[Pgi-wg] Sec: Agreement on supported Attribute Authority Interfaces

m.riedel at fz-juelich.de m.riedel at fz-juelich.de
Thu Mar 19 12:57:14 CDT 2009 

ok let dive into them...,


----- Original Message -----
From: weizhong qiang <weizhongqiang at gmail.com>
Date: Thursday, March 19, 2009 4:57 pm
Subject: Re: [Pgi-wg] Sec: Agreement on supported Attribute Authority	Interfaces

> hi,
> I have some questions as following.
> 
> 2009/3/19 Morris Riedel <m.riedel at fz-juelich.de>
> 
> > Hi PGI security folks,
> >
> >  another issue I see is the supported attribute authorities and 
> (more> notably) their interfaces.
> >
> > Taking our experience from GIN into account and addressing the 
> message of
> > Steven (EGEE) there are still two interfaces to consider in 
> terms of VOMS.
> > Also, as an alternative AA there is Shibboleth quite much used 
> in the
> > space.
> >
> > ### goal
> >
> > (a)
> > We are discussing which AA can be used in PGI to retrieve 
> attributes...>
> > (b)
> > ...because we want to find out which interfaces have to be 
> supported to get
> > attributes...
> >
> >
> > (c)
> > ... in order to know more precisely which types of attribute 
> transport> mechanisms we have to support in PGI.
> >
> > ### Possible scenarios
> >
> > A. A user contacts a non-WS-based classic VOMS with a proprietary
> > interface,
> > but gets a standardized RFC AC
> 
> Do you proposed to use the stadardized RFC AC, instead of the VOMS 
> AC which
> is known as a simplified RFC while de-facto AC. If so, I think it 
> is not
> needed. We can use VOMS AC, because we already have a few 
> production Grid
> systems which have supported it.

Well I was aware that VOMS AC are compliant with RFC AC's - I didn't know that they reduced the complexity of the specification. Can you point me to a standard specification of AC VOMS then - or this really purely de-facto?!







> 
> 
> 
> > back with the attributes signed by the VOMS.
> > (later on these are used within extensions of RFC proxies for 
> attr-authZ)
> >
> > B. A user contacts a WS-based VOMS with SAML-REQUEST-interface 
> standard and
> > gets a standardized SAML Assertion back signed by the VOMS 
> service. (later
> > on these are used within WS-SecExt within SOAP Headers)
> >
> > C. A user contacts a Shibboleth system (possibly w/o WAYF) using 
> SLCs with
> > SAML assertions inside its extensions.
> 
> Shibboleth itself does not support SLCs, and you need to develope some
> system to issuing SLCs by using Shibboleth as ONE part of this 
> system. You
> can also get SLCs credential through otherway except Shibboleth-
> based. IF we
> use "push" model, I think how does the client get the credential 
> doesn'tmatter, what does matter is the content of the credential.

Yes, of course, I was referring with Shib to the full palette of it [GridShib, ShibGrid, ***whateverSHIB]

I didn't go so much into detail because I hoped Shib* was out of scope here, which in turn means that we do not have to deal with credential formats in that context - my experience is clearly related to GridShib (X.509 + Shib IDP) and rather Globus-driven, which is putting SAML assertions in SLC extensions to be checked by CAS.

Q: However, is there  precise demand to support Shib from ARC or could this be the non-PGI elements of ARC? Are there users in your production Grid using Shib as AA?

Q: What is the plan of EGEE in this context? Are there already users in production using Shib as AA?

Info: UNICORE has been enabled with Shibboleth in DEISA, but part of the implementation relies on GridShib to the best of my knowledge following the mentioned approach above. So far - we see no precise demand that Shib-* part should be part of the PGI profile - especially Shib access is not in production in DEISA now, only planned for the next years (-> our of scope of PGI from our viewpoint).






> 
> Futhermore, I can see two different problems here about 
> interoperability in
> PGI in terms of credential/attributes:
> a.The interoperability of getting a credential (with attributes 
> inside);    The points you mentioned above are all about this problem.
> b.the interoperability of using a credential (with attribute inside).
>    One user or client (on behalf of user) get the credential, it 
> needs to
> use it and  interoperate with services.
> 
> I guess PGI is supposed to solve both of them?

