Rights Management in Globus Data Services Ann Chervenak, ISI/USC Bill Allcock, ANL/UC.

Slides:



Advertisements
Similar presentations
Giggle: A Framework for Constructing Scalable Replica Location Services Ann Chervenak, Ewa Deelman, Ian Foster, Leanne Guy, Wolfgang Hoschekk, Adriana.
Advertisements

The Replica Location Service In wide area computing systems, it is often desirable to create copies (replicas) of data objects. Replication can be used.
Globus DataGrid Overview Bill Allcock, ANL GridPP Meeting 30 June 2003.
GT 4 Security Goals & Plans Sam Meder
Data Management Expert Panel - WP2. WP2 Overview.
Data Management Expert Panel. RLS Globus-EDG Replica Location Service u Joint Design in the form of the Giggle architecture u Reference Implementation.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Authz work in GGF David Chadwick
DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
4b.1 Grid Computing Software Components of Globus 4.0 ITCS 4010 Grid Computing, 2005, UNC-Charlotte, B. Wilkinson, slides 4b.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Globus 4 Guy Warner NeSC Training.
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The Data Replication Service Ann Chervenak Robert Schuler USC Information Sciences Institute.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
Data Management Kelly Clynes Caitlin Minteer. Agenda Globus Toolkit Basic Data Management Systems Overview of Data Management Data Movement Grid FTP Reliable.
OPEN GRID SERVICES ARCHITECTURE AND GLOBUS TOOLKIT 4
Globus Data Replication Services Ann Chervenak, Robert Schuler USC Information Sciences Institute.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
ESP workshop, Sept 2003 the Earth System Grid data portal presented by Luca Cinquini (NCAR/SCD/VETS) Acknowledgments: ESG.
Grid Resource Allocation and Management (GRAM) Execution management Execution management –Deployment, scheduling and monitoring Community Scheduler Framework.
MySQL and GRID Gabriele Carcassi STAR Collaboration 6 May Proposal.
1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.
Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA.
CYBERINFRASTRUCTURE FOR THE GEOSCIENCES Data Replication Service Sandeep Chandra GEON Systems Group San Diego Supercomputer Center.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.
Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
The Globus Authorization Processing Framework New Challenges for Access Control Workshop April 27, 2005, Ottawa, Canada Frank Siebenlist (Argonne National.
JISC Middleware Security Workshop 20/10/05© 2005 University of Kent.1 The PERMIS Authorisation Infrastructure David Chadwick
CHEP03 Mar 25Mary Thompson Fine-grained Authorization for Job and Resource Management using Akenti and Globus Mary Thompson LBL,Kate Keahey ANL, Sam Lang.
The Replica Location Service The Globus Project™ And The DataGrid Project Copyright (c) 2002 University of Chicago and The University of Southern California.
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
1 GT XACML Authorization Rachana Ananthakrishnan Argonne National Laboratory.
Grid Security: Authentication Most Grids rely on a Public Key Infrastructure system for issuing credentials. Users are issued long term public and private.
Policy Resolution and Enforcement of Privileges in a Grid Authorization System Based on Job Properties Sang-Min Park, Glenn Wasson, and Marty Humphrey.
Wide Area Data Replication for Scientific Collaborations Ann Chervenak, Robert Schuler, Carl Kesselman USC Information Sciences Institute Scott Koranda.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
EGEE User Forum Data Management session Development of gLite Web Service Based Security Components for the ATLAS Metadata Interface Thomas Doherty GridPP.
Conference name Company name INFSOM-RI Speaker name The ETICS Job management architecture EGEE ‘08 Istanbul, September 25 th 2008 Valerio Venturi.
Grid Authorization Landscape and Futures Von Welch NCSA
OSG AuthZ components Dane Skow Gabriele Carcassi.
Authorization GGF-6 Grid Authorization Concepts Proposed work item of Authorization WG Chicago, IL - Oct 15 th 2002 Leon Gommans Advanced Internet.
Database authentication in CORAL and COOL Database authentication in CORAL and COOL Giacomo Govi Giacomo Govi CERN IT/PSS CERN IT/PSS On behalf of the.
ALCF Argonne Leadership Computing Facility GridFTP Roadmap Bill Allcock (on behalf of the GridFTP team) Argonne National Laboratory.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
Policy Management for OGSA Applications as Grid Services Lavanya Ramakrishnan.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML interoperability Oscar Koeroo.
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
Building Preservation Environments with Data Grid Technology Reagan W. Moore Presenter: Praveen Namburi.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
The AstroGrid-D Information Service Stellaris A central grid component to store, manage and transform metadata - and connect to the VO!
1 Globus Toolkit Security Java Components Rachana Ananthakrishnan Frank Siebenlist.
Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
A gLite Authorization Framework
Presentation transcript:

