Infrastructure Systems: The Globus Toolkit
BRIITE Meeting, 2-4 Nov 2005, Salk Institute, La Jolla, CA
Frank Siebenlist (Globus Alliance / Argonne National Laboratory / University of Chicago)
franks@mcs.anl.gov - http://www.globus.org/

(Slide footer throughout: Nov 3, 2005, BRIITE Meeting: The Globus Toolkit)

Outline
- Globus Alliance
- Grids
- Globus Toolkit Introduction
- Virtual Organizations
- GT's BIG Security Issue
- Questions & Discussion

The Globus Alliance: Making Grid computing a reality
- Close collaboration with real Grid projects in science and industry
- Development and promotion of standard Grid protocols (e.g. OGSA) to enable interoperability and shared infrastructure
- Development and promotion of standard Grid software APIs and SDKs to enable portability and code sharing
- The Globus Toolkit ®: open source, reference software base for building Grid infrastructure and applications
- Global Grid Forum: development of standard protocols and APIs for Grid computing

How Globus Works
- Globus is a distributed open source community with many contributors & users
  - CVS, documentation, bugzilla, email lists
  - Modular structure allows many to contribute
- Globus Alliance Board provides governance when needed
  - Meritocracy: individuals who demonstrate ongoing contributions & commitment
  - Primarily: what to include, when to release
- Globus Alliance is an informal partnership of organizations led by Board members

The Application-Infrastructure Gap
[figure: dynamic and/or distributed applications (A, B, ...) sitting above a shared distributed infrastructure]

Bridging the Gap: Grid Infrastructure
[figure: application services, users and workflows; composition, invocation and provisioning layers between them and the physical resources]
- Service-oriented Grid infrastructure
  - Provision physical resources to support application workloads
- Service-oriented applications
  - Wrap applications as services
  - Compose applications into workflows

Globus is Grid Infrastructure
- Software for Grid infrastructure
  - Service-enable new & existing resources
  - E.g., GRAM on computer, GridFTP on storage system, custom application service
  - Uniform abstractions & mechanisms
- Tools to build applications that exploit Grid infrastructure
  - Registries, security, data management, ...
- Open source & open standards
  - Each empowers the other
- Enabler of a rich tool & service ecosystem

Globus as Service-Oriented Infrastructure
[figure: user applications reach, through uniform interfaces, security mechanisms, Web service transport and monitoring, the following resources: computers (GRAM), storage (GridFTP, Reliable File Transfer), specialized resources, databases (DAIS), user services in hosting environments, MyProxy, and an MDS-Index]

A Typical eScience Use of Globus: Network for Earthquake Eng. Simulation
[figure: links instruments, data, computers, people]

LHC Data Distribution
[figure: tiered data flow from the Online System through the Offline Processor Farm (~20 TIPS) at the CERN Computer Centre (Tier 0), to regional centres such as FermiLab (~4 TIPS), France, Italy and Germany (Tier 1), to Tier 2 centres of ~1 TIPS such as Caltech, to institutes (~0.25 TIPS) and physicist workstations (Tier 4); link rates shown: ~PBytes/sec physics data cache, ~100 MBytes/sec, ~622 Mbits/sec or air freight (deprecated), ~622 Mbits/sec, ~1 MBytes/sec]
- 1 TIPS is approximately 25,000 SpecInt95 equivalents
- There is a bunch crossing every 25 nsecs; there are 100 triggers per second; each triggered event is ~1 MByte in size
- Physicists work on analysis channels; each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server

Global Community
[figure]

Globus Toolkit
- Core Web services
  - Infrastructure for building new services
- Security
  - Apply uniform policy across distinct systems
- Execution management
  - Provision, deploy, & manage services
- Data management
  - Discover, transfer, & access large data
- Monitoring
  - Discover & monitor dynamic services

WSRF & WS-Notification
- Naming and bindings (basis for virtualization)
  - Every resource can be uniquely referenced, and has one or more associated services for interacting with it
- Lifecycle (basis for fault resilient state management)
  - Resources created by services following factory pattern
  - Resources destroyed immediately or scheduled
- Information model (basis for monitoring & discovery)
  - Resource properties associated with resources
  - Operations for querying and setting this info
  - Asynchronous notification of changes to properties
- Service Groups (basis for registries & collective services)
  - Group membership rules & membership management
- Base Fault type

Globus Toolkit version 4 (GT4) components (www.globus.org)
[figure: component chart by area, split into Web services components and non-WS (pre-WS) components, and marked as core, contrib/preview, or deprecated]
- Security: Pre-WS Authentication Authorization; Authentication Authorization; Community Authorization; Credential Mgmt; Delegation
- Data Mgmt: GridFTP; Reliable File Transfer; Data Access & Integration; Replica Location; Data Replication
- Execution Mgmt: Pre-WS Grid Resource Alloc. & Mgmt; Grid Resource Allocation & Management; Community Scheduling Framework; Workspace Management; Grid Telecontrol Protocol
- Info Services: Pre-WS Monitoring & Discovery; Index; Trigger; WebMDS
- Common Runtime: C Common Libraries; Java WS Core; eXtensible IO (XIO); C WS Core; Python WS Core

GT4 Components
[figure: server side hosts GT4 services (RFT, GRAM, Delegation, Index, Trigger, Archiver, pyGlobus WS Core, C WS Core, RLS, Pre-WS MDS, CAS, Pre-WS GRAM, SimpleCA, MyProxy, OGSA-DAI, GTCP, GridFTP) as Java services in Apache Axis plus GT libraries and handlers, as Python-hosted services with GT libraries, or as C services using GT libraries and handlers, alongside your own Java, Python and C services; client side shows your Java, C and Python clients]
- Interoperable WS-I-compliant SOAP messaging between clients and servers
- X.509 credentials = common authentication

Our Goals for GT4
- Usability, reliability, scalability, ...
  - Web service components have quality equal or superior to pre-WS components
  - Documentation at acceptable quality level
- Consistency with latest standards (WS-*, WSRF, WS-N, etc.) and Apache platform
  - WS-I Basic Profile compliant
  - WS-I Basic Security Profile compliant
- New components, platforms, languages
  - And links to larger Globus ecosystem

GT4 Common Runtime
[figure: GT4 component chart with the Common Runtime column highlighted: C Common Libraries, Java WS Core, eXtensible IO (XIO), C WS Core, Python WS Core]

GT4 Web Services Core
[figure: layered stack: user applications and custom Web services on top; custom WSRF Web services and GT4 WSRF Web services (registry, administration) inside the GT4 container; WS-Addressing, WSRF, WS-Notification; WSDL, SOAP, WS-Security at the base]

GT4 Web Services Core
- Supports both GT (GRAM, RFT, Delegation, etc.) & user-developed services
- Redesign to enhance scalability, modularity, performance, usability
- Leverages existing WS standards
  - WS-I Basic Profile: WSDL, SOAP, etc.
  - WS-Security, WS-Addressing
- Adds support for emerging WS standards
  - WS-Resource Framework, WS-Notification
- Java, Python, & C hosting environments
  - Java is standard Apache

GT4 Security
[figure: GT4 component chart with the Security column highlighted: Pre-WS Authentication Authorization, Authentication Authorization, Community Authorization, Credential Mgmt, Delegation]

Globus Security
- Control access to shared services
  - Address autonomous management, e.g., different policy in different work-groups
- Support multi-user collaborations
  - Federate through mutually trusted services
  - Local policy authorities rule
- Allow users and application communities to set up dynamic trust domains
  - Personal/VO collection of resources working together based on trust of user/VO

GT4 Security
- Public-key-based authentication
- Extensible authorization framework based on Web services standards
  - SAML-based authorization callout, as specified in GGF OGSA-Authz WG
  - Integrated policy decision engine: XACML policy language, per-operation policies, pluggable
- Credential management service
  - MyProxy (one-time password support)
- Community Authorization Service
- Standalone Delegation Service

GT4's Use of Security Standards
[figure: the supported security options, annotated "Supported, but slow", "Supported, but insecure", and "Fastest, so default"]

GT-XACML Integration
- eXtensible Access Control Markup Language
  - OASIS standard, open source implementations
- XACML: sophisticated policy language
- Globus Toolkit ships with XACML runtime
  - Included in every client and server built on GT
  - Turned on through configuration
- ... that can be called transparently from runtime and/or explicitly from application ...
- ... and we use the XACML model for our Authz Processing Framework

Other Security Services Include ...
- MyProxy
  - Simplified credential management
  - Web portal integration
  - Single-sign-on support
- KCA & kx.509
  - Bridging into/out of Kerberos domains
- SimpleCA
  - Online credential generation
- PERMIS
  - Authorization service callout

GT4 Data Management
[figure: GT4 component chart with the Data Mgmt column highlighted: GridFTP, Reliable File Transfer, Data Access & Integration, Replica Location, Data Replication]

GT4 Data Management
- Stage/move large data to/from nodes
  - GridFTP, Reliable File Transfer (RFT)
  - Alone, and integrated with GRAM
- Locate data of interest
  - Replica Location Service (RLS)
- Replicate data for performance/reliability
  - Distributed Replication Service (DRS)
- Provide access to diverse data sources
  - File systems, parallel file systems, hierarchical storage: GridFTP
  - Databases: OGSA-DAI

GridFTP in GT4
- 100% Globus code
  - No licensing issues
  - Stable, extensible
- IPv6 support
- XIO for different transports
- Striping multi-Gb/sec wide area transport
  - 27 Gbit/s on 30 Gbit/s link (disk-to-disk on TeraGrid)
- Pluggable
  - Front-end: e.g., future WS control channel
  - Back-end: e.g., HPSS, cluster file systems
  - Transfer: e.g., UDP, NetBLT transport

Reliable File Transfer: Third Party Transfer
[figure: an RFT client sends SOAP messages to the RFT service and optionally receives notifications; the RFT service drives two GridFTP servers, each with a protocol interpreter, master DSI, IPC link/receiver and slave DSIs, which move the data between themselves over the data channel]
- Fire-and-forget transfer
- Web services interface
- Many files & directories
- Integrated failure recovery
- Has transferred 900K files

Replica Location Service
- Identify location of files via logical to physical name map
- Distributed indexing of names, fault tolerant update protocols
- GT4 version scalable & stable
- Managing ~40 million files across ~10 sites

Index update performance (table from the slide; one cell did not survive extraction):
Local DB | Update send (secs) | Bloom filter (secs) | Bloom filter (bits)
10K      | <1                 | 2                   | (not recovered)
1 M      | 2                  | 24                  | 10 M
5 M      | 7                  | 175                 | 50 M

Reliable Wide Area Data Replication
[figure: LIGO Gravitational Wave Observatory replication map including Cardiff, AEI/Golm and Birmingham]
- Replicating >1 Terabyte/day to 8 sites
- >30 million replicas so far
- MTBF = 1 month
www.globus.org/solutions

GT4 Execution Management
[figure: GT4 component chart with the Execution Mgmt column highlighted: Pre-WS Grid Resource Alloc. & Mgmt, Grid Resource Allocation & Management, Community Scheduling Framework, Workspace Management, Grid Telecontrol Protocol]

Execution Management (GRAM)
- Common WS interface to schedulers
  - Unix, Condor, LSF, PBS, SGE, ...
- More generally: interface for process execution management
  - Lay down execution environment
  - Stage data
  - Monitor & manage lifecycle
  - Kill it, clean up
- A basis for application-driven provisioning

GT4 WS GRAM
- 2nd-generation WS implementation optimized for performance, flexibility, stability, scalability
- Streamlined critical path
  - Use only what you need
- Flexible credential management
  - Credential cache & delegation service
- GridFTP & RFT used for data operations
  - Data staging & streaming output

GT4 WS GRAM Architecture
[figure: a client delegates credentials and invokes job functions on the GRAM services in a GT4 Java container on the service host(s); GRAM uses the Delegation service, sends file transfer requests to RFT (which drives GridFTP over FTP control and data channels to remote storage element(s)), and controls the user job on the compute element through a sudo-invoked GRAM adapter and the local scheduler; the SEG reports job events back to GRAM]

GT4 Information Services
[figure: GT4 component chart with the Info Services column highlighted: Pre-WS Monitoring & Discovery, Index, Trigger, WebMDS]

Monitoring and Discovery
- Every service should be monitorable and discoverable using common mechanisms
  - WSRF/WSN provides those mechanisms
- A common aggregator framework for collecting information from services, thus:
  - MDS-Index: XPath queries, with caching
  - MDS-Trigger: perform action on condition
  - (MDS-Archiver: XPath on historical data)
- Deep integration with Globus containers & services: every GT4 service is discoverable
  - GRAM, RFT, GridFTP, CAS, ...

GT4 Monitoring & Discovery
[figure: several GT4 containers, each hosting an MDS-Index; GRAM, RFT and a GridFTP adapter register automatically into their container's index (WS-ServiceGroup); indices register with each other and are accessed via WSRF/WSN; custom protocols are used for non-WSRF entities; clients (e.g., WebMDS) and users query the indices]

GT4 Documentation is Extensive!

Working with GT4
- Download and use the software, and provide feedback
  - Join gt4friends@globus.org mail list
- Review, critique, add to documentation
  - Globus Doc Project: http://gdp.globus.org
- Tell us about your GT4-related tool, service, or application
  - Email info@globus.org

Hype Curve...
[figure: success/maturity/acceptance over time for DCE, CORBA, Web Services, and Globus + OGSA + WSRF + Web Services, annotated "Silver Bullet"]
- OGSA: Open Grid Services Architecture
- WSRF: Web Services Resource Framework

Objective: Enable Cross-Organizational Collaboration

Security of Grid Brokering Services
- It is expected brokers will handle resource coordination for users
- Each organization enforces its own access policy
- User needs to delegate rights to broker, which may need to delegate to services
- QoS/QoP negotiation and multi-level delegation

Security Objective: Forceful Enforcement (?)

Security Services Objectives
- It's all about policy
  - (Virtual) Organization's security policy
  - Security services facilitate the enforcement
- Security policy to facilitate business objectives
  - Related to higher level agreement
- Security policy is often a delicate balance
  - More security => higher costs
  - Less security => higher exposure to loss
  - Risk versus rewards
  - Legislation sometimes mandates minimum security

Security: Risk versus Reward

Agreement and VO Security Policy
[figure: a (business) agreement (price, cost, obligations, QoS, T&Cs, ..., security, ...) yields a static initial VO security policy (trust anchors, initial members, initial resources, roles, access rules, privacy rules), which evolves into a dynamic VO security policy (members, resources, roles, attribute management, authorization management)]

Virtual Organization (VO) Concept
- VO for each application/workload/collaboration
- Carve out and configure resources for a particular use and set of users

Effective Policy Governing Access Within A Collaboration

Why Grid Security is Hard... (1)
- Resources being used may be valuable & the problems being solved sensitive
  - Both users and resources need policy enforcement
- Dynamic formation and management of Virtual Organizations (VOs)
  - Large, dynamic, unpredictable...
- VO resources and users are often located in distinct administrative domains
  - Can't assume cross-organizational trust agreements
  - Different mechanisms & credentials: X.509 vs Kerberos, SSL vs GSSAPI, X.509 vs. X.509 (different domains), X.509 attribute certs vs SAML assertions

Why Grid Security is Hard... (2)
- Interactions are not just client/server, but service-to-service on behalf of the user
  - Requires delegation of rights by user to service
  - Services may be dynamically instantiated
- Standardization of interfaces to allow for discovery, negotiation and use of resources/services
- Implementation must be broadly available & applicable
  - Standard, well-tested, well-understood protocols; integrated with wide variety of tools
- Policy from sites, VO, users need to be combined
  - Varying formats
- Want to hide as much as possible from applications!

The Grid Trust Solution
- Instead of setting up trust relationships at the organizational level (lots of overhead, possible legalities - expensive!) => set up trust at the user/resource level
- Virtual Organizations (VOs) for multi-user collaborations
  - Federate through mutually trusted services
  - Local policy authorities rule
- Users able to set up dynamic trust domains
  - Personal collection of resources working together based on trust of user

GT4 Security
[figure: VO users, a compute center, and services running on the user's behalf; rights are granted by local policy on VO identity or by an attribute authority, by CAS or VOMS issuing SAML or X.509 ACs, and carried over SSL/WS-Security with proxy certificates; access is mediated by authorization policy enforcement; KCA and MyProxy supply credentials]

Propagation of Requester's Rights through the Job Scheduling and Submission Process
- Dynamically limit the delegated rights more as job specifics become clear
- Trust parties downstream to limit rights for you... or let them come back with job specifics such that you can limit them
- Virtualization complicates least-privilege delegation of rights

Grid Security must address...
- Trust between resources without organization support
- Bridging differences between mechanisms
  - Authentication, assertions, policy...
- Allow for controlled sharing of resources
  - Delegation from site to VO
- Allow for coordination of shared resources
  - Delegation from VO to users, users to resources
- ...all with dynamic, distributed user communities and least privilege.

Security Services with VO

GT's GGF Authorization Call-Out Support
- GGF's OGSA-Authz WG: Use of SAML for OGSA Authorization
  - Authorization service specification
  - Extends SAML spec for use in WS-Grid
  - Recently standardized by GGF
- Conformant call-out integrated in GT
  - Transparently called through configuration
- Permis interoperability
  - Ready for GT4!
- Futures...
  - SAML 2.0 compliance ... XACML 2.0-SAML 2.0 profile

GT's Assertion Processing Problem
- VOMS/Permis/X509/Shibboleth/SAML/Kerberos identity/attribute assertions
- XACML/SAML/CAS/XCAP/Permis/ProxyCert authorization assertions
- Assertions can be pushed by client, pulled from service, or locally available
- Policy decision engines can be local and/or remote
- Delegation of rights is a required feature, implemented through many different means
GT-runtime has to mix and match all policy information and decisions in a consistent manner...

Delegation of Rights Complexity
[figure: Bob asks Ivan "Can I have a glass of lemonade?"; Ivan's policy: "I don't know any Bob...(?) I do know John, Mary, Carol, Olivia, ..."; Ivan asks around "Can Bob have a glass of lemonade?" and Carol answers "Sure, Bob is my friend"; the other parties' policies are listed below; Ivan: "HELP!" (non-normative evaluated decision)]
- Carol's policy: Bob is my friend and I'll share my lemonade with him
- Olivia's policy: If Carol likes Bob, I hate him!
- Mary's policy: I like Bob a little bit
- Lucy's policy: I sometimes like Carol
- Ann's policy: I like Ivan very much!
- Jogger's policy: I'd like a glass too
- John's policy: I don't like girls
- Bill's policy: Lemonade is bad for you
- Frosty's policy: Only share lemonade with ice
- Aunt's policy: Sharing is good
- Laura's policy: Share if he pays!
- David's policy: Ask Laura
- Accountant's policy: Only if he signs here
- Rita's policy: No lemonade after eight
- Neighbor's policy: Let's party!
- Emma's policy: Only on his birthday

What are the Grid/P2P issues with distributed authorization? (1)
- Many different parties want to express their opinion about each other's access rights
  - Anybody can say anything about anyone else
- Expressed in many different languages
  - Enforcement of a single policy language is impossible/not desirable
- Some parties can be asked about their opinion
  - Expose themselves as an AuthZ oracle (PDP)
- Other parties send their opinion as statements
  - Authenticated policy/decision statements/assertions expressed in their favorite language

What are the Grid/P2P issues with distributed authorization? (2)
- Some of that advice is from parties you've never met before
  - So they must be empowered by those you do know...
- Some advice does not apply, is mal-formed, malicious, fake, erroneous, ...
  - ...often you do not know that by looking at them...
- Different parties will use different names for the same subject
  - Need identity federation for mapping
- Different parties will use different groups/roles in their policy expressions
  - Only the group/role that is actually used in a relevant policy expression is of interest...

Attribute Collection Framework

GT's Authorization Processing Model (1)
- Use of a Policy Decision Point (PDP) abstraction that conceptually resembles the one defined for XACML
  - Normalized request context and decision format
  - PDP modeled as a black-box authorization decision oracle
- After validation, map all attribute assertions to XACML Request Context Attribute format
- Create mechanism-specific PDP instances for each authorization assertion and call-out service
- The end result is a set of PDP instances where the different mechanisms are abstracted behind the common PDP interface

GT's Authorization Processing Model (2)
- The Master-PDP orchestrates the querying of each applicable PDP instance for authorization decisions
- Pre-defined combination rules determine how the different results from the PDP instances are to be combined to yield a single decision
- The Master-PDP finds delegation decision chains by asking the individual PDP instances whether the issuer has delegated administrative rights to other subjects
- The Master-PDP can therefore determine authorization decisions based on delegated rights without explicit support from the native policy language evaluators

GT Authorization Framework (1)
[figure]

GT Authorization Framework (2)
[figure: AAA/PERMIS/XACML PDPs behind the framework; an AAA token is passed to an AAA PDP]

GT Authorization Framework (3)
[figure]

GT Authorization Framework (3)
- Master-PDP accesses all mechanism-specific PDPs through the same Authz Query Interface
  - SAML-XACML-2 profile
- Master-PDP acts like an XACML combinator
  - Permit-Overrides rules
- Negative permissions are evil...
- Delegation chains found through exhaustive search
  - ...with optimization to evaluate cheap decisions first...
- Blacklist-PDPs are consulted separately
  - Statically configured, call-out only PDPs
  - Deny-Overrides only for the blacklist-PDPs...
- Pragmatic compromise to keep admin simple
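The following Python is an added illustration written for this page, not the Globus Toolkit's own implementation: it models the processing model of the preceding slides (PDP instances behind one query interface, the Master-PDP's permit-overrides combination, exhaustive delegation-chain search with cheap PDPs queried first, and a separately consulted deny-overrides blacklist PDP) and runs the lemonade scenario through it. Every policy, name and cost value is constructed from the lemonade slide; the hour-of-day attribute is an assumption added to give the blacklist PDP something to deny on.

```python
"""Toy Master-PDP in the style of the GT4 authorization processing model on
these slides: mechanism-specific PDPs behind one query interface, permit-
overrides combination, exhaustive delegation-chain search (cheap PDPs first)
and separately consulted deny-overrides blacklist PDPs.  Example written for
this page, not Globus Toolkit code; every policy and name is constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    """Normalized XACML-style request context: subject, resource, action,
    plus one constructed environment attribute (hour) for the blacklist."""
    subject: str
    resource: str
    action: str
    hour: int = 12


@dataclass
class PDP:
    """Black-box decision oracle for one issuer's policy.  admins: subjects
    this issuer delegates administrative rights to (asked through the same
    interface).  cost: relative evaluation cost; cheap PDPs go first."""
    issuer: str
    decide: Callable[[Request], str]
    admins: Set[str] = field(default_factory=set)
    cost: int = 1


class MasterPDP:
    """Orchestrates the PDP instances and combines their results."""

    def __init__(self, owner: str, pdps: List[PDP], blacklist: List[PDP]):
        self.owner = owner                  # resource owner: root of every chain
        self.pdps = sorted(pdps, key=lambda p: p.cost)
        self.blacklist = blacklist          # statically configured, call-out only

    def find_chain(self, issuer: str) -> Optional[List[str]]:
        """Exhaustive depth-first search for owner -> ... -> issuer, where each
        hop is an administrative delegation stated by the previous party."""
        stack, seen = [[self.owner]], set()
        while stack:
            chain = stack.pop()
            current = chain[-1]
            if current == issuer:
                return chain
            if current in seen:
                continue
            seen.add(current)
            for pdp in self.pdps:
                if pdp.issuer == current:
                    stack.extend(chain + [nxt] for nxt in sorted(pdp.admins)
                                 if nxt not in seen)
        return None

    def authorize(self, req: Request) -> Tuple[str, Optional[List[str]]]:
        """Return (decision, chain).  Blacklist PDPs are deny-overrides and go
        first; the rest are permit-overrides, so a Deny from an ordinary PDP
        (a 'negative permission') never blocks a Permit."""
        for pdp in self.blacklist:
            if pdp.decide(req) == DENY:
                return DENY, [pdp.issuer]
        for pdp in self.pdps:               # cheapest first
            if pdp.decide(req) != PERMIT:
                continue
            chain = self.find_chain(pdp.issuer)
            if chain is not None:           # Permit from an empowered issuer
                return PERMIT, chain
        return DENY, None                   # no authoritative Permit: deny


def lemonade_master_pdp(carol_present: bool = True) -> MasterPDP:
    """The lemonade scenario of the slides with constructed policies: Bob asks
    Ivan for lemonade; Ivan does not know Bob but knows Carol; Carol knows Bob."""
    def lemonade(r: Request) -> bool:
        return r.resource == "lemonade" and r.action == "drink"
    pdps = [
        # Ivan: "I don't know any Bob", but delegates admin rights to friends.
        PDP("Ivan", lambda r: NOT_APPLICABLE,
            admins={"John", "Mary", "Carol", "Olivia"}),
        # Olivia: "If Carol likes Bob, I hate him!" -- a negative permission,
        # ignored under permit-overrides.
        PDP("Olivia", lambda r: DENY if r.subject == "Bob" else NOT_APPLICABLE),
        # David: "Ask Laura"; Laura: "Share if he pays!" -- but nobody Ivan
        # knows has empowered David, so Laura's Permit carries no weight.
        PDP("David", lambda r: NOT_APPLICABLE, admins={"Laura"}),
        PDP("Laura", lambda r: PERMIT if lemonade(r) else NOT_APPLICABLE, cost=5),
    ]
    if carol_present:   # Carol: "Bob is my friend and I'll share my lemonade"
        pdps.append(PDP("Carol", lambda r: PERMIT if r.subject == "Bob"
                        and lemonade(r) else NOT_APPLICABLE, cost=2))
    # Rita: "No lemonade after eight" -- blacklist PDP, deny-overrides.
    rita = PDP("Rita", lambda r: DENY if lemonade(r) and r.hour >= 20
               else NOT_APPLICABLE)
    return MasterPDP("Ivan", pdps, [rita])
```

Calling `lemonade_master_pdp().authorize(Request("Bob", "lemonade", "drink", hour=15))` yields a Permit with the chain Ivan -> Carol, while the same request at hour 21 is denied by the blacklist PDP and, with Carol removed, Laura's Permit is ignored because no chain from Ivan reaches her.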

Big Picture & Conclusion
- GT4 is security buzzword compliant!
  - ...probably the most full-featured-security WS toolkit...
- Web services technologies provide low-level plumbing
  - following all relevant standards
- Portals growing as a user interface
  - Clients use HTTP browsers, ... but portals will use WS protocols!
  - PURSE, ESG, GridSite, LEAD Portal, ...
- New deployment paradigms (GridLogon, VMs)
  - Driven by inability to protect...
- Authorization still the big focus
  - Unification framework needed to support different mechanisms and formats => GT4.2
  - Required for fine-grained VO policy
http://www.mcs.anl.gov/~franks/presentations/GT-BRIITE-Nov3-2005.ppt

Q?

