
CDS

CDS 1.2 Design



Architecture


Credential Delegation Service (CDS) Architecture
The Credential Delegation Service (CDS) is a WSRF-compliant web service built on top of the Globus Toolkit. The CDS Grid Service Implementation component implements the CDS web service interface and is responsible for handling invocations received by the underlying web service container. For each invocation received, the CDS Grid Service Implementation, together with the underlying Grid container, authenticates the requestor and deserializes the request into associated Java objects. The request and associated Java objects are then passed to the Delegation Manager component. The Delegation Manager component is responsible for enforcing access control on all requests. Once it is determined that a client is allowed to perform the request, the Delegation Manager passes the request on to the sub-component that specializes in the request. Requests associated with delegating credentials, obtaining delegated credentials, and monitoring delegated credentials are handled by the Credential Delegation Manager component. The Credential Delegation Manager component employs a set of pluggable Policy Handler(s), each of which manages and enforces the access control policy for delegated credentials. The ability to plug in Custom Policy Handler(s) to the CDS allows customized delegation policies to be used by clients when delegating their credentials to other clients. For example, a client could delegate their credentials to (1) clients who are members of a specified Grid Grouper group, (2) clients that are approved by a specified Common Security Module (CSM) policy, or (3) clients that meet some other customized policy.

The Group Manager component is responsible for managing the administrators of the CDS. Requests received by the Delegation Manager for adding, removing, listing, and determining whether a client is an administrator are handled by the Group Manager component.

MySQL is employed by all components for persisting relevant information.

Delegating a Credential


Delegating a Credential to the CDS
The diagram to the right illustrates the process of a client (delegator) delegating a credential to the CDS. The first step, the Initiation step, initiates the delegation process. To execute the Initiation step the client must have the credential they wish to delegate in hand. The client must also provide the following information to the CDS:

  • Delegated Credential Lifetime - The amount of time that the CDS will be allowed to delegate the client's credential to allowed parties.
  • Delegated Credential Path Length - Specifies how far the credential may be further delegated. A path length of 1 would allow the CDS to delegate the client's credential to other parties; however, the other parties would not be allowed to further delegate. A path length of 2 would allow the CDS to delegate to second parties, and the second parties would also be able to delegate the client's credentials to third parties; the third parties would not be allowed to further delegate.
  • Issued Credential Lifetime - Specifies the amount of time that a client's credential issued to an allowed party by the CDS would be valid for.
  • Issued Credential Path Length - Specifies whether or not a client's credential issued to an allowed party by the CDS could be further delegated. A path length of 0 would not allow the party to further delegate. A path length of 1 would allow the party to delegate to a second party; however, the second party would not be able to further delegate.
  • Delegation Policy - A policy that expresses which parties may request the delegator's credential. The CDS provides a framework for plugging in and enforcing any type of Delegation policy.

When executing the Initiation step the client must provide the above information and must authenticate to the CDS using the credential they wish to delegate. Upon receiving the Initiation request the CDS will generate a key pair and store the information provided and the key pair in its database. The key pair generated will be used to make up a delegated credential for the client making the request. This delegated credential will be used to further delegate credentials to clients that are allowed by the delegation policy provided. The delegated credential will be made up of the generated private key and a certificate containing the generated public key. The certificate will be signed by the client making the request.

To create the certificate, the CDS will send a signing request back to the client. The signing request will contain the generated public key so that it can be included in the certificate that the client will sign. When the client receives the signing request it creates a certificate containing the public key provided by the CDS in the signing request. The client signs the certificate with the private key of the credential that it is delegating. The client re-authenticates with the CDS using the credential being delegated and returns the signed certificate to the CDS.

Upon receiving the signed certificate the CDS stores the certificate with the delegated credential record created during the Initiation step. The signed certificate, along with the earlier generated private key, makes up a credential which can be delegated to other clients based on the delegation policy specified. Finally, the CDS creates a web service resource for the delegated credential and returns a reference to the resource (DelegatedCredentialReference) to the client. Clients wishing to obtain the delegator's credential can use the DelegatedCredentialReference to request a credential from the CDS.
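The two path-length parameters in the list above constrain each other: a delegated credential with path length N can only support issued credentials with path length up to N - 1. The following Python sketch is an added example, not CDS code; it reduces each certificate to its path-length value, all function names are hypothetical, and clamping a child's declared value to the signer's remaining budget is an assumption about how the chain is validated.

```python
def max_issued_path_length(delegated_path_length):
    """Largest Issued Credential Path Length the delegated credential can support."""
    if delegated_path_length < 1:
        raise ValueError("the CDS needs a path length of at least 1 to issue anything")
    return delegated_path_length - 1


def check_initiation(delegated_path_length, issued_path_length):
    """Reject an Initiation request whose two path lengths cannot both hold."""
    if issued_path_length < 0:
        raise ValueError("path length cannot be negative")
    if issued_path_length > max_issued_path_length(delegated_path_length):
        raise ValueError("issued path length exceeds what the delegation allows")
    return True


def chain_within_budget(path_lengths):
    """path_lengths[0] belongs to the delegated credential held by the CDS;
    each later entry belongs to a credential signed by the one before it."""
    remaining = None
    for declared in path_lengths:
        if declared < 0:
            return False
        if remaining is None:
            remaining = declared          # top of the chain sets the budget
        elif remaining == 0:
            return False                  # signer was not allowed to delegate
        else:
            remaining = min(declared, remaining - 1)  # assumed clamping rule
    return True


# Constructed chains matching the path length 1 and 2 cases in the list above.
SAMPLES = {
    "length 1: CDS -> party": [1, 0],
    "length 1: party delegates again": [1, 0, 0],
    "length 2: CDS -> second -> third": [2, 1, 0],
    "length 2: third delegates again": [2, 1, 0, 0],
}

if __name__ == "__main__":
    for label, chain in SAMPLES.items():
        print(label, "->", "ok" if chain_within_budget(chain) else "rejected")
```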

Obtaining a Delegated Credential


Obtaining a Credential from the CDS
To obtain a credential, the client obtaining the credential must have in hand a DelegatedCredentialReference referring to the credential they wish to obtain. A DelegatedCredentialReference may be obtained directly from the delegator or directly from the CDS by asking the CDS which credentials have been delegated to them. Before making the request for the credential to the CDS, the client must generate a public/private key pair which will make up the credential. Once the key pair is generated, the client authenticates to the CDS using their credential and passes the CDS the DelegatedCredentialReference and the generated public key. Upon receiving the request from the client, the CDS checks the client against the delegation policy to validate that the client has been granted the ability to obtain the requested credential. If the client is authorized, the CDS creates a certificate containing the public key supplied by the client and signs the certificate with the private key associated with the credential delegated to the CDS by the delegator. The signed certificate is then returned to the client. The signed certificate, along with the private key generated earlier by the client, makes up a credential that can be used to invoke secure services on the delegator's behalf.

Administration


The CDS maintains a group of administrative users. Administrative users have the ability to monitor all delegated credentials, update the status of delegated credentials, and manage the group of administrators. The CDS web service interface allows administrators to add administrators, remove administrators, and obtain a list of administrators from the CDS. CDS administrators are identified by their Grid identity and must authenticate with the CDS using their Grid credentials to invoke administrative operations.

Monitoring Delegated Credentials


The CDS allows both clients and administrators to monitor delegated credentials. Clients may monitor only the credentials they delegated, whereas administrators may monitor any credential delegated to the CDS. Credentials can be monitored through the CDS web service interface; both clients and administrators must authenticate with the CDS using their Grid credential in order to monitor delegated credentials. The following information regarding delegated credentials may be monitored:

  • General Information
  • Delegation Policy
  • Certificate Chain
  • Auditing Information

The general information contains the following:

  • Who delegated the credential
  • The delegation identifier for the credential
  • When the delegation was initiated
  • When the delegated credential was approved
  • When the delegated credential expires
  • The lifetime of credentials that are issued to requesting parties
  • The path length of credentials that are issued to requesting parties
  • The status of a Delegated Credential

For each delegated credential the CDS maintains auditing information around events associated with the delegated credential. The following is a list of auditing information that is captured by the CDS:

  • Delegation Initiation
  • Delegation Approval
  • Delegation Status Update
  • Credential Issued
  • Access Denied to Credential

Administrators and Delegators may monitor the auditing information to determine when a delegated credential was created, when it was approved, who was issued a delegated credential, and who was not granted access to a delegated credential.

Modifying the Status of a Delegated Credential


Delegators and those acting on their behalf may suspend access to a delegated credential; once access is suspended, it may not be granted again. CDS administrators may also suspend access to any delegated credential. CDS administrators may re-enable access to a delegated credential that has been suspended.
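The issuance check, audit events and suspension rules described in the sections above can be modeled together. This Python sketch is an added example, not CDS code: the class and function names, the status strings and the sample identities are assumptions, no certificates are created, and it reads the suspension rule as "a delegator cannot re-enable, an administrator can".

```python
from dataclasses import dataclass, field

APPROVED, SUSPENDED = "Approved", "Suspended"  # assumed status names
ALICE, BOB, EVE, ADMIN = "/CN=alice", "/CN=bob", "/CN=eve", "/CN=admin"  # constructed

@dataclass
class DelegatedCredential:
    delegator: str
    policy: object      # pluggable policy handler: callable(identity) -> bool
    expires_at: int     # end of the Delegated Credential Lifetime
    status: str = APPROVED
    audit: list = field(default_factory=list)  # (event, identity, time, detail)

class ModelCDS:
    def __init__(self, admins):
        self.admins = set(admins)

    def issue(self, cred, requester, now):  # decide one request, audit the outcome
        if cred.status != APPROVED:
            reason = "status is " + cred.status
        elif now >= cred.expires_at:
            reason = "delegation expired"
        elif not cred.policy(requester):
            reason = "denied by delegation policy"
        else:
            cred.audit.append(("Credential Issued", requester, now, ""))
            return True
        cred.audit.append(("Access Denied to Credential", requester, now, reason))
        return False

    def set_status(self, cred, caller, new_status, now):
        # Delegators and administrators may suspend; only administrators re-enable.
        is_admin = caller in self.admins
        if not is_admin and caller != cred.delegator:
            raise PermissionError("caller may not change this credential")
        if new_status == APPROVED and not is_admin:
            raise PermissionError("only a CDS administrator may re-enable access")
        cred.status = new_status
        cred.audit.append(("Delegation Status Update", caller, now, new_status))

def denied_identities(cred):
    return [e[1] for e in cred.audit if e[0] == "Access Denied to Credential"]

def run_sample():
    cds = ModelCDS([ADMIN])
    cred = DelegatedCredential(ALICE, lambda who: who == BOB, expires_at=100)
    outcomes = [cds.issue(cred, BOB, 1), cds.issue(cred, EVE, 2)]
    cds.set_status(cred, ALICE, SUSPENDED, 3)  # delegator suspends access
    return cred, outcomes + [cds.issue(cred, BOB, 4)]
```

The list returned by `denied_identities` is the "who was not granted access" view that delegators and administrators would review in the audit trail.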

Last edited by
Knowledge Center (1516 days ago) , ...