I think a might be out of scope since it have to then include proprietary protocols such as classic VOMS?! Part of this discussion is to find this out - maybe there is a way for it?! (e.g. what do you do once your AC-based proxy lifetime ended?! Renewal problem, which interface you use of renewal then?)

b. Absolutely!


> 
> 
> >
> >
> > D. A user contacts MyProxy with a stored proxy using ACs in its 
> extension> (implies no new attribute transport mechanism), but 
> possibly a new
> > interface
> > of getting (indirectly) attributes.
> >
> 
> >
> >
> > I see the agreement on the elements of this e-mail thread as a 
> prerequisite> to agree on the mechanisms of which attribute 
> formats we support and how we
> > convey attributes precisely (separate email thread).
> >
> > ### Possible conclusion:
> >
> > A. We only reference in our profile possible ways of retrieving 
> either ACs
> > or SAML assertions (e.g. by pointing to the SAML-request 
> document that is
> > in
> > public comment currently as mentioned earlier). We do not intend 
> to profile
> > how exactly a user gets its attributes.
> >
> > B. If we agree on A - we indirectly agree on attribute push 
> since in the
> > attribute pull mode - for interoperability reasons - the 
> interface of
> > getting attributes must be known so that the middleware can 
> contact it on
> > behalf of the user!
> 
> 
> So we are only going to solve the second sub-problem I concluded 
> above?


Maybe - its actually only my suggestion by now - I'm happy to discuss ways of how we could standardize point (a) mentioned by you.

> 
> >
> >
> > C. We deal with RFC ACs
> 
> Not VOMS AC?

Please provide a reference for this standard.


> 
> 
> >
> >
> > D. We deal with SAML assertions
> >
> > E. We only consider C+D in the first iteration of the profile
> >
> >
> >
> > ### open Questions
> >
> > Q: Can we agree on these conclusions? Are there any comments - 
> something I
> > missed?
> 
> Changing VOMS AC to RFC AC?
> Plus Supporting SAML Assertion?

That is the input for the next e-mail thread then - which types of attribute transport formats we have to support - I guess that's hopefully all of them, while hopefully avoid using SAML assertions within X.509 extensions?!


> 
> 
> >
> >
> > Q: Is there any production infrastructure that largely supports 
> Shibboleth> w/o supporting VOMS either in classic or WS style?
> 
> 
> In terms of ARC,
> The production ARC supports VOMS classic
> The development ARC supports VOMS classic and WS style, and has it 
> own SLCs
> service which is based on Shibboleth IdP.

ok - useful information - the question would be then when you plan to move from development to production with the WS-style?

Nevertheless, we have to support VOMS Classic since Steven stated clearly that EGEE will not directly move soon to the WS-style - and even if they do - there would be probably a lot of services that will be only Classic VOMS compliant.


> 
> Cheers
> Weizhong

Thanks for your sharing your thoughts!

> 
> >
> >
> >
> >
> >
> > Please consider the attribute - and its transport mechanisms out 
> of scope
> > in
> > this e-mail thread.
> >
> >
> > Take care,
> > Morris
> >
> > ------------------------------------------------------------
> > Morris Riedel
> > SW - Engineer
> > Distributed Systems and Grid Computing Division
> > Jülich Supercomputing Centre (JSC)
> > Forschungszentrum Juelich
> > Wilhelm-Johnen-Str. 1
> > D - 52425 Juelich
> > Germany
> >
> > Email: m.riedel at fz-juelich.de
> > Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> > Phone: +49 2461 61 - 3651
> > Fax: +49 2461 61 - 6656
> >
> > Skype: MorrisRiedel
> >
> > "We work to better ourselves, and the rest of humanity"
> >
> > Sitz der Gesellschaft: Jülich
> > Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
> > Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
> > Vorstand: Prof. Dr. Achim Bachem (Vorsitzender),
> > Dr. Ulrich Krafft (stellv. Vorsitzender)
> >
> >
> >
> > _______________________________________________
> > Pgi-wg mailing list
> > Pgi-wg at ogf.org
> > http://www.ogf.org/mailman/listinfo/pgi-wg
> >
> >
> 



-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich

Sitz der Gesellschaft: Jülich
Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDir'in Bärbel Brumme-Bothe
Geschäftsführung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
-------------------------------------------------------------------

More information about the Pgi-wg mailing list