XPOLA is a capability-based, fine-grained authorization framework for Web services and Grid services. Each XPOLA capability is represented in Security Assertion Markup Language (SAML) 1.1 and is a set of access policies concerning a specific service instance. Given the capability token, a service user can access that service instance only in the way the XPOLA policy permits, which conforms to the principle of least privilege/authority (POLA). The capability token is protected against tampering by the issuer's signature: any change to the policy invalidates the signature, so the service can check that the policy it enforces is exactly the one the issuer granted.

A set of services and tools is also implemented with the XPOLA framework, including the capability manager service (Capman), the group manager service (Groupman) and their corresponding clients, available both as command-line tools and as portlets. Capman lets a service provider create, manage and distribute capabilities to service users, while Groupman enables role-based authorization by issuing capabilities to the members of a named group. The generated capabilities are stored in a database and can be fetched either through the clients or programmatically through the XPOLA API.

For instance, suppose a WRF service provider wants a group of undergraduates to run experiments on one of his service instances. He, or a service acting on his behalf, creates a set of capabilities for an "undergrad" group, which contains a list of the users' distinguished names (DNs). The capability's policy states explicitly which methods are allowed: for the "undergrad" users, the "Run" method is permitted while the "Shutdown" method may be forbidden. The capabilities are kept in Capman storage. When an "undergrad" user, or a service acting on his behalf, tries to access that specific service instance, whether through the portal or from another service, the capability token is fetched implicitly. A valid user may never be aware that a capability exists. A user for whom no capability has been issued is denied access to the service.
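As an added illustration of the flow described above and of the Capman/Groupman roles (example code written for this page, not XPOLA's own code or API), the following Python models the scenario end to end: a provider issues a signed capability to each DN in an "undergrad" group (the Groupman-style grant), a Capman-like store holds them, and the service fetches the caller's token implicitly, checks the signature, and enforces the method policy. Every name, DN and service identifier here is hypothetical, and an HMAC over a canonical serialization stands in for the XML signature on the SAML assertion. What it adds beyond the text is the tamper check: a user who edits his own token to add "Shutdown" is refused because the signature no longer matches.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Constructed stand-in for the issuer's signing key. XPOLA signs SAML assertions
# with the issuer's key (an XML signature); a shared-secret HMAC is used here only
# to keep the example self-contained. Capability, CapabilityStore, issue, verify
# and authorize are hypothetical names, not the XPOLA API.
ISSUER_KEY = b"constructed-issuer-key-for-illustration-only"


@dataclass(frozen=True)
class Capability:
    """One capability: a signed policy for one subject on one service instance."""
    issuer: str
    subject_dn: str
    service_instance: str
    allowed_methods: frozenset
    signature: bytes


def canonical(issuer, subject_dn, service_instance, allowed_methods) -> bytes:
    """Deterministic serialization of the policy fields the signature covers."""
    body = {"issuer": issuer, "subject": subject_dn,
            "service": service_instance, "methods": sorted(allowed_methods)}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue(issuer, key, subject_dn, service_instance, allowed_methods) -> Capability:
    """The provider (or a service acting for him) signs a policy for one user DN."""
    methods = frozenset(allowed_methods)
    sig = hmac.new(key, canonical(issuer, subject_dn, service_instance, methods),
                   hashlib.sha256).digest()
    return Capability(issuer, subject_dn, service_instance, methods, sig)


def verify(cap: Capability, key) -> bool:
    """Recompute the signature over the presented policy; any edit to the policy
    (e.g. adding 'Shutdown' to allowed_methods) makes this return False."""
    expected = hmac.new(key, canonical(cap.issuer, cap.subject_dn, cap.service_instance,
                                       cap.allowed_methods), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cap.signature)


class CapabilityStore:
    """Stand-in for Capman storage, keyed by (user DN, service instance)."""

    def __init__(self):
        self._caps = {}

    def put(self, cap: Capability):
        self._caps[(cap.subject_dn, cap.service_instance)] = cap

    def fetch(self, subject_dn, service_instance):
        return self._caps.get((subject_dn, service_instance))


def issue_for_group(issuer, key, member_dns, service_instance, allowed_methods, store):
    """Role-based grant in the style of Groupman: one capability per group member."""
    for dn in member_dns:
        store.put(issue(issuer, key, dn, service_instance, allowed_methods))


def authorize(store, key, caller_dn, service_instance, method):
    """Enforcement at the service: fetch the caller's token implicitly, check the
    signature, then check the requested method against the policy."""
    cap = store.fetch(caller_dn, service_instance)
    if cap is None:
        return False, "no capability issued for this user"
    if not verify(cap, key):
        return False, "capability signature invalid"
    if method not in cap.allowed_methods:
        return False, "method %r not permitted by policy" % method
    return True, "ok"


WRF_INSTANCE = "urn:example:wrf:instance-1"  # constructed service instance id
UNDERGRADS = ["/O=Grid/OU=Example/CN=Alice Student",  # constructed DNs
              "/O=Grid/OU=Example/CN=Bob Student"]


def demo():
    """Walk through the scenario from the text and return each decision."""
    store = CapabilityStore()
    issue_for_group("WRF provider", ISSUER_KEY, UNDERGRADS, WRF_INSTANCE, {"Run"}, store)
    alice, outsider = UNDERGRADS[0], "/O=Grid/OU=Example/CN=Mallory"
    return {
        "alice_run": authorize(store, ISSUER_KEY, alice, WRF_INSTANCE, "Run"),
        "alice_shutdown": authorize(store, ISSUER_KEY, alice, WRF_INSTANCE, "Shutdown"),
        "outsider_run": authorize(store, ISSUER_KEY, outsider, WRF_INSTANCE, "Run"),
    }


def tampered_capability_rejected():
    """A user who edits his own token to add 'Shutdown' keeps the old signature,
    so the service rejects the token rather than the method."""
    cap = issue("WRF provider", ISSUER_KEY, UNDERGRADS[0], WRF_INSTANCE, {"Run"})
    forged = replace(cap, allowed_methods=cap.allowed_methods | {"Shutdown"})
    store = CapabilityStore()
    store.put(forged)
    return authorize(store, ISSUER_KEY, UNDERGRADS[0], WRF_INSTANCE, "Shutdown")
```

Running `demo()` grants Alice "Run", refuses her "Shutdown" on policy grounds, and refuses Mallory outright because no capability was ever issued for her DN; `tampered_capability_rejected()` shows that widening a token's policy without the issuer's key fails at the signature check before the method is even considered.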

A paper that describes XPOLA in detail was published at the 4th PKI R&D Workshop. The corresponding slides can be found here.

XPOLA has been integrated into XSUL as a component; please download it from CVS.
