The Community Authorization Service: Status and Future
Ian Foster (1,2), Carl Kesselman (3), Laura Pearlman (3), Steven Tuecke (1), Von Welch (2)
(1) Argonne National Laboratory, Argonne, IL; (2) University of Chicago, Chicago, IL; (3) USC Information Sciences Institute, Marina del Rey, CA

CHEP03, March 24, 2003

Outline
- Classic Globus Authorization
- CAS Concepts
- CAS Implementations (Prototypes and Planned Release Version)
- CAS and the Globus Toolkit
- Future Work

Classic Globus Authorization
- Unix accounts and gridmap file entries.
- The operating system acts as a sandbox; services themselves (e.g. gridftp, gram) do not make their own authorization checks.
- Easy for site administrators to understand and verify.
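The classic mechanism above, as an added example that is not Globus Toolkit code: a parser for the grid-mapfile format and the lookup a service performs before handing the connection to the operating system. The format assumed is the classic one (subject DN in double quotes, then a comma-separated list of local accounts, the first being the default); the sample entries are constructed, and DN comparison is exact, which a real deployment may relax.

```python
"""Parse a Globus grid-mapfile and map an authenticated DN to a local Unix account.
Added example, not Globus Toolkit code. Format assumed (the classic grid-mapfile): one entry
per line, the subject DN in double quotes, then whitespace and a comma-separated list of local
user names, the first being the default; '#' starts a comment line; DN comparison is exact.
"""

# Constructed sample: the DNs and account names are invented.
GRIDMAP_SAMPLE = """\
# grid-mapfile: "<subject DN>" <local user>[,<local user>...]
"/O=Grid/CN=Laura" laura
"/O=Grid/OU=Physics/CN=Alice Example" alice,physics
# a community's CAS server mapped to one shared account (slide 7: access granted to a community)
"/O=Grid/CN=VO CAS Server" vo_shared
"""


def parse_gridmap(text):
    """Return {DN: [local accounts]}; a malformed line raises ValueError rather than being skipped."""
    gridmap = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError(f"line {lineno}: subject DN must be double-quoted")
        end = line.index('"', 1)
        dn, rest = line[1:end], line[end + 1:].strip()
        accounts = [a for a in rest.split(",") if a]
        if not dn or not accounts or any(" " in a or "\t" in a for a in accounts):
            raise ValueError(f'line {lineno}: expected "DN" user[,user...]')
        seen = gridmap.setdefault(dn, [])
        seen += [a for a in accounts if a not in seen]   # a repeated DN adds accounts
    return gridmap


def map_dn(gridmap, dn, requested=None):
    """Resolve the local account a DN may run as, or None if the DN is not authorized.

    This is all of classic Globus authorization: once an account is chosen, the
    operating system (file permissions, quotas) is the only further check.
    """
    accounts = gridmap.get(dn)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None
```

Every policy change (a new collaborator, a revoked one, a new shared account) is an edit to this file at every site, which is exactly the scalability limit the next slide describes.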

Limitations of Classic Globus Authorization
- Scalability: each personnel or policy change requires changing policy at each participating site.
- Expressivity: native OS methods may not be expressive enough to support VO policies.
- Consistency: native OS methods at different sites may not support the same kinds of policies.

CAS Concepts
- Policy Management
- Policy Enforcement
- Operations and Deployment

CAS Policy Management
- Sites maintain site policies; communities maintain community policies.
- Site policies are maintained using existing methods (e.g., gridmap files and unix accounts).
- Community policies are maintained using the CAS server and CAS administrative protocol.
- Sites are not required to manage policy for individual community users or groups.

CAS Policy Management: the Resource Provider's View
- The resource provider grants access to a block of resources to a community, using its existing access-control mechanism for that resource (e.g., grid-mapfile entries, file permissions, etc.).
- The resource provider uses native mechanisms (e.g. quotas) to set additional policy for the community as a whole.
- The resource provider then installs servers modified to enforce the policy in the CAS credentials.

CAS Policy Management: the Community's View
- CAS administrative requests are used to maintain the CAS community policy database, which:
  - controls what rights the CAS server will grant to which users.
  - controls the CAS server's own access control policies, and thus can be used to delegate the ability to grant rights, maintain groups, etc.
  - maintains the list of community members.
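The three things the slide puts in the community policy database, as an added example that is not the CAS server's code: a member list, rights granted to users through groups, and the database's own access-control policy written in the same rights language so that administrative ability can be delegated. The group names, DNs and the "cas:" administrative actions are this example's own conventions, and the rule that one may only grant a right one already holds is the example's addition, not something the slides state.

```python
"""A minimal CAS community policy database that also governs its own administration.
Added example, not CAS server code. Administrative actions are rights on "cas:" resources so
the same rights_for() answers both "what may this user do?" and "may this user change policy?".
"""
from fnmatch import fnmatchcase


class PolicyDenied(PermissionError):
    pass


class CommunityPolicyDB:
    def __init__(self, founder):
        self.members = {founder}
        self.groups = {"cas-admins": {founder}}        # group name -> member DNs
        self.grants = {"cas-admins": {("*", "*")}}      # group name -> (action, pattern) rights

    def rights_for(self, dn):
        """'What rights does the community grant to this user?': union over the user's groups."""
        if dn not in self.members:
            return set()
        return {r for g, ms in self.groups.items() if dn in ms for r in self.grants.get(g, ())}

    def covers(self, dn, action, resource):
        return any(fnmatchcase(action, a) and fnmatchcase(resource, p) for a, p in self.rights_for(dn))

    def _require(self, actor, action, resource):
        # The database's own access control, enforced on every administrative request.
        if not self.covers(actor, action, resource):
            raise PolicyDenied(f"{actor} may not {action} on {resource}")

    def add_member(self, actor, dn):
        self._require(actor, "cas:add_member", "cas:community")
        self.members.add(dn)

    def add_to_group(self, actor, group, dn):
        self._require(actor, "cas:manage_group", f"cas:group/{group}")
        if dn not in self.members:
            raise PolicyDenied(f"{dn} is not a community member")
        self.groups.setdefault(group, set()).add(dn)

    def grant(self, actor, group, right):
        self._require(actor, "cas:grant", f"cas:group/{group}")
        # Example's own rule (not on the slides): a right can only be granted by someone who
        # already holds it, so a delegated administrator cannot escalate past their own rights.
        if not self.covers(actor, *right):
            raise PolicyDenied(f"{actor} does not hold {right} and cannot grant it")
        self.grants.setdefault(group, set()).add(right)


def demo():
    """Constructed scenario: a founder delegates maintenance of the 'devs' group to a lead."""
    admin, lead, laura = "/O=Grid/CN=VO Admin", "/O=Grid/CN=Dev Lead", "/O=Grid/CN=Laura"
    db = CommunityPolicyDB(admin)
    for dn in (lead, laura):
        db.add_member(admin, dn)
    db.grant(admin, "devs", ("Read", "gridftp://myhost/mydir/*"))
    db.add_to_group(admin, "dev-leads", lead)
    # Delegation: dev-leads may manage membership of 'devs' and grant rights to it.
    db.grant(admin, "dev-leads", ("cas:manage_group", "cas:group/devs"))
    db.grant(admin, "dev-leads", ("cas:grant", "cas:group/devs"))
    db.add_to_group(lead, "devs", laura)                  # now within the lead's delegated rights
    out = {"laura_rights": db.rights_for(laura)}
    try:                                                  # the lead may not hand out rights it lacks
        db.grant(lead, "devs", ("Write", "gridftp://myhost/*"))
        out["escalation_blocked"] = False
    except PolicyDenied:
        out["escalation_blocked"] = True
    try:                                                  # nor touch a group it was not delegated
        db.add_to_group(lead, "cas-admins", lead)
        out["admin_takeover_blocked"] = False
    except PolicyDenied:
        out["admin_takeover_blocked"] = True
    return out
```

The rights a CAS server would put into a credential for Laura are exactly `rights_for(laura)`; the two denied operations are the cases a site should expect the community database to refuse on its own, before any site policy is consulted.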

CAS Policy Enforcement
- Sites enforce site policies and community policies.
- A resource server (e.g., gridftp, gram) may recognize several CAS servers.
- A resource server may accept CAS authorization for some resources but not others.
- Resource servers (and clients) do not need to contact the CAS server for each request, but they do need fairly recent CAS information.

A Typical CAS Authorization Sequence
- A client requests credentials from a CAS server.
- The CAS server replies with credentials, based on the community's policy for that client.
- The client presents the CAS credentials to the resource server, which uses them in making policy decisions. This step may be repeated many times using the same credentials.
- This slide intentionally left vague.

Two Typical Client Scenarios
- A community user can:
  - Run a client program to get CAS credentials, then
  - Use a simple wrapper script to run unmodified (GSI) client applications.
- An application can be modified to interface directly with the CAS, with no change to the user's behavior.

CAS Implementations
- Initial CAS Prototype
  - Based on restricted proxies
- Second CAS prototype
  - Based on signed policy assertions
- Upcoming Release Version
  - Conceptually similar to second prototype, but new code base, protocol, and assertion formats.

Initial CAS Prototype
- Based on restricted proxy certificates.
- A restricted proxy certificate grants a subset of the issuer's rights to whoever holds the certificate.
- The end-user's identity is not part of the restricted proxy.
- Servers that don't understand restricted proxies reject them.

Restricted Proxy Certificate (example)
  Subject: /O=Grid/CN=VO CAS Server
  Valid: 3/25/03 13:00 – 3/25/03 15:00
  ProxyRestrictions (critical extension). Only these actions are allowed:
    Read  gridftp://myhost/mydir/*
    Write gridftp://myhost/myfile
  Signature (of all of the above, by the VO CAS Server)
The proxy certificate conveys the VO's rights to the bearer, for the certificate's validity period, restricted subject to the proxy restrictions.

A Typical CAS-alpha1 Request (diagram)
Participants: Client; CAS Server, backed by the CAS-maintained community policy database; Resource Server, backed by local policy information.
- Client to CAS Server: presents the user proxy. The CAS server asks "What rights does the community grant to this user?" and answers with a community proxy carrying proxy restrictions.
- Client to Resource Server: presents the community proxy. The resource server asks "Is this request authorized for the community?" (local policy) and "Do the proxy restrictions authorize this request?"

Effective Policy in CAS-alpha1 (diagram)
Effective access = (access granted by site to community) ∩ (access granted by community to user)

Second CAS Prototype
- Based on policy assertions signed by the CAS server.
- The policy assertions associate a set of access rights with the user's identity.
- Servers that don't understand policy assertions ignore them and base authorization decisions on the user's identity alone.
- Servers can implement an additional level of policy enforcement based on the user's identity, if desired.

Signed Authorization Assertions (example)
  Subject: /O=Grid/CN=Laura
  Valid: 3/25/03 11:00 – 3/26/03 11:00
  AuthorizationAssertion (non-critical extension):
    Target Subject: /O=Grid/CN=Laura
    Valid: 3/25/03 13:00 – 15:00
    These actions are allowed:
      Read gridftp://myhost/mydir/*
    Signature (of the assertion, by the VO CAS server)
  Signature (of all of the above, by the user)
The authorization assertion is signed by the VO's CAS server. It delegates a subset of the VO's rights to a user, during a validity time, and is only valid when used along with the target user's authentication credentials.

A Typical CAS-alpha2 Request (diagram)
Participants: Client; CAS Server, backed by the CAS-maintained community policy database; Resource Server, backed by local policy information.
- Client to CAS Server: presents the user proxy. The CAS server asks "What rights does the community grant to this user?" and returns a policy statement carrying the community signature.
- Client to Resource Server: presents the user proxy together with the policy statement and community signature. The resource server asks "Is this request authorized for the community?", "Does the policy statement authorize the request?" and "What local policy applies to this user?"

Effective Policy in CAS-alpha2 (diagram)
Effective access = (access granted by site to community) ∩ (access granted by community to user) ∩ (maximum access granted by site to user, e.g., via blacklists, whitelists)
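The effective-policy rules of both prototypes (the restricted proxy of slides 13 to 16 and the signed assertion of slides 17 to 20), as an added example that is not Globus Toolkit or CAS code. It evaluates a request against the intersections shown in the two diagrams and exercises the failure modes the slides imply: a server that cannot parse the critical ProxyRestrictions extension, an assertion presented by someone other than its target subject, an assertion altered after signing, a user the site has blacklisted, and a server that ignores the non-critical assertion. Assumptions: rights are (action, glob pattern) pairs in the slide's notation, an HMAC over a canonical serialization stands in for the CAS server's X.509 signature, and all DNs, times and keys are constructed.

```python
"""CAS-alpha1 vs CAS-alpha2 effective-policy evaluation (added example, not Globus or CAS code).
A right is an (action, pattern) pair, the pattern a shell-style glob over a resource URL as on
the slides ("gridftp://myhost/mydir/*"); assumed here: "*" also matches across "/"."""
import hashlib
import hmac
from dataclasses import dataclass, field, replace
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional


def permits(rights, action, resource):          # does some (action, pattern) right cover the request?
    return any(a == action and fnmatchcase(resource, pat) for a, pat in rights)


@dataclass
class Assertion:                    # CAS-alpha2 policy assertion, signed by the CAS server
    issuer: str                     # CAS server DN
    target_subject: str             # the user the rights are bound to
    not_before: datetime
    not_after: datetime
    rights: list
    signature: bytes = b""

    def canonical(self):
        head = [self.issuer, self.target_subject, self.not_before.isoformat(), self.not_after.isoformat()]
        return "\n".join(head + [f"{a} {r}" for a, r in self.rights]).encode()


def sign_assertion(key, a):
    """Stand-in for the CAS server's X.509 signature: an HMAC over the canonical bytes."""
    return replace(a, signature=hmac.new(key, a.canonical(), hashlib.sha256).digest())


@dataclass
class ProxyCert:                    # an X.509 proxy certificate as the resource server sees it
    subject: str
    not_before: datetime
    not_after: datetime
    restrictions: Optional[list] = None         # alpha1: critical ProxyRestrictions extension
    assertion: Optional[Assertion] = None       # alpha2: non-critical AuthorizationAssertion

    def live(self, now):
        return self.not_before <= now <= self.not_after


@dataclass
class SiteUserPolicy:               # the site's own per-user policy (blacklist, optional whitelist)
    blacklist: set = field(default_factory=set)
    whitelist: Optional[set] = None

    def allows(self, dn):
        return dn not in self.blacklist and (self.whitelist is None or dn in self.whitelist)


def authorize_alpha1(proxy, site, action, resource, now, understands_restrictions=True):
    """site maps a DN to the rights the site grants it directly. Effective access =
    (site -> community) AND (proxy restrictions); nothing depends on who presents the proxy."""
    if not understands_restrictions:            # critical extension: an unaware server must reject
        return False
    if not proxy.live(now) or proxy.restrictions is None:
        return False
    return (permits(site.get(proxy.subject, ()), action, resource)    # subject is the CAS server
            and permits(proxy.restrictions, action, resource))


def authorize_alpha2(proxy, site, users, verify, action, resource, now, understands_assertions=True):
    """Effective access = (site -> community) AND (community -> user) AND (site -> user)."""
    if not proxy.live(now) or not users.allows(proxy.subject):
        return False
    a = proxy.assertion
    if a is None or not understands_assertions:          # non-critical extension: ignore it and
        return permits(site.get(proxy.subject, ()), action, resource)   # use identity-only policy
    # An assertion bound to someone else, failing verification, or outside its window is an error.
    if a.target_subject != proxy.subject or not verify(a) or not a.not_before <= now <= a.not_after:
        return False
    return permits(site.get(a.issuer, ()), action, resource) and permits(a.rights, action, resource)


def demo():
    """Constructed scenario mirroring the slides: community 'VO CAS Server' and user Laura."""
    t = lambda h: datetime(2003, 3, 25, h)
    cas, laura, res = "/O=Grid/CN=VO CAS Server", "/O=Grid/CN=Laura", "gridftp://myhost/mydir/x"
    site = {cas: [("Read", "gridftp://myhost/*"), ("Write", "gridftp://myhost/*")]}
    rp = ProxyCert(cas, t(13), t(15), restrictions=[("Read", "gridftp://myhost/mydir/*"),
                                                    ("Write", "gridftp://myhost/myfile")])
    key = b"constructed-demo-key"                       # stands in for the CAS server's signing key
    a = sign_assertion(key, Assertion(cas, laura, t(13), t(15), [("Read", "gridftp://myhost/mydir/*")]))
    tampered = replace(a, rights=a.rights + [("Write", "gridftp://myhost/*")])   # signature now stale
    px = ProxyCert(laura, t(11), datetime(2003, 3, 26, 11), assertion=a)
    verify = lambda x: hmac.compare_digest(x.signature, sign_assertion(key, x).signature)

    def a2(p, action, now, users=SiteUserPolicy(), **kw):
        return authorize_alpha2(p, site, users, verify, action, res, now, **kw)
    return {
        "a1_read": authorize_alpha1(rp, site, "Read", res, t(14)),
        "a1_write": authorize_alpha1(rp, site, "Write", res, t(14)),
        "a1_expired": authorize_alpha1(rp, site, "Read", res, t(16)),
        "a1_unaware_server": authorize_alpha1(rp, site, "Read", res, t(14), understands_restrictions=False),
        "a2_read": a2(px, "Read", t(14)),
        "a2_before_window": a2(px, "Read", t(12)),
        "a2_wrong_holder": a2(replace(px, subject="/O=Grid/CN=Mallory"), "Read", t(14)),
        "a2_tampered": a2(replace(px, assertion=tampered), "Read", t(14)),
        "a2_blacklisted": a2(px, "Read", t(14), users=SiteUserPolicy({laura})),
        "a2_unaware_server": a2(px, "Read", t(14), understands_assertions=False),
    }
```

Two points worth noticing in the decisions: `authorize_alpha1` never consults the presenter's identity, which is why an alpha1 restricted proxy is a bearer credential and why its validity window is kept short; and in `authorize_alpha2` the site's own per-user policy is applied before the assertion is even looked at, which is the third set in the diagram above.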

CAS Release Version
- Conceptually similar to CAS-alpha2
- New code base (Java)
- OGSA service based on GT3
- Will use SAML for policy assertion format.

CAS and the Globus Toolkit
- Production version will include:
  - CAS server (GT3/OGSI service)
  - CAS client, Java client API, and (maybe) C client API
  - CAS-aware gridftp server
  - APIs to facilitate CAS-ifying other services.
  - To be released with or following GT3 in June
- An upcoming GT2 release will include a CAS-aware gridftp server.

Future Work: Scalability
- Caching Server
  - Acts as a lightweight partial mirror of a CAS server
  - Accepts requests for what to mirror (e.g., policy for a particular user) and periodically requests new signed policy statements from a CAS server
- Distributed community policy database

Future Work: CAS Operation
- Support a request-server-pull model (the request server, rather than the client, contacts the CAS server) in addition to the current model
- Can be combined with the caching server for performance and reliability

Future Work: Policy Enforcement
- Local Authorization Server: accepts authorization queries from request servers, applies all applicable local and community policies, and returns yes or no.
- Increased support for authorization in GT3 hosting environments.

For More Information
- CAS web page: