ViewVC logotype

Contents of /trunk/projects/grid/gms/doc/GMS.tex

Parent Directory Parent Directory | Revision Log Revision Log

Revision 5737 - (show annotations)
Tue Feb 25 02:07:05 2020 UTC (5 months, 1 week ago) by major.brian
File MIME type: application/x-tex
File size: 25808 byte(s)
GMS syntax error fix
1 \documentclass[11pt,a4paper]{ivoa}
2 \input tthdefs
4 \title{Group Membership Service}
6 \ivoagroup{Grid and Web Services}
8 \author{Brian Major}
9 \author{Patrick Dowler}
10 \author{Giuliano Taffoni}
11 \author{Adrian Damian}
12 \author{Sara Bertocco}
13 \author{Marco Molinaro}
15 \editor{Brian Major}
17 % \previousversion[????URL????]{????Funny Label????}
18 \previousversion{This is the first public release}
20 \begin{document}
21 \begin{abstract}
23 The Group Membership Service (GMS) specification describes a service interface for determining whether a user is a member of a group. Membership information can be used to protect access to proprietary resources. When an authorization decision is needed (whether to grant or deny access to a proprietary resource), a call to GMS can be made to see if the requesting user is a member of the group assigned to protect the resource in question. Examples of proprietary resources are wide ranging but include: observation data and metadata and scarce or limited services and infrastructure. Because this specification details how a single group can protect multiple, potentially distributed, resources, it allows for the representation of teams with common authorization rights. The members of such teams can span multiple organizations but can be managed within a single service. In this way, GMS offers an interoperable, flexible, and scalable mechanism for sharing proprietary assets with a potentially dynamic set of team members.
25 \end{abstract}
27 \section*{Acknowledgments}
28 For the creation of this document we acknowledge the support of the Canadian Space Agency, the National Research Council Canada, the Italian National Institue of Astrophysics, and the Astronomy ESFRI and Research Infrastructure Cluster (ASTERICS). ASTERICS is a project supported by the European Commission Framework Programme Horizon 2020 Research and Innovation action under grant agreement n. 653477.
30 \section*{Conformance-related definitions}
32 The words ``MUST'', ``SHALL'', ``SHOULD'', ``MAY'', ``RECOMMENDED'', and
33 ``OPTIONAL'' (in upper or lower case) used in this document are to be
34 interpreted as described in IETF standard RFC2119 \citep{std:RFC2119}.
36 The \emph{Virtual Observatory (VO)} is a
37 general term for a collection of federated resources that can be used
38 to conduct astronomical research, education, and outreach.
39 The \href{http://www.ivoa.net}{International
40 Virtual Observatory Alliance (IVOA)} is a global
41 collaboration of separately funded projects to develop standards and
42 infrastructure that enable VO applications.
45 \section{Introduction}
47 Through standard IVOA protocols, many astronomy data centres and institutes offer users access to datasets through Datalink (Datalink \citep{2015ivoa.spec.0617D}) and SODA (Server-side Operations for Data Access \citep{2017ivoa.spec.0517B}, etc), metadata and catalogs through TAP (\citep{2010ivoa.spec.0327D}), and storage through VOSpace (\citep{2018ivoa.spec.0621G}). There are also many instances of custom access services to astronomy resources. In certain cases the information within these services is proprietary -- it is only allowed to be accessed by certain individuals. Due to the wide variety and inherently institute-specific set of rules that may define how the information is proprietary, it is beneficial to the owners and maintainers of the rules to have a standard way of describing who has access to what resources. Additionally, the rules describing resource access may be determined by an entity external to the holder of these resources. To these ends, this document sets out a standard, programmatic, and interoperable method of determining whether a given user is allowed to access a given proprietary resource.
49 The ideas presented by GMS enable data centres to do authorization checks in an interoperable fashion. In the context of authorization, interoperability can viewed on two levels: interoperability amongst the cooperating services \emph{within} a data centre, and interoperability \emph{between} data centres. Because of the orthogonal nature of authorization, these amount to the same problem.
51 Interoperability aside, GMS describes a simple, general, maintainable, and scalable approach to performing authorization, and so is a recommended architectural pattern for managing access to proprietary resources.
53 \subsection{Proprietary resources}
54 \label{subsec:propresources}
56 Most facilities have a period of time in which only the Principal Investigator and the associated team has access to observation metadata and data files. Even without a proprietary period, time is required to verify and validate observations before they can be made public.
58 Programs create higher level products such as catalogs and images. On many occasions, they must be accessible to only those who are authorized.
