Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Slides:



Advertisements
Similar presentations
Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Authz work in GGF David Chadwick
INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.
May 11, 20091/17 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting May 11, 2009 Gabriele Garzoglio.
Jan 10, 20091/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Jan 10, 2009 Gabriele Garzoglio.
Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks JRA1 summary Claudio Grandi EGEE-II JRA1.
Interoperability in OMII – Europe (using the new standard compliant SAML-based VOMS to handle attribute-based authz.) Morris Riedel (FZJ), Valerio Venturi.
March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/18 Status of the Adoption of a SAML-XACML Profile.
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
Mine Altunay July 30, 2007 Security and Privacy in OSG.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
Apr 26, 20071/3 OSG Executive Board Meeting Gabriele Garzoglio OSG Executive Board Meeting Gabriele Garzoglio VO Services, PL Computing Division, Fermilab.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep et al. NIKHEF.
INFSO-RI Enabling Grids for E-sciencE EGEE Security Joni Hahkala, UH-HIP On behalf of JRA3 JRA1 AH March 22-24, 2006.
Oct 19, 20101/16 Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware in OSG and EGEE CHEP 2010 Oct 19, 2010 Gabriele.
INFSO-RI Enabling Grids for E-sciencE G-PBox Auth meeting 13/9/2005 Presenter: Vincenzo Ciaschini.
OSG AuthZ components Dane Skow Gabriele Carcassi.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
Mar 27, gLExec Accounting Solutions in OSG Gabriele Garzoglio gLExec Accounting Solutions in OSG Mar 27, 2008 Middleware Security Group Meeting Igor.
Jun 12, 20071/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio AuthZ Interoperability Status and Plans June 12, 2007 Middleware Security.
AstroGrid-D Meeting MPE Garching, M. Braun VO Management.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
Eileen Berman. Condor in the Fermilab Grid FacilitiesApril 30, 2008  Fermi National Accelerator Laboratory is a high energy physics laboratory outside.
EMI INFSO-RI Argus The EMI Authorization Service Valery Tschopp (SWITCH) Argus Product Team.
Sep 25, 20071/5 Grid Services Activities on Security Gabriele Garzoglio Grid Services Activities on Security Gabriele Garzoglio Computing Division, Fermilab.
INFSO-RI Enabling Grids for E-sciencE glexec on worker nodes David Groep NIKHEF.
Jun 18, 20071/26 Security Policies and Middleware in OSG Gabriele Garzoglio Security Policies and Middleware in OSG June 18, 2007 JRA1 All Hands Meeting.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML interoperability Oscar Koeroo.
INFSO-RI Enabling Grids for E-sciencE AuthZ Interop: A common XACML Profile ( Bonus material about the implementation) Oscar Koeroo.
INFSO-RI Enabling Grids for E-sciencE AuthZ Interop: A common XACML Profile and its current implementation Oscar Koeroo.
Sep 17, 20081/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Sep 17, 2008 Gabriele Garzoglio.
Feb 15, 20071/6 OSG EB Meeting – VO Services Status Gabriele Garzoglio VO Services Status OSG EB Meeting Feb 15, 2007 Gabriele Garzoglio, Fermilab.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.
OSG Status and Rob Gardner University of Chicago US ATLAS Tier2 Meeting Harvard University, August 17-18, 2006.
1 Globus Toolkit Security Java Components Rachana Ananthakrishnan Frank Siebenlist.
Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February gPLAZMA:
INFSO-RI Enabling Grids for E-sciencE SCAS Progress Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Workplan.
Argus EMI Authorization Integration
f f FermiGrid – Site AuthoriZation (SAZ) Service
AuthZ Interop report out
Overview OSG & EGEE Authorization Models
Presentation transcript:

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware ISGC 2012 Feb 27, 2012 Keith Chadwick for the AuthZ Interop team Grid & Cloud Computing dept., Computing Sector, Fermilab Overview OSG & EGI Authorization Models Authorization Interoperability Profile Implementations, Status, and Plans

