Common CE XACML Authorization Profile (v.1)

Second draft for the common CE XACML authorization profile.

  • TODO: add description of the matching algo for the datatype

Introduction

References

[XACML]
OASIS Standard, eXtensible Access Control Markup Language, Version 2.0, February 2005. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
[XACML-CREAM]
XACML Profile for the gLite CREAM CE (Draft). https://edms.cern.ch/document/1078881/
[SAML-EMI]
EMI Common SAML Attributes. https://twiki.cern.ch/twiki/bin/view/EMI/EmiJra1T4SAML
[RFC2253]
http://www.ietf.org/rfc/rfc2253.txt

Notation

The examples use the following namespace prefixes:

The prefix ctx
stands for the XACML context namespace (urn:oasis:names:tc:xacml:2.0:context)

XML Namespaces

The XACML common CE profile syntax is defined in a schema associated with the following XML namespaces:

  • http://dci-sec.org/xacml/attribute
  • http://dci-sec.org/xacml/datatype
  • http://dci-sec.org/xacml/algorithm
  • http://dci-sec.org/xacml/action
  • http://dci-sec.org/xacml/profile

Environment Attributes

Profile Identifier

Identify the profile implemented by the request sender. The attribute MUST be present in the request.

AttributeId
http://dci-sec.org/xacml/attribute/profile-id
DataType
http://www.w3.org/2001/XMLSchema#anyURI
AttributeValue Multiplicity
1
Value(s)
The attribute value MUST be http://dci-sec.org/xacml/profile/common-ce/1.0

Example

<ctx:Environment>
  <ctx:Attribute AttributeId=”http://dci-sec.org/xacml/attribute/profile-id” 
      DataType=”http://www.w3.org/2001/XMLSchema#anyURI”>
     <ctx:AttributeValue>
       http://dci-sec.org/xacml/profile/common-ce/1.0
     </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Environment>

Subject Attributes

Subject Identifier

Identify the submitter of the job to the CE. The attribute MUST be present in the request.

AttributeId
urn:oasis:names:tc:xacml:1.0:subject:subject-id
DataType
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
AttributeValue Multiplicity
1
Value(s)
X.509 distinguished name of the end-entity certificate. The DN format is RFC2253, e.g. "CN=John Doe,DC=example,DC=org"

Example

<ctx:Subject>
  <ctx:Attribute AttributeId=”urn:oasis:names:tc:xacml:1.0:subject:subject-id” 
      DataType=”urn:oasis:names:tc:xacml:1.0:data-type:x500Name”>
    <ctx:AttributeValue>
      CN=John Doe,DC=example,DC=org
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Subject Issuer

DNs of the subject of all the root certificate authority and all subordinate certificate authorities within the certificate chain identifying the job submitter. The attribute SHOULD be present in the request.

For example, assume:

  • certificate C is the end entity certificate
  • subordinate certificate authority B signed certificate C
  • root certificate authority A signed subordinate certificate authority B
then this attribute would contain the subject DN for certificate authorities A and B.

AttributeId
http://dci-sec.org/xacml/attribute/subject-issuer
DataType
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
AttributeValue Multiplicity
1..N
Value(s)
X.509 distinguished name of the authority(ies) which issued the job submitter's identity. The DN format is RFC2253.

Example

<ctx:Subject>
  <ctx:Attribute AttributeId=”http://dci-sec.org/xacml/attribute/subject-issuer” 
      DataType=”urn:oasis:names:tc:xacml:1.0:data-type:x500Name”>
    <ctx:AttributeValue>
      CN=QV Schweiz ICA,OU=Issuing Certificate Authority,O=QuoVadis Trustlink Schweiz AG,C=CH
    </ctx:AttributeValue>
    <ctx:AttributeValue>
      CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Virtual Organization (VO)

The subject's virtual organization membership.

