1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory

2 Security Components l Features –Authentication –Message security –Authorization –Delegation l Implementations in C and Java l Used in pre-WS and WS components Talk focuses on recent and upcoming work

3 Java Authorization Framework

4 Authorization l Establishing rights of an identity –Can user do some action on some resource l Identity-based authorization –Scalability issues l Attribute-based authorization –Authorization policy can use attributes l Authorization with obligation

5 Authorization Framework l Policy Information Points (PIPs) –Collect attributes (subject, action, resource) –E.g: Operation Parameter PIP l Policy Decision Points (PDPs) –Evaluate authorization policy –E.g: GridMap Authorization, Self Authorization l Authorization Engine –Orchestrates authorization process –Enforce distributed authorization policy –Combining algorithm to render a decision

6 GT 4.0 Authorization Framework Authorization Engine (Deny-override) PIP1PIP2PIPnPDP1PDP2PDPn … … Web Services Message Context (store attributes) Permit Deny Permit Policy Enforcement Point

7 AuthZ Framework Enhancements l Modular code base –Independent module >Removed web services dependency >separated from Java WS Core –Java interfaces l Improved attribute processing –Normalized attribute representation –Comparison of attributes across sources –Merging of attributes of same entities

8 AuthZ Framework Enhancements l Separate interface for request attributes –Bootstrap PIP interface l Improved authorization engine –Pluggable engine algorithm –Decision issuer part of decision making process –Administration and Access privileges –Default Algorithm: Permit-override combining algorithm >Construct decision Chain from Requestor to Owner

9 GT 4.2 Authorization Framework Authorization Engine Policy Enforcement Point bPIP1 [owner1] … bPIPn [ownerN] PIP1 [owner1] … PIPn [ownerN] … Request Attributes PIP Attribute Processing PDP Combining Algorithm Attributes PDP1 [owner1] canAdmin canAccess PDPn [ownerN] Decision

10 Some interesting GT PDP/PIP l SOAP Parameter PIP –Most efficient at application level l Resource Properties PDP –Uses SOAP Parameter PIP l SAML Authorization PDP l XACML Authorization PDP (In Progress)

11 Authorization Policy Management

12 Authorization Policy Management l Currently GridMap files are commonly used –Identity-based authorization –Local user account as obligation l Other requirements –Attribute based authorization for better scalability (roles/groups) –Fine grained authorization –Better management interface

13 Community Authorization Service l Fine grained policy engine –Policy as Tuple –Entity, Action, Resource –E.g Rachana’s DN, read, server1.anl.gov/sandbox/foo –Internal groups for administration l Management interface via web services and command line l Multiple interfaces for obtaining decision/rights –SAML Assertions signed by CAS server Reference:

14 CAS: Push via proxy CAS Server Admin Interface Query Interface User rights assertion Signed SAML Assertion Secure Resource Trust CAS Server Signed SAML Assertion Administrator

15 CAS: Push via SOAP header CAS Server Admin Interface Query Interface Signed SAML Assertion Secure Resource Trust CAS Server Signed SAML Assertion SOAP Headers Administrator Can be GridFTP Control Channel Signed SAML Assertion

16 CAS as AuthZ Service (pull) CAS Server Admin Interface Query Interface Secure Resource Trust CAS Server Signed Assertion Administrator Decision

17 CAS Co-located Java Interface Secure Resource Admin Interface Administrator CAS

18 Other Highlights l Embed key information in Endpoint References (Completed) –Allows for deployment of user-certs on server –Easy key-discovery for ephemeral resources –OGSA Basic Security Profile compliant l OpenSSL upgrade (In progress) –Version in 4.0.x –Uses local OpenSSL in trunk l Signing policy in Java GSI (Planned) l OCSP Support –OGRO Project –User requirements?

19 Questions?

20 Security Committee l Goals –Evaluate and resolve security vulnerabilities prior to making it public –Potential vulnerabilities: l Membership –Any dev.globus committer –Subscribed to –Owns vulnerabilities and has voting rights l Lurkers –Participate in discussions

21 Security Committee l Membership requires approval –Majority quorum amongst members l Participating communities –Receive advance notice of advisory –TeraGrid, VDT, Condor l Community inclusion request –Nominated and voted on by members –GT usage and participation in committee activities