Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview.

Published byDominic Thornton Modified over 9 years ago

Similar presentations

Presentation on theme: "EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview."— Presentation transcript:

1 EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview Chad La Joie, SWITCH EGEE '08, Istanbul, Turkey

2 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 2 Agenda Service Components Component Interactions

3 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 3 Service Components Policy Administration Point (PAP) –The repository for store, curating, and composing policies Policy Decision Point (PDP) –Given a request, evaluate the appropriate policy, retrieve execution environment, and return result Policy Enforcement Point (PEP) –Makes request to PDP, may operate on execution environment data Execution Environment Service (EES) –Given a request, an effective policy, and a decision it determines the appropriate execution environment

4 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 4 Service Components

5 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 5 Component Interactions: PAP/PAP A PAP may mark policies as private or public In order to compose policies a PAP may pull in public policies from other PAPs –Uses the SAML 2 profile for XACML 2 to make the request –Policies may be combined in multiple ways  local policy overrides, deny overrides, permit overrides, etc. PAPs do not attempt to filter the effective policy set based on information within an authorization request –It is possible that this may lead to performance issues. The spec details how to do filtering but it is complex and will not be implemented until a need is determined. XACML is a complex language and difficult to author –A simplified policy language will be available for use with the PAP CLI and then compiled down in to XACML

6 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 6 Component Interaction: PDP/PAP PDP uses the same protocol for policy queries as in the PAP/PAP interaction The PAP serves a “close” cache for the effective policy It is expected that a PDP will be deployed with a PAP –Doing otherwise introduces latency Especially complex policies may result in long response times –For the policies currently under discussion this is not an issue

7 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 7 Component Interaction: PDP/PEP PEP uses same XACML/SAML protocol to make authorization decision requests PDPs are stateless and so any number may be deployed to ensure scalability and failure resistance PEPs can be configured with any of PDPs and will try each in turn if one does not respond It is expected that a PDP will be deployed within the same site as PEP-enabled software –Doing otherwise will increase latency Some situations could result in a significant number of identical authorization requests being made –PEP could batch the requests if it was aware of this - this moves the burden to the PDP –PEP could cache the result of requests – difficult to implement

8 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 8 Component Interaction: PDP/EES PDP uses the same XACML/SAML protocol to contact the EES. EES has access to all original request, policy, and decision information.

9 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 9 Component Interaction: PEP PEP contains two types of plugins –Information points – gather information about the resource, environment, user, and action –Obligation handler – deals with obligations sent back by the EES PEP will actually be made up of two components: –A daemon that does all the communication with the PDP –A thin client with no required dependencies that talks to the daemon using a binary protocol (Hessian) over HTTP This model has the following benefits –No chance that the PEP conflicts with worker-node/job software –PEP daemon can keep persistent SSL connections to the PDP thus minimized latency caused by connection startup/shutdown –PEP does not need to be re-initialized for every request made –Makes writing a PEP in other languages trivial

Download ppt "EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview."

Similar presentations

New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Regional Operations Dashboard Workplan Cyril.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Regional Operations Dashboard Workplan Cyril.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.

XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.

XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Introduction to R-GMA: Relational Grid Monitoring Architecture.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Introduction to R-GMA: Relational Grid Monitoring Architecture.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks What GGUS can do for you JRA1 All hands.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks What GGUS can do for you JRA1 All hands.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Elisa Bertino Purdue University Pag. 1 Security of Distributed Systems Part II Elisa Bertino CERIAS and CS &ECE Departments Purdue University.

Elisa Bertino Purdue University Pag. 1 Security of Distributed Systems Part II Elisa Bertino CERIAS and CS &ECE Departments Purdue University.
11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.

11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Middleware Deployment and Support in EGEE.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Middleware Deployment and Support in EGEE.

Similar presentations

Ads by Google