[OGSA-AUTHZ] checkpointing the discussion on VO attributes
Valerio Venturi
valerio.venturi at cnaf.infn.it
Mon Jan 28 10:00:37 CST 2008
Anyone else? Krzysztof, Tom, Chad?
Valerio
On Mon, 2008-01-28 at 14:33 +0100, David Chadwick wrote:
> You can if you want. I have the other two docs to edit
>
> David
>
>
> Valerio Venturi wrote:
> > Ok, looks like we have agreement on most of the points. Who takes the
> > pen?
> > Blair, DavidG, what about the chances that this may become an OGF doc?
> > If there are some, we'll go with the OGF doc template.
> >
> > Valerio
> >
> >
> > On Mon, 2008-01-21 at 15:22 +0100, Valerio Venturi wrote:
> >> Hi,
> >> I'll try to checkpoint the discussion had so far.
> >>
> >> As Krzysztof is planning to serve more than one VO with the same
> >> service, we cannot have a one-to-one relationship between entityIDs and
> >> VOs; this implies the need for a VO attribute. Which was also more
> >> or less David's concern, an authority being able to assert whatever it
> >> wants. If we go with this, the VO attribute stays.
> >> We have two proposals so far. Tom suggested using the MACE-Dir
> >> eduPersonScopedAffiliation attribute
> >>
> >> <saml:Attribute
> >>     xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> >>     xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
> >>     xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
> >>     ldapprof:Encoding="LDAP"
> >>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> >>     Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> >>     FriendlyName="eduPersonScopedAffiliation">
> >>   <saml:AttributeValue xsi:type="xs:string">member@voName</saml:AttributeValue>
> >> </saml:Attribute>
> >>
> >> while in our first draft Krzysztof and I suggested the use of a specific
> >>
> >> <saml:Attribute
> >>     xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> >>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> >>     Name="uri_to_define"
> >>     FriendlyName="vo"
> >>     xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
> >>   <saml:AttributeValue xsi:type="xsd:string">voName</saml:AttributeValue>
> >> </saml:Attribute>
> >>
> >> Let's try to agree on one.
> >>
> >> There were concerns about Tom's proposal to use Grouper to express
> >> groups, specifically about the contents being a URN. Anyway, the
> >> specification doesn't mandate them to be URNs; it recommends using URIs
> >> if uniqueness is to be achieved.
> >>
> >> Other concerns with using this?
> >>
> >> Still we have no suggestions for expressing roles, apart from the
> >> initial one (but I have made the group syntax homogeneous with the above):
> >>
> >> <saml:Attribute
> >>     xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> >>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> >>     Name="uri_to_define"
> >>     FriendlyName="role"
> >>     xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
> >>   <saml:AttributeValue xsi:type="xsd:string">VO-Admin@vo</saml:AttributeValue>
> >>   <saml:AttributeValue xsi:type="xsd:string">SoftwareManager@vo:group:subgroup</saml:AttributeValue>
> >> </saml:Attribute>
> >>
> >> that seems to receive more favor than the one with the scope attributes.
> >>
> >> What problems can you see with that?
> >>
> >> Valerio
> >>
> >
> > --
> > ogsa-authz-wg mailing list
> > ogsa-authz-wg at ogf.org
> > http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
> >
>
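The thread's two proposals for the VO attribute and the "prefix@vo:group:subgroup" role syntax, plus David's point that an authority can assert whatever it wants, translate into a concrete relying-party check: parse the scoped values and believe only the ones whose VO the issuing authority is trusted for. The Python below is an added example written for this page, not code from the working group or from any of the posters. It assumes placeholder urn:example names for the vo and role attributes (the thread leaves those "to define"), an issuer-to-VO trust map supplied by the relying party, and a constructed sample assertion; only the eduPersonScopedAffiliation OID is taken from the thread.

```python
"""Added example: pull the proposed VO, affiliation and role attributes out of a
SAML 2.0 assertion and keep a value only when the issuer is trusted for its VO."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACMLPROF = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
# eduPersonScopedAffiliation OID as quoted in the thread. The vo/role Names are
# "to define" there; the urn:example values are placeholders for this example only.
EPSA_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
VO_NAME = "urn:example:ogsa-authz:vo"
ROLE_NAME = "urn:example:ogsa-authz:role"


@dataclass(frozen=True)
class ScopedValue:
    """prefix@vo[:group[:subgroup...]], e.g. SoftwareManager@vo:group:subgroup."""
    prefix: str
    vo: str
    groups: Tuple[str, ...]


def parse_scoped(value: str) -> ScopedValue:
    """Split a scoped value; reject anything without exactly one '@' or with an empty part."""
    value = value.strip()
    if value.count("@") != 1:
        raise ValueError(f"not a scoped value: {value!r}")
    prefix, scope = value.split("@")
    vo, *groups = scope.split(":")
    if not prefix or not vo or any(not g for g in groups):
        raise ValueError(f"empty component in scoped value: {value!r}")
    return ScopedValue(prefix, vo, tuple(groups))


def extract_attributes(xml_text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (issuer, {Name: [values]}) for URI-named xs:string attributes.
    Attributes with any other NameFormat or DataType are skipped, not guessed at."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    attrs: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("NameFormat") != NAMEFORMAT_URI:
            continue
        if attr.get(f"{{{XACMLPROF}}}DataType", XS_STRING) != XS_STRING:
            continue
        for val in attr.findall(f"{{{SAML}}}AttributeValue"):
            if val.text and val.text.strip():
                attrs.setdefault(attr.get("Name", ""), []).append(val.text.strip())
    return issuer, attrs


def filter_by_issuer_scope(xml_text: str, trusted: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Keep only values whose VO the issuer (entityID -> set of VO names) may speak for.
    The authority can assert anything; the relying party decides what to believe."""
    issuer, attrs = extract_attributes(xml_text)
    allowed = trusted.get(issuer, set())
    accepted: Dict[str, List[str]] = {}
    for name, values in attrs.items():
        for raw in values:
            if name == VO_NAME:                   # bare VO name
                vo = raw
            elif name in (EPSA_NAME, ROLE_NAME):  # prefix@vo[:groups]
                try:
                    vo = parse_scoped(raw).vo
                except ValueError:
                    continue                      # malformed: drop, do not guess
            else:
                continue                          # not a VO attribute
            if vo in allowed:
                accepted.setdefault(name, []).append(raw)
    return accepted


# Constructed sample (not from the thread): the authority for VO "alpha" also
# tries to assert membership and a role in VO "beta", plus one malformed value.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:xacmlprof="{XACMLPROF}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
  Version="2.0"><saml:Issuer>https://voms.example.org/alpha</saml:Issuer>
 <saml:AttributeStatement>
  <saml:Attribute NameFormat="{NAMEFORMAT_URI}" Name="{EPSA_NAME}" xacmlprof:DataType="{XS_STRING}">
   <saml:AttributeValue xsi:type="xs:string">member@alpha</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="{NAMEFORMAT_URI}" Name="{VO_NAME}" xacmlprof:DataType="{XS_STRING}">
   <saml:AttributeValue xsi:type="xs:string">alpha</saml:AttributeValue>
   <saml:AttributeValue xsi:type="xs:string">beta</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="{NAMEFORMAT_URI}" Name="{ROLE_NAME}" xacmlprof:DataType="{XS_STRING}">
   <saml:AttributeValue xsi:type="xs:string">VO-Admin@alpha</saml:AttributeValue>
   <saml:AttributeValue xsi:type="xs:string">SoftwareManager@alpha:group:subgroup</saml:AttributeValue>
   <saml:AttributeValue xsi:type="xs:string">VO-Admin@beta</saml:AttributeValue>
   <saml:AttributeValue xsi:type="xs:string">no-scope-here</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
TRUSTED = {"https://voms.example.org/alpha": {"alpha"}}  # assumed relying-party policy


def demo() -> Dict[str, List[str]]:
    """Run the filter on the constructed sample; the beta-scoped and malformed values drop out."""
    return filter_by_issuer_scope(SAMPLE_ASSERTION, TRUSTED)
```

The same scope check applies whichever of the two VO encodings the group settles on: with eduPersonScopedAffiliation the VO is the scope after "@", with a dedicated vo attribute it is the bare value, and for roles it is the first colon-separated component of the scope. What matters is that the issuer's entityID, taken from the signed assertion, is what the VO name is compared against.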