Slide 1: A Unified Approach to Trust, Delegation, and Authorization
Blair Dillaway, Greg Fee, Microsoft Corporation
Presented at GGF18
Copyright © 2006, Microsoft Corporation.
Slide 2: Today's Talk
- Presents research results on a new approach for addressing Grid access control requirements
- Comprehensive solution with uniform semantics
- Flexibility to support different operational models
- Fine-grained trusts and constrained delegation
- Results based on a new security policy language design and prototype implementation
Slide 3: Security Policy Assertion Language (SecPAL)
- Declarative, logic-based security language
- Easily read as English sentences with a restricted grammar
- Supports distributed policy authoring and composition
- Simple syntactic checks ensure evaluation safety
- Complete solution for access control requirements: trust, authorization, and delegation policies, auditing, PKI for identity management
- XML implementation; uses standard parsers, XML DSig, XMLEnc
- Some features not covered in this talk (revocation, audit, ...)
Slide 4: Partial SecPAL Grammar

    assertion  ::= Principal says fact [ if existsFact1 and ... and existsFactN and c ]
    fact       ::= principal can actionVerb resource [qualifiers]
                 | principal possess attribute [qualifiers]
                 | principal can say fact
    principal  ::= typically a cryptographic identifier (K-Bob)
    resource   ::= URL; hierarchical namespaces supported
    actionVerb ::= read | write | list | call | send ...
    attribute  ::= type=value  (rfc822Name, groupName, serviceName, ...)
    qualifiers ::= timespan (i.e., [T1, T2])
    existsFact ::= principal actionVerb resource [qualifiers]
                 | principal possess attribute [qualifiers]
    c          ::= t2-t1 ≤ A | t1 ≤ Current-Time() ≤ t2 | !c | c1 ^ c2

Authorization queries:

    query      ::= principal says existsFact | query1 ^ query2 | query1 v query2 | !query | c

Assertions can use concrete values or variables, optionally restricted by a pattern.
Slide 5: Exemplary Grid Environment
Slide 6: Prototype Implementation
- Supports a multi-domain Windows® environment
- Major security components:
    - SecPAL libraries and web service protocol integration
    - SecPAL STS
    - Authentication, Authorization, and Audit Gateways
- Integrates with:
    - Windows Compute Cluster Server 2003
    - Windows Communication Foundation (aka 'Indigo'), .NET Framework
    - Windows identity management (Active Directory®, Kerberos, X.509)
    - XML and Web Service protocol standards
Slide 7: The Problem
How do we implement a complete access control solution that allows Bob to delegate only the required access rights to his job running on a C-HPC cluster?
Requires:
- Managing trust relationships
- Authentication supporting multiple principal types
- Authorization for job scheduling and FR data access
- A constrained delegation mechanism
Subsequent slides describe one approach investigated.
Slide 8: Cross-Domain Trusts
- Define the ResGrid VO, C-HPC, and Birch relationships
- As with other PKIs, domain STS keys are discovered using an out-of-band mechanism
- SecPAL explicit trust policies, for example:
    K-CHPC says K-ResGrid can say x possess groupName==^ResGrid/\w+$, roleName==^ResGrid/\w+/\w+$ [t1,t2] if t1 ≤ Current-Time() ≤ t2
    K-CHPC says K-Birch can say x possess serviceName=^https?://\w+\.birch\.edu/\w+$ [t1,t2] if t1 ≤ Current-Time() ≤ t2
Slide 9: Principal Security Tokens
- Token acquisition can use mechanisms similar to those for other public-key based systems.
- An example: bootstrapping from organizational X.509 user certificates using the WS-Trust SecPAL profile
Slide 10: Principal Security Tokens (2 of 2)
- Bob's attributes from his X.509 certificate and the directory:
    K-Contoso says K-Bob possess commonName=Bob Jones, organizationName=Contoso
    K-Dir says K-Bob possess groupName=ResGrid/ProjectX, roleName=ResGrid/ProjectX/Researcher
- SecPAL policy can control attribute inclusion:
    K-ResGrid says K-Contoso can say x possess
    K-ResGrid says K-Dir can say x possess groupName=.+, roleName=.+
- Query for all attribute types; valid bindings exist for x, e, g, and r only:
    K-ResGrid says x possess rfc822Name=e v ... groupName=g v ... roleName=r v ... commonName=c v ... organizationName=o
- Issued token:
    K-ResGrid says K-Bob possess groupName=ResGrid/ProjectX, roleName=ResGrid/ProjectX/Researcher [9/12/2006, 10/11/2006]
Slide 11: Master Scheduler Access Control
- Access control policy:
    K-Sched says K-CHPC can say x can say y possess groupName=.+, roleName=.+
    K-Sched says x read, write, list, delete //queue/ProjectX if x possess groupName=ResGrid/ProjectX
- Bob creates a new ProjectX job using his token:
    K-ResGrid says K-Bob possess groupName=ResGrid/ProjectX ...
- Combined with the C-HPC trust policy, this lets one conclude:
    K-Sched says K-Bob read, write, list, delete //queue/ProjectX
- Bob can also authenticate the scheduler based on its token
Slide 12: Cluster Access Control
- Clusters accept jobs from the Master Scheduler and rely on the user's attributes for isolating job information
- ClusterA's policy:
    K-ClusterA says K-CHPC can say x can say y possess groupName=.+, roleName=.+
    K-ClusterA says K-CHPC can say x possess serviceName=^
    K-ClusterA says y read, write, list, delete //queue/ProjectX if x possess groupName=ResGrid/ProjectX and y possess serviceName=^
- The Master Scheduler sends a job request to ClusterA, authenticates using its token, and includes the job's user token. One can deduce:
    K-ClusterA says K-Sched read, write, list, delete //queue/ProjectX
Slide 13: File Repository Policy
- FR stores data by project, with per-user isolation inside a project
- FR policy for the ProjectX directory:
    1. K-FR says K-Birch can say x can say y possess rfc822Name=.+, groupName=.+, roleName=
    2. K-FR says K-Birch can say x can say y possess appName=.+, dnsName=
    3. K-FR says x read, write, list //fs/ProjectX if x possess groupName=ResGrid/ProjectX
    4. K-FR says x can say y v r [t1,t2] if x v r and y possess appName=.+, dnsName=.+ and t2-t1<5Days ^ t1<Current-Time()<t2
  (in 4, v and r are variables standing for a verb and a resource: x may delegate only rights x itself holds)
- Bob creates the directory '//fs/ProjectX/Bob', authenticating with his token; FR autogenerates the appropriate policy:
    5. K-FR says x read, write, list, delete //fs/ProjectX/Bob if x possess groupName=ResGrid/ProjectX
- Combined with 1, 2, and 4 above
Slide 14: Bob's Delegation
- Bob's job needs rights to //fs/ProjectX/Bob. Bob doesn't know the job identity, so he authorizes the Master Scheduler to delegate:
    K-Bob says K-Sched can say x read, write, list //fs/ProjectX/Bob [t1,t2] if t2-t1<5Days
- When ClusterA starts Bob's job, it collects the required tokens:
    K-CHPC says K-Job possess dnsName=clustera.c-hpc.com, appName='Blast, Version=1.0' [9/12/2006, 9/16/2006]
    K-Sched says K-Job read, write, list file://fs/ProjectX/Bob [9/12/2006, 9/16/2007]
- The job can access Bob's data using the job and delegation tokens; FR evaluates 'K-FR says K-Job read, write, list //fs/ProjectX/Bob'.
- Using the assertions from K-Bob and K-Sched we conclude:
    K-Bob says K-Job read, write, list file://fs/ProjectX/Bob [9/12/2006, 9/16/2007]
- Using Bob's identity token, FR can conclude:
    K-FR says K-Bob can say K-Job read, write, list, delete file://fs/ProjectX/Bob [t1,t2] if t2-t1<5Days ^ t1<Current-Time()<t2
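As an added worked example, not code from the slides or from Microsoft's SecPAL implementation, the Python miniature below implements the two derivation rules the slides rely on (an assertion "A says fact if conditions and c" whose conditions are themselves facts A says, and "A says B can say fact" combined with "B says fact" yielding "A says fact") as a backward-chaining prover with per-use variable renaming, and replays the File Repository's check of "K-FR says K-Job read //fs/ProjectX/Bob" through the nested can-say trusts of slides 11 to 13 and Bob's constrained delegation on slide 14. Assumptions: attribute patterns such as groupName=.+ are collapsed to variables, K-FR reaches K-ResGrid and K-CHPC through two constructed Birch trust assertions the slides do not show, verbs are checked one at a time, validity windows appear only on access facts, and Current-Time() is fixed at the constructed date 9/14/2006.

```python
# Constructed SecPAL-style evaluator (not Microsoft's code): facts are tuples, "?v" strings are variables.
from datetime import date
MAX_DEPTH, NOW, ids = 6, date(2006, 9, 14), iter(range(10**9))   # NOW stands in for Current-Time()
def is_var(t): return isinstance(t, str) and t.startswith("?")
def walk(t, b): return walk(b[t], b) if is_var(t) and t in b else t      # resolve a bound variable
def subst(t, b): return tuple(subst(x, b) for x in t) if isinstance(t := walk(t, b), tuple) else t
def variables(t): return {t} if is_var(t) else set().union(*map(variables, t)) if isinstance(t, tuple) else set()
def unify(p, q, b):                                       # bindings making p and q equal, or None
    p, q = walk(p, b), walk(q, b)
    if p == q: return b
    if is_var(p) or is_var(q): return {**b, p: q} if is_var(p) else {**b, q: p}
    if not (isinstance(p, tuple) and isinstance(q, tuple) and len(p) == len(q)): return None
    for x, y in zip(p, q):
        if (b := unify(x, y, b)) is None: return None
    return b
def rename(fact, conds, cst):                             # fresh variable names for each use of an assertion
    m = {v: f"{v}#{next(ids)}" for v in variables((fact, conds))}
    def chk(b):                                           # the constraint sees its original variable names
        vals = {v: subst(m[v], b) for v in m}
        return not any(map(is_var, vals.values())) and cst(vals)
    return subst(fact, m), subst(conds, m), chk if cst else None
def prove(issuer, fact, b, depth=0):                      # yield bindings under which `issuer says fact` holds
    if depth > MAX_DEPTH: return
    for a_issuer, a_fact, a_conds, a_cst in ASSERTIONS:   # rule 1: issuer says fact if conds and c
        if a_issuer != walk(issuer, b): continue
        f, conds, chk = rename(a_fact, a_conds, a_cst)
        if (b1 := unify(f, fact, b)) is not None:
            yield from (b2 for b2 in prove_all(a_issuer, conds, b1, depth) if chk is None or chk(b2))
    d = f"?d{next(ids)}"                                  # rule 2: issuer says d can say fact, and d says fact
    for b1 in prove(issuer, ("cansay", d, fact), b, depth + 1):
        yield from prove(walk(d, b1), fact, b1, depth + 1)
def prove_all(issuer, conds, b, depth):                   # prove every condition as `issuer says cond`
    if not conds: yield b; return
    for b1 in prove(issuer, conds[0], b, depth + 1):
        yield from prove_all(issuer, conds[1:], b1, depth)
DIR, T4, T30 = "//fs/ProjectX/Bob", (date(2006, 9, 12), date(2006, 9, 16)), (date(2006, 9, 12), date(2006, 10, 12))
def current(b): return (b["?t2"] - b["?t1"]).days < 5 and b["?t1"] <= NOW <= b["?t2"]   # slide 13's constraint
ASSERTIONS = [   # K-FR policy (slide 13), Birch trusts (constructed to close the chain), tokens (slides 10, 14)
    ("K-FR", ("cansay", "K-Birch", ("cansay", "?x", ("possess", "?y", "?attr", "?val"))), (), None),
    ("K-FR", ("can", "?x", "read", DIR, "?t1", "?t2"), (("possess", "?x", "groupName", "ResGrid/ProjectX"),), None),
    ("K-FR", ("cansay", "?x", ("can", "?y", "?v", "?r", "?t1", "?t2")),
     (("can", "?x", "?v", "?r", "?t1", "?t2"), ("possess", "?y", "appName", "?a")), current),
    ("K-Birch", ("cansay", "K-ResGrid", ("possess", "?y", "?attr", "?val")), (), None),
    ("K-Birch", ("cansay", "K-CHPC", ("possess", "?y", "?attr", "?val")), (), None),
    ("K-ResGrid", ("possess", "K-Bob", "groupName", "ResGrid/ProjectX"), (), None),
    ("K-CHPC", ("possess", "K-Job", "appName", "Blast, Version=1.0"), (), None),
    ("K-Bob", ("cansay", "K-Sched", ("can", "?x", "read", DIR, "?t1", "?t2")), (), lambda b: (b["?t2"] - b["?t1"]).days < 5),
    ("K-Sched", ("can", "K-Job", "read", DIR, *T4), (), None),        # 4-day job token (slide 14)
    ("K-Sched", ("can", "K-Job", "read", DIR, *T30), (), None)]       # constructed 30-day token, must be refused
def may(s, v, t1, t2): return next(prove("K-FR", ("can", s, v, DIR, t1, t2), {}), None) is not None  # FR's query
```

The 30-day scheduler token is refused even though K-Sched issued it, because the t2-t1<5Days constraints on both Bob's delegation and the FR's delegation policy fail, while the job still has no right Bob did not hold himself (a write request is refused too).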
Slide 15: Demo

Slide 16: Continuing Research
- Automated delegation generation
- Revocation infrastructure
- Other forms of delegation
    - Job management rights
- Constrained trust management
- Mobile code policies
For more information see