Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware


1 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware
ISGC 2012, Feb 27, 2012
Keith Chadwick for the AuthZ Interop team, Grid & Cloud Computing dept., Computing Sector, Fermilab
Overview: OSG & EGI Authorization Models; Authorization Interoperability Profile; Implementations, Status, and Plans

2 The Collaboration
Ian Alderman (9), Mine Altunay (1), Rachana Ananthakrishnan (8), Joe Bester (8), Keith Chadwick (1), Vincenzo Ciaschini (7), Yuri Demchenko (4), Andrea Ferraro (7), Alberto Forti (7), Gabriele Garzoglio (1), David Groep (2), Ted Hesselroth (1), John Hover (3), Oscar Koeroo (2), Chad La Joie (5), Tanya Levshina (1), Zach Miller (9), Jay Packard (3), Håkon Sagehaug (6), Valery Sergeev (1), Igor Sfiligoi (1), Neha Sharma (1), Frank Siebenlist (8), Valerio Venturi (7), John Weigand (1)
(1) Fermilab, Batavia, IL, USA; (2) NIKHEF, Amsterdam, The Netherlands; (3) Brookhaven National Laboratory, Upton, NY, USA; (4) University of Amsterdam, Amsterdam, The Netherlands; (5) SWITCH, Zürich, Switzerland; (6) BCCS, Bergen, Norway; (7) INFN CNAF, Bologna, Italy; (8) Argonne National Laboratory, Argonne, IL, USA; (9) University of Wisconsin, Madison, WI, USA

3 The Authorization Model
- The EGEE (EGI) and OSG security model is based on X.509 end-entity and proxy certificates for single sign-on and delegation.
- Role-based access to resources is based on VOMS Attribute Certificates.
- Users push credentials and attributes to resources.
- Access privileges are granted with appropriate local identity mappings.
- Resource gateways (Gatekeeper, SRM, gLExec, ...), i.e. Policy Enforcement Points (PEPs), call out to site-central Policy Decision Points (PDPs) for authorization decisions.

4 Authorization Infrastructure (the OSG case)
[Diagram: numbered request flow (steps 1-10) across VO Management Services, the Grid Site and its Site Services. Legend: VO, PDP, PEPs, AuthZ Components, Not Officially In OSG.]
- VO management services: VOMRS and VOMS (register, synch). The user obtains a voms-proxy and submits the request with it.
- Site services (PDPs): SAZ answers "Is Auth? Yes / No"; GUMS answers "ID Mapping? Yes / No + UserName". GUMS synchronizes with VOMS.
- CE: the Gatekeeper calls out through LCMAPS, then submits the pilot or job to the batch system under the mapped UID/GID; the batch system schedules the pilot or job on a WN.
- SE: SRM calls out through gPlazma; data is accessed in storage under the mapped UID/GID.
- WN: gLExec calls out through LCMAPS; the pilot switches user (SU) to run the job under the mapped UID/GID.

5 Goals for Interoperability
Agree on a common PEP-to-PDP call-out protocol and implementation in order to:
1. share and reuse software developed for EGI and OSG,
2. give software providers (external to the Grid organizations) reference protocols to integrate with both Grid infrastructures,
3. enable the seamless deployment of software developed in the US or EU in the EU or US security infrastructures.

6 AuthZ Interoperability Activities
2008
- Release of the XACML profile document after a 1+ year collaboration (OSG, EGEE, Globus, and Condor)
- Implementation and integration of XACML AuthZ modules with the principal PDPs and PEPs in OSG and EGEE
- Demonstrated interoperability of OSG vs. EGEE deployments in ad-hoc scenarios (Goal 3)
2009
- Discussion on evolutions of the profile in the context of Argus
- Argus extends the interoperability profile
- External software providers use the profile as the authorization reference for the Grid domain: TechX (SVOPME project), Globus (GT5) (Goal 2)
2010
- Consolidation of additional OSG PDPs and PEPs
- Start of the migration of PEPs to LCAS / LCMAPS (Nikhef, NL) as the common code base (Goal 1)
2011
- Tune client parameters to sustain the authorization "tsunami"
- Extend the profile with proxy validity attributes
- Begin OGF standardization (Goal 2)
2012
- Work on the profile extension for Cloud Authorization

7 Overview (section marker): OSG & EGI Authorization Models; Authorization Interoperability Profile (this section); Implementations, Status, and Plans

8 Request/Response Attribute Categories
- The request is made with Subject attributes, Action attributes, Resource attributes and Environment attributes.
- The response is made with a decision (Permit, Deny, or Indeterminate) and Obligation attributes.
[Diagram: at a Grid Site, the CE / SE / WN gateway PEP sends an XACML Request to the site-services PDP and receives an XACML Response.]
Request: Subject S requests to perform Action A on Resource R within Environment E.
Response: Decision Permit, but must fulfill Obligation O.

9 Request Attributes (see the profile document for the full list)
Subject:
- Subject-X509-id (string): OpenSSL DN notation
- Subject-VO (string): e.g. "CMS"
- VOMS-FQAN (string): e.g. "/CMS/VO-Admin"
Action:
- Action-id (enum type): Queue / Execute-Now / Access (file)
- Res. Spec. Lang.: RSL string
Resource:
- Resource-id (enum type): CE / SE / WN
- Resource X509 Service Certificate Subject: resource-x509-id
- Host DNS Name: dns-host-name
Environment:
- PEP-PDP capability negotiation: the PEP sends the PDP the set of Obligations it supports, which enables upgrading PEPs and PDPs independently.
- Pilot Job context (pull-WMS): pilot job invoker identity. Policy statement example: "User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO".

10 Obligation Attributes
- UIDGID: UID (integer): Unix user ID local to the PEP; GID (integer): Unix group ID local to the PEP
- Path restriction: RootPath (string): a sub-tree of the FS at the PEP; HomePath (string): path to the user home area (relative to RootPath)
- Secondary GIDs: GID (integer): Unix group ID local to the PEP (multiple occurrences)
- Storage Priority: Priority (integer): priority to access storage resources
- Username: Username (string): Unix username or account name local to the PEP
- Access permissions: Access-Permissions (string): "read-only", "read-write"
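The following is an added example, not code from the AuthZ Interop team, GUMS, SCAS or Argus: a toy site-central PDP that evaluates one PEP call-out as described on slides 8-10. Requests and responses are Python dicts standing in for the SAML-XACML messages, the attribute names are the slides' short names rather than the profile's URIs (the pilot-job attribute name is assumed), and the GUMS-like mapping table, SAZ-like ban list and policy rules are constructed. It shows the three decision values, the slide 9 pilot-VO policy for the WN, and the capability negotiation that returns only the obligations the PEP announced it supports.

```python
"""Toy site-central PDP for the PEP-to-PDP call-out on slides 8-10.

Added example, not code from the AuthZ Interop team, GUMS, SCAS or Argus.
Attribute names are the slides' short names, not the profile's URIs; the
mapping table, ban list and policy rules are constructed for illustration.
"""
from dataclasses import dataclass, field

# Request attribute names (slide 9), used as dict keys here
SUBJECT_X509_ID = "subject-x509-id"
SUBJECT_VO = "subject-vo"
VOMS_FQAN = "voms-fqan"                        # list of FQAN strings
ACTION_ID = "action-id"                        # queue | execute-now | access
RESOURCE_ID = "resource-id"                    # CE | SE | WN
PEP_OBLIG_SUPPORTED = "pep-oblig-supported"    # capability negotiation
PILOT_JOB_INVOKER_VO = "pilot-job-invoker-vo"  # pilot job context (assumed name)

ACTIONS = {"queue", "execute-now", "access"}
RESOURCES = {"CE", "SE", "WN"}

# Constructed GUMS-like mapping table: (VO, FQAN prefix) -> local account.
MAPPINGS = {
    ("CMS", "/CMS/VO-Admin"): {"uidgid": {"uid": 40001, "gid": 4000},
                               "username": "cmsadmin", "secondary-gids": [4100]},
    ("CMS", "/CMS"):          {"uidgid": {"uid": 40010, "gid": 4000},
                               "username": "cmsuser"},
    ("ATLAS", "/ATLAS"):      {"uidgid": {"uid": 41010, "gid": 4100},
                               "username": "atlasuser"},
}
# Constructed SAZ-like ban list of X.509 subject DNs.
BANNED_DNS = {"/DC=org/DC=example/OU=People/CN=Revoked User 99"}


@dataclass
class Response:
    decision: str                              # Permit | Deny | Indeterminate
    obligations: dict = field(default_factory=dict)


def lookup_mapping(vo, fqans):
    """Longest matching FQAN prefix wins, so a VO-Admin role beats the plain VO mapping."""
    best_prefix, best_acct = None, None
    for fqan in fqans:
        for (map_vo, prefix), acct in MAPPINGS.items():
            if map_vo == vo and fqan.startswith(prefix):
                if best_prefix is None or len(prefix) > len(best_prefix):
                    best_prefix, best_acct = prefix, acct
    return best_acct


def decide(request):
    """Evaluate one call-out request: Indeterminate when a needed attribute is
    missing, Deny when policy refuses, Permit with only PEP-supported obligations."""
    subj = request.get("subject", {})
    act = request.get("action", {})
    res = request.get("resource", {})
    env = request.get("environment", {})

    dn, vo = subj.get(SUBJECT_X509_ID), subj.get(SUBJECT_VO)
    action, resource = act.get(ACTION_ID), res.get(RESOURCE_ID)
    if not dn or not vo or action not in ACTIONS or resource not in RESOURCES:
        return Response("Indeterminate")

    if dn in BANNED_DNS:                       # site ban list (SAZ role)
        return Response("Deny")

    # Slide 9 policy: WN execution only if the pilot belongs to the user's VO.
    if resource == "WN":
        pilot_vo = env.get(PILOT_JOB_INVOKER_VO)
        if pilot_vo is None:
            return Response("Indeterminate")
        if pilot_vo != vo:
            return Response("Deny")

    acct = lookup_mapping(vo, subj.get(VOMS_FQAN, []))
    if acct is None:                           # no local identity for this VO/role
        return Response("Deny")

    obligations = dict(acct)
    if resource == "SE":                       # constructed rule: only admins write to storage
        is_admin = any("/VO-Admin" in f for f in subj.get(VOMS_FQAN, []))
        obligations["access-permissions"] = "read-write" if is_admin else "read-only"

    # Capability negotiation: emit only obligations the PEP said it supports.
    supported = set(env.get(PEP_OBLIG_SUPPORTED, []))
    obligations = {k: v for k, v in obligations.items() if k in supported}
    # XACML 2.0: a PEP must not grant access on a Permit whose obligations it
    # cannot discharge, so a mapping the PEP cannot apply is not a usable Permit.
    if "uidgid" not in obligations and "username" not in obligations:
        return Response("Deny")
    return Response("Permit", obligations)


def cms_admin_request(resource, action, supported, pilot_vo=None):
    """Constructed request for a CMS VO-Admin, used by the demo below."""
    env = {PEP_OBLIG_SUPPORTED: supported}
    if pilot_vo is not None:
        env[PILOT_JOB_INVOKER_VO] = pilot_vo
    return {
        "subject": {SUBJECT_X509_ID: "/DC=org/DC=example/OU=People/CN=Alice Admin 123",
                    SUBJECT_VO: "CMS",
                    VOMS_FQAN: ["/CMS/VO-Admin", "/CMS"]},
        "action": {ACTION_ID: action},
        "resource": {RESOURCE_ID: resource},
        "environment": env,
    }


if __name__ == "__main__":
    full = ["uidgid", "username", "secondary-gids", "access-permissions"]
    print(decide(cms_admin_request("CE", "queue", full)))
    print(decide(cms_admin_request("WN", "execute-now", full, pilot_vo="ATLAS")))
```

The last check in decide is the part worth copying: filtering obligations down to what the PEP supports is what lets PEPs and PDPs upgrade independently, but a Permit stripped of every identity-mapping obligation would leave the PEP with nothing to enforce, so the PDP refuses rather than hand back an unenforceable Permit.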

11 Overview (section marker): OSG & EGI Authorization Models; Authorization Interoperability Profile; Implementations, Status, and Plans (this section)

12 Implementations
- SAML v2 - XACML v2 profile: OpenSAML (Java); Globus XACML (C)
- Authorization call-out modules and PDPs: LCAS / LCMAPS (L&L) with the SCAS plug-in; SCAS (EGI); PRIMA with the gPlazma plug-in; GUMS / SAZ (OSG)
- Resource gateways:
  - Computing Element: Pre-WS and WS Gatekeepers 4.2 / 5.2
  - Storage Element: SRM / dCache; BeStMan; xrootd; GridFTP
  - Worker Node: gLExec

13 SAML Callout Structure in OSG: Minimal Code Sharing (2009)
[Diagram: on the CE, the Pre-WS GK, WS GK v4.0 and GridFTP each embed their own PRIMA / SAML1 library plus a SAZ client; on the SE, SRM/dCache calls out via gPlazma with a SAML1 library and SAZ client; on the WN, gLExec calls out via L&L with a SAML1 library. All call out to the GUMS PDP over SAML1 and to the SAZ PDP over its socket protocol. Legend: Component, EGEE component used in OSG, Gateway, Call-out, XACML lib, PDP.]

14 XACML Callout Structure in OSG: Transitioning, Using also EMI Code (2010)
[Diagram: as in 2009, but the Pre-WS GK, GridFTP, SRM BeStMan, SRM/dCache (via gPlazma) and gLExec (via L&L) now carry the XACML2 gLite library alongside the SAML1 library and SAZ client; WS GK v4.0 remains on PRIMA WS / SAML1. GUMS answers both SAML1 and XACML2, SCAS answers XACML2, and SAZ still uses its socket protocol. Legend: Component, EGEE component used in OSG, Gateway, Call-out, XACML lib, PDP.]

15 XACML Callout Structure in OSG: Using only EMI Code (2012)
[Diagram: every gateway (Pre-WS GK, GK v5.2, GridFTP, xrootd, SRM BeStMan, SRM/dCache via gPlazma, gLExec) calls out through L&L with the XACML2 gLite library; both the GUMS and SAZ PDPs answer XACML2. Legend: Component, EGEE component used in OSG, Gateway, Call-out, XACML lib, PDP.]

16 Measured Performance
Tuning PEP / PDP connection parameters to sustain the authorization "tsunami" *:
- Socket connection timeout > 21 s (set to 30 s)
- Sysctl parameter net.core.somaxconn = max expected job connections (set at 4096 per server)
- Apache parameter ListenBacklog = same value as above (GUMS only)
- Tomcat parameter acceptCount = same (SAZ only)
- Apache MaxClients = 32 (GUMS only)
* https://twiki.grid.iu.edu/bin/view/Documentation/Release3/InstallGlexec#Engineering_Considerations
[Chart: Tuning GUMS Mapping Rate; x-axis MaxClient value, y-axes GUMS mappings / sec and % mapping success rate.]
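As an added example (not from the OSG documentation or the GUMS/SAZ packages), the check below reads a sysctl dump, an httpd.conf fragment and a Tomcat server.xml and reports where a PDP host departs from the recipe on this slide: somaxconn at least the expected connection count, ListenBacklog (GUMS) and acceptCount (SAZ) equal to somaxconn, MaxClients 32 for GUMS, and a PEP connect timeout above 21 s. The sample configuration texts are constructed, and the parsers cover only the directives the slide names.

```python
"""Consistency check for the GUMS / SAZ connection tuning on slide 16.

Added example, not from the OSG documentation or the GUMS/SAZ packages. The
config texts below are constructed; the parsers cover only the directives the
slide names (net.core.somaxconn, Apache ListenBacklog/MaxClients, Tomcat
acceptCount) plus a socket connect timeout supplied by the caller.
"""
import re
import xml.etree.ElementTree as ET

GUMS_MAX_CLIENTS = 32        # the slide's Apache MaxClients for GUMS
MIN_CONNECT_TIMEOUT_S = 21   # the slide's lower bound on the PEP connect timeout


def parse_sysctl(text):
    """Parse 'key = value' lines as printed by `sysctl net.core.somaxconn`."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def parse_apache(text):
    """Pick ListenBacklog and MaxClients out of an httpd.conf fragment (comments ignored)."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*(ListenBacklog|MaxClients)\s+(\d+)", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def parse_tomcat_accept_count(server_xml):
    """Return acceptCount of the first SSL-enabled Connector in server.xml.

    Tomcat's default when the attribute is absent is 100, so an unset value is
    reported as 100 rather than None.
    """
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled") == "true" or conn.get("scheme") == "https":
            return int(conn.get("acceptCount", "100"))
    return None


def check_tuning(expected_connections, sysctl_text, httpd_conf=None,
                 server_xml=None, connect_timeout_s=None):
    """Return a list of findings; an empty list means the host matches the slide.

    The kernel clamps every listen() backlog to net.core.somaxconn, so a larger
    ListenBacklog or acceptCount buys nothing; the check insists the values agree.
    """
    findings = []
    somaxconn = parse_sysctl(sysctl_text).get("net.core.somaxconn")
    if somaxconn is None or somaxconn < expected_connections:
        findings.append(f"net.core.somaxconn is {somaxconn}, expected >= {expected_connections}")
    if httpd_conf is not None:                      # GUMS front end
        apache = parse_apache(httpd_conf)
        if apache.get("ListenBacklog") != somaxconn:
            findings.append(f"ListenBacklog {apache.get('ListenBacklog')} != somaxconn {somaxconn}")
        if apache.get("MaxClients") != GUMS_MAX_CLIENTS:
            findings.append(f"MaxClients {apache.get('MaxClients')} != {GUMS_MAX_CLIENTS}")
    if server_xml is not None:                      # SAZ front end
        accept_count = parse_tomcat_accept_count(server_xml)
        if accept_count != somaxconn:
            findings.append(f"acceptCount {accept_count} != somaxconn {somaxconn}")
    if connect_timeout_s is not None and connect_timeout_s <= MIN_CONNECT_TIMEOUT_S:
        findings.append(f"connect timeout {connect_timeout_s}s must exceed {MIN_CONNECT_TIMEOUT_S}s")
    return findings


# Constructed sample inputs (not captured from a real site).
TUNED_SYSCTL = "net.core.somaxconn = 4096\n"
DEFAULT_SYSCTL = "net.core.somaxconn = 128\n"
GUMS_HTTPD_CONF = "# tuned for the authz tsunami\nListenBacklog 4096\nMaxClients 32\n"
SAZ_SERVER_XML = ('<Server><Service name="Catalina">'
                  '<Connector port="8443" scheme="https" secure="true" '
                  'SSLEnabled="true" acceptCount="4096"/>'
                  '</Service></Server>')
SAZ_UNTUNED_XML = ('<Server><Service><Connector port="8443" SSLEnabled="true"/>'
                   '</Service></Server>')

if __name__ == "__main__":
    for finding in check_tuning(4096, DEFAULT_SYSCTL, httpd_conf=GUMS_HTTPD_CONF,
                                connect_timeout_s=20):
        print(finding)
```

Run against a host with the stock somaxconn of 128, the check flags both the sysctl and the now-mismatched ListenBacklog, which is the failure mode the slide's recipe is guarding against: a large Apache or Tomcat backlog is silently cut down to the kernel limit and connections from a burst of pilots are refused.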

17 Status and Plans
- rpm-based VDT packages of the L&L / XACML call-out for easy deployment
- Major OSG sites fully or partially migrated
- Working with OGF on standardization of the profile
- Looking for collaborators to extend the standardized profile in support of Cloud Authorization. Goal: reuse the stable, fine-grained, role-based, site-central Grid AuthZ infrastructure for Cloud deployments at sites

18 Conclusions
- An EGEE, OSG, Globus, and Condor collaboration released an Authorization Interoperability profile and XACML implementation in 2008
- Effort on OGF standardization and extension for Cloud computing
- Call-out module implementations are integrated with the major Resource Gateways
- Performance tuned to support the authorization needs of major OSG Grid sites
The major advantages of the infrastructure are:
1. share and reuse software developed for EGI and OSG
2. give software providers reference protocols to integrate with both Grid infrastructures
3. when using the same release of the protocol, enable the deployment of software developed in the US or EU in the EU or US security infrastructures

