Presentation is loading. Please wait.

Presentation is loading. Please wait.

March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability.

Published byAudra Jefferson Modified over 7 years ago

Similar presentations

Presentation on theme: "March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability."— Presentation transcript:

1 March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability between OSG and EGEE globusWorld, March 2, 2010 On behalf of the Authorization Interoperability Collaboration Ted Hesselroth Computing Division, Fermilab Overview OSG & EGEE Authorization Models Authorization Interoperability Profile Implementations and Deployments

2 March 2, 20102/20 An XACML profile and implementation for Authorization Interoperability The Collaboration Ian Alderman 9 Mine Altunay 1 Rachana Ananthakrishnan 8 Joe Bester 8 Keith Chadwick 1 Vincenzo Ciaschini 7 Yuri Demchenko 4 Andrea Ferraro 7 Alberto Forti 7 Gabriele Garzoglio 1 David Groep 2 Ted Hesselroth 1 1 Fermilab, Batavia, IL, USA 2 NIKHEF, Amsterdam, The Netherlands 3 Brookhaven National Laboratory, Upton, NY, USA 4 University of Amsterdam, Amsterdam, The Netherlands 5 SWITCH, Zürich, Switzerland 6 BCCS, Bergen, Norway 7 INFN CNAF, Bologna, Italy 8 Argonne National Laboratory, Argonne, IL, USA 9 University of Wisconsin, Madison, WI, USA John Hover 3 Oscar Koeroo 2 Chad La Joie 5 Tanya Levshina 1 Zach Miller 9 Jay Packard 3 Håkon Sagehaug 6 Valery Sergeev 1 Igor Sfiligoi 1 Neha Sharma 1 Frank Siebenlist 8 Valerio Venturi 7 John Weigand 1 Ted Hesselroth

3 March 2, 20103/20 An XACML profile and implementation for Authorization Interoperability The Authorization Model The EGEE and OSG security model is based on X509 end entity and proxy certificates for single sign-on and delegation Role-based access to resources is based on VOMS Attribute Certificates Users push credentials and attributes to resources Access privileges are granted with appropriate local identity mappings Resource gateways (Gatekeeper, SRM, gLExec, …) i.e. Policy Enforcement Points (PEP) call-out to site- central Policy Decision Points (PDP) for authorization decisions Ted Hesselroth

4 March 2, 20104/20 An XACML profile and implementation for Authorization Interoperability The Interoperability Problem EGEE and OSG had developed different authorization infrastructures The two Grids now have a common PEP to PDP call-out protocol to enable interoperability: –Software developed in the US or EU can seamlessly be deployed in the EU or US security infrastructures –Software groups in EGEE and OSG can share and reuse common code The common call-out protocol was developed in collaboration with the Globus Toolkit and Condor groups Ted Hesselroth

5 March 2, 20105/20 An XACML profile and implementation for Authorization Interoperability Authorization Infrastructure (the EGEE case) AuthZ Components Legend VO Management Services Grid Site SCAS Site Services CE Gatekeeper SCAS Clnt. Is Auth? ID Map? Yes / No UID/GID SE (dCache) SRM gPlazma VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy 1 3 4 5 2 WN gLExec SCAS Clnt. Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 6 6 Schedule Pilot OR Job 7 Pilot SU Job (UID/GID) 8 VO Ted Hesselroth PDP PEPs Attribute Authority

6 March 2, 20106/20 An XACML profile and implementation for Authorization Interoperability Authorization Infrastructure (the OSG case) Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma ID Mapping? Yes / No + UserName VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy synch 1 4 5 6 7 2 3 WN gLExec Prima Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 8 8 Schedule Pilot OR Job 9 Pilot SU Job (UID/GID) 10 VO Ted Hesselroth PDP PEPs AuthZ Components Legend Not Officially In OSG VO Management Services

7 March 2, 20107/20 An XACML profile and implementation for Authorization Interoperability Authorization Infrastructure (the OSG case) Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma ID Mapping? Yes / No + UserName VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy synch 1 4 5 6 7 2 3 WN gLExec Prima Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 8 8 Schedule Pilot OR Job 9 Pilot SU Job (UID/GID) 10 VO Ted Hesselroth PDP A Common Protocol for OSG and EGEE integrated with the GT PEPs AuthZ Components Legend Not Officially In OSG VO Management Services

