Presentation is loading. Please wait.

Presentation is loading. Please wait.

AHM 2006 September 2006 DyVOSE Project: Experiences in Applying Advanced Authorisation Infrastructures John Watt (

Published byKaitlyn Dunn Modified over 10 years ago

Similar presentations

Presentation on theme: "AHM 2006 September 2006 DyVOSE Project: Experiences in Applying Advanced Authorisation Infrastructures John Watt ("— Presentation transcript:

1 AHM 2006 September 2006 DyVOSE Project: Experiences in Applying Advanced Authorisation Infrastructures John Watt ( j.watt@nesc.gla.ac.uk )j.watt@nesc.gla.ac.uk Richard Sinnott ( r.sinnott@nesc.gla.ac.uk )r.sinnott@nesc.gla.ac.uk University of Glasgow, Scotland, UK

2 AHM 2006 September 2006 Investigating the establishment of scalable Virtual Organisations in an e-Science education domain. 2 year JISC-funded project (May 04 – July 06) In partnership with University of Kent (and EDINA) Dynamic Virtual Organisations in e-Science Education http://www.nesc.ac.uk/hub/projects/dyvose

3 AHM 2006 September 2006 Project Goals (Glasgow) Creation of a permanent Grid Computing Module (GC5) as an option within the Advanced MSc. postgraduate course in Glasgows Computing Science department Provide a lasting lab infrastructure to support practical Grid Computing lab sessions Investigate technologies that enable Grid Services to be protected with advanced authorisation infrastructures which the students can deploy as part of an assignment

4 AHM 2006 September 2006 Course Details Single term course of 20 lectures and 10 tutorials (Jan-Mar) 1 st year (04-05) – 19 students 2 nd year (05-06) – 16 students Three short essay/programming assessments Final Exam in June (answer 3 questions of 5) Month-long Programming Assignment This assignment forms the core of the DyVOSE authorisation investigations

5 AHM 2006 September 2006 Assignment In both years the assignment took the following form: Students are split into two teams Write a Grid Service (and a client) in GT3.3 to perform some task Write a scheduler that will split a large job into many sub-jobs and submit to the local Condor pool Protect the Grid Service so that some functions are only available to students who are in the same team For both years, students used PERMIS to protect their Grid Services…

6 AHM 2006 September 2006 Assignment Year 1 Investigate STATIC privilege management Roles are issued by a local Source of Authority (SoA) stored in a local LDAP for access to a local service only Year 2 Investigate DYNAMIC privilege management Roles are issued by a local SoA stored in a local LDAP for accessing local AND REMOTE services But roles required for access to the REMOTE service are not recognised within the local infrastructure REMOTE SoA DELEGATES the right to assign these REMOTE roles to the LOCAL SoA (they form a VO!) Will prove that this can be done SECURELY and EASILY (from a user perspective) with PERMIS…

7 AHM 2006 September 2006 Generic Java API for Role Based Access Control (RBAC) Provides method-level protection to applications and Web Services Protects Grid Services through GGF- standardised SAML Authz API Roles are issue in the form of X509 Attribute Certificates (ACs) http://sec.cs.kent.ac.uk/permis http://www.permis.org

8 AHM 2006 September 2006 Generic Authorisation A generic framework for authorisation is defined in X.812 ISO 10181-3 Acc. Ctrl. Framework

9 AHM 2006 September 2006 PERMIS with GGF Authz API PERMIS deployed in Grid Service container WSDD file contains policy location, LDAP server details and trust info GSI provides user DN, PERMIS retrieves ACs

10 AHM 2006 September 2006 PERMIS Components XML Policy Roles and heirarchy Targets Actions SOAs DN Scope Attribute Storelist LDAPs Policy Editor tool syntax checks

11 AHM 2006 September 2006 PERMIS Components Privilege Allocator or Attribute Certificate Manager (ACM) Creates and signs X509 Attribute Certificates (ACs) and loads into LDAP ACs contain digitally signed attributes (roles) PERMIS API verifies PKI chain of trust (if more than unity length) on invocation Fully supports a static PMI One SoA, home roles only…

12 AHM 2006 September 2006 Year 1 Assignment Write a Grid service (and client) to parse the Complete Works of Shakespeare and offer a Search service to everyone, but a Sort service only to members of the same team. Split the job into sub-jobs and submit to the Condor pool. Support (as Sys Admins) Create PKI (CA) and p12 certificates for Globus Write a local XML policy to enforce the rules Create LDAP entries and use the ACM to issue ACs to the students which contain their role Students were given LDAP and PKI info to amend their PERMIS service A tough assignment for four weeks. We got 2 completions and about 5 or 6 who were about 90% there. We have since Shibboleth-enabled this service, check URL at end…

13 AHM 2006 September 2006 Year 2 Assignment Write a Grid Service and client which runs BLAST on a set of data extracted from a remote database and schedule into sub-jobs for submission to the Condor pool Student experience much the same as before implementation-wise (deploy PERMIS in container – point to our PMI details) But the Support part requires a more sophisticated AC allocator application to handle external as well as local roles (among other properties) Enter the Delegation Issuing Service (DIS)… –(and a slightly modified PERMIS too)

14 AHM 2006 September 2006 Delegation Issuing Service No user key pair required to issue ACs dis user signs all ACs on behalf of the delegator If a rogue employee is kicked out, any certificates they issued to trustworthy employees are still valid –Not the case with AC chains DIS checks the local policy before signing Only policy-valid ACs can ever be issued With previous PERMIS tools it is possible to issue ANY AC with ANY role Deployed as a web service utilising SOAP Can be used anywhere by valid users

