize('ListRoles')

# Get url for authorization manager and create interface wrapper
v = VenueIW(url)
amurl = v.GetAuthorizationManager()
authManager = AuthorizationManagerIW(amurl)

# Get roles from venue and process
roleList = authManager.ListRoles()
for role in roleList:
    print role.name
```

Page 16: Access Grid  Authorization

Exercise: List subjects in Roles

Page 17: Access Grid  Authorization

Example: Venue ACL manager