Liang Fang, Dennis Gannon Indiana University Frank Siebenlist

Presentation transcript:

XPOLA: An Extensible Capability-based Authorization Infrastructure for Grids
Liang Fang, Dennis Gannon (Indiana University); Frank Siebenlist (Argonne National Laboratory)

Outline
The Grid security
The problems to be solved
XPOLA: macroscopic view, microscopic view, user's view
Challenges and future work
Conclusion
1/11/2019 PKI R&D 05

The Grid
A type of distributed system that enables resource sharing across administrative domains. A Skynet with better security.
Timeline (figure): 1997, pre-Web services era; 2002, Web services era (SOAP-based); 2004, Grid service = Web service + OGSA.

Grid Security Infrastructure (GSI)
GSI adopts public key cryptography as the basis for providing the Grid with three main functionalities:
Secure communication: SSL, WS-Security
Mutual authentication: PKI
Delegation: proxy certificate
Authorization (and authentication): a gatekeeper daemon maps a Grid identity to a local account at run time according to a grid-map file. The Grid identity is then allowed to exercise all of the account's rights.

A Grid User's Odyssey
Alice wants to access a Grid service. Unfortunately, she first has to:
Apply for an account (~3 days)
Apply for a certificate (~1 week)
Register in the grid-map file (~0.5 day)
Learn how to manage her X.509 certificate (~1 day)
Learn how to configure her service environment (~0.5 hour)
Learn how to get her Grid proxy certificate ready (~0.5 day)
Finally, it is time to use the Grid service.

The Authorization Problems in Real Grid Applications
Not scalable in administration and maintenance: host accounts, X.509 certificates.
Coarse-grained authorization: an authorized user can do much more than access a service.
For example, in the Linked Environments for Atmospheric Discovery (LEAD) project: how to provide authorization to meteorological Grid services running on TeraGrid for THOUSANDS of scientists and grade school students?
Only a few privileged UNIX accounts are available.
Grid services may be generated dynamically (by workflow engines as well as by individual scientists).
Of course, no security breach is acceptable.
TeraGrid is the world's largest, most comprehensive distributed infrastructure, in terms of both software and hardware, for open scientific research.

Existing Grid Security Solutions to Fine-grained Authorization
ACL model: Akenti, Shibboleth, PERMIS
Capability model: CAS, VOMS, PRIMA
Capability carried as a payload: extended proxy certificate (CAS), attribute certificate (VOMS), SOAP (Cardea)
GSI: mutual authentication, secure communication and SSO delegation. GSI2: transport level. GSI3: message level.
ACL vs. capability: ACL is coarse grained; a capability puts less load on the resource.
Figure: the access control matrix (rows Alice, Bob, Carol; columns R1, R2, R3), the ACL model and the capability model, each drawn with Client, Resource and Authority.
Why we need XPOLA:
The above do not address general Web/Grid services in compliance with the Web services security specs.
With central admins, most of them do not address dynamic services well.
Most of them address the problem of accessing static resources. When it comes to harder cases such as a dynamic Grid service, they have difficult answers.
They are not friendly to Alice.

XPOLA: The Characteristics
Principle of Least Authority/Privilege (POLA)-compliant: strictly fine-grained authorization.
Scalable in administration and maintenance: it is never assumed that the service user has an account on the machines. The infrastructure is built on a peer-to-peer chain-of-trust model. No central administrator is involved.
WS-Security compliant: conforms to WS-Security for both persistent and transient Web/Grid services.
Extensible: PKI- and SAML-based, but allows other alternatives.
Dynamic and reusable: Grid resources (Web services and Grid services) are made available to users through manually or automatically generated capabilities, which can be used for multiple requests within their valid lifetimes.

XPOLA: The Big Picture
Figure: a Service Requester holding a capability token; a Host running the Service Provider, a Processing Stack with a Token Agent, and service SVC A; a Capability Manager (Capman) with Persistent Storage and Request Processing, which handles capability requests and creates, updates and destroys capabilities; a Registry (EPR of service A, ...); and a Community Informative Authority.
Community Informative Authority: like a policy-level CA, but managed by the service provider himself.

XPOLA: Capabilities
A capability includes:
Policy document
Bindings of the provider's distinguished name (DN), as well as the users' DNs
Identifier of the Grid resource
Optional: operations of a Web service instance
Lifetime (notbefore, notafter)
The provider's signature, generated with his private key
Security Assertion Markup Language (SAML): each capability is a set of SAML assertions (AuthorizationDecisionStatement).
However, the policy document and protection mechanism are extensible: XACML, symmetric keys, ...

XPOLA: Web Services Security
A series of emerging XML-based security standards from W3C and OASIS for SOAP-based Web services, providing authentication, integrity, confidentiality and so on. XSOAP conforms to Web services security.
SOAP binding (figure): the SOAP message header carries the capability token (policies as SAML assertions plus the provider's signature) and the WS-Security section (user's signature, ...); the body follows.

XPOLA: Enforcement
The processing chain (figure): an arriving SOAP message passes through the authentication processing node (SOAP signature verification), then the authorization node (token verification), then other processing nodes to the application service. On the way back, the application service's response passes through token insertion and SOAP signature generation before being dispatched.
Token verification asks, in turn: Is the token signature valid? Do the owner and user match? What is the policy decision? Has the token expired? A failure at any step (N) leads to fault generation; success (Y) continues the chain.
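The capability contents from the previous slide and the token verification chain from this one, as an added example that is not XPOLA's own code. It models the policy document as a Python dataclass instead of SAML assertions and, so that it runs offline on the standard library, uses an HMAC key as a stand-in for the provider's private-key signature; the DNs and resource identifier are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Constructed signing key. XPOLA signs a capability with the provider's private key;
# an HMAC key stands in here so the example runs offline on the standard library.
PROVIDER_KEY = b"constructed-provider-key"


@dataclass
class Capability:
    """The policy document of a capability, with the fields listed on the slide."""
    provider_dn: str      # binding of the provider's distinguished name
    user_dns: list        # bindings of the users' DNs
    resource: str         # identifier of the Grid resource (assumed: a URN for its EPR)
    operations: list      # optional: permitted operations of the service instance
    not_before: int       # lifetime as epoch seconds
    not_after: int
    signature: str = ""   # provider's signature over everything above


def _canonical(cap):
    body = {k: v for k, v in asdict(cap).items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue(cap, key=PROVIDER_KEY):
    """Provider signs the policy document, binding every field to the signature."""
    cap.signature = hmac.new(key, _canonical(cap), hashlib.sha256).hexdigest()
    return cap


def verify(cap, service_owner_dn, requester_dn, resource, operation, now, key=PROVIDER_KEY):
    """Token verification in the order of the enforcement slide: token signature,
    owner/user match, policy decision, expiry. Returns the first reason to deny."""
    expected = hmac.new(key, _canonical(cap), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cap.signature):
        return "deny: token signature invalid"
    if cap.provider_dn != service_owner_dn:
        return "deny: token was not issued by this service's provider"
    if requester_dn not in cap.user_dns:
        return "deny: requester DN is not bound to this capability"
    if cap.resource != resource or operation not in cap.operations:
        return "deny: policy does not cover this resource or operation"
    if not cap.not_before <= now <= cap.not_after:
        return "deny: capability expired or not yet valid"
    return "permit"
```

The signature check comes first so that a token altered after issuance (for example, an added user DN) is rejected before any of its claims are consulted.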

XPOLA: User's View in Grid Portals
Figure: within the Grid portal's user context, the provider issues a capability token through the Capability Manager portlet; the Proxy Manager portlet supplies the user's proxy certificate; the Weather Service portlet presents the capability token and proxy certificate to the Weather Service on the user's behalf.
XPOLA makes it possible for all the PKI and authorization details to be hidden from the users.

Challenges and Future Work
Revocation
Performance and scalability: message-level session-based communication; load balancing
Denial of Service (DoS) mitigation

Conclusion
XPOLA provides a fine-grained authorization infrastructure for general Web and Grid services. More than that, it:
Scales
Is extensible
Is WS-Security compliant
Is adaptable for dynamic services
Is reusable
Is user (as well as provider) friendly