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 2/17 The Collaboration Ian Alderman 9 Mine Altunay 1 Rachana Ananthakrishnan 8 Joe Bester 8 Keith Chadwick 1 Vincenzo Ciaschini 7 Yuri Demchenko 4 Andrea Ferraro 7 Alberto Forti 7 Gabriele Garzoglio 1 David Groep 2 Ted Hesselroth 1 1 Fermilab, Batavia, IL, USA 2 NIKHEF, Amsterdam, The Netherlands 3 Brookhaven National Laboratory, Upton, NY, USA 4 University of Amsterdam, Amsterdam, The Netherlands 5 SWITCH, Zürich, Switzerland 6 BCCS, Bergen, Norway 7 INFN CNAF, Bologna, Italy 8 Argonne National Laboratory, Argonne, IL, USA 9 University of Wisconsin, Madison, WI, USA John Hover 3 Oscar Koeroo 2 Chad La Joie 5 Tanya Levshina 1 Zach Miller 9 Jay Packard 3 Håkon Sagehaug 6 Valery Sergeev 1 Igor Sfiligoi 1 Neha Sharma 1 Frank Siebenlist 8 Valerio Venturi 7 John Weigand 1

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 3/17 The Authorization Model The EGEE (EGI) and OSG security model is based on X509 end entity and proxy certificates for single sign-on and delegation Role-based access to resources is based on VOMS Attribute Certificates Users push credentials and attributes to resources Access privileges are granted with appropriate local identity mappings Resource gateways (Gatekeeper, SRM, gLExec, …) i.e. Policy Enforcement Points (PEP) call-out to site-central Policy Decision Points (PDP) for authorization decisions

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 4/17 Authorization Infrastructure (the OSG case) Grid Site GUMS Site Services SAZ CE Gatekeeper LCMAP Is Auth? Yes / No SE SRM gPlazma ID Mapping? Yes / No + UserName VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy synch WN gLExec LCMAP Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 8 8 Schedule Pilot OR Job 9 Pilot SU Job (UID/GID) 10 VO PDP PEPs AuthZ Components Legend Not Officially In OSG VO Management Services

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 5/17 Goals for Interoperability Agree on common PEP to PDP call-out protocol and implementation to… 1. …share and reuse software developed for EGI and OSG 2. …give software providers (external to the Grid organizations) reference protocols to integrate with both Grids infrastructures 3. …enable the seamless deployment of software developed in the US or EU in the EU or US security infrastructures

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 6/17 AuthZ Interoperability Activities 2008  Release XACML profile document: 1+ yr collaboration (OSG, EGEE, Globus, and Condor_  Implementation and integration of XACML AuthZ modules with principal PDPs and PEPs in OSG and EGEE  Demonstrated interoperability of OSG vs. EGEE deployments in ad-hoc scenarios – Goal  Discussion on evolutions of the profile in the context of Argus  Argus extends the interoperability profile  External software providers use the profile as reference on authorization for the Grid Domain. TechX: SVOPME project. Globus: GT5 – Goal  Consolidation of additional OSG PDPs and PEPs  Start migration of PEPs to LCAS / LCMAS (Nikhef, NL) as common code base – Goal  Tune client parameters to sustain authz tsunami  Extend profile with proxy validity attributes  Begin OGF standardization – Goal  Work on profile extension for Cloud Authorization

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 7/17 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware ISGC 2012 Feb 27, 2012 Keith Chadwick for the AuthZ Interop team Grid & Cloud Computing dept., Computing Sector, Fermilab Overview OSG & EGI Authorization Models  Authorization Interoperability Profile Implementations, Status, and Plans

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 8/17 Request/Response Attribute Categories Request is made with  Subject attributes  Action attributes  Resource attributes  Environment attributes Response is made with  Permit, Deny, or Indeterminate  Obligation attributes PDP Site Services CE / SE / WN Gateway PEP XACML Request XACML Response Grid Site Subject S requests to perform Action A on Resource R within Environment E Decision Permit, but must fulfill Obligation O

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 9/17 Request Attributes Subject (see profile doc for full list)  Subject-X509-id  String: OpenSSL DN notation  Subject-VO  String: “CMS”  VOMS-FQAN  String: “/CMS/VO-Admin” Resource (see doc for full list)  Resource-id (enum type)  CE / SE / WN  Resource X509 Service Certificate Subject  resource-x509-id  Host DNS Name  Dns-host-name Action  Action-id (enum type)  Queue / Execute-Now / Access (file)  Res. Spec. Lang.  RSL string Environment  PEP-PDP capability negot.  PEP sends to PDP supported Obligations  Enables upgrading of the PEPs and PDPs independently  Pilot Job context (pull- WMS)  Pilot job invoker identity  Policy statement example: “User access to the WN execution environment can be granted only if the pilot job belongs to the same VO as the user VO”

