Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

Published byJayson Morris Allen Modified over 8 years ago

Similar presentations

Presentation on theme: "1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar."— Presentation transcript:

1 1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar

2 2 AHM, 2–4 Sept 2003 e-Science Centre GRID Large scale resource sharing between trusted and untrusted Organizations. Researchers are interested to use the Grid if they can access the resources that they require. Resource providers are keen to host resources in the Grid but would want the control over their resources. Control Reliability Manageable Missing any one of these three would make a Resource provider wary in Collaborating.

3 3 AHM, 2–4 Sept 2003 e-Science Centre Data Portal CCLRC DataPortal Server Local data Local metadata XML wrapper Facility 1 Local data Local metadata XML wrapper Facility 2 User Broker application that provides a web based interface to access data located in multiple facilities

4 4 AHM, 2–4 Sept 2003 e-Science Centre Security Validating who the user says he is Use of Certificate Use of delegation features of GSI Architecture Managing what the user is allowed to do Grid Map Files CAS VOMS PERMIS Akenti

5 5 AHM, 2–4 Sept 2003 e-Science Centre Requirements Scalable Ability to manage increase in users and resources as collaborations between other organizations increase Manageable and maintainable Adding, removing and modifying user privilege need to be kept easy and intuitive Preferably under the control of the resource end Organizations prefer to have control over who have access over their data.

6 6 AHM, 2–4 Sept 2003 e-Science Centre Requirements 2 Minimum intervention at the Data Portal Layer To keep the points of Security consideration as low as possible. Ability to utilize existing Access Control Models Many resource providers already have existing access control mechanisms that are reliable and proven. Future integration capabilities with other Grid Related Applications

7 7 AHM, 2–4 Sept 2003 e-Science Centre Globus CAS Presence of a Community authorization server. Resource Providers Grants Privileges to CAS Privileges of the user are stored in CAS User request CAS to receive CAS credential CAS credential is a GSI proxy certificate signed by CAS server with policies and privileges of the user included in an extension. User presents CAS credential for Resource provider in place of proxy certificate.

8 8 AHM, 2–4 Sept 2003 e-Science Centre PERMIS Presence of a central publicly accessible LDAP sever hosting Attribute Certificates Organization’s Privilege Allocator create Authorization Certificates for users and stored in publicly accessible LDAP Directories Also Authorization policy description are created and stored in publicly accessible LDAP directories. While querying a resource User presents its certificate The Resource’s Access Decision Framework retrieves the user’s Attribute certificate and the policy definition from the LDAP server and enforces the privileges

9 9 AHM, 2–4 Sept 2003 e-Science Centre EU Data Grid VOMS Classifies authorization information into two categories General information regarding the relationship between the user and the Virtual Organization Information regarding what the user is allowed to do at the Resource Provider Relationship between VO and user is specified as group and role by VOMS server (coarse grained) Information regarding what the user is allowed to access is maintained by the Resource provider. (fine grain)

10 10 AHM, 2–4 Sept 2003 e-Science Centre Authorization Framework Resource 1 Authorization Server Management Interface User Privilege Database Get Policy Attributes for DN Request Authorizat ion Token Manage User Policies and Policy Description Admin Super Admin Request result (Proxy Cert + Authorization Token + query) Return Authorization Token VO Certificate Store Access Adapter Resource 2 Access Adapter Resource n Access Adapter

11 11 AHM, 2–4 Sept 2003 e-Science Centre DP with Authorization Framework User MyProxy My-proxy-initBrowser Authentication Module Session Manager Authorization Server Authorization Server Authorization Server Proxy Certificate Authorization Token Save Authorization Token Query (query string, Proxy Cert + Authorization Token) Save Certificate Query (query string + Proxy Cert + Authorization Token) Admin Access Adapter Admin Resource 1 Access Adapter Resource 2 Access Adapter Resource 1 Access Adapter Resource 2 Access Adapter Resource 1 Access Adapter Resource 2 Organization 1Organization 2Organization n Data Portal

12 12 AHM, 2–4 Sept 2003 e-Science Centre Authorization Token Server Management Interface User Privilege Store Get Authorization Token (Proxy Cert, Request Parameters) Manage User Privileges Admin Type 1 Admin Web Service Interface Return (Authorization Token) User Privilege Interface Get DN Privileges for DN Certificate Store Authorization Token Generator

13 13 AHM, 2–4 Sept 2003 e-Science Centre Resource Access Adapter Resource Request result (Proxy Cert, Authorization Token, query) Access Enforcement Interface Web Service Interface Authorization Token Parser Access Adapter Access Log

14 14 AHM, 2–4 Sept 2003 e-Science Centre Authorization Token 0.1 user DN issuer DN issuerName MD5withRSA value

15 15 AHM, 2–4 Sept 2003 e-Science Centre Implications with adding Authorization Framework Organization’s Perspective The organization would only have to maintain the user’s group membership to the organization and host an Authorization Token generation server. Data Portal Perspective It would have to request for Proxy certificate from MyProxy Certificate and an Authorization Token from Organization’s authorization server on behalf of the user and forward these certificates along with the user’s query. User’s Perspective Would need have to have membership with the Organization and will have to request for a Authorization token at the start of the session before being able to query the organization’s resources. Resource Provider’s Perspective The Resource Provider would need to maintain the group mapping to its local access control mechanisms and be able to verify the authenticity of the Certificates.

16 16 AHM, 2–4 Sept 2003 e-Science Centre Future Formalize the format and structure of Authorization Token Look into the possibilities of replacing web service interface with Grid Service interface and other communication protocols Look in feaibility of using authorization token in HPC portal.

17 17 AHM, 2–4 Sept 2003 e-Science Centre Summary Better trust for resource providers Better manageability for organizations Use of existing access control mechanisms GSI delegation would remain unaffected

18 18 AHM, 2–4 Sept 2003 e-Science Centre Questions ?

Download ppt "1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
W w w. h p c - e u r o p a. o r g HPC-Europa Portal: Uniform Access to European HPC Infrastructure Ariel Oleksiak Poznan Supercomputing.

W w w. h p c - e u r o p a. o r g HPC-Europa Portal: Uniform Access to European HPC Infrastructure Ariel Oleksiak Poznan Supercomputing.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

Similar presentations

Ads by Google