Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Globus Authorization Processing Framework New Challenges for Access Control Workshop April 27, 2005, Ottawa, Canada Frank Siebenlist (Argonne National.

Published byHoward Park Modified over 8 years ago

Similar presentations

Presentation on theme: "The Globus Authorization Processing Framework New Challenges for Access Control Workshop April 27, 2005, Ottawa, Canada Frank Siebenlist (Argonne National."— Presentation transcript:

1 The Globus Authorization Processing Framework New Challenges for Access Control Workshop April 27, 2005, Ottawa, Canada Frank Siebenlist (Argonne National Laboratory), Takuya Mori (NEC), Rachana Ananthakrishnan (ANL), Liang Fang (Indiana Uni.), Tim Freeman (UofChicago), Kate Keahey (ANL), Sam Meder (ANL), Olle Mulmo (KTH), Thomas Sandholm (KTH) franks@mcs.anl.gov - http://www.globus.org/

2 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW2 Outline l The Globus Toolkit (GT) l (Grid) Use Cases u Virtual Orgs (VOs), multiple admin realms, delegation l Policy, Policy, Policy…. u Attributes l Shibboleth, SAML, X509-ACs, VOMS, etc. u Authorization l Call-out, SAML Authz, XACML, PC, PERMIS, AAA-tk, Delegation... l Authorization Processing Framework u Attribute collection, generic PDP-abstraction, Master- PDP, Delegation/Rights-Admin l Big Picture & Futures u Proto-type=>real-thing, XACML-3, job/agreement- language integration

3 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW3 Globus Toolkit (GT-4.0) l WS, WS-I & WSRF compliant toolkit l WSS, WS-I, X509/(GGF-)SAML Identity/Attribute Certificates, X509 Proxy-Certificate, XACML, PERMIS, VOMS compliant toolkit u Message Level Security & TLS support l Different platform support u Java, C/C++, Python,.Net/C# l (Security-)Integrated with higher-level Svcs u GridFTP, GRAM, MDS, MyProxy, PURSE, OGSA-DAI… l Many, many parties involved u Customer-requirements driven u … with commercial “versions”… l Open Source u Apache-style license

4 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW4 Leverage (Open Source) Security Service Implementations l OpenSSL u “native” Proxy Certificate support coming… (thanks to OpenSSL hacker Richard Levitte and KTH!) l Internet2’s OpenSAML u Part of GT - used by CAS/GridShib/AuthzCallout/… l Internet2’s Shibboleth u NSF funded GridShib project to “Grid-enable” Shibboleth l Sun’s open source XACML effort u Integrate sophisticated policy decision engine in the GT l Futures: Permis, Handle System, XKMS, XrML, …

5 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW5 Security of Grid Brokering Services Brokers/Schedulers handle resource discovery, reservation, coordination, and usage on behalf of users Each Organization enforces its own access policy User needs to delegate rights to broker which may need to delegate to services QoS/QoP Negotiation and multi-level delegation

6 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW6 Security Services Objectives l It’s all about “Policy” u (Virtual) Organization’s Security Policy u Security Services facilitate the enforcement l Security Policy to facilitate “Business Objectives” u Related to higher level “agreement” l Security Policy often delicate balance u More security  Higher costs u Less security  Higher exposure to loss u Risk versus Rewards u Legislation sometimes mandates minimum security

7 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW7 Agreement  VO Security Policy Price Cost Obligations QoS T&Cs …………… Security …………… trust anchors (initial) members (initial) resources (initial) roles Access rules Privacy rules (Business) Agreement Dynamic VO Security Policy members resources roles Attribute mgmt Authz mgmt Static Initial VO Security Policy

8 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW8 Virtual Organization Concept

9 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW9 Propagation of Requester’s Rights through Job Scheduling and Submission Process Dynamically limit the Delegated Rights more as Job specifics become clear Trust parties downstream to limit rights for you… or let them come back with job specifics such that you can limit them Virtualization complicates Least Privilege Delegation of Rights

10 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW10 Security Services with VO

11 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW11 GT’s Attribute Assertion Support l VOMS/Permis/X509/Shibboleth/SAML identity/attribute assertions l Assertions can be pushed by client, pulled from a service, or are made locally available GT-runtime has to mix and match all Attribute information a consistent manner, and present it to the subsequent Authz stage…

