Trygve Aspelien and Yuri Demchenko

Presentation transcript:

gLite Java Authorisation Framework (gJAF) and Authorisation Policy coordination
Trygve Aspelien and Yuri Demchenko, University of Bergen and University of Amsterdam
JRA1 All-Hands meeting, November 8-10, 2006, UK

Outline
- gJAF overview and progress
- Suggested work items
- Other supporting activities
- Discussion: next steps and interaction with other packages
JRA1-AH, 8-10 November 2006, Abingdon

gJAF Overview
- Provided as the org.glite.security.authz Java package
- Actively uses the java-utils library for VOMS
- Called from applications via an interceptor (PEP) with {MessageContext, Subject, operation}
- Contains a configured chain of PIP and PDP modules
  - A PIP collects/extracts the information to be sent to the PDPs
  - Each PDP evaluates its relevant attributes against its own policy
  - The chain is configured to apply a combination of the PDP decisions
- Problems
  - Requires application-specific manual chain configuration
  - Limited use up to now: the gLite CE (and some interest from DM)

gJAF components and connection to the Grid Service

Suggested work items (1)
- SAML/Shib credentials support
  - Need to clarify the SAML Assertion format and the supporting libraries
  - To be provided as an internal gJAF package or as part of java-utils
  - Will rely on effective cooperation with SWITCH
  - Also expected to be available in GT4-AuthZ with GridShib
- Using XACML for policy expression
  - Motivation: standard, context aware, can be mapped to different formats
  - Used in G-PBox
  - Can be added as an XACML PDP plugin to gJAF or GT4-AuthZ
  - Need a policy management tool (simple or complex)
- Other issues found important
  - Enable the PDP chain to respond with an Obligated decision
  - PDP answer with an AuthZ ticket, to provide the extended/full decision context in the response to gJAF/PDP

Suggested work items (2)
- Compatibility and integration with other gLite/EGEE and 3rd party solutions
  - Integration with G-PBox: needs a gJAF AuthZ chain extension to process Obligated decisions
  - Compatibility and integration with GT4-AuthZ: possibility to reuse the available set of PDPs and PIPs; interest to cooperate was expressed by the GT4 Security team
- AuthZ policy compatibility and coordination
  - Common or mapped attribute semantics
  - Policy format mapping: XACML -> GACL, ACL, gridmap, BlackList
  - Q: Are they all compatible with and convertible to XACML?
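As an added illustration of the PIP/PDP chain described in the gJAF overview and of the Obligated decisions this work item asks the chain to handle (a Java sketch written for this page, not gJAF or GT4 code; the PIP/PDP interfaces, the deny-overrides combination, the map-to-account obligation and the sample DNs are all assumptions):

```java
import java.util.*;

// Added illustration (not the gJAF API): a PEP runs PIPs to fill the request context, then
// a PDP chain combined deny-overrides; a PERMIT may carry obligations the PEP must honour.
public class AuthzChainDemo {
    enum Decision { PERMIT, DENY, NOT_APPLICABLE }
    record Result(Decision decision, List<String> obligations) {}
    interface PIP { void collect(Map<String, String> ctx); }
    interface PDP { Result evaluate(Map<String, String> ctx); }
    // Constructed sample data standing in for a gridmap file and a blacklist.
    static final Map<String, String> GRIDMAP = Map.of("/DC=org/DC=example/CN=alice", "dteam001");
    static final Set<String> BLACKLIST = Set.of("/DC=org/DC=example/CN=mallory");
    // PIP: extract the requested operation from the (simulated) message context.
    static final PIP operationPip = ctx -> ctx.putIfAbsent("operation", "jobSubmit");
    // BlackList-style PDP: only ever answers DENY or NOT_APPLICABLE.
    static final PDP blacklistPdp = ctx -> new Result(
        BLACKLIST.contains(ctx.get("subjectDn")) ? Decision.DENY : Decision.NOT_APPLICABLE, List.of());

    // GridMap-style PDP: PERMIT a mapped DN and obligate the PEP to run as the local account.
    static final PDP gridmapPdp = ctx -> {
        String account = GRIDMAP.get(ctx.get("subjectDn"));
        return account == null ? new Result(Decision.DENY, List.of())
            : new Result(Decision.PERMIT, List.of("map-to-account:" + account));
    };

    // Deny-overrides combination: any DENY wins; NOT_APPLICABLE alone never grants.
    static Result evaluateChain(List<PIP> pips, List<PDP> pdps, Map<String, String> ctx) {
        for (PIP pip : pips) pip.collect(ctx);
        Decision combined = Decision.NOT_APPLICABLE;
        List<String> obligations = new ArrayList<>();
        for (PDP pdp : pdps) {
            Result r = pdp.evaluate(ctx);
            if (r.decision() == Decision.DENY) return new Result(Decision.DENY, List.of());
            if (r.decision() == Decision.PERMIT) { combined = Decision.PERMIT; obligations.addAll(r.obligations()); }
        }
        return new Result(combined, obligations);
    }

    // PEP: a PERMIT is enforceable only if every obligation is one the PEP understands.
    static Decision enforce(Result r, Set<String> supportedPrefixes) {
        if (r.decision() != Decision.PERMIT) return Decision.DENY;
        for (String o : r.obligations())
            if (supportedPrefixes.stream().noneMatch(o::startsWith)) return Decision.DENY;
        return Decision.PERMIT;
    }

    static Decision decide(String dn, Set<String> supportedPrefixes) {
        Map<String, String> ctx = new HashMap<>(Map.of("subjectDn", dn));
        return enforce(evaluateChain(List.of(operationPip), List.of(blacklistPdp, gridmapPdp), ctx), supportedPrefixes);
    }
}
```

Calling decide() for the mapped DN with an empty set of supported obligation prefixes yields DENY rather than PERMIT, which is the safe behaviour for a PEP that receives an Obligated decision it cannot fulfil.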

Other supporting activities
- gJAF promotion in EGEE and for the wider Grid community
  - Time to update the gJAF Developer's guide: https://edms.cern.ch/document/501718
  - HOWTO and usage examples
- EGEE AuthZ Policy Coordination
  - First meeting was in Bologna on June 6-7, 2005
  - Need for a next meeting in December 2006 - January 2007
- OGF OGSA-AuthZ Working Group
  - EGEE interest: bring EGEE reality to GGF standardisation
  - Proposed documents on AuthZ service components and protocols
  - CVS: Credentials Validation Service

Summary I (Detailed Workplan)
- General
  - Meeting with the CREAM and G-PBox guys to discuss policy handling, similar to Bologna 2005
  - Promote use of gJAF (includes also tests and PDP usage examples)
- Shared work effort (Yuri & Trygve)
  - Further investigations on the chain sequence
  - Prepare for adding obligations (G-PBox) and the ticket system (developed by UvA; the chain sequence is important)

Summary II (Detailed Workplan, cont.)
- Trygve (UiB)
  - ETICS building of authz-framework
  - Shib/SAML integration (needs co-operation with SWITCH); some open questions, e.g.:
    * Content of attributes and validation (MsgCtx)
    * Library?
    * Own PDP (e.g. VOMS) (needs?) / external call-out?
    * How to get PIP attributes (extend java-utils?)
- Yuri (UvA)
  - Possible integration of GT4 features (e.g. XACML PDP callout functionality)
  - Integrate the ticket system from UvA

Discussion
- Any other issues?
- Interaction with other packages and developers
- Comments?

Additional information (Appendix): GT4 Authorisation Framework

GT4 Authorisation Framework
- Can be configured for Container, Message, Service/Resource
- Called from the SOAP/Axis message interceptor
- AuthZ processing sequence includes
  - New! Bootstrapping X.509 PIP: retrieves the request parameters (Subject, Resource, Action) from the message
  - Sequence of pre-configured PIPs, including SAML
  - Sequence of (specialised) PDPs
  - Different PDP decision combination algorithms by the AuthZ engine; however, the consistency of multiple policy decisions is not resolved
- Available PDPs
  - ACL and GridMap
  - HostAuthorization and UserNameAuthorization (similar to a BlackList PDP)
  - SAML AuthZ callout and SAML AuthZ Assertion
  - SelfAuthorization: based on shared/trusted Resource credentials
  - Simple XACML PDP (provided as a placeholder for extension)