Presentation is loading. Please wait.

Presentation is loading. Please wait.

WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.

Published byAlvin Park Modified over 9 years ago

Similar presentations

Presentation on theme: "WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003."— Presentation transcript:

1 WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003

2 WP3 What is Authorization? Whereby a principal is allowed to or prevented from carrying out an action. In edg there are requirements to carry out an authorization decision based on –Specific DN –VO membership(s) –Role within VO –Group within VO –By allowing anyone with an acceptable certificate to carry out an action –Allowing anyone to carry out an action

3 WP3 Authorization – EDG Principle Principle within EDG is that Authorization information goes with the resource or data. The authorization decision is made close to the resource or data, based on a combination of local Authorization information and attributes from the user This enables e.g. resource owner or administrator, or a file owner or administrator to keep control over it’s access. Hence e.g. a producer of information must make the decision as to whether or not the requestor of that information can have that information. Hence the end producer of the information must have information on the DN, VO membership, role(s) and groups of the end client in order to make an authorization decision.

4 WP3 VOMS certificate Voms certificate contains proof that a user is a member of a VO, is a member of certain groups in a VO, and has certain roles within a VO. A delegated VOMS certificate means that any servlet that is connected onto has proof of an entity’s VO membership, groups and roles as well as DN. Then an authorization decision can be made. Without a delegated VOMS certificate – authorization is not really secure – any hacked consumer can do what they like.

5 WP3 Course grained vs fine grained authorization Course grained – authorization on front of service (I.e. y/n can the person connect). –“Is the user allowed to use this service – if so – what role” Fine grained – authorization takes place within a service. –E.g. can this user read this file? R-GMA could have services which decide whether or not a connection is allowed, as well as services which decide whether to satisfy the request within the service. I favour ALL authorization decisions being made within services for R-GMA – a combination will be rather cumbersome.

6 WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service dn dn + attrs Fine-grained e.g. RepMeC WP2/WP3 Coarse-grained e.g. CE, Gatekeeper WP4 Fine-grained e.g. SE, /grid WP5 Java C authenticate acl

7 WP3 User service authr map pre-proc authr Coarse-grained e.g. Spitfire WP2 dn dn + attrs Fine-grained e.g. RepMeC WP2/WP3 Java authenticate acl service pre-proc authr delegation

8 WP3 Sensor Code Producer API Application Code Consumer API Registry Consumer Instance Registry API Registry API Producer Instance Schema API Schema Delegation (from application’s cert) Delegation (from producer’s cert) Producer decides- sensor y/n? Registry decides producer to register y/n? Registry decides consumer y/n? Producer decides- application y/n? Consumer decides- application y/n? ?

9 WP3 Authenticated USER ACL (DN, Vo, Role) DN, Vo, Role(s) Fine grained R-GMA In fine grained Authorization a decision must be made within the producer. Each table, even each row of a table will have it’s own ACL ACL (DN, Vo, Role) ACL (DN, Vo, Role)

10 WP3 Confidentiality There are certain requirements on confidentiality. To satisfy these an authorization decision at the source of info AND a delegated VOMS proxy is needed. If a third party can say ‘tell me if Linda is banned’ without the use of a delegated certificate – then the fact Linda is banned can be found out without Linda’s permission. Similarly for any info – a hacked or rogue R- GMA can get any info they want. Can only make things difficult.

11 WP3 Rogue Consumer Rogue Consumer has acceptable Certificate. DN DN info matches Without Delegation it is possible to obtain info one is not authorized to see. But it requires a consumer to be hacked or written.

12 WP3 Some WP3 specific requirements It must be possible to restrict knowledge of the existence of producers of information to specific authorized users –Solution – authorization information goes into the registry – only those authorized are granted info on the producer A producer must be able to restrict the publishing of information to specific authorized users. –Solution – each time a user attempts to publish – check against a list of users.

13 WP3 Specific WP3 requirements - contd A user can only see information on their own job –Solution – when job control info is requested, the producer only passes the info back if dn matches dn. A producer must be able to restrict read access to information to specific authorized users. –Solution – add authorization info into the table. –This could be a generalization of above

14 WP3 Suggested implementation solution Each Servlet has associated with it a file which defines authorization for each type of operation. Each table has an indicator as to whether authorization is per table or per row. If per table – indicate the name of the authorization file for this table – possibly indicate DN must match. If per row, each row contains authorization info – possibly a pointer to a table

15 WP3 Authorization without delegation First just have user’s only seeing their own jobs. Only way to do this in the absence of delegation in the trustmanager is –extract the DN of the user when they connect to the consumer –Pass this onto the producer –Add to job info table that DN must match –Only allow the user to see the job if DN matches Not secure – anyone with an acceptable certificate could get the info – but they would have to write their own consumer code

16 WP3 Sensor Code Producer API Application Code Consumer API Registry “Event Dictionary” Consumer Instance Registry API Registry API Producer Instance Schema API Schema If job info –does DN match? Have to trust the consumer to pass on DN

17 WP3 Evolutionary approach 1 st carry out a very crude system for authorization without delegation – until delegation is available. This will allow to try out the DN extracting and matching, having a first stage of adding to table. Replace with delegation as soon as available Then start looking at how to formulate what are effectively the ACL’s. Possibly use GACL. Look at what to add to the schema tables – pointer such as no Authorization, DN match, pointer to table. Steve Fisher has ideas on details.

18 WP3 Mixing secure and non-secure access Allowing different access rules after authentication fits quite well into R-GMA. Allowing a mixture of secure and non secure access is more difficult. –Authentication happens before connection –Authorization happens within the servlet –So for non-secure access – would need a different copy of R-GMA on a different port. –Problem is for us – 1 R-gma does everything. –Ideally, would need different service for non- secure access, I.e. a cut down R-GMA which just allows certain things.

19 WP3 Sensor Code Producer API Application Code Consumer API Registry Consumer Instance Registry API Registry API Producer Instance Schema API Schema

Download ppt "WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003."

Similar presentations

21 Sep 2005LCG's R-GMA Applications R-GMA and LCG Steve Fisher & Antony Wilson.

21 Sep 2005LCG's R-GMA Applications R-GMA and LCG Steve Fisher & Antony Wilson.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
FP7-INFRA-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.

FP7-INFRA Enabling Grids for E-sciencE EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.

Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
GGF Toronto 19.02.02 Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.

GGF Toronto Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.
Canonical Producer CP API User Code CP Servlet Files CreateTable, Port, Protocol, Security, SQL Support, Multiple Query Support Security Insert Query Port.

Canonical Producer CP API User Code CP Servlet Files CreateTable, Port, Protocol, Security, SQL Support, Multiple Query Support Security Insert Query Port.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
1 TAPAS Workshop Nicola Mezzetti - TAPAS Workshop 2002 - Bologna Achieving Security and Privacy on the Grid Nicola Mezzetti.

1 TAPAS Workshop Nicola Mezzetti - TAPAS Workshop Bologna Achieving Security and Privacy on the Grid Nicola Mezzetti.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.

JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.

Similar presentations

Ads by Google