Software Links
Getting Started
- Doc Structure
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- Migrating from GT2
- Migrating from GT3
Reference
- PDF version
- Best Practices
- Coding Guidelines
- API docs
- Public Interfaces
- Resource Properties
- Samples
- Glossary
- Performance Studies
Common Runtime
Security
Data Mgt
Information Svcs
Execution Mgt
Table of Contents
The Authorization Framework component provides the infrastructure to process attributes and protect resource access based on access policy. It allows for authorization policy to be configured and enforced at various levels of granularity (container, service or resource). It also provides client side authorization to allow clients to authorize the services they access.
The framework is pluggable and can be configred to use custom mechanisms for attribute collection and policy evaluation. It also provides multiple authorization module implementations, for example support for gridmap based authorization, callout module that uses the SAML protocol to query a external service for an authorization decision and such.
Features new in GT 4.1.1:
Enhanced server-side attributed-based authorization framework: The server-side authorization framework has been reworked to support attribute based authorization with delegation of rights. The framework allows for configuring a chain of Policy Information Points(PIPs) and Policy Decision Points(PDPs) and a combining alogorithm that processes the individual decisions returned by the PDPs. Some of the key changes from the previous versions are:
Authorization framework uses a set of attributes to identify entities
The authorization engine uses Java Security provider framework to allow different combining algorithms to be plugged in.
A default implementation of permit override combining algorithm, which looks for a permit decision chain, to allow for fine grained delegation of rights.
Refer Section 3, “Architecture and design overview” for detailed information on the architecture.
Host or Self Authoriation: Support for a pluggable PDP that does host authorization, and if that fails, tries self authorization.
The security descriptor framework, used to configure security properties for the security framework has been enhanced. Detailed information about the framework is provided Java WS Security Descriptor Framework
Other Supported Features
- Authorization based on
grid-mapfileand other access control lists. - Ability to implement custom authorization modules.
- A SAML callout authorization module enables outsourcing of authorization decisions to an authorization service (e.g. PERMIS).
Deprecated Features
- None
The server side authorization framework has been reworked to support attribute-based authorization. The APIs and framework have been enhanced to deal with a representation where each entity is identified by a bag of attributes.
Also the default engine used for combining the individual Policy Decision Point(PDP) decision has been changed from a deny-override algorithm to a permit override scheme that looks for a chain of delegation of rights from the resource owner to the requestor.
Refer Section 3, “Architecture and design overview” for detailed information on the architecture.
![[Note]](/docbook-images/note.gif) | Note |
|---|---|
All the PDPs that were distributed with the previous version have been ported to new framework and are supported. |
- Bug 2287: Adding exception message support for authz based on attributes other than DN
- Bug 3528: Action Operation Namespace in SAML Authorization Callout
- Bug 3606: Tests don't work with host authorization setup
- Bug 4079: Issuer of attributes should be an entity attribute.
- Bug 4441: Permit Override provider does not filter up the deny exceptions.
- Bug 4535: Client security descriptor does not allow for GSI Transport configuration
- Bug 4572: Decision object should have getter for notBefore/notAfter
- Bug 4837: Username/Password PDP not working
- Bug 4893: Improve Parameter PIP test
The following problems and limitations are known to exist for WS Authorization Framework. at the time of the 4.1.1 release:
The WS Authentication and Authorization component depends on the following GT components:
- WS Authentication and Authorization Message-Level Security
The WS Authentication and Authorization component depends on the following 3rd party software:
- OpenSAML
Tested Platforms for WS Authorization Framework:
- Linux (Red Hat 7.3)
- Windows 2000
- Solaris 9
Associated standards for WS Authentication and Authorization Framework:
See Authorization Framework for more information about this component.