INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org AuthZ Interop: A common XACML Profile ( Bonus material about the implementation) Oscar Koeroo.

Slides:



Advertisements
Similar presentations
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Advertisements

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.
INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
INFSO-RI Enabling Grids for E-sciencE gLExec, SCAS and the paths forward Introduction to pilot jobs and gLExec and SCAS framework.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
PanDA Multi-User Pilot Jobs Maxim Potekhin Brookhaven National Laboratory Open Science Grid WLCG GDB Meeting CERN March 11, 2009.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security and Job Management.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.
May 11, 20091/17 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting May 11, 2009 Gabriele Garzoglio.
Jan 10, 20091/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Jan 10, 2009 Gabriele Garzoglio.
Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.
March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/18 Status of the Adoption of a SAML-XACML Profile.
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep et al. NIKHEF.
INFSO-RI Enabling Grids for E-sciencE EGEE Security Joni Hahkala, UH-HIP On behalf of JRA3 JRA1 AH March 22-24, 2006.
Oct 19, 20101/16 Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware in OSG and EGEE CHEP 2010 Oct 19, 2010 Gabriele.
INFSO-RI Enabling Grids for E-sciencE G-PBox Auth meeting 13/9/2005 Presenter: Vincenzo Ciaschini.
VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring.
OSG AuthZ components Dane Skow Gabriele Carcassi.
Rights Management in Globus Data Services Ann Chervenak, ISI/USC Bill Allcock, ANL/UC.
EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
Jun 12, 20071/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio AuthZ Interoperability Status and Plans June 12, 2007 Middleware Security.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.
GRID Security & DIRAC A. Casajus R. Graciani A. Tsaregorodtsev.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.
INFSO-RI Enabling Grids for E-sciencE SRMv2.2 in DPM Sophie Lemaitre Jean-Philippe.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
INFSO-RI Enabling Grids for E-sciencE glexec on worker nodes David Groep NIKHEF.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML interoperability Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The LCG interface Stefano BAGNASCO INFN Torino.
Open Science Grid Build a Grid Session Siddhartha E.S University of Florida.
INFSO-RI Enabling Grids for E-sciencE AuthZ Interop: A common XACML Profile and its current implementation Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Practical using WMProxy advanced job submission.
Sep 17, 20081/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Sep 17, 2008 Gabriele Garzoglio.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
EGEE-III INFSO-RI Enabling Grids for E-sciencE VO Authorization in EGEE Erwin Laure EGEE Technical Director Joint EGEE and OSG Workshop.
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Job Management Claudio Grandi.
1 Globus Toolkit Security Java Components Rachana Ananthakrishnan Frank Siebenlist.
Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February gPLAZMA:
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
Why you should care about glexec OSG Site Administrator’s Meeting Written by Igor Sfiligoi Presented by Alain Roy Hint: It’s about security.
INFSO-RI Enabling Grids for E-sciencE SCAS Progress Oscar Koeroo.
Enabling Grids for E-sciencE Claudio Cherubino INFN DGAS (Distributed Grid Accounting System)
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Workplan.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus: command line usage and banning Christoph.
Argus EMI Authorization Integration
AuthZ Interop report out
Overview OSG & EGEE Authorization Models
Presentation transcript:

INFSO-RI Enabling Grids for E-sciencE AuthZ Interop: A common XACML Profile ( Bonus material about the implementation) Oscar Koeroo

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 2 The architecture

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 3 pre-WS GT4 gk,gridftp, opensshd Scope: on one site SAML-XACML Query OSG EGEE glexec edg-gk edg-gridftpd gt4-interface pre-WS GT4 gk, gridftp, opensshd dCache Common SAML XACML library L&L plug-in: SAML-XACML Prima + gPlazma: SAML-XACML LCAS + LCMAPS CREAM Pilot job on Worker Node (both EGEE and OSG) Site Central: SCAS L&L plug-ins (regu. set) Site Central: GUMS (+ SAZ) SAML-XACML interface Common SAML XACML library Front-end node (CE, SE, WN, etc.) gJAF / Globus AuthZ

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 4 How it should work (conceptual) SAML-XACML interface Globus SAML XACML library Site Central LCAS + LCMAPS or GUMS and SAZ SAML-XACML PEP (L&L plug-in or PRIMA) Globus SAML XACML library Set of Obligations Obligation handler[N] SAML-XACML Query Q: map.user.to.some.poolOblg: user001, somegrp R:

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 5 The paper work

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 6 Namespace URI choice: URN vs. URL  URL won –URL-style doesn’t require centralized registration –Can be established by registering the (relevant) domain name to ensure uniqueness Our registered Namespace (owned by David Groep): – Root namespace prefix for all our message elements: –

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 7 Request Attributes: Namespace prefix construction: Subject: /subject Action: /action Resource: /resource Environment: /environment

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 8 Overview of Subject attributes (0) Subject-id  Subject-X509-id –String: OpenSSL oneline notation of the DN Subject-issuer  Subject-X509-Issuer –String: OpenSSL oneline notation of the Issuer DN (new) Subject-Condor-Canonical-Name-id –String: Certificate-Serial-Number –Integer: 42 CA-serial-number –Integer: 1 CA-policy-OID –String: “ ” (Robot Certificate) Cert-Chain (experimental) –base64Binary: “MIICbjCCAVagA……..” Subject-VO –String: “gin.ggf.org”

