List of fields considered for the subject identity block of the usage record
The following fields are considered for inclusion in a subject identity block in a usage record. Each resource will have its own specific block. This block is reserved for the attributes that describe the record's identity.
SubjectIdentityBlock
This is the block property of the Subject identity.
Example
<ur:SubjectIdentityBlock> <!-- Identity properties go in here --> </ur:SubjectIdentityBlock>
Comments:
Ralph: ok
Mike J: OK, but perhaps need some more detail: what can we expect to see in this block?
<IdentityBlock>
  <anonymous/>
  <DN authorisation="true">string</DN>
  <uid>n</uid>
  <ip authorisation="false">n.n.n.n</ip>
  ...
</IdentityBlock>
UserIdentity or GlobalUsername
This property is part of the SubjectIdentityBlock and describes the global identity of the user accountable for the resource consumption. The property should identify the user globally, so that clashes do not happen accidentally (e.g. it could be an X.509 identity).
Example
<ur:UserIdentity>/O=Grid/OU=example.org/CN=John Doe</ur:UserIdentity>
Comments:
Ralph: ok - other possible name GlobalUserId, I would prefer equivalent names local vs global (e.g. LocalUserId - GlobalUserId or LocalUser - GlobalUser)
Mike J: Not sure this is useful outside one specific domain: see example in Identity block comment -- other possibility:
<UserIdentity type="IGTFDN" authorised="true" scope="global">/O=Grid/OU=example.org/CN=John Doe</UserIdentity>
<UserIdentity type="LDAPUsername" scope="site">...</UserIdentity>
<UserIdentity type="system" scope="local">...</UserIdentity>
etc.
There will be multiple identifiers on the system and in some cases multiple ways to login, and those login IDs may be permanently linked or not e.g. leased
Group or GlobalGroup
This property is part of the SubjectIdentityBlock and describes the global group accountable for the resource consumption. The property should identify the group globally, so that clashes do not happen accidentally (e.g. by using a FQDN to construct it; in Grid terms, this would typically be the VO name).
Example
<ur:Group>binarydataproject.example.org</ur:Group>
Comments:
Ralph: ok - see comment on UserIdentity
Mike J: OK but see comments on useridentity!
GroupAttribute or GlobalGroupAttribute
This property is part of the SubjectIdentityBlock and describes supplemental traits of the group property, e.g. sub-groups, roles or authority. This makes it possible to account for segments of a group, while still being able to account for the group as a whole.
Example
<ur:GroupAttribute ur:attributeType="role">production</ur:GroupAttribute>
<ur:GroupAttribute ur:attributeType="subgroup">analysis</ur:GroupAttribute>
<ur:GroupAttribute ur:attributeType="authority">/O=Grid/OU=example.org/CN=host/auth.example.org</ur:GroupAttribute>
Comments:
Ralph: ok
Mike J: Not sure about this; in the VOMS case, if you have all the FQANs and you know based upon which FQAN that usage was authorized, that should be sufficient.
The authority attribute however might be useful for auditing purposes.
AuthorityType
This property is part of the IdentityBlock and describes the authority type that identified the user, e.g. CA, Shibboleth, etc.
Example
<ur:AuthorityType>CA</ur:AuthorityType>
Comments:
AuthorityID
This property is part of the SubjectIdentityBlock and identifies the authority which issued the user's credentials, e.g. INFN-CA.
Example
<ur:AuthorityID>INFN-CA</ur:AuthorityID>
Comments:
WhereTheUserCameFrom
This property is part of the SubjectIdentityBlock and identifies the machine from which the user accessed the remote resource, e.g. by IP address or hostname.
Example
<ur:WhereTheUserCameFrom>156.156.156.156</ur:WhereTheUserCameFrom>
Comments:
Jon: Not sure where this came from. If still needed, I guess the name could be better.
issuer
This property denotes who issued the user's certification.
Comments:
---
Mike: Suggest a mockup for the wiki: The following is an example straw-man of what I would like to see (it is not agreed nor a summary of the above)
<usage>
  <recordIdentity>
    <creationTime>[When the record is cut]</creationTime>
    <recordID>[unique opaque ID]</recordID>
    <recorderID type="DN">[DN of host cutting the record]</recorderID> || <recorderID type="IP">[IP address of host cutting the record]</recorderID>
  </recordIdentity>
  <identity>
    <!-- There may be other examples of the following. One of the following needs to have an attribute defining that it was used for authorisation -->
    <Id individual="true" type="anonymous"/> ||
    <Id individual="true" type="DN" scope="global|local">[DN]</Id>?
    <Id individual="true" type="IP" scope="global|local">[IP]</Id>?
    <Id individual="true" type="UID" scope="site|local">[ID]</Id>?
    <ID individual="false" type="GID" scope="site|local">[ID]</ID>?
    <ID individual="false" type="VOMS">
      <authority type="DN">[VOMS AC Issuer/Server certificate]</authority>
      <method>AC|List|SAML</method>
    </ID>
    <ID individual="false" type="GID" scope="site|local">[GID]</ID>
    <ID individual="false" type="IP" scope="local|global">
      <IP mask="255.255.0.0">[IP]</IP>+
    </ID>
  </identity>
  ...
</usage>
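The straw-man's comment states the one rule an accounting system must be able to enforce: among the identities listed, exactly one has to be marked as the one used for authorisation, otherwise the record cannot be unambiguously charged. The following is an added example of such a check, not part of this page or of any agreed schema. Assumptions: the identity elements are spelled Id throughout (the sketch mixes Id and ID), the authorising identity is flagged with authorised="true" as in Mike J's UserIdentity alternative above, the allowed type/scope pairs are exactly those written in the sketch, and the sample record is constructed.

```python
"""Validate the <identity> list of the straw-man usage record.

Added example; not the working group's code. The element spelling (Id),
the authorised="true" flag and the type/scope table are assumptions taken
from the sketch and the comments on this page.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Allowed scope values per identity type, from the "scope=" alternatives in
# the sketch. An empty set means the sketch gives that type no scope attribute.
ALLOWED_SCOPES = {
    "anonymous": set(),
    "DN": {"global", "local"},
    "IP": {"global", "local"},
    "UID": {"site", "local"},
    "GID": {"site", "local"},
    "VOMS": set(),
}

# Constructed sample following the sketch; all values are made up.
SAMPLE_IDENTITY = """
<identity>
  <Id individual="true" type="DN" scope="global" authorised="true">/O=Grid/OU=example.org/CN=John Doe</Id>
  <Id individual="true" type="UID" scope="local">1001</Id>
  <Id individual="false" type="GID" scope="local">1001</Id>
  <Id individual="false" type="IP" scope="local">
    <IP mask="255.255.0.0">156.156.0.0</IP>
  </Id>
</identity>
"""


def validate_identity(xml_text):
    """Return a list of problems found in an <identity> block; empty means acceptable."""
    root = ET.fromstring(xml_text)
    if root.tag != "identity":
        return [f"unexpected root element <{root.tag}>"]
    problems = []
    ids = root.findall("Id")
    if not ids:
        problems.append("identity block contains no Id elements")

    # The record must say which identity authorised the usage: exactly one.
    authorised = [e for e in ids if e.get("authorised") == "true"]
    if len(authorised) != 1:
        problems.append(f'exactly one Id must carry authorised="true", found {len(authorised)}')

    for n, e in enumerate(ids):
        where = f"Id[{n}]"
        if e.get("individual") not in ("true", "false"):
            problems.append(f'{where}: individual must be "true" or "false"')
        t = e.get("type")
        if t not in ALLOWED_SCOPES:
            problems.append(f"{where}: unknown type {t!r}")
            continue
        scope = e.get("scope")
        if ALLOWED_SCOPES[t] and scope not in ALLOWED_SCOPES[t]:
            problems.append(f"{where}: scope {scope!r} not allowed for type {t}")

        if t == "VOMS":
            # The sketch gives a VOMS group an <authority> and a <method> child.
            method = (e.findtext("method") or "").strip()
            if method not in ("AC", "List", "SAML"):
                problems.append(f"{where}: VOMS method must be AC, List or SAML, got {method!r}")
            if e.find("authority") is None:
                problems.append(f"{where}: VOMS identity needs an <authority> element")
        elif t == "IP" and e.get("individual") == "false":
            # A group of hosts is expressed as one or more <IP mask="..."> children.
            nets = e.findall("IP")
            if not nets:
                problems.append(f"{where}: group IP identity needs at least one <IP mask=...> child")
            for net in nets:
                try:
                    # Default strict=True rejects an address with host bits set under the mask.
                    ipaddress.IPv4Network(f"{(net.text or '').strip()}/{net.get('mask', '')}")
                except ValueError as exc:
                    problems.append(f"{where}: bad IP/mask: {exc}")
        elif t != "anonymous" and not (e.text or "").strip():
            problems.append(f"{where}: empty value for type {t}")
    return problems


if __name__ == "__main__":
    print(validate_identity(SAMPLE_IDENTITY) or "identity block acceptable")
```

Rejecting a record with zero or several authorised identities at ingest is what keeps later aggregation honest: once such a record is in the store, nothing downstream can tell which party to charge.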
ALL OK:
LocalUser or LocalUserId
This attribute property of the Usage Record is part of the IdentityBlock and identifies the local user (e.g. a Unix user).
Example
<ur:LocalUser>johndoe</ur:LocalUser>
Comments:
Ralph: ok
Mike J: OK
LocalGroup or LocalGroupId
This attribute property of the Usage Record is part of the IdentityBlock and identifies the local group (e.g. a Unix group).
Example
<ur:LocalGroup>binarydataproject</ur:LocalGroup>
Comments:
Ralph: ok
Mike J: OK
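Taken together, the fields above (UserIdentity, Group, GroupAttribute, AuthorityType, AuthorityID, LocalUser, LocalGroup) describe one SubjectIdentityBlock. The following parser is an added example of how a consumer would normalise such a block, not the working group's code or a reference implementation. Assumptions: the namespace URI urn:example:usage-record is a placeholder for the ur: prefix, which the page never resolves; the sample block is constructed from the per-field examples above; and the structural rules applied (each text field at most once and non-empty, ur:attributeType required on every GroupAttribute) are sensible consumer checks, not agreed schema constraints.

```python
"""Parse a SubjectIdentityBlock into a plain Python structure.

Added example; not part of the working-group page or any OGF reference
implementation. The namespace URI is an assumed placeholder and the sample
block is constructed from the field examples on the page.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed placeholder: the page shows only the "ur:" prefix, never its URI.
UR_NS = "urn:example:usage-record"
NS = {"ur": UR_NS}

# Constructed sample assembled from the per-field examples on this page.
SAMPLE_BLOCK = f"""
<ur:SubjectIdentityBlock xmlns:ur="{UR_NS}">
  <ur:UserIdentity>/O=Grid/OU=example.org/CN=John Doe</ur:UserIdentity>
  <ur:Group>binarydataproject.example.org</ur:Group>
  <ur:GroupAttribute ur:attributeType="role">production</ur:GroupAttribute>
  <ur:GroupAttribute ur:attributeType="subgroup">analysis</ur:GroupAttribute>
  <ur:GroupAttribute ur:attributeType="authority">
    /O=Grid/OU=example.org/CN=host/auth.example.org
  </ur:GroupAttribute>
  <ur:AuthorityType>CA</ur:AuthorityType>
  <ur:AuthorityID>INFN-CA</ur:AuthorityID>
  <ur:LocalUser>johndoe</ur:LocalUser>
  <ur:LocalGroup>binarydataproject</ur:LocalGroup>
</ur:SubjectIdentityBlock>
"""

# Single-valued text fields defined on the page, keyed by the attribute we store them in.
FIELD_MAP = {
    "user_identity": "UserIdentity",   # global identity, e.g. an X.509 DN
    "group": "Group",                  # global group, e.g. the VO name
    "authority_type": "AuthorityType", # kind of authority that identified the user
    "authority_id": "AuthorityID",     # which authority issued the credentials
    "local_user": "LocalUser",         # local (Unix) user
    "local_group": "LocalGroup",       # local (Unix) group
}


@dataclass
class SubjectIdentity:
    """Normalised view of one SubjectIdentityBlock."""
    user_identity: Optional[str] = None
    group: Optional[str] = None
    authority_type: Optional[str] = None
    authority_id: Optional[str] = None
    local_user: Optional[str] = None
    local_group: Optional[str] = None
    # GroupAttribute values keyed by ur:attributeType; a type may repeat.
    group_attributes: Dict[str, List[str]] = field(default_factory=dict)


def _single_text(block, name):
    """Stripped text of the single ur:<name> child, None if absent; duplicates and empties are errors."""
    found = block.findall(f"ur:{name}", NS)
    if len(found) > 1:
        raise ValueError(f"{name} must occur at most once, found {len(found)}")
    if not found:
        return None
    text = (found[0].text or "").strip()
    if not text:
        raise ValueError(f"{name} is present but empty")
    return text


def parse_subject_identity(xml_text):
    """Parse one SubjectIdentityBlock document; raises ValueError on structural problems."""
    block = ET.fromstring(xml_text)
    if block.tag != f"{{{UR_NS}}}SubjectIdentityBlock":
        raise ValueError(f"unexpected root element {block.tag}")
    ident = SubjectIdentity(**{attr: _single_text(block, name) for attr, name in FIELD_MAP.items()})
    for ga in block.findall("ur:GroupAttribute", NS):
        # The attribute is namespaced on the page (ur:attributeType), so look it up that way.
        attr_type = ga.get(f"{{{UR_NS}}}attributeType")
        if not attr_type:
            raise ValueError("GroupAttribute without ur:attributeType")
        ident.group_attributes.setdefault(attr_type, []).append((ga.text or "").strip())
    return ident


def validation_error(xml_text):
    """Return the rejection reason for a block, or None if it parses cleanly."""
    try:
        parse_subject_identity(xml_text)
    except (ValueError, ET.ParseError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_subject_identity(SAMPLE_BLOCK))
```

The namespace check on the root and on ur:attributeType matters in practice: an unnamespaced attributeType would silently be ignored by a namespace-aware consumer, and the role or authority it carried would never reach the accounting side.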