Adrian Damian (Canadian Astronomy Data Centre (CADC)), Patrick Dowler (CADC), Séverin Gaudet (CADC), Norman Hill (CADC)
The Group Membership Service (GMS), implemented at the Canadian Astronomy Data Centre (CADC), is a prototype of an IVOA standard for a distributed and interoperable group membership protocol. Group membership is the core authorization concept that enables teamwork and collaboration amongst astronomers accessing distributed resources and services. As on a Unix system, GMS allows multiple users to be categorized into groups that share access permissions to various resources. The service integrates with and complements other access-control-related IVOA standards such as single sign-on (SSO) using X.509 proxy certificates and the Credential Delegation Protocol (CDP).
The GMS has been used at CADC for several years now, initially as a subsystem and then as a stand-alone Web service. It is part of the authorization mechanism controlling access to proprietary telescope data as well as to other restricted resources such as Web pages and group membership itself. More recently, the GMS has been used in the authorization scheme of the VOSpace service hosted by the CADC. The open-source software is available from the CADC Google Code pages. We present the role that GMS plays within the access control system at CADC, including the functionality of the service and how the different CADC services make use of it to assert user authorization to resources. We also describe the scenarios where multiple GMS services can be used together and why this is desirable.
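The following is an added example (not CADC's GMS code) of the authorization pattern the abstract describes: a resource carries an access list of groups, a service asks the group membership service whether the requesting user belongs to any of them, and several GMS instances can serve groups for one resource. It assumes, for illustration only, that a group identifier has the form `<gms-service-uri>?<group-name>` so that each group names the GMS that is authoritative for it; the paper does not specify the identifier format, and the users, services and groups are constructed sample data.

```python
"""Group-membership authorization across several GMS instances.

Added example, not the CADC implementation. Assumption: a group identifier is
"<gms-service-uri>?<group-name>", e.g. "ivo://cadc.example/gms?cfht-proprietary";
the part before '?' names the GMS that is authoritative for that group.
"""


class GroupMembershipService:
    """Toy stand-in for one GMS instance: a directory of group -> members."""

    def __init__(self, service_uri, groups):
        self.service_uri = service_uri
        self._groups = {name: frozenset(members) for name, members in groups.items()}

    def is_member(self, user, group_name):
        # A group this service does not know simply has no members.
        return user in self._groups.get(group_name, frozenset())


class Authorizer:
    """Decides 'may user access resource?' by asking the GMS named in each group id."""

    def __init__(self, services):
        self._services = {s.service_uri: s for s in services}

    def is_member(self, user, group_id):
        service_uri, sep, group_name = group_id.partition("?")
        if not sep or not service_uri or not group_name:
            raise ValueError(f"malformed group id: {group_id!r}")
        gms = self._services.get(service_uri)
        if gms is None:
            # Unknown authority: fail closed instead of asking some other GMS.
            return False
        return gms.is_member(user, group_name)

    def authorized(self, user, acl):
        """acl is a list of group ids; membership in any one of them grants access."""
        return any(self.is_member(user, group_id) for group_id in acl)


# Constructed sample directories: fictitious users, services and group names.
CADC_GMS = GroupMembershipService(
    "ivo://cadc.example/gms",
    {"cfht-proprietary": {"alice", "bob"}, "staff": {"alice"}},
)
PARTNER_GMS = GroupMembershipService(
    "ivo://partner.example/gms",
    # Same group name as at CADC, but a different authority, so a different group.
    {"survey-team": {"carol"}, "cfht-proprietary": {"mallory"}},
)
AUTHZ = Authorizer([CADC_GMS, PARTNER_GMS])

# Access list on a proprietary dataset: a CADC group plus a partner group,
# the multi-GMS scenario mentioned in the abstract.
PROPRIETARY_ACL = [
    "ivo://cadc.example/gms?cfht-proprietary",
    "ivo://partner.example/gms?survey-team",
]


if __name__ == "__main__":
    for user in ("alice", "carol", "mallory", "dave"):
        print(f"{user}: {'allow' if AUTHZ.authorized(user, PROPRIETARY_ACL) else 'deny'}")
```

The point of scoping each group to its issuing service is visible in the `mallory` case: the partner GMS also has a group called `cfht-proprietary`, but because the dataset's access list names CADC's group, membership at the partner service grants nothing. Looking groups up by bare name across several services would let one service mint a same-named group and silently widen access on another's resources.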
Paper ID: P028