Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jun 12, 20071/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio AuthZ Interoperability Status and Plans June 12, 2007 Middleware Security.

Published byBrooke Horton Modified over 8 years ago

Similar presentations

Presentation on theme: "Jun 12, 20071/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio AuthZ Interoperability Status and Plans June 12, 2007 Middleware Security."— Presentation transcript:

1 Jun 12, 20071/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio AuthZ Interoperability Status and Plans June 12, 2007 Middleware Security Group Meeting Gabriele Garzoglio Computing Division, Fermilab

2 Jun 12, 20072/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Overview Motivations & Collaboration Informal Requirements Open Issues Conclusions

3 Jun 12, 20073/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Motivations Modern middleware development requires the integration of software with grid authorization layers. Each grid has a different authorization infrastructure. Authorization call-out protocols are not standardized. Example: SRM/dCache is integrated with the OSG AuthZ infrastructure but not with EGEE. Deployment must still rely on legacy AuthZ mechanisms. Discussion started in Oct 2006 to address authorization interoperability.

4 Jun 12, 20074/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Collaboration OSG (VO Services Project) –Keith Chadwick, Ted Hesselroth, Gabriele Garzoglio, Igor Sfiligoi, Steve Timm, Valery Sergeev, John Weigand –John Hover, Jay Packard EGEE (Site Authorisation and Enforcement Services) –David Groep, Oscar Koeroo –Yuri Derchenko, Joni Hahkala The Globus Toolkit –Rachana Ananthakrishnan, Frank Siebenlist, Dan Fraser

5 Jun 12, 20075/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio A window of opportunity Globus is in the process of developing a new pluggable AuthZ call-out infrastructure for GT4 –OSG and EGEE can contribute in defining real-life use cases EGEE is considering to make the LCMAPS system accessible as a network service –The group needs to decide soon what network protocol to use VO Services project is finishing Phase II on Summer 07 –Effort becomes available for Phase III of the project

6 Jun 12, 20076/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Meetings History Oct 2006: http://cd-docdb.fnal.gov/cgi- bin/DisplayMeeting?conferenceid=239 http://cd-docdb.fnal.gov/cgi- bin/DisplayMeeting?conferenceid=239 Feb 2007: http://cd-docdb.fnal.gov/cgi- bin/DisplayMeeting?conferenceid=323 http://cd-docdb.fnal.gov/cgi- bin/DisplayMeeting?conferenceid=323 Mar 2007 (discussions at the MWSG 11) http://indico.cern.ch/conferenceDisplay.py?confId=12654 http://indico.cern.ch/conferenceDisplay.py?confId=12654 Apr 2007: http://cd-docdb.fnal.gov/cgi- bin/DisplayMeeting?conferenceid=333 http://cd-docdb.fnal.gov/cgi- bin/DisplayMeeting?conferenceid=333 May 2007: http://cd-docdb.fnal.gov/cgi- bin/DisplayMeeting?conferenceid=338 http://cd-docdb.fnal.gov/cgi- bin/DisplayMeeting?conferenceid=338

7 Jun 12, 20077/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Architecture (the OSG case) AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma / Prima ID Mapping? Yes / No + UserName VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy synch 1 4 5 6 7 2 3 WN gLExec Prima Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 8 8 Schedule Pilot OR Job 9 Pilot SU Job (UID/GID) 10 VO

8 Jun 12, 20078/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Architecture (the OSG case) AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma / Prima ID Mapping? Yes / No + UserName VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy synch 1 4 5 6 7 2 3 WN gLExec Prima Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 8 8 Schedule Pilot OR Job 9 Pilot SU Job (UID/GID) 10 VO A Common Protocol for OSG and EGEE integrated with the GT

9 Jun 12, 20079/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Overview Motivations & Collaboration  Informal Requirements Open Issues Conclusions

10 Jun 12, 200710/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Background Globus has a prototypical implementation of an authorization call-out library –Developed in collaboration with IBM –Based on XACML 2 / SAML 2 The library is going to be integrated with GT4.x

11 Jun 12, 200711/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Informal Requirements The library should be usable outside of the Globus Toolkit framework –However, the GT4 PEP are natively integrated The library should support remote or local attribute validations –The library should support sending signed assertions through the wire –We will need to standardize the attribute names used in the assertion, to have a consistent semantics across implementations

12 Jun 12, 200712/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Informal Requirements The library should allow signing assertions with different certificates –For example host cert, user cert, pilot admin cert, etc. The library should be able to send some of the PEP context to the PDP –For example: job description parameters, RSL, etc. –The information could be passed to the PDP as a standardized XACML attribute. The library should support arbitrary information from the PDP –Using XACML Obligations…

13 Jun 12, 200713/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio XACML Obligations (PDP Output) OSG and EGEE use cases are almost the same –Return set of UID/GID (CE), Root Path & (optional) Priority (SE) EGEE wants support for more general structures –“Authorization Tickets” to enable session management –Discussed the use case of AFS tokens Clients should be able to declare what obligations they can support –We can use a standardized tag of the "environment" element –Allows “upgradability” of the clients Handling of obligations should be implemented via external handlers –Handlers will be associated to standardized obligation ids.

14 Jun 12, 200714/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Overview Motivations & Collaboration Informal Requirements  Open Issues Conclusions

15 Jun 12, 200715/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Language Support The languages of interest for the library are C and Java The prototype is in Java Server-side: is Java enough? –It might for OSG (both GUMS and SAZ are in Java) Client-side: must support C: –We can generate WSDL bindings in C, but this will lack support for obligations –We can try JNI, but similar attempts (CABig group) have been done outside of the GT4 framework –We can translate the Java library in C, but it will required longer timelines

16 Jun 12, 200716/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Open Issues What are the EGEE time constraints ? What is the schedule of Globus to provide –support for parsing/manipulating obligations –support for a C library (tentatively: α-version by the end of July) What features of the C library are essential to write client software ?

17 Jun 12, 200717/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio Conclusions The window of opportunity to develop an interoperable authorization system is now Globus, OSG & EGEE have laid the groundwork for a successful collaboration For this phase, we still need to –Agree on a common plan and timeline –Formalize requirements –Understand what standards are needed

Download ppt "Jun 12, 20071/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio AuthZ Interoperability Status and Plans June 12, 2007 Middleware Security."

Similar presentations

Global Grid Forum GridWorld GGF15 Boston USA October 03 2005 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.

Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
The SAM-Grid Fabric Services Gabriele Garzoglio (for the SAM-Grid team) Computing Division Fermilab.

The SAM-Grid Fabric Services Gabriele Garzoglio (for the SAM-Grid team) Computing Division Fermilab.
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.

Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.

Similar presentations

Ads by Google