[ggf-ogsa-sec-wg] Re: [AuthZ] question on AuthZ specification
Richard,
It is possible to use the current spec to specify particular tables in a
RDBMS, or indeed specific columns, by simply making the resource URI
more specific, and then saying in the policy which groups of users can
access each specific resource. Of course this might make the policy more
verbose, but it is a work around. The alternative would be to state who
could access the entire database, and then have conditional clauses
based on the parameters of the request, where the parameters specify
particular columns or tables. But this would require a change to the
Authz spec in order to specify parameters of the actions. I am not
opposed to such a change to the spec.
Regards,
David
> Richard Sinnott wrote:
>
> Hello All,
> a quick question. I would have raised this at the AuthZ meeting here
> at GGF but had a clash with the Life Science Grid meeting.
>
> Is there a reason for the restriction in the Use of SAML for OGSA
> Authorisation specification? Specifically in section 6.1
> AuthorizationDecisionQuery Element and 6.1.3 Action Element. Why is
> "action element" restricted to the name of the operation only and not
> on possible parameters associated with it.
>
> We have a DB2 data repository containing various public, shared
> (secure) and private data sets for our life science VO. We would like
> to be able to offer Grid services making use of this resource, e.g.
> a GT3 based BLAST service. Now we want to be able to restrict usage of
> this BLAST resource to the VO members based on the data they want to
> BLAST against, e.g. they can BLAST against the public data, but
> authorisation decisions are needed if they want to BLAST against some
> of the shared/private data sets. Right now, I do not see how to
> support this with the current spec. I'd like a BLAST service which had
> for example a parameter identifying the DB2 user view (nickname) of
> the data sets that they are allowed to see.
>
> Comments?
>
> Rich
> --
> Dr Richard Sinnott
> Technical Director National eScience Centre
> University of Glasgow, Glasgow G12 8QQ, Scotland
> Email: ros@dcs.gla.ac.uk Mob: +44-(0)7952-376627
> Tel: +44-(0)141-330--8606/Fax: --8625
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351 Fax +44 1484 532930
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@salford.ac.uk
Home Page: http://www.salford.ac.uk/its024/chadwick.htm
Research Web site: http://sec.isi.salford.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
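To make David's workaround concrete, here is an added example (not code from this thread or from any OGSA/SAML implementation) that evaluates a SAML-style AuthorizationDecisionQuery, i.e. subject groups plus a Resource URI plus an Action name, against a policy whose resources are DB2 data sets encoded as increasingly specific URIs. The `urn:x-vo:` scheme, group names and data set names are placeholders constructed for the example.

```python
"""Resource-URI refinement as a stand-in for action parameters.

Instead of passing the data set as a parameter of the 'blast' action (which
the Action element cannot carry), each data set is its own Resource URI and
the policy names the groups allowed to act on it.  All identifiers below are
constructed placeholders, not real VO or database names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    resource_prefix: str   # a Resource URI, or a prefix covering a whole subtree
    action: str            # SAML Action element: the operation name only
    groups: frozenset      # subject attribute values this rule permits


# Constructed policy for a BLAST service over a DB2 repository.
POLICY = [
    Rule("urn:x-vo:db2/public",        "blast", frozenset({"vo-member"})),
    Rule("urn:x-vo:db2/shared/cancer", "blast", frozenset({"cancer-team"})),
    Rule("urn:x-vo:db2/private/lab42", "blast", frozenset({"lab42"})),
]


def _covers(prefix: str, resource: str) -> bool:
    """Match whole URI segments only, so 'db2/public' never covers 'db2/publicX'."""
    return resource == prefix or resource.startswith(prefix + "/")


def decide(subject_groups: set, resource: str, action: str) -> str:
    """Return 'Permit' or 'Deny' for one AuthorizationDecisionQuery.

    Only the most specific rule for this action (longest matching prefix)
    is consulted, so a broad grant on urn:x-vo:db2/public cannot leak into a
    more specific private view that has its own rule.  A URI covered by no
    rule at all is denied by default.
    """
    matching = [r for r in POLICY
                if r.action == action and _covers(r.resource_prefix, resource)]
    if not matching:
        return "Deny"
    best = max(matching, key=lambda r: len(r.resource_prefix))
    return "Permit" if subject_groups & best.groups else "Deny"


if __name__ == "__main__":
    print(decide({"vo-member"}, "urn:x-vo:db2/public/genbank", "blast"))
    print(decide({"vo-member"}, "urn:x-vo:db2/private/lab42/view7", "blast"))
```

The policy grows by one rule per data set, which is the verbosity David mentions; the trade-off is that the PDP needs no knowledge of BLAST's parameters at all.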