I2/NMI Update: Signet, Grouper, GridShib - PowerPoint PPT Presentation

Author: Tom Barton. Created 2/12/2005. PowerPoint presentation (on-screen show).
Transcript and Presenter's Notes
1
I2/NMI UpdateSignet, Grouper, GridShib
  • Tom Barton
  • University of Chicago

2
IdMS reality
  • Each person's online activities are shaped by many
    Sources of Authority (SoAs)
  • Resource managers
  • Program/activity heads
  • Other policy making bodies
  • Self
  • Common middleware infrastructure should be
    operated centrally
  • To not oblige departments/programs/activities to
    build their own core middleware
  • Management of the information it conveys should
    be highly distributed
  • Hook up all of those SoAs to the middleware

3
Relative roles of Signet & Grouper
  • RBAC model
  • Users are placed into groups
  • Privileges are assigned to groups
  • Groups can be arranged into static hierarchies to
    effectively bestow privileges
  • Signet manages privileges
  • Grouper manages, well, groups

(Diagram labels: Grouper, Signet)
4
Signet
5
Nutshell description of Signet
  • Analysts write XML descriptions of business
    views of privileges and store them in the
    Authority Registry
  • Signet UI presents business views found in the
    Authority Registry
  • Authoritative persons use the Signet UI to assign
    privileges and delegate authority across all
    subsystems in which they have any authority
  • Signet UI stores assignments in the Authority
    Registry
  • XML permissions documents are exported from the
    Authority Registry, transformed, and provisioned
    into integrated systems and infrastructure
    services

6
Privileges building blocks
  • Business view
  • Subsystems
  • Categories
  • Functions
  • Scope
  • Limits
  • Prerequisites
  • Conditions
  • System view
  • Permissions
  • Assignment to
  • Individual
  • Group
  • With/without ability to further delegate
  • Proxy assignment

7
Signet subsystems
  • Define domains of ownership and responsibility
  • Reflect real world boundaries
  • Can be large or small

(Diagram of example subsystems: Financial system, Student system, HR system,
Network address plan management, Network access management, Research
administration, Clinical resources; and the registries: IdMS UI (Person
Registry), Signet (Authority Registry), Grouper (Group Registry))
8
Authority elements by example
  Element        Example
  grantor        By authority of the Dean
  grantee        principal investigators (group)
  prerequisite   who have completed training
  function       can approve purchases
  scope          in the School of Medicine
  limits         for research projects up to 100,000
  condition      until January 1, 2006
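
The evaluation that these elements imply, as an added Python example that is not Signet's own code: a single business-view assignment carrying grantor, grantee, prerequisite, function, scope, limits and condition; a check of one request against it; and the export of the resolved system-view permission document of the kind the earlier slide says is transformed and provisioned into integrated systems. The group registry contents, the organisational hierarchy, the single numeric limit, the reading of "until" as an exclusive end date, and the XML element and attribute names are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Assignment:
    """One business-view assignment with the elements of the slide's example."""
    grantor: str                 # by authority of the Dean
    grantee: str                 # a group; its members come from the group registry
    function: str                # can approve purchases
    scope: str                   # in the School of Medicine
    limit: int                   # up to 100,000 (a single numeric limit is assumed)
    prerequisite: str | None     # who have completed training (another group)
    expires: date | None         # until January 1, 2006; None = no expiry
    can_delegate: bool = False   # with/without ability to further delegate


# Constructed sample group registry (stands in for Grouper in this example)
GROUPS = {
    "principal_investigators": {"alice", "bob"},
    "completed_training": {"alice", "carol"},
}

# Constructed organisational hierarchy: unit -> parent unit (assumption)
SCOPE_PARENT = {"Dept of Surgery": "School of Medicine",
                "School of Medicine": "University"}


def is_member(subject: str, group: str) -> bool:
    return subject in GROUPS.get(group, set())


def scope_covers(granted: str, requested: str) -> bool:
    """A grant at one unit applies to that unit and every unit below it."""
    unit = requested
    while unit is not None:
        if unit == granted:
            return True
        unit = SCOPE_PARENT.get(unit)
    return False


def authorized(a: Assignment, subject: str, function: str, scope: str,
               amount: int, today: date) -> bool:
    """Evaluate one request against one assignment; every element must hold."""
    if function != a.function:                                    # function
        return False
    if not is_member(subject, a.grantee):                         # grantee
        return False
    if a.prerequisite and not is_member(subject, a.prerequisite):  # prerequisite
        return False
    if not scope_covers(a.scope, scope):                          # scope
        return False
    if amount > a.limit:                                          # limits
        return False
    if a.expires is not None and today >= a.expires:              # condition
        return False
    return True


def export_permissions(a: Assignment) -> str:
    """System view: resolve the group-based assignment to the individuals who
    currently satisfy grantee and prerequisite, and emit an XML permission
    document of the kind Signet exports for transformation and provisioning.
    The element and attribute names here are assumptions."""
    root = ET.Element("permissions", function=a.function, scope=a.scope,
                      grantor=a.grantor)
    holders = sorted(s for s in GROUPS.get(a.grantee, set())
                     if not a.prerequisite or is_member(s, a.prerequisite))
    for subject in holders:
        p = ET.SubElement(root, "permission", subject=subject, limit=str(a.limit))
        if a.expires is not None:
            p.set("expires", a.expires.isoformat())
    return ET.tostring(root, encoding="unicode")


def permission_holders(xml_doc: str) -> list[str]:
    """Read the subjects back from an exported document, as a provisioning
    transform would."""
    return [p.get("subject") for p in ET.fromstring(xml_doc).findall("permission")]


# The slide's example as data
DEAN_GRANT = Assignment(grantor="Dean", grantee="principal_investigators",
                        function="approve purchases", scope="School of Medicine",
                        limit=100_000, prerequisite="completed_training",
                        expires=date(2006, 1, 1))
```

Note that the export resolves the grantee group to individuals at export time only; if the group or the prerequisite group changes afterwards, the provisioned permissions are stale until the next export, which is why the business view rather than the exported documents is the authoritative record.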
9
Business view → system permissions
10
Provisioning permissions into systems
11
Provisioning permissions into infrastructure
12
(No Transcript)
13
Grouper groups
  • Attributes of groups
  • Names: name, displayName, guid
  • Description
  • Members
  • Can extend the set of attributes to support
    groups with more specific purposes
  • Subgroups, compound groups, and aging
  • Stored in an RDBMS, the Group Registry

14
Group namespaces
  • Groups are created within namespaces
  • Namespaces scope the authority to create and name
    groups
  • Namespaces can be arranged hierarchically, if
    desired
  • faculties (namespace)
  • faculties:arts (namespace)
  • faculties:arts:all_staff (group)

15
Grouper privileges
  • Access privileges
  • Who has what access (read, write) to a group's
    attributes
  • Naming privileges
  • Who can create a group in each namespace
  • Who can create a new namespace subordinate to an
    existing one
  • Privilege interfaces are abstracted
  • Can use external privilege management system,
    like Signet
  • Grouper's built-in privilege management
  • Subgroups, compound groups, and aging can be used
    to manage privileges with built-in capability

16
Access privileges
  • VIEW controls to whom a group is visible or
    hidden
  • READ information, especially membership, about a
    group
  • UPDATE membership
  • ADMIN can modify everything, including group
    name, description, access privileges, and can
    delete the group
  • OPTIN can add self to the members list
  • OPTOUT can remove self from the members list

17
Naming privileges
  • CREATE a group in a given namespace
  • The creator is automatically given ADMIN priv
  • STEM privilege in a given namespace enables
  • Assignment of CREATE and STEM privileges for the
    namespace
  • Creation of subordinate namespaces
  • The creator is automatically given STEM priv

18
Three ways to distribute group management
  • Create a group and assign someone UPDATE
    privilege to it
  • Manage the group's membership
  • Create a group and assign someone ADMIN privilege
    to it
  • Manage who manages the group's membership and who
    can see what about the group
  • Create a namespace and assign someone STEM
    privilege to it
  • Manage who can create groups with constraint on
    how they are named
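
The registry model these slides describe, as an added Python example that is not Grouper's own code or API: groups in ':'-separated namespaces, subgroups that bestow a group's privileges on their members through the RBAC hierarchy of the "Relative roles" slide, the VIEW/READ/UPDATE/ADMIN/OPTIN/OPTOUT access privileges, the CREATE/STEM naming privileges with the creator automatically receiving ADMIN (group) or STEM (namespace), and the three ways of distributing management. The class and method names, the rule that ADMIN implies every other access privilege, and the sample actors are assumptions made for illustration.

```python
from __future__ import annotations

ACCESS = ("VIEW", "READ", "UPDATE", "ADMIN", "OPTIN", "OPTOUT")
NAMING = ("CREATE", "STEM")


class Denied(PermissionError):
    """Raised when the actor lacks the privilege the operation requires."""


class GroupRegistry:
    """Namespaces (stems) and groups keyed by ':'-separated names, e.g.
    'faculties:arts:all_staff' is the group all_staff in stem faculties:arts."""

    def __init__(self, root_admin: str):
        # stem name -> naming privilege -> holders; '' is the root stem (assumption)
        self.stems = {"": {"STEM": {root_admin}, "CREATE": set()}}
        # group name -> members, subgroups and access privilege holders
        self.groups = {}

    @staticmethod
    def parent(name: str) -> str:
        return name.rsplit(":", 1)[0] if ":" in name else ""

    # ---- naming privileges: who may create stems and groups where ----
    def has_naming(self, actor: str, stem: str, priv: str) -> bool:
        return stem in self.stems and actor in self.stems[stem][priv]

    def create_stem(self, actor: str, name: str) -> None:
        if not self.has_naming(actor, self.parent(name), "STEM"):
            raise Denied(f"{actor}: no STEM on {self.parent(name)!r}")
        self.stems[name] = {"STEM": {actor}, "CREATE": set()}  # creator gets STEM

    def grant_naming(self, actor: str, stem: str, priv: str, grantee: str) -> None:
        # STEM in a namespace lets the holder hand out CREATE and STEM there
        if priv not in NAMING or not self.has_naming(actor, stem, "STEM"):
            raise Denied(f"{actor}: no STEM on {stem!r}")
        self.stems[stem][priv].add(grantee)

    def create_group(self, actor: str, name: str) -> None:
        if not self.has_naming(actor, self.parent(name), "CREATE"):
            raise Denied(f"{actor}: no CREATE on {self.parent(name)!r}")
        self.groups[name] = {"members": set(), "subgroups": set(),
                             "privs": {p: set() for p in ACCESS}}
        self.groups[name]["privs"]["ADMIN"].add(actor)  # creator gets ADMIN

    # ---- access privileges on a single group ----
    def has_access(self, actor: str, group: str, priv: str) -> bool:
        privs = self.groups[group]["privs"]
        return actor in privs["ADMIN"] or actor in privs[priv]  # ADMIN covers all

    def grant_access(self, actor: str, group: str, priv: str, grantee: str) -> None:
        if priv not in ACCESS or not self.has_access(actor, group, "ADMIN"):
            raise Denied(f"{actor}: no ADMIN on {group!r}")
        self.groups[group]["privs"][priv].add(grantee)

    def add_member(self, actor: str, group: str, member: str) -> None:
        if not self.has_access(actor, group, "UPDATE"):
            raise Denied(f"{actor}: no UPDATE on {group!r}")
        self.groups[group]["members"].add(member)

    def add_subgroup(self, actor: str, group: str, subgroup: str) -> None:
        if not self.has_access(actor, group, "UPDATE"):
            raise Denied(f"{actor}: no UPDATE on {group!r}")
        self.groups[group]["subgroups"].add(subgroup)

    def effective_members(self, group: str, seen: set | None = None) -> set:
        """Flatten the subgroup hierarchy: whatever is assigned to 'group' is
        effectively bestowed on every member of every subgroup below it."""
        seen = seen if seen is not None else set()
        if group in seen:          # guard against subgroup cycles
            return set()
        seen.add(group)
        g = self.groups[group]
        out = set(g["members"])
        for sub in g["subgroups"]:
            out |= self.effective_members(sub, seen)
        return out


def is_denied(op, *args) -> bool:
    """True if the operation raises Denied; shows what a delegate cannot do."""
    try:
        op(*args)
    except Denied:
        return True
    return False


def build_demo() -> GroupRegistry:
    """The three ways to distribute management, with constructed sample actors."""
    r = GroupRegistry(root_admin="central_it")
    r.create_stem("central_it", "faculties")
    r.grant_naming("central_it", "faculties", "STEM", "dean")   # way 3: delegate a namespace
    r.create_stem("dean", "faculties:arts")
    r.grant_naming("dean", "faculties:arts", "CREATE", "dean")
    r.create_group("dean", "faculties:arts:all_staff")           # dean is now ADMIN
    r.create_group("dean", "faculties:arts:lecturers")
    r.grant_access("dean", "faculties:arts:lecturers", "UPDATE", "secretary")  # way 1
    r.add_member("secretary", "faculties:arts:lecturers", "alice")
    r.grant_access("dean", "faculties:arts:all_staff", "ADMIN", "hr_lead")     # way 2
    r.add_subgroup("hr_lead", "faculties:arts:all_staff", "faculties:arts:lecturers")
    r.add_member("hr_lead", "faculties:arts:all_staff", "bob")
    return r
```

In the demo the secretary can change the lecturers' membership but cannot hand out privileges on it, the HR lead can do both on all_staff, and the dean controls which groups may be created under faculties:arts and how they are named; none of them needs anything from central IT after the initial STEM grant, which is the distributed-management point of the slides.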

19
Signet & Grouper
  • Subject Interface
  • Component common to both to integrate with
    external IdMS
  • Now available
  • Grouper API v0.5. Basic group management by
    automation processes
  • Demo release of Signet
  • By Spring Internet2 meeting
  • Grouper v0.6. First complete release, including
    the UI
  • Initial production ready release of Signet
    anticipated middle of 2005

20
What is GridShib?
  • NSF Middleware Initiative (NMI) grant: Policy
    Controlled Attribute Framework
  • Allow the use of Shibboleth-transported
    attributes for authorization in NMI Grids built
    on the Globus Toolkit v4
  • 2 year project starting December 1, 2004
  • Participants
  • Von Welch, UIUC/NCSA (PI)
  • Kate Keahey, UChicago/Argonne (PI)
  • Frank Siebenlist, Argonne
  • Tom Barton, UChicago

21
GridShib integration principles
  • No modification to typical grid client
    applications
  • Leverage high-quality campus IdMS operations
  • Attributes
  • Attribute release policies
  • Leverage high-quality Shib and Grid software

22
Basic use case
(Diagram of the basic use case, numbered steps -2 through 5: grid-proxy-init,
SIA, IdP ID(s), EEC, GT4 runtime attribute marshalling pipeline, online CA,
Shib AA, LionShare-like trust plugin)
23
Managing the attributes marshalled by GridShib
Grid resource, user, and SoAs for user attributes
may be in different administrative domains. How
to manage attributes marshalled from which
AA? Shibbolized Signet & Grouper might help.