[OGSA-AUTHZ] checkpointing the discussion on VO attributes

Tom Scavo trscavo at gmail.com
Mon Jan 28 11:21:15 CST 2008


I have the pen on the Attribute Exchange Profile right now, so I'll
pass on this one.

Thanks,
Tom

On Jan 28, 2008 11:00 AM, Valerio Venturi <valerio.venturi at cnaf.infn.it> wrote:
> Anyone else? Krzysztof, Tom, Chad?
>
> Valerio
>
>
> On Mon, 2008-01-28 at 14:33 +0100, David Chadwick wrote:
> > You can if you want. I have the other two docs to edit
> >
> > David
> >
> >
> > Valerio Venturi wrote:
> > > Ok, looks like we have agreement on most of the points. Who takes the
> > > pen?
> > > Blair, DavidG, what about the chances that this may become an OGF doc?
> > > If there are some, we'll go with the OGF doc template.
> > >
> > > Valerio
> > >
> > >
> > > On Mon, 2008-01-21 at 15:22 +0100, Valerio Venturi wrote:
> > >> Hi,
> > >> I'll try to checkpoint the discussion we have had so far.
> > >>
> > >> As Krzysztof is planning to serve more than one VO with the same
> > >> service, we cannot have a one to one relationship between entityIDs and
> > >> VOs; this implies the need of having a VO attribute. Which was also more
> > >> or less David's concern, an authority being able to assert whatever it
> > >> wants. If we go with this, the VO attribute stays.
> > >> We have two proposals so far. Tom suggested using the MACE-Dir
> > >> eduPersonScopedAffiliation attribute
> > >>
> > >> <saml:Attribute
> > >>   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> > >>   xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
> > >>   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
> > >>   ldapprof:Encoding="LDAP"
> > >>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> > >>   Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
> > >>   FriendlyName="eduPersonScopedAffiliation">
> > >>   <saml:AttributeValue
> > >>     xsi:type="xs:string">member@voName
> > >>   </saml:AttributeValue>
> > >> </saml:Attribute>
> > >>
> > >> while in our first draft Krzysztof and I suggested the use of a specific
> > >>
> > >> <saml:Attribute
> > >>   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> > >>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> > >>   Name="uri_to_define"
> > >>   FriendlyName="vo"
> > >>   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
> > >>   <saml:AttributeValue xsi:type="xsd:string">
> > >>     voName
> > >>   </saml:AttributeValue>
> > >> </saml:Attribute>
> > >>
> > >> Let's try to agree on one.
> > >>
> > >> There were concerns about Tom's proposal to use Grouper to express
> > >> groups, specifically about the contents being a URN. Anyway, the
> > >> specification doesn't mandate them to be URNs; it recommends using URIs
> > >> if uniqueness is to be achieved.
> > >>
> > >> Other concerns with using this?
> > >>
> > >> Still we have no suggestions for expressing roles, apart from the
> > >> initial (but I have made the group syntax homogeneous with the above)
> > >>
> > >> <saml:Attribute
> > >>   xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
> > >>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> > >>   Name="uri_to_define"
> > >>   FriendlyName="role"
> > >>   xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
> > >>   <saml:AttributeValue xsi:type="xsd:string">
> > >>     VO-Admin@vo
> > >>   </saml:AttributeValue>
> > >>   <saml:AttributeValue xsi:type="xsd:string">
> > >>     SoftwareManager@vo:group:subgroup
> > >>   </saml:AttributeValue>
> > >> </saml:Attribute>
> > >>
> > >> that seems to receive more favor than the one with the scope attributes.
> > >>
> > >> What problems can you see with that?
> > >>
> > >> Valerio
> > >>
> > >
> > > --
> > >   ogsa-authz-wg mailing list
> > >   ogsa-authz-wg at ogf.org
> > >   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
> > >
> >
>
>
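The quoted thread above settles on scoped string values of the form `member@vo` and `role@vo:group:subgroup` but leaves the relying-party side unstated. The following is an added example, not code from the thread or from any OGSA-AUTHZ document: it parses such attributes out of a SAML AttributeStatement with Python's standard library and then applies the check David's concern calls for, accepting a value only if the VO in its scope is one the asserting authority is trusted for. The issuer URL, the `urn:example:placeholder:role` name (standing in for the thread's `uri_to_define`), the trust table and the sample statement are all constructed for the example; signature verification of the assertion is assumed to have happened before this code runs.

```python
"""Parse scoped SAML attribute values (member@vo, role@vo:group:subgroup) and
check each value's VO scope against what the asserting authority is trusted for."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample statement carrying the attribute shapes from the thread.
# "urn:example:placeholder:role" stands in for the undefined "uri_to_define".
SAMPLE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
      FriendlyName="eduPersonScopedAffiliation"
      xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
    <saml:AttributeValue xsi:type="xsd:string">member@voName</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:example:placeholder:role"
      FriendlyName="role"
      xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
    <saml:AttributeValue xsi:type="xsd:string">
      VO-Admin@voName
    </saml:AttributeValue>
    <saml:AttributeValue xsi:type="xsd:string">SoftwareManager@voName:group:subgroup</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xsd:string">VO-Admin@otherVO</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed trust table: the VOs this relying party accepts from each
# attribute authority (keyed by an assumed issuer identifier).
TRUSTED_VOS_FOR_ISSUER = {"https://aa.example.org/idp": {"voName"}}


def parse_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Return {FriendlyName-or-Name: [values]}. Values are whitespace-stripped,
    so the newline-padded layout used in the thread does not alter them."""
    root = ET.fromstring(xml_text)
    out: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        key = attr.get("FriendlyName") or attr.get("Name")
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        out.setdefault(key, []).extend(v for v in values if v)
    return out


def split_scoped(value: str) -> Tuple[str, str, List[str]]:
    """Split 'name@vo:group:subgroup' into (name, vo, [group, subgroup]).
    The scope is everything after the last '@'; empty components are rejected."""
    name, sep, scope = value.rpartition("@")
    if not sep or not name or not scope:
        raise ValueError(f"not a scoped value: {value!r}")
    vo, *groups = scope.split(":")
    if not vo or any(not g for g in groups):
        raise ValueError(f"malformed scope: {value!r}")
    return name, vo, groups


def accept_scoped_values(issuer: str, values: List[str]) -> Tuple[List[str], List[str]]:
    """Keep values whose VO the issuer is trusted for; reject the rest,
    including values that do not parse. This is the scope check that stops an
    authority from asserting membership or roles in VOs it does not run."""
    allowed = TRUSTED_VOS_FOR_ISSUER.get(issuer, set())
    accepted: List[str] = []
    rejected: List[str] = []
    for v in values:
        try:
            _, vo, _ = split_scoped(v)
        except ValueError:
            rejected.append(v)
            continue
        (accepted if vo in allowed else rejected).append(v)
    return accepted, rejected


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_STATEMENT)
    for key, vals in attrs.items():
        ok, bad = accept_scoped_values("https://aa.example.org/idp", vals)
        print(f"{key}: accepted={ok} rejected={bad}")
```

Run as a script, the `role` attribute yields `VO-Admin@voName` and `SoftwareManager@voName:group:subgroup` as accepted and `VO-Admin@otherVO` as rejected, because the constructed trust table only lets this issuer speak for `voName`. A value without a scope, or from an issuer absent from the table, is rejected outright rather than treated as unscoped.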

