> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

Slides:



Advertisements
Similar presentations
Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
 Contributing >30% of throughput to ATLAS and CMS in Worldwide LHC Computing Grid  Reliant on production and advanced networking from ESNET, LHCNET and.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Authz work in GGF David Chadwick
Globus 4 Guy Warner NeSC Training.
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
Grid Resource Allocation and Management (GRAM) Execution management Execution management –Deployment, scheduling and monitoring Community Scheduler Framework.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
PanDA Multi-User Pilot Jobs Maxim Potekhin Brookhaven National Laboratory Open Science Grid WLCG GDB Meeting CERN March 11, 2009.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.
May 11, 20091/17 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting May 11, 2009 Gabriele Garzoglio.
Jan 10, 20091/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Jan 10, 2009 Gabriele Garzoglio.
Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.
March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/18 Status of the Adoption of a SAML-XACML Profile.
Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.
Mine Altunay July 30, 2007 Security and Privacy in OSG.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.
INFSO-RI Enabling Grids for E-sciencE OSG-LCG Interoperability Activity Author: Laurence Field (CERN)
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep et al. NIKHEF.
INFSO-RI Enabling Grids for E-sciencE EGEE Security Joni Hahkala, UH-HIP On behalf of JRA3 JRA1 AH March 22-24, 2006.
Oct 19, 20101/16 Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware in OSG and EGEE CHEP 2010 Oct 19, 2010 Gabriele.
VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring.
OSG AuthZ components Dane Skow Gabriele Carcassi.
EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
Jun 12, 20071/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio AuthZ Interoperability Status and Plans June 12, 2007 Middleware Security.
AstroGrid-D Meeting MPE Garching, M. Braun VO Management.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
Sep 25, 20071/5 Grid Services Activities on Security Gabriele Garzoglio Grid Services Activities on Security Gabriele Garzoglio Computing Division, Fermilab.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML interoperability Oscar Koeroo.
INFSO-RI Enabling Grids for E-sciencE AuthZ Interop: A common XACML Profile ( Bonus material about the implementation) Oscar Koeroo.
INFSO-RI Enabling Grids for E-sciencE AuthZ Interop: A common XACML Profile and its current implementation Oscar Koeroo.
Sep 17, 20081/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Sep 17, 2008 Gabriele Garzoglio.
VOX Project Status T. Levshina. 5/7/2003LCG SEC meetings2 Goals, team and collaborators Purpose: To facilitate the remote participation of US based physicists.
Feb 15, 20071/6 OSG EB Meeting – VO Services Status Gabriele Garzoglio VO Services Status OSG EB Meeting Feb 15, 2007 Gabriele Garzoglio, Fermilab.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
LCG Pilot Jobs + glexec John Gordon, STFC-RAL GDB 7 December 2007.
OSG Status and Rob Gardner University of Chicago US ATLAS Tier2 Meeting Harvard University, August 17-18, 2006.
Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February gPLAZMA:
Open Science Grid Consortium Storage on Open Science Grid Placing, Using and Retrieving Data on OSG Resources Abhishek Singh Rana OSG Users Meeting July.
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
INFSO-RI Enabling Grids for E-sciencE SCAS Progress Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus: command line usage and banning Christoph.
Argus EMI Authorization Integration
f f FermiGrid – Site AuthoriZation (SAZ) Service
AuthZ Interop report out
Overview OSG & EGEE Authorization Models
Presentation transcript:

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk

> > Participants >EGEE >VO Services (‘Privilege’) Project >Globus >Condor >VDT (OSG) Joint development and definition effort 2007 until early 2009 In production phase as of mid 2008 Institutes: ANL, BCCS, BNL, FNAL, INFN, Nikhef, Switch, UvA, UWMadison April The Authz-Interop Collaboration

