Presentation is loading. Please wait.

Presentation is loading. Please wait.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Published byMerryl Walton Modified over 9 years ago

Similar presentations

Presentation on theme: "Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile."— Presentation transcript:

1 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware ISGC 2012 Feb 27, 2012 Keith Chadwick for the AuthZ Interop team Grid & Cloud Computing dept., Computing Sector, Fermilab Overview Experience-first Standardize-later paradigm Authorization Interoperability Profile for the Cloud Implementations and Status

2 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 2/17 The Collaboration Ian Alderman 9 Mine Altunay 1 Rachana Ananthakrishnan 8 Joe Bester 8 Keith Chadwick 1 Vincenzo Ciaschini 7 Yuri Demchenko 4 Andrea Ferraro 7 Alberto Forti 7 Gabriele Garzoglio 1 David Groep 2 Ted Hesselroth 1 1 Fermilab, Batavia, IL, USA 2 NIKHEF, Amsterdam, The Netherlands 3 Brookhaven National Laboratory, Upton, NY, USA 4 University of Amsterdam, Amsterdam, The Netherlands 5 SWITCH, Zürich, Switzerland 6 BCCS, Bergen, Norway 7 INFN CNAF, Bologna, Italy 8 Argonne National Laboratory, Argonne, IL, USA 9 University of Wisconsin, Madison, WI, USA John Hover 3 Oscar Koeroo 2 Chad La Joie 5 Tanya Levshina 1 Zach Miller 9 Jay Packard 3 Håkon Sagehaug 6 Valery Sergeev 1 Igor Sfiligoi 1 Neha Sharma 1 Frank Siebenlist 8 Valerio Venturi 7 John Weigand 1

3 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 3/17 The Authorization Model The EGEE (EGI) and OSG security model is based on X509 end entity and proxy credentials for single sign-on and delegation Role-based access to resources is based on VOMS Attribute Certificates  http://vdt.cs.wisc.edu/components/voms.html http://vdt.cs.wisc.edu/components/voms.html Users push credentials and attributes to resources Access privileges are granted with appropriate local identity mappings Resource gateways (Gatekeeper, SRM, gLExec, …) i.e. Policy Enforcement Points (PEP) call-out to site-central Policy Decision Points (PDP) for authorization decisions

4 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 4/17 Authorization Infrastructure (the OSG case) Grid Site GUMS Site Services SAZ CE Gatekeeper LCMAP Is Auth? Yes / No SE SRM gPlazma ID Mapping? Yes / No + UserName VO Services VOMS-admin VOMS synch register get voms-proxy Submit request with voms-proxy synch 1 4 5 6 7 2 3 WN gLExec LCMAP Storage Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 8 8 Schedule Pilot OR Job 9 Pilot SU Job (UID/GID) 10 VO PDP PEPs AuthZ Components Legend Not Officially In OSG VO Management Services Batch System

5 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 5/17 Goals for Interoperability Agree on common PEP to PDP call-out protocol and implementation in order to… 1. …share and reuse software developed for EGI and OSG, 2. …give software providers (external to the Grid organizations) reference protocols to integrate with both Grids infrastructures, 3. …enable the seamless deployment of software developed in the US or EU in the EU or US security infrastructures.

6 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 6/17 Standardization based on experience It takes many trials & errors (…and many years…) to  …put together a collaboration  …agree on a working profile  …implement libraries for multiple languages  …integrate libraries with existing infrastructure – PEP / PDP  …tune the system to production standards  …widely deploy a solution The Authorization Interoperability is being standardized by OGF in 2012 after 5 years Example of Experience-first / Standardize-later as opposed to the more typical approach: Standardize-first / Experience-later Arguably, the resulting standard is “stronger”

7 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 7/17 AuthZ Interop is standardized at age 5 2008  Release XACML profile document: 1+ yr collaboration (OSG, EGEE, Globus, and Condor_  Implementation and integration of XACML AuthZ modules with principal PDPs and PEPs in OSG and EGEE  Demonstrated interoperability of OSG vs. EGEE deployments in ad-hoc scenarios – Goal 3 2009  Discussion on evolutions of the profile in the context of Argus  Argus extends the interoperability profile  External software providers use the profile as reference on authorization for the Grid Domain. TechX: SVOPME project. Globus: GT5 – Goal 2 2010  Consolidation of additional OSG PDPs and PEPs  Start migration of PEPs to LCMAPS (Nikhef, NL) as common code base – Goal 1 2011  Tune client parameters to sustain authz tsunami  Extend profile with proxy validity attributes  Begin OGF standardization – Goal 2 2012  Plan to complete OGF standardization – Goal 2  Work on profile extension for Cloud Authorization

