Presentation is loading. Please wait.

Presentation is loading. Please wait.

EMI Common XACML Profile

Published byLesley Boyd Modified over 6 years ago

Similar presentations

Presentation on theme: "EMI Common XACML Profile"— Presentation transcript:

1 EMI Common XACML Profile
Valery Tschopp (SWITCH) EMI XACML task force

2 EMI Security Meeting, Zurich
Common XACML Profile Goal Define a common XACML profile for interoperable authorization between the three EMI middleware stacks. Requirements In sync with the common SAML attribute profile Uses dci-sec.og registered namespace 9/11/2018 EMI Security Meeting, Zurich

3 EMI Security Meeting, Zurich
Common XACML Profile XML Namespaces used 9/11/2018 EMI Security Meeting, Zurich

4 XACML Authorization Request
9/11/2018 EMI Security Meeting, Zurich

5 EMI Security Meeting, Zurich
Attribute DataTypes Group DataType Identifier: Pattern: (/\w[-_.:\w]*)+ Example: “/emi/test:group” Role DataType Identifier: Example: “VO-Admin” Role Datatype really required??? 9/11/2018 EMI Security Meeting, Zurich

6 Environment Attribute
Profile Identifier Identify the profile implemented by the request sender. MUST be present in the request AttributeId: DataType: Value: 9/11/2018 EMI Security Meeting, Zurich

7 EMI Security Meeting, Zurich
Subject Attributes Subject Identifier Identify the submitter of the job to the CE. MUST be present in the request. AttributeId: urn:oasis:names:tc:xacml:1.0:subject:subject-id DataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name Value: X.509 distinguished name of the end-entity certificate. The DN format is RFC2253. 9/11/2018 EMI Security Meeting, Zurich

8 Subject Attributes (cont.)
Subject Identifier (Example) <ctx:Subject> <ctx:Attribute AttributeId=”urn:oasis:names:tc:xacml:1.0:subject:subject-id” DataType=”urn:oasis:names:tc:xacml:1.0:data-type:x500Name”> <ctx:AttributeValue> CN=John Doe,DC=example,DC=org </ctx:AttributeValue> </ctx:Attribute> </ctx:Subject> 9/11/2018 EMI Security Meeting, Zurich

9 Subject Attributes (cont.)
Subject Issuer DNs of all the root CA and all subordinate CA within the certificate chain identifying the job submitter. MUST be present in the request. AttributeId: DataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name Value: X.509 distinguished name of the root and issuing CAs of the certificate chain. The DN format is RFC2253. 9/11/2018 EMI Security Meeting, Zurich

10 Subject Attributes (cont.)
Subject Issuer (Example) <ctx:Subject> <ctx:Attribute AttributeId=” ” DataType=”urn:oasis:names:tc:xacml:1.0:data-type:x500Name”> <ctx:AttributeValue> CN=Example Issuing CA,DC=example,DC=org </ctx:AttributeValue> <ctx:AttributeValue> CN=Example Root CA,O=Example Org,C=CH </ctx:AttributeValue> </ctx:Attribute> </ctx:Subject> 9/11/2018 EMI Security Meeting, Zurich

11 Subject Attributes (cont.)
Virtual Organization (VO) The subject's virtual organization membership. AttributeId: DataType: Value(s): Names of virtual organizations the subject is member of. SAML profile have a special data type!!!! 9/11/2018 EMI Security Meeting, Zurich

12 Subject Attributes (cont.)
Virtual Organization (Example) <ctx:Subject> <ctx:Attribute AttributeId=” DataType=” <ctx:AttributeValue> atlas </ctx:AttributeValue> <ctx:AttributeValue> vo.example.org </ctx:AttributeValue> </ctx:Attribute> </ctx:Subject> 9/11/2018 EMI Security Meeting, Zurich

13 Subject Attributes (cont.)
Group The subject group membership. AttributeId: DataType: Value(s): Names of the group the subject is member of. 9/11/2018 EMI Security Meeting, Zurich

14 Subject Attributes (cont.)
Group (Example) <ctx:Subject> <ctx:Attribute AttributeId=” DataType=” <ctx:AttributeValue> /atlas/analysis </ctx:AttributeValue> <ctx:AttributeValue> /mygroup/test </ctx:AttributeValue> </ctx:Attribute> </ctx:Subject> 9/11/2018 EMI Security Meeting, Zurich

15 Subject Attributes (cont.)
Primary Group The subject primary group membership. AttributeId: DataType: Value: Name of the primary group the subject is member of. The primary value MUST be present in the Group attribute value(s). 9/11/2018 EMI Security Meeting, Zurich

16 Subject Attributes (cont.)
Primary Group (Example) <ctx:Subject> <ctx:Attribute AttributeId=” DataType=” <ctx:AttributeValue> /atlas/analysis </ctx:AttributeValue> </ctx:Attribute> </ctx:Subject> 9/11/2018 EMI Security Meeting, Zurich

17 Subject Attributes (cont.)
Role Represents the roles assigned to the subject. The subject role MUST be scoped to a particular group or VO name. AttributeId: DataType: Issuer: Define the Group or VO scope name. MUST be present in the respective attribute (Group or VO) Value(s): Names of the role assigned to the subject. SAML only scope to a Group name!!!! Not VO!!! do we need a special data type for the role (like SAML) or ...#string is enough? 9/11/2018 EMI Security Meeting, Zurich

18 Subject Attributes (cont.)
Role (Example) <ctx:Subject> <!-- role scoped to the group --> <ctx:Attribute AttributeId=” DataType=“ Issuer="/atlas/analysis”> <ctx:AttributeValue> SoftwareManager </ctx:AttributeValue> </ctx:Attribute> </ctx:Subject> 9/11/2018 EMI Security Meeting, Zurich