12 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW12 GT’s GGF’s Authorization Call-Out Support l GGF’s OGSA-Authz WG: “Use of SAML for OGSA Authorization” u Authorization service specification u Extends SAML spec for use in WS-Grid u Recently standardized by GGF l Conformant call-out integrated in GT u Transparently called through configuration l Permis interoperability u Ready for GT4! l Futures… u SAML2.0 compliance … XACML2.0-SAML2.0 profile

13 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW13 GT-XACML Integration l eXtensible Access Control Markup Language (XACML) u OASIS standard u Open source implementations l XACML: sophisticated policy language l Globus Toolkit will ship with XACML runtime u Integrated in every client and server build on GT u Turned-on through configuration l …and we’re using the XACML-”model” for our Authz Processing Framework… l …can be called transparently from runtime and/or explicitly from application…

14 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW14 GT’s Assertion Processing “Problem” l VOMS/Permis/X509/Shibboleth/SAML/Kerberos identity/attribute assertions l XACML/SAML/CAS/XCAP/Permis/ProxyCert authorization assertions l Assertions can be pushed by client, pulled from service, or locally available l Policy decision engines can be local and/or remote l Delegation of Rights is required “feature” implemented through many different means GT-runtime has to mix and match all policy information and decisions in a consistent manner…

15 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW15 Basic Access Control Policy Ivan Mallory Alice Can I have glass of lemonade? Bob’s policy: Alice is my friend and I’ll share my lemonade with her Mallory is not my friend and he can go #$%^& Sure, here is a glass Can I have glass of lemonade? No way, I don’t like you

16 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW16 Basic Access Control Policy (2) Mallory Alice Can I have glass of lemonade? Bob’s policy: Alice is my friend and I’ll share my lemonade with her Mallory is not my friend and he can go #$%^& Sure, here is a glass Can I have glass of lemonade? No way, I don’t like you Ivan Resource Owner decides! (ultimate source of authority for access)

17 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW17 Delegation of Rights (1) Sure, here is a glass Can Bob have glass of lemonade? Sure, Bob is my friend Ivan Ivan’s policy: Carol is my friend and I’ll share my lemonade with her I’ll share my lemonade with any friend of Carol I don’t know any Bob…(?) Can I have glass of lemonade? Bob Carol Carol’s policy: Bob is my friend and I’ll share my lemonade with him

18 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW18 Delegation of Rights (2) Sure, here is a glass Can Bob have glass of lemonade? Sure, Bob is my friend Ivan’s policy: Carol is my friend and I’ll share my lemonade with her I’ll share my lemonade with any friend of Carol I don’t know any Bob…(?) Can I have glass of lemonade? Bob Carol’s policy: Bob is my friend and I’ll share my lemonade with him Ivan Carol Ivan likes Carol + Carol likes Bob => Ivan likes Bob (non-normative delegation logic ;-) )

19 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW19 Carol Ivan Request to invoke porttype/operation on ws-resource Ivan’s PermitPolicy: Subject.vo-role == “administrator” Ivan’s Attribute Assertion: Carol.vo-role = “administrator” Ivan has no policy applicable to Bob => NotApplicable Application Reply Can Bob’s request context invoke porttype/operation on my ws-resource? Permit Bob Carol’s PermitPolicy: Subject.name == “Bob” Carol’s SAML-XACML Authz Svc EPR = Ext-PDP Ivan’s local XACML PDP Ivan delegates the rights to administrate access to Carol Delegation of Rights (3)

20 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW20 Authz Processing Assumptions (1) l All Policy Statements, PDPs and Authz-Decisions have Issuer associated with them u “someone” has to take responsibility for statements and associated decisions l Resource Owner is the Ultimate Authority u Any statement/decision that can not be directly traced back to the owner is NotApplicable l “traced back”: delegation chain that starts with owner l Two different Policy Statements and Queries u Admin Policy Statements l Issuer states that certain admin-subject are allowed to administer the rights of certain access-subjects to invoke certain operations on certain resources. u Access Policy Statements l Issuer states that certain access-subject are allowed to invoke certain operations on certain resources.

