gtr at ast.cam.ac.uk
Thu Aug 4 01:47:47 PDT 2005
On Wed, 3 Aug 2005, Matthew Graham wrote:
> A VOStore can run in two modes: authorized and unauthorized. An
> unauthorized VOStore is semantically equivalent to an anonymous ftp
> site: any authenticated user (we still maintain security) can put
> something in, move/rename it, get it and delete it.
Yes, and this mode also works as a shared workspace, so may be useful in the
longer term. When we work out how to register stores then we should allow this
mode to be registered.
I suggest that for the ADASS demo we could use the unauthorized mode for
"private" data on an honour system.
However, there's a third mode: "locally authorized". In this, the store
manages its own authorization policy. The simplest policy is that each data
item is owned by the account that creates it, as determined in the
authentication of the creation request, and the owner has implicit read, write
and delete permissions on the owned items. If we allow direct access to stores
that are not soley used as shared workspaces, which was implied by the Kyoto
discussions, then we need this mode. I expect that AstroGrid will implement
this mode, and we may do it in time for ADASS.
> An authorized VOStore will only allow the requested operation if a valid
> authentication token is included in the request - all the VOStore has to
> do here is validate the authentication token. The generation of the
> authentication token is handled by VOSpace: it makes sure that the
> authenticated user has permission to do what they are requesting and if
> so, places a valid token in the request down to the VOStore.
Sounds good. One way of doing the "token" would be a service certificate for
the VOspace service s.t that service makes requests to the stores in its own
name. It would be better to reuse the authentication code that we already have
then to introduce a new system.
This form for the space-store communication fits with the locally-authorized
store. The space is a kind of super-user with full access to all data items,
extending slightly the authorization policy of the stores.
Guy Rixon gtr at ast.cam.ac.uk
Institute of Astronomy Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
More information about the vospace