
1 5c.1 Globus Authorization
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students enrolled in the Fall 2008 Grid computing course broadcast on the North Carolina Research and Education Network (NCREN) to universities across North Carolina.
Oct 23, 2008

2 Authorization
Process of deciding whether a particular identity can access a particular resource
– Assumes the identity has previously been validated through authentication
Access control - what type of access is allowed
– A finer level of authorization, rather than a blanket ability to make any type of access

3 Access control
Users may only have access to their own files, or may be allowed to read files of other users in collaborative projects
Well-known situation applied to all computer systems, distributed or not
Most common approach - access control lists (ACLs)
– Have been around for many years, e.g. Linux file permissions

4 Accounts
Accounts have to exist on each computer system that users wish to access
Each user might have an individual account on each system
Setting up individual accounts is time-consuming
– Multiple system administrators involved
Sometimes convenient to have a group account for a virtual organization, with the users in the virtual organization sharing this account
– Caveat: a shared account gives no per-user accountability on the local system; the only record of which person acted is whatever the grid layer logs about the distinguished name that was mapped to the account

5 Accounts
A mechanism for creating and managing these accounts is very desirable
Use a network-accessible (LDAP) database that lists users and their access privileges, and incorporates the distinguished name format found in X.509 certificates

6 Mapping Distinguished Names to Accounts
gridmap file
Very basic Globus way of mapping a user's distinguished name to a local account name
Used to give access to accounts via the distinguished name found in the user's certificate
Each user entry in the list takes the form:
"Distinguished_name" local_user_account_name

7 Example:
"/O=Grid/OU=GlobusTest/OU=simpleCA-coit-grid02.uncc.edu/OU=uncc.edu/CN=student1" student1
Distinguished name given in quotation marks to allow spaces
Must exactly match, character for character, the way it appears in the user's certificate
GSI uses the gridmap file to establish that the user may access the account

8 Multiple gridmap files (Fig 5.6)

9 Account Privileges
Gridmap files are often compared to access control lists, but they only provide blanket access
– They do not provide specific types of access (levels of permissions, read/write/execute, group memberships, etc.)
– The lookup yields only a local account name; the user's access privileges then derive entirely from the local system's access control list
Generally, a more powerful mechanism is needed to control the type of access, see next
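The gridmap lookup described on slides 6, 7 and 9 (and the first-match-wins consultation of several files from slide 8) as an added, runnable example. This is illustration code written for this page, not Globus code: the grid-mapfile syntax used (a DN, quoted when it contains spaces, followed by one or more comma-separated local accounts, with `#` comments) is the common one, but the merge and first-match policies and the constructed sample entries are this example's own assumptions.

```python
"""Parse grid-mapfile entries and resolve a certificate DN to a local account.

Added example for this page; not Globus Toolkit code. The gridmap lookup answers
only "which local account?": every finer-grained decision is left to that
account's local permissions, which is the limitation slide 9 describes.
"""
import re
from typing import Dict, Iterable, List, Optional

# One entry per line: a DN (double-quoted if it contains spaces) followed by
# one or more comma-separated local account names; '#' starts a comment.
_ENTRY = re.compile(
    r'^\s*(?:"(?P<qdn>[^"]+)"|(?P<dn>[^\s"]+))\s+(?P<accounts>[^\s#]+)\s*(?:#.*)?$'
)

# Constructed sample files (not real site data). The DN form follows slide 7.
SITE_GRIDMAP = """\
# constructed site grid-mapfile for a simpleCA host
"/O=Grid/OU=GlobusTest/OU=simpleCA-coit-grid02.uncc.edu/OU=uncc.edu/CN=student1" student1
"/O=Grid/OU=GlobusTest/OU=simpleCA-coit-grid02.uncc.edu/OU=uncc.edu/CN=Jane Doe" jdoe,gridadmin
/O=Grid/OU=GlobusTest/CN=service-host root   # a DN without spaces needs no quotes
"""
VO_GRIDMAP = """\
# constructed virtual-organization grid-mapfile mapping members to a shared account
"/O=Grid/OU=GlobusTest/OU=uncc.edu/CN=student2" vo_share
"""


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {dn: [account, ...]} for every entry in `text`.

    A malformed line raises ValueError instead of being skipped: an entry that is
    silently ignored is a user who unexpectedly keeps or loses access.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"gridmap line {lineno}: cannot parse {raw!r}")
        dn = m.group("qdn") or m.group("dn")
        bucket = mapping.setdefault(dn, [])  # a DN listed twice accumulates accounts (this example's policy)
        for account in m.group("accounts").split(","):
            if account and account not in bucket:
                bucket.append(account)
    return mapping


def map_dn(mapping: Dict[str, List[str]], dn: str, requested: Optional[str] = None) -> Optional[str]:
    """Resolve a certificate subject DN to a local account, or None if unmapped.

    The DN must match an entry character for character: no case folding, no
    whitespace trimming, no reordering of attributes. Without a requested account
    the first listed one is used; a requested account is honoured only if listed.
    """
    accounts = mapping.get(dn)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


def map_dn_multi(gridmaps: Iterable[Dict[str, List[str]]], dn: str,
                 requested: Optional[str] = None) -> Optional[str]:
    """Consult several gridmap files in order; the first file that maps the DN wins."""
    for mapping in gridmaps:
        account = map_dn(mapping, dn, requested)
        if account is not None:
            return account
    return None


def privileged_entries(mapping: Dict[str, List[str]], privileged=("root",)) -> List[str]:
    """Audit helper: DNs whose blanket access lands directly in a privileged local account."""
    return sorted(dn for dn, accounts in mapping.items() if any(a in privileged for a in accounts))
```

Because the match is exact, a certificate reissued with even a cosmetic change to the subject (a different OU spelling, a trailing space) stops mapping; the audit helper exists because a gridmap entry that resolves to `root` hands that DN unrestricted access on the host, which the file format gives no way to narrow.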

10 Question
What is a disadvantage of using gridmap files for access control? (May be more than one)
(a) It is difficult to maintain for large grids
(b) It does not apply fine grain access control
(c) It is difficult to verify user credentials
(d) It is difficult to map distinguished names to local accounts
(e) It is difficult to maintain in a dynamically changing virtual organization

11 Security Assertion Markup Language (SAML)
XML language for making "assertions" for authentication and authorization decisions, and a request-response protocol for exchanging such assertions
Developed by OASIS for facilitating the exchange of security information between business partners, in particular to obtain single sign-on for Web users
Addresses the situation where a user accesses a Web site that might require the user's request to be redirected to another affiliated site after being authenticated, e.g. travel bookings and automobile reservations
Has been applied in Grid computing

12 SAML components for Web site redirection

13 SAML provides for communication of user authentication, authorization and attribute information.
Three components:
Assertions - the information being communicated
Protocol - the way that message exchanges are done (requests for assertions and the responses carrying them)
Binding - mapping to concrete SOAP exchanges and specific transport protocols (usually HTTP)
Three forms of assertion statements:
Authentication statements
Attribute statements
Authorization decision statements

14 Authentication assertion statements
– Confirm to the service provider the user's identity: that the subject was authenticated, by what method and when
Attribute assertion statements
– Provide specific information about the user on which access decisions can be based
– Attributes might for example state that a user is an administrator (root privileges) or has limited user privileges
SAML authorization decision statements
– e.g. might state that the subject (user) is permitted (or denied) the specified operation on the specified resource
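The three statement kinds from slides 13 and 14, parsed out of a SAML 1.1 assertion and used to answer an access question, as an added example for this page (it is not code from the slides or from the Globus project). The assertion is constructed here, not captured from any system; the issuer name, resource URL and attribute namespace are invented. The example deliberately stops short of XML signature verification: a real relying party must verify the `ds:Signature` over the assertion and check the issuer is one it trusts before believing any statement, and should parse untrusted XML with a hardened parser such as defusedxml rather than the standard library one used here.

```python
"""Parse a SAML 1.1 assertion into its statements and evaluate an authorization decision.

Added example; not Globus or OASIS code. The assertion below is constructed for
illustration. No signature check is done here, so nothing this code returns may
be trusted until the caller has verified the assertion's signature and issuer.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"          # SAML 1.x assertion namespace
NS = {"saml": SAML}
RWEDC = "urn:oasis:names:tc:SAML:1.0:action:rwedc"       # SAML 1.1 Read/Write/Execute/Delete/Control actions
X509_PKI = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"     # authentication method: X.509 public key

# Constructed assertion of the kind an authorization server might issue to a grid user.
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="_example-1" Issuer="cas.example.org" IssueInstant="2008-10-23T12:00:00Z">
  <saml:Conditions NotBefore="2008-10-23T12:00:00Z" NotOnOrAfter="2008-10-23T13:00:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="{X509_PKI}" AuthenticationInstant="2008-10-23T11:59:30Z">
    <saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">/O=Grid/OU=GlobusTest/CN=student1</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>/O=Grid/OU=GlobusTest/CN=student1</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:vo-attributes">
      <saml:AttributeValue>researcher</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationDecisionStatement Resource="gsiftp://grid02.example.edu/data/project1" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>/O=Grid/OU=GlobusTest/CN=student1</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="{RWEDC}">Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>
"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _subject(stmt: ET.Element) -> Optional[str]:
    node = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    return node.text.strip() if node is not None and node.text else None


def parse_assertion(xml_text: str) -> dict:
    """Split an assertion into authentication, attribute and authorization-decision statements."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion element")
    cond = root.find("saml:Conditions", NS)
    parsed = {
        "issuer": root.get("Issuer"),
        "not_before": _ts(cond.get("NotBefore")) if cond is not None and cond.get("NotBefore") else None,
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")) if cond is not None and cond.get("NotOnOrAfter") else None,
        "authentication": [],
        "attributes": {},
        "decisions": [],
    }
    for s in root.findall("saml:AuthenticationStatement", NS):
        parsed["authentication"].append({"subject": _subject(s), "method": s.get("AuthenticationMethod"),
                                         "instant": _ts(s.get("AuthenticationInstant"))})
    for s in root.findall("saml:AttributeStatement", NS):
        for attr in s.findall("saml:Attribute", NS):
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            parsed["attributes"].setdefault(attr.get("AttributeName"), []).extend(values)
    for s in root.findall("saml:AuthorizationDecisionStatement", NS):
        parsed["decisions"].append({
            "subject": _subject(s), "resource": s.get("Resource"), "decision": s.get("Decision"),
            "actions": {(a.get("Namespace"), (a.text or "").strip()) for a in s.findall("saml:Action", NS)},
        })
    return parsed


def is_permitted(assertion: dict, subject: str, resource: str, action: str, now: datetime,
                 action_ns: str = RWEDC) -> bool:
    """Deny by default: an explicit Deny for the triple wins, then an exact-match Permit allows.

    The assertion must also be inside its Conditions window at `now`; a Permit
    for a broader or different resource string is not treated as covering this one.
    """
    nb, na = assertion["not_before"], assertion["not_on_or_after"]
    if (nb is not None and now < nb) or (na is not None and now >= na):
        return False
    matching = [d for d in assertion["decisions"]
                if d["subject"] == subject and d["resource"] == resource and (action_ns, action) in d["actions"]]
    if any(d["decision"] == "Deny" for d in matching):
        return False
    return any(d["decision"] == "Permit" for d in matching)
```

The resource comparison is an exact string match on purpose: treating `/data/project1` as a prefix that also covers `/data/project1/secret` is the kind of silent widening an authorization check should never do unless the assertion's own semantics say so.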

15 Community Authorization Service (CAS)
Developed to provide an authorization service in a Globus environment that uses proxy certificates
Part of Globus Toolkit 4
CAS server issues a proxy to the user that includes authorization assertions inserted as non-critical X.509 extensions in the certificate
Now uses SAML assertions (not originally)
Approach enables proxy certificates to be processed by existing software: a verifier that does not recognise the extension ignores it because it is non-critical, while a CAS-aware resource reads and enforces the assertion it carries

16 CAS structure (Fig 5.13)
