perfSONAR developer workshop - Zagreb, 7th-9th April 08 1.14
AuthN and AuthR
Where we have come from…
Where we are going to…
Cándido Rodrí[email protected]
Agenda
1. Status of the authN
2. A brief overview of the authR
3. Impact analysis
AuthN is available in MDM perfSONAR 3.0
Status of the AuthN
Client from USA:
Services in USA don't need authN information -> OK
Services in Europe require authN -> NO
Status of the AuthN
Client from Europe:
Services in USA don't need authN information -> OK
Services in Europe require authN -> OK
Status of the AuthN
Summarizing:
USA teams cannot send messages to European perfSONAR services. Workaround: accounts in the GIdP. When will Internet2 and ESnet be in eduGAIN?
RNP has started to join eduGAIN, adding its own CA.
EU teams can send messages to any perfSONAR service. The authN doesn't affect the NMWG message!
Status of the AuthN
Agenda
1. Status of the authN
2. A brief overview of the authR
3. Impact analysis
pSRs want to check if a user/client is allowed to do the requested action. The AuthR process implies the AuthN process.
An AuthR request contains:
Subject: specifies which user is doing an action
Action: specifies which action the user is trying to do
Resource: specifies in which place the user is trying to do the action
An AuthR response contains:
Status code
[Optionally] User's attributes in a SAML assertion
A brief overview of the AuthR
Authorization scenario
Subject: who has sent the message to the pSR. It's a URN: urn:geant:edugain:component:be:%fed%:user:%username%
Resource: which pSR has received the message. It's a URN: …:component:perfsonarresource:%fed%:%id_resource%:%uri_service%
Action: who has sent the message to the pSR. It's a URI: http://schemas.perfsonar.net/tools/admin/echo/2.0
A brief overview of the AuthR
Delegated-based authorization scenario
Subjects: who has sent the message to the pSR and using which client. They are URNs:
urn:geant:edugain:component:be:%fed%:user:%username%
…:component:perfsonarclient:%fed%:%id_client%
Resource: which pSR has received the message. It's a URN
Action: who has sent the message to the pSR. It's a URI
A brief overview of the AuthR
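The request/response structure and the two authorization scenarios on these slides, as an added example in Python (not perfSONAR's own code): a minimal policy decision over the subject/resource/action shapes shown, including the delegated case where a user and a client both appear as subjects. The policy table, the trusted-client set, the "Permit"/"Deny" status strings and the urn:geant:edugain prefix for the client and resource URNs (elided as "…" on the slides) are assumptions.

```python
import re
from dataclasses import dataclass, field

# URN/URI shapes from the slides; the "urn:geant:edugain" prefix for client and
# resource URNs (elided as "…" on the slide) is an assumption.
USER_URN = re.compile(r"^urn:geant:edugain:component:be:([^:]+):user:([^:]+)$")
CLIENT_URN = re.compile(r"^urn:geant:edugain:component:perfsonarclient:([^:]+):([^:]+)$")
RESOURCE_URN = re.compile(r"^urn:geant:edugain:component:perfsonarresource:([^:]+):([^:]+):(.+)$")
ECHO_ACTION = "http://schemas.perfsonar.net/tools/admin/echo/2.0"

@dataclass
class AuthRRequest:
    subjects: list      # one user URN, plus a client URN in the delegated scenario
    resource: str
    action: str

@dataclass
class AuthRResponse:
    status: str         # "Permit" / "Deny": constructed status-code values
    attributes: dict = field(default_factory=dict)  # stand-in for the SAML assertion

# Constructed policy: (id_resource, action) -> federations whose users may act.
POLICY = {("mp-1", ECHO_ACTION): {"fed-a", "fed-b"}}
# Constructed set of (fed, id_client) pairs trusted to act on a user's behalf.
TRUSTED_CLIENTS = {("fed-a", "perfsonarui")}

def parse_subjects(subjects):
    """Split subject URNs into (user, client) tuples; None if any URN is malformed."""
    user = client = None
    for urn in subjects:
        if m := USER_URN.match(urn):
            user = (m.group(1), m.group(2))
        elif m := CLIENT_URN.match(urn):
            client = (m.group(1), m.group(2))
        else:
            return None                      # unknown subject kind: fail closed
    return user, client

def authorize(req: AuthRRequest) -> AuthRResponse:
    parsed = parse_subjects(req.subjects)
    res = RESOURCE_URN.match(req.resource)
    if parsed is None or parsed[0] is None or res is None:
        return AuthRResponse("Deny")         # no authenticated user or bad resource URN
    user, client = parsed
    if user[0] not in POLICY.get((res.group(2), req.action), set()):
        return AuthRResponse("Deny")         # user's federation may not do this action here
    if client is not None and client not in TRUSTED_CLIENTS:
        return AuthRResponse("Deny")         # delegated request through an untrusted client
    return AuthRResponse("Permit", {"federation": user[0], "username": user[1]})
```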
Agenda
1. Status of the authN
2. A brief overview of the authR
3. Impact analysis
AS with authR support: available by the end of June
Need a powerful policy editor in the webadmin: after finishing all authR developments
perfSONAR service's perspective: AuthR component and the authR library by summer
From authN component to authR component: minimal impact, only a new line in service.properties
Using the authR library: as complicated as the authN one
Impact analysis
Client's perspective:
If the client doesn't need attributes: no change
If the client needs attributes: an authR library will be released by fall
Impact analysis