[cas-dev] Can CAS grant, permissionsataservice/operationlevelwithview/execute actions mappings ? [Fwd: BOUNCE cas-dev at globus.org: Non-member submission from [Karen Loughran <k.loughran at qub.ac.uk>]]

Frank Siebenlist franks at mcs.anl.gov
Fri Aug 18 12:33:38 CDT 2006


Hi Karen,

I apologize for not noticing earlier, but I'm afraid that your previous
postings were "eaten" by our cas-dev email-list-manager program without
making it to the list itself...

If people are not list members, then the posting is bounced, and a
"BOUNCE"-notification is sent to the list owner, which is me. In
theory, I should then be able to repost it and notify you.

In any case, it didn't work, as this BOUNCED message ended up with the
gazillion SPAM messages that are randomly sent to all existing mailing
lists and fill up my mailbox.

All a long story to explain why I didn't read your Q about the CAS trust
models, and thanks to Rachana for bugging me about why I didn't reply ;-)

So... you asked:

> On another unrelated issue; we have a trust model which we want to
> implement and we are wondering what future plans CAS might have to
> support trust models between organisations.
>
> Is there any documentation or written information on where CAS is going
> with trust models?
>
> We are interested in models of trust between organisations,
> asymmetric/symmetric trust relationships...
>
> For example, A, B and C are companies. If B trusts A, can C trust A
> (transitive)?
>
> A might trust B completely but B only partially trusts A (symmetric).

We do not have anything written down about where we may want to take our
CAS trust models.

Your examples sound intriguing, but I'm not sure if I understand
them completely.

For example:

Suppose a user and the CAS server live within organization A,
and the resource service lives in organization B,
then CAS-A will issue an assertion that user is allowed to access
resource-B:
<cas-A: user-A can access resource-B>
the policy of resource-B needs a statement that empowers cas-a to
administer the access rights:
<org-B: cas-A can administer access-rights for resource-B>
such that both policy statements chain and reduce to:
<org-B: user-A can access resource-B>

If we introduce a third organization C,
and we like to outsource the policy management to A,
then currently, resource-C requires a policy statement:
<org-C: cas-A can administer access-rights for resource-C>
which is identical to the setting for org-B

What you are proposing is that organization C doesn't necessarily know
or trust organization A directly, but could derive its trust
transitively through organization B.
Essentially you would then need the following three assertions to chain:
<org-C: if org-B allows cas-A to administer access-rights for
resource-B, then cas-A can administer access-rights for resource-C>
<org-B: cas-A can administer access-rights for resource-B>
<cas-A: user-A can access resource-C>

Does this reflect your use case correctly?

If so, then there are a number of practical issues.
First of all, right now the trust that an organization has in a foreign
cas identity is not exposed, meaning that this policy is only used
locally within that organization. Even the foreign cas service doesn't
have this assertion as it doesn't need it: it's a one-way dependency.
Theoretically, we could probably make it available for other
organizations, in the form of another SAML-authz-assertion, though.
Second, the policy statement:
<org-C: if org-B allows cas-A to administer access-rights for
resource-B, then cas-A can administer access-rights for resource-C>
is very complicated...
maybe it could be simplified by:
<org-C: if org-B allows cas-A to administer access-rights for any
resource within B, then cas-A can administer access-rights for resource-C>
but even then we do not have any policy language out-of-the-box that
could express that.

We could simplify further by:
<org-C: org-B can administer access-rights for resource-C>
<org-B: cas-A can administer access-rights for resource-C>
<cas-A: user-A can access resource-C>
or even:
<org-C: org-B can access resource-C>
<org-B: cas-A can access resource-C>
<cas-A: user-A can access resource-C>

where the last statements could be expressed and evaluated by existing
languages like the SAML authz-decision statements.

Does this discussion reflect your use cases?

Regards, Frank.

-- 
Frank Siebenlist               franks at mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
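The chains of policy statements Frank sketches above (owner org trusts a foreign CAS to administer a resource, that CAS asserts a user may access it, and the three-organization variants) can be evaluated mechanically. The following is an added example written for this archive page; it is not Globus or CAS code and does not use the SAML assertion format. It models each statement as `<issuer: subject can <right> resource>` with the two rights used in the mail, "administer" and "access", and resolves a chain to a fixed point starting from the resource's owning organization (the assumed root of trust for that resource). The `access_delegates` switch models the "or even" chain where every hop only says "can access". The principal names (org-B, cas-A, user-A, resource-C) are the ones from the mail; the original "if org-B allows cas-A ... for resource-B, then ..." conditional statement is deliberately not modelled, since, as Frank notes, no off-the-shelf policy language expresses it.

```python
"""Toy evaluator for chained authorization assertions.

Added example for the cas-dev discussion; not Globus/CAS code.
Each assertion reads <issuer: subject can <right> resource>, with
right in {"administer", "access"}.  The owning organization of a
resource is the root of trust for statements about that resource.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    issuer: str
    subject: str
    right: str       # "administer" or "access"
    resource: str

    def __str__(self):
        verb = "administer access-rights for" if self.right == "administer" else "access"
        return f"<{self.issuer}: {self.subject} can {verb} {self.resource}>"


def resolve(assertions, owner, resource, access_delegates=False):
    """Return (administrators, accessors) for `resource`.

    administrators: principals whose statements about the resource are
      trusted, seeded with the owning organization and extended by every
      'administer' statement issued by an already-trusted principal.
    accessors: subjects of 'access' statements issued by a trusted principal.
    With access_delegates=True an 'access' grant also makes its subject a
    trusted issuer, so a chain of plain 'can access' statements resolves.
    Iterates to a fixed point so statement order does not matter.
    """
    trusted = {owner}
    accessors = set()
    changed = True
    while changed:
        changed = False
        for a in assertions:
            if a.resource != resource or a.issuer not in trusted:
                continue  # statements about other resources, or from untrusted issuers, are ignored
            if a.right == "administer" and a.subject not in trusted:
                trusted.add(a.subject)
                changed = True
            elif a.right == "access":
                if a.subject not in accessors:
                    accessors.add(a.subject)
                    changed = True
                if access_delegates and a.subject not in trusted:
                    trusted.add(a.subject)
                    changed = True
    return trusted, accessors


def can_access(assertions, owner, user, resource, access_delegates=False):
    """True if the chain rooted at `owner` grants `user` access to `resource`."""
    return user in resolve(assertions, owner, resource, access_delegates)[1]


# --- Constructed scenarios mirroring the mail -------------------------------

# Two organizations: org-B trusts cas-A to administer resource-B.
TWO_ORG = [
    Assertion("org-B", "cas-A", "administer", "resource-B"),
    Assertion("cas-A", "user-A", "access", "resource-B"),
]

# Three organizations, the simplified 'administer' chain through org-B.
THREE_ORG_ADMIN = [
    Assertion("org-C", "org-B", "administer", "resource-C"),
    Assertion("org-B", "cas-A", "administer", "resource-C"),
    Assertion("cas-A", "user-A", "access", "resource-C"),
]

# Three organizations, the 'or even' chain of plain access statements.
THREE_ORG_ACCESS = [
    Assertion("org-C", "org-B", "access", "resource-C"),
    Assertion("org-B", "cas-A", "access", "resource-C"),
    Assertion("cas-A", "user-A", "access", "resource-C"),
]

# cas-A speaks about resource-C, but org-C never said it trusts cas-A.
NO_LOCAL_TRUST = [
    Assertion("cas-A", "user-A", "access", "resource-C"),
]


if __name__ == "__main__":
    for name, chain, owner, res in [
        ("two-org", TWO_ORG, "org-B", "resource-B"),
        ("three-org admin chain", THREE_ORG_ADMIN, "org-C", "resource-C"),
        ("three-org access chain", THREE_ORG_ACCESS, "org-C", "resource-C"),
        ("no local trust", NO_LOCAL_TRUST, "org-C", "resource-C"),
    ]:
        print(f"{name}: user-A -> {res}: "
              f"strict={can_access(chain, owner, 'user-A', res)} "
              f"delegating={can_access(chain, owner, 'user-A', res, True)}")
        for a in chain:
            print("   ", a)
```

The "no local trust" scenario shows the one-way dependency Frank describes: cas-A's assertion alone never reduces to `<org-C: user-A can access resource-C>`, because the statement that empowers cas-A lives only in org-C's local policy and must be present there. The access-only chain resolves only when access grants are treated as re-delegable, which is a policy decision the resource owner has to make explicitly.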

-------------- next part --------------
An embedded message was scrubbed...
From: owner-cas-dev at globus.org
Subject: BOUNCE cas-dev at globus.org: Non-member submission from [Karen Loughran <k.loughran at qub.ac.uk>]
Date: Wed, 16 Aug 2006 08:42:55 -0500 (CDT)
Size: 1270
URL: <http://lists.globus.org/pipermail/cas-dev/attachments/20060818/f34ab89e/attachment.mht>


More information about the cas-dev mailing list