Title: I2/NMI Update: Signet, Grouper,
1I2/NMI UpdateSignet, Grouper, GridShib
- Tom Barton
- University of Chicago
2IdMS reality
- Each persons online activities is shaped by many
Sources of Authority (SoAs) - Resource managers
- Program/activity heads
- Other policy making bodies
- Self
- Common middleware infrastructure should be
operated centrally - To not oblige departments/programs/activities to
build their own core middleware - Management of the information it conveys should
be highly distributed - Hook up all of those SoAs to the middleware
3Relative roles of Signet Grouper
- RBAC model
- Users are placed into groups
- Privileges are assigned to groups
- Groups can be arranged into static hierarchies to
effectively bestow privileges - Signet manages privileges
- Grouper manages, well, groups
Grouper
Signet
4Signet
5Nutshell description of Signet
- Analysts write XML descriptions of business
views of privileges and store them in the
Authority Registry - Signet UI presents business views found in the
Authority Registry - Authoritative persons use the Signet UI to assign
privileges and delegate authority across all
subsystems in which they have any authority - Signet UI stores assignments in the Authority
Registry - XML permissions documents are exported from the
Authority Registry, transformed, and provisioned
into integrated systems and infrastructure
services
6Privileges building blocks
- Business view
- Subsystems
- Categories
- Functions
- Scope
- Limits
- Prerequisites
- Conditions
- System view
- Permissions
- Assignment to
- Individual
- Group
- With/without ability to further delegate
- Proxy assignment
7Signet subsystems
- Define domains of ownership and responsibility
- Reflect real world boundaries
- Can be large or small
Financial system Student system HR system Network
address plan management Network access
management Research administration Clinical
resources IdMS UI (Person Registry) Signet
(Authority Registry) Grouper (Group Registry)
8Authority elements by example
By authority of the Dean grantor
principal investigators grantee (group)
who have completed training prerequisite
can approve purchases function
in the School of Medicine scope
for research projects up to 100,000 limits
until January 1, 2006 condition
9Business view ? system permissions
10Provisioning permissions into systems
11Provisioning permissions into infrastructure
12(No Transcript)
13Grouper groups
- Attributes of groups
- Names name, displayName, guid
- Description
- Members
- Can extend the set of attributes to support
groups with more specific purposes - Subgroups, compound groups, and aging
- Stored in an RDBMS, the Group Registry
14Group namespaces
- Groups are created within namespaces
- Namespaces scope the authority to create and name
groups - Namespaces can be arranged hierarchically, if
desired - faculties namespace
- facultiesarts namespace
- facultiesartsall_staff group
15Grouper privileges
- Access privileges
- Who has what access (read, write) to a groups
attributes - Naming privileges
- Who can create a group in each namespace
- Who can create a new namespace subordinate to an
existing one - Privilege interfaces are abstracted
- Can use external privilege management system,
like Signet - Groupers built-in privilege management
- Subgroups, compound groups, and aging can be used
to manage privileges with built-in capability
16Access privileges
- VIEW controls to whom a group is visible or
hidden - READ information, especially membership, about a
group - UPDATE membership
- ADMIN can modify everything, including group
name, description, access privileges, and can
delete the group - OPTIN can add self to the members list
- OPTOUT can remove self from the members list
17Naming privileges
- CREATE a group in a given namespace
- The creator is automatically given ADMIN priv
- STEM privilege in a given namespace enables
- Assignment of CREATE and STEM privileges for the
namespace - Creation of subordinate namespaces
- The creator is automatically given STEM priv
18Three ways to distribute group management
- Create a group and assign someone UPDATE
privilege to it - Manage the groups membership
- Create a group and assign someone ADMIN privilege
to it - Manage who manages the groups membership and who
can see what about the group - Create a namespace and assign someone STEM
privilege to it - Manage who can create groups with constraint on
how they are named
19Signet Grouper
- Subject Interface
- Component common to both to integrate with
external IdMS - Now available
- Grouper API v0.5. Basic group management by
automation processes - Demo release of Signet
- By Spring Internet2 meeting
- Grouper v0.6. First complete release, including
the UI - Initial production ready release of Signet
anticipated middle of 2005
20What is GridShib?
- NSF Middleware Initiative (NMI) GrantPolicy
Controlled Attribute Framework - Allow the use of Shibboleth-transported
attributes for authorization in NMI Grids built
on the Globus Toolkit v4 - 2 year project starting December 1, 2004
- Participants
- Von Welch, UIUC/NCSA (PI)
- Kate Keahey, UChicago/Argonne (PI)
- Frank Siebenlist, Argonne
- Tom Barton, UChicago
21GridShib integration principles
- No modification to typical grid client
applications - Leverage high-quality campus IdMS operations
- Attributes
- Attribute release policies
- Leverage high-quality Shib and Grid software
22Basic use case
grid-proxy-init
SIA IdP ID(s)
2
1
EEC
GT4 runtime attribute marshalling pipeline
0
3
4
-2
-1
online CA
5
shib AA LionShare-like trust plugin
23Managing the attributes marshalled by GridShib
Grid resource, user, and SoAs for user attributes
may be in different administrative domains. How
to manage attributes marshalled from which
AA? Shibbolized Signet Grouper might help