Changes between Version 2 and Version 3 of MashMyData


Timestamp: 05/07/10 10:49:15
Author: pjkersha
Comment: --

  • MashMyData

    v2 v3  
    1313== Solutions for Access Control == 
    1414 1. Static PKI based: No delegation, services authenticate with other services based on their static PKI based credentials. 
    15    * Pros: simple, will work with the current ESG security infrastructure 
    16    * Cons: no concept of delegation, a given service A accessed by another B has no idea who the user is who service A is acting on behalf of.  It only knows the identity of A.  Consequently authorisation policy can only be coarse grained. 
     15   * '''Pros''': simple, will work with the current ESG security infrastructure 
     16   * '''Cons''': no concept of delegation, a given service A accessed by another B has no idea who the user is who service A is acting on behalf of.  It only knows the identity of A.  Consequently authorisation policy can only be coarse grained. 
    1717 1. [http://www.ietf.org/rfc/rfc3820.txt Proxy certificates]: There are different ways of implementing this: 
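Review bot: The '''Cons''' line stops at "authorisation policy can only be coarse grained" without spelling out what that means for the services: because B sees only A's identity, whatever B grants to A is in effect granted to every user A acts for, so A has to be provisioned with the least privilege its whole user base needs and its service credential becomes a high-value secret. One sentence to that effect would make the comparison with the delegation options below fairer.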
    18    i. With !MyProxy: use !MyProxy as a credential store.  The portal uploads a user credential to (a) !MyProxy server(s) which services can access on the users behalf and use to obtain delegated user credentials in order to access other secured services.  - Service A, is trusted by the !MyProxy server C.  Before accessing service B, it requests a delegated user credential from C.  It uses the user credential to access service B. 
     18   i. [wiki:MashMyData/MyProxy MyProxy Based]: use [http://grid.ncsa.illinois.edu/myproxy/ MyProxy] as a credential store.  The portal uploads a user credential to (a) !MyProxy server(s) which services can access on the users behalf and use to obtain delegated user credentials in order to access other secured services.  - Service A, is trusted by the !MyProxy server C.  Before accessing service B, it requests a delegated user credential from C.  It uses the user credential to access service B. 
    1919   i. Without !MyProxy: the principle of services obtaining delegated credentials remains the same but there is no !MyProxy server to acts as a broker of user credentials 
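Review bot: The new [wiki:MashMyData/MyProxy MyProxy Based] line links the design page but still leaves the retrieval policy implicit: it says service A "is trusted by the !MyProxy server C" without saying what C checks before it issues a delegated credential (A's own certificate, a per-user or per-service policy, or both) or how long that delegated credential is valid. Those two details bound what a misbehaving or compromised service can do with a stored user credential, so they belong here or on the linked page. The trailing fragment " - Service A, is trusted by the !MyProxy server C." also reads better as its own sentence ("For example, service A is trusted by ...").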
    20    * Pros: Well tried and tested solution in the Grid community, enables integration with other Grids.  ESG Security already supports PKI based authentication, but, 
    21    * Cons: Currently no ESG Java implementation to support authentication using proxy certificates.  A filter would need to be implemented.  CEDA's Python implementation ''does'' already support proxy certificates. 
     20   * '''Pros''': Well tried and tested solution in the Grid community, enables integration with other Grids.  ESG Security already supports PKI based authentication, but, 
     21   * '''Cons''': Currently no ESG Java implementation to support authentication using proxy certificates.  A filter would need to be implemented.  CEDA's Python implementation ''does'' already support proxy certificates. 
    2222 1. OAuth: 
    2323
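Review bot: The modified '''Pros''' line still ends with a dangling "but," so it reads as if text was lost between the Pros and Cons bullets; either complete the sentence or fold the caveat into the '''Cons''' line, e.g. "ESG Security already supports PKI based authentication, but there is currently no ESG Java implementation that accepts proxy certificates." The Cons line should also say where the proposed filter would sit (the Java services, the portal, or both), since that is the work item this option adds.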