8 March 2, 20108/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability between OSG and EGEE Mar 26, 2009 On behalf of the Authorization Interoperability Collaboration Dave Dykstra Computing Division, Fermilab Overview OSG & EGEE Authorization Models  Authorization Interoperability Profile Implementations and Deployments

9 March 2, 20109/20 An XACML profile and implementation for Authorization Interoperability XACML and the Grid Domain Existing standards: –XACML defines ways to express, combine, and evaluate policies. Motivation was mainly to unify and manage policies. –Allows for domain-specific definitions of attributes of authorization requests and responses. –Definitions for the “Grid Domain” are the authorization interoperability profile. –Attributes for requests and responses determined to be useful for grid authorization Ted Hesselroth

10 March 2, 201010/20 An XACML profile and implementation for Authorization Interoperability An XACML AuthZ Interop Profile Authorization Interoperability Profile based on the SAML v2 profile of XACML v2 Result of a 1yr collaboration between OSG, EGEE, Globus, and Condor Releases: v1.1  10/09/08 v1.0  05/16/08 Dave DykstraTed Hesselroth

11 March 2, 201011/20 An XACML profile and implementation for Authorization Interoperability Request/Response Attribute Categories Request is made with –Subject attributes –Action attributes –Resource attributes –Environment attributes Response is made with –Permit, Deny, or Indeterminate –Obligation attributes PDP Site Services CE / SE / WN Gateway PEP XACML Request XACML Response Grid Site Subject S requests to perform Action A on Resource R within Environment E Decision Permit, but must fulfill Obligation O Ted Hesselroth

12 March 2, 201012/20 An XACML profile and implementation for Authorization Interoperability Request Attributes Subject (see profile doc for full list) –Subject-X509-id String: OpenSSL DN notation –Subject-VO String: “CMS” –VOMS-FQAN String: “/CMS/VO-Admin” Resource (see doc for full list) –Resource-id (enum type) CE / SE / WN –Resource X509 Service Certificate Subject resource-x509-id –Host DNS Name Dns-host-name Action –Action-id (enum type) Queue / Execute-Now / Access (file) –Res. Spec. Lang. RSL string Environment –PEP-PDP capability negot. PEP sends to PDP supported Obligations Enables upgrading of the PEPs and PDPs independently –Pilot Job context (pull-WMS) Pilot job invoker identity Policy statement example: “User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO” Ted Hesselroth

13 March 2, 201013/20 An XACML profile and implementation for Authorization Interoperability Obligation Attributes UIDGID –UID (integer): Unix User ID local to the PEP –GID (integer): Unix Group ID local to the PEP Secondary GIDs –GID (integer): Unix Group ID local to the PEP (Multi recurrence) Username –Username (string): Unix username or account name local to the PEP. Path restriction –RootPath (string): a sub-tree of the FS at the PEP –HomePath (string): path to user home area (relative to RootPath) Storage Priority –Priority (integer): priority to access storage resources. Access permissions –Access-Permissions (string): “read-only”, “read-write” Ted Hesselroth

14 March 2, 201014/20 An XACML profile and implementation for Authorization Interoperability Implementation Agreement: SAML and SOAP Security Assertion Markup Language SAML Implementations provide marshalling/unmarshalling of XML SOAP messaging for web service call Ted Hesselroth X509 Credentials Plus Desired Operation XACML Request Attributes SAML Objects SAML XML (XACML profile) SOAP Wrapper Web Service RPC SSL

15 March 2, 201015/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability between OSG and EGEE Mar 26, 2009 On behalf of the Authorization Interoperability Collaboration Dave Dykstra Computing Division, Fermilab Overview OSG & EGEE Authorization Models Authorization Interoperability Profile  Implementations and Deployments

16 March 2, 201016/20 An XACML profile and implementation for Authorization Interoperability Implementations SAML-XACML profile –OpenSAML (Java); Globus XACML (C) Authorization Callout Modules –LCAS / LCMAPS (L&L) / SCAS plug-in (EGEE); PRIMA / gPlazma plug-in (OSG)/GUMS (OSG) Resource Gateways –Computing Element Pre-WS Gatekeeper 2.0 (5.0 in progress) WS-Gatekeeper 4.2 –Storage Element SRM / dCache; BeStMan; GridFTP –Worker Node gLExec Ted Hesselroth

