Table of Contents
|Credential Delegation Service (CDS) Architecture|
The Group Manager component is responsible for managing the administrators of the CDS. Request received by the DelegationManager for adding, removing, listing, and determining if a client is an administrator are handled by the Group Manager component.
MySQL is employed by all components for persisting relevant information.
|Delegating a Credential to the CDS|
- Delegated Credential Lifetime - The amount of time that the CDS will be allowed to delegate the client's credential to allowed parties.
- Delegated Credential Path Length - Specifies how much the credential may be further delegated. A path length of 1 would allow the CDS to delegate the client's credential to other parties, however the other parties would not be allowed to further delegate. A path length of 2 would allow the CDS to delegated to second parties, the second parties would also be able to delegate the client's credentials to third parties, the third parties would not be allowed to further delegate.
- Issued Credential Lifetime - Specifies the amount of time that a client's credential issued to a allowed party by the CDS would be valid for.
- Issued Credential Path Length - Specifies whether of not a client's credential issued to an allowed party by the CDS could be further delegated. A path length of 0 would not allow the party to further delegate. A path length of 1, would allow the party to delegate to a second party, however the seconds party would not be able to further delegate.
- Delegation Policy - A policy that expresses which parties may request the delegators credential. The CDS provides a framework for plugging in and enforcing any type of Delegation policy.
When executing the Initiation step the client must provide the above information and must authenticate to the CDS using the credential they wish to delegate. Upon receiving the Initiation request the CDS will generate a key pair and store the information provided and the key pair in its database. The key pair generated will be used to make up a delegated credential for the client making the request. This delegated credential will be used to further delegate credentials to clients that are allowed by the delegation policy provided. The delegated credential will be made up of the generated private key and a certificate containing the generated public key.. The certificate will be signed by the client making the request. To create the certificate, the CDS will send a signing request back to the client. The signing request will contain the generated public key such that it can be included in the certificate that the client will sign. When the client receives the signing request it creates a certificate containing the public key provided by the CDS in the signing request. The client signs the certificate with the private key of the credential that it is delegated. The client re-authenticates with the CDS using the credential being delegated and returns the signed certificate to the CDS. Upon receiving the signed certificate the CDS stores the certificate with the delegated credential record created during the Initiation Step. The signed certificate along with the earlier generated private key make up a credential which can be delegated to other clients based on the delegation policy specified. Finally the CDS creates a web service resource for the delegated credential and returns a reference to the resource (DelegatedCredentialReference) to the client. Client's wishing to obtain the delegator's credential can use the DelegatedCredentialReference to request a credential from the CDS.
|Obtaining a Credential from the CDS|
The CDS maintains a group of administrative users. Administrative users have the ability to monitor all delegated credentials, update the status of delegated credentials, and manage the group of administrators. The CDS web service interface allows administrators to add administrators, remove administrators, and obtain a list of administrators from the CDS. CDS administrators are identified by their Grid identity and must authenticate with the CDS using their Grid credentials to invoke administrative operations.
The CDS allows both clients and administrators to monitor delegated credentials. Clients may monitor only the credentials they delegated, where as administrators may monitor any credential delegated to the CDS. Credentials can be monitored through the CDS web service interface, both client and administrators must authenticate with the CDS using their Grid credential in order to monitor delegated credentials. The following information regarding delegated credentials may be monitored:
- General Information
- Delegation Policy
- Certificate Chain
- Auditing Information
The general information contains contains the following information:
- Who delegated the credential
- The delegation identifier for the credential
- When the delegation was initiated.
- When the delegated credential was approved.
- When the delegated credential expires.
- The lifetime of credentials that are issued to requesting parties.
- The path length of credentials that are issued to requesting parties.
- The status of a Delegated Credential.
For each delegated credential the CDS maintains auditing information around events associated with the delegated credential. The following is a list of auditing information that is captured by the CDS:
- Delegation Initiation
- Delegation Approval
- Delegation Status Update
- Credential Issued
- Access Denied to Credential
Administrators and Delegators may monitor the auditing information to determine when it was created, when it was approved, who was issued a delegated credential, and who was not granted access to a delegated credential.
Delegator's and those acting on their behalf may suspend access to a delegated credential, once access is suspended it may not be granted again. CDS Administrators may also suspend access to any delegated credential. CDS administrators may re-enable access to a delegate credential that has been suspended.