GGF-6 Grid Authorization Concepts. Proposed work item of the Authorization WG. Chicago, IL, Oct 15th 2002. Leon Gommans, Advanced Internet Research Group, University of Amsterdam.

Overview
- Why a "concepts" work item
- Use the RFC 2904 Authorization Framework for sequences and show them with:
  - Example 1: ISO Access Control Framework
  - Example 2: PERMIS Privilege Management Infrastructure
  - Example 3: RFC 2903 Generic AAA Architecture
- Conclusion

Goals of the concepts work item
- There are many authorization mechanisms, and one can think of a number of different classes of differences between them.
- Position current authorization mechanisms in a number of classes and frameworks based on common concepts. Each class may look at a different aspect of authorization, for example: communication of authorization, representation of it, handling of it, securing it, mapping one form of it into another, etc.
- Describe a common set of issues: sequences, protocols, APIs, trust relationships, mappings, interoperability, contractual relationships, binding of AuthN and AuthZ, domains, etc.
- Not intended as a detailed analysis, but it should be adequate to make rough high-level design decisions or comparisons.

Example: RFC 2904 framework
- A framework for authorization communication sequences, roles and functions. Originated from the IRTF AAA Architecture Research Group.
- It could be expanded into the Grid by describing authorization sequences between a number of fundamental functional roles (User, AAA entity, Service, User Home Organization, etc.) and by recognizing more roles and functions.

RFC 2904 Generic AAA Framework basic principles
Three fundamentally different user-initiated authorization sequences between User, AAA entity and Service:
- Pull sequence: the User asks the Service, which asks the AAA entity for the decision (examples: NAS for remote access, RSVP for network QoS).
- Agent sequence: the User asks the AAA entity, which decides and then provisions the Service on the User's behalf (agents, brokers, proxies).
- Push sequence: the User first obtains a credential from the AAA entity and then presents it to the Service (tokens, tickets, attribute certificates, etc.).
Note: RFC 2904 does not show step 5, the actual service access.
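To make the three sequences concrete, here is an added Python simulation (not code from the slides or from RFC 2904) of the pull, agent and push exchanges between a User, an AAA entity and a Service. The message names, the policy table and the MAC-protected token format are assumptions of the example; RFC 2904 describes the message flows, not a token format. The push case shows the check the Service has to do itself: verify the token and bind it to both the presenting user and this particular service.

```python
from dataclasses import dataclass
import hashlib
import hmac

# Constructed key shared by the AAA entity and the Service; it protects the
# push-model token. Assumption of this example: RFC 2904 fixes no token format.
TOKEN_KEY = b"demo-key-shared-by-aaa-and-service"


@dataclass
class AAA:
    """AAA entity: holds the policy (user -> set of services it may use)."""
    policy: dict

    def decide(self, user, service_name, trace):
        trace.append(f"AAA: evaluate {user} -> {service_name}")
        return service_name in self.policy.get(user, set())

    def issue_token(self, user, service_name, trace):
        """Push model step: return a MAC-protected token, or None if denied."""
        if not self.decide(user, service_name, trace):
            trace.append("AAA -> User: deny (no token)")
            return None
        body = f"{user}:{service_name}".encode()
        mac = hmac.new(TOKEN_KEY, body, hashlib.sha256).hexdigest().encode()
        trace.append("AAA -> User: token")
        return body + b"." + mac


@dataclass
class Service:
    """The Service (NAS, bandwidth broker, ...) that enforces the decision."""
    name: str
    aaa: AAA

    def verify_token(self, user, token):
        """Check the MAC, then bind the token to this user and this service."""
        body, _, mac = token.rpartition(b".")
        expected = hmac.new(TOKEN_KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected):
            return False
        holder, _, service_name = body.decode().rpartition(":")
        return holder == user and service_name == self.name


def pull_sequence(user, service, trace):
    """Pull: User -> Service -> AAA -> Service -> User (e.g. NAS, RSVP)."""
    trace.append(f"User -> Service: request {service.name}")
    trace.append("Service -> AAA: authorization request")
    ok = service.aaa.decide(user, service.name, trace)
    trace.append(f"AAA -> Service: {'permit' if ok else 'deny'}")
    trace.append(f"Service -> User: {'granted' if ok else 'rejected'}")
    return ok


def agent_sequence(user, service, trace):
    """Agent: User -> AAA -> Service -> AAA -> User (agents, brokers, proxies)."""
    trace.append(f"User -> AAA: request {service.name}")
    ok = service.aaa.decide(user, service.name, trace)
    if ok:
        trace.append("AAA -> Service: provision")
        trace.append("Service -> AAA: provisioned")
    trace.append(f"AAA -> User: {'permit' if ok else 'deny'}")
    return ok


def push_sequence(user, service, trace, token=None):
    """Push: User -> AAA (obtain token) -> User -> Service (present token)."""
    if token is None:
        trace.append(f"User -> AAA: request token for {service.name}")
        token = service.aaa.issue_token(user, service.name, trace)
        if token is None:
            return False
    trace.append("User -> Service: request + token")
    ok = service.verify_token(user, token)
    trace.append(f"Service -> User: {'granted' if ok else 'rejected'}")
    return ok


def run_all():
    """Run the three sequences for one permitted and one unknown user."""
    aaa = AAA(policy={"alice": {"qos-path"}})   # constructed policy
    qos = Service("qos-path", aaa)
    results, trace = {}, []
    for seq in (pull_sequence, agent_sequence, push_sequence):
        for user in ("alice", "mallory"):
            results[(seq.__name__, user)] = seq(user, qos, trace)
    return results, trace


if __name__ == "__main__":
    decisions, messages = run_all()
    print("\n".join(messages))
    print(decisions)
```

The trace returned by run_all() is the message order of each model; the same AAA decision is reached in all three, what differs is which party talks to the AAA entity and where the Service has to do its own verification.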

"Roaming" scenarios
Separating the user awareness (the User Home Organization) from the Service yields roaming models. Example, the roaming pull model: the User requests the Service at the Service Provider; the Service Provider's AAA entity forwards the authorization request to the User Home Organization's AAA entity (step 3), which returns its decision (step 4); the Service then answers the User.

Distributed services over administrative domains
Distributed services models allow many types and combinations of authorization sequences. (Diagram: a User with an AAA client, the User Home Organization's AAA entity, and Service Providers A and B, each with its own Service and AAA entity.)

Example 1: ISO Access Control Framework
The Initiator's access request passes through the Access Enforcement Function (AEF) on its way to the Target; the AEF asks the Access Decision Function (ADF) for the decision. The dotted boxes (User, AAA, Service) are not defined in the ISO framework, but adding them makes it look like the RFC 2904 pull model when the enforcement function is implemented in the Service box, or like the RFC 2904 agent model when it is implemented in the AAA box: which model you get depends on where you put the AEF.

Example 2: PERMIS. Slides provided by Prof. David Chadwick, IS Institute, University of Salford, UK.

The PERMIS PMI API (source: Dave Chadwick, University of Salford)
Diagram, an instance of the RFC 2904 agent model: the User authenticates to the Authentication Service and submits an access request to the Application Gateway, which acts as the AEF. The AEF presents the access request to the ADF as a decision request; the ADF retrieves the policy and role ACs from LDAP directories and returns the decision, after which the AEF forwards the request to the Target (the Service).

Features
- PERMIS is a policy-driven Role Based Access Control (RBAC) Privilege Management Infrastructure (PMI).
- The policy is written in XML and stored in a policy X.509 attribute certificate (AC) in the local LDAP directory.
- Credentials (roles) are stored in X.509 ACs, which may be widely distributed.
- The Access Control Decision Function (ADF) has three simple calls and a constructor: GetCreds, Decision, Finalise. This increases performance for multiple actions per user and also allows dynamic changing of the policy.
- It is authentication agnostic: any mechanism can be used, e.g. Kerberos, username/password, digital certificates. The ADF only needs the DN of the authenticated user.
Source: Dave Chadwick, University of Salford

Supports push or pull modes
- In pull mode the X.509 ACs are stored in multiple LDAP directories and automatically retrieved by the ADF. This allows distributed management of roles. Note: to remove a privilege, the corresponding X.509 AC needs to be deleted from the LDAP directory.
- In push mode the application (AEF) passes the X.509 ACs to the ADF. This allows the user to exercise privacy. Note: attribute certificate revocation lists (ACRLs) are not yet supported by the ADF, so this mode may be less secure than pull: a user can keep presenting a copy of an AC that has already been deleted from the directory. We currently have a research bid to add this feature.
Source: Dave Chadwick, University of Salford
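The pull/push difference and the ACRL caveat can be exercised with the following added example (not PERMIS code; a toy ADF with the same GetCreds/Decision/Finalise call pattern). JSON bodies with an HMAC by the Source of Authority stand in for X.509 ACs, a dictionary stands in for LDAP, and the DN, role and policy values are constructed. In pull mode, deleting the AC from the directory revokes the privilege at the next GetCreds; in push mode the same deleted AC, still held by the user, is accepted because without an ACRL nothing tells the ADF it was revoked.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the Source of Authority's AC signing key.
SOA_KEY = b"demo-source-of-authority-key"


def issue_ac(holder_dn, role):
    """Issue a toy attribute certificate binding a role to a holder DN."""
    body = json.dumps({"holder": holder_dn, "role": role}, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(SOA_KEY, body, hashlib.sha256).hexdigest()}


def verify_ac(ac):
    """Check the SOA signature on an AC (stand-in for X.509 AC validation)."""
    expected = hmac.new(SOA_KEY, ac["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(ac["sig"], expected)


class Directory:
    """Stand-in for the LDAP directory that stores role ACs per holder."""
    def __init__(self):
        self.entries = {}

    def add(self, ac):
        holder = json.loads(ac["body"])["holder"]
        self.entries.setdefault(holder, []).append(ac)

    def delete(self, holder_dn, role):
        # Pull-mode revocation: the privilege goes when the AC is removed.
        self.entries[holder_dn] = [ac for ac in self.entries.get(holder_dn, [])
                                   if json.loads(ac["body"])["role"] != role]

    def lookup(self, holder_dn):
        return list(self.entries.get(holder_dn, []))


class PermisADF:
    """Toy ADF: policy maps a role to the (action, target) pairs it permits."""
    def __init__(self, policy, directory):
        self.policy = policy
        self.directory = directory
        self.sessions = {}   # user DN -> roles established by get_creds

    def get_creds(self, user_dn, pushed_acs=None):
        """GetCreds: pull ACs from the directory, or take ACs pushed by the AEF.
        Only ACs with a valid SOA signature, the right holder and a role the
        policy knows about contribute roles. No ACRL is consulted."""
        acs = self.directory.lookup(user_dn) if pushed_acs is None else pushed_acs
        roles = set()
        for ac in acs:
            if not verify_ac(ac):
                continue
            body = json.loads(ac["body"])
            if body["holder"] == user_dn and body["role"] in self.policy:
                roles.add(body["role"])
        self.sessions[user_dn] = roles
        return roles

    def decision(self, user_dn, action, target):
        """Decision: permit if any established role allows (action, target)."""
        roles = self.sessions.get(user_dn, set())
        return any((action, target) in self.policy[r] for r in roles)

    def finalise(self, user_dn):
        """Finalise: drop the user's session state."""
        self.sessions.pop(user_dn, None)


def demo():
    """Return (pull_before_delete, pull_after_delete, push_after_delete)."""
    alice = "cn=alice,o=example"                       # constructed DN
    policy = {"Researcher": {("read", "dataset")}}     # constructed policy
    directory = Directory()
    ac = issue_ac(alice, "Researcher")
    directory.add(ac)
    adf = PermisADF(policy, directory)

    adf.get_creds(alice)                               # pull mode
    pull_before = adf.decision(alice, "read", "dataset")
    adf.finalise(alice)

    directory.delete(alice, "Researcher")              # revoke by deletion
    adf.get_creds(alice)
    pull_after = adf.decision(alice, "read", "dataset")
    adf.finalise(alice)

    adf.get_creds(alice, pushed_acs=[ac])              # push mode, old copy
    push_after = adf.decision(alice, "read", "dataset")
    adf.finalise(alice)
    return pull_before, pull_after, push_after


if __name__ == "__main__":
    print(demo())
```

The push result is the point of the caveat on the slide: a signature check proves the SOA once issued the AC, not that it is still valid, so push mode needs either ACRLs or short AC lifetimes before it is as safe as pull.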

Example 3: RFC 2903 Generic AAA Architecture
The fundamental ideas were inspired by work of the IETF RAP WG, which in RFC 2753 describes a framework for policy-based admission control (the foundation for COPS):
- Policy Decision Point (PDP): the point where policy decisions are made, consulting a Policy Repository.
- Policy Enforcement Point (PEP): the point where the policy decisions are actually enforced. The PEP sends a Request to the PDP and receives a Decision.
Basic goal of Generic AAA: allow policy decisions to be made by multiple PDPs belonging to different administrative domains.

Generic AAA Architecture
The PDP is the AAA entity. The goal is achieved by separating the logical decision process (the Rule Based Engine, which evaluates rules from the Policy Repository) from the application-specific parts (the Application Specific Module) within the PDP; the Policy Enforcement Point sits between the User and the Service. Sequences depend on the model described in RFC 2904 and are implemented using some protocol or API.

Example of Generic AAA Architecture (RFC 2903)
Diagram: three AAA servers, each with an Application Specific Module, a Rule Based Engine and a Policy Repository. In the (virtual) User Organization, the Registration Dept.'s AAA server holds the Users and the Purchase Dept.'s AAA server holds the Contracts and Budgets. In the Bandwidth Provider (the Service Organization), the AAA server's Application Specific Module is a Bandwidth Broker that controls the QoS Enabled Network delivering the Service to the User.
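An added example (not RFC 2903 code nor the Generic AAA project's) of the structure in this diagram: two toy AAA servers whose Rule Based Engine evaluates ordered rules from a policy repository, with Application Specific Modules for registration, budgets and a bandwidth broker, and one rule in the user organization's server that forwards the request to the provider's server in the other administrative domain. The rule syntax, the departments, budgets and link capacity are all constructed for the example.

```python
class AAAServer:
    """Generic AAA server (PDP): a Rule Based Engine over a policy repository.
    Rules call Application Specific Modules (ASMs) for the domain-specific work
    and may forward the request to a peer server in another admin domain."""

    def __init__(self, name, rules, asms):
        self.name = name
        self.rules = rules    # policy repository: ordered (label, condition) pairs
        self.asms = asms      # ASM name -> object the rules may call
        self.peers = {}       # domain name -> AAAServer of that domain

    def evaluate(self, request, trace):
        """Rule Based Engine: every rule must hold, in order, for a permit."""
        trace.append(f"{self.name}: request from {request['user']}")
        for label, condition in self.rules:
            ok = bool(condition(self, request, trace))
            trace.append(f"{self.name}: {label}: {'ok' if ok else 'fail'}")
            if not ok:
                return False
        return True


class BudgetASM:
    """ASM of the user organization's Purchase Dept. (budgets per department)."""
    def __init__(self, budgets):
        self.budgets = dict(budgets)

    def check(self, request):
        return self.budgets.get(request["dept"], 0) >= request["cost"]

    def debit(self, request):
        self.budgets[request["dept"]] -= request["cost"]
        return True


class BandwidthBrokerASM:
    """ASM of the Bandwidth Provider, fronting the QoS enabled network."""
    def __init__(self, capacity_mbps):
        self.capacity = capacity_mbps
        self.reserved = 0

    def reserve(self, request):
        if self.reserved + request["mbps"] > self.capacity:
            return False
        self.reserved += request["mbps"]
        return True


def build_domains():
    """Two administrative domains: the user organization and the provider."""
    budget = BudgetASM({"physics": 100, "chemistry": 10})     # constructed
    broker = BandwidthBrokerASM(capacity_mbps=1000)           # constructed

    provider = AAAServer("provider-aaa", [
        ("contract with user org", lambda s, r, t: r["org"] in s.asms["contracts"]),
        ("bandwidth available", lambda s, r, t: s.asms["broker"].reserve(r)),
    ], {"contracts": {"uva"}, "broker": broker})

    user_org = AAAServer("userorg-aaa", [
        ("user registered", lambda s, r, t: s.asms["registration"].get(r["user"]) == r["dept"]),
        ("department budget", lambda s, r, t: s.asms["budget"].check(r)),
        # Forward to the provider's PDP; its decision becomes part of ours.
        ("provider decision", lambda s, r, t: s.peers["provider"].evaluate(r, t)),
        # Charge the department only after the provider has reserved the path.
        ("debit budget", lambda s, r, t: s.asms["budget"].debit(r)),
    ], {"registration": {"alice": "physics", "bob": "chemistry"}, "budget": budget})
    user_org.peers["provider"] = provider
    return user_org, budget, broker


def demo():
    """Evaluate four constructed requests; return decisions and final ASM state."""
    user_org, budget, broker = build_domains()
    trace = []
    requests = [
        {"user": "alice", "dept": "physics", "org": "uva", "cost": 30, "mbps": 400},
        {"user": "alice", "dept": "physics", "org": "uva", "cost": 80, "mbps": 100},
        {"user": "bob", "dept": "chemistry", "org": "uva", "cost": 5, "mbps": 700},
        {"user": "eve", "dept": "physics", "org": "uva", "cost": 1, "mbps": 1},
    ]
    decisions = [user_org.evaluate(r, trace) for r in requests]
    return decisions, dict(budget.budgets), broker.reserved, trace


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The second request fails on the local budget rule and never reaches the provider; the third passes the user organization's checks but is refused by the provider's broker, and because the debit rule comes after the forwarded decision the chemistry budget is left untouched. Ordering rules so that side effects come last is what keeps the two domains' state consistent when one of them says no.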

Conclusions
- The concepts chapter in the document is intended to help get a better overall picture.
- It needs to include existing and emerging (OGSA) mechanisms.
- It observes and recognizes, but does not specify anything.
- RFC 2904 could be expanded for describing sequences. Other frameworks are needed.