GRID Authorization Framework for CCLRC Data Portal. Ananta Manandhar, e-Science Centre. AHM, 2–4 Sept 2003.

2 GRID
Large-scale resource sharing between trusted and untrusted organisations.
Researchers are interested in using the Grid if they can access the resources they require.
Resource providers are keen to host resources on the Grid, but want to keep control over their resources.
Control, reliability, manageability: missing any one of these three makes a resource provider wary of collaborating.

3 Data Portal
[Diagram: User -> CCLRC DataPortal Server -> Facility 1 and Facility 2, each exposing its local data and local metadata through an XML wrapper]
A broker application that provides a web-based interface to access data located in multiple facilities.

4 Security
Authentication: validating that the user is who he says he is
- use of certificates
- use of the delegation features of the GSI architecture
Authorization: managing what the user is allowed to do
- grid-map files, CAS, VOMS, PERMIS, Akenti

5 Requirements
Scalable: able to manage growth in users and resources as collaborations with other organisations increase.
Manageable and maintainable: adding, removing and modifying user privileges needs to stay easy and intuitive.
Preferably under the control of the resource end: organisations prefer to control who has access to their data.

6 Requirements 2
Minimum intervention at the Data Portal layer: keep the number of points where security has to be considered as low as possible.
Ability to use existing access control models: many resource providers already have access control mechanisms that are reliable and proven.
Future integration with other Grid-related applications.

7 Globus CAS
A Community Authorization Server (CAS) sits between users and resources.
Resource providers grant privileges to the CAS; the privileges of individual users are stored in the CAS.
The user asks the CAS for a CAS credential: a GSI proxy certificate signed by the CAS server, with the user's policies and privileges carried in a certificate extension.
The user presents the CAS credential to the resource provider in place of an ordinary proxy certificate, so the resource trusts the CAS signature and enforces the embedded policy.

8 PERMIS
A central, publicly accessible LDAP server hosts X.509 attribute certificates.
The organisation's Privilege Allocator creates attribute certificates for users and stores them in the publicly accessible LDAP directory.
The authorization policy is also written as an attribute certificate and stored in the LDAP directory.
When querying a resource, the user presents its certificate; the resource's Access Decision Function retrieves the user's attribute certificate and the policy from the LDAP server and enforces the resulting privileges.

9 EU DataGrid VOMS
Classifies authorization information into two categories:
- general information about the relationship between the user and the Virtual Organization
- information about what the user is allowed to do at the resource provider
The relationship between the VO and the user is expressed as groups and roles by the VOMS server (coarse-grained).
Information about what the user is allowed to access is maintained by the resource provider (fine-grained).

10 Authorization Framework
[Diagram]
Authorization Server: Management Interface, User Privilege Database, VO Certificate Store.
Admin and Super Admin use the Management Interface to manage user policies and the policy description.
User -> Authorization Server: request authorization token; the server gets the policy attributes for the user's DN and returns an authorization token.
User -> Resource 1 ... Resource n, each behind an Access Adapter: request (proxy certificate + authorization token + query); the adapter returns the result.

11 DP with Authorization Framework
[Diagram]
User: runs myproxy-init to deposit a proxy in MyProxy, then uses a browser to reach the Data Portal.
Data Portal: the Authentication Module retrieves the proxy certificate from MyProxy; the Session Manager saves the certificate, requests an authorization token from each organisation's Authorization Server and saves the token.
Query (query string + proxy certificate + authorization token) is forwarded to the Access Adapter in front of each resource (Resource 1, Resource 2) at Organization 1, Organization 2 ... Organization n; each organisation's Admin manages its own Authorization Server.

12 Authorization Token Server
[Diagram]
Web Service Interface: Get Authorization Token (proxy certificate, request parameters) -> Return (authorization token).
Authorization Token Generator: gets the DN from the proxy certificate, fetches the privileges for that DN through the User Privilege Interface from the User Privilege Store, and signs the token with the key held in the Certificate Store.
Management Interface: Admin (type 1 admin) manages user privileges.

13 Resource Access Adapter
[Diagram]
Web Service Interface: request (proxy certificate, authorization token, query) -> result.
Authorization Token Parser -> Access Enforcement Interface -> Resource; decisions are recorded in the Access Log.

14 Authorization Token
Version 0.1. Fields: user DN, issuer DN, issuerName, signature algorithm (MD5withRSA), signature value.
Caveat: MD5 has since been shown to be collision-prone (practical collisions from 2004 onwards), so a token of this shape should be signed with SHA-256 (SHA256withRSA), and the verifier should reject any token naming a different algorithm rather than trusting the field as presented.

15 Implications of adding the Authorization Framework
Organisation's perspective: the organisation only has to maintain users' group membership in the organisation and host an authorization token generation server.
Data Portal perspective: it has to request a proxy certificate from MyProxy and an authorization token from the organisation's authorization server on behalf of the user, and forward these along with the user's query.
User's perspective: needs membership of the organisation and has to request an authorization token at the start of the session before being able to query the organisation's resources.
Resource provider's perspective: has to maintain the mapping from groups to its local access control mechanisms and be able to verify the authenticity of the certificates and the token.
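The token path of slides 12 to 15 (generator signs a token for the DN, the adapter parses it, verifies it, binds it to the proxy certificate's subject and maps groups onto the provider's own ACL), as an added worked example in Go. This is not the framework's own code, which the slides describe only as a web-service interface; the group field, the "key: value" line encoding, the DNs, the ACL and the use of SHA256withRSA instead of the slide's MD5withRSA are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Token holds the fields on the "Authorization Token 0.1" slide (version, user DN, issuer DN,
// issuer name, algorithm, value). Groups and the "key: value" line format are assumptions here.
type Token struct {
	Version, UserDN, IssuerDN, IssuerName, Algorithm, Value string
	Groups                                                  []string
}

// signedPayload is the byte string the issuer signs and the adapter re-hashes.
func signedPayload(t Token) []byte {
	return []byte(strings.Join([]string{t.Version, t.UserDN, t.IssuerDN, t.IssuerName, strings.Join(t.Groups, ",")}, "\n"))
}

// Issue is the Authorization Token Generator; SHA256withRSA replaces the slide's MD5withRSA (MD5 is collision-prone).
func Issue(key *rsa.PrivateKey, issuerDN, issuerName, userDN string, groups []string) (Token, error) {
	t := Token{Version: "0.1", UserDN: userDN, IssuerDN: issuerDN, IssuerName: issuerName, Groups: groups, Algorithm: "SHA256withRSA"}
	h := sha256.Sum256(signedPayload(t))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return Token{}, err
	}
	t.Value = base64.StdEncoding.EncodeToString(sig)
	return t, nil
}

// Encode writes the token in the assumed wire format, one field per line.
func Encode(t Token) string {
	return fmt.Sprintf("version: %s\nuserDN: %s\nissuerDN: %s\nissuerName: %s\ngroups: %s\nalgorithm: %s\nvalue: %s\n",
		t.Version, t.UserDN, t.IssuerDN, t.IssuerName, strings.Join(t.Groups, ","), t.Algorithm, t.Value)
}

// Parse is the Access Adapter's Authorization Token Parser; malformed or unknown lines are rejected, not ignored.
func Parse(s string) (Token, error) {
	var t Token
	fields := map[string]*string{"version": &t.Version, "userDN": &t.UserDN, "issuerDN": &t.IssuerDN,
		"issuerName": &t.IssuerName, "algorithm": &t.Algorithm, "value": &t.Value}
	for _, line := range strings.Split(strings.TrimSpace(s), "\n") {
		kv := strings.SplitN(line, ": ", 2)
		if len(kv) != 2 {
			return Token{}, fmt.Errorf("malformed token line %q", line)
		}
		if p, known := fields[kv[0]]; known {
			*p = kv[1]
		} else if kv[0] != "groups" {
			return Token{}, fmt.Errorf("unknown token field %q", kv[0])
		} else if kv[1] != "" {
			t.Groups = strings.Split(kv[1], ",")
		}
	}
	return t, nil
}

// Authorize is the Access Enforcement Interface. userDN is the end-entity DN the adapter obtained by
// validating the GSI proxy chain and stripping the /CN=proxy components; the token must be signed by an
// issuer in the VO certificate store, bound to that DN, and carry a group the provider's ACL grants.
func Authorize(trusted map[string]*rsa.PublicKey, acl map[string][]string, userDN string, t Token, resource string) error {
	pub, ok := trusted[t.IssuerDN]
	if !ok || t.Algorithm != "SHA256withRSA" {
		return fmt.Errorf("untrusted issuer %q or unsupported algorithm %q", t.IssuerDN, t.Algorithm)
	}
	sig, err := base64.StdEncoding.DecodeString(t.Value)
	h := sha256.Sum256(signedPayload(t))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return fmt.Errorf("authorization token signature invalid")
	}
	if t.UserDN != userDN {
		return fmt.Errorf("token user DN %q does not match proxy certificate subject %q", t.UserDN, userDN)
	}
	for _, g := range t.Groups {
		for _, r := range acl[g] {
			if r == resource {
				return nil
			}
		}
	}
	return fmt.Errorf("no group in token grants access to %q", resource)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	issuerDN, userDN := "/C=UK/O=eScience/CN=authz-server", "/C=UK/O=eScience/CN=example user" // constructed DNs
	trusted := map[string]*rsa.PublicKey{issuerDN: &key.PublicKey}                                // VO certificate store
	acl := map[string][]string{"users": {"facility1/metadata"}, "staff": {"facility1/metadata", "facility1/rawdata"}}
	tok, _ := Issue(key, issuerDN, "CCLRC", userDN, []string{"users"})
	parsed, _ := Parse(Encode(tok))
	fmt.Println("metadata:", Authorize(trusted, acl, userDN, parsed, "facility1/metadata")) // <nil>
	fmt.Println("rawdata:", Authorize(trusted, acl, userDN, parsed, "facility1/rawdata"))   // denied by ACL
	parsed.Groups = []string{"staff"} // escalation attempt: the signed payload no longer matches
	fmt.Println("tampered:", Authorize(trusted, acl, userDN, parsed, "facility1/rawdata")) // signature invalid
}
```

Two checks in Authorize carry the weight of the design: the signature covers every field the adapter acts on (so editing the group list after issue fails verification), and the user DN in the token must equal the subject of the proxy certificate that accompanies the query, otherwise a stolen token could be replayed with someone else's proxy. The ACL map is the stand-in for whatever local access control the resource provider already runs; only the group names cross the organisational boundary.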

16 Future
Formalise the format and structure of the authorization token.
Look into replacing the web service interface with a Grid Service interface and other communication protocols.
Look into the feasibility of using the authorization token in the HPC portal.

17 Summary
Better trust for resource providers.
Better manageability for organisations.
Use of existing access control mechanisms.
GSI delegation remains unaffected.

18 Questions?