UNICORE and Argus integration Krzysztof Benedyczak ICM / UNICORE Security PT.
EMI INFSO-RI ICM, University of Warsaw 2 10/1/2016

Short outline
– Authorization without Argus in UNICORE
– What does Argus provide?
– Integration option 1: usage of the Argus PDP
– Integration option 2: usage of the Argus PAP
– Future work

USE container and PDP
Most of the UNICORE servers (UNICORE/X, Registry, Workflow Service, Service Orchestrator, ...) use the same container: the UNICORE Services Environment (USE).
– The UNICORE Gateway and the TSI are the exceptions.
USE provides the Grid fabric foundation, including the authorization mechanism.
– The authZ subsystem is simply called the PDP.
– AuthZ is therefore configured in the same way for all UNICORE Grid servers and has the same features everywhere.

Authorization in USE
By default USE provides two similar implementations of the PDP: XACML 1.x and XACML 2.0.
– Both are configured by XACML document(s) stored in file(s) on the local disk.
The UNICORE policy is designed so that an administrator rarely (if ever) needs to tweak it.
– Conventions are used, e.g. everyone with role='user' can submit jobs, everyone with role='admin' can do everything.
USE provides a very flexible mechanism to collect a user's attributes, which are the input for the policy evaluation.
– Because the decision is driven entirely by those attributes, the attribute sources are the trust boundary: whoever can set role='admin' for a user has effectively granted that user everything.

Argus system
Argus is the name of 4 servers and some additional libraries. Three of them are tightly coupled:
– PAP – provides an administrative interface to manage policies, using a simplified policy language. The PAP translates it to XACML 2.0.
– PDP – takes the XACML policies from the PAP and evaluates XACML requests against them.
– PEP – takes authZ requests in a lightweight, Hessian-based proprietary protocol, translates them to XACML and forwards them to the PDP.
The separation of the PDP and the PEP into two servers is at least questionable.

Argus system (continued)
There is also Argus-EES (at an early stage of development), which handles the post-authorization task of preparing the job's execution environment.
– Typically this means assigning a pool account and/or a pool group.
Probably it isn't used anywhere yet (??).

UNICORE and Argus PDP
The first integration option for UNICORE is to use the Argus PDP directly instead of the local policy file(s).
Why don't we use the Argus PEP?
– The PEP was implemented to let gLite C clients avoid the XML/SOAP/XACML stack and use something simpler instead. For UNICORE (which has this stack anyway) it would only be additional overhead.
This feature is already implemented, but it is not useful yet:
– The Argus PDP can take policies only from the Argus PAP, and the Argus PAP uses a simplified policy language that is too simple to express the default UNICORE authZ policy. This will be fixed in Argus...

Disadvantages of Argus PDP usage
Despite the pros (see later) there are obvious disadvantages of using the Argus PDP compared to the local UNICORE policy:
– UNICORE performs authZ queries very often. When those queries are made via remote WS calls, a significant overhead is added.
– The Argus PDP is (another) potential point of failure. If it fails (or the network connection to the PDP does), the only safe behaviour is to deny every request, so the whole UNICORE system is down as well. Redundant Argus servers, network links, dynamic routing etc. help, but they greatly complicate setup and maintenance for potential administrators.

UNICORE and Argus PAP
An alternative solution is being developed for UNICORE:
– The Argus PDP can be ignored, as its functionality is in USE anyway.
– Policies can be downloaded directly from the PAP server, since the PAP server publishes them using a standard protocol.
Such an approach:
– Eliminates the overhead of an authZ query over the network.
– Is fault-resistant (the only problem is that the downloaded policy might be slightly outdated, which is negligible; the staleness is bounded by how often the policy is re-downloaded, so e.g. a newly added central ban takes effect at the next download at the latest).
– Provides an additional feature: local policy rules can be merged with the downloaded ones.
– Since the downloaded rules decide access, the download itself must be authenticated (PAP server identity and transport integrity); otherwise whoever can tamper with it controls the site's authorization.
Therefore, even without changes in Argus, this solution will be useful as soon as it is finished.
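Two of the points above lend themselves to a worked example: the attribute-driven default policy (role='user' may submit jobs, role='admin' may do everything) and the PAP-download option in which centrally published rules are merged with local ones and evaluated inside the container. The Python below is an added illustration written for this page, not UNICORE, USE or Argus code: rules are modelled as flat attribute matches instead of real XACML, the PAP download is a stand-in callable, and the rule names, DNs, VO name and refresh interval are all constructed for the demo. It also shows the two failure modes a practitioner cares about: the PAP going away after a successful download (last good policy kept, marked stale) and the PAP never having been reachable (no policy at all, so the container denies).

```python
"""Added example: local evaluation of central (PAP-style) rules merged with
local rules. Illustrative names only; nothing here is UNICORE or Argus API."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str               # PERMIT or DENY
    match: Dict[str, str]     # every listed attribute must equal the request's value

    def applies(self, request: Dict[str, str]) -> bool:
        return all(request.get(k) == v for k, v in self.match.items())


def evaluate(rules: List[Rule], request: Dict[str, str]) -> str:
    """Deny-overrides combining: one applicable Deny beats any number of
    Permits, so a central ban cannot be undone by a permissive local rule."""
    decision = NOT_APPLICABLE
    for rule in rules:
        if not rule.applies(request):
            continue
        if rule.effect == DENY:
            return DENY
        decision = PERMIT
    return decision


# Local default policy in the spirit of the conventions quoted on the slides
# (hypothetical attribute and action names).
LOCAL_RULES = [
    Rule("admin-all", PERMIT, {"role": "admin"}),
    Rule("user-submit", PERMIT, {"role": "user", "action": "SubmitJob"}),
]


class PapPolicyCache:
    """Keeps the last downloaded central policy and merges it with local rules.
    fetch() stands in for downloading the PAP's published policy. If it fails,
    the last good copy is kept and flagged stale instead of failing every
    authorization; if there never was a good copy, rules() returns None."""

    def __init__(self, fetch: Callable[[], List[Rule]], local_rules: List[Rule],
                 refresh_seconds: float, clock: Callable[[], float]):
        self._fetch, self._local = fetch, list(local_rules)
        self._refresh, self._clock = refresh_seconds, clock
        self._central: Optional[List[Rule]] = None
        self._fetched_at = float("-inf")
        self.stale = False

    def rules(self) -> Optional[List[Rule]]:
        now = self._clock()
        if self._central is None or now - self._fetched_at >= self._refresh:
            try:
                self._central = list(self._fetch())
                self._fetched_at, self.stale = now, False
            except Exception:          # PAP unreachable: keep last good copy
                self.stale = True
        return None if self._central is None else self._central + self._local


def authorize(cache: PapPolicyCache, request: Dict[str, str]) -> str:
    """Container-side glue: anything but an explicit Permit is a Deny, and no
    policy at all (PAP never reached) is a Deny as well (fail closed)."""
    rules = cache.rules()
    if rules is None:
        return DENY
    return PERMIT if evaluate(rules, request) == PERMIT else DENY


# --- constructed demo data: made-up DNs, VO and a fake PAP ------------------
CENTRAL_RULES = [
    Rule("ban-dn", DENY, {"subject": "CN=Banned User,O=Example"}),
    Rule("vo-submit", PERMIT, {"vo": "example.org", "action": "SubmitJob"}),
]


class FakePap:
    """Serves CENTRAL_RULES until down() is called, then raises."""
    def __init__(self, rules, up=True): self._rules, self.up = rules, up
    def down(self): self.up = False
    def __call__(self):
        if not self.up:
            raise ConnectionError("PAP unreachable")
        return self._rules


class FakeClock:
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t


def demo() -> Dict[str, object]:
    pap, clock = FakePap(CENTRAL_RULES), FakeClock()
    cache = PapPolicyCache(pap, LOCAL_RULES, refresh_seconds=60, clock=clock)
    user = {"subject": "CN=Alice,O=Example", "role": "user", "action": "SubmitJob"}
    banned = {"subject": "CN=Banned User,O=Example", "role": "user", "action": "SubmitJob"}
    admin = {"subject": "CN=Bob,O=Example", "role": "admin", "action": "DeleteEverything"}
    guest = {"subject": "CN=Eve,O=Example", "role": "guest", "action": "SubmitJob"}
    results = {"user": authorize(cache, user), "banned": authorize(cache, banned),
               "admin": authorize(cache, admin), "guest": authorize(cache, guest)}
    pap.down(); clock.t = 120.0        # refresh interval elapsed, PAP gone
    results["user_after_outage"] = authorize(cache, user)
    results["stale"] = cache.stale
    never_up = PapPolicyCache(FakePap(CENTRAL_RULES, up=False), LOCAL_RULES, 60, clock)
    results["no_policy_ever"] = authorize(never_up, user)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ordering of central before local rules does not matter under deny-overrides; it would matter under XACML's first-applicable algorithm, where a site that merges local rules must decide deliberately which set wins. The fail-closed branch for a never-reached PAP is the practical cost of the download approach: a container started while the PAP is down has no central policy, so a seed copy on local disk is needed if it is to serve at all.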

When to use Argus in UNICORE?
In most cases the administrator can control users via attributes. If that is enough, Argus is superfluous. However, if:
– administrators do not want to play with attribute assignments (e.g. the site uses many central attribute authorities and overriding them locally turns out to be complicated),
– the site wants to deploy different middlewares and control access to them in a uniform way,
– admins need to change the default UNICORE policy, and those changes happen to be expressible in the Argus simplified policy language,
then Argus is a good option.

Future plans
Currently there is no direct work on supporting Argus-EES.
– This is not easy, as there is no natural plug-in point for it in USE; UNICORE uses a quite different approach to the problem.
There are some initial plans to refactor USE to provide a place to call Argus-EES, but this won't be done in the near future and requires more discussion and investigation.
– Anyway, it seems that Argus-EES offers only a minimal set of features right now.

EMI is partially funded by the European Commission under Grant Agreement RI

Thank you!