Difference between revisions of "Virtual Organisation Management"

From Gcube Wiki
Jump to: navigation, search
(Authentication components)
 
(10 intermediate revisions by 3 users not shown)
Line 1: Line 1:
The Virtual Organisation Management (VO-Management) subsystem provides security-related components to implement the [[gCube Security Model]]. The VO-Management subsystem is part of the [[GCube Infrastructure Enabling Services]], and its main aim is to enable the controlled sharing of gCube resources within a gCube infrastructure.
+
<!-- CATEGORIES -->
Two main functionalities are provided by the VO-Management to a gCube infrastructure to control resource sharing: Authentication of interacting entities, and Authorisation of required actions. Components related to these two functionalities are briefly introduced below.
+
[[Category: Developer's Guide]]
 +
<!-- CATEGORIES -->
  
=== Authentication components ===
+
The Virtual Organisation Management (VO-Management) subsystem provides gCube security-related components. It is part of the [[GCube Infrastructure Enabling Services]], and its main aim is to enable the controlled sharing of gCube resources within a gCube infrastructure. The components implement '''Security As A Service''' Model (''Secaas'') and are based on ''Service Oriented Authorization, Authentication and Accounting'' (SOA3) framework.
As introduced in the [[gCube Security Model]], authentication-related components provides gCube users and Running Instances with credentials to operate in the infrastructure. The following picture shows main relations among authentication components.
+
  
<center>[[Image:CredentialManagement.jpg|500px]]</center>
+
GCube security model is based on the ''application of security policies for limiting the accessing to services''. Basing on this statement, the main entities characterising the security domain are the following:
 +
* '''Actors''', i.e. the ''subjects'' to be authenticated and authorized. In the most of cases they are the ''human users'' registered on IMarine Portal or on Federated domains. In other cases the ''subjects'' are services that have to perform some batch operations by using any associated identity: in these cases the credentials are X509 Certificates and the authorization policies are based on the attributes of associated service profiles
 +
* '''Actions''', i.e. the ''operations'' that the ''subjects'' can or cannot perform. In IMarine context they are ''service categories'', defined by service name and service class: this means that groups of users (or services) can be authorized to use some ''service categories'' 
 +
* '''Resources''', i.e. the ''objects'' of authorization queries, in other words on ''what'' the ''subject'' can or cannot perform the ''operation''. In IMarine context ''resources'' are ''service instances'', i.e. the actual deployment of the service on a certain node. A service instance is identified by the attributes of the Node on which it is deployed.
 +
* '''Policies''', i.e. the statements defining which ''service instances'' a certain ''subject'' can use.
  
In the diagram above, following authentication components have been created as part of the gCube VO-Management services:
+
The detailed description of the subsystem is on [[Data e-Infrastructure Policy-oriented Security Facilities]] page, where the links to the main functionalities
  
* [[VOMS-API_v3|VOMS-API]] - this library enable interaction with the MyProxy<ref name="MYPROXY">http://grid.ncsa.uiuc.edu/myproxy/</ref> credentials repository, to retrieve user's credentials. This component is typically used by the portal to load user credentials when the user logs in a VRE.
+
* [[SOA3_Authentication_Module|Authentication]]
* [[VO-Management_Delegation|Delegation]] - this service provides credentials for gCube Running Instances. Credentials are needed by RIs to be authenticated to other gCube RIs. The set of credentials provided to RI depends on the security configuration of the Service the RI is instance of.
+
* [[VO-Management_CredentialsRenewal|Credentials Renewal]] - this service interacts with the Delegation service to delegate user's credentials to RI on a given node, when these credentials are needed to perform background operations.
+
  
=== Authorization model ===
+
* [[SOA3_Authorization_Module|Authorization]]
The authorisation model described in the gCube Security Model is implemented by the following set of components, as shown in the diagram below.
+
  
<center>[[Image:Authorisation.jpg|500px]]</center>
+
* [[Resource_Accounting|Accounting]]
  
In the diagram above, following authorisation components have been created as part of the gCube VO-Management services:
+
* [[SOA3_User_Management_Module|User Management]]
  
* [[VOMS-API_v3|VOMS-API]] - beside provisioning of user's credentials, the VOMS-API library also allows for the management of user membership and roles in Virtual Organisations. The VOMS-API relies on VOMS as the backend service to store VO-related information.
+
are presented.
* Authorisation Service - this service is in charge to store authorisation policies and provide services with authorisation decisions. The authorisation service is still under development, and it will be integrated in future gCube releases.
+

Latest revision as of 11:20, 4 December 2013


The Virtual Organisation Management (VO-Management) subsystem provides gCube security-related components. It is part of the GCube Infrastructure Enabling Services, and its main aim is to enable the controlled sharing of gCube resources within a gCube infrastructure. The components implement Security As A Service Model (Secaas) and are based on Service Oriented Authorization, Authentication and Accounting (SOA3) framework.

GCube security model is based on the application of security policies for limiting the accessing to services. Basing on this statement, the main entities characterising the security domain are the following:

  • Actors, i.e. the subjects to be authenticated and authorized. In the most of cases they are the human users registered on IMarine Portal or on Federated domains. In other cases the subjects are services that have to perform some batch operations by using any associated identity: in these cases the credentials are X509 Certificates and the authorization policies are based on the attributes of associated service profiles
  • Actions, i.e. the operations that the subjects can or cannot perform. In IMarine context they are service categories, defined by service name and service class: this means that groups of users (or services) can be authorized to use some service categories
  • Resources, i.e. the objects of authorization queries, in other words on what the subject can or cannot perform the operation. In IMarine context resources are service instances, i.e. the actual deployment of the service on a certain node. A service instance is identified by the attributes of the Node on which it is deployed.
  • Policies, i.e. the statements defining which service instances a certain subject can use.

The detailed description of the subsystem is on Data e-Infrastructure Policy-oriented Security Facilities page, where the links to the main functionalities

are presented.