Common CE XACML Authorization Profile, Version 1.0

Version 1.0 of the Common Computing Element XACML Authorization Profile for EMI.

Introduction

Document Identifier: http://dci-sec.org/xacml/profile/common-ce/1.0

Location: EMI-DOC-JRA1-CommonXACMLProfile-v1.0.doc

Contact: emi-jra1-sec@eu-emiNOSPAMPLEASE.eu

References

[XACML]
OASIS Standard, eXtensible Access Control Markup Language, Version 2.0, February 2005. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
[XACML-CREAM]
XACML Profile for the gLite CREAM CE (Draft). https://edms.cern.ch/document/1078881/
[SAML-EMI]
EMI Common VO SAML Attributes Profile, Version 1.0.1. https://twiki.cern.ch/twiki/bin/view/EMI/CommonSAMLProfileV1_0_1
[RFC2253]
LDAPv3 Distinguished Names. http://www.ietf.org/rfc/rfc2253.txt

Notation

The examples use the following namespace prefixes:

The prefix ctx stands for the XACML context namespace (urn:oasis:names:tc:xacml:2.0:context).

XML Namespaces

The XACML common CE profile syntax is defined in a schema associated with the following XML namespaces:

  • http://dci-sec.org/xacml/attribute
  • http://dci-sec.org/xacml/datatype
  • http://dci-sec.org/xacml/algorithm
  • http://dci-sec.org/xacml/action
  • http://dci-sec.org/xacml/profile

Environment Attributes

The XACML Environment element contains a set of attributes of the environment that are relevant to an authorization decision and are independent of any particular subject, resource or action.

Profile Identifier

Identifies the profile implemented by the request sender. The attribute MUST be present in the request.

AttributeId
http://dci-sec.org/xacml/attribute/profile-id
DataType
http://www.w3.org/2001/XMLSchema#anyURI
AttributeValue Multiplicity
1
Value(s)
The attribute value MUST be http://dci-sec.org/xacml/profile/common-ce/1.0

Example

<ctx:Environment>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/profile-id"
      DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <ctx:AttributeValue>
      http://dci-sec.org/xacml/profile/common-ce/1.0
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Environment>

Subject Attributes

The XACML Subject element identifies a subject, an actor, by listing a sequence of attributes associated with the subject.

Subject Identifier

Identifies the submitter of the job to the CE. The attribute MUST be present in the request.

AttributeId
urn:oasis:names:tc:xacml:1.0:subject:subject-id
DataType
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
AttributeValue Multiplicity
1
Value(s)
X.509 distinguished name of the end-entity certificate. The value MUST be in RFC2253 format, e.g. "CN=John Doe,DC=example,DC=org"

Example

<ctx:Subject>
  <ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
    <ctx:AttributeValue>
      CN=John Doe,DC=example,DC=org
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Subject Issuer

Subject DNs of the root certificate authority and of every subordinate certificate authority in the certificate chain that identifies the job submitter. The attribute SHOULD be present in the request.

For example, assume:

  • certificate C is the end entity certificate
  • subordinate certificate authority B signed certificate C
  • root certificate authority A signed subordinate certificate authority B
then this attribute would contain the subject DNs of certificate authorities A and B.

AttributeId
http://dci-sec.org/xacml/attribute/subject-issuer
DataType
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
AttributeValue Multiplicity
1..N
Value(s)
X.509 distinguished names of the authorities that issued the job submitter's identity. Each value MUST be in RFC2253 format.

Example

<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/subject-issuer"
      DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
    <ctx:AttributeValue>
      CN=QV Schweiz ICA,OU=Issuing Certificate Authority,O=QuoVadis Trustlink Schweiz AG,C=CH
    </ctx:AttributeValue>
    <ctx:AttributeValue>
      CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Virtual Organization (VO)

The subject's virtual organization membership.

AttributeId
http://dci-sec.org/xacml/attribute/virtual-organization
DataType
http://www.w3.org/2001/XMLSchema#string
AttributeValue Multiplicity
1..N
Value(s)
Name of the virtual organization(s) of which the subject is a member. The value MUST respect the following grammar:

    vo ::= [a-zA-Z0-9][a-zA-Z0-9_.-]*

Example

<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/virtual-organization"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <ctx:AttributeValue>
      atlas
    </ctx:AttributeValue>
    <ctx:AttributeValue>
      vo.example.org
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Group

The subject group membership.

AttributeId
http://dci-sec.org/xacml/attribute/group
DataType
http://www.w3.org/2001/XMLSchema#string
AttributeValue Multiplicity
1..N
Value(s)
Groups of which the subject is a member. The value MUST respect the following grammar:

    group ::= '/' groupname | group '/' groupname
    groupname ::= [a-zA-Z0-9][a-zA-Z0-9_.-]*

The first path element of each group MUST be the VO name, i.e. if the VO name is atlas, then each group must start with /atlas.

Example

<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/group"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <ctx:AttributeValue>
      /dteam
    </ctx:AttributeValue>
    <ctx:AttributeValue>
      /atlas/analysis
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Primary Group

The subject primary group membership.

AttributeId
http://dci-sec.org/xacml/attribute/group/primary
DataType
http://www.w3.org/2001/XMLSchema#string
AttributeValue Multiplicity
1
Value
Primary group of the subject. The value MUST also appear in the http://dci-sec.org/xacml/attribute/group attribute values and MUST respect the same format.

Example

<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/group/primary"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <ctx:AttributeValue>
      /atlas/analysis
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Role

Represents the roles assigned to the subject. The role MUST be scoped to a particular group.

AttributeId
http://dci-sec.org/xacml/attribute/role
DataType
http://www.w3.org/2001/XMLSchema#string
Issuer
Scope of the roles. The Issuer value MUST have a corresponding http://dci-sec.org/xacml/attribute/group attribute value.
AttributeValue Multiplicity
1..N
Value(s)
Role assigned to the subject. The value MUST respect the following grammar:

    role ::= [a-zA-Z0-9][a-zA-Z0-9_.-]*

Example

<ctx:Subject>
  <!-- role scoped to group /atlas/analysis -->
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/role"
      DataType="http://www.w3.org/2001/XMLSchema#string"
      Issuer="/atlas/analysis">
    <ctx:AttributeValue>
      SoftwareManager
    </ctx:AttributeValue>
  </ctx:Attribute>
  <!-- roles scoped to group /dteam -->
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/role"
      DataType="http://www.w3.org/2001/XMLSchema#string"
      Issuer="/dteam">
    <ctx:AttributeValue>
      Tester
    </ctx:AttributeValue>
    <ctx:AttributeValue>
      Developer
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Primary Role

Represents the primary role assigned to the subject. The primary role MUST be scoped to a group.

AttributeId
http://dci-sec.org/xacml/attribute/role/primary
DataType
http://www.w3.org/2001/XMLSchema#string
Issuer
Scope of the primary role. The Issuer value MUST have a corresponding http://dci-sec.org/xacml/attribute/group attribute value.
AttributeValue Multiplicity
1
Value
Primary role assigned to the subject. The value MUST also appear in the http://dci-sec.org/xacml/attribute/role attribute values and MUST respect the same format.

Example

<ctx:Subject>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/role/primary"
      DataType="http://www.w3.org/2001/XMLSchema#string"
      Issuer="/dteam">
    <ctx:AttributeValue>
      Tester
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Subject>

Resource Attributes

The XACML Resource element specifies information about the resource to which access is requested, by listing a sequence of attributes associated with the resource.

Resource Identifier

Identifies the computing element (CE), or a logical grouping of CEs, upon which the action to be authorized will be executed. This attribute MUST be present in a request.

Identifier
urn:oasis:names:tc:xacml:1.0:resource:resource-id
DataType
http://www.w3.org/2001/XMLSchema#string
AttributeValue Multiplicity
1
Value
Identifier of the CE, or of a logical group of CEs. It is recommended to use a URI-like identifier (e.g. http://example.org/cream-ce-1).

Example

<ctx:Resource>
  <ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <ctx:AttributeValue>
      http://example.org/ce/cream-ce-1
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Resource>

Resource Owner

Identifies the owner of the resource.

AttributeId
http://dci-sec.org/xacml/attribute/resource-owner
DataType
urn:oasis:names:tc:xacml:1.0:data-type:x500Name
AttributeValue Multiplicity
1
Value
X.509 distinguished name of the end-entity certificate owning the resource. The value MUST be in RFC2253 format.

Example

<ctx:Resource>
  <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/resource-owner"
      DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
    <ctx:AttributeValue>
      CN=Jane Doe,DC=example,DC=org
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Resource>

Comments

  • This attribute is required by UNICORE to create SPL authorization rules like:

    resource "http://myresource" {
       action "myaction" {
          rule permit {
             subject == resource-owner
          }
       }
    }

Action Attributes

The XACML Action element specifies the requested action on the resource, by listing a set of attributes associated with the action.

Action Identifier

Identifies the action being performed on the CE. This attribute MUST be present in a request.

Identifier
urn:oasis:names:tc:xacml:1.0:action:action-id
DataType
http://www.w3.org/2001/XMLSchema#string
AttributeValue Multiplicity
1
Value
Identifier of the action being performed. It is recommended to use an action identifier of the form http://dci-sec.org/xacml/action/<ACTION>, where <ACTION> names the action being performed.

Use the following value to represent ANY action: http://dci-sec.org/xacml/action/ANY

Example

<ctx:Action>
  <ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <ctx:AttributeValue>
      http://dci-sec.org/xacml/action/execute
    </ctx:AttributeValue>
  </ctx:Attribute>
</ctx:Action>
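The attribute rules stated in the Environment, Subject, Resource and Action sections above (mandatory profile-id with a fixed value, a single RFC2253 subject-id, the vo/group/role grammars, the VO prefix of every group, primary group and primary role contained in the group and role values, role Issuer matching a group, and a single resource-id and action-id) can be checked mechanically before a request is trusted by a PDP. The validator below is an added example, not code from the profile or from any EMI component. It uses only the Python standard library; the sample request is constructed here, the helper names (validate, is_rfc2253, _attrs, _single, _attr) are this example's own, and the RFC2253 check is a shallow shape test (type=value RDNs separated by unescaped commas), not a full DN parser.

```python
"""Checks an XACML 2.0 request context against the Common CE profile rules quoted
on this page. Added example: not part of the EMI profile or of any EMI software."""
import re
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context"
ATTR = "http://dci-sec.org/xacml/attribute/"
PROFILE_ID = "http://dci-sec.org/xacml/profile/common-ce/1.0"
X500 = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Grammars from the profile: vo, groupname and role share one token syntax; a group is '/'-joined groupnames.
TOKEN_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9_.-]*$")
GROUP_RE = re.compile(r"^(/[a-zA-Z0-9][a-zA-Z0-9_.-]*)+$")
# Shallow RFC 2253 shape check: RDNs separated by unescaped commas, each "type=value".
RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)=.+$")

def is_rfc2253(dn):
    return bool(dn) and all(RDN_RE.match(p.strip()) for p in re.split(r"(?<!\\),", dn))

def _attrs(root, section):
    """Map AttributeId -> list of (DataType, Issuer, values) for one context element."""
    out = {}
    for sec in root.findall(f"{{{CTX}}}{section}"):
        for a in sec.findall(f"{{{CTX}}}Attribute"):
            vals = [(v.text or "").strip() for v in a.findall(f"{{{CTX}}}AttributeValue")]
            out.setdefault(a.get("AttributeId"), []).append((a.get("DataType"), a.get("Issuer"), vals))
    return out

def _single(attrs, aid, datatype, errors, required=True):
    """Value of a multiplicity-1 attribute, or None; violations are appended to errors."""
    entries = attrs.get(aid, [])
    if not entries:
        errors += [f"{aid}: MUST be present"] if required else []
        return None
    if any(dt != datatype for dt, _i, _v in entries):
        errors.append(f"{aid}: DataType MUST be {datatype}")
    vals = [v for _d, _i, vs in entries for v in vs]
    if len(vals) != 1:
        errors.append(f"{aid}: exactly one AttributeValue expected, got {len(vals)}")
    return vals[0] if len(vals) == 1 else None

def validate(xml_text):
    """Return the list of profile violations; an empty list means the request conforms."""
    root, errors = ET.fromstring(xml_text), []
    if _single(_attrs(root, "Environment"), ATTR + "profile-id", XS_ANYURI, errors) not in (None, PROFILE_ID):
        errors.append("profile-id: value MUST be " + PROFILE_ID)
    subj = _attrs(root, "Subject")
    dn = _single(subj, SUBJECT_ID, X500, errors)
    if dn is not None and not is_rfc2253(dn):
        errors.append(f"subject-id: not RFC2253: {dn!r}")
    vos = [v for _d, _i, vs in subj.get(ATTR + "virtual-organization", []) for v in vs]
    errors += [f"virtual-organization: bad name {v!r}" for v in vos if not TOKEN_RE.match(v)]
    groups = [v for _d, _i, vs in subj.get(ATTR + "group", []) for v in vs]
    for g in groups:
        if not GROUP_RE.match(g):
            errors.append(f"group: bad path {g!r}")
        elif vos and g.split("/")[1] not in vos:  # first path element MUST be the VO name
            errors.append(f"group: first element of {g!r} is not a listed VO")
    pg = _single(subj, ATTR + "group/primary", XS_STRING, errors, required=False)
    if pg is not None and pg not in groups:
        errors.append(f"group/primary: {pg!r} MUST also appear in the group values")
    roles = {}  # Issuer (the scoping group) -> set of role names
    for _d, issuer, vs in subj.get(ATTR + "role", []):
        if issuer not in groups:
            errors.append(f"role: Issuer {issuer!r} has no matching group value")
        roles.setdefault(issuer, set()).update(vs)
        errors += [f"role: bad name {v!r}" for v in vs if not TOKEN_RE.match(v)]
    for _d, issuer, vs in subj.get(ATTR + "role/primary", []):
        if len(vs) != 1 or vs[0] not in roles.get(issuer, set()):
            errors.append(f"role/primary: {vs!r} is not a single role scoped to {issuer!r}")
    _single(_attrs(root, "Resource"), RESOURCE_ID, XS_STRING, errors)
    _single(_attrs(root, "Action"), ACTION_ID, XS_STRING, errors)
    return errors

def _attr(aid, dt, values, issuer=None):
    # Serialises one ctx:Attribute; used only to build the constructed sample below.
    body = "".join(f"<ctx:AttributeValue>{v}</ctx:AttributeValue>" for v in values)
    iss = f' Issuer="{issuer}"' if issuer else ""
    return f'<ctx:Attribute AttributeId="{aid}" DataType="{dt}"{iss}>{body}</ctx:Attribute>'

# Constructed sample request; the values are invented for this example.
SAMPLE_REQUEST = (
    f'<ctx:Request xmlns:ctx="{CTX}"><ctx:Subject>'
    + _attr(SUBJECT_ID, X500, ["CN=John Doe,DC=example,DC=org"])
    + _attr(ATTR + "virtual-organization", XS_STRING, ["atlas"])
    + _attr(ATTR + "group", XS_STRING, ["/atlas", "/atlas/analysis"])
    + _attr(ATTR + "group/primary", XS_STRING, ["/atlas/analysis"])
    + _attr(ATTR + "role", XS_STRING, ["SoftwareManager"], "/atlas/analysis")
    + _attr(ATTR + "role/primary", XS_STRING, ["SoftwareManager"], "/atlas/analysis")
    + "</ctx:Subject><ctx:Resource>" + _attr(RESOURCE_ID, XS_STRING, ["http://example.org/ce/cream-ce-1"])
    + "</ctx:Resource><ctx:Action>" + _attr(ACTION_ID, XS_STRING, ["http://dci-sec.org/xacml/action/execute"])
    + "</ctx:Action><ctx:Environment>" + _attr(ATTR + "profile-id", XS_ANYURI, [PROFILE_ID])
    + "</ctx:Environment></ctx:Request>"
)

if __name__ == "__main__":
    print(validate(SAMPLE_REQUEST) or "conforms")
```

Running the module prints "conforms" for the constructed request; editing the sample so that the role's Issuer names a group the subject is not in, or so that the profile-id value differs from the fixed URI, yields the corresponding violations. The point of checking these cross-attribute constraints at the PEP or PDP boundary is that a policy written against group or role values silently assumes them: a role whose Issuer has no matching group, or a primary group absent from the group list, would otherwise be evaluated as if it were legitimate.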

Comments

It would be nice to have some predefined action values, typically the action required for the EMI Execution Service. Due to the lack of feedback, we decided to postpone the definition of valid action values to a later time.

-- ValeryTschopp - 03-May-2011

Topic revision: r5 - 2011-10-16 - ValeryTschoppExCern