glite Java Authorisation Framework (gjaf) and Authorisation Policy coordination

Similar documents
Authorisation Policy coordination and glite Java Authorisation Framework (gjaf)

Dynamic Security Context Management in Grid-based Applications

Attributes used for Authorisation in Network Resource Provisioning

Lightpath AAA Gap Analysis

Milestone deliverable reference number M.4.1 (Part 1 of the Deliverable D.4.1)

Enabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI

Deliverable reference number: D.4.1. AAA Architectures for multi-domain optical networking scenario's

SLCS and VASH Service Interoperability of Shibboleth and glite

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

GLOBUS TOOLKIT SECURITY

Using SAML and XACML for Complex Authorisation Scenarios in Dynamic Resource Provisioning

Argus: The Simplified Policy Language

[GSoC Proposal] Securing Airavata API

A Multipolicy Authorization Framework for Grid Security

Using SAML and XACML for Complex Resource Provisioning in Grid based Applications

EU Phosphorus Project Harmony. (on

Federated Authentication with Web Services Clients

PERMIS An Application Independent Authorisation Infrastructure. David Chadwick

Authorisation Infrastructure for On-Demand Network Resource Provisioning

An authorization Framework for Grid Security using GT4

Deploying virtualisation in a production grid

Extending Role Based Access Control Model for Distributed Multidomain Applications

KoM WP3 Task3.2 Overview and Next steps. Yuri Demchenko University of Amsterdam

The glite middleware. Presented by John White EGEE-II JRA1 Dep. Manager On behalf of JRA1 Enabling Grids for E-sciencE

Security Context Management with XML based security tickets and tokens. Yuri Demchenko AIRG, University of Amsterdam

Policy Based Access Control in Dynamic Grid-based Collaborative Environment

EGEE and Interoperation

The SweGrid Accounting System

INDIGO AAI An overview and status update!

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003

THEBES: THE GRID MIDDLEWARE PROJECT Project Overview, Status Report and Roadmap

Integrating Legacy Authorization Systems into the Grid: A Case Study Leveraging AzMan and ADAM

3rd UNICORE Summit, Rennes, Using SAML-based VOMS for Authorization within Web Services-based UNICORE Grids

Published in: Proceedings: Fourth IEEE International Conference on escience: escience 2008

Identity Management in ESA Grid on-demand Infrastructure

Improving Grid User's Privacy with glite Pseudonymity Service

Grid Security: The Globus Perspective

Authorization Strategies for Virtualized Environments in Grid Computing Systems

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Introduction to Grid Security

First Experiences Using XACML for Access Control in Distributed Systems

extensible Access Control Language (XACML)

USING SAML TO LINK THE GLOBUS TOOLKIT TO THE PERMIS AUTHORISATION INFRASTRUCTURE

Security Assertions Markup Language (SAML)

National R&E Networks: Engines for innovation in research

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

The PRIMA Grid Authorization System

A Concept for Attribute-Based Authorization on D-Grid Resources

SGS11: Swiss Grid School 2011 Argus The EMI Authorization Service

A Simplified Access to Grid Resources for Virtual Research Communities

Understanding StoRM: from introduction to internals


David Chadwick, University of Kent Linying Su, University of Kent 9 July 2008

Report for the GGF 16 BoF for Grid Developers and Deployers Leveraging Shibboleth

Grid Technologies for AAI*

The glite middleware. Ariel Garcia KIT

Role-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)

Grid Scheduling Architectures with Globus

ARDA status. Massimo Lamanna / CERN. LHCC referees meeting, 28 June

An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids

Dynamic Stateful Service Security

The EGEE-III Project Towards Sustainable e-infrastructures

Failover procedure for Grid core services

NAC 2007 Spring Conference

Implementing GRID interoperability

E G E E - I I. Document identifier: Date: 10/08/06. Document status: Document link:

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

David Chadwick, University of Kent Linying Su, University of Kent 11 June 2008

New trends in Identity Management

Grid Services Security Vulnerability and Risk Analysis

g-eclipse A Framework for Accessing Grid Infrastructures Nicholas Loulloudes Trainer, University of Cyprus (loulloudes.n_at_cs.ucy.ac.

