INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML interoperability Oscar Koeroo.

Presentation transcript:

INFSO-RI Enabling Grids for E-sciencE SAML-XACML interoperability Oscar Koeroo

Enabling Grids for E-sciencE INFSO-RI EGEE'07: MWSG Budapest
Slide 2: Index
- The current setup
- The architectural big picture (EGEE/OSG)
- How will this work
- The requirements
- Work done and decisions made
- Stuff to do

Slide 3: Our current architecture
Diagram: LCAS + LCMAPS with the L&L plug-ins (regular set of plug-ins, or regular set + GPbox) on the gLite Compute Element or Storage Element (edg-gk, glexec, edg-gridftp, gt4-interface, pre-WS GT4 gk, gridftp, opensshd), and LCAS + LCMAPS with the regular set of L&L plug-ins under glexec on the worker node; GPbox infrastructure [xacml].
Issues with this setup:
- share/distribute the gridmapdir for mapping consistency
- share/distribute the configurations for the nodes
- share/distribute authorization files, like grid/groupmapfiles and a blacklisting file
- scaling issues; lots of nodes will probably overload an NFS server

Slide 4: The big picture
Diagram: on both EGEE and OSG, the front-end nodes (CE, SE, WN, etc.) and the pilot job on the worker node carry a SAML-XACML PEP built on the common SAML XACML library: the L&L plug-in "SAML-XACML" in LCAS + LCMAPS for the gLite services (glexec, edg-gk, edg-gridftpd, gt4-interface, CREAM, pre-WS GT4 gk, gridftp, opensshd) and Prima + gPlazma "SAML-XACML" for dCache and the OSG services. They send a SAML-XACML Query to the site central service: on EGEE, LCAS + LCMAPS with the L&L plug-ins (regular set, with GPbox); on OSG, GUMS (+ SAZ). The site central service exposes the SAML-XACML interface through the same common SAML XACML library; the GPbox infrastructure attaches via [xacml] on the site central side and [saml-xacml] on the interface.

Slide 5: How it should work (conceptual)
Diagram: a SAML-XACML PEP (L&L plug-in or PRIMA), using the Globus SAML XACML library, sends a SAML-XACML Query (Q: map.user.to.some.pool) over the SAML-XACML interface to the site central service (LCAS + LCMAPS, or GUMS and SAZ), which uses the same Globus SAML XACML library. The response (R:) carries a set of obligations (Oblg: user001, somegrp), which the PEP dispatches to obligation handler[1..N].

Slide 6: SAML-XACML lib requirements
Requirements to Globus:
- Initial focus on Java and C environment
  - C clients (PEP) and C service (PDP): Prima & gPlazma, LCAS and LCMAPS plug-ins; the newly to be created Site Central service with the LCAS and LCMAPS back-end will be C-based
  - Java initially server-side only (PDP): the GUMS server is a Java-Tomcat environment
- Uses a TLS connection for client (PEP) / server (PDP) communication
- Must be able to mix our PDP and PEP implementations
- Must be separate from the existing Globus Toolkit
  - We want the library to be lightweight and easily portable

Slide 7: SAML-XACML lib requirements
Requirements to ourselves:
- Easy interoperation
  - Understand a common set of obligations and their attributes
- Scalability
  - Low network traffic
  - Low overhead at the end points
- Keeping compatibility with existing LCAS and LCMAPS plug-ins and their functionalities

Slide 8: Work done and decisions made
- Understanding the scope of usage
  - Interesting for everybody who was not at the MWSG UCSD lunch
- Understanding the term "stateful PDP"
  - Note: an XACML PDP is (usually only) stateless
  - Passing stateful information (the results of a pool account mapping) from the obligations' attributes
- Discussing SAML-XACML protocol details
  - "Using standard protocols" != "Being standards compliant"
  - Generation of the protocol stack must be reproducible
- Using Globus SAML-XACML instead of OpenSAML
  - Globus is committed to fix potential deviations from the specs
- Testing the alpha version of the SAML-XACML library
  - C and Java; ongoing process...
- Compilation of tentative lists of obligations
  - for EGEE and OSG (next slide...)

Slide 9: Tentative lists of obligations
EGEE obligations:
- UID + GID
- Optional multiple secondary GIDs
- Optional AFS token (type string)
VO Services obligations (to be checked with a representative from Storage):
- Username (for CE)
- UID + GID (common with EGEE)
- RootPath + HomeDir (gPlazma)
- Priorities (gPlazma)
- File creation mask + directory creation mask
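As an added illustration of the PEP side of the flow on slide 5 and of the EGEE obligation list on slide 9 (example code written for this transcript, not the Globus SAML-XACML library, LCMAPS, PRIMA or anything from the talk; Python is used for a runnable sketch where the real PEPs are C and Java): the PEP parses the PDP's XACML 2.0 Response, applies the UID+GID and secondary-GID obligations, and turns the Permit into a Deny for any obligation it does not understand or cannot satisfy. The obligation and attribute identifiers, the response builder, the omitted SAML envelope and the refusal to map to uid/gid 0 are assumptions of the example.

```python
import xml.etree.ElementTree as ET

CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"   # Response/Result/Decision
POL_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"    # Obligations (XACML 2.0)
CTX, POL = "{%s}" % CTX_NS, "{%s}" % POL_NS
# Constructed placeholder ids; the profile's real obligation/attribute ids are not reproduced.
OB_UIDGID, OB_SECGIDS = "x:oblig:uidgid", "x:oblig:secondary-gids"
A_UID, A_GID = "x:attr:posix-uid", "x:attr:posix-gid"
XSD_INT = "http://www.w3.org/2001/XMLSchema#integer"

def xacml_response(decision, obligations):
    """Constructed XACML 2.0 Response (SAML envelope omitted); obligations is a list
    of (ObligationId, [(AttributeId, value), ...]) pairs. Used for demos and tests."""
    aa = '<AttributeAssignment AttributeId="%s" DataType="' + XSD_INT + '">%s</AttributeAssignment>'
    obs = "".join('<Obligation ObligationId="%s" FulfillOn="Permit">%s</Obligation>'
                  % (oid, "".join(aa % (aid, v) for aid, v in attrs)) for oid, attrs in obligations)
    return ('<Response xmlns="%s"><Result ResourceId="glexec"><Decision>%s</Decision>'
            '<Obligations xmlns="%s">%s</Obligations></Result></Response>'
            % (CTX_NS, decision, POL_NS, obs))

def _posix_id(text):
    """A single numeric id, never 0: an obligation that would map to root is refused."""
    if text is None or not text.strip().isdigit() or int(text) == 0:
        raise ValueError("bad POSIX id: %r" % text)
    return int(text)

def enforce(response_xml):
    """PEP side: turn the PDP's Response into the account mapping an LCMAPS/glexec-style
    PEP applies. An obligation the PEP cannot understand or satisfy turns Permit into Deny."""
    result = ET.fromstring(response_xml).find(CTX + "Result")
    if result is None or result.findtext(CTX + "Decision") != "Permit":
        return {"decision": "Deny"}
    m = {"decision": "Permit", "uid": None, "gid": None, "secondary_gids": []}
    try:
        for ob in result.iter(POL + "Obligation"):
            if ob.get("FulfillOn", "Permit") != "Permit":
                continue                                   # not applicable to a Permit decision
            oid = ob.get("ObligationId")
            vals = [(a.get("AttributeId"), a.text) for a in ob.findall(POL + "AttributeAssignment")]
            if oid == OB_UIDGID:                           # one uid and one gid; missing -> ValueError
                m["uid"], m["gid"] = (_posix_id(dict(vals).get(k)) for k in (A_UID, A_GID))
            elif oid == OB_SECGIDS:                        # zero or more gids, deduplicated
                m["secondary_gids"] = sorted({_posix_id(v) for aid, v in vals if aid == A_GID})
            else:                                          # XACML: unfulfillable obligation => no access
                raise ValueError("obligation not understood: %s" % oid)
        if m["uid"] is None:                               # a mapping PEP cannot act without one
            raise ValueError("Permit carried no uid/gid obligation")
    except ValueError:
        return {"decision": "Deny"}                        # fail closed; a real PEP logs the cause
    return m
```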

Slide 10: Stuff to do...
- Other obligations (or no obligation, just a binary AuthZ decision)
- Reproducibility of the protocol stack, credits to:
  - Yuri Demchenko
  - Valerio Venturi
  - Vincenzo Ciaschini
  - Alberto Forti
  - and others...
- Timeline:
  - Library beta: ~end of October '07
  - Client (LCMAPS plugin): Library beta + 1 month
  - Service (beta): Library beta + 2 months
  - Service (production): ~Q1 2008

Slide 11: Final words
- The site central solution allows for improved emergency response
  - Central blacklist
  - Consistent mappings across a cluster or a site for all the services
- The interface is going to be standards compliant with SAML2-XACML2
- The Globus library will be the first implementation of the protocol stack, hopefully many to follow

Slide 12: Alternative setups
Diagram: the Site Central LCAS + LCMAPS service (regular set of L&L plug-ins) behind the SAML-XACML interface, reached from the gLite Compute Element or Storage Element (glexec, gt4-interface, edg-gk, edg-gridftp, pre-WS GT4 gk, gridftp, opensshd) and from the worker node (glexec), each running LCAS + LCMAPS with the SAML-XACML L&L plug-in or the regular set of plug-ins; the two alternatives shown are an NFS mount versus the SAML-XACML protocol.

Slide 13: The big picture (gLite)
Diagram: Site Central LCAS + LCMAPS (regular set of L&L plug-ins, plus a GPBox LCMAPS plug-in) behind the SAML-XACML interface. The gLite Compute Element or Storage Element (glexec, gt4-interface, edg-gk, edg-gridftp, pre-WS GT4 gk, gridftp, opensshd) and the worker node (glexec) run LCAS + LCMAPS with the SAML-XACML L&L plug-in, which sends the SAML-XACML Query (Q: map.user.to.some.pool) and receives the response (R:) with the obligation Oblg: user001, somegrp.

Slide 14: The big picture (OSG)
Diagram: GUMS + SAZ behind the SAML-XACML interface. The OSG Compute Element or Storage Element (GT4 gatekeeper, gridftp, (opensshd), dCache) uses Prima + gPlazma: SAML-XACML, and the worker node runs glexec with LCAS + LCMAPS and the SAML-XACML L&L plug-in; both send the SAML-XACML Query (Q: map.user.to.some.pool) and receive the response (R:) with the obligation Oblg: user001, somegrp.