19 Subject Attributes (cont.)
Primary Role Represents the primary role assigned to the subject. The primary role MUST be scoped. AttributeId: DataType: Issuer: Define the Group or VO scope name. MUST be present in the respective attribute (Group or VO) Value: Name of the primary role of the subject. SAML only scope to a Group name!!!! Not VO!!! do we need a special data type for the role (like SAML) or ...#string is enough? 9/11/2018 EMI Security Meeting, Zurich

20 Subject Attributes (cont.)
Primary Role (Example) <ctx:Subject> <ctx:Attribute AttributeId=” DataType=“ Issuer="/atlas/analysis”> <ctx:AttributeValue> SoftwareManager </ctx:AttributeValue> </ctx:Attribute> </ctx:Subject> 9/11/2018 EMI Security Meeting, Zurich

21 Subject Attributes (cont.)
Resource Owner Identify the owner of the resources. AttributeId: DataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name Value: X.509 distinguished name of the resource owner. The DN format is RFC2253. SAML only scope to a Group name!!!! Not VO!!! do we need a special data type for the role (like SAML) or ...#string is enough? 9/11/2018 EMI Security Meeting, Zurich

22 Subject Attributes (cont.)
Resource Owner (Example) <ctx:Subject> <ctx:Attribute AttributeId=” DataType=”urn:oasis:names:tc:xacml:1.0:data-type:x500Name”> <ctx:AttributeValue> CN=Batman,DC=Metropolis,DC=com </ctx:AttributeValue> </ctx:Attribute> </ctx:Subject> 9/11/2018 EMI Security Meeting, Zurich

23 EMI Security Meeting, Zurich
Resource Attributes Resource Identifier Identifies the CE, or a logical grouping of CEs, upon which the action to be authorized will be executed. MUST be present in the request. AttributeId: urn:oasis:names:tc:xacml:1.0:resource:resource-id DataType: Value: Identifier of the resource Is the DataType ...#string correct to identity a resource, why not ...#anyURI ? Should we formalize the resource identifier values ? 9/11/2018 EMI Security Meeting, Zurich

24 Resource Attributes (cont.)
Resource Identifier (Example) <ctx:Resource> <ctx:Attribute AttributeId=”urn:oasis:names:tc:xacml:1.0:resource:resource-id” DataType=” <ctx:AttributeValue> </ctx:AttributeValue> </ctx:Attribute> </ctx:Resource> Is the DataType ...#string correct to identity a resource, why not ...#anyURI ? Better to use string… 9/11/2018 EMI Security Meeting, Zurich

25 EMI Security Meeting, Zurich
Action Attributes Action Identifier Identifies the action being performed on the CE. MUST be present in the request. AttributeId: urn:oasis:names:tc:xacml:1.0:action:action-id DataType: Value: Action to be authorized on the resource. define the list of action value, based on the EMI Execution Service (EES) requirement. 9/11/2018 EMI Security Meeting, Zurich

26 Action Attributes (cont.)
Action Identifier Values We should define a list of Action values. This list is not an absolute constraint, but should be used if applicable. CREAM CE action values (as example): define the list of action value, based on the EMI Execution Service (EES) requirement. 9/11/2018 EMI Security Meeting, Zurich

27 Action Attributes (cont.)
Action Identifier Values (cont.) A-REX actions (as example): AttributeId: AttributeValue: Create AttributeId: AttributeValue: Modify AttributeId: AttributeValue: Read AttributeId: AttributeValue: Admin AttributeId: AttributeValue: Info EMI Execution Service actions: Unknown, require examples or requirements define the list of action value, based on the EMI Execution Service (EES) requirement. 9/11/2018 EMI Security Meeting, Zurich

28 EMI Security Meeting, Zurich
Thank you EMI is partially funded by the European Commission under Grant Agreement INFSO-RI 9/11/2018 EMI Security Meeting, Zurich

Download ppt "EMI Common XACML Profile"

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
PASSPrivacy, Security and Access Services Don Jorgenson Introduction to Security and Privacy Educational Session HL7 WG Meeting- Sept. 2012.

PASSPrivacy, Security and Access Services Don Jorgenson Introduction to Security and Privacy Educational Session HL7 WG Meeting- Sept
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.

Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
VOMS & SAML Valerio Venturi MWSG 12 12-13/6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.

VOMS & SAML Valerio Venturi MWSG /6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.
Asap://www.XACML. jury-rigged. ClientPEP PDP PolicySet Rule 1 Rule 2 etc Rule 1 Rule 2 etc Rule 1 Rule 2 etc Policy 1 Policy 2 Policy 3.

Asap:// jury-rigged. ClientPEP PDP PolicySet Rule 1 Rule 2 etc Rule 1 Rule 2 etc Rule 1 Rule 2 etc Policy 1 Policy 2 Policy 3.
1 Secure Information Sharing Manager (SIS-M) Thesis 2007 Stephen D. Wise

1 Secure Information Sharing Manager (SIS-M) Thesis 2007 Stephen D. Wise
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.

2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Protect your data with Security John Ykema, Director of Sales & Marketing.

Protect your data with Security John Ykema, Director of Sales & Marketing.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
RFC 3039 bis Qualified Certificates Profile Changes from RFC 3039.

RFC 3039 bis Qualified Certificates Profile Changes from RFC 3039.
EMI INFSO-RI-261611 European Middleware Initiative (EMI) Standardization and Interoperability Florida Estrella (CERN) Deputy Project Director.

EMI INFSO-RI European Middleware Initiative (EMI) Standardization and Interoperability Florida Estrella (CERN) Deputy Project Director.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

Similar presentations

Ads by Google