17 March 2, 201017/20 An XACML profile and implementation for Authorization Interoperability Cmpnt Legend: Component or dependency available by 01/2011 Pre-WS GK GUMS XACML2 SCAS XACML2 SAZ XACML2 GridFTPgLExecSRM/dCache L&L XACML2 gLite lib XACML2 gLite lib XACML2 gLite lib gPlazma XACML2 priv. lib XACML Callout Structure (EGEE case) L&L WN CE SE Gateway Call-out XACML lib PDP L&L

18 March 2, 201018/20 An XACML profile and implementation for Authorization Interoperability PRIMA Pre-WS GK GUMS SAML1 XACML2 SCAS XACML2 SAZ socket GridFTPgLExec WS GK v4.0 SRM/dCache L&L SAML1 lib XACML2 gLite lib PRIMA WS SAML1 lib PRIMA SAML1 lib XACML2 gLite lib PRIMA SAML1 lib XACML2 gLite lib gPlazma SAML1 priv. lib XACML2 priv. lib SAZ Clnt SAZ Clnt SAZ Clnt SAZ Clnt XACML Callout Structure(OSG case) WN CE SE Gateway Call-out XACML lib PDP Legend: Cmpnt EGEE Comp. used in OSG

19 March 2, 201019/20 An XACML profile and implementation for Authorization Interoperability Pre-WS GK GUMS XACML2 SCAS XACML2 SAZ XACML2 GridFTPgLExecSRM/dCache L&L XACML2 gLite lib GT5.0 Security XACML2 gLite lib gPlazma XACML2 priv. lib XACML2 GT5.0 PEP XACML Callout Structure OSG case, 2011 L&L GT5.0 Security WN CE SE XACML2 GT5.0 PEP Gateway Call-out XACML lib PDP Cmpnt Legend: Component or dependency foreseen by 01/2011 Cmpnt EGEE Comp. used in OSG GK v5.0

20 March 2, 201020/20 An XACML profile and implementation for Authorization Interoperability Deployments Except for those in the dashed boxes, clients and services have all passed certification and are available for production. Ted Hesselroth

21 March 2, 201021/20 An XACML profile and implementation for Authorization Interoperability Conclusions EGEE, OSG, Globus, and Condor have collaborated since Feb 2007 on an Authorization Interoperability profile and implementation Interoperability is achieved through an AuthZ Interop Profile, based on the SAML v2 profile of XACML v2 Call-out module implementations are integrated with major Resource Gateways The major advantages of the infrastructure are: –Software developed in the US or EU can seamlessly be deployed in the EU or US security infrastructures –Software groups in EGEE and OSG can share and reuse common code Production deployments are under way in OSG and EGEE Ted Hesselroth

22 March 2, 201022/20 An XACML profile and implementation for Authorization Interoperability Additional Slides Ted Hesselroth

23 March 2, 201023/20 An XACML profile and implementation for Authorization Interoperability Related Work The goal of the Authorization Interoperability collaboration is to provide a common PEP to PDP call- out protocol between OSG, EGEE, and major software providers, such as Globus and Condor The Open Grid Service Architecture (OGSA) Authorization Working Group (WG) in OGF defines the specifications needed to allow for pluggable and interoperable authorization components from multiple authorization domains in the OGSA framework. The scope of OGSA-AuthZ WG is broader and includes interoperability across several authorization standards. Several members of our collaboration also participate in the OGSA-AuthZ WG Ted Hesselroth

24 March 2, 201024/20 An XACML profile and implementation for Authorization Interoperability Subject attributes (1) Subject-X509-id –String: OpenSSL oneline notation of the DN Subject-X509-Issuer –String: OpenSSL oneline notation of the Issuer DN Subject-Condor-Canonical-Name-id –String: “user@host[.domain]” Subject-VO –String: “gin.ggf.org” VOMS-signing-subject –String: OpenSSL oneline notation VOMS-signing-issuer –String: OpenSSL oneline notation VOMS-FQAN –String: “/gin.ggf.org/APAC/VO-Admin” VOMS-Primary-FQAN –String: “/gin.ggf.org/APAC/VO-Admin” Ted Hesselroth

25 March 2, 201025/20 An XACML profile and implementation for Authorization Interoperability Subject attributes (2) - Optional Certificate-Serial-Number –Integer: 42 CA-serial-number –Integer: 1 Subject End-Entity X509v3 Certificate Policies OID –String: “1.2.840.113612.5.2.4” (Robot Certificate) Cert-Chain –base64Binary: “MIICbjCCAVagA……..” VOMS-dns-port –String: “kuiken.nikhef.nl:15050” Ted Hesselroth