15 AHM 2006 September 2006 Delegation Issuing Service Extensions to the PERMIS API allow for Cross-certification Allow ACs signed by a remote CA to be recognised –Currently done through an SoA policy extension Role-mapping Recognise the meaning of an external role –Currently done by equating the names of the roles in the local policies »Future tools will do this equality on the fly without having to alter local core policy The above implement the necessary features to allow Glasgow to issue Edinburgh roles within their PMI and in accordance with both sites policies

16 AHM 2006 September 2006 DIS Implementation Web Service AXIS, Apache, Tomcat Not too tricky An afternoon Docs fine for this part Underlying PKI OpenSSL Quite complex Had to be quite careful with compatibility of VO PKIs Have written extension to manual detailing the steps required in full

17 AHM 2006 September 2006 Dynamic PMI Use Case Student Assignment Student were split into two teams They were issued with Attribute Certificates which assigned them with one of two roles (GlaTeamN and GlaTeamP) Students implemented a BLAST Grid Service which queried an external database (hosted in Edinburgh) for gene data Database was PERMIS protected so only members of the correct team got the right data (based on EdTeam roles) Students PERMIS protected their service so only members of their own team could invoke the service

18 AHM 2006 September 2006 Dynamic PMI Use Case PERMIS Policy Details BLAST DATA Service (Edinburgh) Send Nucleotide Data if User presents PERMIS Role EdTeamN Send Protein Data if User presents PERMIS Role EdTeamP BLAST Service (Glasgow) Invoke BLASTN service if User presents PERMIS Role GlaTeamN Invoke BLASTP service if User presents PERMIS Role GlaTeamP

19 AHM 2006 September 2006 Dynamic PMI Use Case Dynamic Delegation Edinburgh issues a Delegation Statement to the Glasgow SoA that allows them to assign the EDINBURGH PERMIS role EdTeamN/P Done through Glasgow policy extension (RoleMapping) Glasgow SoA delegates the responsibility to issue this role to user ext Issues ext an Attribute Certificate containing the Edinburgh roles with the delegation flag set User ext assigns the Edinburgh roles to Glasgow students By issuing the Glasgow students Attribute Certificates This user can be in the Glasgow infrastructure or can be the Edinburgh SoA (by logging into the Glasgow DIS) – both models can be supported (the former being the more direct) Edinburgh Data Service searches both LDAP directories Service finds User entries in Glasgow LDAP that contain the correct Edinburgh role – ACCESS GRANTED

20 AHM 2006 September 2006 Dynamic PMI Use Case EdinburghGlasgow GT3.3 Container BLAST DATA BLAST SERVICE PERMIS Service LDAP Student BLAST Client P P P P CONDOR You may assign Edinburgh Roles

21 AHM 2006 September 2006 In Practise

22 AHM 2006 September 2006 Summary PERMIS simple to deploy for users For sys admins, deployment is tricky, but use is easy Dynamic Delegation of Authority can be secure and workable Future tools (next year?) will optimise this process User need not know of certificates! Happier users DyVOSE legacy Third year of Grid module starting in Jan 07 Permanent Grid Computing Laboratory in NeSC Glasgow A set of tools which we are able to apply to many of our security projects now and in the future Fancy doing the course next year? http://www.dcs.gla.ac.uk/courses/MSc_ACS/

Download ppt "AHM 2006 September 2006 DyVOSE Project: Experiences in Applying Advanced Authorisation Infrastructures John Watt ("

Similar presentations

4 June 2002© 2001-2 TrueTrust Ltd1 PMI Components Oleksandr Otenko Research Student ISSRG, University of Salford

4 June 2002© TrueTrust Ltd1 PMI Components Oleksandr Otenko Research Student ISSRG, University of Salford
24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
DyVOSE Status Report Dr Richard Sinnott Technical Director National e-Science Centre ||| Deputy Director Technical Bioinformatics Research Centre University.

DyVOSE Status Report Dr Richard Sinnott Technical Director National e-Science Centre ||| Deputy Director Technical Bioinformatics Research Centre University.
The National Grid Service and OGSA-DAI Mike Mineter

The National Grid Service and OGSA-DAI Mike Mineter
VO Support and directions in OMII-UK Steven Newhouse, Director.

VO Support and directions in OMII-UK Steven Newhouse, Director.
Spatial Data e-Infrastructure UK e-Science ALL HANDS MEETING 2008 8-11 September, Edinburgh, UK Higgins, C., Koutroumpas, M., Sinnott, R.O., Watt, J.,

Spatial Data e-Infrastructure UK e-Science ALL HANDS MEETING September, Edinburgh, UK Higgins, C., Koutroumpas, M., Sinnott, R.O., Watt, J.,
© S.J. Coles 2006 Usability WS, NeSC Jan 06 Experiences in deploying a useable Grid-enabled service for the National Crystallography Service Simon J. Coles.

© S.J. Coles 2006 Usability WS, NeSC Jan 06 Experiences in deploying a useable Grid-enabled service for the National Crystallography Service Simon J. Coles.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Wednesday, June 03, 2015 © 2001 TrueTrust Ltd1 PERMIS PMI David Chadwick.

Wednesday, June 03, 2015 © 2001 TrueTrust Ltd1 PERMIS PMI David Chadwick.

Similar presentations

Ads by Google