Fermilab Computing Division

CS Document 2591-v1

AuthZ Interop Profile Document - Jan 23 -2008 - Minutes

Document #:
CS-doc-2591-v1
Document type:
Documentation
Submitted by:
Gabriele Garzoglio
Updated by:
Gabriele Garzoglio
Document Created:
29 Jan 2008, 15:06
Contents Revised:
29 Jan 2008, 15:06
Metadata Revised:
29 Jan 2008, 15:06
Viewable by:
  • Public document

Abstract:

- Discussing the actions defined for each resource type.
-- For SE, the only action is "access". We do not deal with finer-grained access
control (read file, write file, etc.), and we do not pass paths in the authz
protocol: path-level decisions are handled by the SE software after the AuthZ
call-out.
-- For CE, we have two concepts: executing arbitrary code (e.g. via
job-manager-fork) and interacting with the batch system queue. We call these two
actions "execute-now" and "queue" respectively. We do not go into finer-grained
detail in the interaction with the queue (submit, delete, suspend, etc.).

- Pilot job information: currently, the only way to distinguish an
authorization request involving both a pilot and a user job from one involving
only a user job is to check whether pilot job subject information is present in
the environment context. Do we need an explicit attribute? Yuri will look into
how to write policies for this use case.

- Chad and his group will help us write code examples involving the OpenSAML
library. Current use cases: 1) invoking obligation handlers at the PEP given a
list of obligations; 2) extracting PEP capabilities from the environment
context at the PDP.
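The three items above (the per-resource action vocabulary, pilot-vs-user detection by the presence of a pilot subject in the environment context, and obligation handling with PEP capabilities) as a toy PDP/PEP model in Python. This is an added illustration, not code from the meeting, from the AuthZ Interop profile, or from the OpenSAML examples Chad's group will provide; the attribute names, obligation name, DNs and policy tables are placeholders invented for the example and are not the profile's identifiers.

```python
"""Toy PDP/PEP model for the minutes' three points (added example, not project code).
Attribute keys, obligation ids, DNs and the policy tables are placeholders."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Action vocabulary from the minutes: SE knows only "access"; CE distinguishes
# running code directly (execute-now) from interacting with the queue (queue).
ACTIONS_BY_RESOURCE = {"SE": {"access"}, "CE": {"execute-now", "queue"}}

# Environment-context keys (placeholder names, not the profile's URNs).
PILOT_SUBJECT = "pilot-subject-x509-id"
PEP_CAPABILITIES = "pep-obligation-capabilities"


@dataclass
class Request:
    subject: str            # X.509 DN of the user (payload user if behind a pilot)
    resource_type: str      # "SE" or "CE"
    action: str
    environment: Dict[str, object] = field(default_factory=dict)


@dataclass
class Decision:
    decision: str                        # "Permit", "Deny" or "NotApplicable"
    obligations: List[Tuple[str, str]]   # (obligation id, argument) pairs
    reason: str = ""


def is_pilot_request(req: Request) -> bool:
    """Current convention from the minutes: a request involves a pilot iff the
    pilot's subject is present in the environment context (no explicit flag)."""
    return PILOT_SUBJECT in req.environment


def pdp_decide(req: Request, policy: dict) -> Decision:
    allowed = ACTIONS_BY_RESOURCE.get(req.resource_type)
    if allowed is None:
        return Decision("NotApplicable", [], f"unknown resource type {req.resource_type!r}")
    if req.action not in allowed:
        return Decision("Deny", [], f"{req.action!r} is not an action of {req.resource_type}")
    if is_pilot_request(req):
        # Pilot + user job: the pilot must be trusted, and the payload user is
        # authorized under the pilot mapping, not the direct one.
        if req.environment[PILOT_SUBJECT] not in policy["trusted_pilots"]:
            return Decision("Deny", [], "pilot subject is not trusted")
        account = policy["pilot_payload_accounts"].get(req.subject)
    else:
        account = policy["direct_accounts"].get(req.subject)
    if account is None:
        return Decision("Deny", [], "subject not authorized in this mode")
    obligations = [("map-local-account", account)]
    # PEP capabilities are read from the environment context: emit only
    # obligations the PEP can fulfil, otherwise deny (fail closed).
    caps = set(req.environment.get(PEP_CAPABILITIES, ()))
    unsupported = [name for name, _ in obligations if name not in caps]
    if unsupported:
        return Decision("Deny", [], f"PEP cannot fulfil obligations {unsupported}")
    return Decision("Permit", obligations)


def pep_enforce(decision: Decision,
                handlers: Dict[str, Callable[[str], str]]) -> Tuple[bool, Dict[str, str]]:
    """Dispatch each obligation to its handler. Access is granted only if every
    obligation is fulfilled; a missing handler means the PEP must deny."""
    if decision.decision != "Permit":
        return False, {}
    applied: Dict[str, str] = {}
    for name, arg in decision.obligations:
        handler = handlers.get(name)
        if handler is None:
            return False, applied
        applied[name] = handler(arg)
    return True, applied


# Constructed sample policy and PEP handlers (placeholders).
POLICY = {
    "trusted_pilots": {"/DC=org/DC=example/CN=pilot-factory"},
    "direct_accounts": {"/DC=org/DC=example/CN=alice": "alice"},
    "pilot_payload_accounts": {"/DC=org/DC=example/CN=bob": "glexec-bob"},
}
HANDLERS = {"map-local-account": lambda acct: f"setuid({acct})"}


def run_scenarios() -> Dict[str, str]:
    """Decision per constructed scenario. Note that bob's DN is handled differently
    depending only on whether a pilot subject is present in the environment."""
    caps = {PEP_CAPABILITIES: ["map-local-account"]}
    pilot_env = {PILOT_SUBJECT: "/DC=org/DC=example/CN=pilot-factory", **caps}
    alice, bob = "/DC=org/DC=example/CN=alice", "/DC=org/DC=example/CN=bob"
    scenarios = {
        "se_read_file": Request(alice, "SE", "read", caps),          # not in vocabulary
        "se_access": Request(alice, "SE", "access", caps),
        "ce_queue_direct": Request(alice, "CE", "queue", caps),
        "ce_bob_direct": Request(bob, "CE", "execute-now", caps),    # bob only via pilot
        "ce_bob_via_pilot": Request(bob, "CE", "execute-now", pilot_env),
        "ce_no_caps": Request(alice, "CE", "queue", {}),             # PEP declared nothing
    }
    return {name: pdp_decide(req, POLICY).decision for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18s} {outcome}")
    d = pdp_decide(Request("/DC=org/DC=example/CN=alice", "CE", "queue",
                           {PEP_CAPABILITIES: ["map-local-account"]}), POLICY)
    print(pep_enforce(d, HANDLERS))
    print(pep_enforce(d, {}))   # PEP without a handler for the obligation: fails closed
```

The `is_pilot_request` test is exactly the presence check the minutes describe: the PDP infers the request mode from which attributes happen to be in the environment context. An explicit attribute, as raised in the minutes, would let the policy test a value instead, which is easier to write and audit than a presence test.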

Associated with Events:
Authorization Interoperability held on 23 Jan 2008