Rights Management in Globus Data Services Ann Chervenak, ISI/USC Bill Allcock, ANL/UC

EGEE Workshop on Rights Management in Production Grids2 Outline l Brief discussion of Globus Authorization in General l Authorization in GridFTP and related tools l Authorization in the Globus Replica Location Service and related tools.

EGEE Workshop on Rights Management in Production Grids3 GT4 Security l Public-key-based authentication l Extensible authorization framework based on Web services standards u SAML-based authorization callout l As specified in GGF OGSA-Authz WG u Integrated policy decision engine l XACML policy language, per-operation policies, pluggable l Credential management service u MyProxy (One time password support) l Community Authorization Service l Standalone Delegation Service l SimpleCA: Online credential generation l PERMIS: Authorization service callout

EGEE Workshop on Rights Management in Production Grids4 Effective Policy Governing Access Within A Collaboration

EGEE Workshop on Rights Management in Production Grids5 GT’s Assertion Processing “Problem” l VOMS/Permis/X509/Shibboleth/SAML/Kerberos identity/attribute assertions l XACML/SAML/CAS/XCAP/Permis/ProxyCert authorization assertions l Assertions can be pushed by client, pulled from service, or locally available l Policy decision engines can be local and/or remote l Delegation of Rights is required “feature” implemented through many different means GT-runtime has to mix and match all policy information and decisions in a consistent manner…

EGEE Workshop on Rights Management in Production Grids6 GT Authorization Framework

EGEE Workshop on Rights Management in Production Grids7 GT’s Authorization Processing Model (1) l Use of a Policy Decision Point (PDP) abstraction that conceptually resembles the one defined for XACML. u Normalized request context and decision format u Modeled PDP as black box authorization decision oracle l After validation, map all attribute assertions to XACML Request Context Attribute format l Create mechanism-specific PDP instances for each authorization assertion and call-out service l The end result is a set of PDP instances where the different mechanisms are abstracted behind the common PDP interface.

EGEE Workshop on Rights Management in Production Grids8 GT’s Authorization Processing Model (2) l The Master-PDP orchestrates the querying of each applicable PDP instance for authorization decisions. l Pre-defined combination rules determine how the different results from the PDP instances are to be combined to yield a single decision. l The Master-PDP is to find delegation decision chains by asking the individual PDP instances whether the issuer has delegated administrative rights to other subjects. l the Master-PDP can determine authorization decisions based on delegated rights without explicit support from the native policy language evaluators.

EGEE Workshop on Rights Management in Production Grids9 Outline l Brief discussion of Globus Authorization in General l Authorization in GridFTP and related tools l Authorization in the Globus Replica Location Service and related tools.

EGEE Workshop on Rights Management in Production Grids10 One Slide Overview of GridFTP Control Data Control Data Control Data Control Data globus-url-copyRFT Service RFT Client SOAP Messages Notifications (Optional)

EGEE Workshop on Rights Management in Production Grids11 What is the problem? l MxN problem u Too many accounts, not scalable l Site wants to authorize by community, but must be able to identify an individual if there is a problem l Process still runs under a UID and file system permissions must be honored. l Requirement for authorization based not only identity, but a role or an attribute. l Scalability u Millions of file, 1000s of users…

EGEE Workshop on Rights Management in Production Grids12 Initial Observations l RFT authorization is NOT data access authz u No data access authorization, but right to run (like a job) l GridFTP is more than read and write u Many people use it as a “remote shell” u Listings, file/dir creation and deletion, permissions, etc. l GridFTP is authorization agnostic. u The protocol, nor the Globus implementation of it, has a specified authorization mechanism.

