Drop me links to the AG 2.0 specs after the presentation please

Jay Beavers jbeavers at microsoft.com
Wed Oct 9 19:38:00 CDT 2002


Globus works by providing security principals in the form of X.509 certificates.  As will a future version of Passport, as can any number of 3rd party certificate providers.  WS-Security will accept as the security principal an X.509 certificate.  When a .NET implemented web service receives a call over WS-Security, it can then extract the associated X.509 certificate and either authorize using that directly or associate it with an Active Directory account and authorize access based on that account.
 
I think we have a good Globus Identity -> WS-Security -> Server side authorization story available to us.
 
 
Regarding back end storage story, it would help provide an interoperability and versioning story if a backend storage schema was defined.  For instance, today we run a couple of different Venue Services on our production venue service box due to the evolving nature of venue functionality, however they all share the same store. Similarly, the AG 1.0 client's expected venue interface could run on a server talking to the same data as the AG 2.0's venue service.
 
 - jcb

	-----Original Message----- 
	From: Ivan R. Judson [mailto:judson at mcs.anl.gov] 
	Sent: Wed 10/9/2002 8:30 AM 
	To: Jay Beavers 
	Cc: Todd Needham; 'Michael E. Papka'; 'Ag-Dev at Mcs. Anl. Gov' 
	Subject: RE: Drop me links to the AG 2.0 specs after the presentation please
	
	
	 
	Hey Jay,
	 
	Thanks for the WSDL pointer.
	 
	My impression was that SASL was an abstraction layer for security APIs. Globus has been bound into an open source SASL library. My thought was that if we bound to SASL instead of directly to Globus, the actual security implementation could be more easily exchanged for a different one. If Passport were SASL bound, it'd be trivial to switch from Globus to Passport, for example.
	 
	In terms of data store, I don't think it matters completely. I could envision a flat file system with XML files, an SQL database, or an in-memory structure to store all the information. Part of the challenge is composing basic web services into more advanced services (like Venues). Understanding the right back-end data solution that allows data persistence and web service composition is new to me (and as far as I can tell, everyone ;-).  I'm not opposed to SQL, just want to make sure it's the best choice.
	 
	--Ivan

		-----Original Message-----
		From: Jay Beavers [mailto:jbeavers at microsoft.com] 
		Sent: Friday, October 04, 2002 12:17 PM
		To: judson at mcs.anl.gov
		Cc: Todd Needham; Michael E. Papka; Ag-Dev at Mcs. Anl. Gov
		Subject: RE: Drop me links to the AG 2.0 specs after the presentation please
		
		

		Our latest WSDL can be found at:

		http://services.learningwebservices.com/venueservice/venueservice.asmx?WSDL

		 

		A real brief read of SASL shows it as another authentication protocol, not addressing authorization.

		 

		Well, you are SQL backended today and a goal I would like to reach would be that CXP Venue Service, AG Venue Server, and NCSA Scheduler can all run on the same box sharing the same backend data.  What form of datastore do you feel is appropriate for an AG 2.0 service if not SQL?

		 

		-----Original Message-----
		From: Ivan R. Judson [mailto:judson at mcs.anl.gov] 
		Sent: Wednesday, October 02, 2002 7:21 PM
		To: Jay Beavers
		Cc: Todd Needham; 'Michael E. Papka'; 'Ag-Dev at Mcs. Anl. Gov'
		Subject: RE: Drop me links to the AG 2.0 specs after the presentation please

		 

		 

		Hey Jay,

		 

		Thanks for the feedback already.  I need to read over the WS-Security spec, I know it's been in flux lately, but I need to get more familiar with it. Maybe while I'm home after the baby comes tomorrow (shyeah).

		 

		We do have this general problem of thinking of ACE/ACLs and enforcement infrastructure, which I think is rich for work.  We do have to leverage Globus for our security, but I know Globus has done some work on SASL integration.  Has Passport done anything to be a SASL option?  If so, we could consider targeting SASL, abstracting the actual security implementation out of the infrastructure (which might benefit everyone).  I'll read up on SASL to see if this makes more or less sense.

		 

		We haven't specified SQL schemas yet since that assumes a SQL database as a web service backend.  I'd be happy if we get interfaces concretely defined in WSDL, leveraging data types defined by XML Schemas.  Those map directly to SQL data structures with .Net but also leave us the option of other implementations.

		 

		Can you remind me of where the WSDL descriptions of the components you developed are?

		 

		Thanks,

		 

		--Ivan

			-----Original Message-----
			From: Jay Beavers [mailto:jbeavers at microsoft.com] 
			Sent: Tuesday, October 01, 2002 1:40 PM
			To: judson at mcs.anl.gov
			Cc: Todd Needham; Michael E. Papka
			Subject: RE: Drop me links to the AG 2.0 specs after the presentation please

			Some thoughts for you:

			 

			Authentication / Authorization

			 

			Have you looked at the WS-Security specification?  It provides for attaching X.509 certificates to SOAP messages and signing the messages.  In reviewing the Globus Toolkit 2.0's security model, it seemed that WS-Security would be a great way of using Globus certificates with web service calls.  The "Web Services Development Kit" has a preview implementation of WS-Security for .NET.  You can download the WSDK Preview <http://msdn.microsoft.com/downloads/default.asp?URL=/downloads/sample.asp?url=/MSDN-FILES/027/001/997/msdncompositedoc.xml>.  See Using WS-Security with the WSDK <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/wssecwithwsdk.asp> for an example with source code of how to use the WSDK to sign and authenticate a web service call using X.509 v3 certificates.

			 

			Unfortunately, the WSDK still doesn’t have ACL/ACE functionality for authorizing users’ access to objects.  I’m prototyping a couple of classes that basically mirror the ACL/ACE/group design from VMS/NT for an unrelated project if you’re interested in collaborating in this area.  The idea is to have a generic “authorization” object that you can “attach” to an object, set the ACL, serialize the ACL for easy storage, and perform authorization checks.

			 

			SQL Schemas

			 

			I didn’t see any details on web service interfaces of SQL schema in the discussions.  I’d like to talk at this level so that we can get interoperability going.  I’ve done a first pass at SQL schema synchronization with Shawn Davis and I think I should be AG Venue Server functionality compatible with my next venue server release.  I’d love to be in a position where we (MSR) release a subset of functionality and both ANL and NCSA are able to add on functionality to the same server by adding additional functionality on top of the same data store.

			 

			Web Service Interfaces

			 

			I’d like to synchronize on web service interfaces too.  I’ve provided you guys with our WSDL and source for the web service calls used by CXP.  I’d like to get feedback and to synchronize these as well, probably following the same pattern as above where we provide a subset of functionality but that subset is 100% compatible.

			 

			 

			I look forward to talking more after the retreat.

			 

			 - jcb

			 

			-----Original Message-----
			From: Ivan R. Judson [mailto:judson at mcs.anl.gov] 
			Sent: Monday, September 30, 2002 7:57 PM
			To: Jay Beavers
			Cc: Todd Needham; 'Michael E. Papka'
			Subject: RE: Drop me links to the AG 2.0 specs after the presentation please

			 

			 

			Hey Dude,

			 

			Don't worry about it; sometimes that happens.

			 

			http://www.mcs.anl.gov/fl/events/agtech/

			 

			These aren't as detailed as I'd like, but they are a start. We'll see if things work tomorrow :-)

			 

			--Ivan

			 

				-----Original Message-----
				From: Jay Beavers [mailto:jbeavers at microsoft.com] 
				Sent: Monday, September 30, 2002 10:16 AM
				To: Judson at MCS.anl.gov
				Cc: Todd Needham
				Subject: Drop me links to the AG 2.0 specs after the presentation please

				Sorry I couldn’t join you this morn Ivan.  Seems technical difficulties were to be the order of the day.

				 

				I was unable to use OpenMash instead of ddvic to enable sending of my video.  If I switched from ddvic to OpenMash, all video windows came in as blank grey.

				 

				I was unable to send audio from rat.  It would see the signal locally, but my send indicators stayed grey instead of green.

				 

				I was unable to connect to the DPPT server.  Don’t ask me why, I don’t know.

				 

				 

				So if you could, please drop me the PPT links later.  I’ll take a look at them and send feedback via email.

				 

				- jcb
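
The thread above describes two pieces of the authorization story: a .NET service extracting the X.509 subject from a WS-Security header and associating it with a directory account, and a generic "authorization" object carrying an NT-style ACL of ACEs that can be attached to an object, serialized for storage, and used for access checks. The following is an added illustration of that design in Python, not code from the thread, MSR or ANL; the subject DNs, group names and ACL contents are constructed sample values.

```python
# Added example (not MSR/ANL code): an attachable ACL/ACE authorization
# object modelled on the VMS/NT design; principals are X.509 subject DNs.
import json

READ, WRITE, ADMIN = 1, 2, 4          # rights as bit flags
class Ace:
    def __init__(self, kind, trustee, rights):
        self.kind, self.trustee, self.rights = kind, trustee, rights

class Acl:
    """Ordered ACE list; NT convention puts explicit denies first."""
    def __init__(self, aces=()):
        self.aces = list(aces)

    def check(self, subject_dn, groups, wanted):
        """First match per right: a deny reaching an undecided wanted right
        wins; access needs every wanted right granted, else implicit deny."""
        who, granted = {subject_dn, *groups}, 0
        for ace in self.aces:
            if ace.trustee not in who:
                continue
            undecided = ace.rights & wanted & ~granted
            if ace.kind == "deny" and undecided:
                return False
            if ace.kind == "allow":
                granted |= ace.rights & wanted
        return granted == wanted
    def to_json(self):                 # serialize the ACL for storage
        return json.dumps([vars(a) for a in self.aces])

    @classmethod
    def from_json(cls, text):
        return cls(Ace(**d) for d in json.loads(text))

# Constructed mapping from certificate subject DN to group accounts,
# standing in for the "associate it with an AD account" step.
GROUPS = {"CN=alice,O=ANL": ["venue-admins"], "CN=bob,O=MSR": ["venue-users"]}
VENUE_ACL = Acl([
    Ace("deny", "CN=bob,O=MSR", WRITE),
    Ace("allow", "venue-users", READ | WRITE),
    Ace("allow", "venue-admins", READ | WRITE | ADMIN),
])

def authorize(subject_dn, wanted, acl_json=None):
    """Check a DN taken from a WS-Security header; acl_json runs the same check against a stored ACL."""
    acl = Acl.from_json(acl_json) if acl_json else VENUE_ACL
    return acl.check(subject_dn, GROUPS.get(subject_dn, []), wanted)
```

The explicit deny ahead of the group allow shows why ACE order matters: bob reads through venue-users but cannot write, and a subject with no mapped account gets nothing.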
