Authentication and Authorization Architecture for AstroGrid and the VO Guy Rixon Tony Linde Elizabeth Auden Nic Walton TIVO, June 2002.


1 Authentication and Authorization Architecture for AstroGrid and the VO Guy Rixon Tony Linde Elizabeth Auden Nic Walton TIVO, June 2002

2 Why have access control?
- The high-value features from the use cases all require identity, authentication and authorization.

3 Desirable features
- Transparent to end-users: single sign-on.
- Globally-unique identities.
- Secure against misuse.
- Resource providers (data-centres) retain control of their assets.
- Users retain control of their private data.
- Encourage collaboration via sharing of access rights.
- Allow one service to call another (transparent composition of jobs).
…sounds like the Grid model!

4 X.509 for identification
- Distinguished names (as in the Grid) for users, e.g. /C=UK/O=es-grid/OU=ast.cam.ac.uk/CN=Guy Rixon
- Also works for software agents.
- X.509 certificates encode the DNs for machine use.
- Certificates are issued, digitally signed and managed by Grid organizations.
- Certificates include authentication tokens => reduced use of passwords.
- One certificate can be used to make another: "proxies".
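The DN on this slide is in the OpenSSL "oneline" form. The following is an added example in Python, not AstroGrid or Globus code, showing how a service would parse such a name into its components, convert it to the RFC 4514 comma-separated form that other tools print, compare two DNs structurally, and recognise the proxy subjects mentioned in the last bullet. The escaping rule for '/' inside a value and the proxy-subject rule (issuer's subject plus exactly one extra CN, as in Globus legacy proxies and RFC 3820) are assumptions of the example; the slide's DN is used as sample input.

```python
"""Parse and compare Grid-style X.509 distinguished names.

Added example; not AstroGrid or Globus code. Input DNs use the OpenSSL
"oneline" form shown on the slide: /C=UK/O=es-grid/OU=ast.cam.ac.uk/CN=Guy Rixon
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "Guy Rixon")


def _split_rdn(component: str) -> RDN:
    """Turn 'CN=Guy Rixon' into ("CN", "Guy Rixon"). Attribute types are
    case-insensitive, so they are normalised to upper case."""
    if "=" not in component:
        raise ValueError(f"malformed RDN component: {component!r}")
    attr, value = component.split("=", 1)
    attr, value = attr.strip().upper(), value.strip()
    if not attr or not value:
        raise ValueError(f"empty attribute or value in {component!r}")
    return attr, value


def parse_oneline_dn(dn: str) -> List[RDN]:
    """Split a oneline DN into its ordered RDNs.

    Components are separated by '/'. A '/' that is part of a value must be
    written as '\\/' (this escaping rule is an assumption of the example).
    """
    if not dn.startswith("/"):
        raise ValueError("oneline DN must start with '/'")
    rdns: List[RDN] = []
    buf, i = "", 1
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: take it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == "/":                        # component boundary
            rdns.append(_split_rdn(buf))
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(_split_rdn(buf))             # final component
    return rdns


def _escape_rfc4514(value: str) -> str:
    """Escape the characters RFC 4514 reserves inside an attribute value."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def to_rfc4514(rdns: List[RDN]) -> str:
    """RFC 4514 string form: comma-separated, most specific RDN first, which
    is the reverse of the oneline order."""
    return ",".join(f"{a}={_escape_rfc4514(v)}" for a, v in reversed(rdns))


def same_identity(dn_a: str, dn_b: str) -> bool:
    """Structural comparison: attribute types case-insensitive, values exact,
    order significant. A raw string compare would treat '/cn=' and '/CN='
    as two different people."""
    return parse_oneline_dn(dn_a) == parse_oneline_dn(dn_b)


def is_proxy_of(proxy_dn: str, issuer_dn: str) -> bool:
    """True if proxy_dn has the shape of a proxy subject issued by issuer_dn:
    the issuer's RDNs followed by exactly one extra CN (Globus / RFC 3820 rule)."""
    proxy, issuer = parse_oneline_dn(proxy_dn), parse_oneline_dn(issuer_dn)
    return (len(proxy) == len(issuer) + 1
            and proxy[:-1] == issuer
            and proxy[-1][0] == "CN")


def end_entity_dn(dn: str) -> List[RDN]:
    """Strip trailing proxy CNs ('CN=proxy', 'CN=limited proxy', or a numeric
    CN as used by RFC 3820) to recover the DN of the user or agent that
    created the proxy chain."""
    rdns = parse_oneline_dn(dn)
    while len(rdns) > 1 and rdns[-1][0] == "CN" and (
            rdns[-1][1] in ("proxy", "limited proxy") or rdns[-1][1].isdigit()):
        rdns = rdns[:-1]
    return rdns
```

A service that keys access-control lists on DNs should store and compare the parsed form (or a canonical serialisation of it) rather than the raw string, so that an attribute-type case difference or an alternative string form never produces a second, unintended identity.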

5 GSI for authentication
- Grid Security Infrastructure (Globus project) is a way to authenticate use of X.509 certificates.
- Based on public-key cryptography.
- Authentication without passwords!
- Allows services to call other services on the user's behalf.

6 Community-based authorization
- Managing access rights is a big job: ~10^3 users, ~10^7 resources, ~10 kinds of permission.
- Don't want to load up data-centres with user management.
- Want data-centres to carry on managing data.
- (Almost) all access rights come from position in the community…
- …so manage the users and their relationships as communities, centrally: avoid duplicate work…
- …but data-centres still set permissions on data-sets.
- Possible community: "Astronomers funded by PPARC" – access rights tend to follow funding arrangements.
- Based on the Community Access Server (CAS) from Globus.

7 Partitioning the community
- The community is sub-divided into groups of users and groups of resources.
- Resource providers define resource groups and grant access on resource groups to appropriate user groups.
- Individual members hold rights on private data.
- Users can create sub-groups for collaborations.
- Access rights can be shared between collaborators.
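Slides 6 and 7 describe the model without showing how the pieces fit: the community is managed centrally, data-centres keep control of what is granted on their resource groups, and users hold and share rights on private data. The following added example in Python (not AstroGrid or Globus CAS code) implements that model as a small in-memory community so the separation of duties can be checked. All DNs, group names and resource identifiers are constructed for the demo; two invariants are enforced that the slides imply but do not spell out: only the provider that defined a resource group may grant on it, and a user may only share a right they already hold, so sharing can never escalate access.

```python
"""Community-based authorization as sketched on slides 6 and 7.

Added example; not AstroGrid or Globus CAS code. Data-centres define resource
groups and grant permissions on them to user groups; users own private data,
create sub-groups for collaborations, and share rights they hold.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Permission = str  # e.g. "read", "write"


@dataclass
class Community:
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)      # group -> member DNs
    resource_groups: Dict[str, Set[str]] = field(default_factory=dict)  # rgroup -> resource ids
    provider_of: Dict[str, str] = field(default_factory=dict)           # rgroup -> data-centre DN
    grants: Dict[Tuple[str, Permission], Set[str]] = field(default_factory=dict)  # (rgroup, perm) -> user groups
    owner_of: Dict[str, str] = field(default_factory=dict)              # private resource -> owner DN
    shares: Dict[Tuple[str, Permission], Set[str]] = field(default_factory=dict)  # (resource, perm) -> user groups

    # Community administration: done centrally, not by the data-centres.
    def add_user_group(self, name: str, members: Set[str]) -> None:
        self.user_groups[name] = set(members)

    def create_subgroup(self, creator: str, parent: str, name: str, members: Set[str]) -> None:
        """A member may create a sub-group, but only of people already in the parent."""
        parent_members = self.user_groups.get(parent, set())
        if creator not in parent_members:
            raise PermissionError(f"{creator} is not a member of {parent}")
        outsiders = set(members) - parent_members
        if outsiders:
            raise PermissionError(f"not members of {parent}: {sorted(outsiders)}")
        self.user_groups[name] = set(members) | {creator}

    # Resource administration: stays with the data-centre that holds the data.
    def define_resource_group(self, provider: str, name: str, resources: Set[str]) -> None:
        self.resource_groups[name] = set(resources)
        self.provider_of[name] = provider

    def grant(self, grantor: str, rgroup: str, perm: Permission, ugroup: str) -> None:
        """Only the provider that defined a resource group may grant on it."""
        if self.provider_of.get(rgroup) != grantor:
            raise PermissionError(f"{grantor} is not the provider of {rgroup}")
        if ugroup not in self.user_groups:
            raise PermissionError(f"unknown user group {ugroup}")
        self.grants.setdefault((rgroup, perm), set()).add(ugroup)

    # Private data and sharing between collaborators.
    def register_private(self, owner: str, resource: str) -> None:
        self.owner_of[resource] = owner

    def share(self, sharer: str, resource: str, perm: Permission, ugroup: str) -> None:
        """A right can be shared only by someone who holds it: no escalation."""
        if not self.authorize(sharer, resource, perm):
            raise PermissionError(f"{sharer} does not hold {perm} on {resource}")
        if ugroup not in self.user_groups:
            raise PermissionError(f"unknown user group {ugroup}")
        self.shares.setdefault((resource, perm), set()).add(ugroup)

    # The access decision.
    def groups_of(self, user: str) -> Set[str]:
        return {g for g, members in self.user_groups.items() if user in members}

    def authorize(self, user: str, resource: str, perm: Permission) -> bool:
        """Owners may do anything with their private data; otherwise the user needs
        a group granted perm on a resource group containing the resource, or a
        group the owner shared perm with."""
        if self.owner_of.get(resource) == user:
            return True
        groups = self.groups_of(user)
        for rgroup, members in self.resource_groups.items():
            if resource in members and self.grants.get((rgroup, perm), set()) & groups:
                return True
        return bool(self.shares.get((resource, perm), set()) & groups)


# Constructed identities for the demo (not real people or services).
ALICE = "/C=UK/O=es-grid/OU=ast.cam.ac.uk/CN=Alice Example"
BOB = "/C=UK/O=es-grid/OU=ast.cam.ac.uk/CN=Bob Example"
CAROL = "/C=UK/O=es-grid/OU=star.le.ac.uk/CN=Carol Example"
ARCHIVE = "/C=UK/O=es-grid/OU=archive.example/CN=archive service"


def build_demo_community() -> Community:
    """Constructed scenario: one funded-astronomer group, one guest group,
    one data-centre resource group, and one private result file shared
    with a collaboration sub-group."""
    c = Community()
    c.add_user_group("pparc-astronomers", {ALICE, BOB})
    c.add_user_group("guests", {CAROL})
    c.define_resource_group(ARCHIVE, "survey-catalogues", {"cat:survey-a", "cat:survey-b"})
    c.grant(ARCHIVE, "survey-catalogues", "read", "pparc-astronomers")
    c.register_private(ALICE, "ws:alice/results.fits")
    c.create_subgroup(ALICE, "pparc-astronomers", "galaxy-collab", {BOB})
    c.share(ALICE, "ws:alice/results.fits", "read", "galaxy-collab")
    return c
```

With `c = build_demo_community()`, `c.authorize(BOB, "cat:survey-a", "read")` is true through the group grant, `c.authorize(CAROL, "cat:survey-a", "read")` is false, and Bob can read but not write Alice's result file because only "read" was shared with the collaboration sub-group. Every path to a "true" decision traces back either to the data-centre that defined the resource group or to the owner of the private data, which is the control the slides ask for.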

8 Using access rights with CAS

9 Pragmatic approach
- Don't add restrictions where they're not needed.
- Don't add security where there are no restrictions.
- Pairs of services:
  – Simple services: anonymous, no security
  – Full-function services: identified access
- The system can tell from context which kind of service to call.
