repository. Through username and password access to MyProxy repositories, short-lived proxy certificates can be created. MyProxy solutions are now being used in combination with portals, for example: a user who accesses a portal with a username and password automatically has a short-lived proxy certificate created, which can subsequently be used for grid-based job submission. Of all of the authorization infrastructures, GSI is arguably the most straightforward to establish and use. This is unsurprising, since GSI has been developed as an integral part of the Globus development. That said, and as noted, the ACL-based approach offered by grid-mapfiles is a limited form of authorization. However, recent enhancements such as the SAML authorization API now offer richer possibilities for finer-grained access control.
12.3.2 Community Authorization Service
Community Authorization Service (CAS) [12] implements access control using a centralized authorization model. The main idea behind CAS is that a resource owner delegates the allocation of authorization rights to a community administrator and lets the community administrator determine who can use this allocation. The administrator achieves this by running a CAS server, which acts as a trusted intermediary between VO users and resources. The CAS server decides whether a given user has sufficient privileges according to the community policy and, if so, gives the user the right to perform the requested actions according to the user's role in the community.
To achieve this, CAS keeps track of its community membership information. It also contains the access control policy statements that define policies along the lines of “who is allowed what type of access on which resources.” To help manage this, CAS introduces the concept of rights in the form of a capability. Through possession of a particular capability (which is itself stored in a database associated with the CAS server), a user can show that they are allowed to access and use a particular resource.
To access a CAS-managed resource, a user has to first request a capability to use that resource. If the user is entitled to one, the CAS server responds with an appropriate capability. This capability corresponds to the intersection of the set of rights granted to the community by the resource provider and the set of rights defined by the capabilities granted to the user by the community. Following this, the user presents the capability to the resource provider responsible for that resource. The resource provider verifies the rights for both the community and the capability before granting the user access to the resource.
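The capability request and verification flow described above, as an added worked example that is not part of the original text and is not the Globus CAS implementation: rights are modelled as (resource, action) pairs, the CAS server issues the intersection of community and user rights, and the resource provider verifies both sides and applies its own local site policy last. All names and sample rights are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

Right = tuple[str, str]  # (resource, action), e.g. ("storage-A", "read")


@dataclass
class CasServer:
    """Trusted intermediary: tracks members and the rights each one holds."""
    community_rights: set[Right]                       # delegated by resource providers
    user_rights: dict[str, set[Right]] = field(default_factory=dict)
    members: set[str] = field(default_factory=set)

    def request_capability(self, user: str, resource: str) -> Optional[set[Right]]:
        """Return the capability for `resource`, or None for a non-member."""
        if user not in self.members:
            return None
        # Effective rights = community rights (from the provider) intersected
        # with the rights the community granted this user, for this resource.
        effective = self.community_rights & self.user_rights.get(user, set())
        return {r for r in effective if r[0] == resource}


@dataclass
class ResourceProvider:
    name: str
    community_rights: set[Right]   # what this provider delegated to the community
    local_policy: set[Right]       # site-autonomous restrictions, applied last

    def authorize(self, capability: Optional[set[Right]], action: str) -> bool:
        """Verify the community right and the presented capability, then local policy."""
        if not capability:
            return False
        right = (self.name, action)
        return (right in self.community_rights
                and right in capability
                and right in self.local_policy)


def run_example() -> dict[str, bool]:
    # Constructed sample: one provider delegates read+write on storage-A to the
    # community, but its local policy currently permits only reads.
    provider = ResourceProvider("storage-A",
                                {("storage-A", "read"), ("storage-A", "write")},
                                {("storage-A", "read")})
    cas = CasServer(community_rights=set(provider.community_rights),
                    members={"alice", "bob"})
    cas.user_rights["alice"] = {("storage-A", "read"), ("storage-A", "write")}
    cas.user_rights["bob"] = {("storage-A", "write")}
    return {
        "alice_read": provider.authorize(cas.request_capability("alice", "storage-A"), "read"),
        "alice_write": provider.authorize(cas.request_capability("alice", "storage-A"), "write"),
        "bob_read": provider.authorize(cas.request_capability("bob", "storage-A"), "read"),
        "carol_read": provider.authorize(cas.request_capability("carol", "storage-A"), "read"),
    }
```

Alice's write is refused by the provider's local policy even though her capability contains it, which is the site-autonomy point the text makes.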
For finer-grained access control and ensuring site autonomy, local resource providers can additionally apply their own local policies to