AHM, 2–4 Sept 2003, e-Science Centre
GRID Authorization Framework for CCLRC Data Portal
Ananta Manandhar
GRID
Large-scale resource sharing between trusted and untrusted organizations.
Researchers are interested in using the Grid if they can access the resources they require.
Resource providers are keen to host resources on the Grid, but want to retain control over their resources.
Control, reliability, manageability: missing any one of these three would make a resource provider wary of collaborating.
Data Portal
The CCLRC DataPortal is a broker application that provides a web-based interface to access data located in multiple facilities. The DataPortal server reaches each facility (Facility 1, Facility 2, ...) through an XML wrapper over that facility's local data and local metadata, on behalf of the user.
Security
Validating that the user is who he says he is (authentication): use of certificates; use of the delegation features of the GSI architecture.
Managing what the user is allowed to do (authorization): grid map files, CAS, VOMS, PERMIS, Akenti.
Requirements
Scalable: able to manage the increase in users and resources as collaborations with other organizations grow.
Manageable and maintainable: adding, removing and modifying user privileges needs to stay easy and intuitive.
Preferably under the control of the resource end: organizations prefer to control who has access to their data.
Requirements 2
Minimum intervention at the Data Portal layer: keep the number of points at which security has to be considered as low as possible.
Ability to utilize existing access control models: many resource providers already have access control mechanisms that are reliable and proven.
Future integration capabilities with other Grid-related applications.
Globus CAS
A Community Authorization Server (CAS) is present.
Resource providers grant privileges to the CAS; the privileges of individual users are stored in the CAS.
The user asks the CAS for a CAS credential. The CAS credential is a GSI proxy certificate signed by the CAS server, with the user's policies and privileges included in a certificate extension.
The user presents the CAS credential to the resource provider in place of an ordinary proxy certificate.
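The CAS exchange described on this slide, as an added example in Go that is not part of the original presentation or of the Globus CAS code: the CAS signs a short-lived certificate over the user's (proxy) public key with the policy carried in an extension, and the resource provider accepts the credential only if the CAS it trusts signed it and it is still valid, then enforces the embedded privileges. The extension OID, the DER layout of the policy, the privilege strings and the validity periods are assumptions; a plain X.509 end-entity certificate stands in for the GSI proxy certificate profile.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID of the extension carrying the CAS policy. Assumed for this example; the slide does not
// name the OID the real CAS implementation used.
var casPolicyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// CASPolicy is the privilege statement CAS embeds, DER-encoded as
// SEQUENCE { userDN, SEQUENCE OF privilege }.
type CASPolicy struct {
	UserDN     string
	Privileges []string
}

// newCASServer creates the CAS signing key and a self-signed CA certificate for it
// (in a deployment the Grid CA would issue the CAS certificate).
func newCASServer() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CAS Server"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueCASCredential is the CAS side: sign a short-lived certificate over the user's
// (proxy) public key with the policy in a non-critical extension.
func issueCASCredential(casKey *rsa.PrivateKey, casCert *x509.Certificate,
	userPub *rsa.PublicKey, policy CASPolicy) ([]byte, error) {
	polDER, err := asn1.Marshal(policy)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: policy.UserDN}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().Add(2 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: casPolicyOID, Value: polDER}}}
	return x509.CreateCertificate(rand.Reader, tmpl, casCert, userPub, casKey)
}

// checkCASCredential is the resource-provider side: accept the credential only if the
// trusted CAS signed it and it is within its validity window, then extract the policy.
func checkCASCredential(der []byte, casCert *x509.Certificate, now time.Time) (CASPolicy, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CASPolicy{}, err
	}
	if err := cert.CheckSignatureFrom(casCert); err != nil {
		return CASPolicy{}, fmt.Errorf("not signed by the trusted CAS: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return CASPolicy{}, errors.New("CAS credential outside its validity period")
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(casPolicyOID) {
			var p CASPolicy
			if rest, err := asn1.Unmarshal(ext.Value, &p); err != nil || len(rest) != 0 {
				return CASPolicy{}, errors.New("malformed CAS policy extension")
			}
			return p, nil
		}
	}
	return CASPolicy{}, errors.New("no CAS policy extension present")
}

// authorize enforces the embedded policy at the resource: the action must be listed.
func authorize(p CASPolicy, action string) bool {
	for _, priv := range p.Privileges {
		if priv == action {
			return true
		}
	}
	return false
}
```

A resource calls checkCASCredential with the CAS certificate it has been configured to trust, then authorize for each requested action; a credential signed by any other key, an expired one, or one whose DER has been altered is rejected before the policy is read. The GSI chain above the credential (the user's long-term certificate and CA) still has to be verified by the resource's GSI layer; this example covers only the CAS-signed credential and its policy.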
PERMIS
A central, publicly accessible LDAP server hosts attribute certificates.
The organization's Privilege Allocator creates attribute certificates for users and stores them in publicly accessible LDAP directories. Authorization policy descriptions are also created and stored in publicly accessible LDAP directories.
When querying a resource, the user presents his certificate. The resource's Access Decision Framework retrieves the user's attribute certificate and the policy definition from the LDAP server and enforces the privileges.
EU DataGrid VOMS
Classifies authorization information into two categories: general information about the relationship between the user and the Virtual Organization, and information about what the user is allowed to do at the resource provider.
The relationship between the VO and the user is specified as group and role by the VOMS server (coarse-grained).
Information about what the user is allowed to access is maintained by the resource provider (fine-grained).
Authorization Framework
An Authorization Server holds the User Privilege Database and a VO Certificate Store and exposes a Management Interface through which an Admin and a Super Admin manage user policies and policy descriptions. The user requests an authorization token; the server gets the policy attributes for the user's DN and returns the authorization token. Each resource (Resource 1, Resource 2, ..., Resource n) sits behind an Access Adapter, which receives the request (Proxy Cert + Authorization Token + query) and returns the result.
DP with Authorization Framework
The user runs my-proxy-init against MyProxy and then uses a browser to reach the Data Portal. The Data Portal's Authentication Module obtains the proxy certificate from MyProxy and the Session Manager saves it. The Session Manager then requests an authorization token from the Authorization Server of each organization (Organization 1, Organization 2, ..., Organization n) and saves each token. Queries go to the Access Adapters of the organization's resources (Resource 1, Resource 2) as (query string + Proxy Cert + Authorization Token). Each organization's Admin manages its own Authorization Server and Access Adapters.
Authorization Token Server
A Web Service Interface accepts Get Authorization Token (Proxy Cert, Request Parameters). The User Privilege Interface takes the DN from the proxy certificate and gets the privileges for that DN from the User Privilege Store; the Authorization Token Generator, backed by the Certificate Store, builds the token, which is returned to the caller. A Management Interface lets an Admin (Type 1 Admin) manage user privileges.
Resource Access Adapter
The Web Service Interface receives the request (Proxy Cert, Authorization Token, query). The Authorization Token Parser checks the token, the Access Enforcement Interface applies the resulting decision at the Resource, the request is recorded in the Access Log, and the result is returned.
Authorization Token (version 0.1)
Fields: user DN, issuer DN, issuer name, signature algorithm (MD5withRSA), signature value.
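An added example in Go, not the CCLRC implementation, of the Authorization Token Server and the Resource Access Adapter from the preceding slides, built around the token fields listed above; it also shows the VOMS-style split from the earlier slide, with the organization asserting only group membership and the resource provider keeping the fine-grained mapping from groups to actions. The XML element names, the group list, the 8-hour NotAfter expiry, the length-prefixed canonical form the signature covers, and the check that the token's user DN matches the DN of the presented proxy certificate are all assumptions; the slide names only the fields and MD5withRSA. MD5withRSA (RSA PKCS#1 v1.5 over an MD5 digest) is kept so a token in the slide's format can be verified, but MD5 is no longer collision resistant, so the adapter's list of accepted algorithms defaults to SHA256withRSA only.

```go
package main

import (
	"crypto"
	_ "crypto/md5" // registers crypto.MD5
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers crypto.SHA256
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"time"
)

// AuthorizationToken mirrors the slide's fields; XML names, the group list and NotAfter are assumed.
type AuthorizationToken struct {
	XMLName    xml.Name `xml:"AuthorizationToken"`
	Version    string   `xml:"version,attr"`
	UserDN     string   `xml:"UserDN"`
	IssuerDN   string   `xml:"IssuerDN"`
	IssuerName string   `xml:"IssuerName"`
	Groups     []string `xml:"Groups>Group"`
	NotAfter   string   `xml:"NotAfter"`            // RFC 3339
	SigAlg     string   `xml:"Signature>Algorithm"` // JCA-style name, e.g. MD5withRSA
	SigValue   string   `xml:"Signature>Value"`     // base64 PKCS#1 v1.5 signature
}

// Name -> hash for RSA PKCS#1 v1.5. MD5 is no longer collision resistant; sites should accept SHA256withRSA only.
var algorithms = map[string]crypto.Hash{"MD5withRSA": crypto.MD5, "SHA256withRSA": crypto.SHA256}

// digestOf hashes a length-prefixed canonical encoding of every field except the signature value.
func (t *AuthorizationToken) digestOf(h crypto.Hash) []byte {
	d := h.New()
	for _, f := range append([]string{t.Version, t.UserDN, t.IssuerDN, t.IssuerName, t.NotAfter, t.SigAlg}, t.Groups...) {
		fmt.Fprintf(d, "%d:%s;", len(f), f)
	}
	return d.Sum(nil)
}

// TokenServer is the organization's Authorization Token Server.
type TokenServer struct {
	Key                  *rsa.PrivateKey
	IssuerDN, IssuerName string
	Privileges           map[string][]string // User Privilege Store: user DN -> groups
}

func (s *TokenServer) IssueToken(userDN, alg string, now time.Time) (*AuthorizationToken, error) {
	groups, ok := s.Privileges[userDN]
	h, known := algorithms[alg]
	if !ok || !known {
		return nil, fmt.Errorf("no privileges for %s or unsupported algorithm %q", userDN, alg)
	}
	t := &AuthorizationToken{Version: "0.1", UserDN: userDN, IssuerDN: s.IssuerDN, IssuerName: s.IssuerName,
		Groups: groups, NotAfter: now.Add(8 * time.Hour).UTC().Format(time.RFC3339), SigAlg: alg}
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.Key, h, t.digestOf(h))
	if err != nil {
		return nil, err
	}
	t.SigValue = base64.StdEncoding.EncodeToString(sig)
	return t, nil
}

// AccessAdapter is the resource provider's token parser and access enforcement point.
type AccessAdapter struct {
	TrustedIssuers map[string]*rsa.PublicKey  // Certificate Store: issuer DN -> public key
	AcceptedAlgs   map[string]bool            // site policy for signature algorithms
	GroupACL       map[string]map[string]bool // local mapping: group -> permitted actions
}

// ParseAndVerify: trusted issuer, accepted algorithm, not expired, and bound to the proxy's DN.
func (a *AccessAdapter) ParseAndVerify(raw []byte, proxyDN string, now time.Time) (*AuthorizationToken, error) {
	var t AuthorizationToken
	if err := xml.Unmarshal(raw, &t); err != nil {
		return nil, err
	}
	h, known := algorithms[t.SigAlg]
	pub, trusted := a.TrustedIssuers[t.IssuerDN]
	if !known || !a.AcceptedAlgs[t.SigAlg] || !trusted {
		return nil, fmt.Errorf("rejected algorithm %q or issuer %s", t.SigAlg, t.IssuerDN)
	}
	exp, err := time.Parse(time.RFC3339, t.NotAfter)
	if err != nil || now.After(exp) || t.UserDN != proxyDN {
		return nil, fmt.Errorf("token expired or not bound to proxy DN %s", proxyDN)
	}
	sig, err := base64.StdEncoding.DecodeString(t.SigValue)
	if err != nil || rsa.VerifyPKCS1v15(pub, h, t.digestOf(h), sig) != nil {
		return nil, fmt.Errorf("invalid token signature")
	}
	return &t, nil
}

// Permit applies the fine-grained, resource-local group-to-action mapping.
func (a *AccessAdapter) Permit(t *AuthorizationToken, action string) bool {
	for _, g := range t.Groups {
		if a.GroupACL[g][action] {
			return true
		}
	}
	return false
}
```

The Data Portal would call IssueToken once per session, serialize the result with xml.Marshal, and pass the bytes along with the proxy certificate and query; the Access Adapter calls ParseAndVerify with the subject DN that GSI authenticated from that proxy certificate, then Permit for each action. Because the signature covers the canonical form rather than the XML text, the token survives re-serialization, but any change to a group, the expiry or the subject invalidates it.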
Implications of adding the Authorization Framework
Organization's perspective: the organization only has to maintain the users' group memberships in the organization and host an Authorization Token generation server.
Data Portal perspective: it has to request a proxy certificate from the MyProxy server and an Authorization Token from the organization's authorization server on behalf of the user, and forward these credentials along with the user's query.
User's perspective: the user needs membership in the organization and has to request an Authorization Token at the start of the session before being able to query the organization's resources.
Resource provider's perspective: the resource provider needs to maintain the mapping from groups to its local access control mechanisms and be able to verify the authenticity of the certificates.
Future
Formalize the format and structure of the Authorization Token.
Look into the possibility of replacing the web service interface with a Grid Service interface and other communication protocols.
Look into the feasibility of using the authorization token in the HPC portal.
Summary
Better trust for resource providers.
Better manageability for organizations.
Use of existing access control mechanisms.
GSI delegation remains unaffected.
Questions?