[occi-wg] Renaming the "Link" base type
csom at interface.hu
Thu Oct 7 05:48:42 CDT 2010
The challenge is the ownership information. To put it simply: OCCI may lack authz but I think it cannot lack
ownership information. That is, it must handle identity information during resource creation. I didn't have
time to read through authentication, yet. So my question is:
Does OCCI receive identity information on resource creation?
(1) Authorization relies on ownership information (besides others), it must link cloud resources and users.
Without the knowledge of ownership no authz could ever work.
(2) Question: who will record ownership information? If OCCI does this I have no question. However
if it doesn't, then the external system must do this.
(3) Question: How will an external system record ownership information? I see 2 basic scenarios (though
others might be possible as well):
(a) An external (proxy-like) system receives the create request first which is then forwarded to OCCI. In this case
the external system must be OCCI-aware in order to extract ownership information. But can we expect from a
generic authz system to do this? I would say no. Generic authz systems are generic not OCCI-specific:)
(b) OCCI receives the create requests first, in this case OCCI must be aware of the identity in order to push
ownership information to the authz system.
Hence in either case OCCI must deal with identity/ownership: either record it or pass it through.
Note that this is just a quick analysis :)
From: Edmonds, AndrewX [andrewx.edmonds at intel.com]
Sent: October 7, 2010 0:57
To: Ralf Nyren; Csom Gyula; occi-wg at ogf.org
Subject: RE: [occi-wg] Renaming the "Link" base type
Yes - really OCCI will not define authorization or anything AAA/IdM but merely expose a way, by extension, to point/discover to such systems at most.
From: occi-wg-bounces at ogf.org [mailto:occi-wg-bounces at ogf.org] On Behalf Of Ralf Nyren
Sent: Wednesday, October 06, 2010 5:08 PM
To: Csom Gyula; occi-wg at ogf.org
Subject: Re: [occi-wg] Renaming the "Link" base type
Authorization will likely not make it to the first version of OCCI.
Authentication will be available though. You are however free to implement
"users" as a sub-type of Resource and then use ResourceLink to associate
users with resources.
On Wed, 06 Oct 2010 17:01:11 +0200, Csom Gyula <csom at interface.hu> wrote:
> Do you plan to add authorization support to the protocol? That is, will
> OCCI handle users and
> ownership information? Just because ownership means a "link" from a
> resource pointing to a
> From: occi-wg-bounces at ogf.org [occi-wg-bounces at ogf.org];
> on behalf of: Ralf Nyren [ralf at nyren.net]
> Sent: October 6, 2010 16:33
> To: occi-wg at ogf.org
> Subject: [occi-wg] Renaming the "Link" base type
> It is easy to confuse the OCCI "Link" base type with HTTP "Link Header"
> and the general term of linking.
> Therefore it was proposed during today's conf call to rename the base
> "Link" to "ResourceLink". That way we let the name make clear what the
> Link is used for, i.e. linking Resources.
> Would appreciate your comments. Deadline is on Friday.
> regards, Ralf
> occi-wg mailing list
> occi-wg at ogf.org