EGEE Workshop on Rights Management in Production Grids13 What is provided from Globus l Essentially, we use OS file system permissions l PI typically runs as root during connection establishment u Uses host certificate for authentication l To determine what account to map the user to a security callout is used u CAS enabled l globus_gss_assist_map_and_authorize() u Else l globus_gss_assist_gridmap l globus_gss_assist_userok (specific account requested)

EGEE Workshop on Rights Management in Production Grids14 All cases are basically the same l Just as in web services slides, three pieces of information are provided u Security context (DN plus optional assertions. Essentially an opaque structure) u The resource to be acted on u The action being request l A boolean response determines action l Failure propagation is an issue

EGEE Workshop on Rights Management in Production Grids15 A little more detail RFT Service RFT Client SOAP Messages Notifications (Optional) Data Channel Protocol Interpreter Master DSI Data Channel Slave DSI IPC Receiver IPC Link Master DSI Protocol Interpreter Data Channel IPC Receiver Slave DSI Data Channel IPC Link ? ?

EGEE Workshop on Rights Management in Production Grids16 GridFTP can’t have a single system l The system behind the Data Storage Interface can be complex, with its own authorization system u HPSS uses Kerberos and LDAP lookups u SRB maps DN to SRB credential l Different VOs will have their own system. l So far, this has been sufficient

EGEE Workshop on Rights Management in Production Grids17 Odds and Ends… l Web services version of GridFTP u Reproduce the PDPs of Java container? l NFSv4 integration of DN into file attributes sounds interesting as a solution to the dynamic account problem u Doesn’t address roles / attributes l UID does provide other useful functionality u Quotas for instance l Authorization of Connections u Have a prototype developed with UWis / Condor u Proposal in to improve

EGEE Workshop on Rights Management in Production Grids18 Outline l Brief discussion of Globus Authorization in General l Authorization in GridFTP and related tools l Authorization in the Globus Replica Location Service and related tools.

EGEE Workshop on Rights Management in Production Grids19 Globus Replica Location Service A Replica Location Service (RLS) is a distributed registry that records the locations of data copies and allows replica discovery u RLS maintains mappings between logical identifiers and target names u Must perform and scale well: support hundreds of millions of objects, hundreds of clients l E.g., LIGO (Laser Interferometer Gravitational Wave Observatory) Project u RLS servers at 10 sites u Maintain associations between 6 million+ logical file names & 120 million physical file locations

EGEE Workshop on Rights Management in Production Grids20 LRC RLI LRC Replica Location Indexes Local Replica Catalogs Replica Location Index (RLI) nodes aggregate information about one or more LRCs LRCs use soft state update mechanisms to inform RLIs about their state: relaxed consistency of index Optional compression of state updates reduces communication, CPU and storage overheads RLS Features Local Replica Catalogs (LRCs) contain consistent information about logical-to-target mappings

EGEE Workshop on Rights Management in Production Grids21 Current Authorization in RLS l Gridmap files and ACLs l Allow users to associate read, write permissions with users l Emphasis on scalability and performance l Problems: u No finer grained access control u Undesirable for VOs to share RLS servers, since a writer in one VO can alter entries in another l How to provide additional functionality without destroying performance for power users? u Need to register and discover millions of files quickly

EGEE Workshop on Rights Management in Production Grids22 Planned Support for Multiple VOs to Coexist Safely l Dynamic deployment of new VOs within existing LRC deployment u Possibly by deploying separate tables l VO-specific index layer: lighter-weight, bitmaps in memory l Callout to PDP for SAML authorization: identify user’s VO VO1 LRC VO2 LRC VO1 LRC VO2 LRC CAS/ PDP VO1 Index Cloud Shared server VO2 Index Cloud Pull- based Push- based

EGEE Workshop on Rights Management in Production Grids23 Longer-Term: Fine-grained Authorization l On a per-file or group of files basis u LRC makes authz callout, providing operation and policy ID u Policy engine decides based on credentials, operations, policy DB l Is this level of write authorization needed at the catalogs? u Typically a small group of privileged publishers who have broad permissions u Medical applications, others…

EGEE Workshop on Rights Management in Production Grids24 WS-RLS and DRS l WS RLS: new Web Service interface to RLS l Data Replication Service (DRS): combines RFT, RLS operations u Both WS-RF compatible interfaces l Can make use of GT4 authorization infrastructure u Configure a chain of authorization mechanisms and allow plug-ins of new authorization schemes u Evaluate a chain of Policy Decision Points (PDPs) u Includes a SAML callout, mechanism for grid-mapfile authorization u Make authorization decisions at container level l Support for adding custom authorization modules u Passes full client request message to the custom call-out u PDP can access the internal state of service to extract information needed to make authorization decisions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.