[RUS-WG] Do we need RUS::ListAssignedRoles?
Rosario Michael Piro
piro at to.infn.it
Thu Jul 5 06:28:11 CDT 2007
Hi,
Gilbert Netzer wrote:
> Hi everybody,
>
> I just have a short question about a part of the tracker artf5934
> (https://forge.gridforum.org/sf/go/artf5934?nav=1) concerning the new
> RUS::ListAssignedRoles operation:
I've read through the proposals on the tracker, but so far I didn't have
the time to answer. Here's my opinion on the RUS::ListAssignedRoles.
But first let me say: I think we shouldn't work contemporarily on two
versions of the draft (17 that went through public comment and 19 that
is a proposal of which some things have already been discussed and
agreed, but many changes are not "approved"). I would suggest to port
the proposed changes that have been accepted to version 17 and let that
evolve step by step. For example: the removal of the wrapping RUS-UR and
an additional extractRecordHistory.
But now to RUS::ListAssignedRoles:
I don't think we should go that much into authorization. I still believe
that authorization is an implementation issue, not an issue if the
interface to the service. We should not force anybody to use Role-Based
Access Control (RBAC). If an implementation wants to use some other
mechanism that should be perfectly compliant with the interface
specification.
And even for those implementations that have an RBAC mechansim, I
honestly don't see the need to give role information back to a client.
Each user should/would know what it's role is and no user should be able
to find out what another user's role is. So the method would most
probably give back only role information for yourself ...
If there is really a stong wish in that, than _at least_ the faults that
can be returned upon a RUS::ListAssignedRoles call must include
RUSUserNotAuthorizedFault (retruned for example if user X tries to find
out the role of user Y).
And then: have such an explicit method for getting roles does make sense
above all if there well-defined roles that can be recognized by all
clients. That however means to even more restrict implementation choices
by forcing developers to support specific roles (that maybe don't even
exist in their grid enviornment ...)
> Maybe I got confused here, but should not the user/client specify which
> role she wants and then either provide the RUS server with some assertion
> from a third party (e.g. an attribute certificate) or have the server check
> with this party (some sort of pull mode) to get such an assertion? Is not
> the whole point of roles that the same user/client (the same identity) can
> at one instance be a normal user with restricted privileges and at another
> instance be an administrator with much greater privileges.
>
I think there is a misunderstanding with the roles here. I guess Xiaoyu
meant roles regarding the RUS server (ordinary user, RUS admin, ecc.)
while you (correctly) refer to roles specified in the certificate (VOMS
roles/groups for example), i.e. VO-related roles. Those are essentially
different things and I suppose Xiaoyu meant the method to retrieve the
user DN and the (VO-specifc) role to provide a mapping to the
RUS-internal role (what can you do with that specific VOMS certificate
proxy?)
> In any case, the users identity should be established by the transport
> layer during the authentication phase and not be given a input parameter.
> The operation would have to check anyway that you are not trying to look at
> the roles of another user.
Yes, what I thought as well. But in theory if your an admin of the RUS
server than you might be allowed to see all user's roles. But then: why
would you need to use a remote SOAP call to get the information when you
already got it under your hand. That's why I don't see the need for the
method: the admin already has the information and ordinary users would
only get information about themselves (info they most probably already
know). At the same time we're restricting implementations to using a
role-based authorization procedure.
>
> Another question concerning this is how you would manage some session state
> if the roles are not transported with the request. In this case the RUS
> server would have to remember the user roles for some time or ask for an
> assertion to get all the roles during each request, and how would you
> choose the role in this case.
If the (VO-)role is already "hard-coded" in the VOMS certificate proxy,
then the RUS server will get it with each request and won't need to keep
a session state. It can just map the VO-role to a RUS-role for each
single request. But again, I think that's an implementation issue, not
an issue of an interface that is meant to store and retrieve information
(and not define how the service itself has to work).
>
> In the end I am also wondering if this role assignment would not be queried
> using another service interface like the VOMS interface and should they not
> already have such a operation (or is it an API call to extract it from the
> credentials)?
Yes, and VOMS is only one possible choice, what about environments that
use something else? Should we force everybody to use VOMS just to store
some usage records?
Cheers,
Rosario.
>
> Comments please!
> I also added the text to the GridForge tracker so that we can keep track of
> this thread.
>
> Best Regards
> Gilbert Netzer
> PDC
>
>
> --
> rus-wg mailing list
> rus-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/rus-wg
More information about the rus-wg
mailing list