AuthZ Interop report out

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Advertisements

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Authz work in GGF David Chadwick
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.
May 11, 20091/17 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting May 11, 2009 Gabriele Garzoglio.
Jan 10, 20091/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Jan 10, 2009 Gabriele Garzoglio.
Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.
March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/18 Status of the Adoption of a SAML-XACML Profile.
Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.
Mine Altunay July 30, 2007 Security and Privacy in OSG.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep et al. NIKHEF.
INFSO-RI Enabling Grids for E-sciencE EGEE Security Joni Hahkala, UH-HIP On behalf of JRA3 JRA1 AH March 22-24, 2006.
Oct 19, 20101/16 Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware in OSG and EGEE CHEP 2010 Oct 19, 2010 Gabriele.
VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring.
OSG AuthZ components Dane Skow Gabriele Carcassi.
EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
Jun 12, 20071/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio AuthZ Interoperability Status and Plans June 12, 2007 Middleware Security.
AstroGrid-D Meeting MPE Garching, M. Braun VO Management.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
Sep 25, 20071/5 Grid Services Activities on Security Gabriele Garzoglio Grid Services Activities on Security Gabriele Garzoglio Computing Division, Fermilab.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML interoperability Oscar Koeroo.
INFSO-RI Enabling Grids for E-sciencE AuthZ Interop: A common XACML Profile ( Bonus material about the implementation) Oscar Koeroo.
INFSO-RI Enabling Grids for E-sciencE AuthZ Interop: A common XACML Profile and its current implementation Oscar Koeroo.
Sep 17, 20081/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Sep 17, 2008 Gabriele Garzoglio.
VOX Project Status T. Levshina. 5/7/2003LCG SEC meetings2 Goals, team and collaborators Purpose: To facilitate the remote participation of US based physicists.
Feb 15, 20071/6 OSG EB Meeting – VO Services Status Gabriele Garzoglio VO Services Status OSG EB Meeting Feb 15, 2007 Gabriele Garzoglio, Fermilab.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
OSG Status and Rob Gardner University of Chicago US ATLAS Tier2 Meeting Harvard University, August 17-18, 2006.
Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February gPLAZMA:
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
INFSO-RI Enabling Grids for E-sciencE SCAS Progress Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Workplan.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus: command line usage and banning Christoph.
June 5, 2006gLexec1 gLexec (within the OSG and Fermilab) June 5, 2006 Keith Chadwick.
Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.
FermiGrid - PRIMA, VOMS, GUMS & SAZ Keith Chadwick Fermilab
Argus EMI Authorization Integration
f f FermiGrid – Site AuthoriZation (SAZ) Service
TCG Discussion on CE Strategy & SL4 Move
Overview OSG & EGEE Authorization Models
GIN & the Standards Activity
Presentation transcript:

AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk

Participants EGEE VO Services (‘Privilege’) Project Globus Condor VDT (OSG) Joint development and definition effort 2007 until early 2009 In production phase as of mid 2008 Institutes: ANL, BCCS, BNL, FNAL, INFN, Nikhef, Switch, UvA, UWMadison The Authz-Interop Collaboration April 2009 2

What did we start with? GUMS and PRIMA using proprietary SAML1 based protocol SAZ (authorization service) GT3, GT4 ‘authz callout’ for PRIMA by Markus Lorch LCAS/LCMAPS gLExec gPlazma Not only used GUMS and the ‘EGEE’ a different logical model of dealing with attributes and authorization (local VOMS dumps vs. VOMS attribute push) Also, the services build in one ecosystem (e.g. ‘EGEE’) could not be used in the other (‘OSG’) → hacks and double work The Authz-Interop Collaboration April 2009 3

