Supporting further and higher education The Akenti Authorisation System Alan Robiette, JISC Development Group.
4 Dec 2002, Managing Access to Grid Resources

Overview
- What is Akenti?
- What are its key design goals?
- How does it achieve these?
- Who uses it?
- How can it be deployed in Grid contexts?
- References for further reading

Origins of Akenti
- Developed at Lawrence Berkeley National Laboratory
- Designed to address complex authorisation problems involving multiple administrative domains and multiple stakeholders
- Assumes a public-key environment (identity certs, digital signatures etc.)
- First announced in 1998, considerably enhanced since that time

Goals of Akenti (1)
- To reflect accurately the access control policies (authority, and delegation of authority) present in real environments
- To achieve the same level of expressiveness in access control as a human controller would be able to

Goals of Akenti (2)
At a more detailed level, Akenti aims to
- Allow each stakeholder to impose its access control requirements independently of other stakeholders
- Provide for changes in stakeholder requirements to take immediate effect
- Support high standards of integrity and non-repudiation in the expression and enforcement of access control requirements

How does Akenti work?
- Akenti is based on digitally signed assertions (of four types)
- Authentication is via standard X.509 identity certificates
- Authorisation involves three further types of signed certificate defined by Akenti
  – Policy certificates
  – User attribute certificates
  – Resource use-condition certificates
  – N.B. These three types are formulated in XML, not in X.509 format

High level diagram (figure not reproduced in the transcript)

Policy certificates
- One per resource
- But resources can be hierarchical (useful for tree-structured file systems)
- Contain
  – Name of resource
  – List of trusted CAs
  – Names of stakeholders (or groups)
  – Optional list of attribute cert locations
- Signed by a stakeholder (i.e. effectively self-signed: it is the starting point of trust for the resource rather than something chained to a CA, so it must be stored securely)

Use-condition certificates
- Apply to resources
- Each stakeholder must supply at least one use-condition cert
- These contain
  – Conditions: Boolean expressions defining the user attributes needed
  – The signing authority for the attribute certs to be matched against these conditions
  – Rights: a list of possible actions applying to the resource

Example conditions
- Components of the user's identity certificate, e.g. CN=, O=, OU= etc.
- Additional parameters defined in the policy cert and contained in user attribute certs, e.g. role or group membership
- Environmental parameters, e.g. time of day, system load

User attribute certificates
These contain
- The identity of the user to whom the attribute cert applies (and the name of the issuer of this identity)
- An attribute-value pair defining the attribute which this certificate expresses
- A digital signature by the person or authority who asserts that the subject of the certificate possesses the defined attribute

Akenti in use
- The user requests access to the resource and is first authenticated
- Then
  – The resource gateway contacts Akenti
  – Akenti locates the policy certificate
  – Akenti collects the resource's use-condition certs and the user's attribute certs (possibly from multiple locations)
  – The Akenti policy engine makes the access control decision
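The slides above describe three signed certificate types and the decision flow that consumes them, but not what the policy engine actually has to check. The following is an added example, written for this page and not Akenti's own code or certificate format; it models the flow in Python with a deliberately small policy engine. Assumptions: per-issuer HMAC keys stand in for the X.509/XML signatures of the real system; conditions are Python callables over a set of (attribute, value) pairs plus an environment dict; and every stakeholder listed in the policy certificate must independently grant the requested right through one of its validly signed use-conditions (a simplification of Akenti's rules). All names, resources, issuers and attribute certs are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Assumption: HMAC keys per issuer stand in for the private keys behind the real
# system's digital signatures; they are held here only so verify() runs offline.
KEYS: Dict[str, bytes] = {
    "lbl-resource-admin": b"key-admin",      # stakeholder 1, signs the policy cert
    "combustion-data-owner": b"key-owner",   # stakeholder 2
    "lbl-hr": b"key-hr",                     # attribute authority trusted by stakeholder 1
    "random-web-site": b"key-rogue",         # an issuer that no use-condition names
}

def sign(issuer: str, payload: str) -> str:
    return hmac.new(KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()

def verify(issuer: str, payload: str, signature: str) -> bool:
    return issuer in KEYS and hmac.compare_digest(sign(issuer, payload), signature)

@dataclass
class Identity:                 # what the gateway learned from the X.509 identity cert
    dn: str
    issuer_ca: str

@dataclass
class PolicyCert:               # one per resource, signed by a stakeholder
    resource: str
    trusted_cas: List[str]
    stakeholders: List[str]
    issuer: str
    signature: str = ""
    def payload(self) -> str:
        return "|".join(["policy", self.resource, ",".join(self.trusted_cas),
                         ",".join(self.stakeholders), self.issuer])

@dataclass
class UseCondition:             # one stakeholder's requirement on the resource
    resource: str
    issuer: str
    attr_authorities: List[str]  # whose attribute certs may satisfy this condition
    condition_text: str          # the signed, human-readable form of the condition
    condition: Callable[[Set[Tuple[str, str]], Dict[str, int]], bool]
    rights: List[str]
    signature: str = ""
    def payload(self) -> str:
        return "|".join(["usecond", self.resource, self.issuer, ",".join(self.attr_authorities),
                         self.condition_text, ",".join(self.rights)])

@dataclass
class AttributeCert:            # asserts one attribute-value pair about one subject
    subject_dn: str
    subject_ca: str
    attribute: str
    value: str
    issuer: str
    signature: str = ""
    def payload(self) -> str:
        return "|".join(["attr", self.subject_dn, self.subject_ca,
                         self.attribute, self.value, self.issuer])

def issue(cert):
    cert.signature = sign(cert.issuer, cert.payload())
    return cert

def decide(policy: PolicyCert, use_conds: List[UseCondition], attr_certs: List[AttributeCert],
           user: Identity, action: str, env: Dict[str, int]) -> Tuple[bool, str]:
    # 1. The policy cert is the starting point of trust: check signer and signature first.
    if policy.issuer not in policy.stakeholders or not verify(policy.issuer, policy.payload(), policy.signature):
        return False, "policy certificate is not validly signed by a stakeholder"
    # 2. Only identities issued by a CA the policy trusts are considered at all.
    if user.issuer_ca not in policy.trusted_cas:
        return False, f"identity CA '{user.issuer_ca}' is not trusted for {policy.resource}"
    # 3. Keep only attribute certs that are about this user and whose signature verifies.
    usable = [a for a in attr_certs if (a.subject_dn, a.subject_ca) == (user.dn, user.issuer_ca)
              and verify(a.issuer, a.payload(), a.signature)]
    # 4. Each stakeholder must grant the action via one of its validly signed use-conditions.
    for stakeholder in policy.stakeholders:
        conds = [u for u in use_conds if u.issuer == stakeholder and u.resource == policy.resource
                 and verify(u.issuer, u.payload(), u.signature)]
        if not conds:
            return False, f"no valid use-condition from stakeholder '{stakeholder}'"
        granted = False
        for uc in conds:
            # An attribute counts only if its issuer is one this use-condition names.
            attrs = {(a.attribute, a.value) for a in usable if a.issuer in uc.attr_authorities}
            if action in uc.rights and uc.condition(attrs, env):
                granted = True
                break
        if not granted:
            return False, f"stakeholder '{stakeholder}' does not grant '{action}'"
    return True, f"all stakeholders grant '{action}' on {policy.resource}"

def build_sample():
    """Constructed sample data; not taken from any real deployment."""
    policy = issue(PolicyCert("/data/combustion", ["DOEGrids-CA"],
                              ["lbl-resource-admin", "combustion-data-owner"], "lbl-resource-admin"))
    use_conds = [
        issue(UseCondition("/data/combustion", "lbl-resource-admin", ["lbl-hr"],
                           "group=lbl-staff AND 8<=hour<18",
                           lambda a, e: ("group", "lbl-staff") in a and 8 <= e["hour"] < 18,
                           ["read", "write"])),
        issue(UseCondition("/data/combustion", "combustion-data-owner", ["combustion-data-owner"],
                           "role=collaborator", lambda a, e: ("role", "collaborator") in a, ["read"])),
    ]
    alice = Identity("CN=Alice,O=LBNL", "DOEGrids-CA")
    mallory = Identity("CN=Mallory,O=LBNL", "DOEGrids-CA")
    certs = [
        issue(AttributeCert(alice.dn, alice.issuer_ca, "group", "lbl-staff", "lbl-hr")),
        issue(AttributeCert(alice.dn, alice.issuer_ca, "role", "collaborator", "combustion-data-owner")),
        issue(AttributeCert(mallory.dn, mallory.issuer_ca, "group", "lbl-staff", "lbl-hr")),
        # Mallory's "collaborator" role is asserted by an issuer no use-condition trusts
        issue(AttributeCert(mallory.dn, mallory.issuer_ca, "role", "collaborator", "random-web-site")),
        # and a second copy naming the right issuer but carrying Alice's signature (replayed)
        AttributeCert(mallory.dn, mallory.issuer_ca, "role", "collaborator",
                      "combustion-data-owner", signature=""),
    ]
    certs[-1].signature = certs[1].signature
    return policy, use_conds, certs, alice, mallory

def run_scenarios() -> Dict[str, bool]:
    policy, ucs, certs, alice, mallory = build_sample()
    day, night = {"hour": 10}, {"hour": 22}
    outsider = Identity("CN=Alice,O=LBNL", "Self-Signed-CA")
    return {
        "alice_read_day": decide(policy, ucs, certs, alice, "read", day)[0],
        "alice_write_day": decide(policy, ucs, certs, alice, "write", day)[0],    # owner grants read only
        "alice_read_night": decide(policy, ucs, certs, alice, "read", night)[0],  # admin's hours fail
        "mallory_read_day": decide(policy, ucs, certs, mallory, "read", day)[0],  # rogue/replayed attrs
        "outsider_read_day": decide(policy, ucs, certs, outsider, "read", day)[0],  # CA not in policy
    }

if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print(f"{name}: {'GRANT' if granted else 'DENY'}")
```

The two checks worth noticing are the ones the slides imply but do not spell out: an attribute cert is ignored unless its issuer is one the use-condition names (so a self-asserted "collaborator" role buys nothing), and a signature copied from someone else's cert fails because it covers the subject as well as the attribute. Each stakeholder's condition is evaluated on its own, so the data owner can withhold write access even though the resource administrator would allow it.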

High level diagram (figure not reproduced in the transcript)

Usage scenarios
- The Akenti service can be invoked as a function call by a gatekeeper program, e.g. it has been interfaced to the Globus job submission process
- Or, in a web context, access control can be effected via an Apache module, mod_Akenti, which is freely available

Administrative tools
- The Akenti distribution includes graphical user interface tools to create
  – Policy certificates
  – Resource use-condition certificates
  – User attribute certificates
- Once these are created and stored, a web interface allows stakeholders to review the access control scheme

Deployment
- To date most production use has been in US Department of Energy projects
- Akenti has been extensively used by the US DoE Combustion Collaboratory
- It is now being deployed in the US National Fusion Grid (link not reproduced in the transcript)

UK activity
- Two JISC projects funded to gain knowledge and experience of Akenti
  – Manchester Computing + ESNW: use of Akenti to manage access to web-based resources
  – University of Salford: architectural comparison of Akenti and PERMIS
- A further study (Univ of Warwick) will also be benchmarked against Akenti

Conclusions
- Akenti is a comparatively mature and sophisticated authorisation scheme, with
  – Considerable flexibility in access control policies and parameters
  – Implementation hooks for both Globus and web environments
  – A useful-looking toolset
- A possible reservation is that its own "certificates" are not standards-based

References
- Akenti home page (link not reproduced in the transcript); links from there to the project description, documentation, download page etc.
- Akenti papers and presentations
- For a good overview, see in the above publications list "Authorisation Policy in a PKI Environment" [from Proceedings of the 1st Annual NIST Workshop on PKI, Gaithersburg, April 2002]

Questions?