Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview OSG & EGEE Authorization Models

Published byRikke Børresen Modified over 5 years ago

Similar presentations

Presentation on theme: "Overview OSG & EGEE Authorization Models"— Presentation transcript:

1 An XACML profile and implementation for Authorization Interoperability between OSG and EGEE
Overview OSG & EGEE Authorization Models Authorization Interoperability Profile Implementations and Deployments Mar 26, 2009 On behalf of the Authorization Interoperability Collaboration Dave Dykstra Computing Division, Fermilab

2 The Collaboration John Hover3
Ian Alderman9 Mine Altunay1 Rachana Ananthakrishnan8 Joe Bester8 Keith Chadwick1 Vincenzo Ciaschini7 Yuri Demchenko4 Andrea Ferraro7 Alberto Forti7 Gabriele Garzoglio1 David Groep2 Ted Hesselroth1 John Hover3 Oscar Koeroo2 Chad La Joie5 Tanya Levshina1 Zach Miller9 Jay Packard3 Håkon Sagehaug6 Valery Sergeev1 Igor Sfiligoi1 Neha Sharma1 Frank Siebenlist8 Valerio Venturi7 John Weigand1 1 Fermilab, Batavia, IL, USA 2 NIKHEF, Amsterdam, The Netherlands 3 Brookhaven National Laboratory, Upton, NY, USA 4 University of Amsterdam, Amsterdam, The Netherlands 5 SWITCH, Zürich, Switzerland 6 BCCS, Bergen, Norway 7 INFN CNAF, Bologna, Italy 8 Argonne National Laboratory, Argonne, IL, USA 9 University of Wisconsin, Madison, WI, USA Dave Dykstra

3 The Authorization Model
The EGEE and OSG security model is based on X509 end entity and proxy certificates for single sign-on and delegation Role-based access to resources is based on VOMS Attribute Certificates Users push credentials and attributes to resources Access privileges are granted with appropriate local identity mappings Resource gateways (Gatekeeper, SRM, gLExec, …) i.e. Policy Enforcement Points (PEP) call-out to site-central Policy Decision Points (PDP) for authorization decisions Dave Dykstra

4 The Interoperability Problem
EGEE and OSG had developed different authorization infrastructures The two Grids now have a common PEP to PDP call-out protocol to enable interoperability: Software developed in the US or EU can seamlessly be deployed in the EU or US security infrastructures Software groups in EGEE and OSG can share and reuse common code The common call-out protocol was developed in collaboration with the Globus Toolkit and Condor groups Dave Dykstra

5 Authorization Infrastructure (the EGEE case)
VO Grid Site Site Services PDP VO Services VOMRS VOMS synch SCAS 2 UID/GID Yes / No ID Map? Is Auth? 5 1 register PEPs 3 SE SRM gPlazma CE Gatekeeper SCAS Clnt. WN gLExec SCAS Clnt. Submit request with voms-proxy get voms-proxy 4 Pilot OR Job (UID/GID) Submit Pilot SU Job (UID/GID) 8 (UID/GID) Access Data Batch System Pilot OR Job Schedule Storage 6 6 AuthZ Components Legend VO Management Services 7 Dave Dykstra

6 Authorization Infrastructure (the OSG case)
VO Site Services PDP Grid Site VO Services VOMRS VOMS synch GUMS SAZ synch 2 3 ID Mapping? UserName Yes / No + 7 6 Is Auth? Yes / No 1 register PEPs 4 SE SRM gPlazma CE Gatekeeper Prima WN gLExec Prima Submit request with voms-proxy get voms-proxy 5 Pilot OR Job (UID/GID) Submit Pilot SU Job (UID/GID) 10 (UID/GID) Access Data Batch System Pilot OR Job Schedule Storage 8 8 AuthZ Components Legend Not Officially In OSG VO Management Services 9 Dave Dykstra

