Argus EMI Authorization Integration
Valery Tschopp (SWITCH) Argus Product Team
31/05/2011 Argus, EMI All Hands Meeting 2011, Lund

Outline
- Argus Authorization Service
- Common XACML Authorization Profile
- EMI Authorization Integration
- Service Deployment
- Argus Releases
- Conclusions
Argus Authorization Service
- Renders consistent authorization decisions based on XACML policies
- Can user X perform action Y on resource Z?
- Ban user by DN, FQAN, issuing CA, …!
Argus Authorization Service (cont.)
Argus PAP: Policy Administration Point
- Provides site administrators with the tools for authoring policies
- Stores and manages authored XACML policies
- Provides managed authorization policies to other authorization service components (other PAPs or PDP)
- pap-admin tool
- Simple Policy Language
Argus Authorization Service (cont.)
Argus PDP: Policy Decision Point
- XACML policies evaluation engine
- Receives authorization decision requests from the PEP Server or other components (UNICORE PDP, …)
- Evaluates the authorization decision requests against the XACML policies retrieved from the PAP
- Renders the authorization decision
Argus Authorization Service (cont.)
Argus PEP: Policy Enforcement Point
- Client/Server architecture
- Lightweight PEP client API libraries (C and Java)
- PEP Server receives the authorization decision requests from the PEP clients
- Applies additional filters to the requests (PIP)
- Asks the PDP to render an authorization decision
- Applies the obligation handler (OH) to determine the user mapping
- Sends authorization decision (with obligations) back to the PEP clients
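The PEP Server steps on this slide (PIP filter, PDP decision, obligation handler, reply to the client), as an added simplified Python model; it is not Argus code and does not use the Argus PEP client API. The policy layout, the `local-user-mapping` obligation id, the account table and all DNs, FQANs and host names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed ban policy over the attributes named on the slides (DN, FQAN, issuing CA).
BANNED = {
    "subject-dn": {"CN=Mallory Example,O=Example Org,C=XX"},
    "fqan": {"/examplevo/Role=banned"},
    "issuer-ca": {"CN=Revoked Example CA,C=XX"},
}
# Constructed permit rules: (resource, action, required FQAN).
PERMITS = [("ce.example.org", "submit-job", "/examplevo")]
# Constructed FQAN -> local account table used by the obligation handler.
ACCOUNT_MAP = {"/examplevo": "examplevo001"}

@dataclass
class Request:
    subject_dn: str
    issuer_ca: str
    fqans: list
    resource: str
    action: str

def pip_collect(req):
    """PIP step: turn the raw request into normalised attribute sets."""
    return {"subject-dn": {req.subject_dn.strip()},
            "issuer-ca": {req.issuer_ca.strip()},
            "fqan": {f.strip() for f in req.fqans}}

def pdp_evaluate(attrs, resource, action):
    """PDP step, deny-overrides: any ban match wins over every permit rule."""
    if any(attrs[name] & banned for name, banned in BANNED.items()):
        return "Deny", []
    for res, act, fqan in PERMITS:
        if (res, act) == (resource, action) and fqan in attrs["fqan"]:
            return "Permit", [("local-user-mapping", fqan)]
    return "NotApplicable", []

def pep_server_authorize(req):
    """PEP Server: PIP -> PDP -> obligation handler -> reply to the PEP client."""
    decision, obligations = pdp_evaluate(pip_collect(req), req.resource, req.action)
    account = next((ACCOUNT_MAP.get(v) for oid, v in obligations
                    if oid == "local-user-mapping"), None)
    if decision == "Permit" and account is None:
        decision = "Deny"  # fail closed: a Permit without a usable mapping is refused
    return {"decision": decision, "account": account}

def pep_client_enforce(reply):
    """PEP client: only an explicit Permit lets the action proceed."""
    return reply["decision"] == "Permit"
```

In this model a ban on any one attribute overrides a matching permit rule, and the client treats `NotApplicable` the same as `Deny`.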
Common XACML Authorization Profile
EMI common authorization profile
- Define a common set of XACML authorization attributes
- Homogenous and consistent authorization decisions across the EMI middleware
- Profile released, but still needs to be implemented for
  - UNICORE PDP integration in XACML
  - ARC SecHandler integration with PEP client API
EMI Authorization Integration
EMI-1 release authorization status
- Computing Element (CE): CREAM CE integrated with Argus
- Worker Node (WN): gLExec with LCMAPS PEP plugin for pilot jobs
- Storage Element (SE):
  - DPM/LFC banning engine
  - dCache authorization plugin (available in EMI-1, not enabled by default)
EMI Authorization Integration (cont.)
Future work (EMI Year 2)
- Implement the common XACML authorization profile
- Argus update to support new profile
- Extend the simple policy language
- Define the new XACML attributes
- UNICORE PDP integration in XACML
- ARC SecHandler integration with PEP client API
- Storage Element (SE)
  - StoRM authorization (banning)
- EMI Execution Service (ES) integration???
Service Deployment
- Argus as a service to manage consistent authorization policy based decisions
Service Deployment (cont.)
- Hierarchical distribution of policies
Pilot Jobs Authorization
- Payload is downloaded on the WN
- gLExec runs it under the end-user identity
Argus Releases
- Argus 1.3 (EMI-1 release)
  - Back-compatible with gLite 3.2
  - Argus PEP client API libraries (C and Java)
  - Support for LFC/DPM banning engine
  - Bug fixes
- Next Argus release (EMI Year 2)
  - Implement the EMI Common XACML Authorization Profile
  - Integration with UNICORE and ARC
Conclusions
- Common XACML Authorization Profile
- EMI authorization integration ongoing
- Consistent authorization decisions across the whole EMI middleware stack (CE, WN, SE, UNICORE, ARC, …)
- Global banning list easy to manage and distribute
Argus Support
- GGUS Tickets (ARGUS Support Unit)
- Support mailing list (e-group):
- General documentation
Thank you
EMI is partially funded by the European Commission under Grant Agreement INFSO-RI