A solution for Access Delegation based on SAML. Ciro Formisano Ermanno Travaglino Isabel Matranga

Report for the GGF 15 Community Activity: Leveraging Site Infrastructure for Multi-Site Grids

I Tier-3 di CMS-Italia: stato e prospettive. Hassen Riahi Claudio Grandi Workshop CCR GRID 2011

Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains

A Grid Authorization Model for Science Gateways

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

A Guanxi Shibboleth based Security Infrastructure for e-social Science

Privacy Policy Languages:

Deploying the TeraGrid PKI

Kent Academic Repository

PERMIS: A Modular Authorization Infrastructure

SAP IoT Application Enablement Best Practices Authorization Guide

By Ian Foster. Zhifeng Yun

Authorization Survey Results & Use Cases Presentation to Concordia Working Group

Job submission and management through web services: the experience with the CREAM service

Novell Access Manager 3.1

Fusion of Bandwidth on Demand and Virtual Organizations

StoRM configuration. namespace.xml

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.

Grid Computing (M) Richard Sinnott

CILogon Project

Identity Provider for SAP Single Sign-On and SAP Identity Management

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

Obligation Standardization

IVOA/AstroGrid SSO system and Grid standards

Grid Computing Middleware. Definitions & functions Middleware components Globus glite

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Grid services. Enabling Grids for E-sciencE. Dusan Vudragovic Scientific Computing Laboratory Institute of Physics Belgrade, Serbia

Grid Security Incident Handling and Response Guide

Transcription:

glite Java Authorisation Framework (gjaf) and Authorisation Policy coordination Yuri Demchenko University of Amsterdam MWSG meeting EGEE 06 Conference, September 27, 2006, Geneve www.eu-egee.org EGEE and glite are registered trademarks

Outline Observations AuthZ in EGEE/LCG and gjaf Difficulties and problems in implementing common AuthZ FW Activities and Initiatives on AuthZ coordination gjaf Overview GT4-AuthZ overview Next steps Discussion Additional - GAAA-AuthZ framework by UvA MWSG, Geneva, September 27, 2006 2

Wide diversity between sites Observations AuthZ in EGEE/LCG Typically based on LCAS/LCMAPS (C-based) Foundation for glite Java AuthZ Framework (gjaf) DJRA3.1 (updated in DJRA3.3) EGEE Security Architecture gjaf Developer s guide - https://edms.cern.ch/document/501718 gjaf initially was developed to be compatible with Globus AuthZ framework Version 1.0 released end 2004, some extensions later! Supports VOMS attributes (VOMS PDP), GridMapFile, BlackList Now GT4-AuthZ significantly developed! More flexible configuration and better user creds handling MWSG, Geneva, September 27, 2006 3

Difficulties and problems in implementing common AuthZ FW Enabling Grids for E-sciencE Human and Legacy type (Developers and implementers) Successful only when smoothly migrated and easier achieved obvious benefits! When implementing/debugging security solution is too hard, developers will do it in their own way GGF16 AuthZ Workshop Working with the distributed computing paradigm (computer clusters and pool accounts) Technical Coordination and application specific (incl. legacy solutions) Fine-grained and consistent access control with ACL! Local security and resource context is often implicit! Problem with replica data access policy => Common PEP and context/environment aware Policy MWSG, Geneva, September 27, 2006 4