60 Many organizations have internal, custom services with private or sensitive data. Similarily, organizations are using TAP to to access relational data that serves only internal or operational purposes and should not be exposed to the general public.
62 In these ways and others, proprietary resources exist. For these to be made available to those with authorization, we require a consistent way of performing authorization checks within and between organizations.
64 \subsection{Role within the VO Architecture}
65 \label{subsec:roleinarch}
67 \begin{figure}
68 \centering
70 \includegraphics[width=0.9\textwidth]{role_diagram.pdf}
71 \caption{GMS in relation to the IVOA architecture}
72 \label{fig:archdiag}
73 \end{figure}
75 Fig.~\ref{fig:archdiag} shows the role this document plays within the
76 IVOA architecture \citep{note:VOARCH}.
78 GMS can be used by any software that needs to check, for authorization purposes, whether a user is a member of group. Because of this general purpose functionality, GMS slices through all IVOA standards and lies in the middle of the SHARING technical resource in the IVOA architecture diagram. Indeed, GMS allows for the sharing of proprietary resources to a limited audience.
80 \subsection{Use Cases}
81 \label{subsec:usecases}
83 Aside from the main use case of restricting access to proprietary resources, GMS supports a number of other use cases, of both the user and system variety.
85 \paragraph{Proprietary information} Restricting access to proprietary resources to certain users.
87 \paragraph{Homogeneity} Using the same mechanism to control access to proprietary resources in a data centre or in multiple data centres.
89 \paragraph{Scalability} A distributed mechanism that scales linearly with the resources being protected.
91 \paragraph{Remotely managing access} A project may wish to control access to resources that reside externally.
93 \paragraph{Access rule sharing} A project may consist of a variety of resources that can be all managed by the same access rule: group membership certification.
95 \paragraph{Extending the services of a data centre} A project that has hosted data and metadata at a data centre may wish to create value-added services outside of the data centre itself. If some of the data or metadata is proprietary, the extended services may need to determine if a user is allowed to perform certain action on that data or metadata. A remote GMS instance can be used in this way.
97 \paragraph{Cooperating institutes} Two or more institutes may work together on a single project that involves proprietary resources and would benefit from a single, standard mechanism for protecting those resources.
99 \subsection{Definitions}
101 \paragraph{Authentication} User identification through credentials or identity provider. Refer to the IVOA Single-Sign-On Profile: Authentication Mechanisms. \citep{2017ivoa.spec.0524T}
103 \paragraph{Authorization} Making the decision of whether to grant a user permission to a given resource. The decision usually involves knowing the user's identity obtained through authentication.
105 \paragraph{GMS Authorization} Making the decision of whether to grant a user permission to a given resource by ensuring the authenticated user is a member of the group assigned to protect that resource.
107 \paragraph{Resource} Something that may require authorization for access. For example, a service, a data file, metadata, a catalog, or infrastructure.
109 \paragraph{User} An individual or entity identified by authentication that is attempting to perform some action.
111 \paragraph{Group} A set of users.
113 \paragraph{Grant} Authorizing access to a proprietary resource by assigning a group to protect that resource.
115 \paragraph{Revoke} Removing access to a proprietary resource by removing an assigned group.
117 \paragraph{Owner} A user or group of users who may grant or revoke access to a specific resource.
119 \section{Scope}
121 When looking at a system that has proprietary resources that need to be protected, it is clear that there are two distinct phases to authorization: the assignment of the rules protecting the resources, and the attempts by various users to gain access to those resources. They are described here:
123 \begin{enumerate}
124 \item The owner(s) of a resource may, at any time, change the rules by which a resource may be accessed. This is the \emph{granting and revoking of access}.
125 \item When users try to access resources, the granting rules for that resource are evaluated at runtime. This is the \emph{authorization check}.
126 \end{enumerate}
128 GMS only describes item 2, the \emph{authorization check}, though it acknowledges that step 1, \emph{granting and revoking of access} is a part of the authorization process.
130 \section{Groups}
132 \subsection{Why Groups?}
133 \label{subsec:whygroups}
135 Why are groups a good model for authorization? When a system needs to perform an \emph{authorization check} on a resource, it is trying to determine if the authenticated user is allowed access. There are a number of options on how this can be accomplished.
137 A simple approach would be to add the identity of the user to the resource. However, this is too restrictive as there may be multiple users who are allowed access. So, we could instead add a list of user identities to the resource being protected. It becomes a problem when there are two resources that need protecting by the same set of individuals. This becomes difficult to maintain because a change in access rules (\emph{granting and revoking access}) would mean a change to multiple resources.
