[alf-req] ALF Requirements Meeting Minutes 9/7/2005

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[alf-req] ALF Requirements Meeting Minutes 9/7/2005

From: "Kelly Shaw" <kshaw@xxxxxxxxxx>
Date: Wed, 7 Sep 2005 12:39:49 -0700
Delivered-to: alf-req@xxxxxxxxxxx
List-archive: <http://eclipse.org/pipermail/alf-req>
List-help: <mailto:alf-req-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/alf-req>, <mailto:alf-req-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/alf-req>, <mailto:alf-req-request@eclipse.org?subject=unsubscribe>
Thread-index: AcWz4+h/a/NlKssrTTKtT/hOnLiJKw==
Thread-topic: ALF Requirements Meeting Minutes 9/7/2005

ALF Requirements Meeting Minutes

9/7/2005

Security Roles in ALF

Discussion: Today's meeting concentrated on resolving the 'roles issue' within ALF. The central question is 'What roles do roles play within ALF.' We had two competing opinions about this issue, summarized below.

Roles are necessary in ALF to enable service flows to execute with confidence. Without some central role administration capability, the tools themselves would be responsible for maintaining security and permissions, causing an administrative nightmare. Also, without these roles to manage permissions and authorizations across all tools, we have a free-for-all where every service call has the potential to cause a cascading and complex necessity to invoke compensating services. Rather than increasing the complexity of ALF, including both role and user administration will reduce its complexity.
Roles have no place in ALF, at least for now. First, since we have already decided that ALF will not require user administration, there will be no users with which to associate ALF role permissions. Second, tool vendors will be unlikely to delegate security to an integration platform such as ALF, so administering ALF roles would require role administration within the tools as well, which is unworkable. Third, requiring web services to authenticate or retrieve role information from ALF would require vendors to write services specifically for consumption by ALF, setting the ALF compliance bar too high.

We debated these two viewpoints, and came to the following conclusions.

we can't force vendors to adopt LDAP for role definition. That would set the ALF entry bar too high.
we can't force vendors to respect ALF roles. That would set the ALF entry bar too high.
We need to allow vendors to respect ALF security roles, if these roles exist. Therefore, there must be a hook into ALF for defining security roles. This means an SPI.
We need to architect ALF in such a way that security roles can be added to the core product in the future.

The team agreed to monitor the open source and standards bodies such as Eclipse, Apache and Oasis to see if some security or trust system emerges that should be adopted by ALF. Meanwhile, we will ask potential ALF customers how they see the role of roles in ALF.

Action Items:

Committee to continue discussions on roles, and continue to monitor Higgins (WS-TRUST) and other security projects to see if one of them should be adopted as the ALF authorization standard.
Committee members to discuss role requirements with potential ALF adopters.
Committee to continue discussions within the newsgroup.
Committee members also on the Architecture team to convey the need for a role-hole to be designed into ALF.

Decision:

ALF can't dictate a role administration structure at this time. However, ALF should allow implementation sites to incorporate role administration, perhaps through a SPI. Additionally, ALF should be architected and designed to allow role administration to be added in the future.

UDDI - Service Directory within ALF

Discussion: The committee needs to address the following questions.

Does ALF need a Service Directory?
If so, what are the use cases for Service Directory use within ALF? What are the requirements?
Given the requirements, is the UDDI standard appropriate?
Are there other Service Directory standards at which we should be looking?
Should we allow vendors to publish a directory of ALF-enabled services on the ALF site? Will we lose credibility as an open source project if we allow vendors to 'advertise' their services?

At this time nobody could think of a competitive alternative to UDDI. UDDI has many features that would make it interesting within the AL framework.

Action Item: Committee members will get smart about UDDI and any other Service Directory standards available. This discussion will continue next week.

Decision: None.

Next Meeting

The next requirements meeting will be from 10:00 - 11:00 Pacific on Wednesday, 14 September. Shaw will send the meeting announcement to alf-events and alf-req. Shaw will send an agenda to the mail group alf-req.

Kelly Shaw

Sr. Product Marketing Manager

Serena Software

719-457-8811

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

Prev by Date: [alf-req] Agenda for the ALF requirements meeting on 9/7/2003
Next by Date: [alf-req] ALF Architecture Meeting
Previous by thread: [alf-req] Agenda for the ALF requirements meeting on 9/7/2003
Next by thread: [alf-req] ALF Architecture Meeting
Index(es):
- Date
- Thread

Breadcrumbs