[OGSA-AUTHZ] checkpointing the discussion on VO attributes

Valerio Venturi valerio.venturi at cnaf.infn.it
Mon Jan 21 08:22:40 CST 2008 

Hi,
I'll try to checkpoint the discussion had so far.

As Krzysztof is planning to serve more than one VO with the same
service, we cannot have a one to one relationship between entityIDs and
VOs, this imply the need of having a VO attribute. Which was also more
or less David's concern, an authority being able to assert whatever it
wants. If we go wiht this, the VO attribute stays.
We have two proposal so far. Tom suggested to use the MACE-Dir
eduPersonScopedAffiliation attribute

<saml:Attribute
  xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
  xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
  xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
  ldapprof:Encoding="LDAP"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
  FriendlyName="eduPersonScopedAffiliation">
  <saml:AttributeValue        
    xsi:type="xs:string">member at voName
  </saml:AttributeValue>
</saml:Attribute>

while in our first draft Krzysztof and I suggested the use of a specific

<saml:Attribute 
  xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="uri_to_define"
  FriendlyName="vo"
  xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
  <saml:AttributeValue xsi:type="xsd:string">
    voName 
  </saml:AttributeValue>
</saml:Attribute>

Let's try to agree on one.

There were concerns about Tom's proposal to use Grouper to express
groups, specifically about the contents being an URN. Anyway, the
specification doesn't mandate them to be URN, it recommends to use URIs
is uniqueness is to eb achieved.

Other concerns with using this?

Still we have no suggestions for expressing roles, apart from the
initial (but I have made the group syntax homogeneous with the above)

<saml:Attribute
  xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="uri_to_define"
  FriendlyName="role"
  xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
  <saml:AttributeValue xsi:type="xsd:string">
    VO-Admin at vo
  </saml:AttributeValue>
  <saml:AttributeValue xsi:type="xsd:string">
    SoftwareManager at vo:group:subgroup
  </saml:AttributeValue>
</saml:Attribute>

that seems to receive more favor than the one with the scope attributes.

What problems can you see with that?

Valerio

More information about the ogsa-authz-wg mailing list