139 So, it becomes clear that this list of users needs to be decoupled from the resource so that it can be referenced and shared by multiple resources. To do so, the list must become a single entity than can be referenced by a name. And so, we must have a named group of users.
141 A central repository of groups of users would introduce other problems: a single point of failure, and the inability to partition groups of users. Thus, the \emph{location} of the group must accompany the group reference so that it is possible to have multiple collections of groups of users and multiple associated GMS services.
143 Resources must then reference a group by a URI with a location and a name that is unique within that location. This is called the Group Identifier.
145 Systems must use the information in the group identifier to determine if the user is a member of the group. Because the location may be outside of the immediate vicinity of the resource, this query must be performed in a standard and accessible manner and so is defined as a RESTful interface to group membership.
147 \subsection{Group Identifiers}
148 \label{subsec:groupids}
150 A \emph{group identifier} is used to uniquely and universally identify individual groups. They are attached to proprietary resources for the purpose of referencing the group (or groups) whose members are authorized to access that resource. When a system needs to do an authorization check because a request for access is being made, it can make the decision based on the response of a membership call to a GMS service. With the help of an IVOA Registry, the system has all the information it needs within the group identifier to locate the associated GMS service and formulate the REST call to that service for the membership check.
152 Group identifiers are IVOA Identifiers (IVOIDs) \citep{2016ivoa.spec.0523D}. This means they can be used to look up the underlying GMS service in an IVOA registry (as is explained in the IVOA Identifiers document). Group names are specified in the \emph{query} part of the IVOID and are mandatory in group identifiers. So, group identifiers must conform to all the rules of IVOIDs and also MUST include the \emph{query} part of an IVOID representing the group name.
154 Below is an example of a valid and typical group identifier:
156 \begin{verbatim}
157 ivo://authority.example.com/groupService?mygroup
158 \end{verbatim}
160 There are two ways to resolve the associated GMS service URL: lookup the document associated with \emph{ivo://authority.example.com/groupService} in the registry; or, issue a RegTAP (\citep{2014ivoa.spec.1208D}) query for relevant elements of that document. Here we explain the RegTAP approach. Following the recommendations in that specification, the query would be done with three necessary constraints in the where clause:
161 \begin{itemize}
162 \item{ivoid} - The \emph{registry part} of the group identifier.
163 \item{standard\_id} - The desired search feature of GMS.
164 \item{intf\_role} - Always '\emph{std}', to indicate a standard service is being queried for.
165 \end{itemize}
167 and one optional constraint, \emph{security\_method\_id}, used to identify how clients can authenticate to the GMS service. To find a GMS service that does not require authorization, the value of the security\_method\_id constraint would be NULL. However, since anonymously accessible GMS services are not likely to exist (see section \ref{subsec:creddel}), the query should either:
169 \begin{itemize}
170 \item include a desired security\_method\_id in the where clause, as specified by the IVOA Single-Sign-On Profile \citep{2017ivoa.spec.0524T}, or;
171 \item omit the constraint and iterate over the resulting rows to choose an appropriate security method.
172 \end{itemize}
174 The following query will return a row for each access\_url and security\_method\_id combination. The ivoid value is calculated by removing the query string from the group identifier. Since we are looking to perform an \emph{is member} call, we ask for the GMS search capability, identified by the GMS search standardID (see section \ref{subsec:api}).
176 \begin{verbatim}
177 SELECT access_url, security_method_id
178 FROM rr.interface
179 NATURAL JOIN rr.capability
180 NATURAL JOIN rr.resource
182 ivoid = 'ivo://authority.example.com/groupService'
183 AND standard_id = 'ivo://ivoa.net/std/gms#search-1.0'
184 AND intf_role='std'
185 \end{verbatim}
187 Note to authors: The use of security\_method\_id is undergoing changes in RegTAP 1.1 (possible removal). This document should be updated accordingly upon its acceptance.
189 This would result in one or more access URLs capable of supporting a GMS search on the group 'groupName' with its corresponding security method support. For example, it could return three rows with values:
191 \vspace{3mm}
192 \hskip-1.0cm
193 \begin{tabular}{l l}
194 \textbf{access\_url} & \textbf{security\_method\_id} \\
195 \hline
196 https://server.example.com/gms1/search & ivo://ivoa.net/sso\#tls-with-password \\
197 https://server.example.com/gms2/search & ivo://ivoa.net/sso\#tls-with-certificate \\
198 https://server.example.com/gms2/search & ivo://ivoa.net/sso\#cookie \\
199 \hline
200 \end{tabular}
201 \vspace{3mm}
203 The first row identifies a URL to the GMS search capability supporting username and password authentication. The second and third rows show a URL that supports both client certificate authentication and cookie authentication. This also implies that membership information about the group 'mygroup' is available from either access URL.
