Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org AuthZ Interop: A common XACML Profile and its current implementation Oscar Koeroo.

Published byOswald Glenn Modified over 8 years ago

Similar presentations

Presentation on theme: "INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org AuthZ Interop: A common XACML Profile and its current implementation Oscar Koeroo."— Presentation transcript:

1 INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org AuthZ Interop: A common XACML Profile and its current implementation Oscar Koeroo

2 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 2 Subject attributes

3 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 3 Overview of Subject attributes (0) Subject-id –Type: string –Example:  /O=dutchgrid/O=users/O=nikhef/CN=Oscar Koeroo Subject-issuer –Type: string –Example:  /C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth Subject-serial-number –Type: integer –Example:  42

4 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 4 Overview of Subject attributes (1) Subject-vo –Type: string –Example:  gin.ggf.org Voms-signing-subject –Type: string –Example:  /O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl Voms-signing-issuer –Type: integer –Example:  /C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth Voms-dns-port –Type: string –Example:  kuiken.nikhef.nl:15050

5 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 5 Overview of Subject attributes (2) Voms-fqan –Type: string –Example:  /gin.ggf.org/APAC/Role=VO-Admin Voms-primary-fqan –Type: integer –Example:  /gin.ggf.org/APAC/Role=VO-Admin

6 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 6 Overview of Subject attributes (3) CA-serial-number –Type: integer –Example:  1 Cert-policy-oid –Type: string –Example:  1.2.840.113612.5.2.4

7 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 7 Overview of Subject attributes (4) Cert-chain (experimental) –Type: string –Example:  MIICbjCCAVagAwIBAgICBNgwDQYJKoZIhvcNAQEEBQAwTDES MBAGA1UEChMJZHV0Y2hncmlkMQ4wDAYDVQQKEwV1c2Vycz EPMA0GA1UEChMGbmlraG…(base64)

8 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 8 Obligations

9 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 9 Obligations (0) UIDGID  UID (integer): Unix User ID local to the PEP  GID (integer): Unix Group ID local to the PEP –Stakeholder: Common –Must be consistent with: Username Username  Username (string): Unix username or account name local to the PEP. –Stakeholder: VO Services Project –Must be consistent with: UIDGID SecondaryGIDs –Complex type solution  ListOfGIDs (list of integer): List of secondary Unix Group ID (GID) local to the PEP. Each UID is of type Integer –Multi recurrence  GID (integer): Unix Group ID local to the PEP –Stakeholder: EGEE –Needs obligation(s): UIDGID

10 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 10 Obligations (1) AFSToken  AFSToken (string) in base64: AFS Token passed as a string –Stakeholder: EGEE –Needs obligation(s): UIDGID

11 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 11 Obligations (2) RootAndHomePaths  RootPath (string): this parameter defines a sub-tree of the whole file system available at the PEP. The PEP should mount this sub-tree as the “root” mount point (‘/’) of the execution environment. This is an absolute path.  HomePath (string): this parameter defines the path to home areas of the user accessing the PEP. This is a path relative to RootPath. –Stakeholder: VO Services Project –Needs obligation(s): UIDGID or Username StorageAccessPriority  Priority (integer): an integer number that defines the priority to access storage resources. –Stakeholder: VO Services Project –Needs obligation(s): UIDGID or Username

12 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 12 The implementation

13 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 13 It works! Code snippets forwarded to Joe –Creation/add/free of an Obligation structure

14 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 14 Still open to C Still open for discussion on the C implementation: –Request send out to be able to handle the SSL/TLS plumbing our selves  Joe is investigating –Propagation of the understood Obligations from the PEP to the PDP and interacting with that content

15 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 15 Stuff we don’t have time for The relationship between: 1.the SSL client peer identity 2.SAML assertion Sender Receiver 3.SAML-XACML Requester / Responder 4.XACML attributes –(not for this discussion) multiple XACML Name spaces for the attributes and identifiers in all sections –We may use the registered OID of Nikhef JRA3 Security  urn:OID:1.3.6.1.4.1.10434.3.40212:

16 Enabling Grids for E-sciencE INFSO-RI-031688 To change: View -> Header and Footer 16 ?

Download ppt "INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org AuthZ Interop: A common XACML Profile and its current implementation Oscar Koeroo."

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
May 11, 20091/17 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting May 11, 2009 Gabriele Garzoglio.

May 11, 20091/17 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting May 11, 2009 Gabriele Garzoglio.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org GRID sites connectivity database design Anthony Teslyuk, RRC KI JRA4, SA2 Meeting 4 th EGEE.

INFSO-RI Enabling Grids for E-sciencE GRID sites connectivity database design Anthony Teslyuk, RRC KI JRA4, SA2 Meeting 4 th EGEE.
Jan 10, 20091/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Jan 10, 2009 Gabriele Garzoglio.

Jan 10, 20091/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Jan 10, 2009 Gabriele Garzoglio.
March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability.

March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/18 Status of the Adoption of a SAML-XACML Profile.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/18 Status of the Adoption of a SAML-XACML Profile.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.

Similar presentations

Ads by Google