Original (interim) EGEE scenario plan VO Grid Site Site Services PDP VO Services VOMRS VOMS synch SCAS 2 UID/GID Yes / No ID Map? Is Auth? 5 1 PEPs 3 SE SRM gPlazma CE Gatekeeper SCAS Clnt. WN gLExec SCAS Clnt. register Submit request with voms-proxy get voms-proxy 4 Pilot OR Job (UID/GID) Submit Pilot SU Job (UID/GID) 8 (UID/GID) Access Data Batch System Pilot OR Job Schedule Storage 6 6 AuthZ Components Legend VO Management Services 7 April 2009 4

OSG Authorization Infrastructure A Common Protocol for OSG and EGEE integrated with the GT VO PDP Grid Site Site Services VO Services VOMRS VOMS synch GUMS SAZ synch 2 3 ID Mapping? UserName Yes / No + 7 6 Yes / No Is Auth? 1 PEPs 4 SE SRM gPlazma CE Gatekeeper Prima WN gLExec Prima register Submit request with voms-proxy get voms-proxy 5 Pilot OR Job (UID/GID) Submit Pilot SU Job (UID/GID) 10 (UID/GID) Access Data Batch System Pilot OR Job Schedule Storage 8 8 AuthZ Components Legend Not Officially In OSG VO Management Services 9 April 2009 5 The Authz-Interop Collaboration

Aims of the authz-interop project Provide interoperability within the authorization infrastructures of OSG, EGEE, Globus and Condor Through Common communication protocol Common attribute and obligation definition Common semantics and actual interoperation of production system So that services can use either framework and be used in both infrastructures The Authz-Interop Collaboration April 2009 6

Two Elements for interop Common communications profile Agreed on use of SAML2-XACML2 http://www.switch.ch/grid/support/documents/xacmlsaml.pdf Common attributes and obligations profile List and semantics of attrbutes sent and obligations received between a ‘PEP’ and ‘PDP’ Now at version 1.1 http://cd-docdb.fnal.gov/cgi-bin/ShowDocument?docid=2952 http://edms.cern.ch/document/929867 The Authz-Interop Collaboration April 2009 7

Profile in a nutshell Existing standards: XACML defines the XML-structures that are exchanged with the PDP to communicate the security context and the rendered authorization decision. SAML defines the on-the-wire messages that envelope XACML's PDP conversation. The Authorization Interoperability profile augments those standards: standardize names, values and semantics for common-obligations and core-attributes such that our applications, PDP-implementations and policy do interoperate. Subject S requests to perform Action A on Resource R within Environment E CE / SE / WN Gateway PEP XACML Request PDP Site Services XACML Response Grid Site Decision Permit, but must fulfill Obligation O The Authz-Interop Collaboration April 2009 8

An XACML AuthZ Interop Profile Authorization Interoperability Profile based on the SAML v2 profile of XACML v2 Result of a 1yr collaboration between OSG, EGEE, Globus, and Condor Releases: v1.1  10/09/08 v1.0  05/16/08 The Authz-Interop Collaboration Slide_9

Structure of the AuthZ Interop Profile Namespace prefix: http://authz-interop.org/xacml Request Attribute Identifiers Subject: <ns-prefix>/subject/<subject-attr-name> Action: <ns-prefix>/action/<action-attr-name> Resource: <ns-prefix>/resource/<resource-attr-name> Environment: <ns-prefix>/environment/<env-type> Obligation Attribute Identifiers ObligationId: <ns-prefix>/obligation/<obligation-name> AttributeId: <ns-prefix>/attributes/<obligation-attr-name> The Authz-Interop Collaboration April 2009 10 10

Most Common Request attributes Subject (see profile doc for full list) Subject-X509-id String: OpenSSL DN notation Subject-VO String: “CMS” VOMS-FQAN String: “/CMS/VO-Admin” Resource (see doc for full list) Resource-id (enum type) CE / SE / WN Resource X509 Service Certificate Subject resource-x509-id Host DNS Name Dns-host-name Action Action-id (enum type) Queue / Execute-Now / Access (file) Res. Spec. Lang. RSL string Environment PEP-PDP capability negot. PEP sends to PDP supported Obligations Enables upgrading of the PEPs and PDPs independently Pilot Job context (pull-WMS) Pilot job invoker identity Policy statement example: “User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO” see document for all attributes and obligations The Authz-Interop Collaboration April 2009 11 11

