Accounting project....

James W DeRoest (deroest@cac.washington.edu)
Mon, 30 Mar 1998 08:25:56 -0800


Message-Id: <199803301626.IAA04180@mailhost1.cac.washington.edu>
From: "James W DeRoest" <deroest@cac.washington.edu>
To: "AST Webpage" <astweb@u.washington.edu>
Subject:  Accounting project....
Date: Mon, 30 Mar 1998 08:25:56 -0800
In-Reply-To: <Pine.A41.3.95b.980327115006.31952D-100000@homer25.u.washington.edu>

-----Original Message-----
From: Hugh Sheets [mailto:hugh@u.washington.edu]
Sent: Friday, March 27, 1998 11:51 AM
To: Internal Accounting Group; hornung@u.washington.edu; hugh@cac.washington.edu; ken@cac.washington.edu; pete@cac.washington.edu; remmers@cac.washington.edu; stenvik@cac.washington.edu; yonah@cac.washington.edu
Cc: deroest@cac.washington.edu
Subject: Accounting project....

We dedicated this meeting to discussing the namespace model. Our latest design is best described by a diagram. In words, the highlights are:

- on the Authentication side, we have a single KDC containing all UW NetIDs (which could grow to be a very large quantity). Each UW NetID is unique, for example there is only one "hugh". The KDC contains only the ID and password. Also on the Authentication side, we have another database, called perhaps the Master UW NetID DB, containing, in a one-to-one correspondence with the KDC: the KDC ID, owner (SSN, Student number, or ?), probably email forwarding, and category (where the authorization came from and maybe the authorization date).

- on the Authorization side, we have what could be a number of databases containing authorization data - Shuksan is an example of the UW uniform access authorization data. In other authorization databases there could be authorization data for other organizations or entities that want UW NetIDs. A UW NetID can't be created without supporting authorization data. This is because we have to know something about the UW NetID - if this is a UW person we know quite a bit from Shuksan, but if it is an affiliate we at least need to know what entity (department/organization) allowed to make authorization decisions OK'd this person. Since we do not plan to provide administrative services to "outside" departments or organizations, we need to be able to refer to the appropriate "outside" administrator. If we don't have an email address for a UW NetID, this administrator may be the default email address.

- Web New creates/modifies a UW NetID by looking up and comparing authorization data in one or more authorization databases. If this verification passes, a UW NetID is created in the KDC with its corresponding entry in the Master UW NetID DB.

- Administrative interfaces to the various authorization databases need to be provided for trusted administrators (departmental people).

- Not addressed are many things - lots of details, and things like where we keep track of who has accounts on what UA galaxies and caccluster (we need some pwsync-type database) and we need to be sure all the Li functionality is included someplace.
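The following is an added illustration of the model sketched in the message above; it is not code from the thread or from the UW project. It models the three pieces the notes describe (a KDC holding only ID and password verifier, a Master UW NetID DB kept one-to-one with it, and one or more authorization databases such as Shuksan) and the "Web New" creation step, which refuses to mint a NetID unless supporting authorization data exists, requires a responsible administrator for non-UW affiliates, and falls back to that administrator's address when the person has no email address of their own. All class, field and function names, the database names, and the sample records are assumptions constructed for the example.

```python
"""Toy model of the UW NetID namespace design (added example, not project code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import hashlib
import hmac
import os


@dataclass
class AuthzRecord:
    """Authorization data about one person, as an authorization DB would hold it."""
    owner: str                         # SSN, student number or similar identifier
    category: str                      # which authorization source vouched for them
    email: Optional[str] = None        # the person's own address, if known
    admin_email: Optional[str] = None  # responsible "outside" administrator, if any


class AuthzDatabase:
    """One authorization database (e.g. Shuksan, or an affiliate organization's DB)."""

    def __init__(self, name: str, records: List[AuthzRecord], internal: bool = False):
        self.name = name
        self.internal = internal  # True for UW's own data, where no outside admin is needed
        self._by_owner = {r.owner: r for r in records}

    def lookup(self, owner: str) -> Optional[AuthzRecord]:
        return self._by_owner.get(owner)


class KDC:
    """Authentication side: stores only the ID and a salted password verifier."""

    def __init__(self):
        self._entries: Dict[str, tuple] = {}

    def exists(self, netid: str) -> bool:
        return netid in self._entries

    def create(self, netid: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._entries[netid] = (salt, digest)

    def verify(self, netid: str, password: str) -> bool:
        if netid not in self._entries:
            return False
        salt, digest = self._entries[netid]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


@dataclass
class MasterEntry:
    """Master UW NetID DB row: one per KDC principal."""
    netid: str
    owner: str
    forwarding: Optional[str]
    category: str
    source_db: str


def create_netid(netid: str, password: str, owner: str, authz_dbs: List[AuthzDatabase],
                 kdc: KDC, master: Dict[str, MasterEntry]) -> MasterEntry:
    """The 'Web New' step: check the namespace and authorization rules, then create both entries."""
    if kdc.exists(netid):                       # each UW NetID is unique
        raise ValueError(f"UW NetID {netid!r} already exists")
    record, source = None, None
    for db in authz_dbs:                        # consult one or more authorization DBs
        record = db.lookup(owner)
        if record is not None:
            source = db
            break
    if record is None:                          # no NetID without supporting authorization data
        raise PermissionError("no supporting authorization data for this owner")
    if not source.internal and not record.admin_email:
        raise PermissionError("affiliate record names no responsible administrator")
    forwarding = record.email or record.admin_email  # administrator is the default address
    kdc.create(netid, password)
    entry = MasterEntry(netid, owner, forwarding, record.category, source.name)
    master[netid] = entry                       # keeps the master DB one-to-one with the KDC
    return entry


def demo() -> dict:
    """Runs the creation step over constructed sample records and reports each outcome."""
    shuksan = AuthzDatabase("Shuksan", [AuthzRecord("S-001", "uw-staff", email="hugh@example.edu")], internal=True)
    affiliates = AuthzDatabase("Affiliates", [
        AuthzRecord("A-100", "affiliate", admin_email="admin@partner.example"),
        AuthzRecord("A-101", "affiliate"),      # no administrator recorded: must be refused
    ])
    dbs, kdc, master = [shuksan, affiliates], KDC(), {}
    out = {}
    out["hugh"] = create_netid("hugh", "pw-1", "S-001", dbs, kdc, master).forwarding
    out["guest"] = create_netid("guest", "pw-2", "A-100", dbs, kdc, master).forwarding
    for netid, owner, key in [("hugh", "S-001", "duplicate"),
                              ("nobody", "X-999", "unauthorized"),
                              ("orphan", "A-101", "no_admin")]:
        try:
            create_netid(netid, "pw", owner, dbs, kdc, master)
            out[key] = "created"
        except (ValueError, PermissionError) as exc:
            out[key] = type(exc).__name__
    out["kdc_ids"] = sorted(kdc._entries)
    out["master_ids"] = sorted(master)
    out["login_ok"] = kdc.verify("hugh", "pw-1") and not kdc.verify("hugh", "wrong")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the one the notes insist on: the KDC never learns who a principal is, the master DB never has a row the KDC lacks (or vice versa), and a refused authorization lookup leaves both stores untouched.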