Access Grid Authorization
Agenda
• Authorization Landscape
• Role-based Authorization
• AuthorizationManager API
• Examples and exercises
Landscape
• PKI
  – Every user has a unique certificate
• Web Services
  – Web-accessible components of the AG software are exposed via SOAP over GSI
  – GSI connections are authenticated using certificates
    • User’s identity subject to verification by server
    • Server’s identity subject to verification by user
  – Methods are distinguished by their callability
    • Administrator methods
      – Venue configuration
    • User methods
      – Venue entry
Landscape
(Diagram: a Venue with its AudioService and VideoService, each carried over Multicast)
Role-based Authorization
• Abstraction layer between objects and the persons who will access them
• Similar to the *nix file system concept
  – Each object has a list of actions that can be performed on it (rwx)
  – Each action has a list of groups which are allowed to call it
  – Each group has a list of members (/etc/group)
Roles
• Roles are user groups
  – Required roles
    • Administrator
    • User
  – Custom roles
    • Venue.AllowedEntry
    • Venue.RegisteredUsers
Actions
• Actions define operations on web services
  – In the *nix file system analogy, read/write/execute are Actions
• Actions currently map one-to-one to web service methods
  – VenueServer.GetVenues
  – Venue.GetStreams
Subjects
• Subject class holds information about a user (in particular, the user’s distinguished name)
Policies
• An authorization policy describes the role/action/subject relationships in force for a service
• The policy for a service is represented in XML
• The policy can be modified wholesale, or through individual calls
• Services define default policies
Authorization UI
• VenueServer
Authorization UI
• Venue
AuthorizationManager
• AccessGrid.Security.AuthorizationManager
• Exposes interfaces for modifying the authorization policy for a service
• Used in the authorization callback registered with the SOAP server
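To make the role/action/subject model of the Policies slide and the per-method authorization callback concrete, here is an added example (not code from the Access Grid toolkit): a small policy loaded from a constructed XML document, a deny-by-default check, and an "individual call" modification alongside the wholesale load. The XML element names, the distinguished names and the callback signature are assumptions for illustration, not the toolkit's real schema or API.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy: the two required roles plus one custom Venue role.
# Element names are assumed for this example, not the toolkit's actual schema.
POLICY_XML = """<Policy>
  <Role name="Administrator">
    <Subject name="/O=Grid/OU=Example/CN=Alice Admin"/>
  </Role>
  <Role name="User">
    <Subject name="/O=Grid/OU=Example/CN=Bob User"/>
  </Role>
  <Role name="Venue.AllowedEntry">
    <Subject name="/O=Grid/OU=Example/CN=Bob User"/>
  </Role>
  <Action name="Venue.SetDescription"><Role name="Administrator"/></Action>
  <Action name="Venue.Enter"><Role name="Venue.AllowedEntry"/></Action>
  <Action name="Venue.GetStreams"><Role name="User"/><Role name="Administrator"/></Action>
</Policy>"""


def load_policy(xml_text):
    """Wholesale load: return (role -> set of subject DNs, action -> set of role names)."""
    root = ET.fromstring(xml_text)
    roles = {r.get("name"): {s.get("name") for s in r.findall("Subject")}
             for r in root.findall("Role")}
    actions = {a.get("name"): {r.get("name") for r in a.findall("Role")}
               for a in root.findall("Action")}
    return roles, actions


def add_subject_to_role(policy, role_name, subject_dn):
    """Individual-call modification: put one subject into one role."""
    roles, _ = policy
    roles.setdefault(role_name, set()).add(subject_dn)


def is_authorized(policy, subject_dn, action_name):
    """Deny by default: an unknown action or an unlisted subject is refused."""
    roles, actions = policy
    allowed_roles = actions.get(action_name, set())
    return any(subject_dn in roles.get(r, set()) for r in allowed_roles)


def authorization_callback(policy):
    """Return a hook shaped like a per-method authorization callback
    (assumed shape; the real SOAP server signature is not shown on the slides).
    Actions map one-to-one to method names, so the method name is the action."""
    def check(subject_dn, method_name):
        return is_authorized(policy, subject_dn, method_name)
    return check
```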
AuthorizationManager API
Future work
• Finer-grained authorization
  – Apply to objects in Venue
  – Permit authorization of individuals, not just groups
• Consider integrating a well-established authorization framework
Example: List defined Roles

```python
#!/usr/bin/python2
import sys
from AccessGrid.Toolkit import CmdlineApplication
from AccessGrid.Venue import VenueIW
from AccessGrid.Security.AuthorizationManager import AuthorizationManagerIW

# Venue URL is passed on the command line
url = sys.argv[1]

# Create and initialize application
app = CmdlineApplication()
app.Initialize('ListRoles')

# Get url for authorization manager and create interface wrapper
v = VenueIW(url)
amurl = v.GetAuthorizationManager()
authManager = AuthorizationManagerIW(amurl)

# Get roles from venue and process
roleList = authManager.ListRoles()
for role in roleList:
    print role.name
```
Exercise: List subjects in Roles
Example: Venue ACL manager