Presentation is loading. Please wait.

Presentation is loading. Please wait.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

Published byGodwin Stanley Modified over 8 years ago

Similar presentations

Presentation on theme: "> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk."— Presentation transcript:

1 > > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk

2 > > Participants >EGEE >VO Services (‘Privilege’) Project >Globus >Condor >VDT (OSG) Joint development and definition effort 2007 until early 2009 In production phase as of mid 2008 Institutes: ANL, BCCS, BNL, FNAL, INFN, Nikhef, Switch, UvA, UWMadison April 2009 2 The Authz-Interop Collaboration

3 > > What did we start with? >GUMS and PRIMA using proprietary SAML1 based protocol >SAZ (authorization service) >GT3, GT4 ‘authz callout’ for PRIMA by Markus Lorch >LCAS/LCMAPS >gLExec >gPlazma Not only used GUMS and the ‘EGEE’ a different logical model of dealing with attributes and authorization (local VOMS dumps vs. VOMS attribute push) Also, the services build in one ecosystem (e.g. ‘EGEE’) could not be used in the other (‘OSG’) → hacks and double work April 2009The Authz-Interop Collaboration 3

4 > > AuthZ Components Legend VO Management Services Grid Site SCAS Site Services CE Gatekeeper SCAS Clnt. Is Auth? ID Map? Yes / No UID/GID SE SRM gPlazma VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy 1 3 4 5 2 WN gLExec SCAS Clnt. Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 6 6 Schedule Pilot OR Job 7 Pilot SU Job (UID/GID) 8 VO PDP PEPs Original (interim) EGEE scenario plan April 2009 4

5 > > Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma ID Mapping? Yes / No + UserName VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy synch 1 4 5 6 7 2 3 WN gLExec Prima Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 8 8 Schedule Pilot OR Job 9 Pilot SU Job (UID/GID) 10 VO The Aut hz- Inte rop Coll abo rati on PDP PEPs AuthZ Components Legend Not Officially In OSG VO Management Services OSG Authorization Infrastructure A Common Protocol for OSG and EGEE integrated with the GT April 2009 5

6 > > Aims of the authz-interop project >Provide interoperability within the authorization infrastructures of OSG, EGEE, Globus and Condor Through >Common communication protocol >Common attribute and obligation definition >Common semantics and actual interoperation of production system So that services can use either framework and be used in both infrastructures April 2009 6 The Authz-Interop Collaboration

7 > > Two Elements for interop >Common communications profile >Agreed on use of SAML2-XACML2 >http://www.switch.ch/grid/support/documents/xacmlsaml.pdfhttp://www.switch.ch/grid/support/documents/xacmlsaml.pdf >Common attributes and obligations profile >List and semantics of attrbutes sent and obligations received between a ‘PEP’ and ‘PDP’ >Now at version 1.1 >http://cd-docdb.fnal.gov/cgi-bin/ShowDocument?docid=2952http://cd-docdb.fnal.gov/cgi-bin/ShowDocument?docid=2952 >http://edms.cern.ch/document/929867http://edms.cern.ch/document/929867 April 2009The Authz-Interop Collaboration 7

8 > > >Existing standards: >XACML defines the XML-structures that are exchanged with the PDP to communicate the security context and the rendered authorization decision. >SAML defines the on-the-wire messages that envelope XACML's PDP conversation. >The Authorization Interoperability profile augments those standards: >standardize names, values and semantics for common-obligations and core-attributes such that our applications, PDP- implementations and policy do interoperate. PDP Site Services CE / SE / WN Gateway PEP XACML Request XACML Response Grid Site Subject S requests to perform Action A on Resource R within Environment E Decision Permit, but must fulfill Obligation O April 2009 8 Profile in a nutshell The Authz-Interop Collaboration

9 > An XACML AuthZ Interop Profile >Authorization Interoperability Profile based on the SAML v2 profile of XACML v2 >Result of a 1yr collaboration between OSG, EGEE, Globus, and Condor >Releases: v1.1  10/09/08 v1.0  05/16/08 Slide _ 9 The Authz-Interop Collaboration

10 > > Structure of the AuthZ Interop Profile >Subject: /subject/ >Action: /action/ >Resource: /resource/ >Environment: /environment/ Obligation Attribute Identifiers ObligationId: /obligation/ AttributeId: /attributes/ Namespace prefix: http://authz-interop.org/xacml Request Attribute Identifiers April 2009 10 The Authz-Interop Collaboration

11 > > Most Common Request attributes >Subject (see profile doc for full list) >Subject-X509-id String: OpenSSL DN notation >Subject-VO String: “CMS” >VOMS-FQAN String: “/CMS/VO-Admin” >Resource (see doc for full list) >Resource-id (enum type) CE / SE / WN >Resource X509 Service Certificate Subject resource-x509-id >Host DNS Name Dns-host-name >Action > Action-id (enum type) Queue / Execute-Now / Access (file) > Res. Spec. Lang. RSL string >Environment > PEP-PDP capability negot. PEP sends to PDP supported Obligations Enables upgrading of the PEPs and PDPs independently > Pilot Job context (pull-WMS) Pilot job invoker identity Policy statement example: “User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO” April 2009 11 see document for all attributes and obligations The Authz-Interop Collaboration

