This is a static archive of the previous Open Grid Forum GridForge content management system saved from host forge.ogf.org file /sf/sfmain/do/go/artf5957?nav=1&selectedTab=comments at Sun, 06 Nov 2022 09:04:58 GMT SourceForge : artf5957: Kerberos Token Forwarding Use Case

Project: OGSA-WG
Artifact artf5957 : Kerberos Token Forwarding Use Case
Tracker: Information security use cases
Title: Kerberos Token Forwarding Use Case
Description:
Kerberos Token Forwarding Use Case

This use case describes a desired operational mode supporting use of a deployed Kerberos authentication infrastructure for grid access control. The grid environment could be within a single organization, or span multiple organizations if cross-realm Kerberos trusts have been established. The requirement is to support resource access by a job (J) running on behalf of a user (U) based on authenticated user identity and attribute information conveyed in a Kerberos token. The user is assumed to only communicate directly with a scheduling service (S) (for example, a BES container service). S then determines a suitable computational host and communicates the information necessary to run the user's job on that host. It is assumed all the grid services are web services which communicate using SOAP-based protocols.

To support this use case, U must be able to authenticate to S using Kerberos. S is then responsible for binding the Kerberos authentication information to U's job request. Note that U doesn't know which execution host will eventually run J, and therefore cannot supply a Kerberos service ticket for the execution host. When S schedules J, it authenticates to the execution host based on its identity, and must securely communicate U's Kerberos authentication information as part of the job creation request. The execution host then uses U's Kerberos authentication information (user's account and group membership) to establish the job's security context. This could involve running the job under the user's account or obtaining new Kerberos service tickets on behalf of the user for any required job resources. The security context provides the authenticated information that determines the job's rights to access local and/or remote resources.

Regards,

Blair Dillaway
Submitted By: Hiro Kishimoto
Submitted On: 07/22/2007 4:02 AM EDT
Last Modified: 07/22/2007 4:02 AM EDT
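
The binding step in the use case above, sketched as an added example that is not part of the original submission or of any OGSA specification: the scheduler binds the user's authenticated identity and groups to one specific job, and the execution host checks that binding before it establishes the job's security context. An HMAC under a key shared by S and the host stands in for the Kerberos-protected channel; every name, key and the 300-second window are assumptions.

```python
import hashlib, hmac, json

MAX_AGE = 300  # seconds a binding stays acceptable (assumed policy)

def _mac(key, claims):
    # Canonical JSON so both sides MAC identical bytes.
    blob = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def bind_job(key, scheduler, user, groups, job, now):
    """Scheduler side: bind U's authenticated identity to this exact job."""
    claims = {"scheduler": scheduler, "user": user, "groups": sorted(groups),
              "job_sha256": hashlib.sha256(job).hexdigest(), "issued": now}
    return {"claims": claims, "mac": _mac(key, claims)}

def establish_context(keys, request, job, now):
    """Execution host side: return the job's security context or raise."""
    claims = request["claims"]
    key = keys.get(claims["scheduler"])
    if key is None:
        raise PermissionError("scheduler not trusted to forward identities")
    if not hmac.compare_digest(_mac(key, claims), request["mac"]):
        raise PermissionError("binding altered or not from this scheduler")
    if hashlib.sha256(job).hexdigest() != claims["job_sha256"]:
        raise PermissionError("binding belongs to a different job")
    if not 0 <= now - claims["issued"] <= MAX_AGE:
        raise PermissionError("binding expired")
    return {"run_as": claims["user"], "groups": claims["groups"]}

# Constructed sample values, not taken from the page.
KEYS = {"sched@GRID.EXAMPLE": b"constructed-session-key"}
JOB = b"#!/bin/sh\n./simulate --input data.h5\n"
REQ = bind_job(KEYS["sched@GRID.EXAMPLE"], "sched@GRID.EXAMPLE",
               "alice@GRID.EXAMPLE", ["physics", "users"], JOB, now=1000)

def outcome(request, job, now):
    """Return the security context, or the refusal reason as a string."""
    try:
        return establish_context(KEYS, request, job, now)
    except PermissionError as exc:
        return str(exc)

if __name__ == "__main__":
    print(outcome(REQ, JOB, 1010))
    print(outcome(REQ, b"other job", 1010))
```

The host derives the job's account and groups only from claims whose integrity it has verified, so a forwarded identity cannot be reattached to another job or replayed after the window closes.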

Status  
Group: *
Status:* Open
Category: *
Customer: *
Priority: * 3
Assigned To: * Duane Merrill
Reported in Release: *
Fixed in Release: *
Estimated Hours: * 0
Actual Hours: * 0
Comments
Hiro Kishimoto: 07/22/2007 4:02 AM EDT
  Action: Create


 
 
 