Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.

Published byThomasina Carter Modified over 8 years ago

Similar presentations

Presentation on theme: "Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist."— Presentation transcript:

1 Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist

2 06/19/06EGEE Execution Rights Management Workshop 2006 Requirements l Mapping PKI credentials to local accounts u Mapping attributes into account attributes l Creating a mapping creates an implied policy u The PKI credential mapped to an account can access and manage this account l Resource allocation aspect u Account is a resource u Allocate accounts from a pool, manage those pools u Pools may be allocated on a per-attribute basis l Policy management aspect u Account access policies: mapping multiple identities to a local account u Account management policies: who can manage this mapping

3 06/19/06EGEE Execution Rights Management Workshop 2006 DMSDMS Dynamic Account Services Dynamic Account Factory Service useradd (dynamic) Database/Derby (pool) LCMAPS (pool) request an account WSRF-based, secure GT4 management interfaces Back-end implementation Dynamic Account Management Service Account Resource: -Termination time -Account policies manage an account query account mapping DMSDMS PEP Dynamic Accounts Backend Back-end adapters Account creation within a Trusted Computing Base (TCB)

4 06/19/06EGEE Execution Rights Management Workshop 2006 Authorizing Workspace Use l Authorization based on VOMS proxy attributes l Creation (Factory) u Authorization via a DN ACL u Authorization via an attribute ACL l Management and Inspection (Service) u Management functions accessible based on management policies l Authorization callouts are customizable u LCAS /DC=org/DC=doegrids/OU=People/CN=Timothy Freeman 964650 /O=Grid/OU=GlobusTest/OU=simpleCA-prnb3/CN=TimF /EGEE/egee/manager /egtest/mytemp/Role=NULL/Capability=NULL

5 06/19/06EGEE Execution Rights Management Workshop 2006 Using Dynamic Accounts Service: GRAM Example Dynamic Account Factory and Management Services (1) request an account and set policies DMSDMS PEP (4) renegotiate lifetime and policies as needed GRAM PEP (3) check for DN mapping to a specific account (specified by RSL localUserId) l A service needs to be configured to work with the DA Service (configurable in GT4 GRAM) l Prototype extended SAML interface to enable GUMS substitution u Paper: Authorization Attributes, Obligations and Flexible Account Management in the OpenScienceGrid, GRID 2005 (2) request job execution

6 06/19/06EGEE Execution Rights Management Workshop 2006 Managing Accounts: Resource Aspect l Pool Accounts u A site admin creates a finite pool of accounts u Accounts are assigned from a pool and potentially restored to the pool after they have been used l The same account may get assigned to multiple users -- audit issue l The number of available accounts is limited l How do we “clean” accounts? l How and when can accounts be quarantined? l Truly dynamic accounts u Created by UNIX useradd call u Flexibilty: accounts created based on need u No need to recycle, simplifies audit u Could potentially interfere with local account management systems

7 06/19/06EGEE Execution Rights Management Workshop 2006 Dynamic Accounts Backend l Creation: poolindex function u DN+attributes -> pool lease + groups l Termination u Via explicit destroy call or TTL termination u Expires the lease u Callout to clean: kill processes, delete files, revert groups back to default u Default script, configurable by site administrator l Quarantine u Puts the account in a “quarantine pool” u Mandatory quarantine: if the termination script exits with errors or checks fail u Optional quarantine: configurable by site administrator u Quarantine removal can be manual or automatic

8 06/19/06EGEE Execution Rights Management Workshop 2006 Backend Adapters l LCMAPS u Developed at NIKHEF u Based on a gridmapdir patch u Maps credentials to pool accounts based on policy/algorithm by creating a hardlink u Allows for multiple pool leases l Database (Derby) u A site administrator creates account pools and describes them in files (one file per pool), the database is populated from these files u The policies are managed in the database, uses db methods for persistence, transactions, etc. l Truly dynamic accounts in prototype stage

9 06/19/06EGEE Execution Rights Management Workshop 2006 Managing Accounts: Policy Aspect l Account Access Policy: what DNs can map to this account? u “owner” access is implied u Optional: specify a list of DNs at creation u Enforcement depends on infrastructure l Plugins configure gridmapfile, lcmaps structures l Account management policy u “owner” management is implied u Can I determine management policies for this account? u Management policies imply adding or limiting access to the account