Most Common Obligation Attributes UIDGID UID (integer): Unix User ID local to the PEP GID (integer): Unix Group ID local to the PEP Secondary GIDs GID (integer): Unix Group ID local to the PEP (Multi recurrence) Username Username (string): Unix username or account name local to the PEP. Path restriction RootPath (string): a sub-tree of the FS at the PEP HomePath (string): path to user home area (relative to RootPath) Storage Priority Priority (integer): priority to access storage resources. Access permissions Access-Permissions (string): “read-only”, “read-write” see document for all attributes and obligations The Authz-Interop Collaboration April 2009 12 12

Full interoperability The Authz-Interop Collaboration April 2009 13

What has been achieved now All profiles written and implemented Common libraries available in Java and C implementing the communications protocol Common handlers for Joint Interoperable Attribute and Obligations Integrated in all relevant middleware in EGEE and OSG: Clients: lcg-CE (via LCMAPS scasclient), CREAM and gLExec (ditto), GT pre-WS gram (both prima and LCMAPS), GT GridFTP, GT4.2 WS-GRAM, dCache/SRM Servers: GUMS, SCAS Other (lower-prio) components in progress SAZ, RFT, GT4.x native-AuthZ, Condor (& -G), BeStMan The Authz-Interop Collaboration April 2009 14

OSG Integration Test Results Component Test PDP Component Old GUMS New GUMS SCAS WS-Gatekeeper (Out of Scope) Test call-out component NO YES Run job w/o Delegation or File Transfer out of scope Run job with Delegation and File Transfer SCAS / PRIMA cmd line tool (OOS) AuthZ call via Legacy protocol call-out AuthZ call via XACML protocol call-out Pre-WS Gatekeeper (VTB-TESTED) Run job. AuthZ via Legacy protocol Run job. AuthZ via XACML protocol GridFTP (VTB-TESTED) Transfer file. AuthZ via Legacy protocol Transfer file. AuthZ via XACML protocol gLExec (REL. Jan 20) Run pilot job. AuthZ via Legacy protocol Run pilot job. AuthZ via XACML protocol SRM/dCache gPlazma (REL. Jan 20) The Authz-Interop Collaboration April 2009 15

Latest news dCache v1.9.2-4 has been released this week. Pre-release tests have been conducted successfully against GUMS and SCAS. Will be the recommended release in a few months! What are the EGEE deployment plans? Development of native authz XACML call-out module for GridFTP: tests with the Globus Toolkit call-out module for authorization speaking the interop protocol start this week The Authz-Interop Collaboration April 2009 16

What next? Keeping interop (in ‘maintenance mode’) is most important! Continued software support from contributing partners Interdependency in timing between OSG and GT may lead to Catch-22 in prioritizing native GT4.2 implementation Support in Delegation Service and RTF is needed for full production, and before existing legacy solutions can be phased out Continued close coordination on the specification of the Authorization Profile. New uses cases must be coordinated and no ‘proprietary’ extensions should added, as that breaks the interop. Continuous communations and coordination remains essential. The Authz-Interop Collaboration April 2009 17

Conclusions EGEE, OSG, Globus, and Condor have collaborated since Feb 2007 on an Authorization Interoperability profile and implementation Interoperability is achieved through an AuthZ Interop Profile, based on the SAML v2 profile of XACML v2 Call-out module implementations are integrated with major Resource Gateways The major advantages of the infrastructure are: Software developed in the US or EU can seamlessly be deployed in the EU or US security infrastructures Software groups in EGEE and OSG can share and reuse common code Production deployments in OSG and EGEE The Authz-Interop Collaboration April 2009 18

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.