Version 66 (modified 19 years ago)
LDAP and RBAC
In normal, scheduled operation, ORBIT security means making sure that each person using an ORBIT resource is allowed to do so at that time. ORBIT uses the Lightweight Directory Access Protocol (LDAP) to authenticate each user's password when he or she logs into an ORBIT controller or server. LDAP authentication, together with the proper use of ORBIT user IDs and passwords, ties each user ID to a single human user. A single person may hold one or more ORBIT user IDs. Each user ID may be logged into one or more sessions, and during each session the user may start multiple processes. A process is an instance of a user running an application program such as a spreadsheet, editor or browser.
Role-Based Access Control (RBAC) will be used by ORBIT to control each user's access to ORBIT resources according to the role he or she is acting in. Some terminology first. When a user runs an application program, the resulting process acts on behalf of the user and is referred to as a subject. An object is any resource accessible on a computer system, including peripherals, files, databases, and fields in a database. An operation is an action invoked by a subject process, much like a function call or a method invocation. In general, a permission or privilege is an authorization to perform some action on the system; in RBAC, a permission is the authorization to perform a given operation on a given object.
The use of roles to control access rests on the observation that an organization may have thousands of users, but fewer than a hundred distinct roles in which they act at any given time to access resources. Users are assigned to one or more roles, and each role is assigned a set of permissions. A subject process run by a user acting in a role may perform an operation on an object only if that permission is assigned to the role; any operation that no role of the user permits is denied.
Two special constraints are needed with role-based access control for ORBIT. First, a primary goal of ORBIT is to ensure that each user has access to data and results only for his or her own project. Second, use of the grid is scheduled, so its access control has to be integrated with the ORBIT grid scheduler: a permission to use the grid should be effective only during the user's scheduled time.
As with any access control mechanism, role-based access control imposes some performance penalty. It should nevertheless provide sufficiently flexible control with acceptable performance at reasonable administrative cost. In ORBIT, role-based access control will be implemented using mechanisms provided by LDAP. It is expected that this implementation will perform acceptably while providing the desired security.
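The following is an added illustration of the pieces described above, not ORBIT's own code: it parses a small LDIF snippet (constructed for this example) into an in-memory directory, models the LDAP simple bind that checks a user's password against an OpenLDAP-style {SSHA} userPassword value, reads the user-to-role assignment from groupOfNames role entries, and runs a default-deny RBAC check that applies the two ORBIT constraints (results scoped to the user's own project, and grid use only during that project's reservation). The directory layout (dc=orbit,dc=example with ou=people and ou=roles), the role-to-permission table held in the application rather than in the directory, and the reservation table standing in for the grid scheduler are assumptions made for this example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password: str, stored: str) -> bool:
    """Verify a password against a {SSHA} value, as a server does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

# Constructed directory content, not ORBIT's real LDIF. A user's `ou` names the project;
# each role is a groupOfNames whose `member` values are the user-to-role assignment.
LDIF = f"""\
dn: uid=alice,ou=people,dc=orbit,dc=example
objectClass: inetOrgPerson
ou: proj-mesh
userPassword: {make_ssha('alice-pw', b'salt0001')}

dn: uid=bob,ou=people,dc=orbit,dc=example
objectClass: inetOrgPerson
ou: proj-ofdm
userPassword: {make_ssha('bob-pw', b'salt0002')}

dn: cn=experimenter,ou=roles,dc=orbit,dc=example
objectClass: groupOfNames
cn: experimenter
member: uid=alice,ou=people,dc=orbit,dc=example
member: uid=bob,ou=people,dc=orbit,dc=example

dn: cn=operator,ou=roles,dc=orbit,dc=example
objectClass: groupOfNames
cn: operator
member: uid=bob,ou=people,dc=orbit,dc=example
"""

# Role-to-permission table held by the application (an assumption: standard LDAP schema has
# no permission attribute). "{project}" is the caller's own project; "results/*" is a prefix.
PERMISSIONS = {
    "experimenter": {("read", "results/{project}"), ("write", "results/{project}"), ("run", "grid")},
    "operator": {("read", "results/*"), ("reboot", "node")},
}

# Constructed stand-in for the grid scheduler: (project, start, end) reservations.
RESERVATIONS = [("proj-mesh", datetime(2024, 5, 1, 9, tzinfo=timezone.utc), datetime(2024, 5, 1, 11, tzinfo=timezone.utc))]

def parse_ldif(text: str) -> dict:
    """LDIF records -> {dn: {attr: [values]}}; handles '::' base64 values, not folded lines."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():                     # a blank line ends the record
            if current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def authenticate(directory: dict, dn: str, password: str) -> bool:
    """Model of an LDAP simple bind on `dn`. An empty password is refused first: RFC 4513 calls
    DN-plus-empty-password an *unauthenticated* bind, which servers may accept without proving
    anything, so a login path must never treat it as success."""
    if not password:
        return False
    return any(check_ssha(password, pw) for pw in directory.get(dn, {}).get("userPassword", []))

def roles_of(directory: dict, dn: str) -> set:
    """User-to-role assignment, read from the groupOfNames role entries."""
    return {e["cn"][0] for e in directory.values()
            if "groupOfNames" in e.get("objectClass", []) and dn in e.get("member", [])}

def authorize(directory: dict, dn: str, operation: str, obj: str, now: datetime) -> bool:
    """Default-deny RBAC check with ORBIT's two constraints: results are scoped to the caller's
    own project, and the grid is usable only during that project's reservation."""
    project = directory[dn].get("ou", [""])[0]
    for role in roles_of(directory, dn):
        for op, target in PERMISSIONS.get(role, ()):
            target = target.replace("{project}", project)
            matches = target == obj or (target.endswith("/*") and obj.startswith(target[:-1]))
            if op != operation or not matches:
                continue
            if obj == "grid" and not any(p == project and s <= now < e for p, s, e in RESERVATIONS):
                continue                         # the role allows it, but nothing is scheduled now
            return True
    return False

if __name__ == "__main__":
    d, alice = parse_ldif(LDIF), "uid=alice,ou=people,dc=orbit,dc=example"
    print(authenticate(d, alice, "alice-pw"), sorted(roles_of(d, alice)))
    print(authorize(d, alice, "read", "results/proj-ofdm", RESERVATIONS[0][1]))
```

Run directly, the script binds as alice, lists her roles, and shows that her experimenter role does not let her read another project's results, while the operator role (bob) can read any project's results. The empty-password branch in `authenticate` is the check most often missed in LDAP login code: a bind with a valid DN and an empty password is an unauthenticated bind under RFC 4513, and a login routine that simply forwards whatever the user typed can admit anyone who knows a valid DN on a server that accepts such binds.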
For Solaris RBAC, see SolarisRbac.
For OASIS RBAC, see OasisRbac.
References
LDAP Version 2 documents in Adobe Acrobat (.pdf) format
- RFC 1959, An LDAP URL Format: ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1959.txt.pdf
- RFC 2596, Use of Language Codes in LDAP: ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2596.txt.pdf
LDAP Version 3 documents
- RFC 4511, LDAP: The Protocol: ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4511.txt.pdf
- RFC 4512, LDAP: Directory Information Models: ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4512.txt.pdf
- RFC 4516, LDAP: Uniform Resource Locator: ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4516.txt.pdf
- RFC 4517, LDAP: Syntaxes and Matching Rules: ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4517.txt.pdf
- RFC 4519, LDAP: Schema for User Applications: ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4519.txt.pdf
LDAP Data Interchange Format (LDIF)
Role-Based Access Control (RBAC) Documents
Attachments (2)
- rfc4510.txt.pdf (9.7 KB), added 19 years ago.
- ANSI+INCITS+359-2004.pdf (356.3 KB), added 19 years ago.