12 > > Most Common Obligation Attributes >UIDGID >UID (integer): Unix User ID local to the PEP >GID (integer): Unix Group ID local to the PEP >Secondary GIDs >GID (integer): Unix Group ID local to the PEP (Multi recurrence) >Username >Username (string): Unix username or account name local to the PEP. >Path restriction > RootPath (string): a sub-tree of the FS at the PEP > HomePath (string): path to user home area (relative to RootPath) >Storage Priority > Priority (integer): priority to access storage resources. >Access permissions > Access-Permissions (string): “read-only”, “read-write” April 2009 12 see document for all attributes and obligations The Authz-Interop Collaboration

13 > > Full interoperability April 2009The Authz-Interop Collaboration 13

14 > > What has been achieved now >All profiles written and implemented >Common libraries available in Java and C implementing the communications protocol >Common handlers for Joint Interoperable Attribute and Obligations >Integrated in all relevant middleware in EGEE and OSG: >Clients: lcg-CE (via LCMAPS scasclient), CREAM and gLExec (ditto), GT pre-WS gram (both prima and LCMAPS), GT GridFTP, GT4.2 WS-GRAM, dCache/SRM >Servers: GUMS, SCAS >Other (lower-prio) components in progress >SAZ, RFT, GT4.x native-AuthZ, Condor (& -G), BeStMan April 2009The Authz-Interop Collaboration 14

15 > > OSG Integration Test Results April 2009The Authz-Interop Collaboration 15 ComponentTest PDP Component Old GUMSNew GUMSSCAS WS-Gatekeeper (Out of Scope) Test call-out component NOYES Run job w/o Delegation or File TransferNOYES out of scope Run job with Delegation and File TransferNOYES out of scope SCAS / PRIMA cmd line tool (OOS) AuthZ call via Legacy protocol call-outYES NO AuthZ call via XACML protocol call-outNOYES Pre-WS Gatekeeper (VTB-TESTED) Run job. AuthZ via Legacy protocolYES NO Run job. AuthZ via XACML protocolNOYES GridFTP (VTB-TESTED) Transfer file. AuthZ via Legacy protocolYES NO Transfer file. AuthZ via XACML protocolNOYES gLExec (REL. Jan 20) Run pilot job. AuthZ via Legacy protocolYES NO Run pilot job. AuthZ via XACML protocolNOYES SRM/dCache gPlazma (REL. Jan 20) Transfer file. AuthZ via Legacy protocolYES NO Transfer file. AuthZ via XACML protocolNOYES

16 > > Latest news >dCache v1.9.2-4 has been released this week. Pre-release tests have been conducted successfully against GUMS and SCAS. Will be the recommended release in a few months! >What are the EGEE deployment plans? >Development of native authz XACML call-out module for GridFTP: tests with the Globus Toolkit call-out module for authorization speaking the interop protocol start this week April 2009The Authz-Interop Collaboration 16

17 > > What next? Keeping interop (in ‘maintenance mode’) is most important! >Continued software support from contributing partners >Interdependency in timing between OSG and GT may lead to Catch-22 in prioritizing native GT4.2 implementation >Support in Delegation Service and RTF is needed for full production, and before existing legacy solutions can be phased out >Continued close coordination on the specification of the Authorization Profile. New uses cases must be coordinated and no ‘proprietary’ extensions should added, as that breaks the interop. Continuous communations and coordination remains essential. April 2009The Authz-Interop Collaboration 17

18 > > Conclusions >EGEE, OSG, Globus, and Condor have collaborated since Feb 2007 on an Authorization Interoperability profile and implementation >Interoperability is achieved through an AuthZ Interop Profile, based on the SAML v2 profile of XACML v2 >Call-out module implementations are integrated with major Resource Gateways >The major advantages of the infrastructure are: >Software developed in the US or EU can seamlessly be deployed in the EU or US security infrastructures >Software groups in EGEE and OSG can share and reuse common code >Production deployments in OSG and EGEE April 2009The Authz-Interop Collaboration 18

Download ppt "> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk."

Similar presentations

Global Grid Forum GridWorld GGF15 Boston USA October 03 2005 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.

Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
 Contributing >30% of throughput to ATLAS and CMS in Worldwide LHC Computing Grid  Reliant on production and advanced networking from ESNET, LHCNET and.

 Contributing >30% of throughput to ATLAS and CMS in Worldwide LHC Computing Grid  Reliant on production and advanced networking from ESNET, LHCNET and.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Globus 4 Guy Warner NeSC Training.

Globus 4 Guy Warner NeSC Training.
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.

Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.

GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
Grid Resource Allocation and Management (GRAM) Execution management Execution management –Deployment, scheduling and monitoring Community Scheduler Framework.

Grid Resource Allocation and Management (GRAM) Execution management Execution management –Deployment, scheduling and monitoring Community Scheduler Framework.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

Similar presentations

Ads by Google