Activities and Initiatives EGEE AuthZ Policy Coordination Meeting in Bologna June 6-7, 2005 GGF-AuthZ Working Group EGEE interest bring EGEE reality to GGF standardisation Other GGF/EGEE/LCG activities LCG AuthZ workshops interoperability between current solutions GIN Grid Interoperation Now! Use of VOMS attributes for AuthZ in Grid TONIC Taskforce Organizing Near-term Interoperation for Credentials MWSG, Geneva, September 27, 2006 5

gjaf Overview Provided as org.glite.security.authz Java package Called from applications via interceptor SOAP/Axis or application specific Presumably orthogonal to application and easy integrated Contains a configured chain of PIP and PDP modules PIP collects/extracts information to be sent to PDP Each PDP evaluates its relevant attributes against its own Policy Chain is configured to apply PDP decisions combination Problems Requires application specific manual chain configuration Unchanged but GT4-AuthZ is evolving Limited use up to now! CE (and some interest from DM) MWSG, Geneva, September 27, 2006 6

gjaf components and connection to the Grid Service Grid Service Srv Request Service Gateway (SOAP Msg Interceptor) PEP Call from SrvGw or Msg Interceptor AuthZ Attr/Data PIP chain PDP chain PIP PIP PIP AuthZ Decision Combination AuthZ Decision User/Local Attr VO Attr External Attr Call PDP (BL) PDP Ext PDP Callout Ext. AttrAuth (e.g. Shibboleth) PAP Ext. PDP (e.g. G-PBox) MWSG, Geneva, September 27, 2006 7

GT4 Authorisation Framework Can potentially be configured for Container, Message, Service/Resource But all based on SOAP/Axis msg processing by Axis interceptor AuthZ processing sequence includes New! Bootstrapping X.509 PIP retrieves request parameters from the message! Subject, Resource, Action Sequence of pre-configured PIP s, including SAML Sequence of (specialised) PDP s Different PDP decisions combination algorithms by AuthZ engine! However, multiple policy decision s consistency is not resolved Available PDP s ACL and GridMap HostAuthorization and UserNameAuthorization SAML AuthZ callout and SAML AuthZ Assertion SelfAuthorization based on shared/trusted Resource credentials Simple XACML PDP (provided as a placeholder for extension) MWSG, Geneva, September 27, 2006 8

Next steps Compatibility and integration with other and 3rd party solutions Integration with the G-PBox Compatibility and integration with (or move to) the GT4-AuthZ! Can get workforce support from GT4 Security team Other issues found important! Enable PDP chain to respond with Obligated decision! PDP answer with AuthZ ticket to provide extended/full decision context in response to gjaf/pdp MWSG, Geneva, September 27, 2006 9

Next steps (2) AuthZ Policy compatibility and coordination Common or mapped attributes semantics Policy formats mapping Using XACML for policy expression Standard, Context aware! Used in G-PBox Can be added as XACML PDP plugin to gjaf or GT4-AuthZ Need policy management tool (simple or complex) SAML/Shib Credentials support Coming in GT4-AUthZ with GridShib Will rely on effective cooperation with SWITCH MWSG, Geneva, September 27, 2006 10

Discussion Any other issues? MWSG, Geneva, September 27, 2006 11

Additional information Overview GAAA-AuthZ framework by UvA Major focus AuthZ for dynamic services and CRP Implemented in GAAA_tk but moving just to provide specific extensions to GT4-AuthZ Major application areas Grid-based Collaborative systems Complex Resource Provisioning (CRP), e.g. Optical LightPath Provisioning (OLPP) as service on demand Projects and cooperation EGEE, NextGRID, PHOSPHORUS GT4-AuthZ Team, TF-EMC2 Recent developments GAAAPI package SAML and XACML v2.0 and v3.0 Dynamic security context management Authorisation Session support! AuthZ tickets (both proprietary and SAML-based)! Delegation and roles management/restrictions MWSG, Geneva, September 27, 2006 12

Functionality provided by GAAPI Specific functionality provided by GAAPI package Considered as extension to GT4-AuthZ Authorisation tickets and tokens handling for performance optimisation and advanced Authorisation Session management! SAML and Proprietary AuthZ tickets format Support extended AuthZ session context and Delegation Complex XACML policies evaluation to provide fine-grained access control! Supports hierarchical resource management and administration policy management (including delegation) With XACML RBAC and Hierarchical Resources special profiles and XACML 3.0 Administrative Policy Flexible trust domains and request/attributes semantics configurations and management MWSG, Geneva, September 27, 2006 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback