DyVOSE Project: Experiences in Applying Advanced Authorisation Infrastructures - PowerPoint PPT Presentation
DyVOSE Project: Experiences in Applying Advanced Authorisation Infrastructures

John Watt ( [email protected] )

Richard Sinnott ( [email protected] )

University of Glasgow, Scotland, UK

Authorisation Infrastructures

Dynamic Virtual Organisations in e-Science Education


“Investigating the establishment of scalable Virtual Organisations in an e-Science education domain.”

2 year JISC-funded project (May ’04 – July ’06)

In partnership with University of Kent (and EDINA)

Project Goals (Glasgow)

  • Creation of a permanent Grid Computing Module (GC5) as an option within the Advanced MSc. postgraduate course in Glasgow’s Computing Science department

  • Provide a lasting lab infrastructure to support practical Grid Computing lab sessions

  • Investigate technologies that enable Grid Services to be protected with advanced authorisation infrastructures which the students can deploy as part of an assignment

Course Details

  • Single term course of 20 lectures and 10 tutorials (Jan-Mar)

    • 1st year (’04-’05) – 19 students

    • 2nd year (’05-’06) – 16 students

  • Three short essay/programming assessments

  • Final Exam in June (answer 3 questions of 5)

  • Month-long Programming Assignment

    • This assignment forms the core of the DyVOSE authorisation investigations

Assignment

  • In both years the assignment took the following form:

    • Students are split into two teams

    • Write a Grid Service (and a client) in GT3.3 to perform some task

    • Write a scheduler that will split a large job into many sub-jobs and submit to the local Condor pool

    • Protect the Grid Service so that some functions are only available to students who are in the same team

      • For both years, students used PERMIS to protect their Grid Services…

Assignment

  • Year 1

    • Investigate STATIC privilege management

      • Roles are issued by a local Source of Authority (SoA) stored in a local LDAP for access to a local service only

  • Year 2

    • Investigate DYNAMIC privilege management

      • Roles are issued by a local SoA stored in a local LDAP for accessing local AND REMOTE services

      • But roles required for access to the REMOTE service are not recognised within the local infrastructure

      • REMOTE SoA DELEGATES the right to assign these REMOTE roles to the LOCAL SoA (they form a VO!)

        • Will prove that this can be done SECURELY and EASILY (from a user perspective) with PERMIS…

  • Generic Java API for Role Based Access Control (RBAC) Authorisation Infrastructures

  • Provides method-level protection to applications and Web Services

  • Protects Grid Services through GGF-standardised SAML Authz API

  • Roles are issued in the form of X.509 Attribute Certificates (ACs)



Generic Authorisation

  • A generic framework for authorisation is defined in ITU-T X.812 / ISO 10181-3, the Access Control Framework

PERMIS with GGF Authz API

  • PERMIS deployed in Grid Service container

  • WSDD file contains policy location, LDAP server details and trust info

  • GSI provides user DN, PERMIS retrieves ACs

PERMIS Components

  • XML Policy

    • Roles

      • and hierarchy

    • Targets

    • Actions

    • SOAs

    • DN Scope

    • Attribute Storelist

      • LDAPs

  • Policy Editor tool

    • syntax checks

PERMIS Components

  • Privilege Allocator or Attribute Certificate Manager (ACM)

  • Creates and signs X509 Attribute Certificates (ACs) and loads into LDAP

    • ACs contain digitally signed attributes (roles)

    • PERMIS API verifies PKI chain of trust (if more than unity length) on invocation

  • Fully supports a static PMI

    • One SoA, home roles only…

Year 1 Assignment

  • “Write a Grid service (and client) to parse the Complete Works of Shakespeare and offer a “Search” service to everyone, but a “Sort” service only to members of the same team. Split the job into sub-jobs and submit to the Condor pool.”

    • Support (as Sys Admins)

      • Create PKI (CA) and p12 certificates for Globus

      • Write a local XML policy to enforce the rules

      • Create LDAP entries and use the ACM to issue ACs to the students which contain their role

    • Students were given LDAP and PKI info to amend their PERMIS service

      • A tough assignment for four weeks. We got 2 completions and about 5 or 6 who were about 90% there.

      • We have since Shibboleth-enabled this service, check URL at end…
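The static PMI that the PERMIS Components slides and the Year 1 assignment describe, as an added Python model (not PERMIS's own code): a policy with SoAs, a DN scope, a role hierarchy and target/action rules, ACs as (holder, issuer, role) triples, and a decision function that grants "Search" to every student but "Sort" only to the owning team. All DNs, role names and target names are constructed; signature verification is reduced to an issuer-in-SoA-list check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AttributeCertificate:
    holder: str   # student's DN, as supplied by GSI at invocation time
    issuer: str   # DN of the SoA whose signature is on the AC
    role: str     # the signed attribute (role)

# Constructed policy: the same components the slide lists for the XML policy.
POLICY = {
    "soas": {"cn=SoA,o=Glasgow,c=UK"},      # trusted Sources of Authority
    "dn_scope": "o=Glasgow,c=UK",           # holders must sit under this DN
    # role hierarchy: a superior role inherits the privileges of its subordinates
    "hierarchy": {"GlaTeamN": {"Student"}, "GlaTeamP": {"Student"}},
    # target -> action -> roles allowed to perform it
    "rules": {
        "TeamN-Shakespeare": {"Search": {"Student"}, "Sort": {"GlaTeamN"}},
        "TeamP-Shakespeare": {"Search": {"Student"}, "Sort": {"GlaTeamP"}},
    },
}

def effective_roles(role, hierarchy):
    """Expand a role to itself plus everything beneath it in the hierarchy."""
    roles, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in roles:
            roles.add(r)
            todo.extend(hierarchy.get(r, ()))
    return roles

def valid_acs(acs, policy):
    """Keep ACs signed by a trusted SoA whose holder is inside the DN scope."""
    return [ac for ac in acs
            if ac.issuer in policy["soas"]
            and ac.holder.endswith("," + policy["dn_scope"])]

def decide(user_dn, acs, target, action, policy=POLICY):
    """Grant iff one of the user's valid roles is permitted for (target, action)."""
    roles = set()
    for ac in valid_acs(acs, policy):
        if ac.holder == user_dn:
            roles |= effective_roles(ac.role, policy["hierarchy"])
    allowed = policy["rules"].get(target, {}).get(action, set())
    return bool(roles & allowed)
```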

Year 2 Assignment

  • “Write a Grid Service and client which runs BLAST on a set of data extracted from a remote database and schedule into sub-jobs for submission to the Condor pool”

    • Student experience much the same as before implementation-wise (deploy PERMIS in container – point to our PMI details)

    • But the Support part requires a more sophisticated AC allocator application to handle external as well as local roles (among other properties)

      • Enter the Delegation Issuing Service (DIS)…

        • (and a slightly modified PERMIS too)

Delegation Issuing Service

  • No user key pair required to issue ACs

    • ‘dis’ user signs all ACs on behalf of the delegator

      • If a rogue employee is kicked out, any certificates they issued to trustworthy employees are still valid

        • Not the case with AC chains

  • DIS checks the local policy before signing

    • Only policy-valid ACs can ever be issued

      • With previous PERMIS tools it is possible to issue ANY AC with ANY role

  • Deployed as a web service utilising SOAP

    • Can be used anywhere by valid users

Delegation Issuing Service

  • Extensions to the PERMIS API allow for

    • Cross-certification

      • Allow ACs signed by a remote CA to be recognised

        • Currently done through an SoA policy extension

    • Role-mapping

      • Recognise the meaning of an external role

        • Currently done by equating the names of the roles in the local policies

          • Future tools will do this equality on the fly without having to alter local core policy

    • The above implement the features needed for Glasgow to issue Edinburgh roles within its PMI, in accordance with both sites' policies

DIS Implementation

  • Web Service

    • AXIS, Apache, Tomcat

    • Not too tricky

      • An afternoon

      • Docs fine for this part

  • Underlying PKI

    • OpenSSL

    • Quite complex

      • Had to be quite careful with compatibility of VO PKIs

      • Have written extension to manual detailing the steps required in full

Dynamic PMI Use Case

  • Student Assignment

    • Students were split into two teams

      • They were issued with Attribute Certificates which assigned them one of two roles (GlaTeamN and GlaTeamP)

    • Students implemented a BLAST Grid Service which queried an external database (hosted in Edinburgh) for gene data

      • Database was PERMIS protected so only members of the correct team got the right data (based on EdTeam roles)

    • Students PERMIS protected their service so only members of their own team could invoke the service

Dynamic PMI Use Case

PERMIS Policy Details

  • BLAST DATA Service (Edinburgh)

    • Send Nucleotide Data if User presents PERMIS Role “EdTeamN”

    • Send Protein Data if User presents PERMIS Role “EdTeamP”

  • BLAST Service (Glasgow)

    • Invoke BLASTN service if User presents PERMIS Role “GlaTeamN”

    • Invoke BLASTP service if User presents PERMIS Role “GlaTeamP”

Dynamic PMI Use Case

  • Dynamic Delegation

    • Edinburgh issues a Delegation Statement to the Glasgow SoA that allows them to assign the EDINBURGH PERMIS role ‘EdTeamN/P’

      • Done through Glasgow policy extension (RoleMapping)

    • Glasgow SoA delegates the responsibility to issue this role to user ‘ext’

      • Issues ‘ext’ an Attribute Certificate containing the Edinburgh roles with the delegation flag set

    • User ‘ext’ assigns the Edinburgh roles to Glasgow students

      • By issuing the Glasgow students Attribute Certificates

      • This user can be in the Glasgow infrastructure or can be the Edinburgh SoA (by logging into the Glasgow DIS) – both models can be supported (the former being the more direct)

    • Edinburgh Data Service searches both LDAP directories

      • Service finds User entries in Glasgow LDAP that contain the correct Edinburgh role – ACCESS GRANTED
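An added Python model (not the DIS or PERMIS code) of the Delegation Issuing Service slides and the dynamic delegation steps above: the DIS checks the Glasgow policy, including its RoleMapping extension, before signing as the 'dis' user on the delegator's behalf, and the Edinburgh data service searches both directories and accepts Edinburgh roles whose signer its cross-certification trusts. DNs, the signer name and the trust table are constructed assumptions; signatures are represented by a signer field rather than verified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AC:
    holder: str       # DN the role is granted to
    role: str
    delegator: str    # DN that authorised the issue (checked against policy)
    signer: str       # the DIS's own key signs every AC on the delegator's behalf
    can_delegate: bool = False   # delegation flag: holder may pass the role on

GLA_SOA, ED_SOA = "cn=SoA,o=Glasgow,c=UK", "cn=SoA,o=Edinburgh,c=UK"
GLA_DIS = "cn=dis,o=Glasgow,c=UK"   # constructed DN of the 'dis' signing user

# Constructed Glasgow policy: local roles plus a RoleMapping extension recording
# Edinburgh's delegation statement (Glasgow SoA may assign EdTeamN / EdTeamP).
GLA_POLICY = {"soa": GLA_SOA, "roles": {"GlaTeamN", "GlaTeamP"},
              "role_mapping": {"EdTeamN": ED_SOA, "EdTeamP": ED_SOA}}

class DIS:
    """Delegation Issuing Service: checks the local policy, then signs as 'dis'."""
    def __init__(self, policy, signer, ldap):
        self.policy, self.signer, self.ldap = policy, signer, ldap  # ldap: list standing in for LDAP

    def may_issue(self, delegator, role):
        p = self.policy
        if role not in p["roles"] and role not in p["role_mapping"]:
            return False                 # role unknown to the policy: never issuable
        if delegator == p["soa"]:
            return True
        # anyone else needs their own AC for that role with the delegation flag set
        return any(ac.holder == delegator and ac.role == role and ac.can_delegate
                   for ac in self.ldap)

    def issue(self, delegator, holder, role, can_delegate=False):
        if not self.may_issue(delegator, role):
            raise PermissionError(f"policy forbids {delegator} issuing {role}")
        ac = AC(holder, role, delegator, self.signer, can_delegate)
        self.ldap.append(ac)
        return ac

def revoke_user(ldap, dn):
    """Remove a departed user's own ACs; ACs they caused to be issued stay (signed by 'dis')."""
    ldap[:] = [ac for ac in ldap if ac.holder != dn]

# Constructed Edinburgh view: cross-certification trusts Glasgow's DIS signer for the
# delegated roles, and role names are equated directly (the slide's current approach).
ED_TRUST = {"EdTeamN": {ED_SOA, GLA_DIS}, "EdTeamP": {ED_SOA, GLA_DIS}}

def edinburgh_data_service(user_dn, role, directories, trust=ED_TRUST):
    """Search every VO directory; grant iff a trusted signer vouches for the role."""
    return any(ac.holder == user_dn and ac.role == role and ac.signer in trust.get(role, ())
               for ldap in directories for ac in ldap)
```

Because the DIS signs, removing user 'ext' from the directory ends ext's right to delegate further but leaves the students' ACs valid, which is the property the slides contrast with AC chains.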

Dynamic PMI Use Case

[Figure: two GT3.3 Containers, each hosting a PERMIS Service; caption fragment “You may…”]
In Practice

Summary

  • PERMIS simple to deploy for users

    • For sys admins, deployment is tricky, but use is easy

  • Dynamic Delegation of Authority can be secure and workable

    • Future tools (next year?) will optimise this process

  • User need not know of certificates!

    • Happier users

  • DyVOSE legacy

    • Third year of Grid module starting in Jan ’07

    • Permanent Grid Computing Laboratory in NeSC Glasgow

    • A set of tools which we are able to apply to many of our security projects now and in the future

  • Fancy doing the course next year?

    • http://www.dcs.gla.ac.uk/courses/MSc_ACS/