A gLite Authorization Framework

A gLite Authorization Framework
Thomas Sandholm, sandholm@pdc.kth.se
Olle Mulmo, mulmo@pdc.kth.se

Outline
- Status
- Requirements
- Design Goals
- Interfaces & Interactions
- Java Implementation
- Use Cases: Grid Map, Black List, Local ACL, XACML, VOMS
- EDG Authorization Manager
- UvA GAAAPI/RBAC
- Open Issues, Q & A

MWSG JRA3 Stockholm, 25-26 Aug, 2004

Status
- Proof of concept in the SweGrid Accounting System
- Contribution to the Globus Toolkit
- Interfaces and simple default implementations in gLite CVS
- GridMap and BlackList plug-ins in gLite CVS
- Section in the Global Security Architecture document
- Starting point: request for comments
- Next step: VOMS, UvA GAAAPI and EDG AuthzManager proofs of concept

Requirements
- Currently addressed JRA3 AUZ requirements: 4.3, 4.4, 4.5, 4.7, 4.8, 5, 6, 10, 12, 22, 30
- AUZ requirements summary: enable VO membership/role-based authz, local user id authz, certificate revocation, combination of authz requirements, no granularity restrictions, resource/action/role authz, application-independent authz, authz that can be set in all applications, authz based on role, file name, storage element name, operation, resource usage limits and directory
- Gap analysis: architecture, configuration, software platform

Design Goals
- Simple (cf. hourglass design)
- Light-weight
- Configurable, extensible, easily deployable
- Agnostic to run-time hosting and network protocols
- Enforcement, retrieval, evaluation and combination of authz policies
- Agnostic to policy language
- Service-oriented
- Leverage existing authorization systems (POSIX ACL, GACL, VOMS, LCMAPS, LCAS, CAS and Delegent) while providing a natural integration with state-of-the-art XML and Web services security technologies such as XACML

Interfaces & Interactions: Terminology
Terminology from the GGF Authorization Frameworks and Mechanisms Working Group and the XACML specification:
- PEP, Policy Enforcement Point: enforces policies
- PIP, Policy Information Point: retrieves policy attributes
- PDP, Policy Decision Point: makes policy decisions
- PAP, Policy Administration Point: manages policies

Interfaces & Interactions: Core Framework
[Diagram slide: core framework interactions between PEP, PIPs, PDPs and PAP; the figure is not part of the transcript.]

Interfaces & Interactions: PDP interface
isPermitted() has three outcomes:
- Return true if the request is permitted based on local policy.
- Return false if the request could not be permitted based on local policy; this allows subsequent interceptors to continue evaluation.
- Throw AuthorizationException if the request should be denied without further evaluation, regardless of other interceptors.
A PDP that must block a request (a black list, for instance) therefore has to throw rather than return false: false by itself never terminates the chain.

Java Implementation
- javax.security.auth.Subject (JAAS/J2SE) as evidence cache for the authenticated subject: authenticated subject DN, public/private credentials; populated by PIPs
- javax.xml.rpc.handler.MessageContext (JAX-RPC/J2EE) as execution/environment runtime context
- java.security.Provider (J2SE) as secure plug-in framework, used to implement different ServiceAuthorizationChain algorithms

Use Cases: Grid Map, Black List & Local ACL
Grid Map
- ServicePIP collecting Subject DN to local user id mappings
- ServicePDP returning permission denied if no mapping is found
- Integration with in-memory or file-based Globus grid maps that may be modified at runtime
Black List
- ServicePDP throwing AuthorizationException if the Subject DN is found in the blacklist file
- File may be updated at runtime
Local ACL
- ServicePDP interfacing to a local configuration file with user to allowed-operations mappings
- File may be updated at runtime
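The following is an added example, not code from gLite or the Globus Toolkit, showing the PDP interface contract, the JAAS Subject as evidence cache, and the grid map, black list and local ACL use cases together in one runnable chain. It assumes a Map<String, Object> in place of the JAX-RPC MessageContext, a LocalUserId credential type written for the example, and a permit-override combining algorithm (one of the chain algorithms the framework leaves pluggable); all sample DNs, accounts and operations are constructed for the example.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

// Added example, not gLite/GT code: the ServicePDP contract from the slides on plain JDK types.
// The JAX-RPC MessageContext is stood in for by a Map<String, Object> (assumption).
class AuthorizationException extends Exception {
    AuthorizationException(String msg) { super(msg); }
}
interface ServicePIP {
    // Add attributes about the peer to the Subject's public credentials (the evidence cache).
    void collectAttributes(Subject peer, Map<String, Object> ctx);
}
interface ServicePDP {
    // true: permitted by local policy; false: cannot permit here, a later PDP may still;
    // AuthorizationException: deny now, regardless of any other PDP.
    boolean isPermitted(Subject peer, Map<String, Object> ctx, String operation)
            throws AuthorizationException;
}
// Local account attached to the Subject by the grid-map PIP (assumed credential type).
final class LocalUserId { final String uid; LocalUserId(String uid) { this.uid = uid; } }

final class GridMapPIP implements ServicePIP {
    private final Map<String, String> dnToUid; // entries may be changed at runtime
    GridMapPIP(Map<String, String> dnToUid) { this.dnToUid = dnToUid; }
    public void collectAttributes(Subject peer, Map<String, Object> ctx) {
        String uid = dnToUid.get(subjectDn(peer));
        if (uid != null) peer.getPublicCredentials().add(new LocalUserId(uid));
    }
    static String subjectDn(Subject peer) {
        for (X500Principal p : peer.getPrincipals(X500Principal.class)) return p.getName();
        return null;
    }
}
final class BlackListPDP implements ServicePDP {
    private final Set<String> bannedDns;
    BlackListPDP(Set<String> bannedDns) { this.bannedDns = bannedDns; }
    public boolean isPermitted(Subject peer, Map<String, Object> ctx, String operation)
            throws AuthorizationException {
        // Must throw rather than return false: false never stops the chain by itself.
        if (bannedDns.contains(GridMapPIP.subjectDn(peer)))
            throw new AuthorizationException("subject DN is black-listed");
        return false; // absence from the list is not a permission
    }
}
final class LocalAclPDP implements ServicePDP {
    private final Map<String, Set<String>> uidToOps; // local user id -> allowed operations
    LocalAclPDP(Map<String, Set<String>> uidToOps) { this.uidToOps = uidToOps; }
    public boolean isPermitted(Subject peer, Map<String, Object> ctx, String operation) {
        for (LocalUserId u : peer.getPublicCredentials(LocalUserId.class)) {
            Set<String> ops = uidToOps.get(u.uid);
            if (ops != null && ops.contains(operation)) return true;
        }
        return false; // unmapped user or operation not listed: let another PDP decide
    }
}
// One chain algorithm (permit-override): run every PIP, then every PDP in order; an exception
// denies immediately, otherwise any true permits and all-false is a deny.
final class ServiceAuthorizationChain {
    private final List<ServicePIP> pips = new ArrayList<>();
    private final List<ServicePDP> pdps = new ArrayList<>();
    ServiceAuthorizationChain addPIP(ServicePIP p) { pips.add(p); return this; }
    ServiceAuthorizationChain addPDP(ServicePDP p) { pdps.add(p); return this; }

    boolean authorize(Subject peer, Map<String, Object> ctx, String operation) {
        for (ServicePIP pip : pips) pip.collectAttributes(peer, ctx);
        boolean permitted = false;
        try {
            for (ServicePDP pdp : pdps)
                if (pdp.isPermitted(peer, ctx, operation)) permitted = true;
        } catch (AuthorizationException e) {
            return false; // a hard deny overrides any earlier permit
        }
        return permitted;
    }

    public static void main(String[] args) {
        // Constructed sample data: two grid-map entries, one banned DN, one ACL entry.
        Map<String, String> gridMap = new HashMap<>();
        gridMap.put("CN=Alice,O=PDC,C=SE", "alice");
        gridMap.put("CN=Mallory,O=PDC,C=SE", "mallory");
        Map<String, Set<String>> acl = new HashMap<>();
        acl.put("alice", new HashSet<>(List.of("queryUsage")));
        ServiceAuthorizationChain chain = new ServiceAuthorizationChain()
                .addPIP(new GridMapPIP(gridMap))
                .addPDP(new BlackListPDP(new HashSet<>(List.of("CN=Mallory,O=PDC,C=SE"))))
                .addPDP(new LocalAclPDP(acl));
        String[][] cases = {{"CN=Alice,O=PDC,C=SE", "queryUsage"}, {"CN=Alice,O=PDC,C=SE", "updatePolicy"},
                {"CN=Mallory,O=PDC,C=SE", "queryUsage"}, {"CN=Bob,O=PDC,C=SE", "queryUsage"}};
        for (String[] c : cases) {
            Subject peer = new Subject(); // one fresh evidence cache per request
            peer.getPrincipals().add(new X500Principal(c[0]));
            System.out.println(c[0] + " " + c[1] + " -> " + chain.authorize(peer, new HashMap<>(), c[1]));
        }
    }
}
```

Compile with javac (Java 11 or later) and run `java ServiceAuthorizationChain`. Alice is permitted queryUsage and refused updatePolicy, Mallory is refused although the grid map maps her (the black list throws, and the chain stops evaluating), and the unmapped Bob is refused because no PDP ever returns true. Note that the black list works only because it throws: had it returned false, the later Local ACL PDP would still have been consulted, which is exactly the ordering trap the three-valued contract creates.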

Use Cases: XACML
ServicePDP wrapping Sun's XACML PDP engine
- XACML RequestContext created on the fly, populated with action, subject DN and environment attributes retrieved from the JAAS Subject's public credentials, to be used in policy conditions. The resource is assumed to be the current service.
- XACML ResponseContext parsed to return true/false from isPermitted()
- AuthorizationException thrown if an error occurred while evaluating the policy
ServicePAP retrieving/updating the XACML policy
- Makes callouts to the Delegent Authorization Server, based on an XDiff update permission, to determine whether the update is allowed
- Policy stored in a local Xindice database; policy update permissions stored in the Delegent Authorization Server
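The following is an added example, not the gLite ServicePDP or Sun's XACML code, showing how the request context described above can be assembled from a JAAS Subject with the JDK's DOM API, so that the mapping from evidence cache to XACML attributes is visible. It assumes VO roles are held in the Subject's public credentials as a VoRole type written for the example (as a VOMS PIP could leave them), that the resource is the service URL supplied by the caller, and that the vo-role attribute id is illustrative rather than standard; the DN, VO and URL in main are constructed sample data.

```java
import java.io.StringWriter;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Added example, not the gLite ServicePDP: builds the XACML request context the slide describes
// from a JAAS Subject, using only the JDK's DOM API. Assumptions: VO roles sit in the public
// credentials as VoRole objects, the resource is the service URL passed by the caller, and the
// VO_ROLE attribute id is illustrative, not a standard one.
final class VoRole {
    final String vo, role;
    VoRole(String vo, String role) { this.vo = vo; this.role = role; }
}

final class XacmlRequestBuilder {
    // XACML 2.0 context namespace; Sun's XACML 1.x engine expects the same element structure
    // under urn:oasis:names:tc:xacml:1.0:context.
    static final String CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os";
    static final String XMLNS = "http://www.w3.org/2000/xmlns/";
    static final String STRING = "http://www.w3.org/2001/XMLSchema#string";
    static final String X500 = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name";
    static final String SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
    static final String RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    static final String ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";
    static final String VO_ROLE = "urn:example:glite:vo-role"; // assumed attribute id

    static Document build(Subject peer, String serviceUrl, String operation) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element request = doc.createElementNS(CTX, "Request");
        request.setAttributeNS(XMLNS, "xmlns", CTX);
        doc.appendChild(request);

        Element subject = child(request, "Subject");
        for (X500Principal p : peer.getPrincipals(X500Principal.class))
            attribute(subject, SUBJECT_ID, X500, p.getName()); // RFC 2253 form of the DN
        for (VoRole r : peer.getPublicCredentials(VoRole.class))
            attribute(subject, VO_ROLE, STRING, "/" + r.vo + "/Role=" + r.role); // FQAN-style

        attribute(child(request, "Resource"), RESOURCE_ID, STRING, serviceUrl);
        attribute(child(request, "Action"), ACTION_ID, STRING, operation);
        child(request, "Environment"); // mandatory element, may be empty
        return doc;
    }

    private static Element child(Element parent, String name) {
        Element e = parent.getOwnerDocument().createElementNS(CTX, name);
        parent.appendChild(e);
        return e;
    }

    private static void attribute(Element parent, String id, String dataType, String value) {
        Element a = child(parent, "Attribute");
        a.setAttribute("AttributeId", id);
        a.setAttribute("DataType", dataType);
        child(a, "AttributeValue").setTextContent(value);
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an authenticated peer with one VO role.
        Subject peer = new Subject();
        peer.getPrincipals().add(new X500Principal("CN=Alice,O=PDC,C=SE"));
        peer.getPublicCredentials().add(new VoRole("swegrid", "accountant"));
        System.out.println(serialize(build(peer, "https://sgas.example.org/UsageService", "queryUsage")));
    }
}
```

Two points matter when wrapping an engine like this behind the three-valued isPermitted(). First, the subject-id is typed as x500Name, so a policy must compare it with the x500Name-equal or x500Name-match functions; a string-equal against the DN text yields Indeterminate rather than a match. Second, XACML returns four decisions, Permit, Deny, NotApplicable and Indeterminate, while the slide's PDP maps the response to true/false plus an exception on error. Permit maps to true and NotApplicable to false naturally, and Indeterminate is the error case; an explicit Deny, however, should be raised as an AuthorizationException in a chain where false only abstains, otherwise a later PDP could still permit what the policy denied.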

Use Cases: VOMS (not yet implemented)
ServicePIP parsing the certificate and retrieving the VO membership mapping
- Use the VOMS certificate parser and make callouts to the VOMS server
- Populate the evidence cache (JAAS Subject) with e.g. attributes that may be used when defining XACML policy conditions or subject permissions
ServicePDP checking local policies and role permissions against resource ACLs
- May be implemented as an XACML (AAA/RBAC) policy engine
- May be implemented as a simple Local ACL PDP

EDG Authorization Manager
Wrapping repositories → chaining PIPs/PDPs:
- And, Or, Not combination of repositories → custom ChainConfig and ServiceAuthorizationChain (could be written)
- Map type file → GridMap PDP, Local ACL PDP
- Map type db → DB PDP (could be written)
- Map type regex → RegExp PDP (could be written)
- Map type cached → ServiceAuthorizationChain or ServicePIP configuration (could be written)
- Map type table → Local ACL PDP
- VOMS repository → VOMS PIP (will be written)

UvA GAAAPI/RBAC
- PEPapi.AuthoriseAction → ServiceAuthorizationChain.authorize(): the MessageContext or Subject credentials could be populated with additional API information such as jobid, resourceId and roles; the action parameter corresponds to the operation parameter
- Local PDP / Remote PDP / GAA → since it accepts XACML requests/responses it could be integrated in the same way as the XACML PDP described above (i.e. as a custom ServicePDP)
- RBE → custom ServiceAuthorizationChain, or hidden in a ServicePDP

Open Issues, Q & A
- How should obligations be modelled in a policy-language-independent way (leave it to the PEP, i.e. the ServiceAuthorizationChain caller, to collect and respond to obligations)?
- Should we allow authorization on multiple operations/actions in one evaluation request?
- Level of EDG AuthzManager support (config file backwards compatibility, feature compatibility)?
- XACML profile support (RBAC / Web services)?