Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Community Security Policies for Trustworthy e/cyberinfrastructure Jens Jensen, STFC (UK) Paolo Mori, CNR (IT) Stephan Kindermann, DKRZ (DE)

Published byJane Beasley Modified over 8 years ago

Similar presentations

Presentation on theme: "Implementing Community Security Policies for Trustworthy e/cyberinfrastructure Jens Jensen, STFC (UK) Paolo Mori, CNR (IT) Stephan Kindermann, DKRZ (DE)"— Presentation transcript:

1 Implementing Community Security Policies for Trustworthy e/cyberinfrastructure Jens Jensen, STFC (UK) Paolo Mori, CNR (IT) Stephan Kindermann, DKRZ (DE) Mark van de Sanden, SurfSARA (NL) International Symposium on Grids and Clouds (ISGC) 2014, Academia Sinica, Taipei, March 2014

2 Contents Background – the problem, the projects What are policies? AAI deployment Requirements Implementation

3 BACKGROUND The problem, the projects

4 Background – The Problem e/cyber infrastructures are providing services Mostly federation rules are quite simple –D Kelsey et al – WLCG federation rules –WLCG has a simple VO structure (see later) However, user communities will diversify –And complexificate –And future developments may also have an effect

5 Background – The Relevance e-/cyber-infrastructures support diverse communities Scale – more users, more data, complexity Make use of standards – tools, implementations, protocols Stds 1+1i Users

6 Background – the Projects Federated access to clouds: ConSec: framework for AAI Data e-Infrastructure

7 7 Data StagingSafe ReplicationSimple Store AAIMetadata Catalogue Dynamic replication to HPC workspace for processing Data curation and access optimization Various flavors Researcher data store (simple upload, share and access) Aggregated EUDAT metadata domain. Data inventory Network of trust among authentication and authorization actors PID Identity Integrity Authenticity Locations EUDAT Box dropbox -like service easy sharing local synching Semantic Anno checking & referencing services to come Dynamic Data immediate handling Workflow Engine executing WFs EUDAT Services

8 Simple but works – WLCG WLCGVOSiteSecurity

9 WLCG WLCG is (kind of) a federation of T0, T1, T2, T3 –1 T0, ~11 T1, ~100 T2s, Four original WLCG VOs (ATLAS, CMS, LHCb, ALICE) Additional VOs: global, international, national, site VOs provide scalability: –Accepting WLCG AUP –Defining scope of VO’s work –Managing membership and user authorisation –Authorisation is pretty coarse grained: user, production –Using VOMS (RFC3281 AC)

10 More complex: Dramatis Personae FederationCommunity Sub- community MemberSiteSite adminSite opsec“Fed stuff”

11 Next steps in federated authorisation? How can we express policy in practice, and which policy requirements can we identify – and satisfy with the technology available to us today? Case studies: ENES (climate), CLARIN (linguistics) in EUDAT

12 POLICIES

13 Policies (in general) –Identity attributes –Authorisation attributes doing to –identifier, class-of-object in –Time, location, status

14 We divide policies into two main classes: * Authorisations: express the actions that a subject is allowed to perform on an object within an environment. * Prohibitions: express actions that a subject is not allowed to perform on an object within an environment. (use with caution...)

15 Usage Control Normal access control: “pre” (before action) Ongoing control: “on” (after successful initial decision)

16 DEPLOYMENT

17 Technology Review Protocols and Standards X.509 – federation-internal credentials (SSL/TLS) XACML SAML OAuth (RFC6749) – delegation of credentials

18 From xacml-3.0-core-spec-os-en: Copyright © OASIS Open 2013. All Rights Reserved. The XACML model

19 Important: separation of duties in ConSec

20 REQUIREMENTS Community policies

21 ENES Data centres: local data ingest Actions: –Access, Ingest, Publish, Modification/Version User and API access (OGC WPS?)

22 CLARIN – The Language Archive (TLA) Trusted repository Users can upload and share language data NREN (Shib) feds for identity and attributes Authorisation is local (currently.htaccess), generally individually {user}x{file}  {true, false} Virtualises the logical name space and physical name, identifies objects via Persistent Identifiers

23 EUDAT itself Different authentication methods (e.g. OpenID, OAuth, X.509, Shib, …) Support fine grained access control – VO and Role approach does not (always) work A minimum set of semantically standardised attributes for user identification and access control (future: CoC) Communities retain control on authorisation decisions Attributes provided by IdP, ConSec, or (todo) AtP Support different Access Methods (e.g. HTTP, GridFTP, Web Portals, Workflows) Bridge to other infrastructures – PRACE, EGI, …

24 EUDAT itself Authorisation policies Language sufficiently expressive Tools to make it possible to express Sufficient performance in evaluations Resilience possible (against SPoF, attacks) Need much of XACML3.0 supported Also certain optional, er, options (note also support for UCON as extension)

25 IMPLEMENTATION Community policies

26 Very simple policies …? (Communities) Objects = Files (or datasets) Subjects = User (DN/principal) –With X.509. Possibly delegated (w. OAuth) Actions = read (mostly) Environment = (don’t care) …

27 Very simple policies? (Sites’ view) Site policies: –Define communities to support –Define min-req-LoA, policy-attrs., AUP accepted –Traceable identities –Agents are user-delegated (OAuth)

28 Very simple policies? (Fed’n view) Which LoAs are supported –Policy for assignment of LoAs to IdPs –Cross federation AUPs accepted Supporting volatile attributes? Community data must go only to community-supporting sites

29 Combining Algorithms Select on membership: –User is member of –PolicySet Kind of like boolean (except 3-state) (or (and (member-x) (cond-x)) (and (member-y) (cond-y))) Membership can be multi-valued (future?)

