Globus Toolkit Security Java Components
Rachana Ananthakrishnan, Frank Siebenlist


Slide 2: Authentication Framework

Slide 3: Authentication Schemes
- Secure Transport
  - Secure Sockets (https)
  - Anonymous access support
  - Container-level configuration
- Secure Message
  - Each individual message is secured
  - Replay attack prevention
- Secure Conversation
  - Handshake to establish a secure context
  - Anonymous access support

Slide 4: Server-side features
- Message protection options
  - Integrity and privacy
- Configure required authentication as policy
  - At service or resource level
  - Programmatically or via security descriptors
- Server response
  - Same authentication scheme as the request

Slide 5: Client-side features
- Configurable client-side authentication
  - Per-invocation granularity
  - Properties on the stub
  - Programmatically or via security descriptors
- Message protection options
  - Integrity and privacy
  - Default: integrity protection

Slide 6: Planned Work
- Pluggable path validation
  - Allows OCSP integration
  - Allows XKMS and trust-root provisioning schemes
- Kerberos work (long term)
  - Only if a real user requirement is motivated
- Requirements?

Slide 7: Delegation

Slide 8: Delegation Service
- Higher-level service
- Authentication-protocol independent
- Refresh interface
- Delegate once, share across services and invocations
[Figure: a Client, a Delegation Service and Service1, Service2, Service3 (Resources) inside a Hosting Environment; the arrows are labelled Delegate, EPR and Refresh, i.e. the client delegates to the Delegation Service once and the services refresh the delegated credential from it.]

Slide 9: Delegation
- Secure Conversation
  - Can delegate as part of the protocol
  - Extra round trip with delegation
  - The Delegation Service is the preferred way of delegating
- Secure Message and Secure Transport
  - Cannot delegate as part of the protocol

Slide 10: Planned Work
- Client-side support for X509Extensions
- Consolidation with EGEE's equivalent solution
- Requirements?

Slide 11: Authorization Framework

Slide 12: Server-side Authorization Framework
- Establishes whether a client is allowed to invoke an operation on a resource
- Only authenticated calls are authorized
- Authorization policy is configurable at resource, service or container level

Slide 13: Server-side Authorization Framework
- Policy Information Points (PIPs)
  - Collect attributes (subject, action, resource)
  - Example: Parameter PIP
- Policy Decision Points (PDPs)
  - Evaluate authorization policy
  - Examples: GridMap authorization, Self authorization, XACML, SAML authZ call-out
- Authorization Engine
  - Orchestrates the authorization process
  - Enforces authorization policy
  - Combining algorithm renders a decision

Slide 14: GT 4.0 Authorization Framework
[Figure: the Authorization Handler receives the identity and public credential of the client from the Authentication Framework and selects the appropriate Authorization Engine (deny-override); the engine runs PIP1, PIP2 ... PIPn, which store attributes in the Message Context, then PDP1, PDP2 ... PDPn, whose individual votes (Permit, Deny, Permit) are combined into one decision.]

Slide 15: GT 4.2 Attribute Framework
- Normalized attribute representation
  - Attribute Identifier:
    - Unique Id (URI)
    - Data Type (URI)
    - Is Identity Attribute? (boolean)
  - Set of values
  - Valid from
  - Valid to
  - Issuer
- Comparing attributes

Slide 16: Entity Attributes
[Figure: Entity1 holds Identity Attributes Attribute1 and Attribute2, Attributes AttributeA and AttributeB, and Native Attribute AttributeX; Entity2 holds Identity Attributes Attribute1 and Attribute3, Attributes AttributeC and AttributeD, and Native Attribute AttributeY. Both carry Attribute1, and after Merge a single entity holds Identity Attributes Attribute1, Attribute2, Attribute3, Attributes AttributeA, AttributeB, AttributeC, AttributeD, and Native Attributes AttributeX, AttributeY.]

Slide 17: Sample Attribute
- Attribute Identifier
  - Unique Id: urn:oasis:names:tc:xacml:1.0:subject:subject-id
  - Data Type: urn:globus:4.0:datatype:java:set:principal
  - Identity Attribute: true
- Set of values: /C=US/O=Globus Alliance/OU=User/CN=101497d3dcd.3dcd5aef
- Valid from: Wed Oct 18 10:33:03 CDT 2006
- Valid till: Infinity
- Issuer:

Slide 18: GT 4.2 Attribute Framework
- Bootstrap PIP
  - Collects attributes about the request: subject, action and resource
  - Example: X509BootstrapPIP

Slide 19: GT 4.2 PDP Interface
- Access rights
  - canAccess()
- Administrative rights
  - canAdmin()
- Return type: Decision
  - PERMIT / DENY / INDETERMINATE
  - Issuer of the decision
  - Validity
  - Exception, if any

Slide 20: GT 4.2 Authorization Engine
- Pluggable combining algorithm
- AbstractEngine.java
  - Initializes PIPs and PDPs with configured parameters
  - Invokes collectAttributes() on all PIPs
  - Merges the entity attributes returned by the PIPs
  - Abstract method engineAuthorize processes the PDPs
    - Combines decisions from individual PDPs
    - Returns a Decision
- Default combining algorithm
  - Permit override with delegation of rights
  - At least one decision chain from the resource owner to the requestor is required for a PERMIT
  - Resolves delegation-of-rights chains
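The PIP/PDP/engine split of slides 13 and 17 to 20 is easier to see in code than in bullets. The following is an added example written for this page, not Globus Toolkit code: the names collect/merge, canAccess/canAdmin and Decision echo the slides, but the classes, the ACL PDP, the DNs, the group table and the urn:example identifiers are constructed for the illustration. It runs the GT 4.0-style deny-override combining algorithm of slide 14 beside the GT 4.2 default of slide 20, where a PERMIT needs a chain of decisions from the resource owner to the requestor; the breadth-first walk over canAdmin grants is this example's reading of "resolves delegation of rights chains", not a transcription of the toolkit's logic.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    INDETERMINATE = "INDETERMINATE"


@dataclass(frozen=True)
class Decision:              # slide 19: the effect plus the issuer of the decision
    effect: Effect
    issuer: str


@dataclass(frozen=True)
class AttributeId:           # slide 15: unique id, data type, identity flag
    uri: str
    datatype: str
    is_identity: bool


@dataclass(frozen=True)
class Attribute:
    ident: AttributeId
    values: frozenset
    issuer: str


# The subject-id identifier is the one on slide 17; GROUP_ID and all DNs are constructed.
SUBJECT_ID = AttributeId("urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                         "urn:globus:4.0:datatype:java:set:principal", True)
GROUP_ID = AttributeId("urn:example:group", "urn:example:string", False)
OWNER, BOB, ALICE = "/C=US/O=Example/CN=owner", "/C=US/O=Example/CN=bob", "/C=US/O=Example/CN=alice"
MALLORY, REVOKED = "/C=US/O=Example/CN=mallory", "/C=US/O=Example/CN=revoked"
GROUPS = {ALICE: {"users"}}  # constructed group table


def bootstrap_pip(request):
    # Stand-in for slide 18's bootstrap PIP: attributes about the request itself.
    return [Attribute(SUBJECT_ID, frozenset({request["subject"]}), "authn-framework")]


def group_pip(request):
    # Constructed PIP that looks the caller up in an in-memory group table.
    return [Attribute(GROUP_ID, frozenset(GROUPS.get(request["subject"], set())), "group-db")]


def merge_attributes(bundles):
    # Slides 16 and 20: attribute lists from all PIPs are merged per identifier, values unioned.
    merged = {}
    for bundle in bundles:
        for attr in bundle:
            prev = merged.get(attr.ident)
            merged[attr.ident] = attr if prev is None else Attribute(
                attr.ident, prev.values | attr.values, prev.issuer)
    return merged


class AclPdp:
    """Constructed access-control-list PDP with an owner, as 'PDP [owner]' on slide 21."""

    def __init__(self, owner, permit=(), deny=(), admin=()):
        self.owner = owner
        self.permit, self.deny, self.admin = frozenset(permit), frozenset(deny), frozenset(admin)

    def can_access(self, attrs):
        subject = next(iter(attrs[SUBJECT_ID].values))
        effect = (Effect.DENY if subject in self.deny else
                  Effect.PERMIT if subject in self.permit else Effect.INDETERMINATE)
        return Decision(effect, self.owner)

    def can_admin(self, entity):
        return Decision(Effect.PERMIT if entity in self.admin else Effect.INDETERMINATE, self.owner)


def deny_override(pdps, attrs, resource_owner=None):
    # GT 4.0-style engine (slide 14): one DENY outweighs any PERMIT; no PERMIT at all fails closed.
    effects = {pdp.can_access(attrs).effect for pdp in pdps}
    if Effect.DENY in effects:
        return Decision(Effect.DENY, "engine")
    return Decision(Effect.PERMIT if Effect.PERMIT in effects else Effect.DENY, "engine")


def permit_override_with_delegation(pdps, attrs, resource_owner):
    # Slide 20's default: a PERMIT needs a chain from the resource owner to the requestor.
    # A hop is a canAdmin PERMIT from an entity that already holds rights to another entity;
    # the chain ends with a canAccess PERMIT. A grant by an entity outside the chain is ignored.
    by_owner = {}
    for pdp in pdps:
        by_owner.setdefault(pdp.owner, []).append(pdp)
    seen, queue = {resource_owner}, deque([resource_owner])
    while queue:
        holder = queue.popleft()
        for pdp in by_owner.get(holder, []):
            if pdp.can_access(attrs).effect is Effect.PERMIT:
                return Decision(Effect.PERMIT, holder)
            for candidate in by_owner:
                if candidate not in seen and pdp.can_admin(candidate).effect is Effect.PERMIT:
                    seen.add(candidate)
                    queue.append(candidate)
    return Decision(Effect.DENY, "engine")


def authorize(engine, request, pips, pdps, resource_owner=None):
    # Slide 20's AbstractEngine flow: collect from every PIP, merge, then run the combining algorithm.
    attrs = merge_attributes(pip(request) for pip in pips)
    return engine(pdps, attrs, resource_owner)


PIPS = [bootstrap_pip, group_pip]
PDPS = [AclPdp(OWNER, deny={REVOKED}, admin={BOB}),  # owner delegates admin rights to bob
        AclPdp(BOB, permit={ALICE, REVOKED}),         # bob grants access to alice (and to revoked)
        AclPdp(MALLORY, permit={MALLORY})]            # self-issued grant with no link to the owner
```

With the constructed policy, alice is permitted by both engines, revoked is denied by the deny-override engine because the owner's PDP votes DENY, and mallory's self-issued PERMIT counts under deny-override but is ignored by the delegation-chain engine because no canAdmin path leads from the owner to mallory. That difference is the practical reason for the 4.2 default: a PDP may only grant rights it was itself delegated.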

Slide 21: GT 4.2 Authorization Framework
[Figure: the Authorization Handler receives the identity and public credential of the client from the Authentication Framework and selects the appropriate Authorization Engine. Bootstrap PIPs bPIP1 [owner1] ... bPIPn [ownerN] produce the Request Attributes; PIP1 [owner1] ... PIPn [ownerN] perform PIP attribute processing; the resulting Attributes go to PDP1 [owner1] ... PDPn [ownerN] (canAdmin, canAccess), whose results the PDP combining algorithm turns into the Decision.]

Slide 22: Authorization Engine Precedence
- Authorization engine used
  - Administrative authorization engine (container)
  1. Resource-level authorization engine
  2. Service-level authorization engine
  3. Container-level authorization engine
- Default:
  - X509BootstrapPIP and Self authorization

Slide 23: Some 4.2 PDP/PIP Examples
- Parameter PIP
- VOMS PIP
- SAML AuthN Assertion PIP
- Access Control List PDP
- Parameter-based Resource Property PDP
- SAML AuthZ Assertion PDP

Slide 24: Client-side Authorization
- Determines whether the said service/resource is allowed to cater to the client's request
- Pluggable authorization scheme
  - Defined interface; implement custom schemes
- Configured as a property on the stub or using security descriptors
- Examples: Self, Host, Identity, None
- Default: Host
- Required when secure conversation is used with delegation

Slide 25: GT 4.2 Enhancements
- HostOrSelf authorization
  - Algorithm:
    - Do host authorization
    - If it fails, do self authorization
  - Set as the default in the 4.2 code base
- Service key information embedded in the EPR
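Client-side authorization (slides 24 and 25) is the mirror image of the server-side engine: after authentication the client holds the server's proven identity and checks it against the identity it expected, and a mismatch aborts the call before any delegation happens. The block below is an added example, not Globus Toolkit code. It assumes, as a convention the slides do not state, that a host credential's subject ends in "/CN=host/<fqdn>" or "/CN=<fqdn>", that identities are compared as plain DN strings, and that the scheme names "host", "self", "identity", "hostOrSelf" and "none" are constructed labels standing in for whatever a stub property would carry.

```python
# Client-side authorization schemes, constructed illustration (not GT code).

def subject_cn(dn):
    """Value after the last '/CN=' in a slash-separated DN, or None if there is none."""
    idx = dn.rfind("/CN=")
    return None if idx < 0 else dn[idx + 4:]


def host_authorization(peer_dn, expected_host):
    # Host scheme (the 4.0 default): the peer must hold the credential of the host the
    # client connected to. Assumed CN forms: "host/<fqdn>" or "<fqdn>".
    cn = subject_cn(peer_dn)
    if cn is None or expected_host is None:
        return False
    name = cn[len("host/"):] if cn.startswith("host/") else cn
    return name.lower() == expected_host.lower()  # host names are case-insensitive


def self_authorization(peer_dn, own_dn):
    # Self scheme: the peer must present the very identity the client runs under.
    return own_dn is not None and peer_dn == own_dn


def identity_authorization(peer_dn, expected_dn):
    # Identity scheme: the peer must match one explicitly configured DN.
    return expected_dn is not None and peer_dn == expected_dn


def host_or_self_authorization(peer_dn, expected_host, own_dn):
    # Slide 25's HostOrSelf (the 4.2 default): host authorization first, self only if it fails.
    return host_authorization(peer_dn, expected_host) or self_authorization(peer_dn, own_dn)


def authorize_server(scheme, peer_dn, expected_host=None, own_dn=None, expected_dn=None):
    """Dispatch on a scheme name of the kind a caller sets per invocation (slide 24).
    An unknown scheme name fails closed rather than silently behaving like 'none'."""
    checks = {
        "host": lambda: host_authorization(peer_dn, expected_host),
        "self": lambda: self_authorization(peer_dn, own_dn),
        "identity": lambda: identity_authorization(peer_dn, expected_dn),
        "hostOrSelf": lambda: host_or_self_authorization(peer_dn, expected_host, own_dn),
        "none": lambda: True,
    }
    check = checks.get(scheme)
    return bool(check and check())
```

The fail-closed default in authorize_server is the design point worth copying: a typo in a configured scheme name should surface as a refused connection, not as an unauthenticated one.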

Slide 26: Planned Work
- Authorization engine as a separate module
  - Plain Java interfaces (facilitate use at the application level)
  - Standardize the Java interfaces in GGF
- Re-factor PDP/PIP collection
- Remote attribute push
  - SAML/X509 attribute assertions pushed in the SOAP header or embedded in the proxy
- Requirements?

Slide 27: Security Descriptor Framework

Slide 28: Security Descriptor Overview
- Used to configure security properties
- Declarative security
  - Configure properties in files
- Different types of descriptors for container, service, resource and client security properties
- GT 4.2 enhancements
  - Defined schema for each descriptor

Slide 29: Community Authorization Service

Slide 30: Community Authorization Service
- Question: how does a large community grant its users access to a large set of resources?
- Community Authorization Service (CAS)
  - Outsources policy administration to a VO sub-domain
  - Enables fine-grained policy
- The resource owner sets coarse-grained policy rules for the foreign domain on the "CAS identity"
- CAS sets policy rules for its local users
- Requestors obtain capabilities from their local CAS that get enforced at the resource
  - Uses the SAML standard

Slide 31: Community Authorization Service
[Figure: Domain A (with Sub-Domain A1) and Domain B (with Sub-Domain B1) form a Virtual Organization Domain under a Policy Authority. The Community Authorization Svc issues capability assertions to the Requestor, who sends "request + CAS assertions" to the Server; the Server treats the CAS identity as "trusted" and performs enforcement on the CAS identity and the requestor's capabilities.]

Slide 32: "Generic" Policy Enforcement

Slide 33: "Generic" CAS Policy Engine
[Figure: three deployment patterns are shown side by side: CAS as Local PDP, CAS Pull Model, CAS Push Model.]

Slide 34: Example: CAS for WS Policy Management

Slide 35: Planned Work
- Attribute service interface
  - Deploy CAS as an attribute service
- External attribute consumption
  - Pass attribute assertions in the query
- XACML-2/SAML-2 AuthZ Query Interface
  - Support the passing of attributes
- Requirements?

Slide 36: PURSe Architecture
- Portal extensions (CGI scripts) that automate user registration requests
  - Solicit basic data from the user
  - Generate a certificate request from the VO CA (implemented with "simple CA" from GT)
  - An admin interface allows the CA admin to accept/reject the request
  - Generate a certificate and store it in the MyProxy service
  - Give the user an ID/password for MyProxy
- Benefits
  - Users never have to deal with certificates
  - The portal can get the user certificate from MyProxy when needed
  - The database is populated with user data
  - Users are assigned to one or several user groups (with different data access permissions)

Slide 37: WS C Security Features (Joe Bester)
- WS-Secure Conversation implementation (client/server)
- Service/operation-level authorization
- C delegation client program
- Delegation service implementation

Slide 38: Pre-WS C Features (Raj Kettimuthu)
- Gridmap callout for CAS
- Upgrade the OpenSSL version used by GSI
- GridFTP over SSH (planned)
  - Add functionality to server/client to allow the control channel connection as an ssh session
  - No proxies, certs or CAs are needed for a secure control channel
  - If you can ssh to the host, you can establish a secure GridFTP session
- Data channel authentication for non-GSI connections (planned)
  - Potentially with pre-shared keys

