Dynamic Privilege Management Infrastructures Utilising Secure Attribute Exchange Dr John Watt Grid Developer, National e-Science Centre University of Glasgow.

Overview
- DyVOSE Overview
- PERMIS Static PMI Implementation
- Shibboleth and the SAAM Module
- Dynamic Delegation
- Future Work

Dynamic Virtual Organisations for e-Science Education (DyVOSE) project
- Two-year project started 1 May 2004, funded by JISC
- Exploring advanced authorisation infrastructures for security in the context of education
  - University of Kent provides the authorisation software (PERMIS) and security expertise
  - Applied in the Grid Computing module of the advanced MSc at the University of Glasgow
    - Will provide insight into rolling out authorisation infrastructures/Grid to the masses
    - Exploration of the current state of the art in authorisation infrastructures
  - Second phase of work involves NeSC Edinburgh
  - Extensions to the existing PERMIS infrastructure to provide dynamic delegation of authority and recognition of authority
- Project website:

DyVOSE Participants
Dynamic Virtual Organisations in e-Science Education (DyVOSE) team
- Principal Investigators
  - Dr Richard Sinnott (NeSC Glasgow)
  - Prof David Chadwick (Kent)
- Implementation
  - Dr John Watt (NeSC Glasgow)
  - Dr Sassa Otenko (Kent)
  - Mr Tuan Anh Nguyen (Kent)
  - Mr Wensheng Xu (Kent)
- Other Key People Involved
  - Dr David Berry (NeSC Edinburgh)
  - Dr Sandy Shaw (EDINA) – SDSS/Shibboleth

DyVOSE Workplan Phase 1
- Applying existing PERMIS technology to establish a static Privilege Management Infrastructure at GU
- [Diagram: PERMIS-based authorisation checks and decisions against Education VO policies for ScotGrid, the GU Condor pool and other (known!) Grid resources]

DyVOSE Workplan Phase 2/3
- [Diagram: PERMIS-based authorisation checks and decisions against Glasgow and Edinburgh Education VO policies; Shibboleth linking Glasgow and Edinburgh; ScotGrid, the Condor pool and Blue Dwarf as resources; dynamically established VO resources/users governed by delegated VO policies]

Authorisation Technologies
- CAS/VOMS
  - Rights/roles asserted by a centralised server
    - No interpretation needed at the resource end
  - Flexible at VO level, but no resource-level decisions
- Akenti
  - Access control at the resource end (not central)
    - Desirable
  - Not VO specific
- PERMIS
  - X.509 and SAML

PERMIS
- PrivilEge and Role Management Infrastructure Standards validation
- X.509 Role Based Access Control (RBAC)
- Attribute Certificates hold user roles in LDAP
- XML policy defines the access control
- Java API allows any application to be protected
- Complex policies and multiple Attribute Authorities supported

PERMIS Functionality
- PERMIS allows you to define roles for who can do what on what
  - Policy = { Role x Target x Action }
    - Can user X invoke service Y and access or change data Z?
      - Policies are created with the PERMIS Policy Editor (output is an XML file)

PERMIS XML Policy

PERMIS based Authorisation
- PERMIS Privilege Allocator then used to associate roles with specific users
  - Signed policies are stored as attribute certificates in an LDAP server
- Exploiting the GGF AuthZ specification
  - Generic way to authorise access to Grid services using SAML callouts
    - Based on GT3.3 – PERMIS
      - Grid service (WSDD) has policy information associated with it
      - DN of clients, target and actions checked when attempts are made to invoke services
  - "BRIDGES and DyVOSE only projects exploiting this API right now" (Von Welch at AHM 2004)

Explorations in Grid Course
- Students applied the Policy Editor to develop a security policy for use in their assignment
- Sorting/searching the "works of Shakespeare"
  - … run on a single PC
  - … using the training lab Condor pool
  - … * as a GT3.3/Condor service
  - … as a GT3.3 service using GSI
    - To see how authorisation at service level is achieved
      - Service should be accessible by themselves and lecturing staff only
  - … using * for a GT3.3-PERMIS authorised service
    - To see how authorisation at method level is achieved
      - Students split into groups (Gp1, Gp2)
        - Sort method available to their group and lecturers only
        - Search method available to all
- Performance aspects investigated throughout…

PERMIS/Globus Issues
- Long time wrestling with GT3.3-PERMIS integration
- Some delays due to version issues with GT3.3
  - Also required some debugging of GT3.3 (commenting out code)
- Continued feedback on PERMIS tools
  - Policy editor refinements
    - Numerous discussions/meetings with the Salford team on sorting out PERMIS-GT3.3 issues
- Certificate dependencies in using PERMIS
  - Expects certificates created using OpenSSL
- Experience gained for DyVOSE Phase 2…

SSO and Access Control on Web Resources
- Home Institution AUTHENTICATES
  - Recognised across the federation
    - Temporary handle created
  - Releases user attributes to service providers
    - User can restrict the set of attributes released
- Resource Institution AUTHORISES
  - Using the attributes passed by the home institution
    - Resource has the final access decision
- Resource trusts Home to release correct info…
- We have v1.2 operating as part of SDSS…
  - Walkthrough provided on the DyVOSE website

Messages are secure, attributes may not be!
- Shibboleth encodes its messages in SAML v1.1
  - But attributes are not digitally signed (plaintext)
- Authz configuration is Apache-based
  - Any change to the rules requires a complete restart of the web server
- Multiple Attribute Authorities unsupported
- Coarse-grained access control function: "User A with Attribute B can access C"

Could PERMIS resolve these issues?
- Attributes are stored in digitally signed X.509 ACs
  - User attributes are now secure
- PERMIS PMI controls the authorisation
  - No Shibboleth/Apache restart when rules change
- PERMIS supports multiple Sources of Authority
  - User may select attributes from more than one AA
- Complex access control policies
  - Conditionals, role hierarchies …again!

The PERMIS SAAM Module
- Apache module providing an authorisation handling function
- mod_permis is loaded BEFORE the Shibboleth module in the Apache configuration file httpd.conf
  - Requires alteration of approx. 5 files at federation sites
- mod_permis can either
  - Collect the ACs from LDAP itself (PULL mode)
  - Be provided with the ACs for the decision (PUSH mode)
- "Development of a Flexible PERMIS Authorisation Module for Shibboleth and Apache Server", D. Chadwick, O. Otenko, W. Xu

The PERMIS SAAM Module

Dynamic Delegation
- Static PMI successfully built at Glasgow
- Goal is to build a PMI-based VO between Glasgow and Edinburgh
- Requires provision for Dynamic Delegation of Authority
- Extensions to the PERMIS software will implement this infrastructure
- Two cases will be investigated:
  - Static Delegation (easily done by adding the Edinburgh SOA and roles to the policy)
  - Simple Dynamic Delegation (this year's Grid Course…)

Static Delegation

Simple Dynamic Delegation
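The policy model from the PERMIS slides above (Policy = { Role x Target x Action }, roles held in attribute certificates signed by a Source of Authority, role hierarchies) together with the static and dynamic delegation cases on the delegation slides, as an added Python example. This is not PERMIS or DyVOSE code: the DNs, role names and keys, the policy layout, and the per-issuer HMAC that stands in for the X.509 signature on an attribute certificate (a real PDP verifies with the issuer's public key; this toy holds a key per issuer) are all invented here. It shows an altered attribute being rejected where a plaintext attribute would pass, a second SOA being trusted only once added to the policy (static delegation), and a delegate issuing a role only within the domain its own SOA permits (dynamic delegation).

```python
# Toy PERMIS-style PDP (added example, not DyVOSE/PERMIS code). Invented here: all DNs,
# roles and keys, the policy layout, and the HMAC "signature" that stands in for an
# X.509 AC signature (a real PDP verifies with the issuer's public key).
import hashlib
import hmac
from collections import namedtuple

# attribute certificate: holder DN, role, issuer DN, delegation flag, signature
AC = namedtuple("AC", "holder role issuer can_delegate sig")


def _sign(key, holder, role, issuer, can_delegate):
    msg = "\x1f".join([holder, role, issuer, str(can_delegate)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_ac(keys, issuer, holder, role, can_delegate=False):
    """The issuer (an SOA, or a delegate holding a delegatable role) signs the AC."""
    return AC(holder, role, issuer, can_delegate,
              _sign(keys[issuer], holder, role, issuer, can_delegate))


def make_policy(extra_soas=None):
    """Policy = { Role x Target x Action }, plus which SOA may assign which role to which
    subject domain, and a role hierarchy; extra_soas adds SOAs (static delegation)."""
    soa, extra_soas = "cn=SOA,o=Glasgow", extra_soas or {}
    return {
        "soas": {soa, *extra_soas},
        "role_assignment": {soa: dict.fromkeys(["Lecturer", "Gp1", "Gp2", "Student"],
                                               "o=Glasgow"), **extra_soas},
        "hierarchy": {"Lecturer": ["Gp1", "Gp2"], "Gp1": ["Student"], "Gp2": ["Student"]},
        "targets": {"ShakespeareService": {"search": {"Student"},
                                           "sortGp1": {"Gp1"}, "sortGp2": {"Gp2"}}},
    }


def implied_roles(hierarchy, role):
    """The role plus everything junior to it in the hierarchy (cycle-safe walk)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack += hierarchy.get(r, [])
    return seen


def authority_domain(policy, keys, ac, all_acs, depth=0):
    """Validate one AC; return the subject domain its authority covers, else None.
    Signature first; an SOA issuer must be allowed to give this role to the holder's
    domain; any other issuer must itself hold a valid delegatable AC for the role (or a
    senior one) covering that domain, so every chain ends at a trusted SOA."""
    if ac.issuer not in keys or depth > 8:
        return None
    expected = _sign(keys[ac.issuer], ac.holder, ac.role, ac.issuer, ac.can_delegate)
    if not hmac.compare_digest(ac.sig, expected):
        return None  # tampered or forged; an unsigned plaintext attribute would pass here
    if ac.issuer in policy["soas"]:
        domain = policy["role_assignment"].get(ac.issuer, {}).get(ac.role)
        return domain if domain and ac.holder.endswith("," + domain) else None
    for up in all_acs:
        if (up.holder == ac.issuer and up.can_delegate
                and ac.role in implied_roles(policy["hierarchy"], up.role)):
            domain = authority_domain(policy, keys, up, all_acs, depth + 1)
            if domain and ac.holder.endswith("," + domain):
                return domain  # a delegate cannot reach outside its own SOA's domain
    return None


def decide(policy, keys, holder, target, action, all_acs):
    """Deny unless a validly held role (or one it implies) is permitted for target/action."""
    held = set()
    for ac in all_acs:
        if ac.holder == holder and authority_domain(policy, keys, ac, all_acs):
            held |= implied_roles(policy["hierarchy"], ac.role)
    return bool(held & policy["targets"].get(target, {}).get(action, set()))


def demo():
    g, e, alice = "cn=SOA,o=Glasgow", "cn=SOA,o=Edinburgh", "cn=alice,o=Glasgow"
    keys = {g: b"k-gla", e: b"k-edi", alice: b"k-alice"}  # constructed stand-in key material
    acs = [issue_ac(keys, g, alice, "Lecturer", can_delegate=True),
           issue_ac(keys, g, "cn=bob,o=Glasgow", "Gp1"),
           issue_ac(keys, e, "cn=carol,o=Edinburgh", "Student"),
           issue_ac(keys, alice, "cn=dan,o=Glasgow", "Gp1"),       # dynamic delegation
           issue_ac(keys, alice, "cn=eve,o=Edinburgh", "Gp1")]     # outside alice's domain
    bob = acs[1]  # bob rewrites his own role but cannot re-sign without the SOA's key
    acs.append(AC(bob.holder, "Lecturer", bob.issuer, False, bob.sig))
    gla, both = make_policy(), make_policy({e: {"Student": "o=Edinburgh"}})
    t, carol = "ShakespeareService", "cn=carol,o=Edinburgh"
    return {"bob_search": decide(gla, keys, bob.holder, t, "search", acs),     # True
            "bob_sortGp2": decide(gla, keys, bob.holder, t, "sortGp2", acs),   # False
            "carol_before": decide(gla, keys, carol, t, "search", acs),        # False
            "carol_after": decide(both, keys, carol, t, "search", acs),        # True
            "dan_sortGp1": decide(both, keys, "cn=dan,o=Glasgow", t, "sortGp1", acs),    # True
            "eve_sortGp1": decide(both, keys, "cn=eve,o=Edinburgh", t, "sortGp1", acs)}  # False
```

The checks that matter for the slides are in `authority_domain`: the signature is verified before anything else (the Shibboleth weakness above is that nothing equivalent protects a plaintext attribute), every chain of delegated ACs must terminate at an SOA the policy trusts, and a delegate is confined to the subject domain its SOA was allowed to assign. Adding Edinburgh as a second SOA is the static delegation case; Alice issuing a group role to Dan under her delegatable Lecturer role is the simple dynamic case.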

Future Work
- Implementation of new PERMIS Dynamic Delegation software
  - DIS (Delegation Issuing Service)
- Cross-certification role mapping
- Design of final student use-case to demonstrate dynamic PMI
- Final report on best practices and methods