The INAF CTA Authentication and Authorization Infrastructure (AAI) protects CTA resources and digital assets through role-based authorization, combining federated authentication (based on the eduGAIN inter-federation) with centralized authorization managed at consortium level. The infrastructure also supports accountability by maintaining logs of relevant events for audit.
The current implementation of the INAF-CTA AAI provisions more than 1000 consortium SAML identities and releases a persistent, non-reassignable identifier, as required by the CTA user requirements. Observers and Guest Users can also authenticate through the eduGAIN inter-federation. Authorization is performed by a dedicated Attribute Authority that supports the definition, management and provisioning of roles based on groups and subgroups. Web interfaces are provided for group administration, and web services expose the same functionality in a service-oriented architecture.
The interface to the Attribute Authority is implemented as web services that expose the entire business logic through SOAP and REST APIs.
Endpoint: https://grouper.oact.inaf.it/grouper-ws
Useful operations include:
The CTA prototype of the Proposal Handling System is an example of a system built on the INAF Attribute Authority services. Here the Attribute Authority web services are used to manage Guest Observer proposals from their compilation and submission through to their evaluation and scheduling.
Role-based authorization is used extensively to identify, for example, Observers (astronomers who can submit proposals to perform observations) and Reviewers (members of the time allocation committee who review the submitted proposals).
In this case a new stem is created for each proposal id (e.g. proposalId = 003), new groups are created inside that stem to describe the user roles (e.g. “PI” and “CO-I” groups), and members are assigned to those groups. Because the role groups live under the proposal's own stem, each proposal's PI and CO-I memberships stay scoped to that proposal.
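As an added example (not code from this page or from the Grouper project), the proposal workflow above expressed as calls to the Grouper web services: one stem per proposal, PI and CO-I groups inside it, members added to those groups, and the membership check a proposal handling system would run at authorization time. It serves both the web services interface described above (REST API at the endpoint given) and the proposal stem/group layout. The request and response shapes follow the Grouper WS REST JSON conventions (WsRest*Request wrappers, resultMetadata inside the result object); the version path v2_4_000, the parent stem cta:proposals, the subject IDs and the in-memory FakeGrouper transport are assumptions made for this example so that it runs offline.

```python
from urllib.parse import quote

# Endpoint from the page; the version path, parent stem and subject IDs used
# below are assumptions made for this constructed example.
BASE_URL = "https://grouper.oact.inaf.it/grouper-ws"
WS_VERSION = "v2_4_000"      # assumption: must match the Grouper WS version deployed
ROOT_STEM = "cta:proposals"  # assumption: parent stem holding one stem per proposal id
ROLES = ("PI", "CO-I")       # role groups created inside each proposal stem

def _url(path):
    return f"{BASE_URL}/servicesRest/json/{WS_VERSION}/{path}"

def _seg(name):
    # Grouper names use ':' as the stem separator; everything else is URL-encoded.
    return quote(name, safe=":")

def stem_save_request(stem_name, display):
    """Request that creates (or updates) a stem, here one per proposal id."""
    body = {"WsRestStemSaveRequest": {"wsStemToSaves": [{
        "wsStem": {"name": stem_name, "displayExtension": display},
        "wsStemLookup": {"stemName": stem_name}}]}}
    return "POST", _url("stems"), body

def group_save_request(group_name, display):
    """Request that creates (or updates) a role group inside a stem."""
    body = {"WsRestGroupSaveRequest": {"wsGroupToSaves": [{
        "wsGroup": {"name": group_name, "displayExtension": display},
        "wsGroupLookup": {"groupName": group_name}}]}}
    return "POST", _url("groups"), body

def add_members_request(group_name, subject_ids):
    """Request that adds subjects to a group without replacing existing members."""
    body = {"WsRestAddMemberRequest": {
        "subjectLookups": [{"subjectId": s} for s in subject_ids],
        "replaceAllExisting": "F"}}
    return "PUT", _url(f"groups/{_seg(group_name)}/members"), body

def has_member_request(group_name, subject_id):
    """Lite membership check used at authorization time (GET, no body)."""
    return "GET", _url(f"groups/{_seg(group_name)}/members/{_seg(subject_id)}"), None

def check_success(response, result_key):
    # The authoritative status is resultMetadata.success / resultCode inside the
    # result wrapper; an HTTP 200 on its own does not mean the operation succeeded.
    meta = response[result_key]["resultMetadata"]
    if meta.get("success") != "T":
        raise RuntimeError(f"{result_key}: {meta.get('resultCode')} {meta.get('resultMessage', '')}")
    return meta["resultCode"]

def provision_proposal(proposal_id, pi_ids, coi_ids, send):
    """Create the proposal stem, its PI and CO-I groups, and assign the members.
    `send(method, url, body)` performs one call and returns the decoded JSON."""
    stem = f"{ROOT_STEM}:{proposal_id}"
    check_success(send(*stem_save_request(stem, f"Proposal {proposal_id}")), "WsStemSaveResults")
    groups = {}
    for role, members in zip(ROLES, (pi_ids, coi_ids)):
        group = f"{stem}:{role}"
        check_success(send(*group_save_request(group, role)), "WsGroupSaveResults")
        if members:
            check_success(send(*add_members_request(group, members)), "WsAddMemberResults")
        groups[role] = group
    return groups

def is_member(group_name, subject_id, send):
    """Authorization check: True only when Grouper reports IS_MEMBER."""
    code = check_success(send(*has_member_request(group_name, subject_id)), "WsHasMemberLiteResult")
    return code == "IS_MEMBER"

class FakeGrouper:
    """Constructed in-memory stand-in for the endpoint so the example runs offline."""
    OK = {"success": "T", "resultCode": "SUCCESS"}

    def __init__(self):
        self.stems, self.groups, self.calls = set(), {}, []

    def send(self, method, url, body):
        self.calls.append((method, url, body))
        if "WsRestStemSaveRequest" in (body or {}):
            self.stems.add(body["WsRestStemSaveRequest"]["wsStemToSaves"][0]["wsStem"]["name"])
            return {"WsStemSaveResults": {"resultMetadata": dict(self.OK)}}
        if "WsRestGroupSaveRequest" in (body or {}):
            name = body["WsRestGroupSaveRequest"]["wsGroupToSaves"][0]["wsGroup"]["name"]
            self.groups.setdefault(name, set())
            return {"WsGroupSaveResults": {"resultMetadata": dict(self.OK)}}
        group, _, subject = url.split("/groups/", 1)[1].partition("/members")
        subject = subject.lstrip("/")
        if method == "PUT":
            self.groups.setdefault(group, set()).update(
                s["subjectId"] for s in body["WsRestAddMemberRequest"]["subjectLookups"])
            return {"WsAddMemberResults": {"resultMetadata": dict(self.OK)}}
        code = "IS_MEMBER" if subject in self.groups.get(group, set()) else "IS_NOT_MEMBER"
        return {"WsHasMemberLiteResult": {"resultMetadata": {"success": "T", "resultCode": code}}}

if __name__ == "__main__":
    fake = FakeGrouper()
    groups = provision_proposal("003", ["astro01"], ["astro02", "astro03"], fake.send)
    print(groups, is_member(groups["PI"], "astro01", fake.send), is_member(groups["PI"], "astro02", fake.send))
```

Against the real endpoint, `send` would be a function that performs the HTTP call with the client's configured credentials (how the Grouper WS deployment authenticates clients, typically HTTP basic authentication over TLS, is deployment-specific) and decodes the JSON body. The point of `check_success` is that Grouper reports the outcome in `resultMetadata`, so a client that looks only at the HTTP status can miss a failed group save or member assignment and leave a proposal without its role groups, which the proposal handling system would then read as "nobody is authorized" rather than as an error.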
API Source Code: https://github.com/Internet2/grouper
API Samples: https://github.com/Internet2/grouper/tree/master/grouper-ws/grouper-ws/doc/samples
API Documentation: https://spaces.internet2.edu/display/Grouper/Grouper+Web+Services
Alessandro Costa INAF-OACT
Eva Sciacca INAF-OACT
Fabio Vitello INAF-OACT
Django, Shibboleth service provider, Cross border Identity provider, Unity, Grouper, GMS