SAML-XACML AuthZ Interface: Analysis and design suggestions. Yuri Demchenko, SNE Group, University of Amsterdam. EGEE (Enabling Grids for E-sciencE), INFSO-RI-031688, www.eu-egee.org

Presentation transcript:

Slide 1: SAML-XACML AuthZ Interface: Analysis and design suggestions
Yuri Demchenko, SNE Group, University of Amsterdam

Slide 2: Outline
- Goals and background
- AuthZ components in EGEE/OSG and interoperability picture
- Obligations – definition and use cases
- Reference model for Obligations Handling (OHRM)
- Obligations expression conventions
- Examples, implementations and (inter)operability tests
- Issues for discussion

Slide 3: Goals and background
Goals
  – Common SAML-XACML AuthZ Interface to achieve interoperability between different AuthZ systems
  – Basis for the Site Central AuthZ Service (SCAS)
History and lessons to be learnt
  – Started/initiated at the MWSG11 meetings, March 1-2, 2007 at UCSD
  – Development stages: Agreement – Discussion – Common understanding – (Analysis, Requirements?) – (Design?) – Alpha implementation – (Design?) – Beta implementation (planned)
JRA1 commissioned an AuthZ study and the drafting of the technical document "SAML-XACML Authorisation Interface and XACML Obligations Handling" (obligations-01.pdf)

Slide 4: Document focus
"SAML-XACML Authorisation Interface and XACML Obligations Handling" (version 0.1)
- Analysis of the current AuthZ components
- Basic information on SAML 2.0, XACML 2.0 and the SAML 2.0 profile of XACML
- Proposed design suggestions and solutions
  – Two basic use cases of a possible SCAS implementation, LCAS/LCMAPS based and native XACML based, which correspondingly implement the stateful and the stateless PDP operational model
  – Description of different obligation enforcement scenarios
  – Obligations Handling Reference Model (OHRM)
  – (Conventional) agreement on the expression of Obligations in the XACML policy and the applicable XACML Request format
  – ObligationId format and OHRM-related Obligation marking/labelling approach
  – Basic (design) requirements for the ObligationHandler API
  – SAML 2.0-XACML profile conformance test definition and requirements

Slide 5: Current AuthZ components in EGEE/OSG
[Diagram: gLite Compute Element or Storage Element (edg-gk, glexec, edg-gridftpd, gt4-interface, pre-WS GT4 gk, gridftp, opensshd) and Worker Node (glexec), each calling LCAS + LCMAPS with the regular set of L&L plug-ins (on the CE/SE also G-PBox)]
Issues with this setup:
- share/distribute the gridmapdir for mapping consistency
- share/distribute the configurations for the nodes
- share/distribute authorization files, like grid/groupmapfiles and a blacklisting file
- Scaling issues: lots of nodes will probably overload an NFS server
This slide was borrowed from O. Koeroo's presentation at MWSG/EGEE07

Slide 6: SAML-XACML interface based interoperability picture
The Policy Obligation concept/mechanism is identified as the solution for Grid-specific account mapping and other types of AuthZ decision enforcement (quota, path, priority).
[Diagram: front-end nodes (CE, SE, WN, etc.) on the OSG side (pre-WS GT4 gk, gridftp, opensshd; Prima + gPlazma; dCache; GUMS (+ SAZ)) and on the EGEE side (glexec, edg-gk, edg-gridftpd, gt4-interface, CREAM; LCAS + LCMAPS with L&L plug-ins and G-PBox callout; gJAF), plus pilot jobs on Worker Nodes (both EGEE and OSG), exchange SAML-XACML Request/Response messages through a common SAML-XACML AuthZ library and SAML-XACML plug-in with the Site Central AuthZ Service (SCAS), the G-PBox/SCAS callout and the GUMS SAML-XACML interface]

Slide 7: Policy enforcement mechanisms and Obligations
Policy Obligation is one of the policy enforcement mechanisms
  – Obligations are a set of operations that must be performed by the PEP in conjunction with an authorization decision [XACML 2.0]
Obligations enforcement scenarios
  – Obligations are enforced by the PEP at the time of receiving the obligated AuthZ decision from the PDP
  – Obligations are enforced at a later time, when the requestor accesses the resource or service: this requires the use of AuthZ assertions/tickets/(restricted proxy?)
  – Obligations are enforced before or after the resource or service is accessed/delivered/consumed: not discussed in the current study/document, refer to the OGSA AUTHZ-WG discussions

Slide 8: Obligations use cases
- Account mapping
- Priority/queue
- Resource/Storage path/location
- Quota assignment
- Service combination with implied conditions (e.g., computing and storage resources)
- Usable resources/quota

Slide 9: Current OSG-EGEE Obligations List
- [T] [S] UID + GID
- [T] [S] Multiple secondary GIDs – requires UID+GID
- [T/E] [R] AFS token (type string) – requires UID+GID
- [E] [S] Username (for CE)
- [T/E] [R] Path restriction – requires UID+GID or Username
- [A] [S] Storage priorities (gPlazma) – requires UID+GID or Username
- [E] [R] File system privilege mask
Legend:
  – [T]: policy may use a template Obligation
  – [E]: policy may use an explicit Obligation
  – [S], [R], [A]: Obligation applied to the AuthZ Subject, Resource, Action

Slide 10: Obligations Handling Reference Model
Generic AuthZ service model
- PEP – Policy Enforcement Point
- PDP – Policy Decision Point
- PAP – Policy Authority Point
- OH – Obligation Handler
- CtxHandler – Context Handler
- (S, R, A, E) – components of the AuthZ request (Subject, Resource, Action, Environment)
[Diagram: Resource Site with Service/Resource, AuthZ Gateway (AuthZ Handler), PEP, Context Handler, Obligation Handler (OH-PEP) and Resource ObligHdlr (OH-R); Site Central AuthZ Service (SCAS) with PDP, PAP, PIP (Ctx Hdlr), Obligation Handler (OH-PDP), State DB (Usage Controller) and an external CVS. Messages: ServReq(Srv,An,Az) → AzReq(Srv,Subj,Act) → XACMLAzReq(S,R,A,E); SAMLXACMLReq(S,R,A,E) / SAMLXACMLResp(Decsn,Oblig) carried over the WSDL AuthZ PT (SOAP/SSL) between the Resource Site and SCAS; XACMLPolicy(Target(S,R,A,E), Rules(S,R,A,E), Oblig0) supplied by the PAP; XACMLAzResp(Dcsn,Oblig0) → OH-PDP → XACMLAzResp(Dcsn,Oblig1) → OH-PEP → AzResp(Dcsn,Oblig2) → ServReq(Srv,Oblig2) to the Resource, which applies it against its own environment and state]

Slide 11: Obligations Handling in gJAF
[Diagram: gJAF Obligations Handling Dataflow]

Slide 12: Obligations Handling Stages
Obligation0 = tObligation => Obligation1 ("OK?", (Attributes1 v Environments1)) => Obligation2 ("OK?", (Attributes2 v Environments2)) => Obligation3 (Attributes3 v Environments3)
Obligation0 – (stateless or template) Obligations are returned by the PDP in the form in which they are written in the policy. These obligations can also be considered a kind of template or instruction, tObligation.
Obligation1 and Obligation2 – Obligations have been handled by the Obligation Handler at the SCAS/PDP side or at the PEP side, depending on the implementation. The templates or instructions of Obligation0 are replaced with the real attributes in Obligation1/2, e.g. in the form of "name-value" pairs.
  – The result of Obligations processing/enforcement is returned in the form of a modified AuthzResponse (Obligation1) or of global Resource environment changes
  – The Obligation Handler should return a notification about the fulfilled obligated actions, e.g. in the form of a Boolean value "False" or "True", which is taken into account by the PEP or another processing module to finally permit or deny the service request at the PEP
  – Note: Obligation1 handling at the SCAS or PDP side allows a stateful PDP/SCAS
Obligation3 – Final stage, when an Obligation actually takes effect (Obligations "termination"). This is done by the Resource itself or by services managed/controlled by the Resource.

Slide 13: Obligation expression in XACML
General Obligation term
  Obligation = Apply (TargetAttribute, Operation (Variables))
  Obligation = Apply (TargetAttribute, Operation (Variables), Chronicle)
  Ref: the Chronicle attribute was proposed by the OGSA AUTHZ-WG
Example XML fragment:
  <AttributeAssignment DataType= AttributeId="urn:oasis:names:tc:xacml:1.0:example:attribute:access-subject">
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="
  <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:poolaccount" DataType="
    <PoolAccountDesignator AttributeId=" DataType="
    egee-pool-next-available

Slide 14: ObligationId format and semantics
ObligationId format
  – should use the OASIS SAML/XACML prefix
  – agreed namespace identifier for the target project or use cases
  – may use either URN or URI form
Suggested namespace identifiers
  – glite:security:authz:(policy | policy:obligation)
Suggested sub-trees for management and deployment purposes
  – orgname/projname or servicename
  – example
  – test
Adding suffixes for versioning and staging
  – version0.1
  – stage0
  – template

Slide 15: Examples
ObligationId examples using the SAML/XACML URN style
  urn:oasis:names:tc:xacml:2.0:glite:security:authz:policy:obligation:obligation.UID
  urn:oasis:names:tc:xacml:2.0:glite:security:authz:example007:policy:obligation:obligation.UID
  urn:oasis:names:tc:xacml:2.0:glite:security:authz:EGEE:policy:obligation:obligation.UID
Examples using the general URI style
  – Note: consider URI security issues
Examples adding a versioning/staging suffix
  urn:oasis:names:tc:xacml:2.0:glite:security:authz:policy:obligation:obligation.UID:version0.1
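The handling stages of slide 12, the template obligation of slide 13 and the ObligationId convention of slides 14-15 together, as an added example that is not code from the presentation or from gJAF/SCAS/G-PBox: a minimal Obligation Handler that checks ObligationIds against the suggested URN format, expands the "egee-pool-next-available" template into a real pool account with UID/GID (Obligation0 to Obligation1), keeps the allocation state that makes the SCAS/PDP-side handler stateful, and returns the True/False notification the PEP acts on. The regex, the REQUIRES dependency table (derived from the "Requires UID+GID" annotations of slide 9) and the POOL account table are constructed assumptions.

```python
import re

# Added example, not code from the presentation or from gJAF/SCAS/G-PBox: a
# minimal Obligation Handler for slides 12-15. It checks the ObligationId
# convention, expands template (tObligation) values into real attributes
# (Obligation0 -> Obligation1) and returns the True/False notification for the
# PEP. The regex, REQUIRES and POOL tables are constructed for illustration.
OBLIGATION_ID_RE = re.compile(
    r"^urn:oasis:names:tc:xacml:2\.0:glite:security:authz:"
    r"(?:(?P<ns>[A-Za-z0-9_.-]+):)?"                 # optional org/project sub-tree
    r"policy:obligation:obligation\.(?P<name>[A-Za-z0-9_]+)"
    r"(?::(?P<suffix>version[0-9.]+|stage[0-9]+|template))?$"  # versioning/staging
)
# Dependencies from the slide-9 list ("Requires UID+GID or Username"); any one
# alternative set is enough.
REQUIRES = {
    "SecondaryGIDs": [{"UID", "GID"}],
    "AFSToken": [{"UID", "GID"}],
    "PathRestriction": [{"UID", "GID"}, {"Username"}],
}
TEMPLATE = "egee-pool-next-available"           # template value from slide 13
POOL = {"egee001": (50001, 5000), "egee002": (50002, 5000)}  # constructed: user -> (uid, gid)


def parse_obligation_id(oid):
    """Return {'ns', 'name', 'suffix'} for a well-formed ObligationId, else None."""
    m = OBLIGATION_ID_RE.match(oid)
    return m.groupdict() if m else None


def handle_obligations(obligations, allocated):
    """Obligation0 -> Obligation1 for a list of (ObligationId, attributes).
    `allocated` holds pool accounts already handed out; keeping it on the
    SCAS/PDP side is what makes the handler stateful (slide 12 note).
    Returns (ok, resolved); ok=False means the PEP must deny the request."""
    resolved, satisfied = [], set()
    for oid, attrs in obligations:
        parsed = parse_obligation_id(oid)
        if parsed is None:
            return False, []                        # unknown ObligationId format
        name, attrs = parsed["name"], dict(attrs)
        if name == "UID" and attrs.get("poolaccount") == TEMPLATE:
            free = [a for a in POOL if a not in allocated]
            if not free:
                return False, []                    # pool exhausted: cannot fulfil
            account = free[0]
            allocated.add(account)
            attrs["poolaccount"] = account
            attrs["uid"], attrs["gid"] = POOL[account]
            satisfied |= {"UID", "GID"}             # UID + GID obligation fulfilled
        satisfied.add(name)
        resolved.append((name, attrs))
    for name, _ in resolved:                        # enforce "Requires ..." constraints
        if not any(alt <= satisfied for alt in REQUIRES.get(name, [set()])):
            return False, []
    return True, resolved
```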

Slide 16: Globus, G-PBox, gJAF implementations and interoperability tests
Globus SAML-XACML Library
  – C and Java based SAML-XACML library
  – Axis2 generated + supported classes
  – No native XACML PDP
G-PBox
  – SAML-XACML library generated from schema
  – Native XACML PDP and XACML policies
gJAF
  – OpenSAML 2.0 extensions for the SAML-XACML profile
  – SunXACML based native XACML PDP
Tests done so far
  – Globus alpha test setup: OK, however problems integrating the XACML PDP
  – G-PBox library (with gJAF): OK
  – Calling Globus with G-PBox libraries: Fail

Slide 17: Issues to discuss
- Reference model for Obligations handling (OHRM)
  – AuthZ ticket/assertion for the integrity of the obligated AuthZ decision
- Obligation expression format
- ObligationId and namespace(s)
- ObligationHandler API
- Interoperability and conformance test suite