> > What did we start with? >GUMS and PRIMA using proprietary SAML1 based protocol >SAZ (authorization service) >GT3, GT4 ‘authz callout’ for PRIMA by Markus Lorch >LCAS/LCMAPS >gLExec >gPlazma Not only used GUMS and the ‘EGEE’ a different logical model of dealing with attributes and authorization (local VOMS dumps vs. VOMS attribute push) Also, the services build in one ecosystem (e.g. ‘EGEE’) could not be used in the other (‘OSG’) → hacks and double work April 2009The Authz-Interop Collaboration 3

> > AuthZ Components Legend VO Management Services Grid Site SCAS Site Services CE Gatekeeper SCAS Clnt. Is Auth? ID Map? Yes / No UID/GID SE SRM gPlazma VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy WN gLExec SCAS Clnt. Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 6 6 Schedule Pilot OR Job 7 Pilot SU Job (UID/GID) 8 VO PDP PEPs Original (interim) EGEE scenario plan April

> > Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma ID Mapping? Yes / No + UserName VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy synch WN gLExec Prima Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 8 8 Schedule Pilot OR Job 9 Pilot SU Job (UID/GID) 10 VO The Aut hz- Inte rop Coll abo rati on PDP PEPs AuthZ Components Legend Not Officially In OSG VO Management Services OSG Authorization Infrastructure A Common Protocol for OSG and EGEE integrated with the GT April

> > Aims of the authz-interop project >Provide interoperability within the authorization infrastructures of OSG, EGEE, Globus and Condor Through >Common communication protocol >Common attribute and obligation definition >Common semantics and actual interoperation of production system So that services can use either framework and be used in both infrastructures April The Authz-Interop Collaboration

> > Two Elements for interop >Common communications profile >Agreed on use of SAML2-XACML2 > >Common attributes and obligations profile >List and semantics of attrbutes sent and obligations received between a ‘PEP’ and ‘PDP’ >Now at version 1.1 > > April 2009The Authz-Interop Collaboration 7

> > >Existing standards: >XACML defines the XML-structures that are exchanged with the PDP to communicate the security context and the rendered authorization decision. >SAML defines the on-the-wire messages that envelope XACML's PDP conversation. >The Authorization Interoperability profile augments those standards: >standardize names, values and semantics for common-obligations and core-attributes such that our applications, PDP- implementations and policy do interoperate. PDP Site Services CE / SE / WN Gateway PEP XACML Request XACML Response Grid Site Subject S requests to perform Action A on Resource R within Environment E Decision Permit, but must fulfill Obligation O April Profile in a nutshell The Authz-Interop Collaboration

> An XACML AuthZ Interop Profile >Authorization Interoperability Profile based on the SAML v2 profile of XACML v2 >Result of a 1yr collaboration between OSG, EGEE, Globus, and Condor >Releases: v1.1  10/09/08 v1.0  05/16/08 Slide _ 9 The Authz-Interop Collaboration

> > Structure of the AuthZ Interop Profile >Subject: /subject/ >Action: /action/ >Resource: /resource/ >Environment: /environment/ Obligation Attribute Identifiers ObligationId: /obligation/ AttributeId: /attributes/ Namespace prefix: Request Attribute Identifiers April The Authz-Interop Collaboration

> > Most Common Request attributes >Subject (see profile doc for full list) >Subject-X509-id String: OpenSSL DN notation >Subject-VO String: “CMS” >VOMS-FQAN String: “/CMS/VO-Admin” >Resource (see doc for full list) >Resource-id (enum type) CE / SE / WN >Resource X509 Service Certificate Subject resource-x509-id >Host DNS Name Dns-host-name >Action > Action-id (enum type) Queue / Execute-Now / Access (file) > Res. Spec. Lang. RSL string >Environment > PEP-PDP capability negot. PEP sends to PDP supported Obligations Enables upgrading of the PEPs and PDPs independently > Pilot Job context (pull-WMS) Pilot job invoker identity Policy statement example: “User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO” April see document for all attributes and obligations The Authz-Interop Collaboration

