determine the amount of access granted to users when presenting particular capabilities. This substantially reduces the work of resource administrators. The CAS architecture itself builds on the authentication and delegation mechanisms provided by the Globus GSI. In using CAS, a user will generate a proxy credential signed by his/her own user credential. The proxy credential is presented to the CAS server, which returns a new credential, known as a CAS proxy credential. This credential contains, as an extension, the CAS policy assertions that represent the user's capabilities and restrictions. SAML authorization decision statements are used to express the CAS policy assertions. The CAS proxy credential is presented to the resource provider. The resource provider then verifies the validity of the proxy credential and parses the CAS policy assertions to obtain the restrictions imposed by the CAS server. Thus, the CAS credential facilitates the mapping of the user to a local account, and the restrictions determine the operations the user is allowed to perform.
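The four-step exchange just described, as an added example that is not code from the book or from Globus CAS: a user credential from a CA, a user-generated proxy, the CAS server turning that proxy into a CAS proxy credential carrying decision statements, and a resource provider that verifies the CAS signature and lifetime and then enforces the embedded restrictions. Real CAS uses X.509 proxy certificates with a SAML AuthorizationDecisionStatement extension; here a credential is a dict and each "signature" is an HMAC keyed by the signer's secret, a stand-in for public-key signatures so the flow runs with the standard library alone. All principal names, keys, resource URLs and policy entries are constructed sample values.

```python
"""Simplified walk-through of the CAS credential flow (added example, not
code from the book or from Globus CAS).  HMACs stand in for X.509
signatures; every name and key below is a constructed sample value."""
import hashlib
import hmac
import json
import time

# Constructed keys.  A real resource provider holds only the CA's and the
# CAS server's verification keys; it never needs to know individual users.
KEYS = {"ca.example.org": b"ca-key", "cas.example.org": b"cas-key",
        "alice": b"alice-key"}

# Constructed CAS policy database: per user, the SAML-style decision
# statements (resource, action, decision) the CAS server will assert.
CAS_POLICY = {
    "alice": [
        {"resource": "gridftp://storage.example.org/vo1/", "action": "read",
         "decision": "Permit"},
        {"resource": "gridftp://storage.example.org/vo1/", "action": "write",
         "decision": "Deny"},
    ]
}

# Resource provider's mapping from the CAS community to a local account.
LOCAL_ACCOUNTS = {"cas.example.org": "vo1pool"}


def _sign(signer, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], payload, hashlib.sha256).hexdigest()


def issue(signer, subject, lifetime_s, **ext):
    """Signer issues a credential for subject; ext carries extensions."""
    body = {"issuer": signer, "subject": subject,
            "not_after": time.time() + lifetime_s, **ext}
    return {"body": body, "sig": _sign(signer, body)}


def check(cred, issuer, now=None):
    """True only if signed by the expected issuer and not yet expired."""
    body = cred["body"]
    now = time.time() if now is None else now
    return (body["issuer"] == issuer
            and hmac.compare_digest(cred["sig"], _sign(issuer, body))
            and now < body["not_after"])


# Steps 1 and 2: user credential from the CA, then a user-generated proxy.
def user_proxy(user, user_cred):
    """The user signs a short-lived proxy with his/her own credential."""
    return issue(user, user + "/proxy", 3600, chain=[user_cred])


# Step 3: the CAS server turns a user proxy into a CAS proxy credential.
def cas_issue(proxy):
    """Verify the chain (proxy <- user <- CA), then embed the user's policy
    assertions as an extension of a credential signed by the CAS server."""
    user_cred = proxy["body"]["chain"][0]
    user = user_cred["body"]["subject"]
    if not (check(user_cred, "ca.example.org") and check(proxy, user)):
        raise PermissionError("proxy chain not trusted by CAS")
    # The CAS proxy never outlives the user's own proxy.
    lifetime = min(600, proxy["body"]["not_after"] - time.time())
    return issue("cas.example.org", proxy["body"]["subject"], lifetime,
                 cas_user=user, assertions=CAS_POLICY.get(user, []))


# Step 4: the resource provider enforces the CAS assertions.
def authorize(cas_cred, resource, action):
    """Return (local_account, permitted).  Trust only the CAS signature,
    map the community to a local account, then apply the restrictions,
    denying by default."""
    if not check(cas_cred, "cas.example.org"):
        return None, False
    account = LOCAL_ACCOUNTS.get(cas_cred["body"]["issuer"])
    if account is None:
        return None, False
    decisions = {s["decision"] for s in cas_cred["body"]["assertions"]
                 if resource.startswith(s["resource"]) and s["action"] == action}
    # An explicit Deny wins; anything not explicitly permitted is refused.
    return account, "Deny" not in decisions and "Permit" in decisions


def demo():
    user_cred = issue("ca.example.org", "alice", 365 * 86400)
    cas_cred = cas_issue(user_proxy("alice", user_cred))
    return (authorize(cas_cred, "gridftp://storage.example.org/vo1/x", "read"),
            authorize(cas_cred, "gridftp://storage.example.org/vo1/x", "write"),
            authorize(cas_cred, "gridftp://storage.example.org/vo2/x", "read"))


if __name__ == "__main__":
    print(demo())
```

The provider's decision rests on the CAS signature and lifetime alone, which is the point of the model: it does not need to know alice, only the CAS server. Any edit to the embedded assertions after signing invalidates the credential, and a resource or action with no matching statement is refused rather than allowed.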
CAS provides scalability in terms of the number of users and VOs. Each user needs to be known and trusted by the CAS server (but not by each provider). Similarly, each resource provider needs to be known and trusted by the CAS server (but not by each user). However, the centralized model of a single CAS server, as with many other distributed system examples, leads to scalability and fault tolerance limitations. Many users requesting access to CAS will result in potential bottlenecks. Furthermore, the failure of the CAS server implies that no VO-wide resources enforcing access control based upon CAS capabilities will be available. This is further exacerbated since the VO administrator may need to maintain all VO-wide users' capabilities.
12.3.3 Virtual Organization Membership Service
Virtual Organization Membership Service (VOMS) [13] is a system for managing authorization data within VOs. VOMS has been developed as part of the European DataGrid (http://edg-wp2.web.cern.ch/edg-wp2). VOMS provides a centralized database of user roles and capabilities, and a set of tools for accessing and manipulating the database and using the database contents to generate grid credentials for users when needed.
The centralized VOMS model requires all sites to agree upon the roles and privileges that are to be used throughout a particular VO. In this model, all sites agree in advance on the definition and names of the roles that are applicable to their particular VO, and the privileges that will be assigned to them. A single VO administrator is then appointed who will typically assign these roles to individuals on a case-by-case basis when users ask to be granted particular roles or permissions in the VO. The VO administrator may appoint other administrators to help him in this task, but all administrators are conceptually equal, in that each can, in principle, override the decisions made by the others. The VOMS model has gained widespread