Table of Contents
Authorization is the process of determining who is allowed to perform what actions on a given resource. The goal of the caGrid 1.1 authorization framework is to empower service providers and data owners to make authorization decisions. One of the major focuses of the caGrid 1.1 authorization framework is to provide higher level services to facilitate authorization at the grid level. These services will be made available to service providers and will be developed based on community demand. The purpose of this document it to present the design of Grid Grouper, a grid service for instantiating and managing groups of users in a grid. Given such a service, access to resources can be restricted based on membership to groups.
Suppose we have a Patient Provider service, that provides patient information about an institution's Patients, and that any user classified as a Doctor can access the patient information provided by the Patient Provider service. The deployment scenario shown in Figure 1contains three Patient Provider services one at Duke, one at Georgetown, and one at the Ohio State University. The Duke Patient Provider Service allows access to users that are classified as Doctors by Duke (represented by the Duke Doctors group). The Georgetown Patient Provider Service allows access to users that are classified as Doctors by Georgetown (represented by the Georgetown Doctors group). The Ohio State University Patient Provider Service allows access to users that are classified as Doctors by caBIG, where a user is classified as a caBIG Doctor if they are classified as a Doctor by a caBIG affiliated institution. In current scenario caBIG Doctors are all the users classified by Duke as Doctors and all the users classified by Georgetown as Doctors.
In order to be able to efficiently manage and scale access control policy it is critical that policy is based on "groups or users" or "attributes of users". In this simple use case access to the Ohio State Patient Provider service is based on membership to the caBIG Doctors group. It is important to note that as users are added and removed to that group, the authorization policy is not changed.
Grid Grouper provides a group based authorization solution for caGrid, where grid services and applications enforce authorization policy based on membership to groups defined and managed at the grid level. Grid Grouper is built on top of Grouper  an internet2 initiative focused on providing tools for group management. Grouper is a java object model which currently supports: basic group management by distributed authorities; subgroups; composite groups (whose membership is determined by the union, intersection, or relative complement of two other groups); custom group types and custom attributes; trace back of indirect membership; delegation. Applications interact with Grouper by embedding the Grouper's java object model within applications. Grouper does not provide a service interface for accessing groups. Grid Grouper (Figure 2) is a grid enabled version of Grouper, providing a web service interface to the Grouper object model. Grid Grouper make groups managed by Grouper available and manageable to applications and other services in the grid. Grid Grouper provides an almost identical object model to the Grouper object model on the grid client side. Applications and services can use the Grid Grouper object model much like they would use the Grouper object model to access and manage groups as well as enforce authorization policy based on membership to groups. Grid Grouper provides a fully functional administrative UI for accessing and administrating groups in Grid Grouper.
In Grouper/Grid Grouper groups are organized into namespaces or stems. Each stem can have a set of child stems and set of child groups with exception to the root stem which cannot have any child groups. The Stem hierarchy in Grid Grouper is publicly visible to anyone accessing the service, however the ability to view a group within a stem publicly depends on the privileges for the group. A Stem can have two types of privileges associated with it, the "Stem Privilege" and the "Create Privilege". Users with the "Stem Privilege" can create, modify, and remove child stems. Users with the "Create Privilege" can create, modify, and remove child groups.
In Grouper/Grid Grouper groups are compromised of a set of metadata describing the group, a set of members in the groups, and a set of privileges assigned to users for protecting access to the group. Grid Grouper provides three mechanisms for adding members to a group: 1) Directly adding a member 2) Adding a subgroup to a group 3) Making a group a composite of other groups. Directly adding a user as a member to a groups is straight forward, these members are referred to as "Immediate Members". Adding a subgroup to a group makes all the members of the subgroup members of the group in which the subgroup was added. Members in a group whose membership is granted by membership in a sub group are referred to as "Effective Members". A group can also be set to be a Composite group. A composite group consists of a set operation (Union, Intersection, Complement) on two other groups. For example a composite group consisting of the Intersection of Group X and Group Y would contain all the members that are both member of Group X and Group Y. Members whose membership is granted through a composite group are referred to as "Composite Members".
To protect access to groups in Grid Grouper, users can be assigned the following privileges on a group: View, Read, Update, Admin, Optin, and Optout. Users with the View privilege can see that the group exists. Users with the Read privilege can read basic information about the group. Users with the Update Privilege can manage memberships to the group as well as administer View, Read, and Update privileges. Users with the Admin privilege can modify/administer anything on the group: metadata, privileges, and memberships. Users with the Optin privilege can add themselves as a member to a group, similarly users with the Opout privilege can remove themselves from a group. By default Grid Grouper grants Read and View privileges to all users on each group.
Initially grid grouper has a root stem with on child stem named "Grouper Administration" (grouperadministration). The Grouper Administrative stem contains one group named "Grid Grouper Administrators" (grouperadministration:gridgrouperadministrators). The "Grid Grouper Administrators" is the super user group for Grid Grouper, all members of this group will have admin privileges on all the stems and groups within Grid Grouper. This group is initially empty, but at least one administrative user must be added during Grid Grouper installation. This can be done using the GridGrouperBootstrapper command line tool.
The Grid Grouper object model provides an API for applications and services to access groups managed by Grid Grouper. The object model can be used to enforce access control policies in applications. For example the object model can be used for determining membership to a group in an application that allows access to a specific area of the application if the user is a member of a specified group. The Grouper object model can also be used to administrate Grid Grouper. As a testament to this the Grid Grouper Admin UI application was built on top of the Grid Grouper object model. The Grid Grouper object model consists of several objects: GridGrouper, Stem, Group, Member, Membership, NamingPrivilege, and AccessPrivilege. The Grid Grouper object corresponds to an instance of a Grid Grouper service, it provides high level operations such as finding stems and groups or determining is a user is a member of a group, etc. The Stem object represents an instance of a stem within Grid Grouper. The Stem object provides operations for managing the stem: viewing metadata, managing child stems, managing child groups, managing stem privileges, etc. The group object models a group instance within Grid Grouper, providing operations for managing metadata, managing privileges, and managing members. In the remainder of this section we will provide several code examples of performing common tasks with the Grid Grouper object model.
- Cancer Biomedical Informatics Grid (caBIGTM), https://cabig.nci.nih.gov.
- Cancer Biomedical Informatics Grid (caBIGTM), https://cabig.nci.nih.gov/workspaces/Architecture/caGrid/