205 To then perform the group membership query on any of these URLs, the service would formulate a REST call as defined by the GMS Search API.
207 \section{GMS Search API}
209 \subsection{API Definition}
210 \label{subsec:api}
212 The Group Membership Service defines a RESTful API \citep{fielding00} that allows for the determination of whether a user is a member of a group. This is the GMS search capability and is identified by the following standard ID:
214 \begin{verbatim}
215 ivo://ivoa.net/std/gms#search-1.0
216 \end{verbatim}
218 Within this capability, there are two functions and associated endpoints as described in the table below.
220 \vspace{3mm}
221 \begin{tabular}{l l}
222 \textbf{Function} & \textbf{Endpoint} \\
223 \hline
224 boolean isMember(Group, User) & GET /\emph{search}/\{group\} \\
225 list<Group> getMemberships(User) & GET /\emph{search} \\
226 \hline
227 \end{tabular}
228 \vspace{3mm}
230 Where \emph{search} represents the \xmlel{access\_url} from the RegTAP call and \emph{\{group\}} is the groupName part of a Group Identifier.
232 For a successful HTTP GET to \xmlel{/search/\{group\}}, the service shall respond with HTTP 200 (OK). If the user is a member of \xmlel{\{group\}}, the service must repeat the name of the group (ending with a newline as a CRLF\footnote{Carriage Return character (ASCII 13) plus a Line Feed character (ASCII 10)}) in the response body in \emph{text/plain} format. If the user is not a member of the group, or if the group is not recognized, the service must return an empty response body.
234 A successful HTTP GET to \xmlel{/search} shall return HTTP 200 (OK) with a list of the groupNames in which the user is a member in the response body. The response must again have a Content-Type of \emph {text/plain}. Each group (even the last) must end with a CRLF. If the user is not a member of any groups, or if the user is not recognized, the response body must be empty.
236 It is the authenticated user (the user making the REST call) who is the subject of the of the membership question. This user's identity is determined by one of the authentication mechanisms described in the IVOA Single-Sign-On Profile.
238 If the user cannot be identified from the call because they have not authenticated, the service must respond with HTTP 403 (Forbidden). The response message should indicate that authentication is required to use the service.
240 If an authenticated user could not be identitfied from the HTTP request the service must response with HTTP 400 (Bad Request). The response message should indicate that the user is unknown to the system.
242 \subsection {Search Examples}
243 \label{subsec:examples}
245 \paragraph{Example 1 - Group access to a VOSpace Node}
247 A user is trying to download a VOSpace file that has the group-read property set to
249 \begin{verbatim}
250 ivo://authority.example.com/gms/instance1?my-collaboration
251 \end{verbatim}
253 This resolves (though a RegTAP query for the search API) to URL
255 \begin{verbatim}
256 https://server.example.com/groupService/search
257 \end{verbatim}
259 To authorize the user, the VOSpace service queries the GMS search service using the user's delegated credentials
261 \begin{verbatim}
262 HTTP GET to https://server.example.com/gmsService/search/
263 my-collaboration
264 \end{verbatim}
266 The GMS service identifies the user, consults its group membership information, and returns a response code of 200 with the string \emph{my-collaboration} (followed by CRLF) written to the response body when confirming the user is a member of group 'my-collaboration'.
268 \begin{verbatim}
269 my-collaboration
270 \end{verbatim}
272 \paragraph{Example 2 - Group access to table data}
274 A user issues an ADQL query to a table with row-level authorization in a TAP service. A read-group column defines which group is allowed to read that row. The first row that is encountered with a non-null read-group has value:
276 \begin{verbatim}
277 ivo://authority.example.com/gms/instance1?my-other-collaboration
278 \end{verbatim}
280 In anticipation of more rows to follow, and to avoid needing to make multiple calls to GMS, the TAP service asks for all the user's groups when the first protected row is encountered. This cached group information can be applied to all subsequent rows processed. In this example, the service does not have the user's delegated credentials so passes the user information (as parameters) in the search call.
282 \begin{verbatim}
283 HTTP GET to
284 https://server.example.com/gmsService/search
285 \end{verbatim}
287 The GMS service returns HTTP 200 and all the groups in which user 'myusername' is a member:
289 \begin{verbatim}
290 my-collaboration
291 my-other-collaboration
292 my-final-collaboration
293 \end{verbatim}
295 The TAP service caches this group membership information for the lifetime of the request so that it can be used if necessary when checking other rows. If a read-group entry with a different \emph{registry part} of the group identifier is encountered, the TAP service must call that GMS service too and add the list of groups to its cache.
