Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware

Presentation transcript:

Slide 1/17: Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware
ISGC 2012, Feb 27, 2012
Keith Chadwick for the AuthZ Interop team
Grid & Cloud Computing dept., Computing Sector, Fermilab

Overview
- Experience-first / Standardize-later paradigm
- Authorization Interoperability Profile for the Cloud
- Implementations and Status

Slide 2/17: The Collaboration
Ian Alderman (9), Mine Altunay (1), Rachana Ananthakrishnan (8), Joe Bester (8), Keith Chadwick (1), Vincenzo Ciaschini (7), Yuri Demchenko (4), Andrea Ferraro (7), Alberto Forti (7), Gabriele Garzoglio (1), David Groep (2), Ted Hesselroth (1), John Hover (3), Oscar Koeroo (2), Chad La Joie (5), Tanya Levshina (1), Zach Miller (9), Jay Packard (3), Håkon Sagehaug (6), Valery Sergeev (1), Igor Sfiligoi (1), Neha Sharma (1), Frank Siebenlist (8), Valerio Venturi (7), John Weigand (1)

Affiliations:
1. Fermilab, Batavia, IL, USA
2. NIKHEF, Amsterdam, The Netherlands
3. Brookhaven National Laboratory, Upton, NY, USA
4. University of Amsterdam, Amsterdam, The Netherlands
5. SWITCH, Zürich, Switzerland
6. BCCS, Bergen, Norway
7. INFN CNAF, Bologna, Italy
8. Argonne National Laboratory, Argonne, IL, USA
9. University of Wisconsin, Madison, WI, USA

Slide 3/17: The Authorization Model
- The EGEE (EGI) and OSG security model is based on X509 end entity and proxy credentials for single sign-on and delegation
- Role-based access to resources is based on VOMS Attribute Certificates
- Users push credentials and attributes to resources
- Access privileges are granted with appropriate local identity mappings
- Resource gateways (Gatekeeper, SRM, gLExec, ...), i.e. Policy Enforcement Points (PEPs), call out to site-central Policy Decision Points (PDPs) for authorization decisions

Slide 4/17: Authorization Infrastructure (the OSG case)
[Diagram of the OSG AuthZ components. VO Management Services: VOMS-admin (the user registers here) and VOMS (the VO PDP, from which the user gets a voms-proxy); GUMS synchronizes with VOMS. Grid Site services (site PDPs): SAZ answers "Is Auth? Yes / No", GUMS answers "ID Mapping? Yes / No + UserName". PEPs: the CE Gatekeeper with LCMAPS, the SE SRM with gPlazma, and gLExec with LCMAPS on the WN. Flows: submit request with voms-proxy; schedule pilot or job on the batch system; submit pilot or job (UID/GID); pilot SU to job (UID/GID); access data in storage (UID/GID). Legend distinguishes AuthZ components from those not officially in OSG.]

Slide 5/17: Goals for Interoperability
Agree on a common PEP-to-PDP call-out protocol and implementation in order to:
1. share and reuse software developed for EGI and OSG,
2. give software providers (external to the Grid organizations) reference protocols to integrate with both Grid infrastructures,
3. enable the seamless deployment of software developed in the US or EU in the EU or US security infrastructures.

Slide 6/17: Standardization based on experience
It takes many trials and errors (and many years) to:
- put together a collaboration
- agree on a working profile
- implement libraries for multiple languages
- integrate libraries with existing infrastructure (PEP / PDP)
- tune the system to production standards
- widely deploy a solution
The Authorization Interoperability profile is being standardized by OGF in 2012, after 5 years. This is an example of Experience-first / Standardize-later, as opposed to the more typical approach, Standardize-first / Experience-later. Arguably, the resulting standard is "stronger".

Slide 7/17: AuthZ Interop is standardized at age
- Release XACML profile document: 1+ yr collaboration (OSG, EGEE, Globus, and Condor_
- Implementation and integration of XACML AuthZ modules with principal PDPs and PEPs in OSG and EGEE
- Demonstrated interoperability of OSG vs. EGEE deployments in ad-hoc scenarios – Goal
- Discussion on evolutions of the profile in the context of Argus
- Argus extends the interoperability profile
- External software providers use the profile as reference on authorization for the Grid domain. TechX: SVOPME project. Globus: GT5 – Goal
- Consolidation of additional OSG PDPs and PEPs
- Start migration of PEPs to LCMAPS (Nikhef, NL) as common code base – Goal
- Tune client parameters to sustain the authz tsunami
- Extend profile with proxy validity attributes
- Begin OGF standardization – Goal
- Plan to complete OGF standardization – Goal 2
- Work on profile extension for Cloud Authorization

Slide 8/17: Overview (section divider, same content as the title slide, with "Authorization Interoperability Profile for the Cloud" highlighted)

Slide 9/17: Authorization Interoperability and the Cloud
- The Grid relies on infrastructure that has been made stable and reliable throughout the years
- Many communities are now deploying Cloud infrastructure: on-demand, user-sized machine instantiation based on virtualization
- We want to reuse the Grid authorization infrastructure for the Cloud
- Strategy: extend the authorization interoperability profile and reuse 99% of the implementation for the Grid
- We seek collaborators

Slide 10/17: FermiCloud Authentication / Authorization
- FermiCloud is Infrastructure as a Service (IaaS) Cloud Computing in support of the Fermilab Scientific Program (see Keith Chadwick's talk "FermiGrid and FermiCloud Update" on Feb 28, 2012)
- FermiCloud is currently based on Open Nebula (ONe)
- In collaboration with ONe, the FermiCloud project has integrated X509 Authentication for ONe
- Currently, we have a proof-of-principle authorization call-out from ONe to GUMS
- ONe v3.2 supports authorization plug-ins: planning to use the X509 identity in that context for the call-out (0.6 FTE from Mar 12, 2012)

Slide 11/17: Overview (section divider, same content as the title slide, with "Implementations and Status" highlighted)

Slide 12/17: Request/Response Attribute Categories
Request is made with:
- Subject attributes
- Action attributes
- Resource attributes
- Environment attributes
Response is made with:
- Permit, Deny, or Indeterminate
- Obligation attributes
[Diagram: at the Grid Site, the resource gateway PEP (CE / SE / WN) sends an XACML Request to the site-services PDP and receives an XACML Response.] Subject S requests to perform Action A on Resource R within Environment E. Decision: Permit, but must fulfill Obligation O.
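The exchange on this slide, as an added example in Python that is not code from the AuthZ Interop profile or from GUMS, SAZ or SCAS: a site-central PDP evaluates a request built from the four attribute categories and a gateway PEP acts on the decision. It goes slightly beyond the slide by showing the Indeterminate case (a request the PDP cannot evaluate) and the PEP treating both Indeterminate and an unfulfillable obligation as a refusal. The attribute identifiers, the obligation name, the policy table and the proxy-lifetime limit are all constructed placeholders, not the profile's real URNs.

```python
"""PEP/PDP exchange with the four XACML request attribute categories
(Subject, Action, Resource, Environment) and a response carrying a
decision plus obligations.

Added example: not code from the AuthZ Interop profile or any project
named in the talk. All attribute and obligation identifiers below are
constructed placeholders, and the policy table is a constructed sample."""
from dataclasses import dataclass, field

# Constructed attribute identifiers (placeholders, not the profile's own URNs)
SUBJECT_DN = "urn:example:subject:x509-dn"
SUBJECT_FQAN = "urn:example:subject:voms-fqan"
ACTION_ID = "urn:example:action:id"
RESOURCE_ID = "urn:example:resource:id"
ENV_PROXY_HOURS = "urn:example:environment:proxy-validity-hours"
OBLIGATION_USERNAME = "urn:example:obligation:local-username"


@dataclass
class Request:
    """Subject S asks to perform Action A on Resource R within Environment E."""
    subject: dict
    action: dict
    resource: dict
    environment: dict


@dataclass
class Response:
    decision: str                      # "Permit", "Deny" or "Indeterminate"
    obligations: dict = field(default_factory=dict)


# Constructed site policy: VOMS FQAN -> (permitted actions, local account)
POLICY = {
    "/cms/Role=production": ({"submit-job", "access-data"}, "cmsprod"),
    "/cms/Role=NULL": ({"access-data"}, "cmsuser"),
}
MAX_PROXY_HOURS = 24   # constructed site limit on remaining proxy lifetime


def decide(req: Request) -> Response:
    """Site-central PDP: evaluate the request, return decision + obligations."""
    have_all = (SUBJECT_DN in req.subject and SUBJECT_FQAN in req.subject
                and ACTION_ID in req.action and RESOURCE_ID in req.resource)
    if not have_all:
        # A request the PDP cannot evaluate is Indeterminate, not Deny
        return Response("Indeterminate")
    hours = req.environment.get(ENV_PROXY_HOURS)
    if hours is None or hours > MAX_PROXY_HOURS:
        return Response("Deny")
    entry = POLICY.get(req.subject[SUBJECT_FQAN])
    if entry is None or req.action[ACTION_ID] not in entry[0]:
        return Response("Deny")
    # Permit, but the PEP must fulfil the obligation: run as this local account
    return Response("Permit", {OBLIGATION_USERNAME: entry[1]})


def enforce(req: Request):
    """Resource-gateway PEP: return the local user name to run as, or None.

    Indeterminate is handled like Deny (fail closed), and a Permit whose
    obligation the PEP cannot fulfil is refused as well."""
    resp = decide(req)
    if resp.decision != "Permit":
        return None
    username = resp.obligations.get(OBLIGATION_USERNAME)
    if not username:
        return None
    return username


def make_request(dn, fqan, action, resource, proxy_hours):
    """Build a request from the values a gateway extracts from a VOMS proxy."""
    return Request(
        subject={SUBJECT_DN: dn, SUBJECT_FQAN: fqan},
        action={ACTION_ID: action},
        resource={RESOURCE_ID: resource},
        environment={ENV_PROXY_HOURS: proxy_hours},
    )


if __name__ == "__main__":
    r = make_request("/DC=org/DC=example/CN=alice", "/cms/Role=production",
                     "submit-job", "ce.example.org", 12)
    print(decide(r))   # Permit, with the local-username obligation
    print(enforce(r))  # cmsprod
```

The PEP never grants access on anything but an explicit Permit whose obligations it can honour; that is the behaviour the "Permit, but must fulfill Obligation O" wording on the slide implies, and it is what keeps a PDP outage or a malformed request from turning into access.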

Slide 13/17: Implementations for the Grid
SAML v2 - XACML v2 profile:
- OpenSAML (Java); Globus XACML (C)
Authorization Callout Modules and PDPs:
- LCAS / LCMAPS (L&L) - SCAS plug-in; SCAS (EGI)
- PRIMA - gPlazma plug-in; GUMS / SAZ (OSG)
Resource Gateways:
- Computing Element: Pre-WS and WS Gatekeepers 4.2 / 5.2
- Storage Element: SRM / dCache; BeStMan; xrootd; GridFTP
- Worker Node: gLExec

Slide 14/17: XACML Callout Structure in OSG Using only EMI Code
[Diagram, 2012: the resource gateways (Pre-WS GK and GK v5.2 on the CE; GridFTP, xrootd, SRM / BeStMan and SRM / dCache on the SE; gLExec on the WN) call out through LCMAPS with the XACML2 gLite library (gPlazma in the dCache case) to the GUMS and SAZ PDPs. Legend: component; EGEE component used in OSG.]

Slide 15/17: Measured Performance
Tuning PEP / PDP connection parameters to sustain the authorization "tsunami" (*):
- Socket connection timeout > 21 s (set to 30 s)
- Sysctl parameter 'net.core.somaxconn' = max expected job connections (set at 4096 per server)
- Apache parameter 'ListenBacklog' = same value as above (GUMS only)
- Tomcat parameter 'acceptCount' = same (SAZ only)
- Apache 'MaxClients' = 32 (GUMS only)
(*) [Plot: Tuning GUMS Mapping Rate; x-axis MaxClient value; y-axes GUMS mappings / sec and % mapping success rate]
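A check a site administrator could run on a GUMS or SAZ host to confirm that the tuning values on this slide are actually in effect, written here as an added Python example; it is not code from the talk or from the GUMS or SAZ projects. The sysctl output and the httpd.conf and Tomcat server.xml fragments are constructed samples, the role names and the helper functions are assumptions, and the expected values are the ones stated on the slide. It also records the reason the slide wants ListenBacklog and acceptCount equal to somaxconn: Linux silently caps a listen() backlog at net.core.somaxconn, so a larger application-side value buys nothing.

```python
"""Audit of the PEP/PDP connection-tuning parameters from slide 15.
Added example, not code from the talk or from GUMS/SAZ. Each parameter is
read from the place that owns it (sysctl output, httpd.conf, Tomcat
server.xml); the inputs below are constructed samples."""
import re

EXPECTED_SOMAXCONN = 4096      # max expected job connections per server
EXPECTED_MAXCLIENTS = 32       # Apache MaxClients, GUMS only
MIN_CONNECT_TIMEOUT_S = 21     # client socket connection timeout must exceed this

# Constructed sample inputs: a host whose somaxconn was left at a stock default
SYSCTL_OUTPUT = "net.core.somaxconn = 128\n"
HTTPD_CONF = """# constructed httpd.conf fragment (GUMS front end)
ListenBacklog 4096
<IfModule prefork.c>
    MaxClients 32
</IfModule>
"""
SERVER_XML = """<!-- constructed Tomcat server.xml fragment (SAZ) -->
<Connector port="8443" acceptCount="1024" connectionTimeout="20000"/>
"""


def somaxconn(sysctl_text):
    """Value of net.core.somaxconn from 'sysctl net.core.somaxconn' output."""
    m = re.search(r"net\.core\.somaxconn\s*=\s*(\d+)", sysctl_text)
    return int(m.group(1)) if m else None


def apache_directive(conf_text, name):
    """First numeric value of an Apache directive, e.g. 'ListenBacklog 4096'."""
    m = re.search(r"^\s*%s\s+(\d+)" % re.escape(name), conf_text, re.M)
    return int(m.group(1)) if m else None


def tomcat_attr(xml_text, name):
    """Numeric attribute on the Tomcat <Connector>, e.g. acceptCount="1024"."""
    m = re.search(r'<Connector\b[^>]*\b%s="(\d+)"' % re.escape(name), xml_text)
    return int(m.group(1)) if m else None


def audit(role, sysctl_text, httpd_text=None, server_xml_text=None,
          client_connect_timeout_s=30):
    """Return a list of findings; an empty list means the host matches slide 15.

    role is "GUMS" (Apache in front of Tomcat) or "SAZ" (Tomcat only)."""
    findings = []
    if client_connect_timeout_s <= MIN_CONNECT_TIMEOUT_S:
        findings.append("client socket connection timeout %s s, expected > %d s"
                        % (client_connect_timeout_s, MIN_CONNECT_TIMEOUT_S))
    backlog = somaxconn(sysctl_text)
    if backlog is None or backlog < EXPECTED_SOMAXCONN:
        findings.append("net.core.somaxconn=%s, expected %d"
                        % (backlog, EXPECTED_SOMAXCONN))
    if role == "GUMS":
        listen = apache_directive(httpd_text or "", "ListenBacklog")
        if listen != backlog:
            # The kernel caps listen() backlogs at somaxconn, so a larger
            # ListenBacklog is silently truncated; the slide wants them equal
            findings.append("ListenBacklog=%s does not match somaxconn=%s"
                            % (listen, backlog))
        maxclients = apache_directive(httpd_text or "", "MaxClients")
        if maxclients != EXPECTED_MAXCLIENTS:
            findings.append("MaxClients=%s, expected %d"
                            % (maxclients, EXPECTED_MAXCLIENTS))
    elif role == "SAZ":
        accept = tomcat_attr(server_xml_text or "", "acceptCount")
        if accept != backlog:
            findings.append("acceptCount=%s does not match somaxconn=%s"
                            % (accept, backlog))
    else:
        findings.append("unknown role %r" % role)
    return findings


if __name__ == "__main__":
    for f in audit("GUMS", SYSCTL_OUTPUT, httpd_text=HTTPD_CONF):
        print("GUMS:", f)
    for f in audit("SAZ", SYSCTL_OUTPUT, server_xml_text=SERVER_XML):
        print("SAZ:", f)
```

On the constructed sample both roles report two findings: the stock somaxconn of 128 is far below the 4096 the slide calls for, and because of that cap the application-side backlog (ListenBacklog or acceptCount) no longer matches it, which is exactly the configuration that drops connections during a job burst even though the Apache or Tomcat setting looks correct on its own.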

Slide 16/17: Future: integration with new identity models
- Several communities are investigating models for identity management other than X509: OpenID, Shibboleth, InCommon, ...
- As support for these new models becomes widespread, we envision the need to integrate them with the AuthZ Interop profile
- The work will probably focus on the "subject" context of the profile

Slide 17/17: Conclusions
- Major OSG sites fully or partially migrated: rpm-based VDT packages of the L&L / XACML call-out for easy deployment
- Working with OGF on standardization of the profile following the Experience-first / Standardize-later model
- Looking for collaborators to extend the standardized profile in support of Cloud Authorization
- Goal: reuse the stable, fine-grained, role-based, site-central Grid AuthZ infrastructure for Cloud deployments at sites