Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Unified Approach to Trust, Delegation, and Authorization Blair Dillaway, Greg Fee Microsoft Corporation Presented at GGF18 Copyright © 2006, Microsoft.

Published byMaribel Jowers Modified over 9 years ago

Similar presentations

Presentation on theme: "A Unified Approach to Trust, Delegation, and Authorization Blair Dillaway, Greg Fee Microsoft Corporation Presented at GGF18 Copyright © 2006, Microsoft."— Presentation transcript:

1 A Unified Approach to Trust, Delegation, and Authorization Blair Dillaway, Greg Fee Microsoft Corporation Presented at GGF18 Copyright © 2006, Microsoft Corporation.

2 2 Today’s Talk Presents research results on a new approach for addressing Grid access control requirements Comprehensive solution with uniform semantics Flexibility to support different operational models Fine-grained trusts and constrained delegation Results based on a new security policy language design and prototype implementation

3 3 Security Policy Assertion Language (SecPAL) Declarative, logic-based, security language Easily read as English sentences with a restricted grammar Supports distributed policy authoring and composition Simple syntactic checks ensure evaluation safety Complete solution for access control requirements trust, authorization, and delegation policies, auditing, PKI for identity management XML implementation; uses standard parsers, XML DSig, XMLEnc Some features not covered in this talk (revocation, audit,…)

4 4 Partial SecPAL Grammar assertion ::= Principal says fact [ if existsFact1 and... and existsFactN and c] fact ::= principal can actionVerb resource [qualifiers] | principal possess attribute [qualifiers] | principal can say fact principal ::= typically a cryptographic identifier (K-Bob) resource ::= URL, hierarchical namespaces supported actionVerb :: = read | write | list | call | send …. attribute ::= type=value ; (rfc822Name, groupName, serviceName, …) qualifiers ::= timespan (i.e., [T1, T2]) existsFact ::= principal actionVerb resource [qualifiers] | principal possess attribute [qualifiers] c ::= t2-t1 ≤ A | t1 ≤ Current-Time() ≤ t2 | !c | c1 ^ c2 Authorization Queries principal says existsFact | query1 ^ query2 | query1 v query2 | !query | c Assertions can use concrete values or variables, optionally restricted by a pattern.

5 5 Exemplary Grid Environment

6 6 Prototype Implementation Supports a multi-domain Windows® environment Major security components SecPAL libraries and web service protocol integration SecPAL STS Authentication, Authorization, and Audit Gateways Integrates with Windows Compute Cluster Server 2003 Windows Communication Foundation (aka ‘Indigo’).NET Framework Windows identity management (Active Directory®, Kerberos, X.509) XML and Web Service protocol standards

7 7 The Problem How do we implement a complete access control solution that allows Bob to delegate only required access rights to his job running on a C-HPC cluster? Requires: Managing trust relationships Authentication supporting multiple principal types Authorization for job scheduling and FR data access Constrained delegation mechanism Subsequent slides describe one approach investigated

8 8 Cross-Domain Trusts Define the ResGrid VO, C-HPC, Birch relationships As with other PKIs, domain STS keys discovered using an out-of-band mechanism SecPAL explicit trust policies, for example K-CHPC says K-ResGrid can say x possess rfc822Name=^[-_.a-zA-Z0-9@]+$, groupName==^ResGrid/\w+$, roleName==^ResGrid/\w+/\w+$ [t1,t2] if t1 ≤ Current-Time() ≤ t2 K-CHPC says K-Birch can say x possess serviceName=^https?://\w+\.birch\.edu/\w+$ [t1,t2] if t1 ≤ Current-Time() ≤ t2

9 9 Principal Security Tokens Token acquisition can use mechanisms similar to those for other public-key based systems. An example, bootstrapping from organizational X.509 user certificates using WS-Trust SecPAL profile

10 10 Principal Security Tokens (2 of 2) Bob’s attributes from X.509 certificate and the directory K-Contoso says K-Bob possess rfc822Name=bob@contoso.edu, commonName=Bob Jones, organizationName=Contoso K-Dir says K-Bob possess groupName=ResGrid/ProjectX, roleName=ResGrid/ProjectX/Researcher SecPAL policy can control attribute inclusion K-ResGrid says K-Contoso can say x possess rfc822Name=^.+@contoso.edu$ K-ResGrid says K-Dir can say x possess groupName=.+, roleName=.+ Query for all attribute types; valid bindings for x, e, g, and r only K-ResGrid says x possess rfc822Name=e v … groupName=g v … roleName=r v … commonName=c v … organizationName=o Issued token K-ResGrid says K-Bob possess rfc822Name=bob@contoso.edu, groupName=ResGrid/ProjectX, roleName=ResGrid/ProjectX/Researcher [9/12/2006, 10/11/2006]

