The Authorization Framework component provides a framework for container-level authorization. It allows chains of authorization modules with well-defined interfaces to be associated with various entities (e.g. services) in the container. It also provides multiple authorization module implementations, for example support for gridmap-based authorization and a callout module that uses the SAML protocol to query an external service for an authorization decision.
Features new in GT 4.1.0:
Enhanced server-side attribute-based authorization framework: The server-side authorization framework has been reworked to support attribute-based authorization with delegation of rights. The framework allows for configuring a chain of Policy Information Points (PIPs) and Policy Decision Points (PDPs) and a combining algorithm that processes the individual decisions returned by the PDPs. Some of the key changes from the previous versions are:
- The authorization framework uses a set of attributes to identify entities.
- The authorization engine uses the Java Security provider framework to allow different combining algorithms to be plugged in.
- A default implementation of the permit-override combining algorithm, which looks for a chain of permit decisions, to allow for fine-grained delegation of rights.
Refer to the Architecture and Design Overview for detailed information on the architecture.
Host or Self Authorization: Support for a pluggable PDP that does host authorization and, if that fails, tries self authorization.
The security descriptor framework, used to configure security properties for the security framework, has been enhanced. Detailed information about the framework is provided in Section 1, “Introduction”.
Other Supported Features
- Authorization based on grid-mapfile and other access control lists.
- Ability to implement custom authorization modules.
- A SAML callout authorization module enables outsourcing of authorization decisions to an authorization service (e.g. PERMIS).
Deprecated Features
- None
The server side authorization framework has been reworked to support attribute-based authorization. The APIs and framework have been enhanced to deal with a representation where each entity is identified by a bag of attributes.
Also, the default engine used for combining the individual Policy Decision Point (PDP) decisions has been changed from a deny-override algorithm to a permit-override scheme that looks for a chain of delegation of rights from the resource owner to the requestor.
Refer to Architecture and design overview in the Developer's Guide for more detailed information.
| Note |
|---|
| All the PDPs that were distributed with the previous version have been ported to the new framework and are supported. |
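To make the change described above concrete (a permit-override engine that searches for a chain of delegated rights from the resource owner to the requestor, with entities identified by attribute bags), here is an added illustrative sketch in Python. It is not Globus Toolkit code: the names `Decision`, `Pdp` and `permit_override`, the rule format and the sample entities are all assumptions made for the example.

```python
from collections import deque
from enum import Enum

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not_applicable"

class Pdp:
    """Toy Policy Decision Point (assumed name). A rule (issuer, subject, action)
    means "issuer grants subject the right to perform action"."""
    def __init__(self, name, permits=(), denies=()):
        self.name, self.permits, self.denies = name, set(permits), set(denies)

    def decide(self, issuer, subject, action):
        rule = (issuer, subject, action)
        return (Decision.DENY if rule in self.denies else
                Decision.PERMIT if rule in self.permits else Decision.NOT_APPLICABLE)

def permit_override(pdps, entities, owner, requestor, action):
    """Breadth-first search for a chain of PERMIT links from the resource owner to
    the requestor; a DENY blocks only its link and is reported if no chain exists."""
    parent, frontier, denies = {owner: None}, deque([owner]), []
    while frontier:
        issuer = frontier.popleft()
        if issuer == requestor:                      # chain found: walk it back
            chain = []
            while issuer is not None:
                chain.append(issuer)
                issuer = parent[issuer]
            return Decision.PERMIT, chain[::-1], denies
        for subject in entities:
            if subject in parent:                    # already reached (no cycles)
                continue
            for pdp in pdps:                         # any PDP may supply the link
                d = pdp.decide(issuer, subject, action)
                if d is Decision.DENY:
                    denies.append((pdp.name, issuer, subject))
                elif d is Decision.PERMIT:
                    parent[subject] = issuer
                    frontier.append(subject)
                    break
    return (Decision.DENY if denies else Decision.NOT_APPLICABLE), [], denies

OWNER = frozenset({("dn", "/O=Grid/CN=owner")})   # constructed sample entities (attribute bags)
ADMIN = frozenset({("dn", "/O=Grid/CN=vo-admin"), ("role", "admin")})
ALICE = frozenset({("dn", "/O=Grid/CN=alice")})
ENTITIES = [OWNER, ADMIN, ALICE]
PDPS = [Pdp("gridmap", permits={(OWNER, ADMIN, "read")}),   # owner -> admin -> alice chain
        Pdp("saml-callout", permits={(ADMIN, ALICE, "read")}, denies={(OWNER, ALICE, "read")})]
```

Calling `permit_override(PDPS, ENTITIES, OWNER, ALICE, "read")` yields a permit with the chain owner, admin, alice even though one PDP denies a direct owner-to-alice grant; under the old deny-override scheme that single deny would have won.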
- Bug 2287: Adding exception message support for authz based on attributes other than DN
- Bug 3528: Action Operation Namespace in SAML Authorization Callout
- Bug 3606: Tests don't work with host authorization setup
- Bug 4079: Issuer of attributes should be an entity attribute.
- Bug 4441: Permit Override provider does not filter up the deny exceptions.
The following problems and limitations are known to exist for the WS Authorization Framework at the time of the 4.1.0 release:
The WS Authentication and Authorization component depends on the following GT components:
- WS Authentication and Authorization Message-Level Security
The WS Authentication and Authorization component depends on the following 3rd party software:
- OpenSAML
Tested Platforms for WS Authorization Framework:
- Linux (Red Hat 7.3)
- Windows 2000
- Solaris 9
Protocol changes in the Authorization Framework since GT 4.0.2
- Addition of the SAML authorization callout
API changes since GT 4.0.2
- None
Exception changes since GT 4.0.2
- None
Schema changes since GT 4.0.2
- None
Associated standards for WS Authentication and Authorization Framework:
See Authorization Framework for more information about this component.