AuthZ Interoperability – Status and Plans. Gabriele Garzoglio, June 12, 2007, Middleware Security Group Meeting.

Presentation transcript:

Slide 1/17 (Jun 12, 2007): AuthZ Interoperability – Status and Plans
Gabriele Garzoglio, Computing Division, Fermilab
June 12, 2007, Middleware Security Group Meeting

Slide 2/17: Overview
- Motivations & Collaboration
- Informal Requirements
- Open Issues
- Conclusions

Slide 3/17: Motivations
- Modern middleware development requires the integration of software with grid authorization layers.
- Each grid has a different authorization infrastructure.
- Authorization call-out protocols are not standardized.
- Example: SRM/dCache is integrated with the OSG AuthZ infrastructure but not with EGEE.
  – Deployment must still rely on legacy AuthZ mechanisms.
- Discussion started in Oct 2006 to address authorization interoperability.

Slide 4/17: Collaboration
- OSG (VO Services Project)
  – Keith Chadwick, Ted Hesselroth, Gabriele Garzoglio, Igor Sfiligoi, Steve Timm, Valery Sergeev, John Weigand
  – John Hover, Jay Packard
- EGEE (Site Authorisation and Enforcement Services)
  – David Groep, Oscar Koeroo
  – Yuri Demchenko, Joni Hahkala
- The Globus Toolkit
  – Rachana Ananthakrishnan, Frank Siebenlist, Dan Fraser

Slide 5/17: A window of opportunity
- Globus is in the process of developing a new pluggable AuthZ call-out infrastructure for GT4
  – OSG and EGEE can contribute by defining real-life use cases
- EGEE is considering making the LCMAPS system accessible as a network service
  – The group needs to decide soon which network protocol to use
- The VO Services project is finishing Phase II in Summer 07
  – Effort becomes available for Phase III of the project

Slide 6/17: Meetings History
- Oct 2006: bin/DisplayMeeting?conferenceid=239
- Feb 2007: bin/DisplayMeeting?conferenceid=323
- Mar 2007: discussions at the MWSG 11
- Apr 2007: bin/DisplayMeeting?conferenceid=333
- May 2007: bin/DisplayMeeting?conferenceid=338

Slide 7/17: Architecture (the OSG case)
[Diagram of the OSG AuthZ components. Legend: VO Management Services, Grid Site, Site Services. VO Services: VOMRS and VOMS, kept in synch; the user registers and gets a voms-proxy. Grid Site: CE Gatekeeper with Prima, SE SRM with gPlazma / Prima, WN with gLExec and Prima. Site Services: SAZ ("Is Auth? Yes / No") and GUMS ("ID Mapping? Yes / No + UserName"). Flow: submit request with voms-proxy; schedule pilot or job; pilot SU job (UID/GID); submit pilot or job to the batch system and access data in storage (UID/GID).]

Slide 8/17: Architecture (the OSG case)
[Same diagram as slide 7, annotated: "A Common Protocol for OSG and EGEE integrated with the GT".]

Slide 9/17: Overview
- Motivations & Collaboration
- Informal Requirements (this section)
- Open Issues
- Conclusions

Slide 10/17: Background
- Globus has a prototypical implementation of an authorization call-out library
  – Developed in collaboration with IBM
  – Based on XACML 2 / SAML 2
- The library is going to be integrated with GT4.x

Slide 11/17: Informal Requirements
- The library should be usable outside of the Globus Toolkit framework
  – However, the GT4 PEPs are natively integrated
- The library should support remote or local attribute validation
  – The library should support sending signed assertions over the wire
  – We will need to standardize the attribute names used in the assertion, so that semantics are consistent across implementations

Slide 12/17: Informal Requirements
- The library should allow signing assertions with different certificates
  – For example host cert, user cert, pilot admin cert, etc.
- The library should be able to send some of the PEP context to the PDP
  – For example: job description parameters, RSL, etc.
  – The information could be passed to the PDP as a standardized XACML attribute.
- The library should support arbitrary information from the PDP
  – Using XACML Obligations…

Slide 13/17: XACML Obligations (PDP Output)
- OSG and EGEE use cases are almost the same
  – Return set of UID/GID (CE), Root Path & (optional) Priority (SE)
- EGEE wants support for more general structures
  – "Authorization Tickets" to enable session management
  – Discussed the use case of AFS tokens
- Clients should be able to declare what obligations they can support
  – We can use a standardized tag of the "environment" element
  – Allows "upgradability" of the clients
- Handling of obligations should be implemented via external handlers
  – Handlers will be associated with standardized obligation ids.
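The obligation model sketched on slides 12 and 13 (PDP returns UID/GID, root path and optional priority as XACML Obligations; the PEP advertises the obligation ids it understands in the request's Environment; obligations are fulfilled by external handlers keyed by obligation id) is small enough to show end to end. The following is an added example written for this page; it is not code from the talk, from the Globus/IBM prototype or from the later authz-interop profile. The XACML 2.0 namespaces and the standard subject/resource/action attribute ids are real; every id under the `EX` namespace, the site policy, the FQAN, UID/GID and path values, and the handlers are constructed for the example.

```python
"""Added example: a minimal XACML 2.0-style authorization callout with
Obligations, a client-declared list of supported obligation ids carried in
<Environment>, and handler dispatch on the PEP side.  Ids under EX, the site
policy and the handlers are constructed for this example, not the real profile."""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"   # Request/Response context
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"    # Obligations live here
ET.register_namespace("xacml-context", CTX)
ET.register_namespace("xacml", POL)
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

EX = "http://authz-interop.example.invalid/"            # constructed namespace
ATTR_FQAN = EX + "attribute/voms-fqan"
ATTR_SUPPORTED = EX + "attribute/supported-obligation"  # the Environment tag
OBL_UIDGID = EX + "obligation/uidgid"                   # CE use case
OBL_ROOTPATH = EX + "obligation/root-path"              # SE use case
OBL_PRIORITY = EX + "obligation/priority"               # SE use case, optional
OBL_TICKET = EX + "obligation/authz-ticket"             # newer, session-style
MANDATORY = {OBL_UIDGID, OBL_ROOTPATH}  # a Permit is unusable without these

# Constructed site policy: (FQAN, resource) -> obligations with their assignments
SITE_POLICY = {
    ("/cms/Role=production", "ce"): {OBL_UIDGID: {"uid": "41001", "gid": "4100"}},
    ("/cms/Role=production", "se"): {OBL_ROOTPATH: {"path": "/pnfs/cms/prod"},
                                     OBL_PRIORITY: {"value": "10"},
                                     OBL_TICKET: {"ticket": "tkt-constructed"}},
}


def _attr(parent, attr_id, value):
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=STRING)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value


def build_request(subject_dn, fqan, resource, action, supported):
    """PEP side: build the Request and advertise the obligation ids it can handle."""
    req = ET.Element(f"{{{CTX}}}Request")
    subj = ET.SubElement(req, f"{{{CTX}}}Subject")
    _attr(subj, SUBJECT_ID, subject_dn)
    _attr(subj, ATTR_FQAN, fqan)
    _attr(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, resource)
    _attr(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, action)
    env = ET.SubElement(req, f"{{{CTX}}}Environment")
    for obl_id in supported:
        _attr(env, ATTR_SUPPORTED, obl_id)
    return ET.tostring(req, encoding="unicode")


def parse_request(xml):
    root = ET.fromstring(xml)

    def values(section, attr_id):
        return [v.text for a in root.findall(f"{{{CTX}}}{section}/{{{CTX}}}Attribute")
                if a.get("AttributeId") == attr_id
                for v in a.findall(f"{{{CTX}}}AttributeValue")]
    return {"fqan": values("Subject", ATTR_FQAN),
            "resource": values("Resource", RESOURCE_ID)[0],
            "supported": set(values("Environment", ATTR_SUPPORTED))}


def pdp_evaluate(request_xml, policy=SITE_POLICY):
    """PDP side: decide, attach only obligations the client declared support for.
    If a mandatory obligation is unsupported the answer is Deny, since a conforming
    PEP must deny on an obligation it cannot fulfil anyway (XACML 2.0)."""
    req = parse_request(request_xml)
    resp = ET.Element(f"{{{CTX}}}Response")
    result = ET.SubElement(resp, f"{{{CTX}}}Result", ResourceId=req["resource"])
    decision = ET.SubElement(result, f"{{{CTX}}}Decision")
    match = next((policy[(f, req["resource"])] for f in req["fqan"]
                  if (f, req["resource"]) in policy), None)
    if match is None or any(o in MANDATORY and o not in req["supported"] for o in match):
        decision.text = "Deny"
    else:
        decision.text = "Permit"
        obls = ET.SubElement(result, f"{{{POL}}}Obligations")
        for obl_id, assignments in match.items():
            if obl_id not in req["supported"]:
                continue  # optional obligation an older client does not know
            obl = ET.SubElement(obls, f"{{{POL}}}Obligation", ObligationId=obl_id, FulfillOn="Permit")
            for key, val in assignments.items():
                ET.SubElement(obl, f"{{{POL}}}AttributeAssignment",
                              AttributeId=EX + "assignment/" + key, DataType=STRING).text = val
    return ET.tostring(resp, encoding="unicode")


def parse_response(xml):
    result = ET.fromstring(xml).find(f"{{{CTX}}}Result")
    obligations = [(o.get("ObligationId"),
                    {a.get("AttributeId").rsplit("/", 1)[-1]: a.text
                     for a in o.findall(f"{{{POL}}}AttributeAssignment")})
                   for o in result.findall(f"{{{POL}}}Obligations/{{{POL}}}Obligation")]
    return result.findtext(f"{{{CTX}}}Decision"), obligations


def pep_enforce(response_xml, handlers):
    """PEP side: grant only if every returned obligation has a registered handler."""
    decision, obligations = parse_response(response_xml)
    if decision != "Permit":
        return False, {}
    context = {}
    for obl_id, assignments in obligations:
        if obl_id not in handlers:
            return False, {}  # unfulfillable obligation: no access
        context.update(handlers[obl_id](assignments))
    return True, context


# Constructed external handlers, one per standardized obligation id.
CE_HANDLERS = {OBL_UIDGID: lambda a: {"uid": int(a["uid"]), "gid": int(a["gid"])}}
SE_HANDLERS = {OBL_ROOTPATH: lambda a: {"root_path": a["path"]},
               OBL_PRIORITY: lambda a: {"priority": int(a["value"])}}
```

A CE client that advertises only `OBL_UIDGID` gets a Permit carrying a UID/GID obligation; an SE client that predates the "authorization ticket" obligation simply never receives it, which is the upgradability argument of the slide. The PEP-side check in `pep_enforce` is the complementary safety net: if a PDP does return an obligation id with no registered handler, the PEP refuses access rather than silently ignoring the obligation.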

Slide 14/17: Overview
- Motivations & Collaboration
- Informal Requirements
- Open Issues (this section)
- Conclusions

Slide 15/17: Language Support
- The languages of interest for the library are C and Java
- The prototype is in Java
- Server-side: is Java enough?
  – It might be for OSG (both GUMS and SAZ are in Java)
- Client-side: must support C:
  – We can generate WSDL bindings in C, but this will lack support for obligations
  – We can try JNI, but similar attempts (caBIG group) have been done outside of the GT4 framework
  – We can translate the Java library into C, but it would require longer timelines

Slide 16/17: Open Issues
- What are the EGEE time constraints?
- What is the schedule of Globus to provide
  – support for parsing/manipulating obligations
  – support for a C library (tentatively: α-version by the end of July)
- What features of the C library are essential to write client software?

Slide 17/17: Conclusions
- The window of opportunity to develop an interoperable authorization system is now
- Globus, OSG & EGEE have laid the groundwork for a successful collaboration
- For this phase, we still need to
  – Agree on a common plan and timeline
  – Formalize requirements
  – Understand what standards are needed