Policy-Based Dynamic Negotiation for Grid Services Authorization. Ionut Constandache, Daniel Olmedilla, Wolfgang Nejdl. Semantic Web Policy Workshop, ISWC'05.

Presentation transcript:

Slide 1: Policy-Based Dynamic Negotiation for Grid Services Authorization
Ionut Constandache, Daniel Olmedilla, Wolfgang Nejdl
Semantic Web Policy Workshop, ISWC'05, Galway, Ireland, 7th November 2005

Daniel Olmedilla, Nov 7th, 2005, Semantic Web Policy Workshop, slide 2
Motivating Scenario (I): Grid Limitations

Slide 3: Policy-Driven Negotiation (I)
Characteristics
- Both clients and servers are semantically annotated with policies
- Annotations specify constraints and capabilities
  - access control requirements
    - which certificates must be presented to gain access to it
    - who is responsible for obtaining and presenting these certificates
  - and are used during a negotiation
    - to reason about and to communicate the need to see certain credentials from the other party
    - to determine whether requested credentials can be obtained and revealed
- User involvement is drastically reduced in favor of automated interactions.

Slide 4: Policy-Driven Negotiation (& II)
Example: Security & Privacy (message sequence between Alice, Bob and the Service)
- Step 1: Alice requests a service from Bob
- Step 2: Bob discloses his policy for the service
- Step 3: Alice discloses her policy for VISA
- Step 4: Bob discloses his BBB credential
- Step 5: Alice discloses her VISA card credential
- Step 6: Bob grants access to the service
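The six-step exchange on this slide can be run as a small simulation. The Python below is an added example written for this page, not the negotiation engine of the paper or of the GT4 extension it describes: the `Party` and `negotiate` names and the policy representation (an item maps to the credential types the other side must present before it is released) are constructed for the illustration, and the credential names VISA and BBB are taken from the slide. It goes beyond the slide in two ways a practitioner cares about: it stops when the two release policies depend on each other (neither side will move first), and it accepts a round limit, the "limit number of iterations" idea from the further-work slide.

```python
"""Toy bilateral trust negotiation (added illustration, not the paper's engine).
A policy maps a protected item (a service, or one of a party's own credentials)
to the set of credential types the peer must show before the item is released.
Constructed sample policies reproduce the six-step Alice/Bob exchange."""
from dataclasses import dataclass, field


@dataclass
class Party:
    name: str
    credentials: set          # credential types this party holds
    policies: dict            # item -> credential types the peer must show first
    seen: set = field(default_factory=set)       # credentials the peer has disclosed
    requested: set = field(default_factory=set)  # credentials the peer asked us for

    def unmet(self, item):
        """Requirements of our policy for `item` the peer has not satisfied yet."""
        return self.policies.get(item, set()) - self.seen


def negotiate(client, server, service, max_rounds=10):
    """Run rounds of disclosure until the server's policy for `service` is met.
    Stops early when neither side can disclose anything new (mutually dependent
    release policies) or when `max_rounds` is exhausted. Returns (granted, log)."""
    log = [f"{client.name} requests {service} from {server.name}"]
    client.requested |= server.policies.get(service, set())
    log.append(f"{server.name} discloses policy for {service}: needs "
               + ", ".join(sorted(client.requested)))
    for _ in range(max_rounds):
        if not server.unmet(service):
            break
        progress = False
        for me, peer in ((client, server), (server, client)):
            for cred in sorted(me.requested - peer.seen):
                if cred not in me.credentials:
                    continue  # we cannot satisfy this requirement at all
                missing = me.unmet(cred)
                if not missing:
                    peer.seen.add(cred)  # our release policy is satisfied: disclose
                    log.append(f"{me.name} discloses {cred}")
                    progress = True
                elif missing - peer.requested:
                    peer.requested |= missing  # tell the peer what we need first
                    log.append(f"{me.name} discloses policy for {cred}: needs "
                               + ", ".join(sorted(missing)))
                    progress = True
        if not progress:
            log.append("negotiation stuck: neither party can disclose more")
            return False, log
    if server.unmet(service):
        log.append(f"round limit {max_rounds} reached without agreement")
        return False, log
    log.append(f"{server.name} grants access to {service}")
    return True, log


def alice_bob(max_rounds=10):
    """Slide scenario (constructed policies): Bob's service needs a VISA card,
    Alice releases her VISA only to a BBB-accredited party, Bob's BBB is public."""
    alice = Party("Alice", {"VISA"}, {"VISA": {"BBB"}})
    bob = Party("Bob", {"BBB"}, {"service": {"VISA"}})
    return negotiate(alice, bob, "service", max_rounds)


def mutual_dependency():
    """Failure mode: each side waits for the other, so the engine must give up."""
    alice = Party("Alice", {"VISA"}, {"VISA": {"BBB"}})
    bob = Party("Bob", {"BBB"}, {"service": {"VISA"}, "BBB": {"VISA"}})
    return negotiate(alice, bob, "service")


if __name__ == "__main__":
    for line in alice_bob()[1]:
        print(line)
    print(mutual_dependency()[1][-1])
```

Running the module prints the Alice/Bob transcript in the order of the six slide steps. `mutual_dependency()` shows the case where Alice releases VISA only after seeing BBB while Bob releases BBB only after seeing VISA; the engine detects that no new disclosure or policy is possible and terminates instead of looping, and `alice_bob(max_rounds=1)` shows a negotiation cut off by the round limit before agreement.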

Slide 5: Policy-Driven Negotiation on the Grid (I)
Example scenario
- With only one certificate to access the online repository
- The delegated certificate is used to retrieve the requested certificates
- Server informs the client about its access control policy

Slide 6: Policy-Driven Negotiation on the Grid (II)
Enhanced Characteristics
- Distributed authorization mechanisms
  - Driven by policies, not hardcoded
- Bilateral policy specification
  - Access is negotiated
- Dynamic credential fetching
  - Now possible to use discovery and scheduling services to locate the best available resources
  - Otherwise it is impossible to predict beforehand which exact service instances would be used and which certificates would be required
- Capability-based authorization architecture
  - Instead of identity-based
  - No previous trust relationships required
- Monitoring and explanation of authorization decisions

Slide 7: Policy-Driven Negotiation on the Grid (III)
Implementation on Globus Toolkit 4.0
- Directly integrated with the grid services paradigm
- Extension to GSI, pluggable into any GT4.0-compliant grid service or client
- Only requirement: Java-based grid services
- We use:
  - Custom PDP as part of the Client Call Interceptor
    - Redirects to a negotiation if required
  - Asynchronous negotiations are achieved through WS-BaseNotification and WS-Topics
  - CAS integration into negotiations
  - API for easy integration within client code

Slide 8: Policy-Driven Negotiation on the Grid (& IV)
Architecture (figure: service wsdl file, service deployment descriptor)

Slide 9: Conclusions & Future Work (I)
Conclusions: Main Features
- Self-describing resources for access requirements
  - Based on properties
- Dynamic negotiation for service authorization
- Automatic credential fetching
- Implementation in Java
  - Extension of GSI in GT4.0
  - Backwards compatible

Slide 10: Conclusions & Future Work (& II)
Further Work
- Study performance impact of negotiations
  - And approaches to minimize the extra load
    - Limit number of iterations
      - E.g. 2-step negotiations
    - Advertise policies before the service is invoked
- Improve credential repositories
  - Integration of TN in MyProxy
- Investigate the use of XACML
  - Delegation not yet supported but planned
- Use of traceable negotiations
  - E.g. monitoring or accounting

Slide 11: Questions? - Thanks!

Slide 12: Implementation in GT4
Easy Integration with Current Grid Services
Service:
- include one jar file containing the policy-based trust negotiation engine
- minor add-ons to the service wsdl file (import one wsdl file and extend one port type) and wsdd file (add one more provider and install a security descriptor)
- have a resource (if not available)
- re-deploy the service
Client:
- use one jar file containing the policy-based trust negotiation engine
- invoke the service as usual, or call directly for a trust negotiation process
- look for authorization exceptions and, if one is triggered by a trust negotiation failure, make simple calls to the negotiation engine

Slide 13: Integration into Globus Toolkit 4.0 (I)
Grid Service Descriptor
Descriptors:
- grid service descriptor (wsdl file): TrustNegotiation.wsdl
  - defines the data types and functions for exchanging trust negotiation messages
The grid service should extend the NotificationProducer port type (used for asynchronous communication with the client) and the TrustNegotiation port type (used for exposing the functions the client uses to push proofs/requirements to the grid service).

Slide 14: Integration into Globus Toolkit 4.0 (II)
Grid Service Deployment Descriptor
Descriptors:
- grid service deployment descriptor (wsdd file):
  - rely on GT4.0 providers for notification usage and use a TrustNegotiationProvider implementing the logic for policy-based dynamic negotiation
  - install a security descriptor specifying the use of a PDP for filtering client calls / managing authorization information

Slide 15: Integration into Globus Toolkit 4.0 (& III)
Requirements
Resource:
- the grid service should use a resource implementing TopicListAccessor
- a topic would be added by TrustNegotiationProvider for trust negotiation (using this topic the service pushes proofs/requirements to the client side)

Slide 16: Client / Service (figure only)

Slide 17: Client, Factory Service, Instance Service, Resource (architecture sequence)

Resource: exposes a topic such as TrustNegotiationTopic for asynchronous communication with the client. It notifies the client when his requests are fulfilled or when further requirements are imposed by the service.

PDP: specified in the Instance service descriptor; it intercepts operation calls and checks whether the invoked operation is authorized. Operations getNegotiationTopic() and trustNegotiate() are permitted by default; all other operations are denied unless a trust negotiation process has succeeded.

Instance service: extends the standard port types Subscribe and GetMessage (used by notifications) and a port type we provide, TrustNegotiationProvider, which exposes 2 operations, getNegotiationTopic() and trustNegotiation(). Through them it receives the client requests and proofs with regard to service authorization.

Sequence:
1. Client requests create resource
2. Factory creates the resource
3. Operation called on the resource
4. Client is not authorized to make the call: throw an exception
5. Client catches the exception
6. Client calls getNegotiationTopic() and receives the QName of the negotiation topic
7. Client registers with TrustNegotiation Topic for notifications
8. Client calls the trustNegotiation() operation to send client policies and proofs
9. Service notifies the client about service policies and further requirements
10. Operation executed on the resource if the trust negotiation process was successful
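The ten numbered steps fix a control flow between client, PDP, instance service and notification topic. The Python below is an added illustration of that flow and of the client-side pattern from slide 12 (call as usual, catch the authorization exception, negotiate, retry); it is not code from the GT4 extension. `InstanceService`, `TrustNegotiationPDP`, `Topic`, the protected operation `readData`, the audit trace and the credential name VISA are constructed stand-ins, and WS-BaseNotification is reduced to a list of callbacks. The operation names getNegotiationTopic and trustNegotiation, and the rule that only those two are permitted before a successful negotiation, follow the slide.

```python
"""Model of the PDP interception and negotiation-topic flow (added illustration,
not GT4 code). The PDP decides per (client, resource) pair; the two negotiation
operations are always permitted, everything else only after negotiation."""


class AuthorizationError(Exception):
    """Raised by the call interceptor when an operation is not (yet) authorized."""


class Topic:
    """Stand-in for a WS-Topics topic: every subscriber callback gets each message."""

    def __init__(self, qname):
        self.qname = qname
        self.subscribers = []

    def subscribe(self, callback):
        self.subscribers.append(callback)

    def notify(self, message):
        for callback in self.subscribers:
            callback(message)


class TrustNegotiationPDP:
    """Permits getNegotiationTopic/trustNegotiation unconditionally; any other
    operation only after negotiation succeeded for that (client, resource)."""

    ALWAYS_PERMITTED = {"getNegotiationTopic", "trustNegotiation"}

    def __init__(self):
        self.authorized = set()

    def is_permitted(self, client, resource_id, operation):
        return (operation in self.ALWAYS_PERMITTED
                or (client, resource_id) in self.authorized)

    def grant(self, client, resource_id):
        self.authorized.add((client, resource_id))


class InstanceService:
    """Instance service plus its resource: one protected operation (readData,
    constructed) and the two operations contributed by the negotiation provider."""

    def __init__(self, resource_id, required_credential):
        self.resource_id = resource_id
        self.required = required_credential            # the service's policy (constructed)
        self.topic = Topic(f"TrustNegotiationTopic/{resource_id}")  # added by the provider
        self.pdp = TrustNegotiationPDP()
        self.audit = []                                 # trace of PDP decisions

    def invoke(self, client, operation, *args):
        """Call interceptor: the PDP sees every operation before it runs."""
        permitted = self.pdp.is_permitted(client, self.resource_id, operation)
        self.audit.append((client, operation, "permit" if permitted else "deny"))
        if not permitted:
            raise AuthorizationError(f"{client} may not call {operation}")   # step 4
        return getattr(self, "op_" + operation)(client, *args)

    def subscribe(self, qname, callback):
        """Step 7: register for notifications on the topic named by `qname`."""
        if qname != self.topic.qname:
            raise KeyError(qname)
        self.topic.subscribe(callback)

    def op_getNegotiationTopic(self, client):
        return self.topic.qname                         # step 6

    def op_trustNegotiation(self, client, proofs):
        """Steps 8 and 9: evaluate proofs, answer asynchronously over the topic."""
        if self.required in proofs:
            self.pdp.grant(client, self.resource_id)
            self.topic.notify({"to": client, "status": "authorized"})
        else:
            self.topic.notify({"to": client, "status": "requirements",
                               "needs": [self.required]})

    def op_readData(self, client):
        return f"data of {self.resource_id}"            # step 10


def client_call(service, client, operation, proofs):
    """Client side: call as usual; on an authorization exception run the
    negotiation (steps 5 to 9) and retry the operation once (step 10)."""
    try:
        return service.invoke(client, operation)                          # step 3
    except AuthorizationError:                                            # step 5
        pass
    inbox = []
    qname = service.invoke(client, "getNegotiationTopic")                 # step 6
    service.subscribe(qname, lambda m: inbox.append(m) if m["to"] == client else None)
    service.invoke(client, "trustNegotiation", proofs)                    # step 8
    answer = inbox[-1]                                                    # step 9
    if answer["status"] != "authorized":
        raise AuthorizationError(f"negotiation failed, service needs {answer['needs']}")
    return service.invoke(client, operation)                              # step 10


if __name__ == "__main__":
    svc = InstanceService("res-1", "VISA")   # constructed sample resource and policy
    print(client_call(svc, "alice", "readData", ["VISA"]))
    print(svc.audit)
```

The audit trace makes the PDP's behaviour visible: the first readData call is denied, the two negotiation operations are permitted, and readData is permitted afterwards for that client only; a client whose proofs do not satisfy the policy receives a requirements notification and stays denied. Once granted, later calls by the same client pass the PDP without renegotiation, which is the state a real deployment would have to scope and expire.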