Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.


5c.1 Globus Authorization
Fall 2008 Grid computing course, broadcast on the North Carolina Research and Education Network (NCREN) to universities across North Carolina. Oct 23, 2008.

5c.2 Authorization
Authorization: the process of deciding whether a particular identity may access a particular resource.
 - Assumes the identity has already been validated through authentication.
Access control: what type of access is permitted.
 - A finer level of authorization rather than a blanket ability to make any type of access.

5c.3 Access control
 - Users may have access only to their own files, or
 - may be allowed to read the files of other users in collaborative projects.
 - A well-known situation that applies to all computer systems, distributed or not.
 - Most common approach: access control lists (ACLs), which have been around for many years, e.g. Linux file permissions.

5c.4 Accounts
 - Accounts have to exist on each computer system that users wish to access.
 - Each user might have an individual account on each system.
 - Setting up individual accounts is time-consuming, since multiple system administrators are involved.
 - Sometimes it is convenient to have a group account for a virtual organization, which all users in the virtual organization share (at the cost of losing per-user accountability on that system).

5c.5 Accounts (continued)
 - A mechanism for creating and managing these accounts is very desirable.
 - One approach: a network-accessible (LDAP) database that lists users and their access privileges, keyed by the distinguished-name format found in X.509 certificates.

5c.6 Mapping distinguished names to accounts: the gridmap file
 - Very basic Globus way of mapping a user's distinguished name (DN) to a local account name.
 - Used to give access to accounts via the distinguished name found in the user's certificate.
 - Each user entry in the file takes the form:
   "Distinguished_name" local_user_account_name

5c.7 Example
"/O=Grid/OU=GlobusTest/OU=simpleCA-coit-grid02.uncc.edu/OU=uncc.edu/CN=student1" student1
 - The distinguished name is given in quotation marks to allow spaces.
 - It must exactly match the way it appears in the user's certificate.
 - GSI uses the gridmap file to establish that the user may access the account.

5c.8 Multiple gridmap files (Fig 5.6; figure not reproduced here)

5c.9 Account privileges
 - Gridmap files are often compared to access control lists, but they provide only blanket access: a DN is either mapped to an account or it is not.
 - They do not express specific types of access (levels of permission, read/write/execute, group memberships, etc.).
 - A user's access privileges derive from the local system's own access control list.
 - Generally a more powerful mechanism is needed to control the type of access; see next.
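The two-stage decision the slides describe, a gridmap lookup that yields an account (or nothing) followed by the local system's own ACL deciding read/write/execute, as an added Python example. This is not Globus code; the gridmap entries, file path, group membership and file modes are constructed for illustration.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed gridmap file in Globus syntax: a quoted distinguished name,
# whitespace, then one or more comma-separated local account names.
# '#' lines are comments. Example data only; not taken from a real host.
SAMPLE_GRIDMAP = """
# gridmap for a hypothetical host grid02.uncc.edu
"/O=Grid/OU=GlobusTest/OU=simpleCA-coit-grid02.uncc.edu/OU=uncc.edu/CN=student1" student1
"/O=Grid/OU=GlobusTest/OU=simpleCA-coit-grid02.uncc.edu/OU=uncc.edu/CN=student2" student2,gridusers
"""

# Stand-in for the host's own access control list (Linux-style owner/group/mode).
# The gridmap carries none of this; it only says which account a DN may use.
LOCAL_ACL = {
    "/data/project1/results.dat": {"owner": "student1", "group": "gridusers", "mode": 0o640},
}
LOCAL_GROUPS = {"gridusers": {"student1", "student2"}}   # /etc/group stand-in


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse gridmap text into {DN: [local accounts]}; rejects malformed lines."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours the quotes around a DN with spaces
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"gridmap line {lineno}: expected a quoted DN then account[,account...]")
        dn, accounts = parts
        # A DN may appear on several lines; accumulate every account it may use.
        mapping.setdefault(dn, []).extend(a for a in accounts.split(",") if a)
    return mapping


def map_dn(mapping: Dict[str, List[str]], dn: str, requested: Optional[str] = None) -> Optional[str]:
    """Blanket decision: which local account (if any) this exact DN may use.
    The comparison is an exact string match, as the slides require; nothing is normalised."""
    accounts = mapping.get(dn)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]                 # first listed account is the default
    return requested if requested in accounts else None


def acl_allows(account: str, path: str, op: str) -> bool:
    """Type-of-access decision made by the local system, not by the gridmap."""
    entry = LOCAL_ACL.get(path)
    if entry is None:
        return False
    bit = {"r": 4, "w": 2, "x": 1}[op]
    mode = entry["mode"]
    if account == entry["owner"]:
        return bool((mode >> 6) & bit)
    if account in LOCAL_GROUPS.get(entry["group"], set()):
        return bool((mode >> 3) & bit)
    return bool(mode & bit)


def authorize(mapping: Dict[str, List[str]], dn: str, path: str, op: str,
              requested: Optional[str] = None) -> Tuple[Optional[str], bool]:
    """Stage 1: gridmap maps DN -> account. Stage 2: local ACL decides r/w/x."""
    account = map_dn(mapping, dn, requested)
    if account is None:
        return None, False                 # unknown DN: no account, hence no access
    return account, acl_allows(account, path, op)


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    dn2 = "/O=Grid/OU=GlobusTest/OU=simpleCA-coit-grid02.uncc.edu/OU=uncc.edu/CN=student2"
    print(authorize(gm, dn2, "/data/project1/results.dat", "r"))   # ('student2', True)
    print(authorize(gm, dn2, "/data/project1/results.dat", "w"))   # ('student2', False)
```

Note what the gridmap stage never answers: student2 is admitted to the host, but whether student2 may write results.dat is decided entirely by the local mode bits. A DN that differs from the certificate by a single character (even in case) is not mapped at all, which is the "difficult to maintain" problem the next slide asks about.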

5c.10 Question
What is a disadvantage of using gridmap files for access control? (May be more than one)
 (a) It is difficult to maintain for large grids
 (b) It does not apply fine-grain access control
 (c) It is difficult to verify user credentials
 (d) It is difficult to map distinguished names to local accounts
 (e) It is difficult to maintain in a dynamically changing virtual organization

5c.11 Security Assertion Markup Language (SAML)
 - An XML language for making "assertions" used in authentication and authorization decisions, together with a request-response protocol for exchanging such assertions.
 - Developed by OASIS to facilitate the exchange of security information between business partners, in particular to obtain single sign-on (SSO) for Web users.
 - Addresses the situation where a user accesses a Web site and, after being authenticated there, has the request redirected to another affiliated site, e.g. travel bookings and automobile reservations.
 - Has been applied in Grid computing.

5c.12 SAML components for Web site redirection (figure not reproduced here)

5c.13 SAML components
SAML provides for the communication of user authentication, authorization and attribute information. Three components:
 - Assertions: the information being communicated.
 - Protocol: the way message exchanges are done (request and response messages).
 - Bindings: the mapping of protocol messages onto concrete transports, e.g. SOAP exchanges, usually carried over HTTP.
Three forms of assertion statement:
 - Authentication statements
 - Attribute statements
 - Authorization decision statements

5c.14 Assertion statements
 - Authentication statements: confirm to the service provider that the subject (the user) was authenticated by the issuer, and when and by what means.
 - Attribute statements: provide specific information about the user from which the service provider can make its own access decisions. Attributes might, for example, indicate that a user is an administrator (root privileges) or has limited user privileges.
 - Authorization decision statements: state that the subject is permitted (or denied) to perform a specified action on a specified resource.
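The three statement types above assembled into one SAML 2.0 assertion, then checked the way a relying party (service provider) must check an assertion before acting on it: trusted issuer, validity window with clock skew, intended audience, and only then the subject, attributes and authorization decision. This is an added Python example, not code from the slides or from any SAML toolkit; the issuer and audience URLs, subject DN, attribute names, resource URI and timestamps are constructed. Verification of the XML signature over the assertion, which a real relying party must do before any of these checks, is assumed to have been done by an XMLDSig library and is not shown.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)


def q(tag: str) -> str:               # Clark-notation name in the SAML 2.0 namespace
    return f"{{{SAML}}}{tag}"


def fmt(t: datetime) -> str:          # SAML timestamps are UTC xsd:dateTime values
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class SamlRejected(Exception):
    """Raised when an assertion must not be relied upon."""


def build_assertion(issuer, subject_dn, audience, attributes, authz, not_before, lifetime_s=300) -> str:
    """Emit one assertion carrying all three statement types from the slides."""
    a = ET.Element(q("Assertion"), {"Version": "2.0", "ID": "_" + uuid.uuid4().hex,
                                     "IssueInstant": fmt(not_before)})
    ET.SubElement(a, q("Issuer")).text = issuer
    subj = ET.SubElement(a, q("Subject"))
    ET.SubElement(subj, q("NameID"),
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"}).text = subject_dn
    cond = ET.SubElement(a, q("Conditions"), {"NotBefore": fmt(not_before),
                                              "NotOnOrAfter": fmt(not_before + timedelta(seconds=lifetime_s))})
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = audience
    # Authentication statement: the subject authenticated, when, and by what means.
    authn = ET.SubElement(a, q("AuthnStatement"), {"AuthnInstant": fmt(not_before)})
    ET.SubElement(ET.SubElement(authn, q("AuthnContext")), q("AuthnContextClassRef")).text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
    # Attribute statement: facts about the subject for the relying party's own policy.
    st = ET.SubElement(a, q("AttributeStatement"))
    for name, values in attributes.items():
        at = ET.SubElement(st, q("Attribute"), {"Name": name})
        for v in values:
            ET.SubElement(at, q("AttributeValue")).text = v
    # Authorization decision statement: subject may (or may not) do action X on resource Y.
    for resource, decision, actions in authz:
        d = ET.SubElement(a, q("AuthzDecisionStatement"), {"Resource": resource, "Decision": decision})
        for act in actions:
            ET.SubElement(d, q("Action"), {"Namespace": "urn:oasis:names:tc:SAML:1.0:action:rwedc"}).text = act
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml_text, trusted_issuers, my_audience, now, skew_s=60) -> dict:
    """Checks a relying party makes before acting on an assertion whose signature
    has already been verified (signature verification is assumed, not done here)."""
    root = ET.fromstring(xml_text)        # use defusedxml for untrusted input in production
    if root.tag != q("Assertion") or root.get("Version") != "2.0":
        raise SamlRejected("not a SAML 2.0 assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise SamlRejected(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise SamlRejected("missing Conditions / validity window")
    nb, noa = parse_time(cond.get("NotBefore")), parse_time(cond.get("NotOnOrAfter"))
    skew = timedelta(seconds=skew_s)
    if now < nb - skew or now >= noa + skew:
        raise SamlRejected("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and my_audience not in audiences:
        raise SamlRejected("assertion was issued for a different audience")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    decisions = [{"resource": d.get("Resource"), "decision": d.get("Decision"),
                  "actions": [x.text for x in d.findall("saml:Action", NS)]}
                 for d in root.findall("saml:AuthzDecisionStatement", NS)]
    return {"issuer": issuer,
            "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "authn_context": root.findtext(
                "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
            "attributes": attrs, "decisions": decisions}


ISSUE_TIME = datetime(2008, 10, 23, 14, 0, 0, tzinfo=timezone.utc)   # constructed timestamp


def demo(offset_s=60, audience="https://gateway.example/sp", trusted=("https://idp.example/idp",)) -> dict:
    """Build an assertion for a hypothetical IdP and SP, then validate it at ISSUE_TIME + offset."""
    xml_text = build_assertion(
        issuer="https://idp.example/idp",
        subject_dn="/O=Grid/OU=GlobusTest/OU=uncc.edu/CN=student1",
        audience="https://gateway.example/sp",
        attributes={"eduPersonAffiliation": ["student"]},
        authz=[("gridftp://grid02.example/data/project1", "Permit", ["Read"])],
        not_before=ISSUE_TIME)
    return validate_assertion(xml_text, set(trusted), audience, now=ISSUE_TIME + timedelta(seconds=offset_s))
```

The order of checks matters: issuer, time window and audience are rejected before any attribute or decision is read, so a stale or re-targeted assertion never reaches the policy code. An AuthzDecisionStatement from an untrusted issuer is worth nothing, and one issued for a different audience could be replayed against this service if the audience check were skipped.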

5c.15 Community Authorization Service (CAS)
 - Developed to provide an authorization service in a Globus environment that uses proxy certificates.
 - Part of Globus Toolkit 4.
 - The CAS server issues the user a proxy certificate that carries authorization assertions, inserted as a non-critical X.509 extension of the certificate.
 - The assertions are now expressed in SAML (they were not originally).
 - Because the extension is non-critical, the proxy certificate can still be processed by existing software that does not understand CAS.

5c.16 CAS structure (figure not reproduced here)