KAoS Semantic Policy and Domain Services An Application of DAML/OWL to a Web-Services Based Grid Architecture.


KAoS Semantic Policy and Domain Services An Application of DAML/OWL to a Web-Services Based Grid Architecture

Outline  Introduction KAoS Overview Integration of OGSA and KAoS Related Work Future Work

Introduction IHMC has developed KAoS Services to manage multi-agent systems. KAoS domain services provide an organizational structure to an agent community which facilitates policy management of agent actions. The general nature of KAoS Services has enabled application in domains outside of agent systems.

Introduction
Grid researchers envision the formation of Virtual Organizations (VOs) [3], where people and resources gather to address complex problems that require extensive collaboration. Most VOs are managed in a manner similar to network administration, which is inadequate to handle complex permissions and trust relationships.

Community work indicates need
The problem of service management and access control is shared by agent-based systems, web services, and Grid computing. Solutions begin to appear in three communities:
- Grid computing: Community Authorization Service (CAS) [5]
- Web services: XACML [9]
- Multi-agent systems: KAoS, Rei, Ponder, etc. [12]

Merging trends indicate opportunity
Grid computing and Web services:
- They face similar challenges such as service advertisement, matchmaking, etc.
- The Globus Project presents the Open Grid Service Architecture (OGSA) [6], which is based on Web service specifications.
Agent-based systems, Web services and Grid computing:
- Work on Semantic Web Services and Semantic Grid makes them much more suited as platforms for multi-agent systems [7,8].

Our approach Apply KAoS Domain and Policy Services to manage the Web Services based OGSA-compliant Globus Toolkit 3 (GT3) Grid environment.

Outline Introduction  KAoS Overview Integration of OGSA and KAoS Related Work Future Work

KAoS overview
KAoS is a collection of componentized domain and policy services oriented to complex agent environments. Based on the pluggable infrastructure of Java Agent Services (JAS) [1], KAoS is compatible with a number of agent or non-agent platforms, including:
- the DARPA CoABS Grid,
- Brahms, etc.,
- and now GT3.

KAoS domain services
KAoS domain services structure groups of agents/resources/services into domains and subdomains. Domains can represent any sort of group imaginable:
- Complex organizational structures.
- Dynamic task-oriented teams.
- Grid Virtual Organizations for resource sharing.

KAoS policy services KAoS policy services allow for specification, management, conflict resolution and disclosure of policies within domains.

Policy representation
KAoS policies are represented in DAML/OWL and are based on the KAoS Policy Ontologies (KPO). The current version of KPO
- defines concepts including actions, actors, places, groups, policies, etc.,
- distinguishes between authorizations and obligations, and
- can be extended with additional classes and rules for a given application.

Policy specification KAoS Policy Administration Toolkit (KPAT) makes policy creation and management easier.

Policy distribution and enforcement
Each agent is associated with a Guard. All policies that pertain to an agent will be distributed to its Guard. A platform-specific Enforcer intercepts the agent's actions and queries the Guard to decide whether the actions are authorized. If not, the actions will be blocked by platform-specific enforcement mechanisms.

Outline Introduction KAoS Overview  Integration of OGSA and KAoS Related Work Future Work

Overview of the integration
KAoS and GT3 are perfect complements because:
1. KAoS provides policy and domain services needed by GT3.
2. GT3 GSI provides platform-specific enforcement mechanisms required by KAoS.
The KAoS Grid service provides an interface between GT3 and KAoS.

KAoS Grid Service Architecture (diagram; components shown: Container, Client, Grid Service Stub, KAoS Grid Service, KAoS Guard, KAoS Domain and Policy Services, connected via JAS)

Registration
A client must register with the KAoS Grid service in order to use the domain and policy services.
- Clients that are not in a domain will only have limited default authorizations.
- Clients send their own X.509 proxy certificates to the KAoS Grid Service for authentication.

Grid policy expression
Sample policy format:
- It is permitted for actor(s) X to perform action(s) Y on target(s) Z.
Coarse-grain policies
- are based on the existing KPO, and
- permit or forbid overall access to a Grid service.
An example:
- It is forbidden for Client X to perform a communication action if the action has a destination of Chat Service Y.
Fine-grain policies
- require extending KPO with new concepts, and
- permit or forbid access to an operation of a Grid service.

Ontology creation
Since Grid services require an extension to KPO, we are working on a tool to generate a DAML/OWL ontology for a given WSDL document. The generated ontologies can be modified to refer to a generic ontology. Grid administrators load the ontology extension and specify the policies using KPAT.

Policy deconfliction
KAoS provides the capability to identify conflicts between policies through a theorem prover and can harmonize them if desired.

Policy enforcement
Policies are forwarded to the Guard associated with the KAoS Grid service. When a client requests a service, the KAoS Grid service checks whether the requested action is authorized by querying the Guard. If the action is authorized, the KAoS Grid service returns a restricted proxy certificate that can be used to access the service. The local security mechanism uses the restricted proxy certificate to allow or block the actions.
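The policy expression, deconfliction and enforcement steps described above, as an added illustration that is not part of the original slides or of KAoS itself: a toy Guard in Python that holds permit/forbid policies of the slide's "actor X, action Y, target Z" form at coarse (service) or fine (operation) granularity, reports conflicting pairs, and answers authorization queries. The domain-membership default, the precedence rule (fine-grain over coarse-grain, then priority, ties deny) and all names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

ANY = "*"  # wildcard: the policy covers every actor, action or target

@dataclass(frozen=True)
class Policy:
    # "It is permitted (or forbidden) for actor X to perform action Y on target Z."
    # operation=None: coarse-grain (whole Grid service); named: fine-grain (one operation).
    actor: str
    action: str
    target: str
    permitted: bool
    operation: Optional[str] = None
    priority: int = 0

def _overlap(a, b):
    return a == ANY or b == ANY or a == b

@dataclass
class Guard:
    policies: list = field(default_factory=list)
    domain_members: set = field(default_factory=set)  # clients registered in a domain

    def applicable(self, actor, action, target, operation=None):
        return [p for p in self.policies
                if _overlap(p.actor, actor) and _overlap(p.action, action)
                and _overlap(p.target, target)
                and (p.operation is None or p.operation == operation)]

    def conflicts(self):
        # Deconfliction: overlapping scope, same granularity and priority, opposite
        # modality; such pairs cannot be harmonized by precedence and are reported.
        found = []
        for i, a in enumerate(self.policies):
            for b in self.policies[i + 1:]:
                same = (_overlap(a.actor, b.actor) and _overlap(a.action, b.action)
                        and _overlap(a.target, b.target) and a.operation == b.operation)
                if same and a.permitted != b.permitted and a.priority == b.priority:
                    found.append((a, b))
        return found

    def is_authorized(self, actor, action, target, operation=None):
        if actor not in self.domain_members:
            return False  # client not registered in any domain: default deny
        matches = self.applicable(actor, action, target, operation)
        if not matches:
            return False  # no policy permits the action: default deny
        rank = lambda p: (p.operation is not None, p.priority)  # fine-grain first, then priority
        top = max(rank(p) for p in matches)
        return all(p.permitted for p in matches if rank(p) == top)  # any forbid at the top blocks

def demo_guard():
    # Constructed sample policies; "client_x" and "chat_service_y" echo the slide's example.
    g = Guard(domain_members={"client_x", "client_w"})
    g.policies += [Policy(ANY, "invoke", "chat_service_y", permitted=True),
                   Policy("client_x", "communicate", "chat_service_y", permitted=False),
                   Policy("client_w", "invoke", "chat_service_y", False, operation="deleteRoom")]
    return g
```

A positive answer from is_authorized is the point at which the real KAoS Grid service would hand back the restricted proxy certificate; the toy stops at the decision.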

Local Security Mechanism (diagram of SOAP message flow among Client, Stub, KAoS Grid Service, KAoS, WS Security Request Handler and Grid Service; a Credential is issued if authorized and the request is checked for a match against it)

Impact on GT3
GT3 components that need to be modified:
- The Grid service skeleton that all Grid services are based on.
- WS Security Request Handler, which intercepts all incoming messages of a service container.
- Client stubs.
Things that do not need to be modified:
- Service source code.
- Client source code.

Outline Introduction KAoS Overview Integration of OGSA and KAoS  Related Work Future Work

Related work
Web service approaches:
- WS-Security, XACML and SAML
Globus approach:
- Community Authorization Service

Web service approaches
WS-Security is complementary to this work, providing for the basic needs of message integrity, confidentiality, and single-message authentication [10].
XACML provides schema and namespaces for access control policies [9].
- The disadvantage of XACML is that the meanings are implicit.
- Implicit semantics assume a consensus in human interpretation. Ambiguity arises when interpretations differ.
- DAML-based policies can be mapped to lower-level XACML representations.

Web service approaches (cont'd)
SAML allows for exchanging authentication and authorization information [10].
- In the SAML model, policies are gathered at the Policy Decision Point (PDP).
- The PDP returns the policy decision to the Policy Enforcement Point (PEP).
Disadvantage of the SAML model:
- SAML puts too much burden on services by requiring them to gather the evidence needed for the policy decision.

Comparison of CAS and KAoS
Compatibility:
- CAS is a prototype that only works with a special version of the GridFTP service of GT2.
- KAoS is designed to work with OGSA-compliant GT3.
Policy expression and reasoning:
- The CAS server stores the policies as a list of rights.
- KAoS uses DAML/OWL and the Java Theorem Prover (JTP) to express and reason about policies.

Outline Introduction KAoS Overview Integration of OGSA and KAoS Related Work  Future Work

Obligations
Authorization vs. Obligation:
- authorizations = constraints that permit or forbid some action
- obligations = constraints that require some action to be performed, or else serve to waive such a requirement
KAoS Obligations are working in other areas (CoAX, NASA IS, HyRes, etc.).
Implementing Obligations with Grid services will require some additional handlers and more sophisticated action-to-ontology mapping, but should still not impact the client or service source code.
Enablers are components that provide capabilities the client may lack in order to meet an obligation.

Generalization to Web services
Our KAoS implementation on GT3 actually governs all GSI-enabled Web services. We are monitoring the progress of Web service security standards.
(diagram listing Web services, GSI-enabled Web services, Grid services, Secure Grid services)

Questions?

References
1. Arnold, G., J. Bradshaw, B. de hOra, D. Greenwood, M. Griss, D. Levine, F. McCabe, A. Spydell, H. Suguri, S. Ushijima. (2002) Java Agent Services Specification.
2. Foster, I., Kesselman, C., Nick, J., & Tuecke, S. (2002). The Physiology of the Grid: An Open Grid Services Architecture for Distributed Systems Integration. Open Grid Service Infrastructure Working Group, Global Grid Forum, 22 June.
3. Foster, I., Kesselman, C., and Tuecke, S. (2001). The Anatomy of the Grid: Enabling Scalable Virtual Organizations. International J. Supercomputer Applications, 15(3).
4. Foster, I., and C. Kesselman. (1998) The Globus Project: A Status Report. Heterogeneous Computing Workshop, IEEE Press, 1998.
5. Pearlman, L., Welch, V., Foster, I., Kesselman, C., & Tuecke, S. (2002) Community Authorization Service for Group Collaboration. IEEE Workshop on Policies for Distributed Systems and Networks.
6. Tuecke, S., Czajkowski, K., Foster, I., Frey, J., Graham, S., & Kesselman, C. (2002) Grid Service Specification.
7. Tonti, G., Bradshaw, J., Jeffers, R., Montanari, R., Suri, N., & Uszok, A. (2003), Semantic Web Languages for Policy Representation and Reasoning: A Comparison of KAoS, Rei and Ponder. Submitted to the 2nd International Semantic Web Conference (ISWC2003), Sanibel Island, Florida, USA.