Charter for OGSA-AUTHZ-WG
Date 2013-05-22
Group Abbreviation:
OGSA-Authz-WG
Group Name:
OGSA Authorization WG
Area:
Security
Group Leadership:
| David Chadwick | d.w.chadwick@kent.ac.uk | Chair |
| Valerio Venturi | valerio.venturi@cnaf.infn.it | Chair |
Group Summary:
The objective of the OGSA Authorization WG is to define the specifications needed to allow for interoperability and pluggability of authorization components from multiple authorization domains in the OGSA framework. There are a number of authorization systems emerging in the Grid today (Akenti, Cardea, CAS, PERMIS, VOMS, XACML, etc.); these specifications will allow these solutions to be used interchangeably with middleware that requires authorization functionality.
This group will leverage authorization work that is ongoing in the Web services world (e.g. SAML, XACML, the WS Security suite) and define specifications for how these should be used for Grid services.
Charter Focus/Purpose and Scope:
The working group previously focused on creating a simple specification for PEP-PDP interactions, based on the SAML protocol, that allowed basic access control decisions to be made by a third-party PDP. This addressed the immediate community needs. Experience with this specification has led to more advanced features being required, such as obligations, decisions based on action parameters, policy management, dynamic delegation of authority, attribute schema exchanges, etc.
The working group will produce its deliverables in an incremental fashion, working in an evolutionary delivery mode. It will produce small sets of highest priority deliverables in a relatively short time frame, and then determine what the next set should be once the previous set is nearing completion. The charter will continually be revised to reflect the current small set of deliverables. This is so that the WG is never overstretched with too many deliverables at any one point in time.
Exit Strategy:
Completion of a set of deliverables and no further set requested.
Goals/Deliverables:
Title: Use of SAML for OGSI Authorization
Abstract: This document defines an Open Grid Services Infrastructure (OGSI) authorization service based on the use of the Security Assertion Markup Language (SAML) as a format for requesting and expressing authorization assertions. Defining standard formats for these messages allows for pluggability of different authorization systems using SAML.
Type: Experimental Document
| Milestone | Date (YYYY-MM) | Completed? | Completed Date (YYYY-MM) |
| First Draft | | Yes | |
| Public Comment | | Yes | |
| Publication | 2006-03 | Yes | 2006-03 |
Title: Use of XACML Request Context to access a PDP
Abstract: The purpose of this document is to specify a protocol for accessing a Policy Decision Point (PDP) by a Grid Policy Enforcement Point (PEP) in order to obtain access control decisions. The protocol is a profile of XACML.
Type: Recommendation Document
| Milestone | Date (YYYY-MM) | Completed? | Completed Date (YYYY-MM) |
| First Draft | 2006-03 | Yes | 2006-03 |
| Public Comment | 2007-03 | | |
| Publication | 2008-03 | | |
Title: OGSA Attribute Exchange Profile
Abstract: This document presents a specification for an Attribute Exchange Profile based on the use of the Security Assertion Markup Language (SAML) as a format for requesting and asserting attributes.
Type: Recommendation Document
| Milestone | Date (YYYY-MM) | Completed? | Completed Date (YYYY-MM) |
| First Draft | 2007-10 | Yes | 2007-10 |
| Public Comment | 2008-02 | | |
| Publication | | | |
Title: Use of WS-Trust and SAML to access a CVS
Type: Recommendation Document
| Milestone | Date (YYYY-MM) | Completed? | Completed Date (YYYY-MM) |
| First Draft | 2006-04 | Yes | 2006-04 |
| Public Comment | 2008-2 | | |
| Publication | | | |
Seven Questions:
1. Is the scope of the proposed group sufficiently focused?
2. Are the topics that the group plans to address clear and relevant for the Grid research, development, industrial, implementation, and/or application user community?
3. Will the formation of the group foster (consensus-based) work that would not be done otherwise?
4. Do the group's activities overlap inappropriately with those of another OGF group or to a group active in another organization such as IETF or W3C?
5. Are there sufficient interest and expertise in the group's topic, with at least several people willing to expend the effort that is likely to produce significant results over time?
6. Does a base of interested consumers (e.g., application developers, Grid system implementers, industry partners, end-users) appear to exist for the planned work?
7. Does the OGF have a reasonable role to play in the determination of the technology?
Group Status:
Active
Public Description (for print & web site):
The objective of the OGSA Authorization WG is to define the specifications needed to allow for interoperability and pluggability of authorization components from multiple authorization domains in the OGSA framework. There are a number of authorization systems emerging in the Grid today (Akenti, Cardea, CAS, PERMIS, VOMS, XACML, etc.); these specifications will allow these solutions to be used interchangeably with middleware that requires authorization functionality.
This group will leverage authorization work that is ongoing in the Web services world (e.g. SAML, XACML, the WS Security suite) and define specifications for how these should be used for Grid services.