This deliverable is due by M11 of the project (i.e. end of March 2018). 

Authorisation Models for SPs

Summary

This deliverable should capture 

Working docs

Google-Doc: https://docs.google.com/document/d/1ofgSoUXI-CXO5Mqgpm-6bs_cejSdWm_wUAFcsEwbgm8


Notes for potential input:


  • JWT Shared Profile for WLCG
    Authors: M Martinez Pedreira, M Litmaath, P Millar, A Ceccanti, M Sallé, B Bockelman, H Short
    https://docs.google.com/document/d/1XQvh2dxDivUstjQaS3K6tkpLyvXlEOR4QU8YtTzDqg4/edit?usp=sharing
    Notes:
    • use it as a state-of-the-art analysis of currently used token-related authorisation model
    • extract a shared JWT profile that is interoperable across infrastructures; this doc is already aiming for a WLCG JWT profile but I don’t know if this would cover the authorisation needs of other research communities so perhaps we need to come up with a more generic shared AARC JWT interoperable profile.
    • JWT is relevant for OIDC/OAuth2 relying parties. So this doc could be used as the basis for describing the token based authorisation scheme we’re looking for in AARC since there are already real use cases for it
      (while XACML is a bit exotic - at least according to my understanding).

  • The draft text of AARC2-JRA1.2A
    Guidelines for scalable authorisation across multi-SP environments
    https://docs.google.com/document/d/17BaAp8OBUo9V3Z4iDYxfckzrEFwdIBfBrkOebp6VSIg/edit#heading=h.1cjulk67kv2d





Meetings schedule and Minutes

Date    Location    Agenda    Minutes

2018-01-30 10:00 (CET)    https://www.nikhef.nl/grid/video/?m=aarcjra1    Document Kickoff

Marcus will circulate the initial ToC on Wednesday

2018-02-13 10:00 (CET)    https://www.nikhef.nl/grid/video/?m=aarcjra1    Finalise ToC and assign writing tasks

Received a lot of input during TIIME

In the call we went through the whole ToC and discussed / updated changes

Marcus will contact authors of individual sections p2p

The call was missing contribution from:

  • EGI
  • PSNC
  • Surfnet

2018-02-20 10:00 (CET)    https://www.nikhef.nl/grid/video/?m=aarcjra1    Review Input

Most partners are contributing.

The call was missing contribution from:

  • Surfnet
  • PSNC
    Assigned writers should provide input of 5-20 lines

2018-02-22    DocFest    Discuss Evolution of document

Restructure ToC to have use-cases after basic Authorisation Patterns.

Optionally move Technology (section 4) to appendix, if it becomes too long

2018-03-06 10:00 (CET)    https://www.nikhef.nl/grid/video/?m=aarcjra1    Review Input and progress

Most input received; low attendance of partners

- We have too much schoolbook-like content in sections 2 and 4. We will shorten them dramatically and put links to Wikipedia (where we found quite some content to be copied from !!)

- @ALL: Please familiarise yourself with RFC 2753 [4], as we will use it to describe the architectures of the use-cases. (I found the introduction quite misleading. Most important are section 2 on terminology and 4 on architectures.)

- Again: The plan is to use one well-defined standard to describe all the different use-cases. In our section 5, we'll then try to put them into one big and consistent picture, just as we did for the blueprint.

- Plan for the week is that I will work on this today and tomorrow and hand things back to you by Thursday morning. We have to come to an initial draft for Tuesday's call.



2018-03-13 10:00 (CET)    https://www.nikhef.nl/grid/video/?m=aarcjra1    Review Input and progress

Marcus announces that it will be tough to keep the deadline

We decided to use the technology agnostic authorisation model (RFC2753, RFC 2904) to describe the available authorisation architectures. For this we'll request the following input from architectures:

  • Sketch of their Architecture
  • Identification of where PIP/PAP/PDP/... are located
  • Mapping PIP/PAP/PDP/... to the BPA

A Lucidchart was created: https://www.lucidchart.com/documents/edit/6982e6d3-a052-4aba-936f-188c03ba13a8/

2018-03-20 10:00 (CET)    https://www.nikhef.nl/grid/video/?m=aarcjra1    Review Input and progress

Marcus asked communities for input:

  • Elixir
  • Dariah
  • Ligo
  • EGI
  • WLCG

In the call we discussed EGI and WLCG

2018-03-27 10:00 (CET)    https://www.nikhef.nl/grid/video/?m=aarcjra1    Review Input and progress

No further input received. We discussed the input provided by Dariah and Elixir

Marcus raises the flag of being late and that we must finish before AARC AHM

2018-04-03 10:00 (CET)    https://www.nikhef.nl/grid/video/?m=aarcjra1    Review Input and progress

Marcus raises the flag of being late and that we must finish before AARC AHM; furthermore, if we won't finish before then, we need a deputy for the time until May 22nd.

All of a sudden (ToC was created back in Feb) we noticed a lack of Infrastructures. Therefore we added two Geant cases and EUDAT.

Decision of whether or not to include additional architectures was sent to Licia

=> Update: we should focus on finishing the document.

Request for input was resent to communities together with a better defined structure. We expect input until the AHM next week, so we can discuss the "Observations" section.




