DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

Presentation transcript:

A Quick Refresher
Grid Security Infrastructure (GSI) =
– X.509 (PKI certificate format)*
– + proxy certificates (single sign-on & delegation)
– + TLS/SSL (authentication & message protection)*
– + delegation protocol (remote delegation)
* = existing IETF standards; the others were GGF & IETF drafts when this was presented (the proxy certificate profile was later published as RFC 3820).

X.509 Proxy Certificates
A proxy certificate is used by an entity to delegate all or part of its own authority.
– A proxy certificate is a special type of X.509 certificate: it is signed with the private key of a normal end-entity certificate (or of another proxy) rather than by a CA.
– A proxy certificate grants the bearer (whoever holds its private key) some or all of the issuing entity's authority.

Unrestricted Proxies
An unrestricted proxy certificate delegates all of the issuer's authority.
– Supports single sign-on & delegation through "impersonation".
– Relying parties grant an unrestricted proxy the same rights they would grant the entity that issued it (subject to any additional local policy).
– "grid-proxy-init" creates an unrestricted proxy certificate.
– This is what current (2.0) Globus software supports.
Because the proxy's private key is all a relying party checks, whoever obtains it can impersonate the issuer until the proxy expires; a short proxy lifetime is the main mitigation.

Restricted Proxies
A restricted proxy delegates a subset of the issuer's authority.
– A restricted proxy certificate contains a policy statement limiting what that certificate may be used for.
– Relying parties authorize a request only if all three hold: the request would have been granted to the proxy's issuer, the request is consistent with the policy embedded in the certificate, and any additional local policy requirements are met.
– Thus a restricted proxy grants (at most) the intersection of the issuer's rights under local policy and the rights granted by the proxy's embedded policy. Because the embedded policy can only narrow, a proxy can never carry more authority than its issuer has.
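The three proxy-certificate slides above (proxy certificates, unrestricted proxies, restricted proxies), as one worked example added here; this is not code from the Globus toolkit or from the presenters. A Go program issues an unrestricted and a restricted proxy the way grid-proxy-init or a CAS server would, signs each with the issuer's own key, and performs the checks a proxy-aware relying party must make. It uses the ProxyCertInfo OIDs from RFC 3820, the published form of the draft the slides refer to; the end-entity certificate is self-signed for the example, and the names, the policy text and the policy-language OID 2.999.1 are constructed (2.999 is the OID arc reserved for examples). The policy is carried as an identifying OID plus opaque bytes, matching the format described on the policy language slide; what those bytes mean is left to CAS and the resource.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"reflect"
	"time"
)

// OIDs from RFC 3820, the published form of the proxy-certificate draft the slides refer to.
var (
	oidProxyCertInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14} // id-pe-proxyCertInfo
	oidInheritAll    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 21, 1} // id-ppl-inheritAll: unrestricted proxy
	oidExamplePolicy = asn1.ObjectIdentifier{2, 999, 1}                  // hypothetical language; 2.999 is the example OID arc
	oidCommonName    = asn1.ObjectIdentifier{2, 5, 4, 3}
)
// ProxyPolicy is RFC 3820's ProxyPolicy: an identifying OID plus an opaque policy field.
type ProxyPolicy struct {
	PolicyLanguage asn1.ObjectIdentifier // oidInheritAll means an unrestricted proxy
	Policy         []byte `asn1:"optional"`
}
// proxyCertInfo is the ProxyCertInfo extension value (the optional pCPathLenConstraint is omitted).
type proxyCertInfo struct{ ProxyPolicy ProxyPolicy }

// NewEndEntity makes a self-signed, non-CA certificate standing in for a CA-issued user certificate.
func NewEndEntity(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example VO"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // cA=false: an ordinary end-entity certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueProxy does what grid-proxy-init (or a CAS server) does: fresh key pair, subject = issuer's subject
// plus one CN RDN, a critical ProxyCertInfo carrying the policy, all signed with the issuer's own key.
func IssueProxy(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, policy ProxyPolicy, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	var rdns pkix.RDNSequence
	if _, err := asn1.Unmarshal(issuer.RawSubject, &rdns); err != nil { return nil, nil, err }
	rawSubject, errS := asn1.Marshal(append(rdns, pkix.RelativeDistinguishedNameSET{{Type: oidCommonName, Value: "proxy"}}))
	pci, errP := asn1.Marshal(proxyCertInfo{ProxyPolicy: policy})
	if errS != nil || errP != nil { return nil, nil, fmt.Errorf("encoding proxy: %v %v", errS, errP) }
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(time.Now().UnixNano()),
		RawSubject:      rawSubject,
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(ttl),
		ExtraExtensions: []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: pci}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &proxyKey.PublicKey, issuerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, proxyKey, err
}

// VerifyProxy is the proxy-aware check a relying party adds after validating the issuer normally:
// signed by the issuer's key, named by the RFC 3820 rule, within its lifetime, with a decodable policy.
func VerifyProxy(proxy, issuer *x509.Certificate, now time.Time) (ProxyPolicy, error) {
	if err := issuer.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil || !bytes.Equal(proxy.RawIssuer, issuer.RawSubject) {
		return ProxyPolicy{}, fmt.Errorf("proxy was not issued by this certificate: %v", err)
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) || proxy.NotAfter.After(issuer.NotAfter) {
		return ProxyPolicy{}, fmt.Errorf("proxy outside its validity period or outlives its issuer")
	}
	pn, in := proxy.Subject.Names, issuer.Subject.Names
	if len(pn) != len(in)+1 || !reflect.DeepEqual(pn[:len(in)], in) || !pn[len(in)].Type.Equal(oidCommonName) {
		return ProxyPolicy{}, fmt.Errorf("proxy subject is not the issuer subject plus one CN")
	}
	for _, ext := range proxy.Extensions {
		if !ext.Id.Equal(oidProxyCertInfo) { continue }
		var pci proxyCertInfo
		if rest, err := asn1.Unmarshal(ext.Value, &pci); err != nil || len(rest) != 0 {
			return ProxyPolicy{}, fmt.Errorf("malformed ProxyCertInfo extension")
		}
		return pci.ProxyPolicy, nil
	}
	return ProxyPolicy{}, fmt.Errorf("not a proxy certificate: no ProxyCertInfo extension")
}

func main() {
	ee, key, _ := NewEndEntity("Jane Doe")
	p, _, _ := IssueProxy(ee, key, ProxyPolicy{PolicyLanguage: oidExamplePolicy, Policy: []byte("read /home/jane/*")}, time.Hour)
	pol, err := VerifyProxy(p, ee, time.Now())
	// CheckSignatureFrom refuses a non-CA signer: stock X.509 chain building never accepts a proxy.
	fmt.Printf("%v: policy=%q err=%v stockChainAccepts=%v\n", p.Subject, pol.Policy, err, p.CheckSignatureFrom(ee) == nil)
}
```

Two points the code makes that the slides leave implicit. First, the standard library's chain validation (CheckSignatureFrom) rejects the proxy outright because its signer is not a CA; this is why GSI-aware relying parties had to add proxy-specific validation rather than reuse stock X.509 path building. Second, a proxy can itself issue a proxy and VerifyProxy checks one link at a time; when the outer proxy is restricted, the inner one is still bounded by that restriction (the intersection rule on the slide), which is the policy evaluator's job, not the certificate check's.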

Community Authorization Service
In the CAS model, resource providers grant access to blocks of resources to a community as a whole, and the community uses a CAS server to perform fine-grained access control on those resources.
– Resource providers grant coarse-grained access to communities.
– Communities run CAS servers, which keep track of fine-grained access control information and grant restricted proxies to community members.
– The result is that a CAS user gets the intersection of the rights granted by the resource provider to the community and the rights granted by the community to that user.

A Typical CAS Request
1. CAS request, authenticated with the user's credential. The CAS server consults the CAS-maintained community policy database: what rights does the community grant to this user?
2. CAS reply, including a restricted proxy credential issued under the community's subject name and carrying the policy restrictions for this user.
3. Resource request, authenticated with the CAS proxy. The resource server consults its local policy information (is this request authorized for the community?) and the proxy's embedded policy (do the proxy restrictions authorize this request?).
4. Resource reply.

CAS Policy Management: the Resource Provider's View
– The resource provider grants access to a block of resources to the community, using the existing access-control mechanism for that resource (e.g. grid-mapfile entries, file permissions, Akenti, etc.).
– The resource provider uses the normal local mechanisms (e.g. quotas) to set policy for the community as a whole.
– The resource provider can grant access to different resources to CAS servers representing different communities.
– The resource provider then installs servers modified to enforce the policy carried in CAS restricted proxies.

CAS Policy Management: the Community's View
CAS administrative requests are used to maintain the CAS community policy database, which:
– controls what rights the CAS server will grant to which users;
– controls the CAS server's own access control policies, and thus can be used to delegate the ability to grant rights, maintain groups, etc.;
– maintains the list of community members.

Policy Language
Restricted proxies can use any policy language: the format consists of an identifying OID and an opaque policy field.
We currently use a very simple policy language:
– Resource (e.g. host and filename)
– Positive rights (e.g. read, write, create)
– Can specify subtrees (/home/user/*)
The policy language need only be understood by CAS and the end resources:
– Opaque to users and to the protocol
– Allows for more advanced languages
Deployment and feedback are needed to understand what a more advanced language must provide.
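The resource server's decision in the CAS request flow (local community grant AND proxy restriction) together with the simple policy language on this slide, as an added example; it is not the CAS implementation. The Go program below parses a hypothetical text rendering of the language (host:/path followed by comma-separated positive rights, with a trailing /* for a subtree), evaluates it, and makes the intersection decision. The hostnames, paths and both policies are constructed sample data. Beyond the slide, it also covers two checks a practitioner would want in any path-based policy: subtree matching on whole path components (so /scratch/jane/* does not cover /scratch/janedoe) and cleaning of the requested path before matching (so /scratch/jane/../bob is judged as /scratch/bob).

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// Entry is one statement in a simple CAS-style policy: a resource (host and path) and the
// positive rights granted on it. A path written with a trailing "/*" covers the subtree below it.
type Entry struct {
	Host    string
	Path    string // cleaned absolute path, without any trailing "/*"
	Subtree bool
	Rights  map[string]bool // e.g. read, write, create
}

// ParsePolicy reads lines of the form "host:/path right[,right...]"; blank lines and "#" comments
// are skipped. The text syntax is hypothetical: the slide only says the real format is an
// identifying OID plus an opaque field that CAS and the end resource understand.
func ParsePolicy(text string) ([]Entry, error) {
	var out []Entry
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("line %d: expected \"host:/path right[,right...]\"", n)
		}
		host, p, ok := strings.Cut(fields[0], ":")
		if !ok || host == "" || !path.IsAbs(p) {
			return nil, fmt.Errorf("line %d: resource %q must be host:/absolute/path", n, fields[0])
		}
		e := Entry{Host: host, Rights: map[string]bool{}}
		if strings.HasSuffix(p, "/*") {
			e.Subtree, p = true, strings.TrimSuffix(p, "*")
		}
		e.Path = path.Clean(p)
		for _, r := range strings.Split(fields[1], ",") {
			if r = strings.ToLower(strings.TrimSpace(r)); r == "" {
				return nil, fmt.Errorf("line %d: empty right", n)
			}
			e.Rights[r] = true
		}
		out = append(out, e)
	}
	return out, sc.Err()
}

// covers reports whether e applies to host:p. The request path is cleaned first ("/a/../b/x" is judged
// as "/b/x") and subtree matching works on whole components ("/scratch/jane/*" does not cover "/scratch/janedoe/x").
func (e Entry) covers(host, p string) bool {
	if !strings.EqualFold(e.Host, host) || !path.IsAbs(p) {
		return false
	}
	p = path.Clean(p)
	if !e.Subtree {
		return p == e.Path
	}
	return p == e.Path || strings.HasPrefix(p, strings.TrimSuffix(e.Path, "/")+"/")
}

// Grants reports whether the policy grants right r on host:p. Rights are positive only: anything
// not explicitly granted is denied, so a policy can narrow an outer grant but never widen it.
func Grants(policy []Entry, host, p, r string) bool {
	for _, e := range policy {
		if e.covers(host, p) && e.Rights[strings.ToLower(r)] {
			return true
		}
	}
	return false
}

// Authorize is the resource server's decision: the request must be allowed for the community by
// the provider's local policy AND by the restrictions CAS embedded in the proxy (the intersection).
func Authorize(communityLocal, proxyPolicy []Entry, host, p, r string) bool {
	return Grants(communityLocal, host, p, r) && Grants(proxyPolicy, host, p, r)
}

func main() {
	// Constructed sample policies (not from the slides): the provider's local grant to the whole
	// community, and the narrower grant the CAS server embedded in one user's restricted proxy.
	community, _ := ParsePolicy("storage.example.org:/data/* read,write\nstorage.example.org:/scratch/* read,write,create")
	proxy, _ := ParsePolicy("storage.example.org:/data/* read\nstorage.example.org:/scratch/jane/* read,write,create\nstorage.example.org:/etc/* read")
	for _, c := range [][3]string{
		{"storage.example.org", "/data/run42.root", "read"},        // both grant: allow
		{"storage.example.org", "/data/run42.root", "write"},       // community may, proxy narrows: deny
		{"storage.example.org", "/etc/passwd", "read"},             // proxy claims it, community never had it: deny
		{"storage.example.org", "/scratch/janedoe/x", "write"},     // prefix look-alike of /scratch/jane/*: deny
		{"storage.example.org", "/scratch/jane/../bob/x", "write"}, // traversal, cleaned to /scratch/bob/x: deny
	} {
		fmt.Printf("%-5s %-24s allowed=%v\n", c[2], c[1], Authorize(community, proxy, c[0], c[1], c[2]))
	}
}
```

The third case is the one that matters for the CAS model: a proxy policy that names a resource the community was never granted changes nothing, because the provider's own local policy is consulted first and the proxy can only subtract from it.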

Spitfire Security Mechanism
Flow of a request through the Spitfire servlet container, as shown in the slide's diagram:
1. An HTTP + SSL request arrives with a client certificate. The SSLServletSocketFactory / TrustManager checks it against the Trusted CAs (is the certificate signed by a trusted CA?) and against the Revoked Certs repository (has the certificate been revoked?).
2. The Security Servlet asks: does the user specify a role? If yes, the role is checked against the Role repository (role ok?); if no, a default role is found.
3. The Authorization Module maps the role to a connection ID using the connection mappings.
4. The Translator Servlet passes the request and connection ID to the Connection Pool, which executes it against the RDBMS.

Service CAS Request
A second diagram, a variant of the typical CAS request above in which the resource request is authenticated with the user's own credentials. Elements as labelled: User; CAS Server with the CAS-maintained community policy database ("What rights does the community grant to this user?"); Resource Server with local policy information ("Is this request authorized for the community?", "Do the proxy restrictions authorize this request?"). Messages as numbered on the slide:
1. CAS request, authenticated with the user credential.
2. Resource request, authenticated with user credentials.
3. CAS reply, including a restricted proxy credential (community subject name, policy restrictions).
4. Resource reply.