NotesOnGMS (2020-05-20, GiulianoTaffoni)
This text is intended as a starting point for the discussion.
We will edit the text together during the session and then transfer the final version back to the IVOA wiki afterwards.

---+ GWS Session

Brian Major introduction on GMS and Authorization (authz).
Difference between auth and authz: who am I, what I can do.
GMS is based on groups.
An example is the use of an authenticated TAP service.
GMS is based on the isMember request: is a user a member of a group?

There are two API functions in GMS:
   * isMemberOf
   * getMembership (get all memberships for a user and cache them for a while) can work only on a single GMS; maybe we can remove it (?)
Why should I need "getMembership"?
Tom: is that a protected call? How does the security work? Only the user themself can do the call.
Steve Groom: asking about having authentication on datasets rather than the entire endpoint. The flow is similar to what is shown, with the service determining what group(s) need to be checked, instead of the group being explicitly supplied by the user in the URI.
James Tocknell: GMS and token expiration. What is the status of the group {I miss the description of the use case}? The OAuth token can expire.
GMS works on the scenario where the group information is very private.
The CDP approach avoids having to have a trust network between organizations; it is the user who decides the level of privacy.
*Question*: (GT) can we proceed with the RFC even if we do not have the token CDP?
Sonia: is presenting a GMS based on tokens (RAP based), based on JWT token relay, using JSON Web Tokens (self-contained and signed). The use case is based on file server access. The protocol is OAuth token exchange (RFC 8693).
Group of groups (parent.children): need to standardize the separator (now it is "."). Groups are stored in a DB.
Brian *Questions*: groups of groups. Why do we need to see the hierarchy from outside? There are use cases where users should download files from all the sub-groups. Groups are associated with observatory programs.
Pat *Question:* the way we implement GMS is just a question. If we
Dave: is the token restricted to make some specific operation? Yes, because in the token we use the scope, and that token is valid only for a specific service. It is an improvement over X.509. But this restriction implies the client should know all the services to contact.
When a user delegates the credential she would know to which extent her token is used. Could be implemented at the CDP level.
Pat: when a user delegates to a site she is trusting the site and everyone the site trusts. Chain of trust.
Users should be able to revoke scope.
Proxy certificates are not working for Kubernetes properly.
IA2 developed a web page where users can connect to download tokens for CLI usage.

*SUMMARY:*
   * keep the list of all groups
   * we have two implementations, one based on tokens

*ACTIONS*:
   * Are we willing to work on the new CDP document?
   * Participants:
      * DaveMorris @ Edinburgh interested in implementing GMS and CDP
      * INAF IA2 CDP
      * Sara Bertocco

Sonia: in our use case the list of groups makes sense because we would like to show the list of groups in our portal.

Will Sonia's slides (OAuth2 implementation of GMS) be posted somewhere? Don't see them yet.
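The two GMS calls (isMemberOf, getMembership), the "parent.child" group hierarchy with "." as separator, and a scoped, audience-restricted, expiring token of the kind Sonia and Dave describe are sketched below as one worked example. This is added illustration code, not code from the session, from IA2, or from any GMS implementation. Assumptions: an in-memory dict stands in for the group DB; the token is a minimal HS256 JWT signed with a constructed shared key; the claim names (sub, aud, scope, exp) and the rule that membership in a parent group grants access to files in all of its sub-groups are choices made for this example only.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed group store (stands in for the DB): group name -> set of user ids.
# The hierarchy is encoded in the name with "." as the separator (parent.child).
GROUPS = {
    "obs-program-42": {"alice"},
    "obs-program-42.night1": {"bob"},
    "obs-program-42.night1.raw": set(),
    "archive-ops": {"carol"},
}
SEP = "."


def ancestors(group):
    """Parent chain of a dotted group name, nearest parent first."""
    parts = group.split(SEP)
    return [SEP.join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]


def is_member_of(user, group):
    """GMS isMemberOf. Assumption for this example: a member of a parent group
    is treated as a member of every sub-group (the 'download files from all the
    sub-groups' case), so ancestors are checked after direct membership."""
    if group not in GROUPS:
        return False
    if user in GROUPS[group]:
        return True
    return any(user in GROUPS.get(a, set()) for a in ancestors(group))


def get_membership(user):
    """GMS getMembership: every group the user is in, plus all descendants of
    those groups under the same assumption as is_member_of. Sorted for stable output."""
    direct = {g for g, members in GROUPS.items() if user in members}
    result = set(direct)
    for g in GROUPS:
        if any(g.startswith(d + SEP) for d in direct):
            result.add(g)
    return sorted(result)


# Minimal HS256 JWT. The key is a constructed placeholder, not a real secret.
KEY = b"example-shared-secret-not-for-production"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(subject, audience, scope, ttl_seconds, now=None):
    """Issue a signed token valid only for one service (aud) and one scope, with an expiry."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "aud": audience, "scope": scope, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(KEY, header + b"." + payload, hashlib.sha256).digest())
    return b".".join([header, payload, sig]).decode()


def verify_token(token, expected_aud, required_scope, now=None):
    """Return the claims if signature, audience, scope and expiry all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.encode().split(b".")
    except ValueError:
        return None
    expected_sig = _b64(hmac.new(KEY, h + b"." + p, hashlib.sha256).digest())
    if not hmac.compare_digest(expected_sig, s):
        return None  # tampered or signed with another key
    claims = json.loads(_unb64(p))
    if claims.get("aud") != expected_aud:
        return None  # token issued for a different service
    if required_scope not in claims.get("scope", "").split():
        return None  # scope does not permit this operation
    if claims.get("exp", 0) <= now:
        return None  # expired (the token-expiry point raised in the session)
    return claims


def authorize_download(token, group, now=None):
    """File-server decision: a valid 'read' token for this service, then the GMS isMemberOf check."""
    claims = verify_token(token, "file-server", "read", now)
    if claims is None:
        return False
    return is_member_of(claims["sub"], group)


if __name__ == "__main__":
    t0 = 1_000_000
    tok = issue_token("alice", "file-server", "read", 600, now=t0)
    print(get_membership("alice"))
    print(authorize_download(tok, "obs-program-42.night1.raw", now=t0))
    print(authorize_download(tok, "obs-program-42.night1.raw", now=t0 + 600))
```

The service never needs the full membership list to make a decision; one isMemberOf call per resource group is enough, which is the point behind questioning whether getMembership is needed at all. The audience and scope checks are what make the token "valid only for a specific service", and they are also why a client has to know in advance which services it will contact.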