Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Authorization for Metacomputing Applications G. Gheorghiu, T. Ryutov and B. C. Neuman University of Southern California Information Sciences Institute.

Published byAndra Mosley Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Authorization for Metacomputing Applications G. Gheorghiu, T. Ryutov and B. C. Neuman University of Southern California Information Sciences Institute."— Presentation transcript:

1 1 Authorization for Metacomputing Applications G. Gheorghiu, T. Ryutov and B. C. Neuman University of Southern California Information Sciences Institute July, 1998

2 2 Outline of Presentation u The Prospero Resource Manager (PRM) u Motivation u Overall security model - Extended Access Control List framework - Generic Authorization and Access control API u Applying the model to PRM u Status u Summary

3 3 The Prospero Resource Manager (PRM) u The System Manager (SM) - allocates resources to jobs u The Job Manager (JM) - requests necessary resources u The Node Manager (NM) - loads and executes tasks

4 4 Running a job with PRM JM 1 3 2 4 1. JM requests resources 2. SM allocates resources to the JM, notifies the NMs 3. SM informs the JM of the assigned resources 4. JM requests task initiation 5. NMs create tasks 5 5... SM NM % appl

5 5 Motivation u Need for user Authentication u Security policies: - authorized principals - type of granted access - restrictions on granted access and resources u Customization of the policies u Enforcement of the policies Domain ADomain B Request to load an application Security Policy Data Base

6 6 EACL framework EACL for host kot.isi.edu Prospero Directory Service Principals Access Rights Conditions EACL entry Default EACL for domain isi.edu...

7 7 EACL Management u Goal: enable easy sharing of a default authorization policy among NMs while allowing customization at host level u The Prospero Directory Service API is used to create virtual links to the EACL files and to specify attributes for the links u Example of attributes for the default EACL file: –SYSTEM_MANAGER darkstar.isi.edu –EACL_DEFAULT True u Example of attributes for a local EACL file: –NODE_MANAGER kot.isi.edu –EXTEND_DEFAULT Append

8 8 EACL entry structure : Principals TYPE SECURITY MECHANISM ID USER Kerberos.V5 joe@ISI.EDU HOST IPaddress 164.67.21.82 APPLICATION Checksum 0x75AA31 GROUP DCE 8 ANYBODY

9 9 EACL entry structure: Access Rights user-level representation tag value HOST load HOST status DEVICE power_up DEVICE power_down

10 10 EACL entry structure: Conditions TYPE VALUE location DNS_* _island.com time_window 8AM-6PM time_day Monday-Friday payment $20 CPU_load 30 application_name matlab PRM- SPECIFIC GENERIC

11 11 Generic Authorization and Access control API (GAA API) Object EACL handle Reference to object Upcall function for EACL retrieval... gaa_check_authorization GAA API Security Context [ operations for authorization ]... gaa_get_object_eacl YES / NO / MAYBE [ list of authorized operations and corresponding conditions, if any ]...

12 12 GAA API Security Context u Identity u Authorization Attributes u Delegated credentials u Evaluation and Retrieval functions for Upcalls

13 13 Using the GAA API in PRM gaa_get_object_eacl gaa_check_authorization GAA API SM EACL... GAA API security context 5 5a Kerberos Library 1 2 3 4 4a 6 6a 6b (1, 2, 3, 4, 4a) request and verification of principal’s identity (5, 5a) call to gaa_get_object_eacl, retrieval of appropriate EACL (6, 6a, 6b) call to gaa_check_authorization Transport Mechanism

14 14 EACL Evaluation This is Joe, load matlab, on the host kot.isi.edu GROUP kerberos.v5 oper @ISI.EDU * USER kerberos.v5 joe@ ISI.EDU load time_w: 6AM-8PM cpu_load : 20 Joe 10:07AM host kot.isi.edu Identity: USER kerberos.v5 joe@ ISI.EDU Functions for upcall: GAA API security context EACL associated with the host kot.isi.edu REQUEST PRINCIPALS OPERATIONS CONDITIONS

15 15 Status u Current Prototype The prototype is used within our current PRM testbed to check user authorization based on the policies in the EACL file. - implemented PRM-specific conditions: time window, idle time and CPU load - only the default policy per domain is used u IETF drafts - draft-ietf-cat-acc-cntrl-frmw-00.txt - draft-ietf-cat-gaa-cbind-00.txt u Future work - implementing the local EACL policy mechanism - other PRM-specific conditions - refining the EACL evaluation algorithm - requesting additional credentials and evaluation of acquired ones

16 16 Summary u Flexible and configurable security policy u Integration of local and distributed policies u Fine-grained access control u Facilitation of authorization decisions u Contact authors at {grig, bcn, tryutov}@isi.edu

Download ppt "1 Authorization for Metacomputing Applications G. Gheorghiu, T. Ryutov and B. C. Neuman University of Southern California Information Sciences Institute."

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Operating System Structures

Operating System Structures
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Operating Systems 635-321 Operating system is the “executive manager” of all hardware and software.

Operating Systems Operating system is the “executive manager” of all hardware and software.
1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.

1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.
Copyright © 1995-2005 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci555: Advanced Operating Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci555: Advanced Operating Systems Lecture.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CS582: Distributed Systems Lecture 10, 11 –

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CS582: Distributed Systems Lecture 10, 11 –
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.

Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
Scheduler Activations Effective Kernel Support for the User-Level Management of Parallelism.

Scheduler Activations Effective Kernel Support for the User-Level Management of Parallelism.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authorization.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authorization.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Lecture 7 Access Control

Lecture 7 Access Control
Linux Security.

Linux Security.
Understanding Active Directory

Understanding Active Directory

Similar presentations

Ads by Google