Presentation on theme: "The Community Authorization Service: Status and Future Ian Foster 1,2, Carl Kesselman 3, Laura Pearlman 3, Steven Tuecke 1, Von Welch 2 1 Argonne National."— Presentation transcript:
The Community Authorization Service: Status and Future Ian Foster 1,2, Carl Kesselman 3, Laura Pearlman 3, Steven Tuecke 1, Von Welch 2 1 Argonne National Laboratory, Argonne, IL 2 University of Chicago, Chicago, IL 3 USC Information Sciences Institute, Marina del Rey, CA
March 24, 2003 CHEP032 Outline l Classic Globus Authorization l CAS Concepts l CAS Implementations (Prototypes and Planned Release Version) l CAS and the Globus Toolkit l Future Work
March 24, 2003 CHEP033 Classic Globus Authorization l Unix accounts and gridmap file entries. l The operating system acts as a sandbox; services themselves (e.g. gridftp, gram) do not make their own authorization checks. l Easy for site administrators to understand and verify.
March 24, 2003 CHEP034 Limitations of Classic Globus Authorization l Scalability: each personnel or policy change requires changing policy at each participating site. l Expressivity: native OS methods may not be expressive enough to support VO policies. l Consistency: native OS methods at different sites may not support the same kinds of policies.
March 24, 2003 CHEP035 CAS Concepts l Policy Management l Policy Enforcement l Operations and Deployment
March 24, 2003 CHEP036 CAS Policy Management l Sites maintain site policies; communities maintain community policies. l Site policies are maintained using existing methods (e.g., gridmap files and unix accounts). l Community policies are maintained using the CAS server and CAS administrative protocol. l Sites are not required to manage policy for individual community users or groups.
March 24, 2003 CHEP037 CAS Policy Management: the Resource Providers View l The resource provider grants access to a block of resources to a community, using their existing access-control mechanism for that resource (e.g., grid-mapfile entries, file permissions, etc.). l The resource provider uses native mechanisms (e.g. quotas) to set additional policy for the community as a whole. l The resource provider then installs servers modified to enforce the policy in the CAS credentials.
March 24, 2003 CHEP038 CAS Policy Management: the Communitys View l CAS administrative requests are used to maintain the CAS community policy database, which: –controls what rights the CAS server will grant to which users. –controls the CAS servers own access control policies, and thus can be used to delegate the ability to grant rights, maintain groups, etc. –maintains the list of community members
March 24, 2003 CHEP039 CAS Policy Enforcement l Sites enforce site policies and community policies. l A resource server (e.g., gridftp, gram) may recognize several CAS servers. l A resource server may accept CAS authorization for some resources but not others. l Resource servers (and clients) do not need to contact the CAS server for each request – but they do need fairly recent CAS information.
March 24, 2003 CHEP0310 A Typical CAS Authorization Sequence l A client requests credentials from a CAS server. l The CAS server replies with credentials, based on the communitys policy for that client. l The client presents the CAS credentials to the resource server, which uses them in making policy decisions. This step may be repeated many times using the same credentials. l This slide intentionally left vague.
March 24, 2003 CHEP0311 Two Typical Client Scenarios l A community user can: –Run a client program to get CAS credentials, then –Use a simple wrapper script to run unmodified (gsi) client applications. l An application can be modified to interface directly with the CAS, with no change to the users behavior.
March 24, 2003 CHEP0312 CAS Implementations l Initial CAS Prototype –Based on restricted proxies l Second CAS prototype –Based on signed policy assertions l Upcoming Release Version –Conceptually similar to second prototype, but new code base, protocol, and assertion formats.
March 24, 2003 CHEP0313 Initial CAS Prototype l Based on restricted proxy certificates. l A restricted proxy certificate grants a subset of the issuers rights to whoever holds the certificate. l The end-users identity is not part of the restricted proxy. l Servers that dont understand restricted proxies reject them.
March 24, 2003 CHEP0314 Restricted Proxy Certificate Subject: /O=Grid/CN=VO CAS Server Valid: 3/25/03 13:00 – 3/25/03 15:00 Proxy Certificate conveys the VOs rights to the bearer, for the certificates validity period ProxyRestrictions (critical extension) Only these actions are allowed: Read gridftp://myhost/mydir/* Write gridftp://myhost/myfile Signature (of all above, by the VO CAS Server) Restricted subject to the proxy restrictions
March 24, 2003 CHEP0315 A Typical CAS-alpha1 Request CAS Server What rights does the community grant to this user? Client Resource Server Do the proxy restrictions authorize this request? CAS-maintained community policy database User proxy Community proxy Local policy information Proxy restrictions Is this request authorized for the community?
March 24, 2003 CHEP0316 Effective Policy in CAS-alpha1 Access Granted by site To community Access Granted by Community To user Effective access
March 24, 2003 CHEP0317 Second CAS Prototype l Based on policy assertions signed by the CAS server. l The policy assertions associate a set of access rights with the users identity. l Servers that dont understand policy assertions ignore them and base authorization decisions on the users identity alone. l Servers can implement an additional level of policy enforcement based on users identity, if desired.
March 24, 2003 CHEP0318 Signed Authorization Assertions Subject: /O=Grid/CN=Laura Valid: 3/25/03 11:00 – 3/26/03 11:00 AuthorizationAssertion (non-critical extension): Target Subject: /O=Grid/CN=Laura Valid: 3/25/03 13:00 –15:00 These actions are allowed: Read gridftp://myhost/mydir/* Signature (of assertion, by the VO CAS server) Signature (of all above, by the user) It is only valid when used along with the target users authentication credentials. The authorization assertion is signed by the VOs CAS server. It delegates a subset of the VOs rights to a user, during a validity time.
March 24, 2003 CHEP0319 A Typical CAS-alpha2 Request CAS Server What rights does the community grant to this user? Client Resource Server CAS-maintained community policy database User proxy Local policy information User proxy Does the policy statement authorize the request? What local policy applies to this user? Is this request authorized for the community? Policy statement Community Signature Policy statement Community Signature
March 24, 2003 CHEP0320 Effective Policy in CAS-alpha2 Access Granted by site To community Access Granted by community To user Maximum Access Granted by site To user (e.g., via blacklists, whitelists)
March 24, 2003 CHEP0321 CAS Release Version l Conceptually similar to CAS-alpha2 l New code base (java) l OGSA service based on GT3 l Will use SAML for policy assertion format.
March 24, 2003 CHEP0322 CAS and the Globus Toolkit l Production version will include: –CAS server (GT3/OGSI Service) –CAS client, java client API, and (maybe) C client API –CAS-aware gridftp server –APIs to facilitate CAS-ifying other services. –To be released with or following GT3 in June l An upcoming GT2 release will include a CAS-aware gridftp server.
March 24, 2003 CHEP0323 Future Work: Scalability l Caching Server –Acts as a lightweight partial mirror of a CAS server –Accepts requests for what to mirror (e.g., policy for a particular user) and periodically requests new signed policy statements from a CAS server l Distributed community policy database
March 24, 2003 CHEP0324 Future Work: CAS Operation l Support request-server-pull model (request server, rather than client, contacts CAS server) in addition to current model l Can be combined with caching server for performance and reliability
March 24, 2003 CHEP0325 Future Work: Policy Enforcement l Local Authorization Server: accept authorization queries from request servers, applies all applicable local and community policies, and returns yes or no. l Increased support for authorization in GT3 hosting environments.
March 24, 2003 CHEP0326 For More Information l CAS web page :