Policy Management for OGSA Applications as Grid Services Lavanya Ramakrishnan.

Overview
Motivation
Architecture
Scenarios
Implementation
Future Directions

Policy requirements
The system may be
– a personal IR system
– a shared IR system
Shared services from different domains
Security at various levels
– Method
– Service data
– Factory
Dynamic policy
Security should be independent of application logic
Tedious to write policy files
(Diagram: GridIR – Grid Information Retrieval; components: Persistent queries, Grid Query Processor, Collection Manager, Indexer)

PolicyManager Service Architecture
(Diagram: PolicyManager Service with Policy Store; Authorization Service with Policy Cache; interactions labelled Fetch Policy and Policy Change)

Features
Separation of duty
– Between policy management and decision points
– Synchronization of policy
– Policy Management is data intensive
– Authorization Service is compute intensive
– Scalability of functionalities
Flexibility
– Authorization at various levels
Pluggability
– Application-specific security independent of application logic

Features
Dynamic Policy
– Policy can be updated through the PolicyManager
– Notification passes from the PolicyManager to the AuthorizationService
Trust between two entities
– Reduces exposure of functionality
  Only Service Owners can change policy
  Authorization services can access only specific policies
  Registered services will have access to the Authorization Service
– Can be run as secure services
Usability
– Graphical user interface to write policy

Discussions - Scenarios
Personal Policy Manager and Authorization Service
(Diagram: Virtual Organization containing two Applications, each with its own Authorization service and PolicyManager)

Discussions - Scenarios
Group Policy Manager and Authorization Service
(Diagram: Virtual Organization; Application; one Authorization service and one PolicyManager shared by the group)

Discussions - Scenarios
Multiple Policy Manager and Authorization Service
(Diagram: Application; Authorization service and PolicyManager for local policies; Authorization service and PolicyManager for VO policies; Decision Merging between them)
– Local policies
– VO policies
– Policies to merge decisions
– Dynamic policies based on load, etc.
– Common policies
– Local policies to be enforced in the VO

Service Creation Time
(Sequence diagram; participants: PolicyManager GUI Client, PolicyManagerService, Authorization Service, OGSA Service Instance, OGSA Service Factory, Authorization Service Factory)
– Initialize the policy
– Create service instance
– Create OGSA service
– Create Personal Authz service if required
– Create Authz service
– Register
– Subscribe to policy changes
– Get policy, e.g. gridmap

Service Call Time
(Sequence diagram; participants: PolicyManagerService, AuthorizationService, OGSA Service Instance, OGSA Service Client, XACML PDP)
– Call to service
– Check Authorization
– Get policy files if required

Policy Representation - 1
… GSH of the service … OperationName

Policy Representation - 2
… Distinguished Name of client … …

Service Data
Policy Manager
– Subscribe to policy change for a certain service's policy
– Notification data: something has changed in the policy for a particular service
Future
– Investigate sending the change in policy
– Larger problem of data merging on the receiving end
– Changed data may itself be huge
Authorization Service
– Services will be able to subscribe to notification on decision change
  Useful for long-running jobs
  Need to evaluate risks

Future directions
Extend Policy Representation and Management interfaces
– Time conditions
– Compatible with interfaces from OGSA-Authz WG
Performance measurements of the calls
Expand architecture if feasible and required
– To allow flexibility to launch them as a single service if required
– Send "diff" of policy as notification
Caching mechanisms
Experimenting with combinations of the services

Acknowledgements
NASA Virtual Collaborative Center
Sousan Karimi, Kevin Gamiel, Jeremiah Morris, Travis Walsh

Interfaces

Service         Operation Name      Input Message                                    Output Message
PolicyManager   generatePolicy      serviceId – xsd:string; acl – custom structure   Success – xsd:boolean
                updatePolicy        serviceId – xsd:string; acl – custom structure   Success – xsd:boolean
                getGridmap          serviceId – xsd:string                           gridmapFilePath – xsd:string
                getACL              serviceId – xsd:string                           policyFilePath[] – xsd:string
Authorization   register            policyMgrHandle – xsd:string                     -
                checkAuthorization  Context – clientId, service, operation           authorizedValue – xsd:boolean
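The following Python model is an added illustration of how the PolicyManager and Authorization interfaces above, the creation-time steps (Register, Subscribe to policy changes, Get policy) and the call-time step "Get policy files if required" fit together; it is not the project's code. Assumptions: method names follow the Interfaces table, an ACL is a dict mapping operation name to a set of client distinguished names, getGridmap and getACL return in-memory content rather than file paths, the gridmap sample is constructed in the Globus gridmap-file layout, and a plain ACL lookup stands in for the XACML PDP.

```python
"""Toy model of the PolicyManager / AuthorizationService split from the slides.

Added illustration, not the project's code.  Assumptions: method names mirror
the Interfaces table, an ACL is {operation: set(client DNs)}, getGridmap and
getACL return in-memory content instead of file paths, and a plain ACL lookup
stands in for the XACML PDP.
"""

# Constructed sample gridmap in the Globus gridmap-file layout: "DN" localuser
SAMPLE_GRIDMAP = '''
# comment lines are ignored
"/C=US/O=Example/CN=Alice Researcher" alice
"/C=US/O=Example/CN=Bob Operator" bob
'''

ALICE = "/C=US/O=Example/CN=Alice Researcher"
BOB = "/C=US/O=Example/CN=Bob Operator"


def parse_gridmap(text):
    """Map each quoted distinguished name to the first local account listed."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            end = line.index('"', 1)
            dn, rest = line[1:end], line[end + 1:]
        else:
            dn, _, rest = line.partition(" ")
        accounts = rest.strip().split(",")
        mapping[dn] = accounts[0].strip()
    return mapping


class PolicyManager:
    """Data-intensive side: owns the policy store and emits change notifications."""

    def __init__(self, gridmap_text):
        self._acls = {}         # serviceId -> {operation: set of client DNs}
        self._subscribers = {}  # serviceId -> list of callbacks
        self._gridmap = gridmap_text

    def generatePolicy(self, serviceId, acl):
        if serviceId in self._acls:
            return False        # Success = false: a policy already exists
        self._acls[serviceId] = {op: set(dns) for op, dns in acl.items()}
        return True

    def updatePolicy(self, serviceId, acl):
        if serviceId not in self._acls:
            return False
        self._acls[serviceId] = {op: set(dns) for op, dns in acl.items()}
        # Notification carries only "something changed", not the diff (Service Data slide)
        for callback in self._subscribers.get(serviceId, []):
            callback(serviceId)
        return True

    def getGridmap(self, serviceId):
        return self._gridmap

    def getACL(self, serviceId):
        # Return a copy so a cached ACL cannot be mutated behind the store's back
        return {op: set(dns) for op, dns in self._acls.get(serviceId, {}).items()}

    def subscribe(self, serviceId, callback):
        self._subscribers.setdefault(serviceId, []).append(callback)


class AuthorizationService:
    """Compute-intensive side: caches policy and answers checkAuthorization."""

    def __init__(self):
        self._policy_mgr = None
        self._cache = {}
        self.fetches = 0    # how often policy was pulled from the PolicyManager

    def register(self, policyMgrHandle):
        self._policy_mgr = policyMgrHandle

    def subscribeToPolicyChanges(self, serviceId):
        self._policy_mgr.subscribe(serviceId, self._invalidate)

    def _invalidate(self, serviceId):
        self._cache.pop(serviceId, None)   # next check re-fetches the policy

    def checkAuthorization(self, context):
        clientId, service, operation = context
        acl = self._cache.get(service)
        if acl is None:                     # "Get policy files if required"
            acl = self._policy_mgr.getACL(service)
            self._cache[service] = acl
            self.fetches += 1
        # Deny by default: an unknown service or operation yields False
        return clientId in acl.get(operation, set())


def demo():
    """Walk through creation time and call time; returns the decisions observed."""
    pm = PolicyManager(SAMPLE_GRIDMAP)
    authz = AuthorizationService()
    authz.register(pm)                                   # Register
    svc = "http://example.invalid/ogsa/Indexer"          # constructed GSH
    pm.generatePolicy(svc, {"index": {ALICE}, "query": {ALICE, BOB}})  # Initialize the policy
    authz.subscribeToPolicyChanges(svc)                  # Subscribe to policy changes
    r1 = authz.checkAuthorization((BOB, svc, "index"))   # denied, first fetch
    r2 = authz.checkAuthorization((BOB, svc, "query"))   # allowed, served from cache
    pm.updatePolicy(svc, {"index": {ALICE, BOB}, "query": {ALICE, BOB}})  # Policy Change
    r3 = authz.checkAuthorization((BOB, svc, "index"))   # allowed after re-fetch
    return r1, r2, r3, authz.fetches


if __name__ == "__main__":
    print(demo())
    print(parse_gridmap(SAMPLE_GRIDMAP))
```

The cache-invalidation callback is the point of the model: between the update and the next check the AuthorizationService serves no stale decision, and the fetch counter shows that policy is pulled only twice even though three decisions are made, which is the data-intensive versus compute-intensive split the Features slide argues for.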