Access Grid Authorization Thomas Uram Argonne National Laboratory.


Agenda
–Authorization Landscape
–Role-based Authorization
–AuthorizationManager API
–Examples and exercises

Landscape
PKI
–Every user has a unique certificate
Web Services
–Web-accessible components of the AG software are exposed via SOAP over GSI
–GSI connections are mutually authenticated using certificates: the user's identity is verified by the server, and the server's identity is verified by the user
–Methods are distinguished by who may call them
 Administrator methods, e.g. Venue configuration
 User methods, e.g. Venue entry

Landscape (diagram: a Venue with its Audio Service and Video Service, connected over Multicast)

Role-based Authorization
Abstraction layer between objects and the persons who will access them
Similar to the *nix file system concept
–Each object has a list of actions that can be performed on it (rwx)
–Each action has a list of groups which are allowed to call it
–Each group has a list of members (/etc/group)

Roles
Roles are user groups
–Required roles: Administrator, User
–Custom roles, e.g. Venue.AllowedEntry, Venue.RegisteredUsers

Actions
Actions define operations on web services
–In the *nix file system analogy, read/write/execute are Actions
Actions currently map one-to-one to web service methods, e.g.
–VenueServer.GetVenues
–Venue.GetStreams

Subjects
The Subject class holds information about a user, in particular the distinguished name (DN) from the user's certificate

Policies
An authorization policy describes the role/action/subject relationships in force for a service
–The policy for a service is represented in XML
–The policy can be modified wholesale, or through individual calls
–Services define default policies
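The role/action/subject model from the Roles, Actions, Subjects and Policies slides, as an added worked example. This is not AccessGrid code: the class names, the XML element names and the sample distinguished names are assumptions chosen to mirror the slides, and the check denies by default when an action is unknown or has no roles.

```python
"""Toy role/action/subject policy modelled on the Access Grid slides.

Added illustration, not AccessGrid code: element names, class names and
the sample DNs are assumptions. Python 3 standard library only.
"""
import xml.etree.ElementTree as ET


class Subject:
    """A user, identified by the distinguished name in their certificate."""
    def __init__(self, dn):
        self.dn = dn


class Policy:
    """Roles hold subjects (like /etc/group); actions hold the roles allowed to call them."""
    REQUIRED_ROLES = ("Administrator", "User")

    def __init__(self):
        self.roles = {name: set() for name in self.REQUIRED_ROLES}
        self.actions = {}

    def add_role(self, name):
        self.roles.setdefault(name, set())

    def add_subject(self, role, dn):
        self.add_role(role)
        self.roles[role].add(dn)

    def add_action(self, action, *roles):
        for r in roles:
            self.add_role(r)
        self.actions.setdefault(action, set()).update(roles)

    def is_authorized(self, subject, action):
        """Deny by default: the action must be known and the subject must hold one of its roles."""
        allowed_roles = self.actions.get(action)
        if not allowed_roles:
            return False
        return any(subject.dn in self.roles[r] for r in allowed_roles)

    def to_xml(self):
        """Serialise the whole policy, mirroring the 'modify wholesale' path on the slide."""
        root = ET.Element("AuthorizationPolicy")
        for name, members in sorted(self.roles.items()):
            role = ET.SubElement(root, "Role", name=name)
            for dn in sorted(members):
                ET.SubElement(role, "Subject", name=dn)
        for name, roles in sorted(self.actions.items()):
            action = ET.SubElement(root, "Action", name=name)
            for r in sorted(roles):
                ET.SubElement(action, "Role", name=r)
        return ET.tostring(root, encoding="unicode")

    @classmethod
    def from_xml(cls, text):
        root = ET.fromstring(text)
        policy = cls()
        for role in root.findall("Role"):
            policy.add_role(role.get("name"))
            for subj in role.findall("Subject"):
                policy.add_subject(role.get("name"), subj.get("name"))
        for action in root.findall("Action"):
            policy.add_action(action.get("name"),
                              *[r.get("name") for r in action.findall("Role")])
        return policy


def default_venue_policy():
    """A default policy in the spirit of the slides: administrators configure, allowed users enter."""
    p = Policy()
    p.add_action("Venue.SetDescription", "Administrator")
    p.add_action("Venue.Enter", "Administrator", "Venue.AllowedEntry")
    p.add_action("Venue.GetStreams", "Administrator", "Venue.AllowedEntry")
    return p


def demo():
    """Constructed DNs (not real users); returns the decisions so they can be checked."""
    p = default_venue_policy()
    admin = Subject("/O=Access Grid/OU=example.org/CN=Alice Admin")
    user = Subject("/O=Access Grid/OU=example.org/CN=Bob User")
    stranger = Subject("/O=Access Grid/OU=example.org/CN=Carol Stranger")
    p.add_subject("Administrator", admin.dn)
    p.add_subject("Venue.AllowedEntry", user.dn)
    # Round-trip the policy wholesale through XML before deciding anything
    p2 = Policy.from_xml(p.to_xml())
    return {
        "admin_configures": p2.is_authorized(admin, "Venue.SetDescription"),
        "user_configures": p2.is_authorized(user, "Venue.SetDescription"),
        "user_enters": p2.is_authorized(user, "Venue.Enter"),
        "stranger_enters": p2.is_authorized(stranger, "Venue.Enter"),
        "unknown_action": p2.is_authorized(admin, "Venue.Nonexistent"),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(decision, allowed)
```

The point to take from the example is the shape of the check: a method name (the Action) resolves to a set of Roles, and the caller's certificate DN (the Subject) must appear in one of them; anything not covered by the policy is refused rather than allowed.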

Authorization UI: VenueServer (screenshot)

Authorization UI: Venue (screenshot)

AuthorizationManager
AccessGrid.Security.AuthorizationManager
–Exposes interfaces for modifying the authorization policy for a service
–Used in the authorization callback registered with the SOAP server

AuthorizationManager API

Future work
Finer-grained authorization
–Apply to objects in the Venue
–Permit authorization of individuals, not just groups
Consider integrating a well-established authorization framework

Example: List defined Roles

#!/usr/bin/python2
import sys
from AccessGrid.Toolkit import CmdlineApplication
from AccessGrid.Venue import VenueIW
from AccessGrid.Security.AuthorizationManager import AuthorizationManagerIW

if len(sys.argv) != 2:
    print "Usage: %s <venue url>" % sys.argv[0]
    sys.exit(1)
url = sys.argv[1]

# Create and initialize the application (toolkit setup, including the
# credentials used for the GSI connection)
app = CmdlineApplication()
app.Initialize('ListRoles')

# Ask the venue for the URL of its authorization manager and
# create an interface wrapper for it
v = VenueIW(url)
amurl = v.GetAuthorizationManager()
authManager = AuthorizationManagerIW(amurl)

# Get the roles defined for the venue and print their names
roleList = authManager.ListRoles()
for role in roleList:
    print role.name

Exercise: List subjects in Roles

Example: Venue ACL manager