Presentation is loading. Please wait.

Presentation is loading. Please wait.

Policy Resolution and Enforcement of Privileges in a Grid Authorization System Based on Job Properties Sang-Min Park, Glenn Wasson, and Marty Humphrey.

Published byMercy Jenkins Modified over 9 years ago

Similar presentations

Presentation on theme: "Policy Resolution and Enforcement of Privileges in a Grid Authorization System Based on Job Properties Sang-Min Park, Glenn Wasson, and Marty Humphrey."— Presentation transcript:

1 Policy Resolution and Enforcement of Privileges in a Grid Authorization System Based on Job Properties Sang-Min Park, Glenn Wasson, and Marty Humphrey University of Virginia Supported by the US Department of Energy (Early Career Program), the National Science Foundation under grants SCI-0438741, SCI-0438263, and SCI-0426972, and Microsoft.

2 2 Overview Background GRID Authorization Job-property Authorization Performance Evaluation Conclusion

3 3 Never happen?

4 4 Remote Execution in GRID GRID Middleware 2. Authentication (Mutual) 3. Authorization 1. Job Submission (w. executable path, arguments, stdin/out…) Fred’s DN  local account /C=US /O=UVa /CN=Fred 4. Resource Allocation & Process Execution (Enqueue or fork) 5. Status Monitoring & Job Management Local Resource Manager Local site Remote site

5 5 Existing GRID Authorization ‘grid-mapfile’ approach The early day’s mechanism to authorize GRID user Map the GRID level ID (X509 DN) to a local account (e.g., /C=US/O=UVa/OU=CS/CN=Fred foo) The auth. decision is enforced by O/S’s security system Still the most widely used authorization scheme Limitations Huge administrative burden – every GRID user should have an account on resources Limits VO scalability

6 6 Existing GRID Authorization VO Authorization Infrastructure Manage community member’s privileges within VO Mostly role-based authorization Example systems Community Authorization Service (CAS) - -Use SAML to carry the fine-grained authorization assertion - -Proxy cert is used to securely deliver the assertion to resources - -GridFTP interprets the access control primitive in the assertion VO Management Service (VOMS) - -VOMS server issues the user’s role in the VO - -Resource interprets the role by mapping it to a local account PRIMA (Open Science GRID) - -VOMS server issues role - -GUMS server, per site, maps the role to local account - -No more ‘grid-mapfile’ within resource

7 7 What are the problem? Fred has a scientist role in VO What if his account is compromised? What if his binary is compromised? What if Fred is a bad guy? … Scientist role can access enormous amount of GRID resources…Guess what? Not safe to assume the role/identity will do what it is supposed to do!

8 8 Job Property Authorization Take this part for authorization decision What it is supposed to do  Job’s property or behavioral requirements VO determines the job’s property and issues certification about it Resource recognizes the property and enforces it accordingly Not safe to assume the role/identity will do what it is supposed to do !

9 9 Job Property Authorization - Scenario Remote Resources I want to run Matlab on GRID /C=US /O=UVa /CN=Fred Fred’s execution of Matlab will require: * Maximum 10 hours of running time * 128 MBs of memory * Write access to /home/vo/cms Matlab for Fred Running Time: 10 hours Memory: 128 MBs …… File Access: write …… I want to run Matlab and here is the certified job property document Job property doc Ok, I will accept the job property but will enforce my own policy in addition to VO policy

10 10 Job Property Authorization Four issues in the Job Property Authorization 1. 1.The language to express the fine-grained job property 2. 2.How the remote resource can securely retrieve the job property? 3. 3.Multiple policy resolution (Job property as VO policy, Site policy, and more) 4. 4.How to enforce the fine-grained job property within remote execution system?

11 11 Job Property Authorization- Prototype Development CAS as a VO job property authorization server SAML as a language to express the job property (1) Proxy certificate as a medium to securely hold and deliver the job property (2) Multiple Policy Resolution – Site policy + Job Property (3).NET CLR Sandbox as an enforcement mechanism (4)

12 12 Dynamic and fine-grained Authorization Enforcement Account-based system - -Statically or dynamically maps to the existing account - -Coarse granularity of privilege configuration OS-level Virtual Machine (e.g., VMWare and Xen) - -Newly instantiate guest O/S on top of host O/S - -Guest O/S become the sandbox to the host O/S - -Performance overhead is big (esp. Instantiation delay) App-level sandbox - -Monitoring process intercepts system calls and enforce policy - -Every system call is examined  overhead is big Language Runtime VM (.NET CLR and JVM) Sandbox Runtime enforces the fine-grained access control Utilization in GRID has not been examined

13 13 Job Property Authorization- Prototype Development Novel use of CAS VO Admin inputs Job Properties and maps them to members SAML for encoding Job Property Use GT4 client tools (e.g., globus-run, cas-wrap, and etc) Compatible to GT4 GRAM WSRF-based implementation Run as Windows service Invoke.NET CLR Multiple Policy Resolution CLR Sandbox Configuration

14 14 Job Property Authorization- Prototype Development SAML for job property authorization Single auth. Decision carries multiple actions Each action maps to job property <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID=“ Issuer="C=US,ST=Virginia,L=Charlottesville,O=University of Virginia,,CN=PKI Master" MajorVersion="1" MinorVersion="0"> /C=US/O=University of Virginia/OU=UVA Standard PKI User/ E=sp2kn@virginia.edu/CN=Sang-Min Park write/ WORKING_DIR read/WORKING_DIR execution/WORKING_DIR\\bin socket/cs.virginia.edu

15 15 Policy Resolution Granting the least amount of privileges Both job property given from VO and site policy describes multiple fine-grained permissions Least amount of privilege Intersection of permission sets “and” relation for logical permission Intersection of file path resolution C:\ C:\VO1 C:\VO1 C: \VO1 C:\VO1\Matlab C:\VO1\Matlab Yes C:\Temp No No No No … Yes … …

16 16 Evaluation Quantitative Evaluation Run hello-world application Measure time to execute binary in resource Overhead due to Job Property Authorization Policy Resolution Time CLR Sandbox Configuration Time Compares with Baseline case Choose sufficiently large amount of entries in Job Property and Site policy

17 17 Evaluation 100 $VOBasePath NO No NO No Yes No Yes No Yes No Site Policy in Evaluation

18 18 Evaluation Job Property Document in Evaluation read/VO_APPLICATIONS_PATH read/VO_LIBRARY_PATH read/VO_SHARED_PATH read/VO_TMP_PATH read/VO_UTILS_PATH read/VO_BIN_PATH read/DEFAULT_WORKING_DIR write/DEFAULT_WORKING_DIR write/VO_SHARED_PATH write/VO_TMP_PATH socket execution registry db_connection call_unmanaged_code environment_var

19 19 Evaluation Base line-No auth. (ms) Job Property Authorization (ms) GRAM.NET 62.276.7 CLR Creation Time 619.0650.8 Policy Resolution Time 43.1 Sandbox configuration time 176.6 Logging 19.45.9 Total 700.6953.1 253 ms overhead due to Job-Property Authorization

20 20 Evaluation Interpretation of result Majority time is CLR creation (≈ 600 ms) CLR pooling might be helpful CLR sandbox configuration time is also long (≈200 ms) Less than 1 second for invoking remote process within a site with Job Property Authorization

21 21 Conclusions Job Property Authorization: authorization per Job is more secure than authorization per identity Implemented the Job Property Authorization prototype using the CAS, SAML, and.NET CLR Overhead due to Job Property Authorization is not very significant for most GRID applications

22 22 Future works The mechanism by which the VO determines the behavior and property of the job that its members run Predefined and limited set of application By recording and collecting the Vo-wide job execution history? Language Framework for general-purpose Job Property Specification Neutral to enforcement mechanisms Binding to enforcement mechanisms with varying degree of fine-granularity

23 23 Thank you! Questions ?

Download ppt "Policy Resolution and Enforcement of Privileges in a Grid Authorization System Based on Job Properties Sang-Min Park, Glenn Wasson, and Marty Humphrey."

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
The Community Authorization Service: Status and Future Ian Foster 1,2, Carl Kesselman 3, Laura Pearlman 3, Steven Tuecke 1, Von Welch 2 1 Argonne National.

The Community Authorization Service: Status and Future Ian Foster 1,2, Carl Kesselman 3, Laura Pearlman 3, Steven Tuecke 1, Von Welch 2 1 Argonne National.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
FP7-INFRA-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.

FP7-INFRA Enabling Grids for E-sciencE EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Code Access Security vs. Role-Based Security  RBS  Security identity attached to user accounts  Access to resources specified according to user’s group.

Code Access Security vs. Role-Based Security  RBS  Security identity attached to user accounts  Access to resources specified according to user’s group.
Globus Computing Infrustructure Software Globus Toolkit 11-2.

Globus Computing Infrustructure Software Globus Toolkit 11-2.
Minerva Infrastructure Meeting – October 04, 2011.

Minerva Infrastructure Meeting – October 04, 2011.
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.

Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
.NET, and Service Gateways Group members: Andre Tran, Priyanka Gangishetty, Irena Mao, Wileen Chiu.

.NET, and Service Gateways Group members: Andre Tran, Priyanka Gangishetty, Irena Mao, Wileen Chiu.
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
Digital Object Architecture

Digital Object Architecture

Similar presentations

Ads by Google