1 Authorization for Metacomputing Applications G. Gheorghiu, T. Ryutov and B. C. Neuman University of Southern California Information Sciences Institute.

1 Authorization for Metacomputing Applications G. Gheorghiu, T. Ryutov and B. C. Neuman University of Southern California Information Sciences Institute July, 1998

2 Outline of Presentation
- The Prospero Resource Manager (PRM)
- Motivation
- Overall security model
  - Extended Access Control List (EACL) framework
  - Generic Authorization and Access control API (GAA API)
- Applying the model to PRM
- Status
- Summary

3 The Prospero Resource Manager (PRM)
- The System Manager (SM) allocates resources to jobs
- The Job Manager (JM) requests the necessary resources
- The Node Manager (NM) loads and executes tasks

4 Running a job with PRM
1. JM requests resources
2. SM allocates resources to the JM, notifies the NMs
3. SM informs the JM of the assigned resources
4. JM requests task initiation
5. NMs create tasks
(Diagram: the application (% appl), the JM, the SM and the NMs exchanging the messages above.)

5 Motivation
- Need for user authentication
- Security policies:
  - authorized principals
  - type of granted access
  - restrictions on granted access and resources
- Customization of the policies
- Enforcement of the policies
(Diagram: a request to load an application crosses from Domain A to Domain B, where it is checked against the security policy database.)

6 EACL framework
(Diagram: the Prospero Directory Service links a default EACL for the domain isi.edu and an EACL for the host kot.isi.edu; each EACL entry consists of Principals, Access Rights and Conditions.)

7 EACL Management
- Goal: enable easy sharing of a default authorization policy among NMs while allowing customization at host level
- The Prospero Directory Service API is used to create virtual links to the EACL files and to specify attributes for the links
- Example of attributes for the default EACL file:
  - SYSTEM_MANAGER darkstar.isi.edu
  - EACL_DEFAULT True
- Example of attributes for a local EACL file:
  - NODE_MANAGER kot.isi.edu
  - EXTEND_DEFAULT Append

8 EACL entry structure: Principals
TYPE         SECURITY MECHANISM   ID
USER         Kerberos.V5
HOST         IPaddress
APPLICATION  Checksum             0x75AA31
GROUP        DCE                  8
ANYBODY

9 EACL entry structure: Access Rights (user-level representation)
tag      value
HOST     load
HOST     status
DEVICE   power_up
DEVICE   power_down

10 EACL entry structure: Conditions
TYPE              VALUE
location          DNS_* _island.com
time_window       8AM-6PM
time_day          Monday-Friday
payment           $20
CPU_load          30
application_name  matlab
(The slide groups these conditions into GENERIC and PRM-SPECIFIC ones.)

11 Generic Authorization and Access control API (GAA API)
(Diagram: the application hands the GAA API a reference to the object, an EACL handle and an upcall function for EACL retrieval, together with a security context and the operations for which authorization is requested. gaa_get_object_eacl retrieves the object's EACL; gaa_check_authorization answers YES, NO or MAYBE, with the list of authorized operations and their corresponding conditions, if any.)

12 GAA API Security Context
- Identity
- Authorization attributes
- Delegated credentials
- Evaluation and retrieval functions for upcalls

13 Using the GAA API in PRM
(Diagram: message sequence between the SM, the transport mechanism, the Kerberos library, the GAA API with its security context, and the EACL.)
- (1, 2, 3, 4, 4a) request and verification of the principal's identity
- (5, 5a) call to gaa_get_object_eacl, retrieval of the appropriate EACL
- (6, 6a, 6b) call to gaa_check_authorization

14 EACL Evaluation
(Diagram: a worked example.)
- REQUEST: "This is Joe, load matlab, on the host kot.isi.edu" (Joe, 10:07AM, host kot.isi.edu)
- GAA API security context: Identity: USER kerberos.v5 ISI.EDU; Functions for upcall
- EACL associated with the host kot.isi.edu:
  - PRINCIPALS: GROUP kerberos.v5 *; USER kerberos.v5 ISI.EDU
  - OPERATIONS: load
  - CONDITIONS: time_w: 6AM-8PM; cpu_load: 20
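The entry structure of slides 8 to 10, the EXTEND_DEFAULT Append attribute of slide 7 and the evaluation of slide 14 fit together in one small policy engine. The Python below is an illustration added to this transcript, not code from PRM or from the GAA API. It assumes a composition rule for EXTEND_DEFAULT Append (domain default entries first, host entries appended), a first-match decision order, an invented identity [email protected], and that a condition with no registered upcall is handed back to the caller as MAYBE, which is how the third answer of slide 11 is read here.

```python
"""Toy EACL evaluator: principals / access rights / conditions answered with YES, NO or MAYBE,
with upcalls for the conditions the policy engine can decide by itself. Added illustration, not
code from PRM or the GAA API; names, the composition rule and the decision order are assumptions."""
from dataclasses import dataclass, field
from datetime import time

YES, NO, MAYBE = "YES", "NO", "MAYBE"

@dataclass(frozen=True)
class Principal:
    kind: str        # USER, GROUP, HOST, APPLICATION or ANYBODY (slide 8)
    mech: str = ""   # security mechanism: Kerberos.V5, DCE, IPaddress, Checksum
    name: str = "*"  # "*" matches any id under this kind and mechanism

@dataclass
class Entry:
    principals: list                                # Principal objects
    rights: list                                    # (tag, value) pairs, e.g. ("HOST", "load")
    conditions: list = field(default_factory=list)  # (type, value) pairs, e.g. ("cpu_load", "20")

@dataclass
class Request:
    operation: tuple   # (tag, value) being requested
    application: str
    now: time          # wall clock on the node
    cpu_load: int      # current load reported by the node manager

@dataclass
class SecurityContext:
    identities: set    # verified Principal objects (slide 12: Identity)
    evaluators: dict   # condition type -> callable(value, Request) -> bool (the upcalls)

def parse_clock(s):
    """'6AM' -> 06:00, '8PM' -> 20:00, '10:07AM' -> 10:07 (the slides' notation)."""
    s = s.strip().upper()
    hour, _, minute = s[:-2].partition(":")
    return time(int(hour) % 12 + (12 if s[-2:] == "PM" else 0), int(minute or 0))

def in_time_window(value, req):
    start, end = (parse_clock(part) for part in value.split("-"))
    return start <= req.now <= end

# Conditions this context can evaluate locally. "payment" deliberately has no
# evaluator: it is handed back to the caller, which turns the answer into MAYBE.
DEFAULT_EVALUATORS = {
    "time_window": in_time_window,
    "cpu_load": lambda value, req: req.cpu_load < int(value),
    "application_name": lambda value, req: req.application == value,
}

def compose_eacl(default_entries, local_entries):
    """EXTEND_DEFAULT=Append (slide 7): the host policy is appended after the domain default."""
    return list(default_entries) + list(local_entries)

def principal_matches(entry, ctx):
    for p in entry.principals:
        if p.kind == "ANYBODY":
            return True
        for ident in ctx.identities:
            if (p.kind, p.mech.lower()) == (ident.kind, ident.mech.lower()) and p.name in ("*", ident.name):
                return True
    return False

def check_authorization(eacl, ctx, req):
    """Analogue of gaa_check_authorization: (YES|NO|MAYBE, [(operation, conditions left to enforce)])."""
    unresolved = []
    for entry in eacl:
        if not principal_matches(entry, ctx) or req.operation not in entry.rights:
            continue
        pending, failed = [], False
        for ctype, cvalue in entry.conditions:
            evaluate = ctx.evaluators.get(ctype)
            if evaluate is None:
                pending.append((ctype, cvalue))   # undecidable here: reported back with MAYBE
            elif not evaluate(cvalue, req):
                failed = True                     # decidable and false: this entry does not grant
                break
        if failed:
            continue
        if not pending:
            return YES, [(req.operation, [])]     # first fully satisfied entry wins (assumption)
        unresolved.append((req.operation, pending))
    return (MAYBE, unresolved) if unresolved else (NO, [])

JOE = Principal("USER", "Kerberos.V5", "[email protected]")   # constructed identity, not from the slides

def build_kot_eacl():
    """Constructed policy for kot.isi.edu in the spirit of slide 14."""
    domain_default = [Entry([Principal("GROUP", "Kerberos.V5", "*")], [("HOST", "status")])]
    kot_local = [Entry([JOE], [("HOST", "load")], [("time_window", "6AM-8PM"), ("cpu_load", "20")]),
                 Entry([Principal("ANYBODY")], [("HOST", "load")], [("payment", "$20")])]
    return compose_eacl(domain_default, kot_local)

def decide(clock, cpu_load, operation=("HOST", "load"), application="matlab", identities=(JOE,)):
    """One request ("Joe, load matlab on kot.isi.edu at <clock>") through the composed policy."""
    ctx = SecurityContext(set(identities), DEFAULT_EVALUATORS)
    req = Request(operation, application, parse_clock(clock), cpu_load)
    return check_authorization(build_kot_eacl(), ctx, req)
```

decide("10:07AM", 15) reproduces slide 14 and yields YES because both conditions of Joe's entry hold; at 9PM that entry fails and only the pay-per-use ANYBODY entry remains, so the answer is MAYBE with the payment condition returned for the SM to enforce; a DEVICE power_up request matches no entry and gets NO. The split between locally evaluated conditions and conditions returned to the caller is what the YES/NO/MAYBE answer exists for: the policy engine never silently grants an operation whose conditions it could not check.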

15 Status
- Current prototype: the prototype is used within our current PRM testbed to check user authorization based on the policies in the EACL file
  - implemented PRM-specific conditions: time window, idle time and CPU load
  - only the default policy per domain is used
- IETF drafts
  - draft-ietf-cat-acc-cntrl-frmw-00.txt
  - draft-ietf-cat-gaa-cbind-00.txt
- Future work
  - implementing the local EACL policy mechanism
  - other PRM-specific conditions
  - refining the EACL evaluation algorithm
  - requesting additional credentials and evaluation of acquired ones

16 Summary
- Flexible and configurable security policy
- Integration of local and distributed policies
- Fine-grained access control
- Facilitation of authorization decisions
- Contact authors at {grig, bcn,