297 \subsection {GMS and Credential Delegation}
298 \label{subsec:creddel}
300 User and group membership information may be considered private, so determining who is allowed to make GMS search calls is an important consideration. This is part of the reason why the specification only allows for group membership checks to be made by the user whose membership is being checked (the 'target user'). This rule ensures that only the target user can see their group membership information.
302 This rule also means that the caller of GMS must use the credentials (proxy certificate, token, etc..) of the target user. Although users may themselves call GMS for membership information it is generally not very useful in their hands. The target use case is for programmatic systems to call GMS for authorization checks. So, those systems must have access to the target user's credentials. This is accomplished through use of the IVOA Credential Delegation Protocol \citep{2010ivoa.spec.0218P}.
304 An alternative to this approach, which was thoroughly considered, is to also allow the use of privileged credentials to make GMS calls. That is: allow the set of systems that need to do authorization checks to make GMS calls for any target user. There are a number of complications with this approach.
306 New systems that need to do authorization checks require authorization to make those calls so would have to be added to a set of rules. This is a maintenance step that can be avoided. When there is a chain of privileged service calls that need to be made, the complexity of mapping and maintaining those rules increases quickly. This complexity is compounded when needing to interoperate with external GMS instances.
308 Another problem with allowing external GMS calls with privileged accounts is the need for a trust arrangement between the hosts. Organizations would need to ask each other to allow GMS calls to work for certain privileged accounts.
310 When service calls are always made by the originating user, then services such as GMS only have to concern themselves with the caller of the service, so the complexity and potential for error is much reduced. Information privacy is easily controlled when only the user may see membership information.
312 \section {Implementation}
314 \subsection {Implementation Options}
315 \label{subsec:implopts}
317 An implementation of GMS requires a system that associates users with zero or more groups, some options include:
319 \begin{itemize}
320 \item Grouper\footnote{https://www.internet2.edu/products-services/trust-identity/grouper/} (groups in MySQL\footnote{https://mysql.com}, users in LDAP\footnote{Lightweight Directory Access Protocol})
321 \item By using LDAP only (some implementations require plugins to support groups)
322 \item Through a relational database.
323 \item A VOSpace implementation: It is conceivable that VOSpace could be used to implement GMS, where ContainerNodes represent groups and DataNodes represent users.
324 \end{itemize}
326 \subsection{Groups of Groups}
327 \label{subsec:groupsofgroups}
329 It may be functionally attractive to support groups within groups. If this is implemented, then the service must ensure that this representation is reflected by the service API. For example, if an isMember(g) call is made, and the group 'g' is a group within another group in which the user is a member, then the service must return true. The fact that the service supports groups within groups is not exposed through the search API, but the API does not prohibit such an implementation.
331 If one of the contained groups exists at another GMS instance, perhaps outside of the organization, then the service may transitively query that service to determine group membership, taking care to avoid a loop caused by groups being members of each other.
333 \appendix
335 \section{Changes from Previous Versions}
336 \label{sec:changehistory}
338 \subsection{Changes from WD-GMS-1.0-20190506}
339 \begin{itemize}
340 \item{General text changes for clarification in abstract and sections 1, 3}
341 \item{Removed support for identifying the 'target user' of a GMS call with id parameters. The 'target user' is now always the user making the API call to GMS.}
342 \item{Added new sub-section: GMS and Credential Delegation}
343 \item{Section 2 renamed from 'Authorization Requirements' to 'Scope'}
344 \end{itemize}
346 \subsection{Changes from WD-GMS-1.0-20190329}
347 \begin{itemize}
348 \item{Reverted Group Identifier to be an IVOID}
349 \item{Corrected, expanded, and clarified the group identifier registry resolution procedure}
350 \item{Updated bibliography references}
351 \end{itemize}
353 \subsection{Changes from WD-GMS-1.0-20181025}
354 \begin{itemize}
355 \item{Changed Group identifier URI to be in the format gms://authority/path?group}
356 \item{Changed names of params user and principal to identity and identityType}
357 \item{Corrected API definition to always return 200 on succcess}
358 \item{REST API now described in a table}
359 \end{itemize}
361 % these would be subsections "Changes from v. WD-..."
362 % Use itemize environments.
364 \bibliography{ivoatex/ivoabib,ivoatex/docrepo}
366 \end{document}

ViewVC Help
Powered by ViewVC 1.1.26