Privilege Management and Spocp Presentation at Advance CAMP Authority Architecture – Broomfield, Colorado July 2, 2004 by Roland Hedberg.

Presentation transcript:

What's SPOCP
● Attribute-based 'real-time' authorization server
● Simple query-based protocol
● Made to use external information resources
● Uses S-expressions to express policies and requests for permissions. Built around the '<=' operation.
● Returns Yes/No and, if configured so, additional information together with a Yes

Place in the chain
(diagram: User -> Application -> SPOCP; the SPOCP server in turn consults back ends such as SQL, LDAP, an external program or another SPOCP server)

Where are we right now?
● Latest version
● Getting real-time usage experience
● Working on the administrative interface
● Spocpfied applications: Postfix, uPortal, OpenLDAP
● Access modules: Apache, PAM
● Local applications: NyA, LpW, ...
● Non-AuthZ usages: information access, certificate verification, route daemon
● Client libs: C, Java, Python, Perl

Heads-up
● Message-based 'meta directory tool'
– We are building a 'meta directory tool' based on XMPP as the message passing system
– RDF as the format for update information
– Spocp as the message policy server
● SSH
– Implement SPOCP support in auth.c:allowed_user. Investigate generalization of the authorized_keys file, possibly in conjunction with a generalized .k5login mechanism in Heimdal.
● Heimdal
– SPOCP support in kadmind through a general authorization plugin mechanism. SPOCP support in the KDC (general ticket policy). Look at generalizing the .k5login file.

Administrative interface
● What about it?

Baseline
● Privilege management system interface based on 'roles'
– A role is a convenient 'handle' for a set of attribute-values.
– Easier to understand and relate to
● 'Roles' are assigned/constructed by administrators; their names (if they have any) are only valid in the context of the privilege management system.
● Access control system based on attribute values and constraints.

In Spocp terms
● Role ~= Boundary condition expression
– Logical operators 'AND', 'OR' and 'NOT'
– Boundary condition = relationship between objects or a constraint
  ● adm-group := "localgroup:{//uid[1]}:adm:${0}"
  ● rbl := "rbl:{//ip[1]}:blackholes.mail-abuse.org:${0}"
– Link to external information resources
● Access right = S-expression
● Policy = S-expression [ bcondexp ]

The way we plan to do it (the default, there are exceptions)
● Distributed authentication (CWAA)
– A framework for authentication between organizations. It is designed to be independent of the authentication system used within an organization.
– Uses the CMS (Cryptographic Message Syntax) protocol
– The authentication server returns a ticket that contains an ID representing the authenticated party
– Web apps only
● Distributed authorization (Spocp)
– Authorization servers based on affiliation/context
– Uses the ID provided by the authN service
– Common central applications publish the format of the queries they will pose

Plugin examples
● System
● Time
● Spocp
● Ipnum
● Gdbm
● LDAPset
● Flatfile
● Difftime
● Localgroup
● RBL
● Regexp
● SQL

Example ("ladok på webb")
● LADOK is a central student administration system
– Information about courses
– Information about students
– Local information
● LpW is a set of modules that universities can use in their student portals

LpW -> Spocp queries
Query format: (lpw (action )(obj )(subj ))
action = function: "Adresslista", "Register", "Uppfolj", ...
obj = object: course-ID
subj = ID: requestor-ID
Local rule: (lpw (action Adresslista)) => (ref lpw-user)
"lpw-user" is a locally defined 'role', based on whatever

Example of 'role' definition
lpw-user := ldapset: {/lpw/subject/uid[1]} : tonwig1.adm.umu.se ; cn=ladokuser,cn=group,dc=umu,dc=se ; cn=person,dc=umu,dc=se ; \0/uniqueMember & {\1$uid & ${0}}
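The slides above describe SPOCP's decision model in three pieces: the '<=' operation on S-expressions ("What's SPOCP"), boundary conditions combined with AND/OR/NOT ("In Spocp terms"), and the LpW rule (lpw (action Adresslista)) => (ref lpw-user) whose 'role' is resolved by an ldapset plugin. The following Python is an added example written for this page, not SPOCP's own code or its real wire protocol. It models the '<=' relation (atoms must match, a rule list may be a prefix of the query list), a small boundary condition language, and a "lpw-user" condition that stands in for the ldapset lookup with a constructed in-memory group. The (* any)/(* set ...) wildcard forms, the {/lpw/subj/uid[1]} path notation (mirroring the slides' {//uid[1]} syntax and using the query slide's "subj" tag), the sample users and the "blocked" constraint are all assumptions of the example.

```python
"""Toy model of SPOCP-style '<=' matching plus boundary conditions (added example)."""
import re
from typing import Callable, Dict, List, Optional, Tuple, Union

SExpr = Union[str, List["SExpr"]]
BCondExpr = Union[str, Tuple]                 # a bcond name, or ("and"|"or"|"not", ...)
BCondFn = Callable[[SExpr], bool]
_TOKEN = re.compile(r"\(|\)|[^\s()]+")
_STEP = re.compile(r"^([^\[\]]+)(?:\[(\d+)\])?$")


def parse(text: str) -> SExpr:
    """Parse one S-expression, e.g. '(lpw (action Adresslista))', into nested lists."""
    tokens, pos = _TOKEN.findall(text), 0

    def read() -> SExpr:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unbalanced '('")
        tok, pos = tokens[pos], pos + 1
        if tok == ")":
            raise ValueError("unbalanced ')'")
        if tok != "(":
            return tok
        items: List[SExpr] = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(read())
        if pos >= len(tokens):
            raise ValueError("unbalanced '('")
        pos += 1                                  # consume the closing ')'
        return items

    expr = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after expression")
    return expr


def le(query: SExpr, rule: SExpr) -> bool:
    """query <= rule: atoms must be equal; a rule list may be a prefix of the query list
    (compared element-wise), so (lpw (action Adresslista)) covers (lpw (action Adresslista)(obj X)(subj Y)).
    (* any) and (* set a b ...) are modelled after SPOCP's star forms (assumption of this example)."""
    if isinstance(rule, list) and rule[:2] == ["*", "any"]:
        return True
    if isinstance(rule, list) and rule[:2] == ["*", "set"]:
        return isinstance(query, str) and query in rule[2:]
    if isinstance(rule, str):
        return query == rule
    return isinstance(query, list) and len(query) >= len(rule) and all(le(q, r) for q, r in zip(query, rule))


def lookup(expr: SExpr, path: str) -> Optional[str]:
    """Resolve a slide-style path such as '{/lpw/subj/uid[1]}': each step names the head atom of a
    (sub)list and '[n]' takes element n. Mirrors the slides' {//uid[1]} notation, not SPOCP's grammar."""
    node: SExpr = expr
    for i, step in enumerate(s for s in path.strip("{}").split("/") if s):
        m = _STEP.match(step)
        if not m:
            raise ValueError(f"bad path step {step!r}")
        name, index = m.group(1), m.group(2)
        if i > 0 and isinstance(node, list):      # descend into the child list headed by `name`
            node = next((c for c in node[1:] if isinstance(c, list) and c[:1] == [name]), None)
        if not (isinstance(node, list) and node[:1] == [name]):
            return None
        if index is not None:
            node = node[int(index)] if int(index) < len(node) else None
    return node if isinstance(node, str) else None


def eval_bcond(expr: BCondExpr, query: SExpr, registry: Dict[str, BCondFn]) -> bool:
    """Evaluate a boundary condition expression: a registered name, or AND/OR/NOT over them."""
    if isinstance(expr, str):
        return registry[expr](query)
    op, *args = expr
    if op == "and":
        return all(eval_bcond(a, query, registry) for a in args)
    if op == "or":
        return any(eval_bcond(a, query, registry) for a in args)
    if op == "not":
        return not eval_bcond(args[0], query, registry)
    raise ValueError(f"unknown operator {op!r}")


def decide(query: SExpr, rules: List[Tuple[SExpr, Optional[BCondExpr]]], registry: Dict[str, BCondFn]) -> str:
    """'Yes' if some rule covers the query and its boundary condition (if any) holds, else 'No'."""
    for rule, bcond in rules:
        if le(query, rule) and (bcond is None or eval_bcond(bcond, query, registry)):
            return "Yes"
    return "No"                                   # nothing matched: default deny


# Constructed sample data standing in for the ldapset/localgroup plugins (hypothetical values):
LADOK_USERS = {"alice", "bob"}                    # members of the ladokuser group
BLOCKED_UIDS = {"bob"}                            # an extra, made-up constraint
REGISTRY: Dict[str, BCondFn] = {
    "lpw-user": lambda q: lookup(q, "{/lpw/subj/uid[1]}") in LADOK_USERS,
    "blocked": lambda q: lookup(q, "{/lpw/subj/uid[1]}") in BLOCKED_UIDS,
}
RULES: List[Tuple[SExpr, Optional[BCondExpr]]] = [
    (parse("(lpw (action Adresslista))"), "lpw-user"),                       # the slide's local rule
    (parse("(lpw (action (* set Register Uppfolj)))"), ("and", "lpw-user", ("not", "blocked"))),
]


def ask(query_text: str) -> str:
    """Parse an LpW query string and decide it against RULES/REGISTRY."""
    return decide(parse(query_text), RULES, REGISTRY)
```

Calling ask("(lpw (action Adresslista)(obj 5TN043)(subj (uid alice)))") gives "Yes" because the query is '<=' the first rule and alice is in the constructed ladokuser group; the same query for carol, or any action the rules do not cover, gives "No". The point the model makes explicit is that the rule only has to be a prefix of the query, so applications can add (obj ...) and (subj ...) elements without every rule having to mention them.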

Privilege Management and Spocp – Set of UIs
● The end-user UI should use roles/groups
● In our case roles/groups will be translated into boundary conditions and/or parts of S-expressions
● The types of permission are application dependent (functions).
● The owners of the resource define the delegation order.

Our relation to Signet
1. "Privilege Management Recipe" - YES!
2. Privilege Management Toolkit – YES!
3. Internet2 Middleware integration – ?
4. Multi-organizational scenarios - ?
5. Support Group-based PM – YES!
6. Role and PI as EduPerson attributes - ?