30 Combining Algorithms PolicySet: Policies from Com., Site, Fed’n Failsafe: deny overrides Consider ordering: in general, Com. is more specific (do last) Check communities orthogonal: (NotApplicable) if processed

31 Matching Community Resources (fed policy) Resource publishes (bag of) community Use of AttributeSelector

32 E.g. AUP and IdP-LoA Fed: IdP is covered by suitable policy –Or, user has accepted additional AUP Comm.: Must have Comm.-AUP Site: must have Comm. member and AUP

33 Problems – Translations Translating existing ACLs into the fed. infra “New” names: users, files –must be mapped, consistent, persistent –Particularly ePTID where no algo exists (use email?) How to address files –Replicas, PID, –Protect every replica; single ACL Datasets (PID/handle), granularity

34 Problems – more names urn names of attributes (AttributeDesignator) Harmonised credentials made it possible (problem is pushed to multi server and/or fed’n db) Consistency across PEPs - context

35 Access Control Decisions (community integration) Callout to existing PDP (e.g. REMS) –REMS: {user} x {file}  {true, false} Run a new REMS instance with e-I names Translate to fed-provided policy (language) –Maintain consistency With XACML it’d be Policy (with first-applicable ) … where Target matches file “name”, subject “name”, and action (Access)

36 CONCLUSION

37 What we can do XACML (prototype!) Data ACL (read only) Data ACL (read only) Fed level PAP

38 Future work PEP integration with EUDAT services Understanding of the naming problems Support more actions Link to external AA/AtP (eg VOMS) Community PAPs More testing…!

39 Conclusions Basics (like read-only) common to communities –Somewhat coarse grained, except objects –Expressing ~90% is relatively easy, translations harder –Still a bit experimental – getting a feel for what’s feasible –Semi-hand-knitted – works, but no direct community PAP Yes, probably XACML is overkill atm –But it makes sense to use standards –Maintain extensibility for future Move to federated authorisation not trivial –Mostly the (re)naming problems –Still need to integrate non-IdP AtP (AA) Federation must provide (consistent) authorisation –Enforced at lowest level (storage) – ConSec provides portal and API

40 Thanks… S Memon, FZJ (DE) I Matteucci, A Yautsiukhin, M Petrocchi, L Krautsevich, A Lazouski, CNR (IT) W Elbers, MPI (NL)

41 EXTRA SLIDES

42 POLICIES

43 Contradictions * Contradictory policies allow and deny the same action by the same subject on the same object within the same environment * Alice can write clinical data during office hours * Alice cannot write clinical data during office hours

44 Exceptions * Exceptions: different effects on the same action, and one policy is a subset of the other one. * Subjects with role General Practitioner can print documents of category medical of their patients * Subjects with ID dr12345 cannot print the document with ID xyz * dr12345 has role General Practitioner * xyz is a medical document

45 Correlations * Correlations: different effects and the attributes set of a policy intersects the attributes set of the other * Subjects with role Administrative Personnel can print administrative documents * Subjects with role Administrative Personnel cannot print administrative documents until 31/12/2020

46 Analytic Hierarchy Process 1)you have a goal in mind 2)you have different alternatives to reach the goal 3) AHP helps you in choose the most relevant alternative based on a set of criteria.

47 Sub-criteria Each criterion can be refined by considering sub-criteria

48 AHP for policy conflict resolution The goal is ranking two conflicting policies and prioritize the application of the winning policy The alternatives are the two conflicting policies The criteria are –Specificity of the subject –Specificity of the object –Specificity of the environment –The subcriteria for each criterion are for subject: ID, role, and organization for object: ID, category, and issuer for environment: status, time, and location

49 DEPLOYMENT

50 Fed stuff? Governance –Rules of membership –Policies Operations –Adding/removing sites, communities, –Security incidents (coordinate response) –Dealing with (high level) policy violations Legal –Data protection –Compliance with national legislation

51 -- 51 -- Federated Id Resource PEP PDP DB Policies PAP PIP Subscr. OK X reject + suspend Federation core =attributes (SAML) Authorisation and Access Control

Download ppt "Implementing Community Security Policies for Trustworthy e/cyberinfrastructure Jens Jensen, STFC (UK) Paolo Mori, CNR (IT) Stephan Kindermann, DKRZ (DE)"

Similar presentations

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
(Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.

(Re)using existing AAI experiences and future --- AAI Soapbox --- Jens Jensen, STFC-RAL Terena VAMP, 0-1 Oct 2013.
Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.

Implementing Federated Security with ConSec Jens Jensen, STFC OGF40, Oxford, 16 Jan 2014.
Contrail and Federated Identity Management

Contrail and Federated Identity Management
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.

EUDAT FIM4R at TNC 2014 Jens Jensen, STFC, on behalf of EUDAT AAI task force.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford.

Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.

XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,

Similar presentations

Ads by Google