ConsideredURFieldsSubjectID
Version 1 (Jon Kerr Nilsen, 08/08/2012 05:04 AM)
h1. List of fields considered for the subject identity block of the usage record

The following fields are considered for inclusion in a subject identity block in a usage record. Each resource will have its own specific block. This specific block is reserved for the attributes that describe the record identity.

----

h2. SubjectIdentityBlock

This is the block property of the Subject identity.

Example
<pre>
<ur:SubjectIdentityBlock>
<!-- Identity properties go in here -->
</ur:SubjectIdentityBlock>
</pre>

h3. Comments:

Ralph: ok
Mike J: OK, but perhaps need some more detail: what can we expect to see in this block
<pre>
<IdentityBlock>
<anonymous/>
<DN authorisation="true">string</DN>
<uid>n</uid>
<ip authorisation="false">n.n.n.n</ip>
...
</IdentityBlock>
</pre>

----

h2. UserIdentity or GlobalUsername

This property is part of the SubjectIdentityBlock and describes the global identity of the user accountable for the resource consumption. The property should identify the user globally, such that clashes do not happen accidentally (e.g., it could be an X.509 identity).

Example
<pre>
<ur:UserIdentity>/O=Grid/OU=example.org/CN=John Doe</ur:UserIdentity>
</pre>

h3. Comments:

Ralph: ok - other possible name GlobalUserId, I would prefer equivalent names local vs global (e.g. LocalUserId - GlobalUserId or LocalUser - GlobalUser)
Mike J: Not sure this is useful outside one specific domain: see example in Identity block comment -- other possibility:
<pre>
<UserIdentity type="IGTFDN" authorised="true" scope="global">/O=Grid/OU=example.org/CN=John Doe</UserIdentity>
<UserIdentity type="LDAPUsername" scope="site">
<UserIdentity type="system" scope="local">
</pre>
etc.
There will be multiple identifiers on the system and in some cases multiple ways to _login_, and those login IDs may be permanently linked or not, e.g. leased.

----

h2. Group or GlobalGroup

This property is part of the SubjectIdentityBlock and describes the global group accountable for the resource consumption. The property should identify the group globally, such that clashes do not happen accidentally (e.g., using an FQDN to construct it; in Grid terms, this would typically be the VO name).

Example
<pre>
<ur:Group>binarydataproject.example.org</ur:Group>
</pre>

h3. Comments:

Ralph: ok - see comment on UserIdentity
Mike J: OK but see comments on UserIdentity!

----

h2. GroupAttribute or GlobalGroupAttribute

This property is part of the SubjectIdentityBlock and describes supplemental traits of the group property, e.g., sub-groups, role or authority. This makes it possible to account for segments of a group, while still being able to account for the group as a whole.

Example
<pre>
<ur:GroupAttribute ur:attributeType="role">production</ur:GroupAttribute>
<ur:GroupAttribute ur:attributeType="subgroup">analysis</ur:GroupAttribute>
<ur:GroupAttribute ur:attributeType="authority">/O=Grid/OU=example.org/CN=host/auth.example.org</ur:GroupAttribute>
</pre>

h3. Comments:

Ralph: ok
Mike J: Not sure about this; in the VOMS case, if you have all the FQANs and you know based upon which FQAN that usage was authorized, that should be sufficient.
The authority attribute however might be useful for auditing purposes.

----

h2. AuthorityType

This property is part of the IdentityBlock and describes the type of authority that identified the user, e.g., CA, Shibboleth, etc.

Example
<pre>
<ur:AuthorityType>CA</ur:AuthorityType>
</pre>

h3. Comments:


----

h2. AuthorityID

This property is part of the SubjectIdentityBlock and identifies the authority which issued the user's credentials, e.g., INFN-CA, etc.

Example
<pre>
<ur:AuthorityID>INFN-CA</ur:AuthorityID>
</pre>

h3. Comments:


----

h2. WhereTheUserCameFrom

This property is part of the SubjectIdentityBlock and identifies the machine from which the user accessed the remote resource, e.g., IP address, hostname, etc.

Example
<pre>
<ur:WhereTheUserCameFrom>156.156.156.156</ur:WhereTheUserCameFrom>
</pre>

h3. Comments:

Jon: Not sure where this came from. If still needed, I guess the name could be better.

----

h2. issuer

This property denotes who issued the user's certificate.

h3. Comments:

----

Mike: Suggest a mockup for the wiki: The following is an example straw-man of what I would like to see (it is not agreed nor a summary of the above)
<pre>
<usage>
<recordIdentity>
<creationTime>[When the record is cut]</creationTime>
<recordID>[unique opaque ID]</recordID>
<recorderID type="DN">[DN of host cutting the record]</recorderID> ||
<recorderID type="IP">[IP address of host cutting the record]</recorderID>
</recordIdentity>
<identity>
<!-- There may be other examples of the following. One of the following needs to have an attribute defining that it was used for authorisation -->
<Id individual="true" type="anonymous"/> ||
<Id individual="true" type="DN" scope="global|local">[DN]</userId>?
<Id individual="true" type="IP" scope="global|local">[IP]</userId>?
<Id individual="true" type="UID" scope="site|local">[ID]</userId>?

<ID individual="false" type="GID" scope="site|local">[ID]</groupID>?
<ID individual="false" type="VOMS">
<authority type="DN">[VOMS AC Issuer/Server certificate]</authority>
<method>AC|List|SAML</method>
</groupID>
<ID individual="false" type="GID" scope="site|local">[GID]</groupID>
<ID individual="false" type="IP" scope="local|global">
<IP mask="255.255.0.0">[IP]</IP>+
</groupID>
</identity>
...
</usage>
</pre>

----

h2. ALL OK:

----

h2. LocalUser or LocalUserId

This attribute property of the Usage Record is part of the IdentityBlock and identifies the local user (e.g., a Unix user).

Example
<pre>
<ur:LocalUser>johndoe</ur:LocalUser>
</pre>

h3. Comments:

Ralph: ok
Mike J: OK

----

h2. LocalGroup or LocalGroupId

This attribute property of the Usage Record is part of the IdentityBlock and identifies the local group (e.g., a Unix group).

Example
<pre>
<ur:LocalGroup>binarydataproject</ur:LocalGroup>
</pre>

h3. Comments:

Ralph: ok
Mike J: OK

----
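As an added example (not code from this wiki page or from any usage record implementation), the following Python parses a SubjectIdentityBlock built from the ur: element names discussed in the sections above and checks the accountability intent those sections state: some user identity must be present, a global UserIdentity should be a DN with a known issuing AuthorityID, and a global Group should be FQDN-qualified. The namespace URI and the DN/FQDN heuristics are assumptions of this example.

```python
import xml.etree.ElementTree as ET

UR_NS = "urn:example:ur"      # placeholder namespace URI (assumed, not from the page)
NS = {"ur": UR_NS}

# Constructed sample block using the ur: element names discussed on this page.
SAMPLE = f"""<ur:SubjectIdentityBlock xmlns:ur="{UR_NS}">
  <ur:UserIdentity>/O=Grid/OU=example.org/CN=John Doe</ur:UserIdentity>
  <ur:Group>binarydataproject.example.org</ur:Group>
  <ur:GroupAttribute ur:attributeType="role">production</ur:GroupAttribute>
  <ur:GroupAttribute ur:attributeType="subgroup">analysis</ur:GroupAttribute>
  <ur:AuthorityType>CA</ur:AuthorityType>
  <ur:AuthorityID>INFN-CA</ur:AuthorityID>
  <ur:LocalUser>johndoe</ur:LocalUser>
  <ur:LocalGroup>binarydataproject</ur:LocalGroup>
</ur:SubjectIdentityBlock>"""


def parse_subject_identity(xml_text):
    """Return the block's fields as a dict; missing elements map to None."""
    root = ET.fromstring(xml_text)

    def text(tag):
        el = root.find(f"ur:{tag}", NS)
        return el.text.strip() if el is not None and el.text else None

    # GroupAttribute may repeat; key the values by their ur:attributeType.
    attrs = {}
    for el in root.findall("ur:GroupAttribute", NS):
        kind = el.get(f"{{{UR_NS}}}attributeType")
        attrs.setdefault(kind, []).append((el.text or "").strip())
    return {"user": text("UserIdentity"), "group": text("Group"),
            "group_attributes": attrs, "authority_type": text("AuthorityType"),
            "authority_id": text("AuthorityID"), "local_user": text("LocalUser"),
            "local_group": text("LocalGroup")}


def check_accountability(ident):
    """List the ways a block fails to attribute usage unambiguously (empty = OK).
    The DN and FQDN tests are this example's heuristics, not rules of the spec."""
    problems = []
    if not ident["user"] and not ident["local_user"]:
        problems.append("no user identity at all: usage cannot be attributed")
    if ident["user"] and not ident["user"].startswith("/"):
        problems.append("UserIdentity is not a DN: global uniqueness not guaranteed")
    if ident["group"] and "." not in ident["group"]:
        problems.append("Group is not FQDN-qualified: names may clash across domains")
    if ident["user"] and not ident["authority_id"]:
        problems.append("global UserIdentity without AuthorityID: issuer unknown")
    return problems
```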