Project notes about GRID Authorization Framework for CCLRC Data Portal. Ananta Manandhar, Glen Drinkwater, Richard Tyer, Kerstin Kleese CCLRC Daresbury Laboratory. Proceedings of UK e-Science All Hands Meeting 2003, 2-4th September, Nottingham, UK. http://www.nesc.ac.uk/events/ahm2003/AHMCD/pdf/118.pdf
- Mentions the 3 primary AuthZ frameworks:
- Community AuthZ Service (CAS) from the Globus project,
- Virtual Organization Management System (VOMS) from the EU Data grid project
- and PERMIS with respect to a "Grid Authorization Framework for CCLRC Data Portal".
- Analysing the structure of the resource providers and the direction they are heading, the paper finds that the important requirements of the authorization infrastructure are that it has to be:
  - Scalable: it is inevitable that as organizations collaborate more, more users will access their resources. Organizations need to be able to scale up the number of users or resources without much additional administration overhead if they are to benefit from collaboration.
  - Manageable: adding or removing users or resources, or modifying user privileges on resources, needs to stay simple and intuitive for the organizations so that the overhead of collaboration does not grow. Keeping user privileges manageable also keeps the system more consistent and up to date, and therefore more reliable.
  - Preferably under the control of the resource end: when it comes to security, organizations are wary of external parties accessing their resources. They prefer to control who has access to their data and to what degree; they are not yet ready to trust third-party organizations to authorize access to their resources, and keep that control themselves so the resources remain reliable.
  - Minimum intervention at the Data Portal layer: as the Data Portal is a broker between users and resources, it is best to pull authentication and authorization information from the resource provider's trusted bodies and have the Data Portal forward it to the resource provider along with the request. This keeps the Data Portal from becoming an additional point of security consideration.
  - Ability to utilize existing access control models: much of the data is stored in file systems, databases or other systems that already have elaborate access control features, and many existing resources already use them to manage the level of information returned. It seems best to integrate the authorization information with these access control mechanisms when deciding the level of information to return.
  - Ability to integrate with GSI: GSI is the standard means of authenticating users in the e-Science community. It provides a trusted mechanism for authenticating users and delegating authentication rights, so it would be useful for the authorization system to use GSI as its authentication mechanism.
  - Future integration with other Grid-related applications: users accessing data resources via the Data Portal may want to use other Grid applications, such as the HPC portal [10,11], in conjunction with it. For example, a user may retrieve a data set via the Data Portal and then submit a job on the HPC portal. Such operations are easier for the user if the different Grid applications use similar authentication and authorization strategies.
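Added example, not code from the paper: a small Python model of the broker pattern behind the "minimum intervention at the Data Portal layer" and "existing access control models" requirements. An attribute authority (VOMS/CAS-style) signs the user's roles, the Data Portal attaches the token to the request without interpreting it, and the resource provider alone verifies the token and maps the roles onto its own ACL to decide how much of a record to return. HMAC over a shared secret stands in for the GSI/X.509 signature the paper assumes; the user DN, dataset, roles and fields are constructed values.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret between the attribute authority and the resource provider.
# Assumption: HMAC replaces the X.509/GSI signature a real deployment would use.
AUTHORITY_KEY = b"constructed-shared-secret"

def issue_attribute_token(user_dn, roles, ttl=300, now=None):
    """Attribute authority trusted by the resource end signs the user's roles."""
    issued = now if now is not None else time.time()
    payload = json.dumps({"sub": user_dn, "roles": roles, "exp": issued + ttl}, sort_keys=True)
    sig = hmac.new(AUTHORITY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def portal_forward(token, request):
    """Data Portal as a broker: forwards the token with the request, makes no decision."""
    return {"request": request, "token": token}

# Resource provider's existing access control: which fields each role may see (constructed).
LOCAL_ACL = {
    "experiment-42": {
        "public": ["title"],
        "collaborator": ["title", "summary"],
        "owner": ["title", "summary", "raw_path"],
    },
}
DATASETS = {
    "experiment-42": {"title": "Constructed run", "summary": "summary text", "raw_path": "/data/raw"},
}

def resource_provider_handle(envelope, now=None):
    """Resource end verifies the forwarded token itself, then applies its own ACL."""
    token = envelope["token"]
    expected = hmac.new(AUTHORITY_KEY, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None  # tampered or untrusted assertion: deny outright
    claims = json.loads(token["payload"])
    if claims["exp"] < (now if now is not None else time.time()):
        return None  # stale assertion: deny
    dataset = envelope["request"]["dataset"]
    acl = LOCAL_ACL.get(dataset, {})
    visible = set(acl.get("public", []))
    for role in claims["roles"]:
        visible.update(acl.get(role, []))
    record = DATASETS.get(dataset, {})
    return {k: v for k, v in record.items() if k in visible}
```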