Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rights Management in Globus Data Services Ann Chervenak, ISI/USC Bill Allcock, ANL/UC.

Published byAmanda Osborne Modified over 8 years ago

Similar presentations

Presentation on theme: "Rights Management in Globus Data Services Ann Chervenak, ISI/USC Bill Allcock, ANL/UC."— Presentation transcript:

1 Rights Management in Globus Data Services Ann Chervenak, ISI/USC Bill Allcock, ANL/UC

2 EGEE Workshop on Rights Management in Production Grids2 Outline l Brief discussion of Globus Authorization in General l Authorization in GridFTP and related tools l Authorization in the Globus Replica Location Service and related tools.

3 EGEE Workshop on Rights Management in Production Grids3 GT4 Security l Public-key-based authentication l Extensible authorization framework based on Web services standards u SAML-based authorization callout l As specified in GGF OGSA-Authz WG u Integrated policy decision engine l XACML policy language, per-operation policies, pluggable l Credential management service u MyProxy (One time password support) l Community Authorization Service l Standalone Delegation Service l SimpleCA: Online credential generation l PERMIS: Authorization service callout

4 EGEE Workshop on Rights Management in Production Grids4 Effective Policy Governing Access Within A Collaboration

5 EGEE Workshop on Rights Management in Production Grids5 GT’s Assertion Processing “Problem” l VOMS/Permis/X509/Shibboleth/SAML/Kerberos identity/attribute assertions l XACML/SAML/CAS/XCAP/Permis/ProxyCert authorization assertions l Assertions can be pushed by client, pulled from service, or locally available l Policy decision engines can be local and/or remote l Delegation of Rights is required “feature” implemented through many different means GT-runtime has to mix and match all policy information and decisions in a consistent manner…

6 EGEE Workshop on Rights Management in Production Grids6 GT Authorization Framework

7 EGEE Workshop on Rights Management in Production Grids7 GT’s Authorization Processing Model (1) l Use of a Policy Decision Point (PDP) abstraction that conceptually resembles the one defined for XACML. u Normalized request context and decision format u Modeled PDP as black box authorization decision oracle l After validation, map all attribute assertions to XACML Request Context Attribute format l Create mechanism-specific PDP instances for each authorization assertion and call-out service l The end result is a set of PDP instances where the different mechanisms are abstracted behind the common PDP interface.

8 EGEE Workshop on Rights Management in Production Grids8 GT’s Authorization Processing Model (2) l The Master-PDP orchestrates the querying of each applicable PDP instance for authorization decisions. l Pre-defined combination rules determine how the different results from the PDP instances are to be combined to yield a single decision. l The Master-PDP is to find delegation decision chains by asking the individual PDP instances whether the issuer has delegated administrative rights to other subjects. l the Master-PDP can determine authorization decisions based on delegated rights without explicit support from the native policy language evaluators.

9 EGEE Workshop on Rights Management in Production Grids9 Outline l Brief discussion of Globus Authorization in General l Authorization in GridFTP and related tools l Authorization in the Globus Replica Location Service and related tools.

10 EGEE Workshop on Rights Management in Production Grids10 One Slide Overview of GridFTP Control Data Control Data Control Data Control Data globus-url-copyRFT Service RFT Client SOAP Messages Notifications (Optional)

11 EGEE Workshop on Rights Management in Production Grids11 What is the problem? l MxN problem u Too many accounts, not scalable l Site wants to authorize by community, but must be able to identify an individual if there is a problem l Process still runs under a UID and file system permissions must be honored. l Requirement for authorization based not only identity, but a role or an attribute. l Scalability u Millions of file, 1000s of users…

12 EGEE Workshop on Rights Management in Production Grids12 Initial Observations l RFT authorization is NOT data access authz u No data access authorization, but right to run (like a job) l GridFTP is more than read and write u Many people use it as a “remote shell” u Listings, file/dir creation and deletion, permissions, etc. l GridFTP is authorization agnostic. u The protocol, nor the Globus implementation of it, has a specified authorization mechanism.

13 EGEE Workshop on Rights Management in Production Grids13 What is provided from Globus l Essentially, we use OS file system permissions l PI typically runs as root during connection establishment u Uses host certificate for authentication l To determine what account to map the user to a security callout is used u CAS enabled l globus_gss_assist_map_and_authorize() u Else l globus_gss_assist_gridmap l globus_gss_assist_userok (specific account requested)

14 EGEE Workshop on Rights Management in Production Grids14 All cases are basically the same l Just as in web services slides, three pieces of information are provided u Security context (DN plus optional assertions. Essentially an opaque structure) u The resource to be acted on u The action being request l A boolean response determines action l Failure propagation is an issue

15 EGEE Workshop on Rights Management in Production Grids15 A little more detail RFT Service RFT Client SOAP Messages Notifications (Optional) Data Channel Protocol Interpreter Master DSI Data Channel Slave DSI IPC Receiver IPC Link Master DSI Protocol Interpreter Data Channel IPC Receiver Slave DSI Data Channel IPC Link ? ?

