KAoS Semantic Policy and Domain Services: An Application of DAML/OWL to a Web-Services Based Grid Architecture
Outline
- Introduction
- KAoS Overview
- Integration of OGSA and KAoS
- Related Work
- Future Work
Introduction
- IHMC has developed KAoS Services to manage multi-agent systems.
- KAoS domain services provide an organizational structure to an agent community, which facilitates policy management of agent actions.
- The general nature of KAoS Services has enabled application in domains outside of agent systems.
Introduction (cont'd)
- Grid researchers envision the formation of Virtual Organizations (VOs) [3], where people and resources gather to address complex problems that require extensive collaboration.
- Most VOs are managed in a manner similar to network administration, which is inadequate to handle complex permissions and trust relationships.
Community work indicates need
- The problem of service management and access control is shared by agent-based systems, Web services, and Grid computing.
- Solutions are beginning to appear in three communities:
  - Grid computing: Community Authorization Service (CAS) [5]
  - Web services: XACML [9]
  - Multi-agent systems: KAoS, Rei, Ponder, etc. [12]
Merging trends indicate opportunity
- Grid computing and Web services:
  - They face similar challenges such as service advertisement, matchmaking, etc.
  - The Globus Project presents the Open Grid Service Architecture (OGSA) [6], which is based on Web service specifications.
- Agent-based systems, Web services and Grid computing:
  - Work on Semantic Web Services and the Semantic Grid makes them much more suited as platforms for multi-agent systems [7,8].
Our approach
- Apply KAoS Domain and Policy Services to manage the Web-services-based, OGSA-compliant Globus Toolkit 3 (GT3) Grid environment.
KAoS overview
- KAoS is a collection of componentized domain and policy services oriented to complex agent environments.
- Based on the pluggable infrastructure of Java Agent Services (JAS) [1], KAoS is compatible with a number of agent and non-agent platforms, including:
  - the DARPA CoABS Grid,
  - Brahms, etc.,
  - and now GT3.
KAoS domain services
- KAoS domain services structure groups of agents/resources/services into domains and subdomains.
- Domains can represent any sort of group imaginable:
  - Complex organizational structures.
  - Dynamic task-oriented teams.
  - Grid Virtual Organizations for resource sharing.
KAoS policy services
- KAoS policy services allow for specification, management, conflict resolution and disclosure of policies within domains.
Policy representation
- KAoS policies are represented in DAML/OWL and are based on the KAoS Policy Ontologies (KPO).
- The current version of KPO:
  - defines concepts including actions, actors, places, groups, policies, etc.;
  - distinguishes between authorizations and obligations; and
  - can be extended with additional classes and rules for a given application.
Policy specification
- The KAoS Policy Administration Toolkit (KPAT) makes policy creation and management easier.
Policy distribution and enforcement
- Each agent is associated with a Guard. All policies that pertain to an agent are distributed to its Guard.
- A platform-specific Enforcer intercepts the agent's actions and queries the Guard to decide whether the actions are authorized. If not, the actions are blocked by platform-specific enforcement mechanisms.
Overview of the integration
- KAoS and GT3 are perfect complements because:
  1. KAoS provides the policy and domain services needed by GT3.
  2. GT3 GSI provides the platform-specific enforcement mechanisms required by KAoS.
- The KAoS Grid service provides an interface between GT3 and KAoS.
KAoS Grid Service Architecture
(Architecture diagram; components shown: Container, Client, Grid Service Stub, KAoS Grid Service, KAoS Guard, and the KAoS Domain and Policy Services, with JAS as the connecting infrastructure.)
Registration
- A client must register with the KAoS Grid service in order to use the domain and policy services.
  - Clients that are not in a domain will only have limited default authorizations.
  - Clients send their own X.509 proxy certificates to the KAoS Grid Service for authentication.
Grid policy expression
- Sample policy format: It is permitted for actor(s) X to perform action(s) Y on target(s) Z.
- Coarse-grain policies:
  - are based on the existing KPO, and
  - permit or forbid overall access to a Grid service.
  - An example: It is forbidden for Client X to perform a communication action if the action has a destination of Chat Service Y.
- Fine-grain policies:
  - require extending KPO with new concepts, and
  - permit or forbid access to an operation of a Grid service.
Ontology creation
- Since Grid services require an extension to KPO, we are working on a tool to generate a DAML/OWL ontology for a given WSDL document.
- The generated ontologies can be modified to refer to a generic ontology.
- Grid administrators load the ontology extension and specify the policies using KPAT.
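A sketch of the WSDL-to-ontology step described above, added here as an example and not the IHMC tool: the service and each of its operations become OWL classes under two generic concepts, GridService and GridServiceOperation (constructed names in a placeholder generic-ontology URI), so that fine-grain policies can name individual operations. The sample WSDL is constructed for the example.

```python
# Added example, not the IHMC tool: generate a DAML/OWL ontology extension
# from a WSDL document. The service and each of its operations become classes
# under the generic concepts GridService and GridServiceOperation (constructed
# names in a placeholder ontology URI) so fine-grain policies can name them.
import xml.etree.ElementTree as ET

WSDL, OWL = "http://schemas.xmlsoap.org/wsdl/", "http://www.w3.org/2002/07/owl#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RDFS = "http://www.w3.org/2000/01/rdf-schema#"
GENERIC = "http://example.org/kpo-grid#"        # placeholder generic ontology URI
for prefix, uri in (("owl", OWL), ("rdf", RDF), ("rdfs", RDFS)):
    ET.register_namespace(prefix, uri)

SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  targetNamespace="http://example.org/chat">
  <portType name="ChatPortType">
    <operation name="sendMessage"/>
    <operation name="readHistory"/>
  </portType>
  <service name="ChatService"/>
</definitions>"""                               # constructed sample WSDL

def wsdl_summary(wsdl_text):
    """Return (target namespace, service name, [operation names])."""
    root = ET.fromstring(wsdl_text)
    ns = {"w": WSDL}
    service = root.find("w:service", ns).get("name")
    ops = [o.get("name") for o in root.findall("w:portType/w:operation", ns)]
    return root.get("targetNamespace"), service, ops

def wsdl_to_owl(wsdl_text):
    """Emit RDF/XML OWL: one class for the service, one per operation."""
    tns, service, ops = wsdl_summary(wsdl_text)
    rdf = ET.Element(f"{{{RDF}}}RDF")
    def add_class(local, parent):
        cls = ET.SubElement(rdf, f"{{{OWL}}}Class", {f"{{{RDF}}}about": f"{tns}#{local}"})
        ET.SubElement(cls, f"{{{RDFS}}}subClassOf", {f"{{{RDF}}}resource": GENERIC + parent})
    add_class(service, "GridService")
    for op in ops:                               # operation classes enable fine-grain policies
        add_class(f"{service}.{op}", "GridServiceOperation")
    return ET.tostring(rdf, encoding="unicode")

def owl_classes(owl_text):
    """Parse the emitted ontology back into {class URI: parent class URI}."""
    root = ET.fromstring(owl_text)
    return {c.get(f"{{{RDF}}}about"): c.find(f"{{{RDFS}}}subClassOf").get(f"{{{RDF}}}resource")
            for c in root.findall(f"{{{OWL}}}Class")}
```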
Policy deconfliction
- KAoS can identify conflicts between policies using a theorem prover and can harmonize them if desired.
Policy enforcement
- Policies are forwarded to the Guard associated with the KAoS Grid service.
- When a client requests a service, the KAoS Grid service checks whether the requested action is authorized by querying the Guard.
- If the action is authorized, the KAoS Grid service returns a restricted proxy certificate that can be used to access the service.
- The local security mechanism uses the restricted proxy certificate to allow or block the actions.
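The policy form from "Grid policy expression", the conflict check from "Policy deconfliction" and the Guard query from "Policy enforcement" above, in one added toy model that is not KAoS or GT3 code: policies are permit/forbid triples over classes in a small constructed stand-in for the KPO ontology, a Guard answers "is this action authorized?", and a deconfliction pass flags permit/forbid pairs that could both apply to one request. The priority field and the most-specific-policy-wins rule are assumptions for the example, not KAoS's actual resolution strategy.

```python
# Added example, not KAoS or GT3 code: a toy model of the KAoS policy form
# "It is permitted/forbidden for actor X to perform action Y on target Z"
# with a Guard that answers authorization queries and flags conflicting
# policies. Class names are constructed stand-ins for KPO ontology concepts.
from collections import namedtuple

SUBCLASS_OF = {"CommunicationAction": "Action", "ChatServiceY": "GridService",
               "ClientX": "Client"}          # constructed hierarchy: child -> parent
Policy = namedtuple("Policy", "modality actor action target priority")

def is_a(cls, ancestor):
    """True if cls is ancestor or a (transitive) subclass of it."""
    while cls is not None:
        if cls == ancestor:
            return True
        cls = SUBCLASS_OF.get(cls)
    return False

def applies(policy, actor, action, target):
    """A policy applies when every element of the request falls under its class."""
    return (is_a(actor, policy.actor) and is_a(action, policy.action)
            and is_a(target, policy.target))

class Guard:
    """Holds the policies distributed to it and answers the Enforcer's queries."""
    def __init__(self, policies, default_authorized=False):
        self.policies = list(policies)
        self.default_authorized = default_authorized  # unregistered clients get little

    def authorized(self, actor, action, target):
        matching = [p for p in self.policies if applies(p, actor, action, target)]
        if not matching:
            return self.default_authorized
        return max(matching, key=lambda p: p.priority).modality == "permitted"

    def conflicts(self):
        """Permit/forbid pairs of equal priority whose actor, action and target
        classes overlap, so one request could match both (assumed priority rule)."""
        found = []
        for i, p in enumerate(self.policies):
            for q in self.policies[i + 1:]:
                overlap = all(is_a(x, y) or is_a(y, x) for x, y in zip(p[1:4], q[1:4]))
                if p.modality != q.modality and p.priority == q.priority and overlap:
                    found.append((p, q))
        return found

# Constructed policies: a coarse-grain permit plus the slide's fine-grain forbid.
GUARD = Guard([Policy("permitted", "Client", "Action", "GridService", 0),
               Policy("forbidden", "ClientX", "CommunicationAction", "ChatServiceY", 1)])
```

With equal priorities the two constructed policies would be reported by conflicts(); giving the forbid a higher priority is the harmonization step in this toy model.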
Policy enforcement (diagram)
(Message-flow diagram; arrows represent SOAP messages. Components: Client, Stub, KAoS Grid Service, Grid Service, Local Security Mechanism and WS Security Request Handler; KAoS issues a Credential if the request is authorized, and the local security mechanism checks whether the messages match.)
Impact on GT3
- GT3 components that need to be modified:
  - The Grid service skeleton that all Grid services are based on.
  - The WS Security Request Handler, which intercepts all incoming messages of a service container.
  - Client stubs.
- Things that do not need to be modified:
  - Service source code.
  - Client source code.
Related work
- Web service approaches: WS-Security, XACML and SAML
- Globus approach: Community Authorization Service
Web service approaches
- WS-Security is complementary to this work, providing for the basic needs of message integrity, confidentiality, and single-message authentication [10].
- XACML provides schema and namespaces for access control policies [9].
  - The disadvantage of XACML is that the meanings are implicit.
  - Implicit semantics assume a consensus in human interpretation. Ambiguity arises when interpretations differ.
  - DAML-based policies can be mapped to lower-level XACML representations.
Web service approaches (cont'd)
- SAML allows for exchanging authentication and authorization information [10].
  - In the SAML model, policies are gathered at the Policy Decision Point (PDP).
  - The PDP returns the policy decision to the Policy Enforcement Point (PEP).
- Disadvantage of the SAML model:
  - SAML puts too much burden on services by requiring them to gather the evidence needed for policy decisions.
Comparison of CAS and KAoS
- Compatibility:
  - CAS is a prototype that only works with a special version of the GridFTP service of GT2.
  - KAoS is designed to work with OGSA-compliant GT3.
- Policy expression and reasoning:
  - The CAS server stores the policies as a list of rights.
  - KAoS uses DAML/OWL and the Java Theorem Prover (JTP) to express and reason about policies.
Obligations
- Authorization vs. Obligation:
  - authorizations = constraints that permit or forbid some action
  - obligations = constraints that require some action to be performed, or else serve to waive such a requirement
- KAoS Obligations are working in other areas (CoAX, NASA IS, HyRes, etc.).
- Implementing Obligations with Grid services will require some additional handlers and more sophisticated action-to-ontology mapping, but should still not impact the client or service source code.
- Enablers are components that provide capabilities the client may lack in order to meet an obligation.
Generalization to Web services
- Our KAoS implementation on GT3 actually governs all GSI-enabled Web services.
- We are monitoring the progress of Web service security standards.
(Diagram: nested categories, from Web services to GSI-enabled Web services, Grid services and Secure Grid services.)
References
1. Arnold, G., J. Bradshaw, B. de hOra, D. Greenwood, M. Griss, D. Levine, F. McCabe, A. Spydell, H. Suguri, S. Ushijima. (2002) Java Agent Services Specification. http://www.java-agent.org/
2. Foster, I., Kesselman, C., Nick, J., & Tuecke, S. (2002). The Physiology of the Grid: An Open Grid Services Architecture for Distributed Systems Integration. Open Grid Service Infrastructure Working Group, Global Grid Forum, 22 June.
3. Foster, I., Kesselman, C., and Tuecke, S. (2001). The Anatomy of the Grid: Enabling Scalable Virtual Organizations. International J. Supercomputer Applications, 15(3).
4. Foster, I., and C. Kesselman. (1998) The Globus Project: A Status Report. Heterogeneous Computing Workshop, IEEE Press, 1998, 4-18.
5. Pearlman, L., Welch, V., Foster, I., Kesselman, C., & Tuecke, S. (2002) Community Authorization Service for Group Collaboration. IEEE Workshop on Policies for Distributed Systems and Networks.
6. Tuecke, S., Czajkowski, K., Foster, I., Frey, J., Graham, S., & Kesselman, C. (2002) Grid Service Specification. http://www.gridforum.org/ogsi-wg/drafts/GS_Spec_draft03_2002-07-17.pdf
7. http://www.semanticgrid.org
8. http://www.semanticweb.org
9. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
10. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
11. http://www-fp.globus.org/security/CAS/CAS-Overview.ppt
12. Tonti, G., Bradshaw, J., Jeffers, R., Montanari, R., Suri, N., & Uszok, A. (2003), Semantic Web Languages for Policy Representation and Reasoning: A Comparison of KAoS, Rei and Ponder. Submitted to the 2nd International Semantic Web Conference (ISWC2003), Sanibel Island, Florida, USA.