Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hao Wang Computer Sciences Department University of Wisconsin-Madison Authentication and Authorization.

Published byMeghan York Modified over 9 years ago

Similar presentations

Presentation on theme: "Hao Wang Computer Sciences Department University of Wisconsin-Madison Authentication and Authorization."— Presentation transcript:

1 Hao Wang Computer Sciences Department University of Wisconsin-Madison hbwang@cs.wisc.edu http://www.cs.wisc.edu/condor Authentication and Authorization in Condor

2 www.cs.wisc.edu/condor Outline › General Requirements › Issues › Our Design › Current Status › Plans and Issues

3 www.cs.wisc.edu/condor General Requirements › Why do we need security?  A question of trust › We need security in a distributed environment  Control resources usage  Privacy reason  And much more

4 www.cs.wisc.edu/condor General Requirements › Secure channel  We want to have a secure way to communicate Send commands, messages or data securely  Secure channel should provide Privacy – no one can eavesdrop on the channel Integrity – no one can tamper with the communication Authenticity – who am I talking to and how can I make sure it’s true

5 www.cs.wisc.edu/condor General Requirements › Authentication – who are you?  Provide a positive identification  Mutual authentication is often required › Credentials  Forms of identification  Normally a product of a successful authentication

6 www.cs.wisc.edu/condor General Requirements › Authorization  I know who you are, but what can you do?  Map a user to a set of rights Many different ways to setup the mapping e.g. Host based, role based › Data Integrity  Make sure that the data is not tampered › Data Security

7 www.cs.wisc.edu/condor Issues › Different authentication protocols  Normally incompatible with each other  Different strength › Non-interactive authentication  User may not be present when authentication is required › How to deal with credentials  Credentials can expire  How to store them

8 www.cs.wisc.edu/condor Our Design › Authentication  Support multiple protocols  Independent of actual protocol used  Use API to provide consistency and hide complexity of the protocols › Authorization  User based access control policy  Separation of policy from mechanism

9 www.cs.wisc.edu/condor Our Design KerberosNTSSPIX.509..... Condor Daemons Authentication API (partial) authenticate forward_credential receive_credential is_valid remove_credential update_credential.....

10 www.cs.wisc.edu/condor Authentication in Action A Condor User Condor Scheduling Agent Connect User initiate the action

11 www.cs.wisc.edu/condor Authentication in Action A Condor User Condor Scheduling Agent Connect Authenticate yourself Server requires authentication

12 www.cs.wisc.edu/condor Authentication in Action A Condor User Condor Scheduling Agent Connect Authenticate yourself Handshake User provides a list of supported protocols Server decides which ones to use and in what order

13 www.cs.wisc.edu/condor Authentication in Action A Condor User Condor Scheduling Agent Connect Authenticate yourself Handshake Authentication(s) One or more authentication might be required

14 www.cs.wisc.edu/condor Current Status › Authentication  API is already in place One API for authentication –Mechanism independent One API for credential management –Mechanism independent –Dealing with issues such as expiration, forwarding, proxies

15 www.cs.wisc.edu/condor Current Status › Authentication (cont.)  Protocols already supported: NTSSPI, Claimtobe, Filesystem  X.509 and Kerberos support is coming soon Supports mutual authentication Supports encryption Supports proxy/delegation Use GSS-API for X.509

16 www.cs.wisc.edu/condor Current Status › Authorization  Defining access control policy  Defined in Condor’s configuration file Currently host based HOSTALLOW_ADMIN = beak.cs.wisc.edu HOSTDENY_READ = *.wisc.edu HOSTALLOW_WRITE = *.cs.wisc.edu Will be user based soon ALLOW_ADMIN = alice@cs.wisc.edu DENY_READ = charlie@somewhere.net

17 www.cs.wisc.edu/condor Current Status › Data Encryption  Using X.509 and Kerberos’ built-in support for now › Data Integrity  Still an open issue

18 www.cs.wisc.edu/condor Plans and Issues › Authorization  Look at software and tools for enforcing security policies Keynote, SPKI › Role Based Access Control  Dealing with Access Control based on Roles, not users  More structural

19 www.cs.wisc.edu/condor Plans and Issues › Data Security  Would like it to be independent of authentication method  Deal with large amount of data (> GB) Use private key based encryption? › Data Integrity  Deal with large amount of data (> GB)

20 www.cs.wisc.edu/condor Conclusion › Our goal is:  Make Condor a secure environment to work with › Where are we?  Worked primarily in authentication and authorization  Still much to be done

21 www.cs.wisc.edu/condor That’s it for now! › Questions? › Comments? › Ideas?

Download ppt "Hao Wang Computer Sciences Department University of Wisconsin-Madison Authentication and Authorization."

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.

Greg Quinn Computer Sciences Department University of Wisconsin-Madison Condor on Windows.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Job submission architectures in GRID environment Masamichi Ando M1 Student 26403 Taura Lab. Department of Information Science and Technology.

Job submission architectures in GRID environment Masamichi Ando M1 Student Taura Lab. Department of Information Science and Technology.
1 Presentation at SciDAC face-to-face January 2005 Ron A. Oldfield Sandia National Laboratories The Lightweight File System.

1 Presentation at SciDAC face-to-face January 2005 Ron A. Oldfield Sandia National Laboratories The Lightweight File System.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Implementing a Distributed Firewall

Implementing a Distributed Firewall
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

Similar presentations

Ads by Google