11 11 Master Scheduler Access Control Access control policy K-Sched says K-CHPC can say x can say y possess groupName=.+, roleName=.+ K-Sched says x read, write, list, delete //queue/ProjectX if x possess groupName=ResGrid/ProjectX Bob creates new ProjectX job using his token K-ResGrid says K-Bob possess groupName=ResGrid/ProjectX … Combined with C-HPC trust policy lets one conclude: K-Sched says K-Bob read, write, list, delete //queue/ProjectX Bob can also authentic the scheduler based on its token

12 12 Cluster Access Control Clusters accept jobs from Master Scheduler, rely on the user’s attributes for isolating job information ClusterA’s policy: K-ClusterA says K-CHPC can say x can say y possess groupName=.+, roleName=.+ K-ClusterA says K-CHPC can say x possess serviceName= ^http://\w+\.c-hpc\.com/job-manager$ K-ClusterA says y read, write, list, delete //queue/ProjectX if x possess groupName=ResGrid/ProjectX and y possess serviceName= ^http://\w+\.c-hpc\.com/job-manager$ Master scheduler sends a job request to ClusterA, authenticates using its token and includes the job’s user token. Can deduce K-ClusterA says K-Sched read, write, list, delete //queue/ProjectX

13 13 File Repository Policy FR stores data by project, per-user isolation inside a project FR policy for the ProjectX directory : 1. 1. K-FR says K-Birch can say x can say y possess rfc822Name=.+, groupName=.+, roleName=.+ 2. 2. K-FR says K-Birch can say x can say y possess appName=.+, dnsName=.+ 3. 3. K-FR says x read, write, list //fs/ProjectX if x possess groupName=ResGrid/ProjectX 4. 4. K-FR says x can say y v r [t1,t2] if x v r and y possess appName=.+, dnsName=.+ and t2-t1<5Days ^ t1<Current-Time()<t2 Bob creates directory ‘//fs/ProjectX/Bob’, authenticating with his token, FR autogenerates the appropriate policy: K-FR says x read, write, list, delete //fs/ProjectX/Bob if x possess rfc822Name=bob@contoso.edu, groupName=ResGrid/ProjectX Combined with 1, 2, and 4 above

14 14 Bob’s Delegation Bob’s job needs rights to //fs/ProjectX/Bob. Bob doesn’t know the job identity so authorizes the Master Scheduler to delegate K-Bob says K-Sched can say x read,write,list //fs/ProjectX/Bob [t1,t2] if t2-t1<5Days When ClusterA starts Bob’s job, it collects required tokens K-CHPC says K-Job possess dnsName=clustera.c-hpc.com, appName= ‘Blast, Version=1.0’ [9/12/2006, 9/16/2006] K-Sched says K-Job read, write, list file://fs/ProjectX/Bob [9/12/2006, 9/16/2007] The job can access Bob’s data using job and delegation tokens, FR evaluates ‘K-FR says K-Job read,write,list //fs/ProjectX/Bob’. Using assertions from K-Bob and K-Sched we conclude K-Bob says K-Job read, write, list file://fs/ProjectX/Bob [ 9/12/2006, 9/16/2007] Using Bob’s identity token FR can conclude K-FR says K-Bob can say K-Job read, write, list, delete file://fs/ProjectX/Bob [t1,t2] if t2-t1<5Days ^ t1<Current-Time()<t2

15 Demo

16 16 Continuing Research Automated delegation generation Revocation infrastructure Other forms of delegation Job management rights Constrained trust management Mobile code policies For more information see http://research.microsoft.com/projects/SecPAL/ For more information see http://research.microsoft.com/projects/SecPAL/

Download ppt "A Unified Approach to Trust, Delegation, and Authorization Blair Dillaway, Greg Fee Microsoft Corporation Presented at GGF18 Copyright © 2006, Microsoft."

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
0 McLean, VA August 8, 2006 SOA, Semantics and Security.

0 McLean, VA August 8, 2006 SOA, Semantics and Security.
OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Active Directory Federation Services How does it really work?

Active Directory Federation Services How does it really work?
 Jan Alexander Program Manager Microsoft Corporation BB43.

 Jan Alexander Program Manager Microsoft Corporation BB43.
 Rich Randall Development Lead Microsoft Corporation BB44.

 Rich Randall Development Lead Microsoft Corporation BB44.
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.

How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.

Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.
Core Web Service Security Patterns

Core Web Service Security Patterns
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

Similar presentations

Ads by Google