This information is for a release that is no longer supported by the Globus Toolkit. The currently supported versions of the Globus Toolkit are 4.2 (recommended) and 4.0.
CAS: Key Concepts
Overview
Building on the Globus Toolkit™ Grid Security Infrastructure (GSI), CAS allows resource providers to specify coarse-grained access control policies in terms of communities as a whole, delegating fine-grained access control policy management to the community itself.
Resource providers maintain ultimate authority over their resources but are spared day-to-day policy administration tasks (e.g. adding and deleting users, modifying user privileges).
CAS: Process
How it works:
- A CAS server is initiated for a community: a community representative acquires a GSI credential to represent that community as a whole, and then runs a CAS server using that community identity.
- Resource providers grant privileges to the community. Each resource provider verifies that the holder of the community credential represents that community and that the community's policies are compatible with the resource provider's own policies. Once a trust relationship has been established, the resource provider then grants rights to the community identity, using normal local mechanisms (e.g. gridmap files and disk quotas, filesystem permissions, etc.).
- Community representatives use the CAS to manage the community's trust relationships (e.g., to enroll users and resource providers into the community according to the community's standards) and grant fine-grained access control to resources. The CAS server is also used to manage its own access control policies; for example, community members who have the appropriate privileges may authorize additional community members to manage groups, grant permissions on some or all of the community's resources, etc.
- When a user wants to access resources served by the CAS, that user makes a request to the CAS server. If the CAS server's database indicates that the user has the appropriate privileges, the CAS issues the user a GSI restricted proxy credential with an embedded policy giving the user the right to perform the requested actions.
- The user then uses the credentials from the CAS to connect to the resource with any normal Globus tool (e.g. GridFTP). The resource then applies its local policy to determine the amount of access granted to the community, and further restricts that access based on the policy in the CAS credentials. This serves to limit the user's privileges to the intersection of those granted by the CAS to the user and those granted by the resource provider to the community.
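The two-layer decision described in the steps above (the CAS checks its own database before issuing a restricted proxy, and the resource then allows only what both its local community policy and the embedded CAS policy permit) is modelled in the following added example. It is illustrative code written for this page, not part of the Globus Toolkit; the distinguished names, paths and rights are constructed, and real CAS policies are carried as SAML assertions inside a GSI proxy rather than as the Python objects used here.

```python
"""Toy model of the CAS authorization flow (constructed example, not Globus code).

Two independent policy layers are evaluated:
  1. The resource provider's local policy grants rights to the community identity.
  2. The CAS-issued restricted proxy carries a policy granting rights to the user.
A request succeeds only if BOTH layers allow it, i.e. the intersection.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Right:
    action: str       # e.g. "read", "write"
    path_prefix: str  # scope of the right, matched as a path prefix

    def covers(self, action: str, path: str) -> bool:
        """True if this right authorizes `action` on `path` (prefix match on path components)."""
        if self.action != action:
            return False
        base = self.path_prefix.rstrip("/")
        return path == base or path.startswith(base + "/")


@dataclass(frozen=True)
class RestrictedProxy:
    """Stand-in for the GSI restricted proxy: who issued it, for whom, and the embedded policy."""
    community_dn: str
    user_dn: str
    policy: FrozenSet[Right]


class CasServer:
    """Holds the community's fine-grained policy database (constructed data)."""

    def __init__(self, community_dn: str) -> None:
        self.community_dn = community_dn
        self.db: Dict[str, Set[Right]] = {}

    def grant(self, user_dn: str, right: Right) -> None:
        self.db.setdefault(user_dn, set()).add(right)

    def request_credential(self, user_dn: str, requested: Set[Right]) -> Optional[RestrictedProxy]:
        """Issue a restricted proxy only if every requested right is recorded for the user."""
        held = self.db.get(user_dn, set())
        if not requested <= held:
            return None  # CAS refuses: user lacks at least one requested right
        return RestrictedProxy(self.community_dn, user_dn, frozenset(requested))


class Resource:
    """Resource provider: maps community identities to rights granted by local mechanisms."""

    def __init__(self) -> None:
        self.local_policy: Dict[str, Set[Right]] = {}

    def grant_community(self, community_dn: str, right: Right) -> None:
        self.local_policy.setdefault(community_dn, set()).add(right)

    def authorize(self, proxy: RestrictedProxy, action: str, path: str) -> bool:
        """Allow only if the community may do it locally AND the CAS policy grants it to the user."""
        community_rights = self.local_policy.get(proxy.community_dn, set())
        allowed_locally = any(r.covers(action, path) for r in community_rights)
        allowed_by_cas = any(r.covers(action, path) for r in proxy.policy)
        return allowed_locally and allowed_by_cas


def run_scenario() -> Dict[str, object]:
    """Build a constructed community/resource pair and exercise the intersection rule."""
    community = "/O=Example/CN=physics-community"  # hypothetical community DN
    alice, bob = "/O=Example/CN=alice", "/O=Example/CN=bob"  # hypothetical user DNs

    resource = Resource()  # provider grants the whole community read/write under /data/physics
    resource.grant_community(community, Right("read", "/data/physics"))
    resource.grant_community(community, Right("write", "/data/physics"))

    cas = CasServer(community)  # community narrows alice to one run, plus a path the provider never granted
    cas.grant(alice, Right("read", "/data/physics/runA"))
    cas.grant(alice, Right("write", "/data/physics/runA"))
    cas.grant(alice, Right("read", "/archive"))

    proxy = cas.request_credential(alice, set(cas.db[alice]))
    assert proxy is not None
    return {
        "alice_read_runA": resource.authorize(proxy, "read", "/data/physics/runA/file1"),
        "alice_write_runA": resource.authorize(proxy, "write", "/data/physics/runA/file1"),
        "alice_read_runB": resource.authorize(proxy, "read", "/data/physics/runB/file1"),  # CAS never granted runB
        "alice_read_archive": resource.authorize(proxy, "read", "/archive/old.dat"),       # provider never granted /archive
        "bob_credential": cas.request_credential(bob, {Right("write", "/data/physics")}),  # not in CAS database
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The `alice_read_runB` and `alice_read_archive` cases are the ones worth studying: each is permitted by exactly one layer and refused by the other, which is the intersection property the last step describes. A resource operator checking a CAS deployment can reason the same way: a right that appears only in the proxy's embedded policy, or only in the local gridmap and filesystem permissions, grants nothing on its own.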
CAS: Graphic Overview
Licensing Considerations
This version of CAS uses the OASIS Security Assertion Markup Language (SAML) standard. Users should be aware that RSA Security has identified four patents it believes could be relevant to implementing certain operational modes of the SAML specifications. The Globus Alliance has established a license agreement with RSA covering usage of SAML in the Globus Toolkit; however, users who redistribute SAML-enabled portions of the Globus Toolkit or use SAML-enabled portions in their own applications should understand the issue and may want to obtain a royalty-free license from RSA.
For information regarding the patent claims and a royalty-free reciprocal license to the RSA patents, see: http://www.rsasecurity.com/solutions/standards/saml
For sublicense rights to the RSA patents under the Globus Toolkit Public License, click here.
