A gLite Authorization Framework


1 A gLite Authorization Framework
Thomas Sandholm, Olle Mulmo

2 Outline
Status
Requirements
Design Goals
Interfaces & Interactions
Java Implementation
Use Cases
  Grid Map
  Black List
  Local ACL
  XACML
  VOMS
EDG Authorization Manager
UvA GAAAPI/RBAC
Open Issues – Q & A
MWSG JRA3 Stockholm, Aug,

3 Status
Proof of Concept in SweGrid Accounting System
Contribution to Globus Toolkit®
Interfaces and Simple Default Implementations in gLite CVS
GridMap and BlackList Plug-ins in gLite CVS
Section in Global Security Architecture Document
Starting Point – Request for Comments
Next Step: VOMS, UvA GAAAPI & EDG AuthzManager POCs

4 Requirements
Currently addressed JRA3 AUZ Requirements: 4.3, 4.4, 4.5, 4.7, 4.8, 5, 6, 10, 12, 22, 30
AUZ Requirements Summary: enable VO membership/role based authz, local user id authz, certificate revocation, combination of authz requirements, no granularity restrictions, resource/action/role authz, application independent authz, authz to be set in all applications, authz based on role, file name, storage element name, operation, resource usage limits, directory
Gap Analysis: Architecture, Configuration, Software Platform

5 Design Goals
Simple (cp. hourglass design)
Light-weight
Configurable, extensible, easily deployable
Agnostic to run-time hosting & network protocols
Enforcement, retrieval, evaluation & combination of authz policies
Agnostic to policy language
Service-oriented
Leverage existing authorization systems (POSIX ACL, GACL, VOMS, LCMAPS, LCAS, CAS & Delegent) while providing a natural integration with state-of-the-art XML & Web services security technologies such as XACML

6 Interfaces & Interactions: Terminology
Terminology from the GGF Authorization Frameworks and Mechanisms Working Group and the XACML Specification:
PEP – Policy Enforcement Point (enforcing policies)
PIP – Policy Information Point (retrieving policy attributes)
PDP – Policy Decision Point (making policy decisions)
PAP – Policy Administration Point (managing policies)

7 Interfaces & Interactions: Core Framework

8 Interfaces & Interactions: PDP interface
isPermitted()
  Return true if request is permitted based on local policy
  Return false if request could not be permitted based on local policy (allows subsequent interceptors to continue evaluation)
  Throw AuthorizationException if request should be denied without further evaluation (regardless of other interceptors)

9 Java Implementation
javax.security.auth.Subject (JAAS/J2SE) as evidence cache for the authenticated subject
  Authenticated Subject DN
  Public/Private Credentials
  Populated by PIPs
javax.xml.rpc.handler.MessageContext (JAX-RPC/J2EE) as execution/environment runtime context
java.security.Provider (J2SE) as secure plug-in framework
  Used to implement different ServiceAuthorizationChain algorithms

10 Use Cases: Grid Map, Black List & Local ACL
Grid Map
  ServicePIP collecting SubjectDN to local user id mappings
  ServicePDP returning permission denied if no mapping is found
  Integration with in-memory or file based Globus Grid Maps that may be modified at runtime
Black List
  ServicePDP throwing AuthorizationException if Subject DN is found in blacklist file
  File may be updated at run-time
Local ACL
  ServicePDP interfacing to a local configuration file with user to allowed operations mappings
  File may be updated at runtime
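The following is an added illustration, not code from the gLite project or the presenters, of the PDP contract on slide 8 (true = permit, false = abstain so later interceptors may decide, AuthorizationException = deny regardless of other interceptors) together with the Grid Map, Black List and Local ACL use cases on slide 10. The interface names ServicePIP, ServicePDP and ServiceAuthorizationChain are taken from the slides, but their method signatures, the SubjectDN and LocalUser principal classes and the sample grid map, ACL and black list are assumptions constructed for the example. The chain is written fail-closed: a request nobody permitted is denied.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Editor's sketch of the slide-8 PDP contract and the slide-10 plug-ins. Names and
// signatures are assumptions modelled on the slide text, not the gLite code base.

class AuthorizationException extends Exception {
    AuthorizationException(String msg) { super(msg); }
}

// Principals that PIPs place in the JAAS Subject evidence cache (assumed shapes).
final class SubjectDN implements Principal {
    private final String dn;
    SubjectDN(String dn) { this.dn = dn; }
    public String getName() { return dn; }
}
final class LocalUser implements Principal {
    private final String uid;
    LocalUser(String uid) { this.uid = uid; }
    public String getName() { return uid; }
}

interface ServicePIP { void collectAttributes(Subject peer) throws AuthorizationException; }
interface ServicePDP { boolean isPermitted(Subject peer, String operation) throws AuthorizationException; }

// Grid map PIP: resolves the subject DN to a local account and records it as evidence.
final class GridMapPIP implements ServicePIP {
    private final Map<String, String> dnToLocalUser;   // a deployment would re-read the grid-mapfile
    GridMapPIP(Map<String, String> m) { dnToLocalUser = m; }
    public void collectAttributes(Subject peer) {
        // getPrincipals(Class) returns a copy, so adding to the Subject while iterating is safe
        for (SubjectDN p : peer.getPrincipals(SubjectDN.class)) {
            String uid = dnToLocalUser.get(p.getName());
            if (uid != null) peer.getPrincipals().add(new LocalUser(uid));
        }
    }
}

// Black list PDP: a listed DN is denied outright, whatever the other PDPs say.
final class BlackListPDP implements ServicePDP {
    private final Set<String> listed;
    BlackListPDP(Set<String> listed) { this.listed = listed; }
    public boolean isPermitted(Subject peer, String op) throws AuthorizationException {
        for (SubjectDN p : peer.getPrincipals(SubjectDN.class))
            if (listed.contains(p.getName())) throw new AuthorizationException("blacklisted DN: " + p.getName());
        return false;   // absence from the list is not a permit
    }
}

// Local ACL PDP: permits when the mapped local user is allowed the requested operation.
final class LocalAclPDP implements ServicePDP {
    private final Map<String, Set<String>> allowedOps;  // local user -> operations
    LocalAclPDP(Map<String, Set<String>> acl) { allowedOps = acl; }
    public boolean isPermitted(Subject peer, String op) {
        for (LocalUser u : peer.getPrincipals(LocalUser.class))
            if (allowedOps.getOrDefault(u.getName(), Collections.emptySet()).contains(op)) return true;
        return false;   // no mapping or no matching operation: abstain
    }
}

// Chain: run PIPs, then every PDP. An exception denies at once, a true from any PDP
// permits, and a request that no PDP permitted is denied (fail closed).
final class ServiceAuthorizationChain {
    private final List<ServicePIP> pips;
    private final List<ServicePDP> pdps;
    ServiceAuthorizationChain(List<ServicePIP> pips, List<ServicePDP> pdps) { this.pips = pips; this.pdps = pdps; }
    boolean authorize(Subject peer, String op) throws AuthorizationException {
        for (ServicePIP pip : pips) pip.collectAttributes(peer);
        boolean permitted = false;
        for (ServicePDP pdp : pdps) permitted |= pdp.isPermitted(peer, op);   // every PDP still runs
        return permitted;
    }
}

public class ChainDemo {
    static Subject subjectFor(String dn) {
        Subject s = new Subject();
        s.getPrincipals().add(new SubjectDN(dn));
        return s;
    }
    public static void main(String[] args) {
        // Constructed sample data, not taken from any real deployment.
        Map<String, String> gridMap = Map.of("/O=Grid/CN=alice", "alice", "/O=Grid/CN=mallory", "mallory");
        Map<String, Set<String>> acl = Map.of("alice", Set.of("submitJob", "queryStatus"));
        Set<String> blackList = Set.of("/O=Grid/CN=mallory");
        ServiceAuthorizationChain chain = new ServiceAuthorizationChain(
                List.of(new GridMapPIP(gridMap)),
                List.of(new BlackListPDP(blackList), new LocalAclPDP(acl)));
        String[][] requests = {
                {"/O=Grid/CN=alice", "submitJob"},     // mapped and allowed -> true
                {"/O=Grid/CN=alice", "deleteAll"},     // mapped, not in ACL -> false (denied)
                {"/O=Grid/CN=bob", "submitJob"},       // no grid map entry -> false (denied)
                {"/O=Grid/CN=mallory", "submitJob"}};  // blacklisted -> AuthorizationException
        for (String[] r : requests) {
            try {
                System.out.println(r[0] + " " + r[1] + " -> " + chain.authorize(subjectFor(r[0]), r[1]));
            } catch (AuthorizationException e) {
                System.out.println(r[0] + " " + r[1] + " -> denied: " + e.getMessage());
            }
        }
    }
}
```

The chain deliberately keeps evaluating after a PDP returns true, so a black list placed anywhere in the chain can still veto; an interceptor that wants to short-circuit a deny has exactly one way to do it, the exception.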

11 Use Cases: XACML
ServicePDP wrapping Sun’s XACML PDP Engine
  XACML RequestContext created on the fly, populated with action, subject DN and environment attributes retrieved from the JAAS subject public credentials, to be used in policy conditions. Resource assumed to be the current service
  XACML ResponseContext parsed to return true/false from isPermitted()
  AuthorizationException thrown if an error occurred while evaluating the policy
ServicePAP retrieving/updating the XACML policy
  Makes callouts to the Delegent Authorization Server, based on the XDiff update permission, to determine whether the update is allowed
  Policy stored in a local Xindice Database, Policy Update Permissions stored in the Delegent Authorization Server
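As an added illustration of the XACML use case above (not the presenters' code), the example below builds the request context on the fly from a JAAS Subject. The slide's ServicePDP fed Sun's XACML PDP engine directly; this example instead emits the equivalent XACML 1.0 <Request> document with the JDK's DOM API, using the standard subject-id, resource-id and action-id attribute identifiers and the x500Name data type for the DN, so it can be logged or handed to any XACML 1.x engine. The EnvironmentAttributes credential class is an assumption standing in for whatever the PIPs store in the Subject's public credentials, and the urn:example values are placeholders.

```java
import java.io.StringWriter;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Editor's illustration: build an XACML 1.0 Request from JAAS evidence. The slide's
// implementation used Sun's XACML RequestCtx objects; here the equivalent XML document
// is produced with the JDK DOM API instead (a swapped-in technique).

/** Assumed PIP output: XACML attribute-id -> value pairs destined for <Environment>. */
final class EnvironmentAttributes {
    final Map<String, String> values = new LinkedHashMap<>();
}

public class XacmlRequestBuilder {
    static final String CTX = "urn:oasis:names:tc:xacml:1.0:context";
    static final String XS_STRING = "http://www.w3.org/2001/XMLSchema#string";
    static final String X500_NAME = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name";
    static final String SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
    static final String RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    static final String ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";

    /** Subject DN and action come from the PEP; the resource is the current service. */
    static String build(Subject subject, String subjectDn, String action, String service) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element req = doc.createElementNS(CTX, "Request");
        doc.appendChild(req);

        Element subj = doc.createElementNS(CTX, "Subject");
        subj.appendChild(attribute(doc, SUBJECT_ID, X500_NAME, subjectDn));
        req.appendChild(subj);

        Element res = doc.createElementNS(CTX, "Resource");
        res.appendChild(attribute(doc, RESOURCE_ID, XS_STRING, service));
        req.appendChild(res);

        Element act = doc.createElementNS(CTX, "Action");
        act.appendChild(attribute(doc, ACTION_ID, XS_STRING, action));
        req.appendChild(act);

        // Environment attributes are whatever the PIPs cached in the Subject's public credentials.
        Element env = doc.createElementNS(CTX, "Environment");
        for (EnvironmentAttributes ea : subject.getPublicCredentials(EnvironmentAttributes.class))
            for (Map.Entry<String, String> e : ea.values.entrySet())
                env.appendChild(attribute(doc, e.getKey(), XS_STRING, e.getValue()));
        req.appendChild(env);

        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    private static Element attribute(Document doc, String id, String dataType, String value) {
        Element a = doc.createElementNS(CTX, "Attribute");
        a.setAttribute("AttributeId", id);
        a.setAttribute("DataType", dataType);
        Element v = doc.createElementNS(CTX, "AttributeValue");
        v.setTextContent(value);   // DOM escapes the value, so a DN cannot break the document
        a.appendChild(v);
        return a;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample evidence, as a PIP might have left it in the Subject.
        Subject subject = new Subject();
        EnvironmentAttributes env = new EnvironmentAttributes();
        env.values.put("urn:example:vo-name", "swegrid");   // placeholder attribute id and value
        subject.getPublicCredentials().add(env);
        System.out.println(build(subject, "/O=Grid/CN=alice", "submitJob", "urn:example:JobService"));
    }
}
```

Building the request through the DOM rather than by string concatenation matters here: the subject DN is attacker-influenced input taken from a certificate, and the serializer escapes it, so a DN containing markup characters cannot alter the structure of the request the PDP evaluates.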

12 Use Cases: VOMS (Not Yet Implemented)
ServicePIP parsing the certificate and retrieving the VO membership mapping
  Use VOMS certificate parser and make callouts to VOMS server
  Populate evidence cache (JAAS Subject) with e.g. attributes that may be used when defining XACML policy conditions or subject permissions
ServicePDP checking local policies and role permissions against resource ACLs
  May be implemented as an XACML (AAA/RBAC) policy engine
  May be implemented as a simple Local ACL PDP

13 EDG Authorization Manager
Wrapping Repositories → Chaining PIP/PDPs
And, Or, Not combination of repositories → custom ChainConfig and ServiceAuthorizationChain (could be written)
Map type file → GridMap PDP, Local ACL PDP
Map type db → DB PDP (could be written)
Map type regex → RegExp PDP (could be written)
Map type cached → ServiceAuthorizationChain or ServicePIP configuration (could be written)
Map type table → Local ACL PDP
VOMS Repository → VOMS PIP (will be written)

14 UvA GAAAPI/RBAC
PEPapi.AuthoriseAction → ServiceAuthorizationChain.authorize()
  MessageContext or Subject credentials could be populated with additional API information like jobid, resourceId and roles
  Action parameter corresponds to operation parameter
Local PDP/RemotePDP/GAA → since it accepts XACML requests/responses it could be integrated in the same way as the XACML PDP described above (i.e. a custom ServicePDP)
RBE → custom ServiceAuthorizationChain or hidden in a ServicePDP

15 Open Issues - Q & A
How should obligations be modelled in a policy language independent way (leave it up to the PEP, i.e. the ServiceAuthorizationChain caller, to collect and respond to obligations)?
Should we allow authorization on multiple operations/actions in one evaluation request?
Level of EDG AuthzManager support (config file backwards compatibility – feature compatibility)?
XACML Profile Support (RBAC/Web services)?
