"Seegrid will be due for a migration to confluence on the 1st of August. Any update on or after the 1st of August will NOT be migrated"

APAC Project Requirements


AAA (Authorisation, Authentication and Accounting)

Back to ApacProjectRequirements

Use Cases

  • APAC-AAA-UseCaseDiagram1.gif:
    APAC-AAA-UseCaseDiagram1.gif


CRC's



SERVICE COLLABORATOR
User Authentication (Document: Authorisation Policy)
User Account Management Job Submission Service




Sequence Diagrams




  • APAC-AA001-SeqDiagram.GIF:
    APAC-AA001-SeqDiagram.GIF


  • APAC-AA006-SeqDiagram.GIF:
    APAC-AA006-SeqDiagram.GIF


  • APAC-AA007-SeqDiagram.GIF:
    APAC-AA007-SeqDiagram.GIF



Functional Requirements



Requirements from Use Cases:
Req Sub Req1 Sub Req2 Child Of Requirement Comment
AA001       Log into the System User must be able to log into the system in a secure fashion
  AA002   AA001 Obtain a grid Proxy User must be able to obtain a grid proxy that will enable them access to the grid for a specified amount of time based on their user type, requirements and the Grid policies
  AA003   AA001 Upload Credentials User must be able to upload their credentials in a secure fashion to authenticate themselves to the Grid
  AA004   AA001 Enter Username and Password User must be able to enter a username and password (Note: pending on AA technique used)
AA005       User Administration An APAC administrator (user) must be able to perform basic administration tasks on users in the Grid
  AA006   AA001 Add User The APAC administrator must be able to add new users to the system and allocate them access to system resources based on their usertype and requirements
  AA007   AA001 Modify user The APAC administrator must be able to modify user settings, for example upgrade or downgrade their user types, rescind access to various services/resources
  AA008   AA001 Enable/Disable User The APAC administrator must be able to enable/disable users
  AA009   AA001 Manage VOs The APAC administrator must be able manage VOs (add, modify, delete)
  AA010   AA001 Maintain User Account The APAC administrator must be able to maintain user accounts and perform general maintenance on the accounts
AA011       Log Out User must be able to securely end their session with the Grid
AA012       Maintain Credentials User's must be functionalities available to them to maintain and manage their credentials on the grid, this will include uploading credentials, removing them and updating them
AA013       View User Account User must be able to view their user account, which will detail (among other things) usertype, access permissions, accounting information, useage etc)



Authorisation Policy:

  • Users may be members of any number of VOs
  • A resource can participate in one or more VO
  • User may have any number of roles within a given VO
  • VOs must be able to specify membership policy
  • A user’s VO membership must remain confidential
  • A resource owner must be able to allow authorisation by VO and VO role membership
  • It should be possible to list resources and actions to which a VO member or role has access
  • It should be possible to list resources to which a VO member or role has access to carry out specific actions
  • Authorisation decisions must be consistent within a VO
  • It must be possible to disable a users VO authorisation
  • The VO must be able to specify security requirements on any resource for specific roles
  • A user must be able to select and deselect VOs and roles
  • It must be possible to assign job priorities within resources
  • User priorities, provide different levels of access
  • Ability to integrate with GSI
  • Authorisation maintained and controlled by the Resource layer of the grid
  • no or mimimal modification required by existing components to adopt the service
  • Should be manageable and maintainable
  • reliable and scalable


(Ref - EU DataGrid WP6 2002 ; Foster, Kesselman, and Tuecke)

Auditing (Accounting):

  • Must be able to track the resource used by each job
  • Store info in a persistent data store for later retrieval
  • By utilizing the query interface, managers should be able to produce reports detailing the system resources used by users and projects on their systems over arbitrary time intervals.
  • Track/audit all resources including licence usage
  • Provide audit logging facility



Non-Functional Requirements



  • The AAA Service must be scalable, manageable, preferably under control of the resource end, minimal intervention at the portal end, ability to utilise existing Access Control Models, Ability to integrate with GSI, Future integration capabilities with other Grid related applications
  • Possibly using one of the following models CAS, VOMS, PERMIS, Shibboleth

  • Authentication must be supported (based on GSI).
  • Authorisation - possibly a role-based community authorisation model which the VO decides the roles of users, the rights associated with each role, and the degree of delegation allowed.
  • Auditing must be supported. Must be tamperproof.


Related Works and Documents




Preliminary Discussions



Requirements: (Draft)

-- RyanFraser - 23 Feb 2005

Must be scable, manageable, preferably under control of the resource end, minimal intervention at the data portal end, ability to utilise existing Access Control Models, Ability to integrate with GSI, Future integration capabilities with other Grid related applications
CAS – community authorisation Service
VOMS – virtual organistation management
PERMIS - Role based Privilege Management Infrastructure

- GSI delegation- users maintain a proxy certificate in a MyProxy Server repository.

  • gsi-proxy-arch.GIF:
    gsi-proxy-arch.GIF

-- RyanFraser - 15 Feb 2005



-- RyanFraser - 14 Mar 2005
Topic attachments
I Attachment Action Size Date Who Comment
APAC-AA001-SeqDiagram.GIFGIF APAC-AA001-SeqDiagram.GIF manage 6.5 K 04 Apr 2005 - 16:46 RyanFraser  
APAC-AA006-SeqDiagram.GIFGIF APAC-AA006-SeqDiagram.GIF manage 6.0 K 04 Apr 2005 - 16:46 RyanFraser  
APAC-AA007-SeqDiagram.GIFGIF APAC-AA007-SeqDiagram.GIF manage 6.3 K 04 Apr 2005 - 16:46 RyanFraser  
APAC-AAA-UseCaseDiagram1.gifgif APAC-AAA-UseCaseDiagram1.gif manage 15.0 K 18 Mar 2005 - 15:29 RyanFraser  
gsi-proxy-arch.GIFGIF gsi-proxy-arch.GIF manage 11.5 K 14 Mar 2005 - 09:54 RyanFraser  
Topic revision: r12 - 15 Oct 2010, UnknownUser
 

Current license: All material on this collaboration platform is licensed under a Creative Commons Attribution 3.0 Australia Licence (CC BY 3.0).