SAFe Program / SP-2859

IVOA / IAM Wrapping layer


Details

    • SRCnet
    • Storage Inventory uses IVOA-compatible authorisation standards. We need to implement these in IAM to have a safely usable global SI instance authenticated with SRC IAM.
    • Deployed and working.
    • 19.5
    • Stories Completed, Integrated, Solution Intent Updated, BDD Testing Passes (no errors), Outcomes Reviewed, NFRS met, Demonstrated, Satisfies Acceptance Criteria, Accepted by FO
    • PI24 - UNCOVERED
    • SRC-AAI SRC-DM

    Description

      Document and demonstrate how to use IVOA auth layers from/with IAM

      General

      Authorization decisions in a Storage Inventory (SI) deployment are based on group memberships. These groups are assumed to be known by an implementation of the IVOA Group Membership Service (GMS). Thus, the main goal of this feature is to create an implementation of the GMS protocol based on the group membership information contained in an IAM system. 

      GMS defines a simple REST API that answers the questions:

      • Is this user a member of this group?  (returns: the group if yes, nothing if no)
      • Is this user a member of this set of groups?  (returns: the groups the user is a member of)
      • What groups is this user a member of?  (returns: list of groupURIs)

      The GMS REST API can be found in section 3 of the recommendation:
          https://ivoa.net/documents/GMS/20220222/REC-GMS-1.0.html#tth_sEc3

      The 'user', the subject of the membership inquiry, is the user who is making the REST call to GMS.  Thus, the user's identity must be determined from the call itself, not from any parameter the caller supplies.  How that identity is collected is specific to the authentication method being used.  For the purposes of this feature, tokens may be the best choice for authentication.

      Further details

      The process that callers of GMS use to locate the service involves a registry lookup on the group URI. For example, a group would have a URI like ivo://srcnet.skao.int/gms?TestRead. Callers, through a registry call, would discover that groups with the authority srcnet.skao.int have an associated GMS instance at a URL such as (made-up example) https://srcnet.skao.int/gms.

      However, for the scope of this feature, tests to the GMS service can assume that the GMS URL is known.

      The API is very lightweight and so implementation mostly involves querying the back-end group datasource, in this case IAM.
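      The following is an added illustration, not code from SP-2859 or from the Storage Inventory, GMS or IAM projects. It models the three GMS questions above as plain functions over an in-process stand-in for IAM: the caller's subject is taken only from the presented token (simulating IAM token introspection), group URIs of the form ivo://<authority>/gms?<name> are parsed and only groups of this instance's authority are answered for, and the three answer shapes (the group or nothing; the matching subset; the full list of groupURIs) follow the description. The token values, group data, authority, function names and the "reject foreign-authority URIs with an error" policy are assumptions; the real HTTP paths from section 3 of REC-GMS-1.0 are not reproduced here.

```python
"""Minimal GMS-style membership logic backed by an IAM stand-in (added example)."""
from typing import Optional
from urllib.parse import urlsplit

# Authority this GMS instance serves; taken from the example URI in the ticket,
# but which instance serves which authority is an assumption here.
GMS_AUTHORITY = "srcnet.skao.int"

# Constructed stand-in for IAM: opaque access token -> subject, subject -> IAM groups.
# A real deployment would call IAM token introspection / the IAM groups API instead.
IAM_TOKENS = {
    "tok-alice-valid": "alice",
    "tok-bob-valid": "bob",
}
IAM_GROUPS = {
    "alice": {"TestRead", "TestWrite"},
    "bob": {"TestRead"},
}


class GmsError(Exception):
    """Raised for conditions a REST layer would map to an HTTP error status."""


def introspect(token: Optional[str]) -> str:
    """Return the subject behind a bearer token (simulated introspection).

    The subject comes only from the token; a caller can never name another
    user, because every question is about the caller itself.
    """
    if token is None or token not in IAM_TOKENS:
        raise GmsError("401 unauthenticated: token missing, unknown or expired")
    return IAM_TOKENS[token]


def parse_group_uri(uri: str) -> str:
    """Split ivo://<authority>/gms?<group> and accept only our own authority."""
    parts = urlsplit(uri)
    if parts.scheme != "ivo" or parts.netloc != GMS_AUTHORITY or not parts.query:
        raise GmsError(f"400 group URI not served by this GMS instance: {uri}")
    return parts.query


def group_uri(name: str) -> str:
    """Build the group URI for a group name of our authority."""
    return f"ivo://{GMS_AUTHORITY}/gms?{name}"


def is_member(token: Optional[str], uri: str) -> Optional[str]:
    """Question 1: the group URI if the caller is a member, otherwise None."""
    subject = introspect(token)
    name = parse_group_uri(uri)
    return uri if name in IAM_GROUPS.get(subject, set()) else None


def member_of_subset(token: Optional[str], uris: list) -> list:
    """Question 2: those of the given groups the caller belongs to, in input order."""
    subject = introspect(token)
    mine = IAM_GROUPS.get(subject, set())
    return [u for u in uris if parse_group_uri(u) in mine]


def memberships(token: Optional[str]) -> list:
    """Question 3: every group URI the caller belongs to (sorted for stable output)."""
    subject = introspect(token)
    return sorted(group_uri(n) for n in IAM_GROUPS.get(subject, set()))


if __name__ == "__main__":
    print(is_member("tok-alice-valid", group_uri("TestWrite")))
    print(member_of_subset("tok-bob-valid", [group_uri("TestWrite"), group_uri("TestRead")]))
    print(memberships("tok-alice-valid"))
    try:
        memberships("tok-forged")
    except GmsError as err:
        print(err)
```

      Two points worth keeping when wrapping this in a real REST service: an unknown or expired token yields an authentication error rather than an empty membership list, so a failed IAM lookup is never indistinguishable from "not a member"; and a URI for a group under another authority is refused outright instead of being silently dropped from the answer, so callers notice a registry misconfiguration.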

      Next

      After this feature is complete, a token-based Credential Delegation Service (CDP) will be needed.  It is required so that callers of GMS can obtain the credentials (token?) needed to call GMS on the original user's behalf.

      Attachments

        1. GMS API Contract.docx (710 kB)
        2. IAM_info.odp (684 kB)
        3. IAM_info.pdf (581 kB)

      People

        Rajesh Tamhane (R.Tamhane)
        Brian Major (B.Major)

      Feature Progress

        Story Point Burn-up: (0%)
        Feature Estimate: 0.0

        Status        Issues   Story Points
        To Do         0        0.0
        In Progress   0        0.0
        Complete      0        0.0
        Total         0        0.0