26 March 2, 201026/20 An XACML profile and implementation for Authorization Interoperability Action attributes Action-type: ‘action-id’ (enumerated type) –Queue Requesting execution to a (remote) queue. –Execute-Now Requesting direct execution (remotely) –Access (file) Request for (generic) file access Action-specific attributes –Resource Specification Language RSL string Ted Hesselroth

27 March 2, 201027/20 An XACML profile and implementation for Authorization Interoperability Resource attributes Resource-type: ‘resource-id’ (enumerated type) –CE (Computing Element) Can also be the head-node or entry point to a cluster –WN (Worker Node) A node type that will process jobs, typically in a cluster –SE (Storage Element) (Logical) storage facility or specific storage node Resource-specific attributes –Resource X509 Service Certificate Subject resource-x509-id – Resource X509 Service Certificate Issuer resource-x509-issuer –Host DNS Name Dns-host-name Ted Hesselroth

28 March 2, 201028/20 An XACML profile and implementation for Authorization Interoperability Environment attributes PEP-PDP capability negotiation - Supported Obligations –PEP sends to PDP a list of the supported obligations –The PDP can choose to return an appropriate set of obligations from this list –Allows upgradeability of the PEPs and PDPs independently by deploying new functionalities step by step Pilot Job context –To support pull-based job management model –Policy statement example “User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO” –Pilot job invoker identity These attributes define the identity of the pilot job invoker Ted Hesselroth

29 March 2, 201029/20 An XACML profile and implementation for Authorization Interoperability Obligations (1) UIDGID UID (integer): Unix User ID local to the PEP GID (integer): Unix Group ID local to the PEP –Stakeholder: Common –Must be consistent with: Username Multiple Secondary GIDs –Multi recurrence GID (integer): Unix Group ID local to the PEP –Stakeholder: EGEE –Needs obligation(s): UIDGID Username Username (string): Unix username or account name local to the PEP. –Stakeholder: OSG –Must be consistent with: UIDGID Ted Hesselroth

30 March 2, 201030/20 An XACML profile and implementation for Authorization Interoperability Obligations (2) AFSToken AFSToken (string) in base64: AFS Token passed as a string –Stakeholder: EGEE –Needs obligation(s): UIDGID Path restriction (root-and-home-paths) RootPath (string): this parameter defines a sub-tree of the whole file system available at the PEP. HomePath (string): this parameter defines the path to home areas of the user accessing the PEP. This is a path relative to RootPath. –Stakeholder: OSG –Needs obligation(s): UIDGID or Username Ted Hesselroth

31 March 2, 201031/20 An XACML profile and implementation for Authorization Interoperability Obligations (3) Storage Priority Priority (integer): an integer number that defines the priority to access storage resources. –Stakeholder: OSG –Needs obligations: UIDGID or Username Access permissions Access-Permissions (string): Access permissions to a file that is requested Allowed values: “read-only”, “read-write” –Stakeholder: OSG –Needs obligations: UIDGID or Username Ted Hesselroth

32 March 2, 201032/20 An XACML profile and implementation for Authorization Interoperability OSG Integration Tests ComponentTest PDP Component Old GUMS New GUMS SCAS WS-Gatekeeper (Out of Scope) Test call-out component NOYES Run job w/o Delegation or File Transfer NOYES out of scope Run job with Delegation and File Transfer NOYES out of scope SCAS / PRIMA cmd line tool (OOS) AuthZ call via Legacy protocol call-outYES NO AuthZ call via XACML protocol call-outNOYES Pre-WS Gatekeeper (VTB-TESTED) Run job. AuthZ via Legacy protocolYES NO Run job. AuthZ via XACML protocolNOYES GridFTP (VTB-TESTED) Transfer file. AuthZ via Legacy protocol YES NO Transfer file. AuthZ via XACML protocol NOYES gLExec (REL. Jan 20) Run pilot job. AuthZ via Legacy protocol YES NO Run pilot job. AuthZ via XACML protocol NOYES SRM/dCache gPlazma (REL. Jan 20) Transfer file. AuthZ via Legacy protocol YES NO Transfer file. AuthZ via XACML protocol NOYES Ted Hesselroth

Download ppt "March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability."

Similar presentations

Global Grid Forum GridWorld GGF15 Boston USA October 03 2005 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.

Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.

GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.

Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.

VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.

Similar presentations

Ads by Google