Document 7633007

I2/NMI Update: Signet, Grouper, & GridShib
Tom Barton
University of Chicago
IdMS reality
• Each person’s online activities are shaped by many Sources of Authority (SoAs)
– Resource managers
– Program/activity heads
– Other policy making bodies
– Self
• Common middleware infrastructure should be operated centrally
– To not oblige departments/programs/activities to build their own core middleware
• Management of the information it conveys should be highly distributed
– Hook up all of those SoAs to the middleware
TF-EMC2 Feb 2005
2
Relative roles of Signet & Grouper
RBAC model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into static hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
(diagram labels: Grouper, Signet)
Signet
Nutshell description of Signet
• Analysts write XML descriptions of “business views” of privileges and store them in the Authority Registry
• Signet UI presents business views found in the Authority Registry
• Authoritative persons use the Signet UI to assign privileges and delegate authority across all “subsystems” in which they have any authority
– Signet UI stores assignments in the Authority Registry
• XML “permissions documents” are exported from the Authority Registry, transformed, and provisioned into integrated systems and infrastructure services
Privileges building blocks
• Business view
– Subsystems
– Categories
– Functions
– Scope
– Limits
– Prerequisites
– Conditions
• System view
– Permissions
• Assignment to
– Individual
– Group
– With/without ability to further delegate
• Proxy assignment
Signet subsystems
• Define domains of ownership and responsibility
• Reflect real world boundaries
• Can be large or small
Example subsystems shown on the slide: Financial system, Student system, HR system, Network address plan management, Network access management, Research administration, Clinical resources, IdMS UI (Person Registry), Signet (Authority Registry), Grouper (Group Registry)
Authority elements by example
By authority of the Dean (grantor)
principal investigators (grantee (group))
who have completed training (prerequisite)
can approve purchases (function)
in the School of Medicine (scope)
for research projects up to $100,000 (limits)
until January 1, 2006 (condition)
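The slide’s example assignment, evaluated element by element in Python. This is an added illustration, not Signet’s own code or data model: the Assignment and Subject classes, their field names, the permitted function and the sample subjects are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Assignment:
    """One Signet-style assignment; field names are assumptions, not Signet's schema."""
    grantor: str
    grantee_group: str        # grantee is a group, as on the slide
    prerequisite: str         # e.g. training the grantee must have completed
    function: str
    scope: str
    limit_amount: int         # "up to $100,000"
    expires: date             # condition: "until January 1, 2006"

@dataclass
class Subject:
    name: str
    groups: set = field(default_factory=set)
    completed_training: set = field(default_factory=set)

DEAN_ASSIGNMENT = Assignment(   # the slide's example, as constructed sample data
    grantor="Dean",
    grantee_group="principal_investigators",
    prerequisite="purchasing_training",
    function="approve_purchases",
    scope="School of Medicine",
    limit_amount=100_000,
    expires=date(2006, 1, 1),
)
AS_OF = date(2005, 2, 1)        # constructed evaluation date (before expiry)
AFTER_EXPIRY = date(2006, 1, 1)

def permitted(a, subject, function, scope, amount, today):
    """Check a concrete request against every element of assignment a.
    Returns (allowed, reason); the first failing element is the reason."""
    checks = [
        (a.grantee_group in subject.groups, "not in grantee group"),
        (a.prerequisite in subject.completed_training, "prerequisite unmet"),
        (function == a.function, "function not granted"),
        (scope == a.scope, "outside scope"),
        (amount <= a.limit_amount, "exceeds limit"),
        (today < a.expires, "assignment expired"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "permitted"

# Constructed subjects: a trained PI and one who has not completed training
PI_TRAINED = Subject("alice", {"principal_investigators"}, {"purchasing_training"})
PI_UNTRAINED = Subject("bob", {"principal_investigators"})
```

Every element must hold for the request to be permitted; a provisioning step would export only assignments that pass these checks into the target system’s permissions.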
Business view → system permissions
Provisioning permissions into systems
Provisioning permissions into infrastructure
Grouper groups
• Attributes of groups
– Names: name, displayName, guid
– Description
– Members
– Can extend the set of attributes to support groups with more specific purposes
• Subgroups, compound groups, and aging
• Stored in an RDBMS, the Group Registry
Group namespaces
• Groups are created within namespaces
• Namespaces scope the authority to create and name groups
• Namespaces can be arranged hierarchically, if desired
Example hierarchy from the slide: faculties (namespace) contains faculties:arts (namespace), which contains faculties:arts:all_staff (group)
Grouper privileges
• Access privileges
– Who has what access (read, write) to a group’s attributes
• Naming privileges
– Who can create a group in each namespace
– Who can create a new namespace subordinate to an existing one
• Privilege interfaces are abstracted
– Can use external privilege management system, like Signet
• Grouper’s built-in privilege management
– Subgroups, compound groups, and aging can be used to manage privileges with built-in capability
Access privileges
• VIEW controls to whom a group is visible or hidden
• READ information, especially membership, about a group
• UPDATE membership
• ADMIN can modify everything, including group name, description, & access privileges, and can delete the group
• OPTIN can add self to the members list
• OPTOUT can remove self from the members list
Naming privileges
• CREATE a group in a given namespace
– The creator is automatically given ADMIN priv
• STEM privilege in a given namespace enables:
– Assignment of CREATE and STEM privileges for the namespace
– Creation of subordinate namespaces
• The creator is automatically given STEM priv
Three ways to distribute group management
• Create a group and assign someone UPDATE privilege to it
– Manage the group’s membership
• Create a group and assign someone ADMIN privilege to it
– Manage who manages the group’s membership and who can see what about the group
• Create a namespace and assign someone STEM privilege to it
– Manage who can create groups with constraint on how they are named
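A constructed Python model of the Group Registry’s naming and access privileges as described on the namespace, access-privilege, naming-privilege and distribution slides above. This is an added example, not Grouper’s API: the Registry class, its method names and the rule that ADMIN implies the other access privileges are assumptions.

```python
ACCESS_PRIVS = {"VIEW", "READ", "UPDATE", "ADMIN", "OPTIN", "OPTOUT"}
NAMING_PRIVS = {"CREATE", "STEM"}

class Registry:
    """Constructed model of the Group Registry's privileges (names are assumptions)."""
    def __init__(self, root_stem_holder):
        self.namespaces = {"": {root_stem_holder: {"STEM"}}}  # ns -> {subject: naming privs}
        self.groups = {}  # group -> {"members": set, "privs": {subject: access privs}}

    def has_naming(self, subject, namespace, priv):
        return priv in self.namespaces.get(namespace, {}).get(subject, set())

    def grant_naming(self, actor, namespace, subject, priv):
        # STEM on a namespace allows assigning CREATE and STEM for that namespace
        if priv not in NAMING_PRIVS or not self.has_naming(actor, namespace, "STEM"):
            raise PermissionError(f"{actor} lacks STEM on '{namespace}'")
        self.namespaces[namespace].setdefault(subject, set()).add(priv)

    def create_namespace(self, actor, parent, name):
        # STEM also allows creating subordinate namespaces; the creator gets STEM
        if not self.has_naming(actor, parent, "STEM"):
            raise PermissionError(f"{actor} lacks STEM on '{parent}'")
        full = f"{parent}:{name}" if parent else name
        self.namespaces[full] = {actor: {"STEM"}}
        return full

    def create_group(self, actor, namespace, name):
        # CREATE is scoped to a namespace, which constrains the group's name
        if not self.has_naming(actor, namespace, "CREATE"):
            raise PermissionError(f"{actor} lacks CREATE on '{namespace}'")
        full = f"{namespace}:{name}"
        self.groups[full] = {"members": set(), "privs": {actor: {"ADMIN"}}}
        return full

    def has_access(self, subject, group, priv):
        # Assumption: ADMIN implies every other access privilege
        privs = self.groups[group]["privs"].get(subject, set())
        return "ADMIN" in privs or priv in privs

    def grant_access(self, actor, group, subject, priv):
        if priv not in ACCESS_PRIVS or not self.has_access(actor, group, "ADMIN"):
            raise PermissionError(f"{actor} lacks ADMIN on '{group}'")
        self.groups[group]["privs"].setdefault(subject, set()).add(priv)

    def add_member(self, actor, group, subject):
        # UPDATE changes membership; OPTIN lets a subject add only itself
        if not (self.has_access(actor, group, "UPDATE") or
                (actor == subject and self.has_access(actor, group, "OPTIN"))):
            raise PermissionError(f"{actor} may not update '{group}'")
        self.groups[group]["members"].add(subject)
```

Walking the three distribution patterns through this model shows the containment: an UPDATE holder can change membership but not privileges, a CREATE holder can make groups only under the namespace named in the grant, and only a STEM holder can delegate further.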
Signet & Grouper
• Subject Interface
– Component common to both to integrate with external IdMS
• Now available
– Grouper API v0.5. Basic group management by automation processes
– Demo release of Signet
• By Spring Internet2 meeting
– Grouper v0.6. First complete release, including the UI
• Initial production ready release of Signet anticipated middle of 2005
What is GridShib?
• NSF Middleware Initiative (NMI) Grant: “Policy Controlled Attribute Framework”
• Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4
• 2 year project starting December 1, 2004
• Participants
– Von Welch, UIUC/NCSA (PI)
– Kate Keahey, UChicago/Argonne (PI)
– Frank Siebenlist, Argonne
– Tom Barton, UChicago
GridShib integration principles
• No modification to typical grid client applications
• Leverage high-quality campus IdMS operations
– Attributes
– Attribute release policies
• Leverage high-quality Shib and Grid software
Basic use case
(diagram: numbered steps -2 to 5 among grid-proxy-init, SIA: IdP ID(s), EEC, GT4 runtime, online CA, attribute marshalling pipeline, shib AA, and a LionShare-like trust plugin)
Managing the attributes marshalled by GridShib
Grid resource, user, and SoAs for user attributes may be in different administrative domains. How to manage attributes marshalled from which AA?
Shibbolized Signet & Grouper might help…