Fermilab Computing Division

CS Document 2476-v1

Authorization Interoperability Meeting on Oct 23, 2007 - Minutes

Document #:
CS-doc-2476-v1
Document type:
Documentation
Submitted by:
Gabriele Garzoglio
Updated by:
Gabriele Garzoglio
Document Created:
24 Oct 2007, 17:48
Contents Revised:
24 Oct 2007, 17:48
Metadata Revised:
24 Oct 2007, 17:48
Viewable by:
  • Public document

Abstract:
- discussed the document on obligations common to the AuthZ Interoperability Group.
Topics:
-- need to investigate some types of the obligation attributes (e.g. list of integer)
-- no formal XACML way of declaring obligation dependencies (e.g. MultipleGIDs makes sense only if UIDGID or Username is specified)
-- do we need a PoolName obligation, i.e. an unresolved PoolAccount name? This is a GPBox use case to be discussed at the security meeting at CERN
-- when using the AFS token obligation, the handler must reject it IF the channel was not encrypted.
-- we may not need the PrivilegeMask obligation anymore; using ACLs instead.

- discussed PEP -> PDP communication. SAZ (site authorization service) needs more attributes than the typical request for local id mapping. The request context will use <subject> to pass attributes like DN, FQAN, CA and VO, and <environment> to pass PEP capabilities.

- action items:
-- Rachana will send a correction to the XACML example of List of Integer.
-- Rachana will do tests with an Array of integers to see how this works in an obligation.
-- Oscar will check if a base-64 string is fine to represent an AFS token.
-- Yuri: an example of XACML interfaces will be published to this list.
-- Alberto: send what user attributes are encoded in the XACML <subject> for authorization via GPBox.
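As an added illustration of the obligation points above (example code, not part of these minutes or of the AuthZ Interoperability profile), a PEP-side check in Python that parses the obligations of a XACML 2.0 response and rejects it when MultipleGIDs arrives without UIDGID or Username, when a GID value is not an integer, or when the AFS token obligation arrives over an unencrypted channel. The obligation ids, attribute ids and the sample response are constructed assumptions; only the XACML 2.0 element names and namespaces are real.

```python
import xml.etree.ElementTree as ET

XS_INT = "http://www.w3.org/2001/XMLSchema#integer"
# Constructed ids for the obligations the minutes name; the profile's real URIs are not on the page.
UIDGID, USERNAME, MULTIPLE_GIDS, AFS_TOKEN = "x:UIDGID", "x:Username", "x:MultipleGIDs", "x:AFSToken"

def local(tag):
    """Strip the namespace so element matching works whatever prefix the PDP used."""
    return tag.rsplit("}", 1)[-1]

def parse_obligations(response_xml):
    """Map ObligationId -> ordered [(AttributeId, DataType, value)] from a XACML 2.0 response.
    A list of integers (several GIDs) arrives as repeated AttributeAssignments, so order is kept."""
    out = {}
    for ob in ET.fromstring(response_xml).iter():
        if local(ob.tag) == "Obligation":
            out[ob.get("ObligationId")] = [(a.get("AttributeId"), a.get("DataType"), (a.text or "").strip())
                                           for a in ob if local(a.tag) == "AttributeAssignment"]
    return out

def check_obligations(obligations, channel_encrypted):
    """Enforce at the PEP the dependencies XACML cannot declare; return (accept, reason)."""
    if MULTIPLE_GIDS in obligations and UIDGID not in obligations and USERNAME not in obligations:
        return False, "MultipleGIDs without UIDGID or Username"
    for _, dtype, value in obligations.get(MULTIPLE_GIDS, []):
        if dtype != XS_INT or not value.lstrip("-").isdigit():
            return False, f"MultipleGIDs value {value!r} is not an integer"
    if AFS_TOKEN in obligations and not channel_encrypted:
        return False, "AFS token obligation received over an unencrypted channel"
    return True, "ok"

# Constructed sample PDP response: UIDGID, two extra GIDs and an AFS token.
SAMPLE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"><Result>
<Decision>Permit</Decision>
<Obligations xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
 <Obligation ObligationId="x:UIDGID" FulfillOn="Permit">
  <AttributeAssignment AttributeId="x:uid" DataType="http://www.w3.org/2001/XMLSchema#integer">1001</AttributeAssignment>
  <AttributeAssignment AttributeId="x:gid" DataType="http://www.w3.org/2001/XMLSchema#integer">500</AttributeAssignment>
 </Obligation>
 <Obligation ObligationId="x:MultipleGIDs" FulfillOn="Permit">
  <AttributeAssignment AttributeId="x:gid" DataType="http://www.w3.org/2001/XMLSchema#integer">501</AttributeAssignment>
  <AttributeAssignment AttributeId="x:gid" DataType="http://www.w3.org/2001/XMLSchema#integer">502</AttributeAssignment>
 </Obligation>
 <Obligation ObligationId="x:AFSToken" FulfillOn="Permit">
  <AttributeAssignment AttributeId="x:token" DataType="http://www.w3.org/2001/XMLSchema#base64Binary">QUZTdG9rZW4=</AttributeAssignment>
 </Obligation>
</Obligations></Result></Response>"""
```

Calling `check_obligations(parse_obligations(SAMPLE), channel_encrypted=False)` rejects the sample because of the AFS token; with an encrypted channel it is accepted.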

Associated with Events:
Authorization Interoperability held on 23 Oct 2007