Slide 1: XPOLA—An Extensible Capability-based Authorization Infrastructure for Grids
Liang Fang, Dennis Gannon (Indiana University); Frank Siebenlist (Argonne National Laboratory)
Slide 2: Outline
- The Grid security
- The problems to be solved
- XPOLA
  - Macroscopic view
  - Microscopic view
  - User's view
- Challenges and future work
- Conclusion
1/11/2019 PKI R&D 05
Slide 3: The Grid
- A type of distributed system that enables resource sharing across administrative domains. "A Skynet with better security."
- Timeline on the slide: 1997, the pre-Web services era; 2002, the Web services era (SOAP-based); 2004, OGSA, where Grid service = Web service + OGSA.
Slide 4: Grid Security Infrastructure (GSI)
GSI adopts public key cryptography as the basis for three main functionalities of the Grid:
- Secure communication: SSL, WS-Security
- Mutual authentication: PKI
- Delegation: proxy certificates
Authorization (and authentication): a gatekeeper daemon maps a Grid identity to a local account at run time according to a grid-map file. The Grid identity is then allowed to do everything that account is allowed to do.
Slide 5: A Grid User's Odyssey
Alice wants to access a Grid service. Unfortunately, she first has to:
- apply for an account
- apply for a certificate
- register in the grid-map file
(time estimates on the slide: ~3 days, ~1 wk, ~0.5 day)
- (learn how to) manage her X.509 certificate
- (learn how to) configure her service environment
- (learn how to) get her Grid proxy certificate ready
(time estimates on the slide: ~1 day, ~0.5 hr, ~0.5 day)
Finally, time to use the Grid service.
Slide 6: The Authorization Problems in Real Grid Applications
- Not scalable in administration and maintenance: host accounts, X.509 certificates.
- Coarse-grained authorization: an authorized user can do much more than access a service.
For example, in the Linked Environments for Atmospheric Discovery (LEAD) project: how to provide authorization to meteorological Grid services running on TeraGrid for THOUSANDS of scientists and grade school students?
- Only a few privileged UNIX accounts are available.
- Grid services may be dynamically generated (by workflow engines as well as by individual scientists).
- Of course, no security breach is acceptable.
TeraGrid is the world's largest, most comprehensive distributed infrastructure, in terms of both software and hardware, for open scientific research.
Slide 7: Existing Grid Security Solutions to Fine-grained Authorization
- ACL model: Akenti, Shibboleth, PERMIS
- Capability model: CAS, VOMS, PRIMA
[Figures: the access control matrix (rows Alice, Bob, Carol; columns R1, R2, R3); the ACL model and the capability model, each drawn as a client, a resource and an authority with two numbered steps.]
ACL vs. capability: the capability model puts less load on the resource; the ACL model is coarse grained.
How existing solutions carry authorization data:
- GSI: mutual authentication, secure communication and single sign-on (SSO) delegation. GSI2: transport level; GSI3: message level.
- As a payload: extended proxy certificate (CAS), attribute certificate (VOMS), SOAP (Cardea).
Why we need XPOLA:
- The above were not addressing general Web/Grid services in compliance with the Web services security specs.
- Relying on central administrators, most of them do not address dynamic services well.
- Most of them address the problem of accessing static resources. When it comes to harder cases such as a dynamic Grid service, they have difficult answers.
- They are not friendly to Alice.
Slide 8: XPOLA: The Characteristics
- Principle of Least Authority/Privilege (POLA)-compliant: strictly fine-grained authorization.
- Scalable in administration and maintenance: it is never assumed that the service user has an account on the machines. The infrastructure is built on a peer-to-peer chain-of-trust model; no central administrator is involved.
- WS-Security compliant: conforms to WS-Security for both persistent and transient Web/Grid services.
- Extensible: PKI- and SAML-based, but allows other alternatives.
- Dynamic and reusable: Grid resources (Web services and Grid services) are made available to users through manually or automatically generated capabilities, which can be used for multiple requests within their valid lifetimes.
Slide 9: XPOLA: The Big Picture
[Architecture figure. Components: Service Provider; Capability Manager (Capman) with Persistent Storage and a Registry (EPR of service A, ...); Community Informative Authority; Host, running a Token Agent in the Processing Stack in front of service SVC A; Service Requester holding a capability token. Labelled flows: create, update and destroy (capabilities, at the Capability Manager); Capability Request; Request Processing.]
Community Informative Authority: like a policy-level CA, but managed by the service provider himself.
Slide 10: XPOLA: Capabilities
A capability includes:
- Policy document:
  - bindings of the provider's distinguished name (DN) as well as the users' DNs
  - identifier of the Grid resource
  - optional: operations of a Web service instance
  - lifetime (notbefore, notafter)
- The provider's signature, generated with his private key.
Security Assertion Markup Language (SAML): each capability is a set of SAML assertions (AuthorizationDecisionStatement). However, the policy document and the protection mechanism are extensible: XACML, symmetric keys, ...
Slide 11: XPOLA: Web Services Security
A series of emerging XML-based security standards from W3C and OASIS for SOAP-based Web services, providing authentication, integrity, confidentiality and so on. XSOAP conforms to Web services security.
SOAP binding of a capability:
- SOAP Message
  - Header
    - Capability Token: Policies (SAML Assertions); Provider's Signature
    - WS-Security Section (User's Signature, ...)
  - Body
Slide 12: XPOLA: Enforcement
[Processing chain figure. An arriving SOAP message passes through the Authentication Processing Node (SOAP signature verification: valid? N leads to Fault Generation), then the Authorization node (Token Verification: token signature valid? owner/user match? policy decision? expired? N at any step leads to Fault Generation), then Other Processing Nodes, before being dispatched to the Application Service. The complementary stages, Token Insertion and SOAP Sig Generation, are also shown.]
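As an added example (not code from the XPOLA project or its authors), a Go sketch of the capability described on slide 10 and the authorization checks of the enforcement chain on slide 12: the provider signs a policy document (provider DN, user DNs, resource identifier, optional operations, lifetime) and the token agent checks the token signature, owner/user match, policy decision and expiry in that order. Ed25519 over a JSON encoding stands in for the SAML assertions and XML signatures XPOLA uses; the field names and sample DNs are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Capability is the token's policy document: provider DN, user DNs, resource id,
// optional operations, lifetime. Sets are maps: direct lookup, canonical JSON.
type Capability struct {
	ProviderDN string          `json:"provider_dn"`
	UserDNs    map[string]bool `json:"user_dns"`
	Resource   string          `json:"resource"`
	Operations map[string]bool `json:"operations,omitempty"`
	NotBefore  int64           `json:"not_before"` // Unix seconds
	NotAfter   int64           `json:"not_after"`
}

// Issue is the provider side: encode the policy and sign it with the
// provider's private key (Ed25519 here; XPOLA signs SAML assertions).
func Issue(c Capability, priv ed25519.PrivateKey) (policy, sig []byte, err error) {
	if policy, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	return policy, ed25519.Sign(priv, policy), nil
}

// Verify is the authorization node: checks run in the slide's order (token
// signature, owner/user match, policy decision, expiry); first failure wins.
func Verify(policy, sig []byte, pub ed25519.PublicKey, userDN, resource, op string, now time.Time) error {
	if !ed25519.Verify(pub, policy, sig) {
		return errors.New("token signature invalid")
	}
	var c Capability
	if err := json.Unmarshal(policy, &c); err != nil {
		return err
	}
	if !c.UserDNs[userDN] {
		return errors.New("owner/user mismatch")
	}
	if c.Resource != resource || (len(c.Operations) > 0 && !c.Operations[op]) {
		return errors.New("policy decision: denied")
	}
	if n := now.Unix(); n < c.NotBefore || n > c.NotAfter {
		return errors.New("token expired or not yet valid")
	}
	return nil
}
```

A token with no operations listed authorizes every operation on the resource, matching the slide's "optional" operations field; a reissued token with a fresh lifetime is how the provider extends access, since the verifier never consults a central authority.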
Slide 13: XPOLA: User's View in Grid Portals
[Figure: inside the Grid Portal's User Context, the Provider and the User interact with a Capability Manager Portlet, a Proxy Manager Portlet and a Weather Service Portlet; capability tokens and proxy certificates flow between the portlets and the Weather Service.]
XPOLA makes it possible to hide all the PKI and authorization details from the users.
Slide 14: Challenges and Future Work
- Revocation
- Performance and scalability: message-level session-based communication; load balancing
- Denial of Service (DoS) mitigation
Slide 15: Conclusion
XPOLA provides a fine-grained authorization infrastructure for general Web and Grid services. More than that, it:
- scales
- is extensible
- is WS-Security compliant
- is adaptable to dynamic services
- is reusable
- is user (as well as provider) friendly