TODO: add link to the common SAML profile

AttributeId
http://dci-sec.org/xacml/attribute/virtual-organization
DataType
http://www.w3.org/2001/XMLSchema#string
AttributeValue Multiplicity
1..N
Value(s)
Names of virtual organizations the subject is member of.

Example

<ctx:Subject>
  <ctx:Attribute AttributeId=”http://dci-sec.org/xacml/attribute/virtual-organization” 
      DataType=”http://www.w3.org/2001/XMLSchema#string”>
    <ctx:AttributeValue>
      atlas
    </ctx:AttributeValue>
    <ctx:AttributeValue>
      vo.example.org
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Questions

  • do we need a special data type for VO (like SAML) or #string is enough?

Comments

Aleksandr Konstantinov
Maybe accompanied by issuer - like VOMS SN.

Group

The subject group membership.

TODO: add link to the common SAML profile.

AttributeId
http://dci-sec.org/xacml/attribute/group
DataType
http://dci-sec.org/xacml/datatype/group
AttributeValue Multiplicity
1..N
Value(s)
Names of the group the subject is member of.

Example

<ctx:Subject>
  <ctx:Attribute AttributeId=”http://dci-sec.org/xacml/attribute/group” 
      DataType=”http://dci-sec.org/xacml/datatype/group”>
    <ctx:AttributeValue>
      /atlas/admin
    </ctx:AttributeValue>
    <ctx:AttributeValue>
      /atlas/analysis
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Primary Group

The subject primary group membership.

TODO: add link to the common SAML profile.

AttributeId
http://dci-sec.org/xacml/attribute/group/primary
DataType
http://dci-sec.org/xacml/datatype/group
AttributeValue Multiplicity
1
Value
Name of the primary group of the subject. The value MUST appear in the Group attribute values.

Example

<ctx:Subject>
  <ctx:Attribute AttributeId=”http://dci-sec.org/xacml/attribute/group/primary” 
      DataType=”http://dci-sec.org/xacml/datatype/group”>
    <ctx:AttributeValue>
      /atlas/admin
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Role

Represents the roles assigned to the subject. The subject role MUST be scoped to a particular group or VO name.

AttributeId
http://dci-sec.org/xacml/attribute/role
DataType
http://dci-sec.org/xacml/datatype/role
Issuer
Group or VO name scope of the role. The Issuer value set MUST have a corresponding XACML Group or VO name attribute value.
AttributeValue Multiplicity
1..N
Value(s)
Names of the role assigned to the subject.

Example

<ctx:Subject>
  <!-- role scoped to the group -->
  <ctx:Attribute AttributeId=”http://dci-sec.org/xacml/attribute/role” 
      DataType=”http://dci-sec.org/xacml/datatype/role”
      Issuer="/atlas/analysis">
    <ctx:AttributeValue>
      SoftwareManager
    </ctx:AttributeValue>
  </ctx:Attribute>
  <!-- role scoped to a VO name -->
  <ctx:Attribute AttributeId=”http://dci-sec.org/xacml/attribute/role” 
      DataType=”http://dci-sec.org/xacml/datatype/role”
      Issuer="vo.example.org">
    <ctx:AttributeValue>
      Tester
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Questions

  • is an attribute uniquely identified by the {AttributeId, DataType, Issuer} tuple (see [XACML] 5.37 AttributeDesignatorType)?
  • do we need a special data type for the role (like SAML) or ...#string is enough?
  • is this MUST or MAY (like the SAML) be scoped to particular group or VO name?

Primary Role

Represents the primary role assigned to the subject. The primary role MUST be scoped to a group or VO name.

AttributeId
http://dci-sec.org/xacml/attribute/role/primary
DataType
http://dci-sec.org/xacml/datatype/role
Issuer
Group or VO name scope of the primary role. The Issuer value set MUST have a corresponding XACML Group or VO name attribute value.
AttributeValue Multiplicity
1
Value(s)
Name of the primary role assigned to the subject.

