EuroPKI 2005, June 30th, 2005

“Towards a Unified Authentication and Authorization Infrastructure for Grid Services: Implementing an Enhanced OCSP Service Provider into GT4”
Jesús Luna G., Manel Medina L., Oscar Manso C.
Universitat Politècnica de Catalunya, Departament d’Arquitectura de Computadors

Agenda
– Motivation
– Background
– Objective
– Proof of concept
– Related work
– Future work

Motivation

Grid Services
– Open Grid Services Architecture (OGSA): service orientation to virtualize resources -> everything is a service.
– A standard substrate: the Grid service. Standard interfaces (OGSI) and behaviors that address key distributed-system issues: naming, service state, lifetime, notification.
– Grid service = Web service + OGSA + OGSI
– Grid services are moving from eScience to eBusiness.

Oracle’s Use of Grid Technology*
Use Grid technology to build better products:
– Oracle Database 10g: enhanced scalability, relocation and distributed SQL; max database size -> 8 exabytes.
– Oracle Application Server 10g: already based on J2EE/Web Services; extending it to include OGSI yields powerful capabilities.
– Improves scalability and flexibility; increases in both scalability and efficiency; improves competitiveness of existing products.
* “Open Grid Services Architecture: A tutorial”. Foster, Ian.

Oracle Grid Product Offerings
Oracle Database 10g
– Transportable tables
– Distributed SQL
– Managed using OGSI-compliant interfaces (?)
Oracle Application Server 10g
– Hosting for OGSI-compliant Grid services
– Development environment
– Application Server can be managed and configured using OGSI-compliant interfaces (?)

Performance & Security
... but is the traditional Grid Security Infrastructure (GSI) framework ready for Grid Services?

Background

Globus Toolkit
[Figure: Globus Toolkit component map by area, each component tagged GT2, GT3 or GT4 for the release that introduced it.]
Security: Pre-WS Authentication Authorization; WS Authentication Authorization; Community Authorization Service (CAS); Credential Management; Delegation Service.
Data Management: GridFTP; Reliable File Transfer (RFT); OGSA-DAI [Tech Preview]; Replica Location Service (RLS).
Execution Management: Grid Resource Allocation Mgmt (Pre-WS GRAM); Grid Resource Allocation Mgmt (WS GRAM); Community Scheduler Framework [contribution].
Information Services: Monitoring & Discovery System (MDS2); Monitoring & Discovery System (MDS4).
Common Runtime: C Common Libraries; XIO; Java WS Core; C WS Core; Python WS Core [contribution].
Web Services components: WS Authentication Authorization, CAS, Delegation Service, RFT, OGSA-DAI, WS GRAM, Community Scheduler Framework, MDS4, Java WS Core, C WS Core, Python WS Core.
Non-WS components: Pre-WS Authentication Authorization, Credential Management, GridFTP, RLS, Pre-WS GRAM, MDS2, C Common Libraries, XIO.

GT4 Container
Open Source implementation of Grid Services through a WSRF Container.
[Figure: GT4 Container stack. User Applications sit on Custom Web Services, Custom WSRF Web Services and GT4 WSRF Web Services; these build on WS-Addressing, WSRF and WS-Notification over WSDL, SOAP and WS-Security; Registry and Administration services are part of the container.]

GT4’s Use of Security Standards

GT4: AA Framework
[Figure: message flow between the Subject (holding a Delegated Proxy), the Grid Services in the WSRF Container, and the Container- or Service-level AuthZ PDPs and AuthZ SOAs:]
1. Proxy Initialization (Subject)
2. Service Request (Subject -> Grid Service)
3. Authentication Request; 3a. Authentication Decision
4. Authentication Response
5. Authorization Request (Grid Service -> Container or Service AuthZ PDPs / AuthZ SOAs); 5a. Authorization Decision
6. Authorization Response
7. Service Response
8. Proxy Destruction

Conceptual Grid Authorization Framework*
– Trust Management.
– Privilege Management.
– Attribute Authorities.
– Privilege Assignment.
– Attribute Assertions Management.
– Policy Management.
– Authorization Context.
– Authorization Server.
– Enforcement Mechanisms.
* “Conceptual Grid Authorization Framework and Classification”, R. Baker, L. Gommans, A. McNab, M. Lorch, L. Ramakrishnan, K. Sarkar and M. R. Thompson. Global Grid Forum Working Group on Authorization Frameworks and Mechanisms, February 2003.

Objective
Improve the GT4 Container’s security and performance by integrating common AuthN and AuthZ features into a Unified Authentication and Authorization Infrastructure (AAI).

AA Performance and Security
[Figure: the same GT4 AA flow as on the “GT4: AA Framework” slide (steps 1-8), shown again to highlight that authentication (3, 3a, 4) and authorization (5, 5a, 6) are two separate exchanges between the Grid Service and its AuthZ PDPs / SOAs for a single Service Request.]

Proposed Unified AAI
[Figure: the Subject, holding a Delegated Proxy, contacts the Grid Services in the WSRF Container; the separate AuthN and AuthZ components are replaced by a single Unified AAI.]

Proposed Validation Policy
[Figure: the Unified AAI evaluates a VO Distributed Validation Policy that combines the Subject + HO AA Rules with the Resource + VO AA Rules.]

Proposed Trust Engine
[Figure: a Trust Engine is added to the Unified AAI to evaluate the VO Distributed Validation Policy on behalf of the Subject and the Grid Services in the WSRF Container.]

Unified AAI Proposal
[Figure: message flow with the Unified AAI and its Trust Engine:]
1. Validation and Accreditation Request (Subject -> Unified AAI)
2. Validation and Accreditation Response
3. Proxy Initialization
4. Service Request (Subject -> Grid Service)
5. Accreditation Request (Grid Service -> Unified AAI); 5a. Accreditation Decision
6. Accreditation Response
7. Service Response
8. Proxy Destruction

Grid Services Authentication Challenges
– X.509 Credentials life-cycle management.
– Single Sign-On.
– Delegation.
– Identity Federation.
– Trust conditions.
– Privacy and anonymity.
– Interoperability and extensibility.
– Authentication Architecture.
– Subject and Resource Authentication Policies.
– Use of formal methods.
– Authentication traffic.

Grid Services Authorization Challenges
– Interoperability and extensibility.
– Use of formal methods.
– Policy writing.
– Distributed Policy Management.
– Subject-side and Resource-side Authorization Rules.
– Authorization Architecture and Performance.
– Security of Authorization Assertions.
– Fine-grained Authorization for Grid Service Operations (portTypes) and Service Data Elements (SDE).
– Session-based Authorization.
– Conditional Replies.

Proof of concept: An Enhanced OCSP Service Provider for GT4

Why OCSP in Grids?
– Used to provide near real-time certificate status to Grid relying parties.
– Avoids the burden of managing local CRLs at Grid clients.
– May allow support for Proxy Certificate revocation.
– OCSP Service requirements for Grids: discoverable, fault tolerant and low latency.
– OCSP support is not implemented in GT4.
– Grids need to define an OCSP Policy (GGF CAOPS-WG).

CertiVeR Enhanced OCSP Service Provider
– Distributed architecture.
– May work as a Trusted or an Authorized Responder (in RFC 2560 terms: a responder whose key the relying party trusts directly, or one the issuing CA has delegated to by issuing it a certificate carrying the id-kp-OCSPSigning extended key usage).
– Supports customized OCSP Response Extensions, which may carry AuthZ-related information.
– Supports Proxy Certificate revocation.

Adding OCSP support to GT4
– CertiVeR OCSP Java API integrated into the Java CoG Kit’s ProxyPathValidator class; the same CoG class is used by Java WS Core.
– The client first builds the EEC chain, then sends the whole chain for validation in a single OCSP Request, and receives the status of every certificate in a single OCSP Response.
– Fully compliant with RFC 2560: an OCSPRequest carries a requestList (a SEQUENCE OF Request) and the ResponseData carries a SEQUENCE OF SingleResponse, so one round trip can cover the chain.

Related Work

Akenti (Berkeley Lab):
– Not exactly an AAI.
– Manages distributed AuthZ.
– Pre-WS Grid integration in progress.
PERMIS (EU-funded project):
– AuthZ based on Attribute Certificates.
– AuthN agnostic.
– Recently integrating with GT4 and SAML.
Shibboleth (Internet2/IBM):
– Designed for Web Services.
– Supports inter-institutional AA based on existing security schemes.
– Delivers user privacy through anonymity.
– GridShib in progress (NSF).
Cardea (NASA):
– Designed for NASA’s Information Power Grid.
– Uses XACML.
– Manages distributed AuthZ.
VOMS:
– AuthZ is established by enforcing agreements between Resource Providers (RP) and VOs.
– Information about a user’s rights at an RP is defined in an Extended ACL and depends on the user’s VO membership.
– Uses GSI AuthN and delegation mechanisms.
– Based on the DataGrid and DataTAG frameworks.

Future Work and Conclusions

OCSP and GT4
– OCSP Policy fine-tuning to balance Security and Performance (signed Responses, use of nonces, etc.).
– Enable full Proxy Certificate revocation support with either of two mechanisms:
1. Sending the Proxy Cert in the OCSP Request -> depends on the OCSP Service Provider.
2. Without sending the Proxy Cert in the OCSP Request -> works with any OCSP Service Provider.
– To be included in the next release of GT4.
– Work in progress: “OCSP Requirements for Grids” with the CAOPS-WG in the GGF.
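The following is an added example, not code from the paper, CertiVeR or GT4. It shows the checks a relying party has to perform on an OCSP response before acting on it, covering the points raised on the “CertiVeR Enhanced OCSP Service Provider”, “Adding OCSP support to GT4” and “OCSP and GT4” slides: nonce binding, CertID match, freshness, and the Trusted / Authorized Responder rules of RFC 2560 section 4.2.2.2. It is written in Python with the `cryptography` library rather than Java/CoG because that library can build both the request and a signed response offline; the CA, delegated responder, rogue certificate, EEC, names and hash-algorithm choices are all constructed for the demonstration. It validates one certificate per request; the paper's single request covering a whole EEC chain relies on RFC 2560's requestList, which this library does not expose.

```python
"""Relying-party OCSP checks for a Grid EEC: nonce, CertID match, freshness and
responder authorization (RFC 2560 2.2 and 4.2.2.2). Added example with a
constructed in-memory test PKI; this is not CertiVeR or GT4 code."""
import os
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

GOOD, REVOKED = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED
_aware = lambda dt: dt if dt is None or dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def _cert(cn, key, issuer=None, issuer_key=None, ca=False, ocsp_signer=False):
    """Issue a short-lived test certificate (self-signed when issuer is None)."""
    now, name = datetime.now(timezone.utc), x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(hours=1)).not_valid_after(now + timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signer:  # id-kp-OCSPSigning marks a CA-delegated "authorized responder"
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())


def make_pki():
    """Constructed PKI: CA, delegated responder, a CA-issued key WITHOUT the OCSP EKU, one EEC."""
    ca_key, resp_key, rogue_key, eec_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    ca = _cert("Test Grid CA", ca_key, ca=True)
    return {"ca": ca, "ca_key": ca_key, "responder_key": resp_key, "rogue_key": rogue_key,
            "responder": _cert("Test OCSP Responder", resp_key, ca, ca_key, ocsp_signer=True),
            "rogue": _cert("Some Service", rogue_key, ca, ca_key),  # must be refused as responder
            "eec": _cert("Grid User", eec_key, ca, ca_key)}


def build_request(eec, issuer):
    """Client: one CertID plus a fresh nonce that binds the response to this request."""
    nonce = os.urandom(16)
    req = (ocsp.OCSPRequestBuilder().add_certificate(eec, issuer, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False).build())
    return req, nonce


def build_response(eec, issuer, signer, signer_key, status, nonce=None):
    """Responder: signed BasicOCSPResponse for the EEC, optionally echoing the nonce."""
    now = datetime.now(timezone.utc)
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=eec, issuer=issuer, algorithm=hashes.SHA1(), cert_status=status,
                       this_update=now, next_update=now + timedelta(hours=1),
                       revocation_time=now if status == REVOKED else None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, signer).certificates([signer]))
    if nonce is not None:
        b = b.add_extension(x509.OCSPNonce(nonce), critical=False)
    return b.sign(signer_key, hashes.SHA256())


def _authorized(signer, issuer, trusted):
    """RFC 2560 4.2.2.2: the CA, a locally trusted responder, or a CA-issued OCSP-signing cert."""
    if signer == issuer or signer in trusted:
        return True
    try:
        issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                   ec.ECDSA(signer.signature_hash_algorithm))
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except (InvalidSignature, x509.ExtensionNotFound):
        return False
    return signer.issuer == issuer.subject and ExtendedKeyUsageOID.OCSP_SIGNING in eku


def check_response(resp, req, nonce, issuer, trusted=(), skew_hours=0):
    """Relying party: "good", "revoked" or "reject: <reason>"; skew_hours shifts the verifier clock."""
    now = datetime.now(timezone.utc) + timedelta(hours=skew_hours)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return f"reject: status {resp.response_status.name}"
    try:  # nonce absent or different: the response may be a replay
        if resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce != nonce:
            return "reject: nonce mismatch"
    except x509.ExtensionNotFound:
        return "reject: nonce missing"
    if (resp.serial_number, resp.issuer_key_hash, resp.issuer_name_hash) != (
            req.serial_number, req.issuer_key_hash, req.issuer_name_hash):
        return "reject: CertID does not match the request"
    # locate the signer by key hash, then verify its authority before its signature
    signer = next((c for c in [issuer, *trusted, *resp.certificates]
                   if x509.SubjectKeyIdentifier.from_public_key(c.public_key()).digest
                   == resp.responder_key_hash), None)
    if signer is None or not _authorized(signer, issuer, trusted):
        return "reject: responder not authorized for this CA"
    try:
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return "reject: bad response signature"
    this_upd = _aware(getattr(resp, "this_update_utc", None) or resp.this_update)
    next_upd = _aware(getattr(resp, "next_update_utc", None) or resp.next_update)
    if now < this_upd or (next_upd is not None and now > next_upd):
        return "reject: response stale"
    if resp.certificate_status == REVOKED:
        return "revoked"
    return "good" if resp.certificate_status == GOOD else "reject: status unknown"
```

The order of the checks is deliberate: the nonce and CertID comparisons are cheap and fail first, the signature is only verified after the signer has been shown to be the issuing CA, a locally trusted responder or a CA-delegated certificate with id-kp-OCSPSigning (a CA-issued service certificate without that EKU is refused even though its signature would verify), and the thisUpdate/nextUpdate window is checked last. Dropping the nonce is the “performance” end of the trade-off named on the slide: it lets a responder pre-produce and cache signed responses, but removes the replay protection the nonce branch provides.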

Unified AAI: next steps
Validation Policy:
– Full definition based on the Unified AA Framework.
– Move to XACML?
– Build upon ETSI’s Signature Policy concept?
Unified AAI:
– SAML adoption for GT4 interoperability (callouts).
– Fault tolerant architecture.
Trust Engine:
– Distributed Validation Policy evaluation and management (maybe with a parallel paradigm?).
– Use CertiVeR’s enhanced Responses to convey signed evidence and thus optimize the evaluation process.
Traditional Web Services (non-WSRF-based) can also make use of the Unified AAI.

Many thanks!