Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Grid Authorization Thomas Uram Argonne National Laboratory.

Published bySimon Richards Modified over 9 years ago

Similar presentations

Presentation on theme: "Access Grid Authorization Thomas Uram Argonne National Laboratory."— Presentation transcript:

1 Access Grid Authorization Thomas Uram turam@mcs.anl.gov Argonne National Laboratory

2 Agenda Authorization Landscape Role-based Authorization AuthorizationManager API Examples and exercises

3 Landscape PKI –Every user has a unique certificate Web Services –Web-accessible components of the AG software are exposed via SOAP over GSI –GSI connections are authenticated using certificates User’s identity subject to verification by server Server’s identity subject to verification by user –Methods are distinguished by their callability Administrator methods –Venue configuration User methods –Venue entry

4 Landscape Multicas t Audio Service Video Service Venue

5 Role-based Authorization Abstraction layer between objects and persons who will access them Similar to *nix file system concept –Each object has a list of actions that can be performed on it (rwx) –Each action has a list of groups which are allowed to call it –Each group has a list of members (/etc/group)

6 Roles Roles are user groups –Required roles Administrator User –Custom roles Venue.AllowedEntry Venue.RegisteredUsers

7 Actions Actions define operations on web services –In *nix file system analog, read/write/execute are Actions Actions currently map one-to-one to web service methods –VenueServer.GetVenues –Venue.GetStreams

8 Subjects Subject class holds information about a user (in particular, the user’s distinguished name)

9 Policies An authorization policy describes the role/action/subject relationships in force for a service The policy for a service is represented in XML The policy can be modified wholesale, or through individual calls Services define default policies

10 Authorization UI VenueServer

11 Authorization UI Venue

12 AuthorizationManager AccessGrid.Security.AuthorizationManager Exposes interfaces for modifying the authorization policy for a service Used in authorization callback registered with SOAP server

13 AuthorizationManager API

14 Future work Finer-grained authorization –Apply to objects in Venue –Permit authorization of individuals, not just groups Consider integrating a well-established authorization framework

15 Example: List defined Roles #!/usr/bin/python2 import sys from AccessGrid.Toolkit import CmdlineApplication from AccessGrid.Venue import VenueIW from AccessGrid.Security.AuthorizationManager import AuthorizationManagerIW url = sys.argv[1] # Create and initialize application app = CmdlineApplication() app.Initialize('ListRoles') # Get url for authorization manager and create interface wrapper v = VenueIW(url) amurl = v.GetAuthorizationManager() authManager = AuthorizationManagerIW(amurl) # Get roles from venue and process roleList = authManager.ListRoles() for role in roleList: print role.name

16 Exercise: List subjects in Roles

17 Example: Venue ACL manager

Download ppt "Access Grid Authorization Thomas Uram Argonne National Laboratory."

Similar presentations

January 30, 2014 Copyright Jim Farley Beyond JDBC: Java Object- Relational Mappings Jim Farley e-Commerce Program Manager GE Research and Development

January 30, 2014 Copyright Jim Farley Beyond JDBC: Java Object- Relational Mappings Jim Farley e-Commerce Program Manager GE Research and Development
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
VO. ClientVOMS Resource 1. Authentication 2. Credentials 3. Authentication.

VO. ClientVOMS Resource 1. Authentication 2. Credentials 3. Authentication.
Implementing and Administering AD FS

Implementing and Administering AD FS
Holding slide prior to starting show. Supporting Collaborative Working of Construction Industry Consortia via the Grid - P. Burnap, L. Joita, J.S. Pahwa,

Holding slide prior to starting show. Supporting Collaborative Working of Construction Industry Consortia via the Grid - P. Burnap, L. Joita, J.S. Pahwa,
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
1 ARPA A regional infrastructure for secure role-based access to RTRT services Ing. Laura Castellani Tuscany Region.

1 ARPA A regional infrastructure for secure role-based access to RTRT services Ing. Laura Castellani Tuscany Region.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
PAWN: Producer-Archive Workflow Network University of Maryland Institute for Advanced Computer Studies Joseph Ja’Ja, Mike Smorul, Mike McGann.

PAWN: Producer-Archive Workflow Network University of Maryland Institute for Advanced Computer Studies Joseph Ja’Ja, Mike Smorul, Mike McGann.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Peoplesoft: Building and Consuming Web Services

Peoplesoft: Building and Consuming Web Services
Understanding Active Directory

Understanding Active Directory
Managing Client Access

Managing Client Access
Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Lightning Talk Fred Rodriguez Nguyen Do CPSC 473 May 6, 2012.

Lightning Talk Fred Rodriguez Nguyen Do CPSC 473 May 6, 2012.

Similar presentations

Ads by Google