A VO-friendly, Community-based Authorization Framework Part 1: Use Cases, Requirements, and Approach

The era of massive surveys like LSST are driving the increasing necessity for astronomical research that is network-based and features remote data access and remote data analysis. With the development of the Virtual Observatory (VO) come the tools to make remote science easier. The VO community is large—thousands of potential users, and traditional authorization models based on individuals will simply not scale. In traditional models, authorization policies are enforced solely using permissions associated with login accounts; thus, a user or group must exist for every set of authorizations. This three-part document proposes an application of the Globus Community Authorization Service (CAS) to centralize authorization policies that must be enforced by a number of resources, minimizing the authorization intelligence needed by the resources. To ease the burden on users, we introduce the concept of weak certificates that enable a sufficient level of access control common in many existing web based applications today but which is compatible with stricter grid security practices. In part 1, we describe three general use cases that we aim to address, list requirements, and summarize our approach using the Globus CAS. In part 2, we describe how the CASbased model can be applied to a single organization that manages many distributed services and users within a single administration domain. In part 3, we extend the model for use in VO applications that span across administration domains; in this model, VO users can establish a single login that can be used with any compliant portal or service.