21 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW21 Authz Processing Assumptions (2) l “Push-Pull” Equivalence u Pushing authz-assertion and evaluating it locally renders same decision as evaluating the same policy statements remotely behind an external PDP l Authz-Decisions are Policy Statements u Folded over the request context u Could optimize by only considering the attributes used to render a decision… u If attributes don’t specify a “invocation context”, then only the invoker’s identity would suffice… u Conservative: mandate that all request context’s attributes values are equal to the ones that rendered the decision.

22 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW22 Attribute Collection Framework

23 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW23 GT’s Authorization Processing Model (1) l Use of a Policy Decision Point (PDP) abstraction that conceptually resembles the one defined for XACML. u Normalized request context and decision format u Modeled PDP as black box authorization decision oracle l After validation, map all attribute assertions to XACML Request Context Attribute format l Create mechanism-specific PDP instances for each authorization assertion and call-out service l The end result is a set of PDP instances where the different mechanisms are abstracted behind the common PDP interface.

24 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW24 GT’s Authorization Processing Model (2) l The Master-PDP orchestrates the querying of each applicable PDP instance for authorization decisions. l Pre-defined combination rules determine how the different results from the PDP instances are to be combined to yield a single decision. l The Master-PDP is to find delegation decision chains by asking the individual PDP instances whether the issuer has delegated administrative rights to other subjects. l the Master-PDP can determine authorization decisions based on delegated rights without explicit support from the native policy language evaluators.

25 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW25 GT Authorization Framework (1)

26 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW26 GT Authorization Framework (2)

27 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW27 GT Authorization Framework (3) l Master-PDP accessed all mechanism-specific PDPs through same Authz Query Interface u SAML-XACML-2 profile l Master PDP acts like XACML “Combinator” u “Permit-Overrides” rules l Negative permissions are evil… l Delegation-chains found through exhaustive search u …with optimization to evaluate cheap decisions first… l “Blacklist-PDPs” are consulted separately u Statically configured, call-out only PDPs u Deny-Overrides only for the blacklist-PDPs… l Pragmatic compromise to keep admin simple

28 April 27, 2005Ottawa Access Control Workshop: Globus Authz Processing FW28 GT-Authz Summary & Futures l Generic Authz Processing Framework u Mix, match and combine different authz mechanism u Supports delegation as “side-effect” l Proto-type => GT-4.2 integration u Both Attribute Collection & Authz Processing u Java, Python, C/C++ (,.Net) … WS & GridFTP & httpd l XACML-3 (?) u May be able to incorporate “all” our processing requirements l Focus on higher-level Policy Integration u (Security) Policy Negotiation/Publishing/Discovery u Job Execution & Agreement Language Integration (?Semantic Web?) u Infrastructure Svc Integration to enable the “5-min VO” u … stay requirement driven - listen to our “customers” …

Download ppt "The Globus Authorization Processing Framework New Challenges for Access Control Workshop April 27, 2005, Ottawa, Canada Frank Siebenlist (Argonne National."

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.

Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
VOMS & SAML Valerio Venturi MWSG 12 12-13/6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.

VOMS & SAML Valerio Venturi MWSG /6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
June 30th, 2005EuroPKI2005 “Towards a Unified Authentication and Authorization Infrastructure for Grid Services: Implementing an Enhanced OCSP Service.

June 30th, 2005EuroPKI2005 “Towards a Unified Authentication and Authorization Infrastructure for Grid Services: Implementing an Enhanced OCSP Service.
4b.1 Grid Computing Software Components of Globus 4.0 ITCS 4010 Grid Computing, 2005, UNC-Charlotte, B. Wilkinson, slides 4b.

4b.1 Grid Computing Software Components of Globus 4.0 ITCS 4010 Grid Computing, 2005, UNC-Charlotte, B. Wilkinson, slides 4b.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
Globus Computing Infrustructure Software Globus Toolkit 11-2.

Globus Computing Infrustructure Software Globus Toolkit 11-2.
Globus 4 Guy Warner NeSC Training.

Globus 4 Guy Warner NeSC Training.
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.

Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Similar presentations

Ads by Google