This is a static archive of the previous Open Grid Forum Redmine content management system saved from host redmine.ogf.org file /projects/ur-wg/wiki/ConsideredURFieldsSubjectID/annotate/1 at Fri, 04 Nov 2022 15:15:48 GMT UR WG - Open Grid Forum

ConsideredURFieldsSubjectID

Version 1 (Jon Kerr Nilsen, 08/08/2012 05:04 AM)

h1. List of fields considered for the subject identity block of the usage record

The following fields are considered for inclusion in a subject identity block in a usage record. Each resource will have its own specific block. This specific block is reserved for the attributes that describe the record identity.

----

h2. SubjectIdentityBlock

This is the block property of the Subject identity.

Example
<pre>
<ur:SubjectIdentityBlock>
  <!-- Identity properties go in here -->
</ur:SubjectIdentityBlock>
</pre>

h3. Comments:

Ralph: ok
Mike J: OK, but perhaps need some more detail: what can we expect to see in this block
<pre>
<IdentityBlock>
  <anonymous/>
  <DN authorisation="true">string</DN>
  <uid>n</uid>
  <ip authorisation="false">n.n.n.n</ip>
  ...
</IdentityBlock>
</pre>

----

h2. UserIdentity or GlobalUsername

This property is part of the SubjectIdentityBlock and describes the global identity of the user accountable for the resource consumption. The property should identify the user globally, so that clashes do not happen accidentally (e.g. it could be an X.509 identity).

Example
<pre>
<ur:UserIdentity>/O=Grid/OU=example.org/CN=John Doe</ur:UserIdentity>
</pre>

h3. Comments:

Ralph: ok - other possible name GlobalUserId, I would prefer equivalent names local vs global (e.g. LocalUserId - GlobalUserId or LocalUser - GlobalUser)
Mike J: Not sure this is useful outside one specific domain: see example in Identity block comment -- other possibility:
<pre>
<UserIdentity type="IGTFDN" authorised="true" scope="global">/O=Grid/OU=example.org/CN=John Doe</UserIdentity>
<UserIdentity type="LDAPUsername" scope="site">[username]</UserIdentity>
<UserIdentity type="system" scope="local">[username]</UserIdentity>
</pre>
etc.
There will be multiple identifiers on the system and in some cases multiple ways to _login_, and those login IDs may be permanently linked or not, e.g. leased.
----

h2. Group or GlobalGroup

This property is part of the SubjectIdentityBlock and describes the global group accountable for the resource consumption. The property should identify the group globally, so that clashes do not happen accidentally (e.g. using an FQDN to construct it; in Grid terms, this would typically be the VO name).

Example
<pre>
<ur:Group>binarydataproject.example.org</ur:Group>
</pre>

h3. Comments:

Ralph: ok - see comment on UserIdentity
Mike J: OK but see comments on UserIdentity!

----

h2. GroupAttribute or GlobalGroupAttribute

This property is part of the SubjectIdentityBlock and describes supplemental traits of the group property, e.g., sub-groups, role or authority. This makes it possible to account for segments of a group, while still being able to account for the group as a whole.

Example
<pre>
<ur:GroupAttribute ur:attributeType="role">production</ur:GroupAttribute>
<ur:GroupAttribute ur:attributeType="subgroup">analysis</ur:GroupAttribute>
<ur:GroupAttribute ur:attributeType="authority">/O=Grid/OU=example.org/CN=host/auth.example.org</ur:GroupAttribute>
</pre>

h3. Comments:

Ralph: ok
Mike J: Not sure about this; in the VOMS case, if you have all the FQANs and you know based upon which FQAN that usage was authorized, that should be sufficient.
The authority attribute however might be useful for auditing purposes.

----

h2. AuthorityType

This property is part of the IdentityBlock and describes the type of authority that identified the user, e.g., CA, Shibboleth, etc.

Example
<pre>
<ur:AuthorityType>CA</ur:AuthorityType>
</pre>

h3. Comments:

----

h2. AuthorityID

This property is part of the SubjectIdentityBlock and identifies the authority which issued the user's credentials, e.g., INFN-CA, etc.

Example
<pre>
<ur:AuthorityID>INFN-CA</ur:AuthorityID>
</pre>

h3. Comments:

----

h2. WhereTheUserCameFrom

This property is part of the SubjectIdentityBlock and identifies the machine from which the user accessed the remote resource, e.g., by IP address, hostname, etc.

Example
<pre>
<ur:WhereTheUserCameFrom>156.156.156.156</ur:WhereTheUserCameFrom>
</pre>

h3. Comments:

Jon: Not sure where this came from. If still needed, I guess the name could be better.

----

h2. issuer

This property denotes who issued the user's certificate.

h3. Comments:

----
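
As an added illustration (not code from the UR-WG page or any UR implementation), the following Python builds a ur:SubjectIdentityBlock from the pieces the sections above describe: an X.509 subject DN for UserIdentity, a VOMS FQAN that is split into Group (the VO name) plus subgroup and role GroupAttributes, the asserting authority as an authority GroupAttribute, and AuthorityType, AuthorityID and LocalUser. The ur namespace URI, the FQAN grammar and the helper names (parse_fqan, build_subject_identity_block, group_attributes, to_xml) are assumptions of the example, not something the page defines.

```python
"""Build a SubjectIdentityBlock from an X.509 subject DN and a VOMS FQAN.

Added example, not code from the UR-WG page. Assumptions not stated on the
page: the ``ur`` prefix is bound to the placeholder namespace URI below, and
the FQAN grammar is ``/<vo>/<subgroup>.../Role=<role>/Capability=<cap>`` with
``NULL`` meaning "not set".
"""
import xml.etree.ElementTree as ET

UR_NS = "urn:example:ur:placeholder"   # placeholder, not the real UR namespace
ET.register_namespace("ur", UR_NS)


def q(name):
    """Clark-notation name for an element or attribute in the ur namespace."""
    return "{%s}%s" % (UR_NS, name)


def parse_fqan(fqan):
    """Split a VOMS FQAN into (vo, subgroups, role); role is None when NULL or absent.

    '/binarydataproject.example.org/analysis/Role=production/Capability=NULL'
    -> ('binarydataproject.example.org', ['analysis'], 'production')
    """
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/': %r" % fqan)
    groups, role = [], None
    for part in filter(None, fqan.split("/")):
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value == "NULL" else value
        elif part.startswith("Capability="):
            continue  # capabilities carry no accounting meaning here
        else:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN names no VO: %r" % fqan)
    return groups[0], groups[1:], role


def build_subject_identity_block(user_dn, fqan, authority_dn, authority_id, local_user=None):
    """Return a ur:SubjectIdentityBlock Element holding the fields discussed above."""
    vo, subgroups, role = parse_fqan(fqan)
    block = ET.Element(q("SubjectIdentityBlock"))
    ET.SubElement(block, q("UserIdentity")).text = user_dn    # global user identity
    ET.SubElement(block, q("Group")).text = vo                 # global group = VO name
    for sg in subgroups:                                       # one GroupAttribute per subgroup
        ET.SubElement(block, q("GroupAttribute"), {q("attributeType"): "subgroup"}).text = sg
    if role:
        ET.SubElement(block, q("GroupAttribute"), {q("attributeType"): "role"}).text = role
    # the authority that asserted the group membership; useful when auditing a record
    ET.SubElement(block, q("GroupAttribute"), {q("attributeType"): "authority"}).text = authority_dn
    ET.SubElement(block, q("AuthorityType")).text = "CA"       # user identified by a CA-issued certificate
    ET.SubElement(block, q("AuthorityID")).text = authority_id
    if local_user:
        ET.SubElement(block, q("LocalUser")).text = local_user  # the Unix account that consumed the resource
    return block


def group_attributes(block):
    """Inverse view: {attributeType: [values]} for the GroupAttribute children of a block."""
    out = {}
    for el in block.findall(q("GroupAttribute")):
        out.setdefault(el.get(q("attributeType")), []).append(el.text)
    return out


def to_xml(block):
    """Serialise the block; the ur prefix is emitted because it was registered above."""
    return ET.tostring(block, encoding="unicode")


if __name__ == "__main__":
    blk = build_subject_identity_block(
        "/O=Grid/OU=example.org/CN=John Doe",
        "/binarydataproject.example.org/analysis/Role=production/Capability=NULL",
        "/O=Grid/OU=example.org/CN=host/auth.example.org",
        "INFN-CA",
        local_user="johndoe",
    )
    print(to_xml(blk))
```

Splitting the FQAN this way keeps the VO name in Group, so the group can still be accounted for as a whole, while the subgroup and role GroupAttributes allow the segment that actually ran the work to be charged; the authority attribute records which server asserted that membership.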
Mike: Suggest a mockup for the wiki: The following is an example straw-man of what I would like to see (it is not agreed nor a summary of the above)
<pre>
<usage>
  <recordIdentity>
    <creationTime>[When the record is cut]</creationTime>
    <recordID>[unique opaque ID]</recordID>
    <recorderID type="DN">[DN of host cutting the record]</recorderID> ||
    <recorderID type="IP">[IP address of host cutting the record]</recorderID>
  </recordIdentity>
  <identity>
    <!-- There may be other examples of the following. One of the following needs to have an attribute defining that it was used for authorisation -->
    <Id individual="true" type="anonymous"/> ||
    <Id individual="true" type="DN" scope="global|local">[DN]</Id>?
    <Id individual="true" type="IP" scope="global|local">[IP]</Id>?
    <Id individual="true" type="UID" scope="site|local">[ID]</Id>?

    <ID individual="false" type="GID" scope="site|local">[ID]</ID>?
    <ID individual="false" type="VOMS">
      <authority type="DN">[VOMS AC Issuer/Server certificate]</authority>
      <method>AC|List|SAML</method>
    </ID>
    <ID individual="false" type="GID" scope="site|local">[GID]</ID>
    <ID individual="false" type="IP" scope="local|global">
      <IP mask="255.255.0.0">[IP]</IP>+
    </ID>
  </identity>
...
</usage>
</pre>
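
As an added example (not part of Mike's straw-man or of the page), the following Python runs the consistency check the straw-man's comment calls for before a record is accepted: exactly one identity element must be flagged as the one used for authorisation, and a VOMS entry must name its authority and method. The attribute name authorised is an assumption borrowed from Mike J's UserIdentity suggestion, the sample records are constructed, and the validator accepts both the <Id> and <ID> spellings the mock-up uses.

```python
"""Consistency checks for the <identity> section of the straw-man usage record.

Added example, not code from the UR-WG page. Assumptions: the record is the
plain (un-namespaced) XML of the straw-man with the BNF-style markers
(||, ?, +) removed, and the element used for authorisation is flagged with
authorised="true" (attribute name taken from Mike J's UserIdentity comment;
the straw-man only says such an attribute is needed).
"""
import xml.etree.ElementTree as ET

VOMS_METHODS = {"AC", "List", "SAML"}
SCOPES = {"global", "site", "local"}

# Constructed sample: one global DN flagged as the authorising identity,
# a local UID, a VOMS group assertion and a local GID.
SAMPLE_OK = """<usage>
  <recordIdentity>
    <recordID>urn:example:record:0001</recordID>
  </recordIdentity>
  <identity>
    <Id individual="true" type="DN" scope="global" authorised="true">/O=Grid/OU=example.org/CN=John Doe</Id>
    <Id individual="true" type="UID" scope="local">1042</Id>
    <ID individual="false" type="VOMS">
      <authority type="DN">/O=Grid/OU=example.org/CN=host/voms.example.org</authority>
      <method>AC</method>
    </ID>
    <ID individual="false" type="GID" scope="local">1001</ID>
  </identity>
</usage>"""

# Same record with the authorisation flag dropped: nothing says who was authorised.
SAMPLE_NO_FLAG = SAMPLE_OK.replace(' authorised="true"', "")


def _id_elements(identity):
    """The straw-man spells the element both <Id> and <ID>; accept either."""
    return [el for el in identity if el.tag.lower() == "id"]


def validate_identity(xml_text):
    """Return a list of problems found in <usage>/<identity>; [] means the block is consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    identity = root.find("identity")
    if identity is None:
        return ["no <identity> element"]
    ids = _id_elements(identity)
    if not ids:
        return ["<identity> contains no Id elements"]
    authorised = []
    for n, el in enumerate(ids, 1):
        where = "Id #%d (type=%s)" % (n, el.get("type"))
        if el.get("individual") not in ("true", "false"):
            problems.append(where + ": individual must be 'true' or 'false'")
        if not el.get("type"):
            problems.append(where + ": missing type attribute")
        scope = el.get("scope")
        if scope is not None and scope not in SCOPES:
            problems.append(where + ": unknown scope %r" % scope)
        if el.get("type") == "anonymous" and (el.text or "").strip():
            problems.append(where + ": anonymous Id must carry no value")
        if el.get("type") == "VOMS":
            if el.find("authority") is None:
                problems.append(where + ": VOMS Id needs an <authority>")
            if el.findtext("method") not in VOMS_METHODS:
                problems.append(where + ": VOMS method must be one of %s" % sorted(VOMS_METHODS))
        if el.get("authorised") == "true":
            authorised.append(el)
    # The straw-man's comment: exactly one Id must say it was used for authorisation.
    if len(authorised) != 1:
        problems.append('exactly one Id must carry authorised="true", found %d' % len(authorised))
    elif authorised[0].get("type") != "anonymous" and authorised[0].get("scope") is None:
        problems.append("the authorising Id must state its scope")
    return problems


def authorising_identity(xml_text):
    """Return (type, value) of the Id used for authorisation, or None if the record is inconsistent."""
    if validate_identity(xml_text):
        return None
    identity = ET.fromstring(xml_text).find("identity")
    for el in _id_elements(identity):
        if el.get("authorised") == "true":
            return el.get("type"), (el.text or "").strip()
    return None


if __name__ == "__main__":
    for label, record in (("ok", SAMPLE_OK), ("no flag", SAMPLE_NO_FLAG)):
        print(label, validate_identity(record) or "consistent", authorising_identity(record))
```

Rejecting a record whose identity block carries no authorisation flag, or more than one, is what makes the later question "which FQAN was this usage authorised on" answerable from the record alone, which is the point Mike J raises under GroupAttribute.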
----

h2. ALL OK:

----

h2. LocalUser or LocalUserId

This attribute property of the Usage Record is part of the IdentityBlock and identifies the local user (e.g. a Unix user).

Example
<pre>
<ur:LocalUser>johndoe</ur:LocalUser>
</pre>

h3. Comments:

Ralph: ok
Mike J: OK

----

h2. LocalGroup or LocalGroupId

This attribute property of the Usage Record is part of the IdentityBlock and identifies the local group (e.g. a Unix group).

Example
<pre>
<ur:LocalGroup>binarydataproject</ur:LocalGroup>
</pre>

h3. Comments:

Ralph: ok
Mike J: OK

----