16 EGEE Workshop on Rights Management in Production Grids16 GridFTP can’t have a single system l The system behind the Data Storage Interface can be complex, with its own authorization system u HPSS uses Kerberos and LDAP lookups u SRB maps DN to SRB credential l Different VOs will have their own system. l So far, this has been sufficient

17 EGEE Workshop on Rights Management in Production Grids17 Odds and Ends… l Web services version of GridFTP u Reproduce the PDPs of Java container? l NFSv4 integration of DN into file attributes sounds interesting as a solution to the dynamic account problem u Doesn’t address roles / attributes l UID does provide other useful functionality u Quotas for instance l Authorization of Connections u Have a prototype developed with UWis / Condor u Proposal in to improve

18 EGEE Workshop on Rights Management in Production Grids18 Outline l Brief discussion of Globus Authorization in General l Authorization in GridFTP and related tools l Authorization in the Globus Replica Location Service and related tools.

19 EGEE Workshop on Rights Management in Production Grids19 Globus Replica Location Service A Replica Location Service (RLS) is a distributed registry that records the locations of data copies and allows replica discovery u RLS maintains mappings between logical identifiers and target names u Must perform and scale well: support hundreds of millions of objects, hundreds of clients l E.g., LIGO (Laser Interferometer Gravitational Wave Observatory) Project u RLS servers at 10 sites u Maintain associations between 6 million+ logical file names & 120 million physical file locations

20 EGEE Workshop on Rights Management in Production Grids20 LRC RLI LRC Replica Location Indexes Local Replica Catalogs Replica Location Index (RLI) nodes aggregate information about one or more LRCs LRCs use soft state update mechanisms to inform RLIs about their state: relaxed consistency of index Optional compression of state updates reduces communication, CPU and storage overheads RLS Features Local Replica Catalogs (LRCs) contain consistent information about logical-to-target mappings

21 EGEE Workshop on Rights Management in Production Grids21 Current Authorization in RLS l Gridmap files and ACLs l Allow users to associate read, write permissions with users l Emphasis on scalability and performance l Problems: u No finer grained access control u Undesirable for VOs to share RLS servers, since a writer in one VO can alter entries in another l How to provide additional functionality without destroying performance for power users? u Need to register and discover millions of files quickly

22 EGEE Workshop on Rights Management in Production Grids22 Planned Support for Multiple VOs to Coexist Safely l Dynamic deployment of new VOs within existing LRC deployment u Possibly by deploying separate tables l VO-specific index layer: lighter-weight, bitmaps in memory l Callout to PDP for SAML authorization: identify user’s VO VO1 LRC VO2 LRC VO1 LRC VO2 LRC CAS/ PDP VO1 Index Cloud Shared server VO2 Index Cloud Pull- based Push- based

23 EGEE Workshop on Rights Management in Production Grids23 Longer-Term: Fine-grained Authorization l On a per-file or group of files basis u LRC makes authz callout, providing operation and policy ID u Policy engine decides based on credentials, operations, policy DB l Is this level of write authorization needed at the catalogs? u Typically a small group of privileged publishers who have broad permissions u Medical applications, others…

24 EGEE Workshop on Rights Management in Production Grids24 WS-RLS and DRS l WS RLS: new Web Service interface to RLS l Data Replication Service (DRS): combines RFT, RLS operations u Both WS-RF compatible interfaces l Can make use of GT4 authorization infrastructure u Configure a chain of authorization mechanisms and allow plug-ins of new authorization schemes u Evaluate a chain of Policy Decision Points (PDPs) u Includes a SAML callout, mechanism for grid-mapfile authorization u Make authorization decisions at container level l Support for adding custom authorization modules u Passes full client request message to the custom call-out u PDP can access the internal state of service to extract information needed to make authorization decisions

Download ppt "Rights Management in Globus Data Services Ann Chervenak, ISI/USC Bill Allcock, ANL/UC."

Similar presentations

Giggle: A Framework for Constructing Scalable Replica Location Services Ann Chervenak, Ewa Deelman, Ian Foster, Leanne Guy, Wolfgang Hoschekk, Adriana.

Giggle: A Framework for Constructing Scalable Replica Location Services Ann Chervenak, Ewa Deelman, Ian Foster, Leanne Guy, Wolfgang Hoschekk, Adriana.
The Replica Location Service In wide area computing systems, it is often desirable to create copies (replicas) of data objects. Replication can be used.

The Replica Location Service In wide area computing systems, it is often desirable to create copies (replicas) of data objects. Replication can be used.
Globus DataGrid Overview Bill Allcock, ANL GridPP Meeting 30 June 2003.

Globus DataGrid Overview Bill Allcock, ANL GridPP Meeting 30 June 2003.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Data Management Expert Panel. RLS Globus-EDG Replica Location Service u Joint Design in the form of the Giggle architecture u Reference Implementation.

Data Management Expert Panel. RLS Globus-EDG Replica Location Service u Joint Design in the form of the Giggle architecture u Reference Implementation.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
4b.1 Grid Computing Software Components of Globus 4.0 ITCS 4010 Grid Computing, 2005, UNC-Charlotte, B. Wilkinson, slides 4b.

4b.1 Grid Computing Software Components of Globus 4.0 ITCS 4010 Grid Computing, 2005, UNC-Charlotte, B. Wilkinson, slides 4b.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Globus 4 Guy Warner NeSC Training.

Globus 4 Guy Warner NeSC Training.
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.

Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google