> > Most Common Obligation Attributes >UIDGID >UID (integer): Unix User ID local to the PEP >GID (integer): Unix Group ID local to the PEP >Secondary GIDs >GID (integer): Unix Group ID local to the PEP (Multi recurrence) >Username >Username (string): Unix username or account name local to the PEP. >Path restriction > RootPath (string): a sub-tree of the FS at the PEP > HomePath (string): path to user home area (relative to RootPath) >Storage Priority > Priority (integer): priority to access storage resources. >Access permissions > Access-Permissions (string): “read-only”, “read-write” April see document for all attributes and obligations The Authz-Interop Collaboration

> > Full interoperability April 2009The Authz-Interop Collaboration 13

> > What has been achieved now >All profiles written and implemented >Common libraries available in Java and C implementing the communications protocol >Common handlers for Joint Interoperable Attribute and Obligations >Integrated in all relevant middleware in EGEE and OSG: >Clients: lcg-CE (via LCMAPS scasclient), CREAM and gLExec (ditto), GT pre-WS gram (both prima and LCMAPS), GT GridFTP, GT4.2 WS-GRAM, dCache/SRM >Servers: GUMS, SCAS >Other (lower-prio) components in progress >SAZ, RFT, GT4.x native-AuthZ, Condor (& -G), BeStMan April 2009The Authz-Interop Collaboration 14

> > OSG Integration Test Results April 2009The Authz-Interop Collaboration 15 ComponentTest PDP Component Old GUMSNew GUMSSCAS WS-Gatekeeper (Out of Scope) Test call-out component NOYES Run job w/o Delegation or File TransferNOYES out of scope Run job with Delegation and File TransferNOYES out of scope SCAS / PRIMA cmd line tool (OOS) AuthZ call via Legacy protocol call-outYES NO AuthZ call via XACML protocol call-outNOYES Pre-WS Gatekeeper (VTB-TESTED) Run job. AuthZ via Legacy protocolYES NO Run job. AuthZ via XACML protocolNOYES GridFTP (VTB-TESTED) Transfer file. AuthZ via Legacy protocolYES NO Transfer file. AuthZ via XACML protocolNOYES gLExec (REL. Jan 20) Run pilot job. AuthZ via Legacy protocolYES NO Run pilot job. AuthZ via XACML protocolNOYES SRM/dCache gPlazma (REL. Jan 20) Transfer file. AuthZ via Legacy protocolYES NO Transfer file. AuthZ via XACML protocolNOYES

> > Latest news >dCache v has been released this week. Pre-release tests have been conducted successfully against GUMS and SCAS. Will be the recommended release in a few months! >What are the EGEE deployment plans? >Development of native authz XACML call-out module for GridFTP: tests with the Globus Toolkit call-out module for authorization speaking the interop protocol start this week April 2009The Authz-Interop Collaboration 16

> > What next? Keeping interop (in ‘maintenance mode’) is most important! >Continued software support from contributing partners >Interdependency in timing between OSG and GT may lead to Catch-22 in prioritizing native GT4.2 implementation >Support in Delegation Service and RTF is needed for full production, and before existing legacy solutions can be phased out >Continued close coordination on the specification of the Authorization Profile. New uses cases must be coordinated and no ‘proprietary’ extensions should added, as that breaks the interop. Continuous communations and coordination remains essential. April 2009The Authz-Interop Collaboration 17

> > Conclusions >EGEE, OSG, Globus, and Condor have collaborated since Feb 2007 on an Authorization Interoperability profile and implementation >Interoperability is achieved through an AuthZ Interop Profile, based on the SAML v2 profile of XACML v2 >Call-out module implementations are integrated with major Resource Gateways >The major advantages of the infrastructure are: >Software developed in the US or EU can seamlessly be deployed in the EU or US security infrastructures >Software groups in EGEE and OSG can share and reuse common code >Production deployments in OSG and EGEE April 2009The Authz-Interop Collaboration 18

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.