7 Authorization Infrastructure (the OSG case)
A Common Protocol for OSG and EGEE integrated with the GT VO Site Services PDP Grid Site VO Services VOMRS VOMS synch GUMS SAZ synch 2 3 ID Mapping? UserName Yes / No + 7 6 Is Auth? Yes / No 1 register PEPs 4 SE SRM gPlazma CE Gatekeeper Prima WN gLExec Prima Submit request with voms-proxy get voms-proxy 5 Pilot OR Job (UID/GID) Submit Pilot SU Job (UID/GID) 10 (UID/GID) Access Data Batch System Pilot OR Job Schedule Storage 8 8 AuthZ Components Legend Not Officially In OSG VO Management Services 9 Dave Dykstra

8 An XACML profile and implementation for Authorization Interoperability between OSG and EGEE
Overview OSG & EGEE Authorization Models Authorization Interoperability Profile Implementations and Deployments Mar 26, 2009 On behalf of the Authorization Interoperability Collaboration Dave Dykstra Computing Division, Fermilab

9 An XACML AuthZ Interop Profile
Authorization Interoperability Profile based on the SAML v2 profile of XACML v2 Result of a 1yr collaboration between OSG, EGEE, Globus, and Condor Releases: v1.1  10/09/08 v1.0  05/16/08 Dave Dykstra

10 SAML, XACML, AuthZ Interop Profile in a nutshell
Existing standards: XACML defines the XML-structures that are exchanged with the PDP to communicate the security context and the rendered authorization decision. SAML defines the on-the-wire messages that envelope XACML's PDP conversation. The Authorization Interoperability profile augments those standards: standardize names, values and semantics for common-obligations and core-attributes such that our applications, PDP-implementations and policy do interoperate. Subject S requests to perform Action A on Resource R within Environment E CE / SE / WN Gateway PEP XACML Request PDP Site Services XACML Response Grid Site Decision Permit, but must fulfill Obligation O Dave Dykstra

11 Structure of the AuthZ Interop Profile
Namespace prefix: Request Attribute Identifiers Subject: <ns-prefix>/subject/<subject-attr-name> Action: <ns-prefix>/action/<action-attr-name> Resource: <ns-prefix>/resource/<resource-attr-name> Environment: <ns-prefix>/environment/<env-type> Obligation Attribute Identifiers ObligationId: <ns-prefix>/obligation/<obligation-name> AttributeId: <ns-prefix>/attributes/<obligation-attr-name> Dave Dykstra

12 Request attributes Subject (see profile doc for full list)
Subject-X509-id String: OpenSSL DN notation Subject-VO String: “CMS” VOMS-FQAN String: “/CMS/VO-Admin” Resource (see doc for full list) Resource-id (enum type) CE / SE / WN Resource X509 Service Certificate Subject resource-x509-id Host DNS Name Dns-host-name Action Action-id (enum type) Queue / Execute-Now / Access (file) Res. Spec. Lang. RSL string Environment PEP-PDP capability negot. PEP sends to PDP supported Obligations Enables upgrading of the PEPs and PDPs independently Pilot Job context (pull-WMS) Pilot job invoker identity Policy statement example: “User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO” Dave Dykstra

13 Obligation Attributes
UIDGID UID (integer): Unix User ID local to the PEP GID (integer): Unix Group ID local to the PEP Secondary GIDs GID (integer): Unix Group ID local to the PEP (Multi recurrence) Username Username (string): Unix username or account name local to the PEP. Path restriction RootPath (string): a sub-tree of the FS at the PEP HomePath (string): path to user home area (relative to RootPath) Storage Priority Priority (integer): priority to access storage resources. Access permissions Access-Permissions (string): “read-only”, “read-write” Dave Dykstra

14 An XACML profile and implementation for Authorization Interoperability between OSG and EGEE
Overview OSG & EGEE Authorization Models Authorization Interoperability Profile Implementations and Deployments Mar 26, 2009 On behalf of the Authorization Interoperability Collaboration Dave Dykstra Computing Division, Fermilab