8 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 8/17 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware ISGC 2012 Feb 27, 2012 Keith Chadwick for the AuthZ Interop team Grid & Cloud Computing dept., Computing Sector, Fermilab Overview Experience-first Standardize-later paradigm  Authorization Interoperability Profile for the Cloud Implementations and Status

9 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 9/17 Authorization Interoperability and the Cloud The Grid relies on infrastructure that has been made stable and reliable throughout the years. Many communities are now deploying Cloud infrastructure  on-demand user-sized machine instantiation based on virtualization We want to reuse the Grid authorization infrastructure for the Cloud Strategy: extend the authorization interoperability profile and reuse 99% of the implementation for the Grid We seek collaborators

10 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 10/17 FermiCloud Authentication / Authorization FermiCloud is Infrastructure as a Service (IaaS) Cloud Computing in support of the Fermilab Scientific Program  See Keith Chandwick’s talk “FermiGrid and FermiCloud Update” on Feb 28, 2012 FermiCloud is currently based on Open Nebula (ONe) In collaboration with ONe, the FermiCloud project has integrated X509 Authentication for ONe Currently, we have a proof-of-principle authorization call-out from ONe to GUMS ONe v3.2 supports authorization plug-ins: planning to use X509 identity in that context for call-out 0.6 FTE from Mar 12, 2012

11 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 11/17 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware ISGC 2012 Feb 27, 2012 Keith Chadwick for the AuthZ Interop team Grid & Cloud Computing dept., Computing Sector, Fermilab Overview Experience-first Standardize-later paradigm Authorization Interoperability Profile for the Cloud  Implementations and Status

12 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 12/17 Request/Response Attribute Categories Request is made with  Subject attributes  Action attributes  Resource attributes  Environment attributes Response is made with  Permit, Deny, or Indeterminate  Obligation attributes PDP Site Services CE / SE / WN Gateway PEP XACML Request XACML Response Grid Site Subject S requests to perform Action A on Resource R within Environment E Decision Permit, but must fulfill Obligation O

13 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 13/17 Implementations for the Grid SAML v2 - XACML v2 profile  OpenSAML (Java); Globus XACML (C) Authorization Callout Modules and PDPs  LCAS / LCMAPS (L&L) - SCAS plug-in  SCAS (EGI)  PRIMA - gPlazma plug-in  GUMS / SAZ (OSG) Resource Gateways  Computing Element  Pre-WS and WS Gatekeepers 4.2 / 5.2  Storage Element  SRM / dCache; BeStMan; xrootd; GridFTP  Worker Node  gLExec

14 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 14/17 GUMS XACML2 gLExecSRM/dCache LCMAPS XACML2 gLite lib gPlazma XACML Callout Structure in OSG Using only EMI Code Pre-WS GK WN CE SE Gateway Call-out XACML lib PDP 2012 GK v5.2 XACML2 gLite lib GridFTP xrootd SRM BeStMan Legend: Cmpnt EGEE Comp. used in OSG XACML2 gLite lib LCMAPS XACML2 gLite lib LCMAPS XACML2 gLite lib LCMAPS XACML2 gLite lib XACML2 gLite lib LCMAPS SAZ XACML2

15 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 15/17 Measured Performance Tuning PEP / PDP connection parameters to sustain authorization “tsunami” * :  Socket connection timeout > 21 s (set to 30 s)  Sysctl parameter 'net.core.somaxconn‘ = max expected job connections (set at 4096 per server)  Apache parameter 'ListenBacklog‘ = same value as above (GUMS only)  Tomcat parameter 'acceptCount‘ = same (SAZ only)  Apache ‘MaxClients’ = 32 (GUMS only) * https://twiki.grid.iu.edu/bin/view/Documentation/Release3/InstallGlexec#Engineering_Considerationshttps://twiki.grid.iu.edu/bin/view/Documentation/Release3/InstallGlexec#Engineering_Considerations MaxClient value GUMS mappings / sec Tuning GUMS Mapping Rate % Mapping success rate

16 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 16/17 Future: integration with new identity models Several communities are investigating models for identity management other than x509  OpenID, Shibboleth, InCommon, … As support for these new models become wide-spread, we envision the need to integrate these with the Auth Interop profile The work will probably focus on the “subject” context of the profile

17 Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 17/17 Conclusions Major OSG sites fully or partially migrated  rpm-based VDT packages L&L / XACML call- out for easy deployment Working with OGF on standardization of the profile following Experience-first / Standardize-later model Looking for collaborators to extend the standardized profile in support of Cloud Authorization  Goal: reuse stable fine-grain role-based site- central Grid AuthZ infrastructure for Cloud deployments at sites

Download ppt "Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile."

Similar presentations

Global Grid Forum GridWorld GGF15 Boston USA October 03 2005 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.

Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008.

SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008.

Similar presentations

Ads by Google