perfsonar-dev - Re: [pS-dev] Help needed for the design of the authorization request
Subject: perfsonar development work
- From: "Jeff W. Boote" <>
- To: Cándido Rodríguez Montes <>
- Cc: " List" <>, Zurawski Jason <>
- Subject: Re: [pS-dev] Help needed for the design of the authorization request
- Date: Tue, 3 Jun 2008 07:04:34 -0600
Why do you escape the elements in the request?
jeff
On Jun 3, 2008, at 5:07 AM, Jason Zurawski wrote:
Cándido;
Specifically... Will this need to 'ride' along within the context of other messages? Or is this only within the context of a service communicating with the AS? (If it needs to 'ride along' it would argue for perhaps actually using the SOAP headers, or perhaps message parameters.)
It's only within the context of a service communicating with the AS. I thought that I can include it inside the SOAP headers but I don't think it's the right place because it's not information about the message but it's the query that the service wants to send to the AS.
The request that I'm trying to define is the authorization request from a perfSONAR service to an AS. And I want to send a message like the following:
<nmwg:message id="authRMessage1" type="AuthNEERequest" xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
<nmwg:metadata id="authRMetadata">
<nmwg:parameters id="keys">
<nmwg:parameter name="SecurityToken">XXXXXXX</nmwg:parameter>
</nmwg:parameters>
</nmwg:metadata>
<nmwg:data id="authN1" metadataIdRef="authRMetadata">
<Request>
.
.
.
</Request>
</nmwg:data>
</nmwg:message>
Is there anything else that would go inside of the metadata element other than the security token parameter?
Not so far
The only reason I ask is that I want to make sure the interaction is modeled correctly (e.g. is the request element that you currently have in the data itself more of the 'subject', or is it tied [perhaps indirectly] to the token). If the request itself is the 'subject' or 'source', I would argue that it makes more sense to live in the metadata, perhaps inside of a subject element (aa:subject or something).
I think the request itself is more of the 'subject' but it is the message that I want to send to the subject. If a subject identifies an end point I think the request shouldn't be included inside a subject element (but, of course, I may be wrong :-D)
So, does it make sense to include it inside an aa:authrrequest? But this 'aa:authrrequest', where do you think it should be included?
I've been doing some examples and the request looks like:
<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" id="localhost.1269d12a:11a2f25d39e:-7fff" type="AuthNEERequest">
<nmwg:metadata id="authNmetadata">
<nmwg:parameters id="keys">
<nmwg:parameter name="SecurityToken" value="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</nmwg:parameters>
</nmwg:metadata>
<nmwg:data id="authN1" metadataIdRef="authNmetadata">
<aa:authrrequest xmlns:psservice="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/authrrequest/1.0/">
<Request>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>kan</AttributeValue></Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>http://perfsonar.net/MA</AttributeValue></Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
</Action>
</Request>
</aa:authrrequest>
</nmwg:data>
</nmwg:message>
Does it make sense for you?
If the request itself is the subject, I would actually argue for something like this:
<nmwg:message id="authRMessage1" type="AuthNEERequest"
xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"
xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/">
<nmwg:metadata id="authRMetadata">
<aa:subject id="authRSubject"
xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/">
<Request>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>kan</AttributeValue></Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>http://perfsonar.net/MA</AttributeValue></Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
</Action>
</Request>
</aa:subject>
<nmwg:eventType>http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/request/1.0</nmwg:eventType>
<aa:parameters id="keys" xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/">
<nmwg:parameter name="SecurityToken">XXXXXXX</nmwg:parameter>
</aa:parameters>
</nmwg:metadata>
<nmwg:data id="authN1" metadataIdRef="authRMetadata" />
</nmwg:message>
This keeps the request in the metadata/subject portion and uses an empty data trigger.
-jason
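Added example, not part of the original thread or of perfSONAR's code: a strict receiver-side parse of the AuthNEERequest message discussed above, accepting the XACML Request in either position (metadata/subject or data) and the SecurityToken as element text or as a value attribute. The function names, the sample message and the exactly-one-Request, exactly-one-token rule are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

NMWG = "{http://ggf.org/ns/nmwg/base/2.0/}"
XACML = "urn:oasis:names:tc:xacml:1.0:"

# Constructed sample in the metadata/subject layout proposed in the thread.
SAMPLE = """<nmwg:message id="authRMessage1" type="AuthNEERequest"
  xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"
  xmlns:aa="http://ggf.org/ns/nmwg/tools/org/perfsonar/service/as/1.0/">
 <nmwg:metadata id="authRMetadata">
  <aa:subject id="authRSubject"><Request>
   <Subject><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"><AttributeValue>kan</AttributeValue></Attribute></Subject>
   <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"><AttributeValue>http://perfsonar.net/MA</AttributeValue></Attribute></Resource>
   <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"><AttributeValue>read</AttributeValue></Attribute></Action>
  </Request></aa:subject>
  <aa:parameters id="keys"><nmwg:parameter name="SecurityToken">XXXXXXX</nmwg:parameter></aa:parameters>
 </nmwg:metadata>
 <nmwg:data id="authN1" metadataIdRef="authRMetadata"/>
</nmwg:message>"""

def _one(request, section, attr_id):
    # Return the single non-empty value of one XACML attribute, or raise.
    vals = [(a.findtext("AttributeValue") or "").strip()
            for a in request.findall(f"{section}/Attribute")
            if (a.get("AttributeId") or "").strip() == XACML + attr_id]
    if len(vals) != 1 or not vals[0]:
        raise ValueError(f"expected exactly one {attr_id}")
    return vals[0]

def parse_auth_request(xml_text):
    # Refuse DTDs outright so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs and entities are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != NMWG + "message" or root.get("type") != "AuthNEERequest":
        raise ValueError("not an AuthNEERequest message")
    # The data trigger must point at a metadata block that really exists.
    meta_ids = {m.get("id") for m in root.findall(NMWG + "metadata")} - {None}
    data = root.findall(NMWG + "data")
    if len(data) != 1 or data[0].get("metadataIdRef") not in meta_ids:
        raise ValueError("data must reference a metadata block")
    reqs = list(root.iter("Request"))  # un-namespaced, as in the thread
    toks = [(p.text or "").strip() or (p.get("value") or "").strip()
            for p in root.iter(NMWG + "parameter")
            if p.get("name") == "SecurityToken"]
    # Two Requests or two tokens would make the decision ambiguous: reject.
    if len(reqs) != 1 or len(toks) != 1 or not toks[0]:
        raise ValueError("need exactly one Request and one SecurityToken")
    r = reqs[0]
    return {"token": toks[0], "subject": _one(r, "Subject", "subject:subject-id"),
            "resource": _one(r, "Resource", "resource:resource-id"),
            "action": _one(r, "Action", "action:action-id")}
```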