Trygve Aspelien and Yuri Demchenko

1 gLite Java Authorisation Framework (gJAF) and Authorisation Policy coordination
Trygve Aspelien and Yuri Demchenko, University of Bergen and University of Amsterdam
All-Hands meeting, November 8-10, 2006, UK

2 Outline
- gJAF overview and progress
- Suggested work items
- Other supporting activities
- Discussion: next steps and interaction with other packages
JRA1-AH, 8-10 November 2006, Abingdon

3 gJAF Overview
- Provided as the org.glite.security.authz Java package
- Actively uses the java-utils library for VOMS
- Called from applications via an interceptor (PEP) with {MessageContext, Subject, operation}
- Contains a configured chain of PIP and PDP modules
  - A PIP collects/extracts information to be sent to the PDPs
  - Each PDP evaluates its relevant attributes against its own policy
  - The chain is configured to apply a PDP decision combination
- Problems
  - Requires application-specific manual chain configuration
  - Limited use up to now: gLite CE (and some interest from DM)

4 gJAF components and connection to the Grid Service

5 Suggested work items (1)
- SAML/Shib credentials support
  - Need to clarify the SAML Assertion format and supporting libraries
  - To be provided as an internal gJAF package or as part of java-utils
  - Will rely on effective cooperation with SWITCH
  - Also expected to be available in GT4-AuthZ with GridShib
- Using XACML for policy expression
  - Motivation: standard, context aware, can be mapped to different formats
  - Used in G-PBox
  - Can be added as an XACML PDP plugin to gJAF or GT4-AuthZ
  - Need a policy management tool (simple or complex)
- Other issues found important
  - Enable the PDP chain to respond with an Obligated decision
  - PDP answers with an AuthZ ticket to provide extended/full decision context in the response to gJAF/PDP
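The PEP/PIP/PDP chain described in the gJAF overview (slide 3), together with the Obligated decision suggested on this slide, as an added Java example that is not gJAF's own code: the interfaces, class names (Chain, VomsGroupPip, GroupPdp, BlacklistPdp) and the VOMS group data are hypothetical and constructed here. It shows a PIP filling the message context, two PDPs each judging only their own attributes, a deny-overrides combination with a fail-closed default when no PDP applies, and obligations carried back to the PEP alongside the decision.

```java
// Added example (not org.glite.security.authz code): minimal PEP -> PIP -> PDP chain
// with deny-overrides combination and obligations. All names are hypothetical.
import java.util.*;

public class AuthzChainExample {

    /** Request context handed in by the interceptor (PEP): subject DN, operation, attributes. */
    static final class MessageContext {
        final String subjectDn;
        final String operation;
        final Map<String, List<String>> attributes = new HashMap<>();
        MessageContext(String subjectDn, String operation) {
            this.subjectDn = subjectDn;
            this.operation = operation;
        }
    }

    enum Effect { PERMIT, DENY, NOT_APPLICABLE }

    /** A PDP answer; obligations are actions the PEP must enforce together with the decision. */
    static final class Decision {
        final Effect effect;
        final List<String> obligations;
        Decision(Effect effect, List<String> obligations) {
            this.effect = effect;
            this.obligations = Collections.unmodifiableList(new ArrayList<>(obligations));
        }
        static Decision of(Effect e, String... obligations) {
            return new Decision(e, Arrays.asList(obligations));
        }
    }

    /** PIP: collects attributes into the context so the PDPs can evaluate them. */
    interface Pip { void collect(MessageContext ctx); }

    /** PDP: evaluates only the attributes relevant to its own policy. */
    interface Pdp { Decision evaluate(MessageContext ctx); }

    /** Constructed stand-in for a VOMS PIP: maps a DN to VO groups from sample data. */
    static final class VomsGroupPip implements Pip {
        private final Map<String, List<String>> groupsByDn;
        VomsGroupPip(Map<String, List<String>> groupsByDn) { this.groupsByDn = groupsByDn; }
        public void collect(MessageContext ctx) {
            ctx.attributes.put("voms.group", groupsByDn.getOrDefault(ctx.subjectDn, List.of()));
        }
    }

    /** Group PDP: permits when the subject holds a group allowed for the operation. */
    static final class GroupPdp implements Pdp {
        private final Map<String, Set<String>> allowedGroupsByOp;
        GroupPdp(Map<String, Set<String>> allowedGroupsByOp) { this.allowedGroupsByOp = allowedGroupsByOp; }
        public Decision evaluate(MessageContext ctx) {
            Set<String> allowed = allowedGroupsByOp.get(ctx.operation);
            if (allowed == null) return Decision.of(Effect.NOT_APPLICABLE);
            for (String g : ctx.attributes.getOrDefault("voms.group", List.of())) {
                // Obligation: the PEP must record this access in its audit log.
                if (allowed.contains(g)) return Decision.of(Effect.PERMIT, "audit-log-access");
            }
            return Decision.of(Effect.DENY);
        }
    }

    /** BlackList PDP: denies listed DNs and otherwise has nothing to say. */
    static final class BlacklistPdp implements Pdp {
        private final Set<String> banned;
        BlacklistPdp(Set<String> banned) { this.banned = banned; }
        public Decision evaluate(MessageContext ctx) {
            return banned.contains(ctx.subjectDn) ? Decision.of(Effect.DENY)
                                                  : Decision.of(Effect.NOT_APPLICABLE);
        }
    }

    /** The configured chain: run every PIP, then every PDP, combine with deny-overrides. */
    static final class Chain {
        private final List<Pip> pips;
        private final List<Pdp> pdps;
        Chain(List<Pip> pips, List<Pdp> pdps) { this.pips = pips; this.pdps = pdps; }

        Decision authorize(MessageContext ctx) {
            for (Pip pip : pips) pip.collect(ctx);
            boolean permitted = false;
            List<String> obligations = new ArrayList<>();
            for (Pdp pdp : pdps) {
                Decision d = pdp.evaluate(ctx);
                if (d.effect == Effect.DENY) return Decision.of(Effect.DENY);   // any DENY wins
                if (d.effect == Effect.PERMIT) { permitted = true; obligations.addAll(d.obligations); }
            }
            // Fail closed: "not applicable" from every PDP is not a permit.
            return permitted ? new Decision(Effect.PERMIT, obligations) : Decision.of(Effect.DENY);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: two DNs in the same VO group, one of them blacklisted.
        Pip voms = new VomsGroupPip(Map.of(
            "/C=NO/O=UiB/CN=alice", List.of("/vo.example/prod"),
            "/C=NL/O=UvA/CN=mallory", List.of("/vo.example/prod")));
        Pdp blacklist = new BlacklistPdp(Set.of("/C=NL/O=UvA/CN=mallory"));
        Pdp groups = new GroupPdp(Map.of("jobSubmit", Set.of("/vo.example/prod")));
        Chain chain = new Chain(List.of(voms), List.of(blacklist, groups));

        for (String[] req : new String[][] {
                {"/C=NO/O=UiB/CN=alice", "jobSubmit"},      // group match
                {"/C=NL/O=UvA/CN=mallory", "jobSubmit"},    // blacklisted, group match is overridden
                {"/C=NO/O=UiB/CN=alice", "jobCancel"}}) {   // no applicable policy
            Decision d = chain.authorize(new MessageContext(req[0], req[1]));
            System.out.println(req[0] + " " + req[1] + " -> " + d.effect + " " + d.obligations);
        }
    }
}
```

The order of the PDPs in the chain does not change the outcome under deny-overrides, but it does matter once obligations and tickets are added (as slide 8 notes): the PEP must either enforce every obligation it receives or treat the decision as a deny, so the chain has to return the full obligation list rather than the first PERMIT it sees.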

6 Suggested work items (2)
- Compatibility and integration with other gLite/EGEE and 3rd-party solutions
  - Integration with G-PBox: needs a gJAF AuthZ chain extension to process Obligated decisions
  - Compatibility and integration with GT4-AuthZ
    - Possibility to reuse the available set of PDPs and PIPs
    - Interest to cooperate was expressed by the GT4 Security team
- AuthZ policy compatibility and coordination
  - Common or mapped attribute semantics
  - Policy format mapping: XACML -> GACL, ACL, gridmap, BlackList
  - Q: Are they all compatible with and convertible to XACML?

7 Other supporting activities
- gJAF promotion in EGEE and for the wider Grid community
  - Time to update the gJAF Developer's Guide: HOWTO and usage examples
- EGEE AuthZ Policy Coordination
  - First meeting was in Bologna on June 6-7, 2005
  - Need for the next meeting: December 2006 - January 2007
- OGF OGSA-AuthZ Working Group
  - EGEE interest: bring EGEE reality to GGF standardisation
  - Proposed documents on AuthZ service components and protocols
  - CVS: Credentials Validation Service

8 Summary I (Detailed Workplan)
- General
  - Meeting with the Cream/G-PBox guys to discuss policy handling, similar to Bologna 2005
  - Promote use of gJAF (includes also tests and PDP usage examples)
- Shared work effort (Yuri & Trygve)
  - Further investigations on the chain sequence
  - Prepare for adding obligations (G-PBox) and the ticket system (developed by UvA; the chain sequence is important)

9 Summary II (Detailed Workplan, cont.)
- Trygve (UiB)
  - ETICS building of authz-framework
  - Shib/SAML integration (needs cooperation with SWITCH); some open questions, e.g.:
    - Content of attributes and validation (MsgCtx)
    - Library?
    - Own PDP (e.g. VOMS) (needs?) / external call-out?
    - How to get PIP attributes (extend java-utils?)
- Yuri (UvA)
  - Possible integration of GT4 features (e.g. XACML PDP call-out functionality)
  - Integrate the ticket system from UvA

10 Discussion
- Any other issues?
- Interaction with other packages and developers
- Comments?

11 Additional information (Appendix)
GT4 Authorisation Framework

12 GT4 Authorisation Framework
- Can be configured for Container, Message, Service/Resource
- Called from the SOAP/Axis message interceptor
- AuthZ processing sequence includes
  - New! Bootstrapping X.509 PIP: retrieves the request parameters (Subject, Resource, Action) from the message
  - Sequence of pre-configured PIPs, including SAML
  - Sequence of (specialised) PDPs
  - Different PDP decision combination algorithms applied by the AuthZ engine
    - However, consistency between multiple policy decisions is not resolved
- Available PDPs
  - ACL and GridMap
  - HostAuthorization and UserNameAuthorization (similar to a BlackList PDP)
  - SAML AuthZ callout and SAML AuthZ Assertion
  - SelfAuthorization: based on shared/trusted Resource credentials
  - Simple XACML PDP (provided as a placeholder for extension)