15 Implementation SAML-XACML libraries Authorization Modules
OpenSAML (Java); Globus XACML (C) Authorization Modules XACML messages within a SOAP envelope over SSL transport LCAS / LCMAPS (L&L) / SCAS plug-in (EGEE); PRIMA / gPlazma plug-in (OSG) Resource Gateways Computing Element Pre-WS Gatekeeper; WS-Gatekeeper (native call-out) Storage Element SRM / dCache; BeStMan; GridFTP (native call-out in progress) Worker Node gLExec Dave Dykstra

16 Module Dependencies (EGEE case)
PDP GUMS SAML1 XACML2 SCAS XACML2 SAZ Internal XACML2 XACML lib XACML2 gLite lib XACML2 gLite lib XACML2 gLite lib XACML2 GT4.2 PEP XACML2 priv. lib Call-out L&L L&L L&L GT4.2 Security gPlazma Gateway gLExec Pre-WS GK GridFTP SRM/dCache WN SE CE Cmpnt Legend: Component or dependency available by 01/2010

17 Module Dependencies (OSG case)
PDP GUMS SAML1 XACML2 SCAS XACML2 SAZ Internal XACML2 To SAZ clnts XACML lib SAML1 lib XACML2 gLite lib SAML1 lib SAML1 lib XACML2 gLite lib SAML1 lib XACML2 gLite lib SAML1 priv. lib XACML2 priv. lib Call-out PRIMA SAZ Clnt PRIMA WS SAZ Clnt PRIMA SAZ Clnt PRIMA SAZ Clnt L&L gPlazma Gateway gLExec WS GK v4.0 Pre-WS GK GridFTP SRM/dCache WN SE CE Legend: Cmpnt EGEE Comp. used in OSG

18 Module Dependencies (OSG case in 2010)
PDP GUMS SAML1 XACML2 SCAS XACML2 SAZ Internal XACML2 XACML lib XACML2 gLite lib XACML2 GT4.2 PEP XACML2 gLite lib XACML2 GT4.2 PEP XACML2 priv. lib Call-out L&L GT4.2 Security L&L GT4.2 Security gPlazma Gateway gLExec WS GK v4.2 Pre-WS GK GridFTP SRM/dCache WN SE CE Cmpnt Legend: Component or dependency foreseen by 01/2010 EGEE Comp. used in OSG

19 Deployments The EGEE certification process is focusing on SCAS and gLExec. gLExec passed certification. EGEE Pre-Production Sites (PPS) are involved. gLExec/SCAS deployed in production at Nikhef. OSG Integration Test Bed (ITB) will certify the software stack for production at the end of March. OSG production is deploying the infrastructure as an Update to OSG v1.0 in April. Dave Dykstra

20 Conclusions EGEE, OSG, Globus, and Condor have collaborated since Feb 2007 on an Authorization Interoperability profile and implementation Interoperability is achieved through an AuthZ Interop Profile, based on the SAML v2 profile of XACML v2 Call-out module implementations are integrated with major Resource Gateways The major advantages of the infrastructure are: Software developed in the US or EU can seamlessly be deployed in the EU or US security infrastructures Software groups in EGEE and OSG can share and reuse common code Production deployments are under way in OSG and EGEE Dave Dykstra

21 Additional Slides Dave Dykstra

22 Related Work The goal of the Authorization Interoperability collaboration is to provide a common PEP to PDP call-out protocol between OSG, EGEE, and major software providers, such as Globus and Condor The Open Grid Service Architecture (OGSA) Authorization Working Group (WG) in OGF defines the specifications needed to allow for pluggable and interoperable authorization components from multiple authorization domains in the OGSA framework. The scope of OGSA-AuthZ WG is broader and includes interoperability across several authorization standards. Several members of our collaboration also participate in the OGSA-AuthZ WG Dave Dykstra

23 Subject attributes (1) Subject-X509-id Subject-X509-Issuer
String: OpenSSL oneline notation of the DN Subject-X509-Issuer String: OpenSSL oneline notation of the Issuer DN Subject-Condor-Canonical-Name-id String: Subject-VO String: “gin.ggf.org” VOMS-signing-subject String: OpenSSL oneline notation VOMS-signing-issuer VOMS-FQAN String: “/gin.ggf.org/APAC/VO-Admin” VOMS-Primary-FQAN Dave Dykstra

