The Credential Delegation Service (CDS) is a WSRF-compliant Grid service that enables users/services (the delegator) to delegate their Grid credentials to other users/services (the delegatee) such that the delegatee(s) may act on the delegator's behalf. The CDS enables secure workflow, distributed queries and web application single sign-on.

Consider a use case where a user, Bob, wishes to invoke a simple workflow in which three services interact with one another sequentially. Upon completion, Workflow Step 1 calls Workflow Step 2, which in turn calls Workflow Step 3. Now consider the following access control policies for these services:
Bob has been granted access to each of these service resources.
None of the services has access to the other services' resources.
Credential Delegation Service (CDS)
Since the services do not have access to one another's resources, the services must connect to one another as Bob in order to successfully execute this workflow. In order to interact with one another as Bob, each of the first two services in the workflow, Workflow Step 1 and Workflow Step 2, must have Bob's Grid credentials so that it can authenticate as Bob. The CDS provides a secure mechanism for Bob to provide his credentials to the workflow services so that they may act on his behalf.
Besides enabling secure workflow, the CDS enables secure execution of other technologies and frameworks, including distributed queries and web application single sign-on.
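The three-step workflow described above can be modelled to show which caller identity each service sees with and without delegation. This is an added example, not CDS code: `ToyCDS`, `run_workflow`, the named-delegatee check and the expiry tick are assumptions made for illustration, and the identities stand in for real Grid credentials.

```python
from dataclasses import dataclass

# Access control from the page: Bob may use every service; no service may use another.
ACL = {"step1": {"bob"}, "step2": {"bob"}, "step3": {"bob"}}

@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegatees: frozenset   # identities allowed to fetch the credential (assumed policy)
    expires_at: int         # constructed clock tick, not a real timestamp

class ToyCDS:
    """Stand-in for the CDS: holds delegations and releases them to named delegatees."""
    def __init__(self):
        self._store = {}

    def delegate(self, delegator, delegatees, expires_at):
        self._store[delegator] = Delegation(delegator, frozenset(delegatees), expires_at)

    def get_credential(self, requester, delegator, now):
        d = self._store.get(delegator)
        if d is None or requester not in d.delegatees or now >= d.expires_at:
            return None          # not delegated, not a named delegatee, or expired
        return d.delegator       # identity the requester may now act as

def run_workflow(cds, user, now):
    """Return the (target, caller identity, allowed) decision for each hop."""
    hops = [(user, "step1"), ("step1", "step2"), ("step2", "step3")]
    trace = []
    for caller, target in hops:
        # The user calls as themselves; a service calls as the delegator if the
        # CDS releases the credential to it, otherwise under its own identity.
        identity = caller if caller == user else (cds.get_credential(caller, user, now) or caller)
        allowed = identity in ACL[target]
        trace.append((target, identity, allowed))
        if not allowed:
            break                # the workflow stops at the first denied call
    return trace
```

Workflow Step 3 makes no onward call, so it never needs to be a delegatee; leaving it out of the delegation keeps Bob's credential with the two services that actually need it.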