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 10/17 Obligation Attributes UIDGID  UID (integer): Unix User ID local to the PEP  GID (integer): Unix Group ID local to the PEP Secondary GIDs  GID (integer): Unix Group ID local to the PEP (Multi recurrence) Username  Username (string): Unix username or account name local to the PEP. Path restriction  RootPath (string): a sub-tree of the FS at the PEP  HomePath (string): path to user home area (relative to RootPath) Storage Priority  Priority (integer): priority to access storage resources. Access permissions  Access-Permissions (string): “read-only”, “read-write”

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 11/17 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware ISGC 2012 Feb 27, 2012 Keith Chadwick for the AuthZ Interop team Grid & Cloud Computing dept., Computing Sector, Fermilab Overview OSG & EGI Authorization Models Authorization Interoperability Profile  Implementations, Status, and Plans

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 12/17 Implementations SAML v2 - XACML v2 profile  OpenSAML (Java); Globus XACML (C) Authorization Callout Modules and PDPs  LCAS / LCMAPS (L&L) - SCAS plug-in  SCAS (EGI)  PRIMA - gPlazma plug-in  GUMS / SAZ (OSG) Resource Gateways  Computing Element  Pre-WS and WS Gatekeepers 4.2 / 5.2  Storage Element  SRM / dCache; BeStMan; xrootd; GridFTP  Worker Node  gLExec

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 13/17 PRIMA GUMS SAML1 XACML2 SCAS XACML2 SAZ socket gLExecSRM/dCache L&L SAML1 lib XACML2 gLite lib SAML1 lib SAZ Clnt XACML Callout Structure - using EMI code in OSG Pre-WS GK PRIMA SAML1 lib XACML2 gLite lib SAZ Clnt WN CE SE Gateway Call-out XACML lib PDP Legend: Cmpnt EGEE Comp. used in OSG WS GK v4.0 PRIMA WS SAML1 lib SAZ Clnt GridFTP PRIMA SAML1 lib XACML2 gLite lib SAZ Clnt SAZ Clnt gPlazma SAZ Clnt XACML2 gLite lib 2010 SRM BeStMan PRIMA SAML1 lib XACML2 gLite lib XACML2

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 14/17 GUMS XACML2 gLExecSRM/dCache L&L XACML2 gLite lib gPlazma XACML Callout Structure - using EMI code in OSG Pre-WS GK WN CE SE Gateway Call-out XACML lib PDP 2012 GK v5.2 XACML2 gLite lib GridFTP xrootd SRM BeStMan Legend: Cmpnt EGEE Comp. used in OSG XACML2 gLite lib L&L XACML2 gLite lib L&L XACML2 gLite lib L&L XACML2 gLite lib XACML2 gLite lib L&L SAZ XACML2

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 15/17 Performance Tuning PEP time-out to help PDP sustain authorization tsunami ADD PLOTS AND DATA

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 16/17 Status and Plans rpm-based VDT packages L&L / XACML call- out for easy deployment Major OSG sites fully or partially migrated Working with OGF on standardization of the profile Looking for collaborators to extend the standardized profile in support of Cloud Authorization  Goal: reuse stable fine-grain role-based site- central Grid AuthZ infrastructure for Cloud deployments at sites

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 17/17 Conclusions An EGEE, OSG, Globus, and Condor collaboration has released in 2008 an Authorization Interoperability profile and XACML implementation Effort on OGF standardization and extension for Cloud computing Call-out module implementations are integrated with major Resource Gateways Performance tuned to support the authorization needs of major OSG Grid sites The major advantages of the infrastructure are: 1. share and reuse software developed for EGI and OSG 2. give software providers reference protocols to integrate with both Grids infrastructures 3. when using the same release of the protocol, enable the deployment of software developed in the US or EU in the EU or US security infrastructures

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.