1 Globus Toolkit Security Java Components Rachana Ananthakrishnan Frank Siebenlist.

Presentation transcript:

1 Globus Toolkit Security Java Components Rachana Ananthakrishnan Frank Siebenlist

2 Authentication Framework

3 Authentication Schemes
- Secure Transport
  - Secure Sockets (https)
  - Anonymous access support
  - Container-level configuration
- Secure Message
  - Each individual message is secured
  - Replay attack prevention
- Secure Conversation
  - Handshake to establish a secure context
  - Anonymous access support

4 Server-side features
- Message protection options
  - Integrity and privacy
- Configure required authentication as policy
  - At service or resource level
  - Programmatic or security descriptors
- Server response
  - Same authentication scheme as the request

5 Client-side features
- Configurable client-side authentication
  - Per-invocation granularity
  - Properties on the stub
  - Programmatically or via security descriptors
- Message protection options
  - Integrity and privacy
  - Default: integrity protection

6 Planned Work
- Pluggable path validation
  - Allow OCSP integration
  - Allows XKMS and trust-root provisioning schemes
- Kerberos work (long term)
  - If a real user requirement is motivated
- Requirements?

7 Delegation

8 Delegation Service
- Higher-level service
- Authentication protocol independent
- Refresh interface
- Delegate once, share across services and invocations
(Diagram: Client, Delegation Service, Service1, Service2, Service3 and Resources inside the Hosting Environment, connected by Delegate, EPR and Refresh interactions.)

9 Delegation
- Secure Conversation
  - Can delegate as part of the protocol
  - Extra round trip with delegation
  - Delegation Service is the preferred way of delegating
- Secure Message and Secure Transport
  - Cannot delegate as part of the protocol

10 Planned Work
- Client-side support for X509Extensions
- Consolidation with EGEE's equivalent solution
- Requirements?

11 Authorization Framework

12 Server-side Authorization Framework
- Establishes whether a client is allowed to invoke an operation on a resource
- Only authenticated calls are authorized
- Authorization policy configurable at resource, service or container level

13 Server-side Authorization Framework
- Policy Information Points (PIPs)
  - Collect attributes (subject, action, resource)
  - Ex: Parameter PIP
- Policy Decision Points (PDPs)
  - Evaluate authorization policy
  - Ex: GridMap authorization, Self authorization, XACML, SAML authZ call-out
- Authorization Engine
  - Orchestrates the authorization process
  - Enforces the authorization policy
  - Combining algorithm renders a decision

14 GT 4.0 Authorization Framework
(Diagram: the Authentication Framework passes the identity and public credential of the client to the Authorization Handler, which selects the appropriate Authorization Engine; the engine (deny-override) runs PIP1 ... PIPn, which store attributes in the Message Context, then PDP1 ... PDPn, each returning Permit or Deny.)

15 GT 4.2 Attribute Framework
- Normalized attribute representation
  - Attribute identifier:
    - Unique id (URI)
    - Data type (URI)
    - Is identity attribute? (boolean)
  - Set of values
  - Valid from
  - Valid to
  - Issuer
- Comparing attributes

16 Entity Attributes
(Diagram: Entity1 and Entity2 each carry identity attributes, attributes and native attributes; after the Merge step a single entity holds the union of both sets, with the shared Attribute1 appearing once.)

17 Sample Attribute
- Attribute identifier
  - Unique id: urn:oasis:names:tc:xacml:1.0:subject:subject-id
  - Data type: urn:globus:4.0:datatype:java:set:principal
  - Identity attribute: true
- Set of values: /C=US/O=Globus Alliance/OU=User/CN=101497d3dcd.3dcd5aef
- Valid from: Wed Oct 18 10:33:03 CDT 2006
- Valid till: Infinity
- Issuer:

18 GT 4.2 Attribute Framework
- Bootstrap PIP
  - Collects attributes about the request: subject, action and resource
  - Example: X509BootstrapPIP
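The normalized attribute representation of slide 15, the sample of slide 17 and the entity merge of slide 16 modelled in a few lines. This is an added example, not GT4 code: the AttributeId/Attribute types, the "same entity" rule (a shared identity attribute with a common value) and the role attribute contributed by a hypothetical VOMS-style PIP are assumptions; only the subject-id identifier and the DN come from the slides.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet

@dataclass(frozen=True)
class AttributeId:
    uri: str        # unique id (URI)
    datatype: str   # data type (URI)
    identity: bool  # is this an identity attribute?

@dataclass
class Attribute:
    ident: AttributeId
    values: FrozenSet[str]
    valid_from: datetime
    valid_to: datetime = datetime.max  # the slide's "Valid till: Infinity"
    issuer: str = ""                   # the sample on slide 17 leaves issuer empty

Entity = Dict[AttributeId, Attribute]  # an entity is its attributes, keyed by identifier

def same_entity(a: Entity, b: Entity) -> bool:
    """Assumed rule: one entity when an identity attribute is shared with a common value."""
    return any(x.ident.identity and x.ident in b and x.values & b[x.ident].values
               for x in a.values())

def merge(a: Entity, b: Entity) -> Entity:
    """Slide 16's Merge: union of both sets; a shared identifier unions its values
    and keeps the narrower validity window."""
    if not same_entity(a, b):
        raise ValueError("attribute sets belong to different entities")
    out = dict(a)
    for ident, attr in b.items():
        if ident in out:
            cur = out[ident]
            out[ident] = Attribute(ident, cur.values | attr.values,
                                   max(cur.valid_from, attr.valid_from),
                                   min(cur.valid_to, attr.valid_to),
                                   cur.issuer or attr.issuer)
        else:
            out[ident] = attr
    return out

# Constructed sample: subject-id identifier and DN from slide 17, plus a hypothetical
# role attribute such as a VOMS-style PIP might contribute for the same subject.
SUBJECT_ID = AttributeId("urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                         "urn:globus:4.0:datatype:java:set:principal", True)
ROLE = AttributeId("urn:example:role", "urn:example:datatype:string", False)
DN = "/C=US/O=Globus Alliance/OU=User/CN=101497d3dcd.3dcd5aef"
T0 = datetime(2006, 10, 18, 10, 33, 3)
ENTITY_BOOTSTRAP = {SUBJECT_ID: Attribute(SUBJECT_ID, frozenset({DN}), T0)}
ENTITY_VOMS = {SUBJECT_ID: Attribute(SUBJECT_ID, frozenset({DN}), T0, issuer="voms"),
               ROLE: Attribute(ROLE, frozenset({"admin"}), T0, issuer="voms")}
```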

19 GT 4.2 PDP Interface
- Access rights
  - canAccess()
- Administrative rights
  - canAdmin()
- Return type: Decision
  - PERMIT/DENY/INDETERMINATE
  - Issuer of decision
  - Validity
  - Exception, if any

20 GT 4.2 Authorization Engine
- Pluggable combining algorithm
- AbstractEngine.java
  - Initializes PIPs and PDPs with configured parameters
  - Invokes collectAttributes() on all PIPs
  - Merges the entity attributes returned by PIPs
  - Abstract method engineAuthorize processes the PDPs
    - Combines decisions from individual PDPs
    - Returns Decision
- Default combining algorithm
  - Permit override with delegation of rights
  - At least one decision chain from resource owner to requestor for a PERMIT
  - Resolves delegation-of-rights chains
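The two combining algorithms named on slides 14 and 20 side by side: the 4.0 deny-override engine and the 4.2 default, where a PERMIT needs a chain of grants from the resource owner to the requestor. This is an added model, not the GT AbstractEngine; the ACL PDP, the reading of "PDP owned by X permits Y" as X delegating to Y, the owner-accesses-own-resource shortcut and all DNs are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List

class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    INDETERMINATE = "INDETERMINATE"

@dataclass(frozen=True)
class AclPdp:
    """Access-control-list PDP speaking for one owner: PERMIT listed subjects, DENY others."""
    owner: str
    allowed: FrozenSet[str]

    def can_access(self, subject: str) -> Decision:
        return Decision.PERMIT if subject in self.allowed else Decision.DENY

def deny_override(pdps: List[AclPdp], subject: str) -> Decision:
    """GT 4.0 style: one DENY settles it; PERMIT only if nobody denies and someone permits."""
    decisions = [p.can_access(subject) for p in pdps]
    if Decision.DENY in decisions:
        return Decision.DENY
    return Decision.PERMIT if Decision.PERMIT in decisions else Decision.INDETERMINATE

def permit_with_delegation(pdps: List[AclPdp], resource_owner: str, requestor: str) -> Decision:
    """Simplified 4.2 default: a PDP owned by X that permits Y is read as X delegating the
    right to Y; PERMIT needs a chain of such grants from the resource owner to the
    requestor (breadth-first search), and a DENY elsewhere does not override it."""
    if requestor == resource_owner:  # assumed shortcut: the owner always reaches itself
        return Decision.PERMIT
    candidates = {p.owner for p in pdps} | {requestor}
    seen, queue = {resource_owner}, deque([resource_owner])
    while queue:
        grantor = queue.popleft()
        for pdp in (p for p in pdps if p.owner == grantor):
            for subject in candidates - seen:
                if pdp.can_access(subject) is Decision.PERMIT:
                    if subject == requestor:
                        return Decision.PERMIT
                    seen.add(subject)
                    queue.append(subject)
    return Decision.DENY

# Constructed sample: the resource owner's ACL admits alice and a VO admin; the VO
# admin's own ACL admits bob. All identities are made-up DNs.
OWNER, VO_ADMIN = "/O=Example/CN=resource-owner", "/O=Example/CN=vo-admin"
ALICE, BOB, CAROL = ("/O=Example/CN=" + n for n in ("alice", "bob", "carol"))
PDPS = [AclPdp(OWNER, frozenset({ALICE, VO_ADMIN})), AclPdp(VO_ADMIN, frozenset({BOB}))]
```

Under deny-override the VO admin's ACL vetoes alice, while the delegation chain owner -> vo-admin -> bob lets bob in without the owner listing him.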

21 GT 4.2 Authorization Framework
(Diagram: the Authentication Framework passes the identity and public credential of the client to the Authorization Handler, which selects the appropriate Authorization Engine; bootstrap PIPs bPIP1 [owner1] ... bPIPn [ownerN] produce the request attributes, PIP1 [owner1] ... PIPn [ownerN] do attribute processing, and PDP1 [owner1] ... PDPn [ownerN] answer canAdmin and canAccess, with the PDP combining algorithm producing the Decision.)

22 Authorization Engine Precedence
- Authorization engine used
  - Administrative authorization engine (container)
  1. Resource-level authorization engine
  2. Service-level authorization engine
  3. Container-level authorization engine
- Default:
  - X509BootstrapPIP and Self authorization

23 Some 4.2 PDP/PIP Examples
- Parameter PIP
- VOMS PIP
- SAML AuthN Assertion PIP
- Access Control List PDP
- Parameter-based Resource Property PDP
- SAML AuthZ Assertion PDP

24 Client-side Authorization
- Determines whether the service/resource is allowed to cater to the client's request
- Pluggable authorization scheme
  - Defined interface; implement custom schemes
- Configured as a property on the stub or using security descriptors
- Examples: Self, Host, Identity, None
- Default: Host
- Required when secure conversation is used with delegation

25 GT 4.2 Enhancements
- HostOrSelf authorization
  - Algorithm:
    - Do host authorization
    - If it fails, do self authorization
  - Set as default in the 4.2 code base
- Service key information embedded in the EPR

26 Planned Work
- Authorization engine as a separate module
  - Plain Java interfaces (facilitate use at application level)
  - Standardize the Java interfaces in GGF
- Re-factor PDP/PIP collection
- Remote attribute push
  - SAML/X509 attribute assertions pushed in the SOAP header or embedded in the proxy
- Requirements?

27 Security Descriptor Framework

28 Security Descriptor Overview
- Used to configure security properties
- Declarative security
  - Configure properties in files
- Different types of descriptors for container, service, resource and client security properties
- GT 4.2 enhancements
  - Defined schema for each descriptor

29 Community Authorization Service

30 Community Authorization Service
- Question: how does a large community grant its users access to a large set of resources?
- Community Authorization Service (CAS)
  - Outsources policy administration to a VO sub-domain
  - Enables fine-grained policy
- Resource owner sets coarse-grained policy rules for the foreign domain on the "CAS-identity"
- CAS sets policy rules for its local users
- Requestors obtain capabilities from their local CAS that get enforced at the resource
  - Uses the SAML standard
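The two-layer CAS model on this slide as resource-side enforcement logic: the owner's coarse-grained rule on the CAS identity is intersected with the capability the CAS issued to the requestor, so a CAS can never hand out more than the owner delegated to it. Added example, not Globus code: the Capability type stands in for the SAML assertion (signature verification is assumed to have happened already), and the CAS identities, resource URL and action names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Capability:
    """Capability assertion a requestor obtained from its local CAS (constructed
    stand-in for the SAML assertion; already signature-checked by assumption)."""
    issuer: str              # identity of the issuing CAS
    subject: str             # requestor identity
    resource: str
    actions: FrozenSet[str]

# Coarse-grained rules the resource owner sets on the CAS identity:
# (CAS identity, resource) -> actions the whole community may perform.
CoarsePolicy = Dict[Tuple[str, str], FrozenSet[str]]

def enforce(policy: CoarsePolicy, cap: Capability,
            requestor: str, resource: str, action: str) -> bool:
    """Resource-side enforcement on the CAS identity AND the requestor's capabilities."""
    if cap.subject != requestor or cap.resource != resource:
        return False  # assertion is about another subject or another resource
    community_rights = policy.get((cap.issuer, resource), frozenset())
    if not community_rights:
        return False  # the owner granted nothing to this CAS identity here
    return action in community_rights and action in cap.actions

# Constructed sample: the owner lets community VO-A read and write one directory;
# VO-A's CAS has (over-)granted alice a delete right the owner never delegated.
CAS_A = "/O=Example/CN=cas.vo-a"
DATA = "gsiftp://storage.example.org/projects/vo-a/"
POLICY: CoarsePolicy = {(CAS_A, DATA): frozenset({"read", "write"})}
CAP_ALICE = Capability(CAS_A, "/O=Example/CN=alice", DATA,
                       frozenset({"read", "write", "delete"}))
CAP_OTHER_VO = Capability("/O=Example/CN=cas.vo-b", "/O=Example/CN=bob", DATA,
                          frozenset({"read"}))
```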

31 Community Authorization Service
(Diagram: a Virtual Organization spanning Domain A (Sub-Domain A1) and Domain B (Sub-Domain B1); the Policy Authority treats the CAS identity as "trusted", the Requestor obtains capability assertions from the Community Authorization Svc and sends the request plus CAS assertions to the Server, which enforces on the CAS-identity and the requestor's capabilities.)

32 “Generic” Policy Enforcement

33 "Generic" CAS Policy Engine
(Diagram: three deployment modes: CAS as local PDP, CAS pull model, CAS push model.)

34 Example: CAS for WS Policy Management

35 Planned Work
- Attribute service interface
  - Deploy CAS as an attribute service
- External attribute consumption
  - Pass attribute assertions in the query
- XACML-2/SAML-2 AuthZ query interface
  - Support the passing of attributes
- Requirements?

36 PURSe Architecture
- Portal extensions (CGI scripts) that automate user registration requests
  - Solicits basic data from the user
  - Generates a cert request from the VO CA (implemented with "simple CA" from GT)
  - Admin interface allows the CA admin to accept/reject the request
  - Generates a certificate and stores it in the MyProxy service
  - Gives the user an ID/password for MyProxy
- Benefits
  - Users never have to deal with certificates
  - Portal can get the user cert from MyProxy when needed
  - Database is populated with user data
  - Users are assigned to one or several user groups (with different data access permissions)

37 WS C Security Features (Joe Bester)
- WS-SecureConversation implementation (client/server)
- Service/operation-level authorization
- C delegation client program
- Delegation service implementation

38 Pre-WS C Features (Raj Kettimuthu)
- Gridmap callout for CAS
- Upgrade the OpenSSL version used by GSI
- GridFTP over SSH (planned)
  - Add functionality to server/client to allow the control channel connection as an ssh session
  - No proxies, certs, or CAs are needed for a secure control channel
  - If you can ssh to the host, you can establish a secure GridFTP session
- Data channel authentication for non-GSI connections (planned)
  - Potentially with pre-shared keys