10 06/19/06EGEE Execution Rights Management Workshop 2006 Managing Accounts: Identity Mapping l Account creation u Credential attributes are used for authorization u Credential attributes are mapped into attributes associated with the new credential, e.g.: l VOMS attributes -> UNIX groups, l An attribute -> account pool u Implied semantics attached to attributes within a system (TCB-specific policies) PIPPDPapplication VOMS Shib? message context

11 06/19/06EGEE Execution Rights Management Workshop 2006 Future Directions: CAS Interface l CAS overview u WS Policy Management Interface u SAML-based OGSA-Authz authorization query u CAS is enhanced to accommodate dynamic, real- time policy management and enforcement l CAS policy management as an alternative interface to the dynamic accounts service u Leverage CAS’ full featured policy lifecycle management interface u Potentially also leverage CAS’ more expressive policy language to write more sophisticated policies about accounts

12 06/19/06EGEE Execution Rights Management Workshop 2006 Status l Available as part of GT 4.0.2 distribution u Contribution, an incubator project l Leverages GT4 features u GT4 logging for audit, persistence, security, etc. l Integration with Globus services u GT4 GRAM patch available u Can be used with GT2 GRAM via a C client callout l Documentation and download at http://workspace.globus.org/da

13 06/19/06EGEE Execution Rights Management Workshop 2006 Workspaces and Dynamic Accounts l Workspaces u Dynamically created and managed environment based on an authorized request u Associated with a resource allocation u Associated with an environment and its deployment capability u Associated with access and management policies l Examples: u A physical machine configured to meet TeraGrid requirements u A cluster of virtual machines configured to meet OSG requirements l Dynamic Accounts Service is part of the Workspace suite of tools u Also used to go by the name of WorkSpace Service (WSS)

14 06/19/06EGEE Execution Rights Management Workshop 2006 Workspaces (cntd) l Workspace creation: u Provision resources, provide/complete configuration, provide access u Dynamic accounts provide access l Workspace Implementations: u Physical machines u Virtual Machines l Virtual Workspace Service u Allows you to create an independently configured, isolated environment, manage its resource allocation on a fine-grained level u Used in OSG Edge Services u http://workspace.globus.org/vm http://workspace.globus.org/vm

15 06/19/06EGEE Execution Rights Management Workshop 2006 Summary l Some current issues u Mapping into UNIX accounts: separating policy management and querying from resource management concerns u Agreement on interfaces for identity mapping and policy management l E.g., GUMS/Dynamic Accounts effort u Formalizing of attribute mapping between different domains l Right now typically defined by the implementation -- essentially requiring everybody to use the same implementation l More information at http://workspace.globus.org/da

Download ppt "Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist."

Similar presentations

From Sandbox to Playground: Dynamic Virtual Environments in the Grid Kate Keahey Argonne National Laboratory Karl Doering University.

From Sandbox to Playground: Dynamic Virtual Environments in the Grid Kate Keahey Argonne National Laboratory Karl Doering University.
Virtual Workspaces in the Grid Kate Keahey Argonne National Laboratory Ian Foster, Tim Freeman, Xuehai Zhang, Daniel Galron.

Virtual Workspaces in the Grid Kate Keahey Argonne National Laboratory Ian Foster, Tim Freeman, Xuehai Zhang, Daniel Galron.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
TeraGrid Deployment Test of Grid Software JP Navarro TeraGrid Software Integration University of Chicago OGF 21 October 19, 2007.

TeraGrid Deployment Test of Grid Software JP Navarro TeraGrid Software Integration University of Chicago OGF 21 October 19, 2007.
VO Support and directions in OMII-UK Steven Newhouse, Director.

VO Support and directions in OMII-UK Steven Newhouse, Director.
Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Understanding Active Directory

Understanding Active Directory
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.

Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
Manage & Configure SQL Database on the Cloud Haishi Bai Technical Evangelist Microsoft.

Manage & Configure SQL Database on the Cloud Haishi Bai Technical Evangelist Microsoft.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Virtual Infrastructure in the Grid Kate Keahey Argonne National Laboratory.

Virtual Infrastructure in the Grid Kate Keahey Argonne National Laboratory.
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.

Similar presentations

Ads by Google