- CAS - Role-based Auth (25mar03 - UCSD) Using CAS to Manage Role-Based VO Sub-Groups Shane Canon (LBNL), Steve Chan (LBNL), Doug.

Using CAS to Manage Role-Based VO Sub-Groups
Shane Canon (LBNL), Steve Chan (LBNL), Doug Olson (LBNL), Laura Pearlman (ISI), Craig Tull (LBNL), Von Welch (ANL)
CHEP, March 25, 2003, UCSD - La Jolla, CA

Outline
- Introduction and Motivation
  - CAS Overview & Architecture
  - Rights Granularity
- Prototype Project Description
  - Goal of Prototype
  - Installation & Setup
  - Execution & Use
- Summary, Analysis, and Conclusion
  - Suitability of CAS
  - Future Plans

A Quick Refresher
Grid Security Infrastructure (GSI) =
- X.509 (PKI certificate format)*
- + proxy certificates (single sign-on & delegation)
- + TLS/SSL (authentication & msg protection)*
- + delegation protocol (remote delegation)
* = Existing IETF standards; the others are GGF & IETF drafts.
A (X.509) proxy certificate is used by an entity to delegate all or part of its own authority.

Community Authorization Service
- CAS is the authorization product of the Globus project.
- In the CAS model, resource providers grant access to blocks of resources to a community as a whole, and the community uses a CAS server to perform fine-grained access control on those resources.
- Resource providers grant coarse-grained access to communities.
- Communities run CAS servers, which keep track of fine-grained access control information and grant restricted proxies to community members.
- The result is that a CAS user gets the intersection of the rights granted by the resource provider to the community and the rights granted by the community to that user.

CAS Architecture in action
[Figure: the user's normal proxy is passed to cas-proxy-init, which sends a request to the CAS Server (CAS DB of Users, Objects, Rights) and receives a proxy w/CAS assertion in the response; an unmodified gridftp client presents that proxy to the gridftp server (modified to do CAS authorization), whose Authorization Libraries evaluate the assertion. Figure labels: User, CAS Server, Gridftp Server, Request, Response, Assertion, Query, Response.]

CAS Proxy Format
Usual user proxy information:
  DN: /C=US/CN=Some User/Proxy
  Issuer: /C=US/CN=Some User
  Expires: 11am March 26, 2003
  Signature: 76A97…
  …
Non-critical extension: Assertion
  Issuer: /C=US/CN=VO CAS
  Signature: 76BE3…
  (List of Object – Right)
    /VO/Admingroup   Member
    /foo.edu/file    Read

Rights granularity
Typical granularity of Grid rights architecture addresses 2 levels:
- Individual - immutable
- VO - 100s-1000s of individuals (entire experiment)
Experiments have intermediate granularities:
- Groups - Detector or Physics groups
- Roles - One or more individuals fulfilling a single role. Individuals may change over time. E.g.: Release Coordinator, Production Manager, etc.

Goal of Project
PPDG Project to test Globus Community Authorization Service
- Standard usage of CAS
  - Access to file resources (via GSIFTP)
- Extension of CAS Resource Authorization
  - Define Roles as Resource
  - Demonstrate 1 individual (1 DN) assuming multiple different roles
  - Demonstrate multiple individuals (different DNs) assuming the same role
  - Demonstrate individual divesting role(s)

Policy Granularity: Groups vs Capabilities
- Capability assertion: Expresses right completely ("User can access resource (e.g. file, CPU) X").
- Group assertion: Expresses an attribute ("User is in group Y"). Must be converted to a right by local policy ("Group Y can access resource X").
[Figure: the group assertion is evaluated at the Local Domain Policy Enforcement point, which applies Local Policy before granting access to Resource X.]

Testbed Setup
Three nodes: pdsfgrid3, globicus, globzilla
- CAS server: pdsfgrid3
- Client: globzilla/globicus
- Grid FTP server with CAS extensions: globicus
  - Ran on alternate port
  - Verified that IP filters and hosts.allow were correct
[Figure: Grid3 (CAS server), Globzilla (Client), Globicus (GridFTP server).]

CAS as a Role Manager
- Installed patched version of CAS-enabled FTP server
- Add the action "group" and the service "member" into the CAS database
- Create objects for the various groups/roles
- Grant member privileges to members of the various groups/roles
- Users request specific capabilities from the CAS server to determine role

CAS Authorization for Groups
[Figure: the Gridftp server's Authorization Libraries consult a group map file and the grid-mapfile.]
1. Parse assertion (yields list of groups)
2. Map group to local accounts (group map file: Group name -> Account)
3. Make sure CAS can legally map to local account (grid-mapfile: CAS DN -> Accounts)

Changes to Gridftp server
- Normal gridftp server checks grid-mapfile to determine local account
- Modified gridftp server to check for CAS assertion
  - If present, check for group memberships
    - If present, check for group memberships in local mapping file
      - If present, check legality and use group mapping instead of grid-mapfile
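The three mapping steps above, together with the intersection rule from the Community Authorization Service slide, as an added example (not code from the CAS project or from this presentation). The assertion, group map file, CAS-to-account table, grid-mapfile and site grant are constructed samples whose formats are assumptions modelled on the slide text.

```python
from fnmatch import fnmatchcase

# Constructed sample assertion, modelled on the "CAS Proxy Format" slide:
# issuer DN of the VO's CAS server plus a list of (object, right) pairs.
ASSERTION = {
    "issuer": "/C=US/CN=VO CAS",
    "rights": [("/VO/Admingroup", "Member"),
               ("ftp://pdsfgrid3.nersc.gov/*", "Read")],
}
# Constructed site policy: the coarse-grained grant the resource provider
# made to the community, keyed by the community's CAS DN.
COMMUNITY_GRANTS = {
    "/C=US/CN=VO CAS": [("ftp://pdsfgrid3.nersc.gov/atlas/*", "Read")],
}
# Constructed group map file: CAS group object -> local account.
GROUP_MAP = {"/VO/Admingroup": "atlasadm", "/VO/Datagroup": "atlasdata"}
# Constructed table of accounts each CAS DN may legally be mapped to.
CAS_ACCOUNTS = {"/C=US/CN=VO CAS": {"atlasadm", "atlasdata"}}
# Constructed grid-mapfile: individual user DN -> local account (fallback).
GRID_MAPFILE = {"/C=US/CN=Some User": "someuser"}

def groups_in(assertion):
    """Step 1: parse the assertion and extract the group memberships."""
    return [obj for obj, right in assertion["rights"] if right == "Member"]

def local_account(user_dn, assertion=None):
    """Pick the local account the way the modified server does: use the
    group mapping when a legal CAS assertion is present, else grid-mapfile."""
    if assertion is not None:
        for group in groups_in(assertion):
            account = GROUP_MAP.get(group)           # step 2: group -> account
            if account is None:
                continue
            # step 3: the issuing CAS must be allowed to map to this account
            if account in CAS_ACCOUNTS.get(assertion["issuer"], set()):
                return account
    return GRID_MAPFILE.get(user_dn)

def _granted(pairs, url, right):
    """True if some (object, right) pair covers url; objects may be wildcards."""
    return any(r == right and fnmatchcase(url, obj) for obj, r in pairs)

def effective_right(assertion, url, right="Read"):
    """Intersection rule: the user holds a right only if the provider granted
    it to the community AND the community's CAS granted it to the user."""
    community = COMMUNITY_GRANTS.get(assertion["issuer"], [])
    return _granted(community, url, right) and _granted(assertion["rights"], url, right)
```

An assertion from a CAS DN that is not in the CAS-to-account table falls through to the grid-mapfile, and a wildcard the CAS granted outside the provider's grant yields no effective right.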

CASGUI
[Screenshot: CASGUI showing Privilege Groups and a User with permissions.]

CASGUI
[Screenshot: CASGUI User List and User Details (e.g. Cred), showing the atlas-data Role and the atlas-admin Role.]

Prototype Experience
- Extends standard CAS installation, which is well documented although involved.
- Installation was straightforward, even without a full GPT package.
- A sample CAS script to create objects would simplify things for first-timers.
- Some minor bugs found in CAS tools. Corrections are being sent to developers.

CAS User Session
Initialize Grid certificate:
  % grid-proxy-init
  Your identity: /O=doesciencegrid.org/OU=People/CN=Craig E. Tull
  Enter GRID pass phrase for this identity:
  Creating proxy ... Done
  Your proxy is valid until Wed Mar 19 20:30:
Initialize 1 CAS certificate for each Role:
  % cas-proxy-init tull
  % cas-proxy-init -f admin admin
  % cas-proxy-init -f data data
  # file containing Role privileges:
  group member atlas/admin wildcard
  file read ftp://pdsfgrid3.nersc.gov/* wildcard
Use Role Tag to connect:
  % cas-wrap data gsincftp -P 2813 pdsfgrid3
  # "data" is the Role Tag; "gsincftp -P 2813 pdsfgrid3" is the command to wrap
  NcFTP (April 15, 2001) by Mike Gleason
  Connecting to pdsfgrid3.nersc.gov
  FTP server (GridFTP Server CAS enabled [GSI patch v0.5] wu-2.6.2(2) Wed Mar 5 17:42:41 PST 2003) ready.

Lessons Learned
- Feature in CAS DB to allow for easy definition of different objects and actions works as planned.
- Current CAS authorization API needs extensions to easily handle mapping of user to local accounts and/or groups.
  - Currently allows for queries of type "Is user in group X?"
  - Need to allow for "What account should user be in?", "What groups should user be in?"
  - User may also specify an account, leading to query of form "Can user access account Y?"

Future Plans
- Mainline CHEP demo code into CAS? Von - This is a question for you.
- Extend Globus Gatekeeper for Job Submission
  - Similar code extension to that for FTP server.
- Standardize service assertion format.
  - This would allow a single Grid FTP server or Gatekeeper for CAS and other, similar tools (e.g. VOMS).
- Exploration of CAS/Akenti cooperation
  - Akenti for local resource authorization
  - CAS for global (e.g. VO-wide) individual and role-based authorization

END OF PRESENTATION