Usecases and Requirements for OGSA-Security

Presentation transcript:

Usecases and Requirements for OGSA-Security
Dec. 17th, 2003
Takuya Mori <moritaku@bx.jp.nec.com>, NEC Corporation

Usecase: Resource Sharing across Data Centers

Charlie is a service provider and also a Gold Member of DC_Alice, and is going to host his services on a data center operated by DC_Alice. Grid_DCA (Data Center Affiliation) manages resource sharing among the affiliated data centers.

Diagram: User_Charlie, Grid_DCA (Data Center Affiliation), Data Center Alice, Data Center Bob.
- Contract between Charlie and DC_Alice: a Gold Member may use XYZ GB of storage, etc.
- SLA (Contract) between Data Center Alice and Data Center Bob: a prior bidirectional contract such as "a Gold Member of DC_Alice can use resources of DC_Bob up to PQR GB of storage, ...", etc. SLAs or contracts are managed by the VO.

Configuration of a VO

Diagram: User_Charlie, Grid_DCA (Data Center Affiliation), Data Center Alice, Data Center Bob, SLA (Contract).
- The VO Management Service is created on some Grid environment by a VO Manager, via the VO Factory Service.
- Users and all these resources are added to the VO (Authentication Service).
- Trust relationships between the VO and the ROs are registered (Trust Service).
- SLAs, resource allocation policies, etc. are added to the VO (Policy Service).

Job submission & Resource Allocation

- Charlie is a Gold Member of DC_Alice (Authentication Service).
- Charlie submits a job; DC_Alice grants its Gold Member permission to submit a job (Policy Service).
- The resource allocation policy for a Gold Member is to be enforced (Policy Service, SLA (Contract)).

Diagram: User_Charlie, Grid_DCA (Data Center Affiliation), Data Center Alice, Data Center Bob; the job is split into sub-jobs that run on Server_1, Server_2, Server_3, Server_4, Storage_1 and Storage_2.

Allocation of Shared Resources (1)

- Charlie is a Gold Member of DC_Alice (Authentication Service).
- DC_Alice is a member of Grid_DCA (Grid_DCA Attribute Service).
- DC_Bob grants a Gold Member of DC_Alice to use their resources (Authorization Service, Policy Service).

Diagram: User_Charlie, Grid_DCA (Data Center Affiliation), Data Center Alice, Data Center Bob, SLA (Contract); Charlie's job is split into sub-jobs spread over both data centers (Server_1, Server_2, Storage_1), with one server marked "Heavy workload!!".

Allocation of Shared Resources (2)

Charlie is a service provider, a Gold Member of DC_Alice and also a Bronze User of Grid_DCA, and is going to host his services on a data center operated by DC_Alice.
- Charlie is a Bronze User of Grid_DCA (Grid_DCA Attribute Service).
- DC_Bob grants a Bronze User of Grid_DCA to use their resources (Policy Service).

Diagram: as in (1): User_Charlie, Grid_DCA (Data Center Affiliation), Data Center Alice, Data Center Bob, SLA (Contract); sub-jobs spread over Server_1, Server_2 and Storage_1, with one server marked "Heavy workload!!".

Requirements

- A VO has to manage its memberships. Possible members are users and resources, etc.; a VO and a RO are also kinds of resources.
- A VO has to manage attributes of its members. Possible attributes are groups, roles, etc.
- A VO has to manage policies or agreements related to the VO. Possible policies or agreements are resource allocation policies, authorization policies, etc. These policies and agreements can be associated with requests as a VO context.
- Trust relationships: no dynamic establishment of trust relationships is required in this usecase; a manually configurable trust management mechanism is needed.

Security Services

A VO and a RO Management are very similar services.

Diagram:
- Virtual Organization: VO Management Services (VO Membership Service, VO Policy Service), Attribute Service, Authentication Service (Id Authority), Authorization Service, Policy and Agreement Services (Authorization).
- Real Organization 1 and Real Organization 2: RO Management, Attribute Service, Authentication Service (Id Authority), Authorization Service, Policy and Agreement Services (Authorization).
- Underlying Security Layers: Security Policy (QoP) Exchange & Expression; Session Security (based on WS-SecureConversation); Message Security (based on WS-Security); Naming stuff.
- Legend: described in OGSA / discussed in OGSA-AuthZ-WG / missing in OGSA or OGSA-AuthZ (marked "?" in the diagram).

Security Services

VO Management Services (Policy and Agreement; referred to in subsection 6.2 of the OGSA document):
- VO Factory Service
- VO Membership Service: manages VO membership (users, resources, ...) and issues membership attribute assertions. This means the VO Membership Service is a kind of attribute service.
- VO Policy Service: VO-wide policy service (possible policies include authorization policy, trust policy, and privacy policy).

Policy and Agreement: described in subsection 6.16 of the OGSA document.

Security Services (Contd.)

- Authorization Service: discussed in OGSA-AuthZ-WG, but not in the OGSA document.
- Attribute Service: (will be) discussed in OGSA-AuthZ-WG; not described in the OGSA document now. Issues an attribute assertion that is used for various policy decisions.
- Authentication Service (Credential Validation): not described in the OGSA document. Validates a credential and identifies a requestor; support for PKI and Kerberos is mandatory.
- Trust Management Service: a manually configurable trust management mechanism.
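The Requirements slide (VO-managed memberships, attributes and allocation policies; manually configured trust) and the service split on the two Security Services slides can be exercised with a small model. The following is an added example, not code from the presentation or from any OGSA implementation: it assumes HMAC-SHA256 tags under per-issuer keys stand in for the real credential formats, the class names TrustService, PolicyService and AllocationPolicy are its own, and the storage limits (100 GB, 20 GB) are constructed values in place of the XYZ/PQR placeholders on the slides. It replays the use case: DC_Bob's trust service only accepts assertions from DC_Alice and Grid_DCA, the Gold Member policy is conditioned on DC_Alice being a VO member (a membership assertion issued by Grid_DCA), and a tampered assertion is rejected before any policy is consulted.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed signing keys, one per attribute-issuing service (stand-in for PKI).
ISSUER_KEYS = {
    "DC_Alice": b"constructed-key-dc-alice",
    "Grid_DCA": b"constructed-key-grid-dca",
}


def issue_assertion(issuer: str, subject: str, attribute: str) -> dict:
    """Attribute service / VO Membership Service: issue a tagged attribute assertion."""
    body = json.dumps({"issuer": issuer, "subject": subject, "attribute": attribute},
                      sort_keys=True)
    tag = hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class TrustService:
    """Manually configured trust: which issuers this RO accepts, and the key for each."""

    def __init__(self, trusted_issuers: dict):
        self.trusted_issuers = dict(trusted_issuers)

    def validate(self, assertion: dict) -> Optional[dict]:
        """Return the assertion body if the issuer is trusted and the tag verifies, else None."""
        body = json.loads(assertion["body"])
        key = self.trusted_issuers.get(body["issuer"])
        if key is None:
            return None  # issuer not in the hand-configured trust list
        expected = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["tag"]):
            return None  # tag mismatch: forged or modified after issue
        return body


@dataclass(frozen=True)
class AllocationPolicy:
    """'A <attribute> of <issuer> may use up to <limit_gb> GB of <resource>',
    optionally only while <issuer> is a member of the VO <member_of>."""
    issuer: str
    attribute: str
    resource: str
    limit_gb: int
    member_of: Optional[str] = None


class PolicyService:
    """RO policy decision point: evaluates allocation policies against trusted assertions."""

    def __init__(self, trust: TrustService, policies: list):
        self.trust = trust
        self.policies = list(policies)

    def decide(self, subject: str, resource: str, requested_gb: int, assertions: list) -> tuple:
        # Only assertions that pass trust validation become facts: (issuer, subject, attribute).
        facts = set()
        for a in assertions:
            body = self.trust.validate(a)
            if body is not None:
                facts.add((body["issuer"], body["subject"], body["attribute"]))
        reason = "no applicable policy or no trusted attribute"
        for p in self.policies:
            if p.resource != resource or (p.issuer, subject, p.attribute) not in facts:
                continue
            if p.member_of and (p.member_of, p.issuer, "member") not in facts:
                continue  # the issuing RO is not (provably) a member of the VO
            if requested_gb > p.limit_gb:
                reason = f"{p.attribute} of {p.issuer} limited to {p.limit_gb} GB of {resource}"
                continue  # over this SLA; another policy may still apply
            return True, f"{p.attribute} of {p.issuer} may use {requested_gb} GB of {resource}"
        return False, reason


def run_scenario() -> dict:
    """Replay the slides' use case with constructed numbers; returns each grant decision."""
    # DC_Bob's trust service, configured by hand to accept DC_Alice and Grid_DCA only.
    bob_trust = TrustService({"DC_Alice": ISSUER_KEYS["DC_Alice"],
                              "Grid_DCA": ISSUER_KEYS["Grid_DCA"]})
    bob_policy = PolicyService(bob_trust, [
        AllocationPolicy("DC_Alice", "Gold Member", "Storage_1", 100, member_of="Grid_DCA"),
        AllocationPolicy("Grid_DCA", "Bronze User", "Storage_1", 20),
    ])
    gold = issue_assertion("DC_Alice", "User_Charlie", "Gold Member")
    bronze = issue_assertion("Grid_DCA", "User_Charlie", "Bronze User")
    alice_member = issue_assertion("Grid_DCA", "DC_Alice", "member")  # VO membership assertion
    # Tampered copy: body edited after issue to claim Gold Member of DC_Alice, tag left as-is.
    forged = {"body": bronze["body"].replace("Bronze User", "Gold Member")
                                    .replace("Grid_DCA", "DC_Alice"),
              "tag": bronze["tag"]}
    d = bob_policy.decide
    return {
        "gold_within_sla": d("User_Charlie", "Storage_1", 80, [gold, alice_member])[0],
        "gold_over_sla": d("User_Charlie", "Storage_1", 150, [gold, alice_member])[0],
        "gold_without_vo_membership": d("User_Charlie", "Storage_1", 80, [gold])[0],
        "bronze_only": d("User_Charlie", "Storage_1", 15, [bronze])[0],
        "bronze_over_limit": d("User_Charlie", "Storage_1", 25, [bronze])[0],
        "forged_assertion": d("User_Charlie", "Storage_1", 80, [forged, alice_member])[0],
    }


if __name__ == "__main__":
    for case, granted in run_scenario().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

Two design points match the slides: trust is a static table edited by an administrator rather than negotiated at request time, and the membership of DC_Alice in Grid_DCA is itself an attribute assertion, so the VO Membership Service really is an attribute service from the policy engine's point of view.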