24 Subject attributes (2) - Optional
Certificate-Serial-Number Integer: 42 CA-serial-number Integer: 1 Subject End-Entity X509v3 Certificate Policies OID String: “ ” (Robot Certificate) Cert-Chain base64Binary: “MIICbjCCAVagA……..” VOMS-dns-port String: “kuiken.nikhef.nl:15050” Dave Dykstra

25 Action attributes Action-type: ‘action-id’ (enumerated type)
Queue Requesting execution to a (remote) queue. Execute-Now Requesting direct execution (remotely) Access (file) Request for (generic) file access Action-specific attributes Resource Specification Language RSL string Dave Dykstra

26 Resource attributes Resource-type: ‘resource-id’ (enumerated type)
CE (Computing Element) Can also be the head-node or entry point to a cluster WN (Worker Node) A node type that will process jobs, typically in a cluster SE (Storage Element) (Logical) storage facility or specific storage node Resource-specific attributes Resource X509 Service Certificate Subject resource-x509-id Resource X509 Service Certificate Issuer resource-x509-issuer Host DNS Name Dns-host-name Dave Dykstra

27 Environment attributes
PEP-PDP capability negotiation - Supported Obligations PEP sends to PDP a list of the supported obligations The PDP can choose to return an appropriate set of obligations from this list Allows upgradeability of the PEPs and PDPs independently by deploying new functionalities step by step Pilot Job context To support pull-based job management model Policy statement example “User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO” Pilot job invoker identity These attributes define the identity of the pilot job invoker Dave Dykstra

28 Obligations (1) UIDGID Multiple Secondary GIDs Username
UID (integer): Unix User ID local to the PEP GID (integer): Unix Group ID local to the PEP Stakeholder: Common Must be consistent with: Username Multiple Secondary GIDs Multi recurrence Stakeholder: EGEE Needs obligation(s): UIDGID Username Username (string): Unix username or account name local to the PEP. Stakeholder: OSG Must be consistent with: UIDGID Dave Dykstra

29 Obligations (2) AFSToken Path restriction (root-and-home-paths)
AFSToken (string) in base64: AFS Token passed as a string Stakeholder: EGEE Needs obligation(s): UIDGID Path restriction (root-and-home-paths) RootPath (string): this parameter defines a sub-tree of the whole file system available at the PEP. HomePath (string): this parameter defines the path to home areas of the user accessing the PEP. This is a path relative to RootPath. Stakeholder: OSG Needs obligation(s): UIDGID or Username Dave Dykstra

30 Obligations (3) Storage Priority Access permissions Stakeholder: OSG
Priority (integer): an integer number that defines the priority to access storage resources. Stakeholder: OSG Needs obligations: UIDGID or Username Access permissions Access-Permissions (string): Access permissions to a file that is requested Allowed values: “read-only”, “read-write” Dave Dykstra

31 OSG Integration Tests Component Test PDP Component Dave Dykstra
Old GUMS New GUMS SCAS WS-Gatekeeper (Out of Scope) Test call-out component NO YES Run job w/o Delegation or File Transfer out of scope Run job with Delegation and File Transfer SCAS / PRIMA cmd line tool (OOS) AuthZ call via Legacy protocol call-out AuthZ call via XACML protocol call-out Pre-WS Gatekeeper (VTB-TESTED) Run job. AuthZ via Legacy protocol Run job. AuthZ via XACML protocol GridFTP (VTB-TESTED) Transfer file. AuthZ via Legacy protocol Transfer file. AuthZ via XACML protocol gLExec (REL. Jan 20) Run pilot job. AuthZ via Legacy protocol Run pilot job. AuthZ via XACML protocol SRM/dCache gPlazma (REL. Jan 20) Dave Dykstra

Download ppt "Overview OSG & EGEE Authorization Models"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.

Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.

Similar presentations

Ads by Google