Authorization types

Finally, we're going to describe the different authorization types in GSI. Remember that, although authorization is not one of the 'fundamental pillars' of a secure conversation, it is nonetheless a very important concept. Authorization refers to who is authorized to perform a certain task. In a Grid Services context, we will generally need to know who is authorized to use a certain grid service.

GSI supports authorization on both the server side and the client side. Each side has three authorization mechanisms, and we will be able to choose one of them when we start writing secure grid services.

Server-side authorization

The server has three authorization modes. Depending on the authorization mode we choose, the server will decide if it accepts or declines an incoming invocation.

  • None: This is the simplest type of authorization. No authorization will be performed.

  • Self: A client will be allowed to use a grid service if the client's identity is the same as the service's identity.

  • Gridmap: A gridmap is a list of 'authorized users' akin to an ACL (Access Control List). We will see them in detail later on. When this type of authorization is used, only the users that are listed in the service's gridmap may invoke it.

Client-side authorization

Client-side authorization lets the client decide whether it will allow a grid service invocation to go ahead. This might seem like an odd type of authorization, since authorization is generally seen from the server's perspective ("Do I allow client FOO to connect to grid service BAR?"). However, in GSI, clients have every right to be picky about the services they access.

  • None: No authorization will be performed.

  • Self: The client will authorize an invocation if the service's identity is the same as the client's. If we use both client-side and server-side Self authorization, a service can be invoked if and only if its identity matches the client's.

  • Host: The client will authorize an invocation if the host returns an identity containing the hostname. This is done using host certificates. The tutorial currently doesn't cover host certificates, although a future version will.

Please note that it's very easy to mix up client- and server-side authorization because they have two mechanisms (None and Self) in common.
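To make the two sides concrete, here is an added example (not code from this tutorial or from Globus) that evaluates the three server-side modes and the three client-side modes described above. It assumes identities are X.509 subject DNs in OpenSSL one-line form and that a gridmap follows the usual Globus layout of one quoted DN followed by its local account(s) per line; the DNs, hostname and accounts in it are constructed.

```python
"""GSI-style authorization decisions. Added example, not tutorial or Globus code;
assumes OpenSSL one-line DNs and Globus gridmap lines: '"DN" user[,user...]'."""
import shlex


def parse_gridmap(text):
    """Map each listed DN to its local accounts; malformed lines are dropped, never guessed."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            dn, users = shlex.split(line)  # the quoted DN contains spaces
        except ValueError:  # wrong field count or unbalanced quotes
            continue
        entries[dn] = [u for u in users.split(",") if u]
    return entries


def server_authorizes(mode, client_dn, service_dn, gridmap=None):
    """None accepts everyone; Self needs identical identities; Gridmap needs a listed DN."""
    if mode == "none":
        return True
    if mode == "self":
        return client_dn == service_dn
    if mode == "gridmap":
        return client_dn in (gridmap or {})
    raise ValueError(f"unknown server mode {mode!r}")


def client_authorizes(mode, service_dn, client_dn, hostname=None):
    """Host accepts a service whose CN names the host ('host/<name>' or bare name)."""
    if mode == "none":
        return True
    if mode == "self":
        return service_dn == client_dn
    if mode == "host":
        _, sep, cn = service_dn.rpartition("/CN=")
        return sep != "" and cn in (f"host/{hostname}", hostname)
    raise ValueError(f"unknown client mode {mode!r}")


# Constructed sample gridmap; the DNs and accounts are made up for this example.
SAMPLE_GRIDMAP = parse_gridmap('''
# DN                                                  local account(s)
"/O=Grid/OU=GlobusTest/OU=example.org/CN=Alice Smith" alice
"/O=Grid/OU=GlobusTest/OU=example.org/CN=Bob Jones"   bob,gridops
/O=Grid/OU=GlobusTest/OU=example.org/CN=Eve Nobody eve
''')
```

The unquoted last gridmap line is deliberately malformed and is discarded, so the corresponding DN is denied under Gridmap authorization; a Host check also rejects a CN that merely has the expected hostname as a prefix.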