Example

<ctx:Subject>
  <ctx:Attribute AttributeId=”http://dci-sec.org/xacml/attribute/role/primary”
     DataType=”http://dci-sec.org/xacml/datatype/role”
     Issuer="atlas">
    <ctx:AttributeValue>
      Tester
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Questions

  • do we need a special data type for the role (like SAML) or ...#string is enough?
  • how to differentiate between a Group or VO name scope (Issuer is not typed) ?

Comments

Aleksandr Konstantinov
maybe add VO to Role and Group.

Resource Owner

Identify the owner of the resource.

AttributeId
http://dci-sec.org/xacml/attribute/resource-owner
DataType
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
AttributeValue Multiplicity
1
Value(s)
X.509 distinguished name of the end-entity certificate.

Example

<ctx:Subject>
  <ctx:Attribute AttributeId=”http://dci-sec.org/xacml/attribute/resource-owner” 
      DataType=”urn:oasis:names:tc:xacml:1.0:data-type:x500Name”>
    <ctx:AttributeValue>
      CN=Jane Doe,DC=example,DC=org
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Comments

  • This attribute is required by UNICORE

Resource Attributes

Resource Identifier

Identifies the CE, or a logical grouping of CEs, upon which the action to be authorized will be executed. This attribute MUST be present in a request.

Identifier
urn:oasis:names:tc:xacml:1.0:resource:resource-id
DataType
http://www.w3.org/2001/XMLSchema#string
AttributeValue Multiplicity
1
Value(s)
???

Example

<ctx:Resource>
  <ctx:Attribute AttributeId=”urn:oasis:names:tc:xacml:1.0:resource:resource-id”
     DataType=”http://www.w3.org/2001/XMLSchema#string”>
    <ctx:AttributeValue>
      http://example.org/ce/cream-ce-1
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Resource>

Questions

  • Is the DataType ...#string correct to identity a resource, why not ...#anyURI ?
  • Should we formalize the resource identifier values ?

Comments

Karsten Schwank
I think it is a good idea to formalize the the values, otherwise I could imagine the risk of duplicates within a large system is too big and formalized values would keep the policies human readable. Depending on the kind of formalization this could even allow further automatic, semantic evaluation of the policies. Same thing for the actions.

Krzysztof Benedyczak
I vote for URI. In our case {UNICORE} it is an URL of the Web Service.

Aleksandr Konstantinov
too generic. Or it needs an attribute/scoping to define which kind of identifier it is - URL, SN, WS-Addressing, path. Also it is not clear to me how to specify resource at service which can't be represented as combined URL. Like job handled by Execution Service - with job id XML-ized and ES represented by URL or EPR.

Action Attributes

Action Identifier

Identifies the action being performed on the CE. This attribute MUST be present in a request.

Identifier
urn:oasis:names:tc:xacml:1.0:action:action-id
DataType
http://www.w3.org/2001/XMLSchema#string
AttributeValue Multiplicity
1
Value(s)
???

CREAM CE action value examples:

A-REX actions examples:

EMI Execution Service actions examples:

  • define the list of action value, based on the EMI Execution Service (EES) requirement.

Questions

  • values multiplicity: 1 or 1..N ?

Comments

Krzysztof Benedyczak
My remark is that here (in opposite what is in the current CREAM profile) we want any string - without any restrictions. However we may obey some predefined actions if those are applicable.

Aleksandr Konstantinov
probably needs some scoping to define kind of service involved. Or there need to be some rules how to compose the string representing action which would allow to distinguish "create" action of Storage from "create" of ES.

Data-types

Defines the DataType s used in the XACML attributes.

Group DataType

Identifier
http://dci-sec.org/xacml/datatype/group

TODO: add description and link to the common SAML profile

Role DataType

Identifier
http://dci-sec.org/xacml/datatype/role

TODO: add description and link to the common SAML profile

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2011-02-15 - ValeryTschoppExCern
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EMI All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright &© 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback