Presentation is loading. Please wait.

Presentation is loading. Please wait.

AuthZ Interop report out

Published byWhitney George Modified over 5 years ago

Similar presentations

Presentation on theme: "AuthZ Interop report out"— Presentation transcript:

1 AuthZ Interop report out
for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk

2 Participants EGEE VO Services (‘Privilege’) Project Globus Condor
VDT (OSG) Joint development and definition effort 2007 until early 2009 In production phase as of mid 2008 Institutes: ANL, BCCS, BNL, FNAL, INFN, Nikhef, Switch, UvA, UWMadison The Authz-Interop Collaboration April 2009 2

3 What did we start with? GUMS and PRIMA using proprietary SAML1 based protocol SAZ (authorization service) GT3, GT4 ‘authz callout’ for PRIMA by Markus Lorch LCAS/LCMAPS gLExec gPlazma Not only used GUMS and the ‘EGEE’ a different logical model of dealing with attributes and authorization (local VOMS dumps vs. VOMS attribute push) Also, the services build in one ecosystem (e.g. ‘EGEE’) could not be used in the other (‘OSG’) → hacks and double work The Authz-Interop Collaboration April 2009 3

4 Original (interim) EGEE scenario plan
VO Grid Site Site Services PDP VO Services VOMRS VOMS synch SCAS 2 UID/GID Yes / No ID Map? Is Auth? 5 1 PEPs 3 SE SRM gPlazma CE Gatekeeper SCAS Clnt. WN gLExec SCAS Clnt. register Submit request with voms-proxy get voms-proxy 4 Pilot OR Job (UID/GID) Submit Pilot SU Job (UID/GID) 8 (UID/GID) Access Data Batch System Pilot OR Job Schedule Storage 6 6 AuthZ Components Legend VO Management Services 7 April 2009 4

5 OSG Authorization Infrastructure
A Common Protocol for OSG and EGEE integrated with the GT VO PDP Grid Site Site Services VO Services VOMRS VOMS synch GUMS SAZ synch 2 3 ID Mapping? UserName Yes / No + 7 6 Yes / No Is Auth? 1 PEPs 4 SE SRM gPlazma CE Gatekeeper Prima WN gLExec Prima register Submit request with voms-proxy get voms-proxy 5 Pilot OR Job (UID/GID) Submit Pilot SU Job (UID/GID) 10 (UID/GID) Access Data Batch System Pilot OR Job Schedule Storage 8 8 AuthZ Components Legend Not Officially In OSG VO Management Services 9 April 2009 5 The Authz-Interop Collaboration

6 Aims of the authz-interop project
Provide interoperability within the authorization infrastructures of OSG, EGEE, Globus and Condor Through Common communication protocol Common attribute and obligation definition Common semantics and actual interoperation of production system So that services can use either framework and be used in both infrastructures The Authz-Interop Collaboration April 2009 6

7 Two Elements for interop
Common communications profile Agreed on use of SAML2-XACML2 Common attributes and obligations profile List and semantics of attrbutes sent and obligations received between a ‘PEP’ and ‘PDP’ Now at version 1.1 The Authz-Interop Collaboration April 2009 7

8 Profile in a nutshell Existing standards:
XACML defines the XML-structures that are exchanged with the PDP to communicate the security context and the rendered authorization decision. SAML defines the on-the-wire messages that envelope XACML's PDP conversation. The Authorization Interoperability profile augments those standards: standardize names, values and semantics for common-obligations and core-attributes such that our applications, PDP-implementations and policy do interoperate. Subject S requests to perform Action A on Resource R within Environment E CE / SE / WN Gateway PEP XACML Request PDP Site Services XACML Response Grid Site Decision Permit, but must fulfill Obligation O The Authz-Interop Collaboration April 2009 8

9 An XACML AuthZ Interop Profile
Authorization Interoperability Profile based on the SAML v2 profile of XACML v2 Result of a 1yr collaboration between OSG, EGEE, Globus, and Condor Releases: v1.1  10/09/08 v1.0  05/16/08 The Authz-Interop Collaboration Slide_9

10 Structure of the AuthZ Interop Profile
Namespace prefix: Request Attribute Identifiers Subject: <ns-prefix>/subject/<subject-attr-name> Action: <ns-prefix>/action/<action-attr-name> Resource: <ns-prefix>/resource/<resource-attr-name> Environment: <ns-prefix>/environment/<env-type> Obligation Attribute Identifiers ObligationId: <ns-prefix>/obligation/<obligation-name> AttributeId: <ns-prefix>/attributes/<obligation-attr-name> The Authz-Interop Collaboration April 2009 10 10

11 Most Common Request attributes
Subject (see profile doc for full list) Subject-X509-id String: OpenSSL DN notation Subject-VO String: “CMS” VOMS-FQAN String: “/CMS/VO-Admin” Resource (see doc for full list) Resource-id (enum type) CE / SE / WN Resource X509 Service Certificate Subject resource-x509-id Host DNS Name Dns-host-name Action Action-id (enum type) Queue / Execute-Now / Access (file) Res. Spec. Lang. RSL string Environment PEP-PDP capability negot. PEP sends to PDP supported Obligations Enables upgrading of the PEPs and PDPs independently Pilot Job context (pull-WMS) Pilot job invoker identity Policy statement example: “User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO” see document for all attributes and obligations The Authz-Interop Collaboration April 2009 11 11

12 Most Common Obligation Attributes
UIDGID UID (integer): Unix User ID local to the PEP GID (integer): Unix Group ID local to the PEP Secondary GIDs GID (integer): Unix Group ID local to the PEP (Multi recurrence) Username Username (string): Unix username or account name local to the PEP. Path restriction RootPath (string): a sub-tree of the FS at the PEP HomePath (string): path to user home area (relative to RootPath) Storage Priority Priority (integer): priority to access storage resources. Access permissions Access-Permissions (string): “read-only”, “read-write” see document for all attributes and obligations The Authz-Interop Collaboration April 2009 12 12

13 Full interoperability
The Authz-Interop Collaboration April 2009 13

14 What has been achieved now
All profiles written and implemented Common libraries available in Java and C implementing the communications protocol Common handlers for Joint Interoperable Attribute and Obligations Integrated in all relevant middleware in EGEE and OSG: Clients: lcg-CE (via LCMAPS scasclient), CREAM and gLExec (ditto), GT pre-WS gram (both prima and LCMAPS), GT GridFTP, GT4.2 WS-GRAM, dCache/SRM Servers: GUMS, SCAS Other (lower-prio) components in progress SAZ, RFT, GT4.x native-AuthZ, Condor (& -G), BeStMan The Authz-Interop Collaboration April 2009 14

15 OSG Integration Test Results
Component Test PDP Component Old GUMS New GUMS SCAS WS-Gatekeeper (Out of Scope) Test call-out component NO YES Run job w/o Delegation or File Transfer out of scope Run job with Delegation and File Transfer SCAS / PRIMA cmd line tool (OOS) AuthZ call via Legacy protocol call-out AuthZ call via XACML protocol call-out Pre-WS Gatekeeper (VTB-TESTED) Run job. AuthZ via Legacy protocol Run job. AuthZ via XACML protocol GridFTP (VTB-TESTED) Transfer file. AuthZ via Legacy protocol Transfer file. AuthZ via XACML protocol gLExec (REL. Jan 20) Run pilot job. AuthZ via Legacy protocol Run pilot job. AuthZ via XACML protocol SRM/dCache gPlazma (REL. Jan 20) The Authz-Interop Collaboration April 2009 15

16 Latest news dCache v has been released this week. Pre-release tests have been conducted successfully against GUMS and SCAS. Will be the recommended release in a few months! What are the EGEE deployment plans? Development of native authz XACML call-out module for GridFTP: tests with the Globus Toolkit call-out module for authorization speaking the interop protocol start this week The Authz-Interop Collaboration April 2009 16

17 What next? Keeping interop (in ‘maintenance mode’) is most important!
Continued software support from contributing partners Interdependency in timing between OSG and GT may lead to Catch-22 in prioritizing native GT4.2 implementation Support in Delegation Service and RTF is needed for full production, and before existing legacy solutions can be phased out Continued close coordination on the specification of the Authorization Profile. New uses cases must be coordinated and no ‘proprietary’ extensions should added, as that breaks the interop. Continuous communations and coordination remains essential. The Authz-Interop Collaboration April 2009 17

18 Conclusions EGEE, OSG, Globus, and Condor have collaborated since Feb on an Authorization Interoperability profile and implementation Interoperability is achieved through an AuthZ Interop Profile, based on the SAML v2 profile of XACML v2 Call-out module implementations are integrated with major Resource Gateways The major advantages of the infrastructure are: Software developed in the US or EU can seamlessly be deployed in the EU or US security infrastructures Software groups in EGEE and OSG can share and reuse common code Production deployments in OSG and EGEE The Authz-Interop Collaboration April 2009 18

Download ppt "AuthZ Interop report out"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.

Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.

GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Similar presentations

Ads by Google