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 9 Overview of Subject attributes (1) VOMS-signing-subject –String: OpenSSL oneline notation VOMS-signing-issuer –String: OpenSSL oneline notation VOMS-dns-port –String: “kuiken.nikhef.nl:15050” VOMS-FQAN –String: “/gin.ggf.org/APAC/VO-Admin” VOMS-Primary-FQAN –String: “/gin.ggf.org/APAC/VO-Admin”

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 10 Overview of Action attributes Run-type: expressed as the ‘action-id’ (enum. type) –Queue  Requesting execution to a (remote) queue. –Execute-Now  Requesting direct execution (remotely) –Access (file)  Request for (generic) file access

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 11 Overview of Resource attributes Node-type: (enum. type) –CE (Computing Element)  Can also be the head-node or entry point to a cluster –WN (Worker Node)  A node type that will process jobs, typically in a cluster –SE (Storage Element)  (Logical) storage facility or specific storage node Host DNS Name –The name of the host More Resource bound/specific attributes are being discussed Host certificate DN & Host certificate Issuer

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 12 Before we hit the Environment… SAML-XACML interface Globus SAML XACML library Site Central LCAS + LCMAPS or GUMS and SAZ SAML-XACML PEP (L&L plug-in or PRIMA) Globus SAML XACML library Set of Obligations Obligation handler[N] SAML-XACML Query Q: map.user.to.some.poolOblg: user001, somegrp R:

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 13 Overview of Environment attrib’s Supported Obligations –Announces the capabilities of the PEP to a PDP by sending the obligation IDs that it supports –The PDP can choose to return an appropriate set of obligations from this list –Allows upgradeability of the PEPs and PDPs independently by deploying new functionalities step by step Invoker identity –Used in Pilot job and in new Condor use cases –These attributes resemble the identity of the pilot job invoker –Contains the set of attributes known to be found in the Subject section Invoker type –The value of this element will describe very explicitly what kind of invoker scenario is at hand  Pilot job: as we know it in the WLCG / OSG environment  Unprivileged Condor daemon: new run mode which uses glexec as the only element that requires root privileges

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 14 Obligations Namespace prefix construction: Obligations: /obligation Attributes: /attributes

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 15 Obligations (0) UIDGID  UID (integer): Unix User ID local to the PEP  GID (integer): Unix Group ID local to the PEP –Stakeholder: Common –Must be consistent with: Username Username  Username (string): Unix username or account name local to the PEP. –Stakeholder: VO Services Project –Must be consistent with: UIDGID SecondaryGIDs –Multi recurrence  GID (integer): Unix Group ID local to the PEP –Stakeholder: EGEE –Needs obligation(s): UIDGID

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 16 Obligations (1) AFSToken  AFSToken (string) in base64: AFS Token passed as a string –Stakeholder: EGEE –Needs obligation(s): UIDGID

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 17 Obligations (2) RootAndHomePaths  RootPath (string): this parameter defines a sub-tree of the whole file system available at the PEP. The PEP should mount this sub-tree as the “root” mount point (‘/’) of the execution environment. This is an absolute path.  HomePath (string): this parameter defines the path to home areas of the user accessing the PEP. This is a path relative to RootPath. –Stakeholder: VO Services Project –Needs obligation(s): UIDGID or Username StorageAccessPriority  Priority (integer): an integer number that defines the priority to access storage resources. –Stakeholder: VO Services Project –Needs obligation(s): UIDGID or Username

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 18 Open issues & way forward Adding the host credentials (when available) Adding the current Unix UID and Unix GID(s) from the originating resource process Using the XACML Category element –Sorry I don’t have all the details about this –Pushes the Invoker identity into one element Document will reach version 1.0 within two weeks –Means feature freeze in the list of understood attributes, formatting and structuring –The implementations will base their functionality on this version Risk: Uncertain if we might be incompatible with true XACML- policy engines

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 19 ?

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 20 The implementation

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 21 It works! (server side) oscars-computer:~/dvl/saml2-xacml2 okoeroo$ bin/xacml-server -i Server ready... listening on port Pausing... Accepted connection from remote host: localhost - Warning: Data Oscar Koeroo and host localhost do not match! /C=NL/CN=Oscar Koeroo /C=NL/CN=DutchGrid CA [0] 1 [0] /gin.ggf.org [0] /gin.ggf.org [1] /gin.ggf.org/pragma

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 22 It works! (client side) oscars-computer:~/dvl/saml2-xacml2 okoeroo$ test/runtest.sh - Warning: Data asen.nikhef.nl and host localhost do not match! UIDGID: Got obligation [ = [ = 500 Server said: urn:oasis:names:tc:SAML:2.0:status:Success:0 oscars-computer:~/dvl/saml2-xacml2 okoeroo$

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 23 The C implementation Globus has provided the SAML2-XACML2 implementation around the gSOAP library –Able to override data transport layer with basic I/O hooks  Used to implement an SSL/TLS layer (SOAP over HTTPS) –Helper functions  Registration of the supported obligations with obligation handlers  Adding the registered obligations into the request message declared as supported obligations

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 24 Performance Localhost tests mostly –Hardware limited to this laptop The bottleneck turns out to be the CPU for the SSL negotiation phase, still reaching: –Nominal: 7 Hz –Burst: 15 Hz –Interval to burst: 12 seconds

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 25 Work Lot of time spend on the document, not in the code Feedback loop is slow –Mostly due to timezone differences Prototype finished and meets basic requirements Integration with the LCMAPS framework is almost finished Prototype has been send to Jay Packard to work on the Java side for GUMS

Enabling Grids for E-sciencE INFSO-RI MWSG Bologna Status of Profile Doc 26 ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.