handling complicated identity-equivalencies for authorization
Over time, DataONE users will accumulate multiple institutional accounts that will be linked via equivalent-identity mappings, representable as a graph of identities linked with bidirectional equivalencies (each knows the other as an equivalent identity). These graphs are encapsulated and persisted in a collection of Person objects the CN identityManager maintains, and need to be available to entities (CNs and MNs) responsible for authorizing a requestor's action.
DataONE needs to articulate both:
* the desired behavior of authorization with regards to the "transitivity" of permissions across these graphs (does group membership convey? does verified status? is either limited somehow? etc.)
* the responsibilities of each of the players involved in authorizing actions for users (the CNs, CILogon, and the MNs) to meet the desired behavior
Responsibilities for the CNs include:
* what Persons to return in the SubjectInfo, and are they guaranteed to be equivalent identities (can the authorizing agent trust that)?
* is that set of Persons the complete graph?
Responsibilities for CILogon:
* guarantee to return only unadulterated SubjectInfo from getSubjectInfo in the certificate?
For the authorizing entity:
* Does it need to recurse the set of Persons provided with the certificate SubjectInfo, or can it just include all of those subjects?
* Is it expected to call cn.listSubjects() to complete the graph if there are missing Persons from what was provided?
* Does it apply the appropriate restrictions on transitivity if that's the policy?
#2 Updated by Rob Nahf about 10 years ago
Three approaches were proposed with regards to what to put in the getSubjectInfo() response that's handed to CILogon and stuffed into a certificate:
1. Put a "starter set" of Person objects in the SubjectInfo that represents the Person of the connecting subject and its immediate (1st degree) equivalent identities. This would be the full graph for the majority of users, and would save the cost of recursion for the CN in processing getSubjectInfo.
2. Include the entire set of Person objects in the equivalent-identities graph.
3. Fully connect the graph so that approach 1 would equal approach 2, and save the recurring cost of recursion for an upfront hit to connect the graph.
Fully connecting the graph may be problematic for long-term maintenance of identities: if an errant equivalency is made and needs to be retracted, it would be impossible to disconnect the two sub-graphs unless some sort of history of the datastore is maintained.
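To make the trade-offs in the ticket and in the three approaches above concrete, here is an added toy model (example code, not DataONE's or the CN identityManager's implementation). It assumes a Person is just a subject string plus the subjects it lists as equivalent, that every equivalency is stored in both directions as the ticket describes, and that the SubjectInfo handed to an authorizer is simply a set of subjects. The four linked accounts are constructed sample data. The same breadth-first walk yields approach 1 (depth 1), approach 2 (unbounded) or any depth-limited transitivity restriction, and `retraction_outcome` shows why approach 3 cannot be undone without history.

```python
from collections import deque


class Person:
    """A Person record: a subject plus the subjects it lists as equivalent identities."""

    def __init__(self, subject):
        self.subject = subject
        self.equivalent_identities = set()


class IdentityStore:
    """Toy stand-in for the CN identity store (hypothetical; not the CN identityManager API)."""

    def __init__(self):
        self.persons = {}

    def add_person(self, subject):
        self.persons.setdefault(subject, Person(subject))

    def map_identity(self, a, b):
        """Record a bidirectional equivalency: each Person knows the other."""
        self.persons[a].equivalent_identities.add(b)
        self.persons[b].equivalent_identities.add(a)

    def unmap_identity(self, a, b):
        """Retract an equivalency in both directions."""
        self.persons[a].equivalent_identities.discard(b)
        self.persons[b].equivalent_identities.discard(a)

    def equivalent_subjects(self, subject, max_depth=None):
        """Breadth-first walk of the equivalency graph starting at `subject`.

        max_depth=1 gives approach 1 (the "starter set": the subject plus its
        1st-degree equivalents); max_depth=None gives approach 2 (the whole
        connected component). Any other bound is a transitivity restriction of
        the kind the ticket asks the authorizer to apply.
        """
        seen = {subject}
        queue = deque([(subject, 0)])
        while queue:
            current, depth = queue.popleft()
            if max_depth is not None and depth >= max_depth:
                continue
            for neighbour in self.persons[current].equivalent_identities:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append((neighbour, depth + 1))
        return seen

    def fully_connect(self, subject):
        """Approach 3: materialise the closure as a direct edge between every pair."""
        component = self.equivalent_subjects(subject)
        for a in component:
            for b in component:
                if a != b:
                    self.persons[a].equivalent_identities.add(b)
        return component


def is_authorized(subject_info, allowed_subjects):
    """Authorizer side: grant if any identity in the supplied SubjectInfo is in the policy."""
    return not subject_info.isdisjoint(allowed_subjects)


def build_chain_store():
    """Constructed sample data: four institutional accounts linked pairwise, A-B-C-D."""
    store = IdentityStore()
    accounts = ["alice@univA", "alice@univB", "alice@univC", "alice@univD"]
    for account in accounts:
        store.add_person(account)
    for left, right in zip(accounts, accounts[1:]):
        store.map_identity(left, right)
    return store


def retraction_outcome(fully_connected):
    """Retract the errant B-C link, optionally after fully connecting; return A's reachable set."""
    store = build_chain_store()
    if fully_connected:
        store.fully_connect("alice@univA")
    store.unmap_identity("alice@univB", "alice@univC")
    return store.equivalent_subjects("alice@univA")


if __name__ == "__main__":
    store = build_chain_store()
    starter = store.equivalent_subjects("alice@univA", max_depth=1)
    full = store.equivalent_subjects("alice@univA")
    policy = {"alice@univD"}  # the access policy names only the 4th-hop account
    print("starter set grants:", is_authorized(starter, policy))   # False
    print("full graph grants: ", is_authorized(full, policy))      # True
    print("plain graph after retraction:    ", sorted(retraction_outcome(False)))
    print("fully connected after retraction:", sorted(retraction_outcome(True)))
```

With a chain of four accounts and a policy that names only the far end, the starter set denies while the full graph grants, which is exactly the gap an authorizer must close by either recursing itself or calling back to the CN. After retracting the B-C link, the plain graph splits into {A, B} and {C, D}, but the fully connected store still reaches every account from A because the materialised closure edges survive the retraction.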