1 / 36

Grid Research on Authorization

Grid Research on Authorization. Jong Kim HPC Lab at POSTECH. Contents. Grid Security Grid Security Challenges Grid Security Requirements Current Status of Grid Security Grid Security Infrastructure (GSI) OGSA Web Services Security Fine-grained Authorization in Dynamic VO

kgrider
Download Presentation

Grid Research on Authorization

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Grid Research on Authorization Jong Kim HPC Lab at POSTECH

  2. Contents • Grid Security • Grid Security Challenges • Grid Security Requirements • Current Status of Grid Security • Grid Security Infrastructure (GSI) • OGSA • Web Services Security • Fine-grained Authorization in Dynamic VO • Fine-grained Authorization • Workflow-based Authorization Services • Ticket-based Authorization Services • Summary

  3. Grid Security • Grid Computing • Distributed computing infrastructure with a plenty of resources which are heterogeneous and scattered geographically • A controlled and coordinated resource sharing and resource use in dynamic, scalable, and distributed virtual organizations (VOs) • What is Grid Security ? • Security architecture to enable dynamic, scalable, and distributed VOs • Authentication, Delegation, Authorization, Confidentiality, Privacy, …

  4. Dynamic VO in the Grid • Virtual organizations (VOs) are collections of diverse and distributed individuals that seek to share and use diverse resources in a coordinated fashion. • Users can join into several VOs, while resource providers also partition their resources to several VOs. Bio VO Chemical VO

  5. Grid Security Challenges Bio VO Chemical VO • Dynamic VO establishment • A VO is organized for some goal and disorganized after the goal is achieved. • Users can join into or leave VOs. • Resource providers can join into or leave VOs.

  6. Grid Security Challenges • Dynamic policy management • Resource providers dynamically change their resources policies. • VO managers manage VO users’ rights dynamically. Bio VO Chemical VO

  7. Grid Security Challenges • Interoperability with different host environments • Security services for diverse domains and hosting environments should interact with each other. • At the protocol level, messages can be exchanged. • At the policy level, each entity can specify its policy and the policy can be mutually comprehensive. • At the identity level, a user can be identified from one domain in another domain.

  8. Grid Security Challenges • Integration with existing systems and technologies • It is unrealistic to use a single security technology to address Grid security issues. • Existing security infrastructures cannot be replaced. • Thus, a Grid security architecture must be • Implementation agnostic, • Extensible, and • Integratable.

  9. Grid Security Requirements • Authentication • Entities are provided with plug points for multiple authentication mechanisms. • Delegation • Users can delegate their access rights to services. • Delegation policies also can be specified. • Single Logon • An entity is allowed to have continuous access rights for some reasonable period with single authentication.

  10. Grid Security Requirements • Credential Lifespan and Renewal • A job initiated by a user may take longer than the life time of the user’s initial credential. • In such case, the user needs to be notified prior to expiration of the credential, or be able to refresh it automatically. • Authorization • Resources are used under a certain authorization policies. • A service provider can specify its own authorization policy, with which users can invoke those policies.

  11. Grid Security Requirements • Confidentiality • The confidentiality of the communication mechanism and messages or documents is supported. • Message Integrity • It is ensured that unauthorized changes of messages or documents may be detected. • Privacy • A service requester and a service provider enforce privacy policies. • Other requirements • Policy exchange, secure logging, manageability, …

  12. Contents • Grid Security • Grid Security Challenges • Grid Security Requirements • Current Status of Grid Security • Grid Security Infrastructure (GSI) • OGSA • Web Services Security • Fine-grained Authorization in Dynamic VO • Fine-grained Authorization • Workflow-based Authorization Services • Ticket-based Authorization Services • Summary

  13. Grid Security Infrastructure (GSI) • The fundamental security services in the Globus Toolkit • Based on standard PKI technologies • SSL protocol for authentication, message protection • One-way, light-weight trust relationships by CAs • X.509 Certificates for asserting identity • For users, services, hosts, etc • Grid identity • A user is mapped to local identities using the distinguished name of the user’s certificate.

  14. Grid Security Infrastructure (GSI) • X.509 Proxy Certificates • Enables single sign-on. • Allows users to delegate their identities and rights to services. • Community Authorization Service (CAS) • Enables fine-grained authorization policy. • Resource providers set course-grained policy rules for foreign domain on CAS-identity. • CAS sets policy rules for its local users. • Requestors obtain capabilities from their local CAS.

  15. Grid Security Infrastructure (GSI)

  16. Open Grid Services Architecture (OGSA) • A Grid system architecture • Based on Web services and technologies • An open source collection of Grid services that follow OGSA principles are offered by the Globus project since GT3.0. • WS-Resource Framework (WSRF) • A set of Web service specifications being developed by the OASIS organization • Describing how to implement OGSA capabilities using Web services • Standardization • Underway in the Global Grid Forum (GGF) and OASIS • Many working groups on Grid security, such as OGSA Security, GSI, Authorization Frameworks and Mechanisms (AuthZ), Certificate Authority Operations (CAOPS), Grid Certificate Policy (GCP), and OGSA Authorization (OGSA-Authz)

  17. Security in a Web Services World • The Web services security roadmap provides a layered approach to address Web services. • The OGSA security models needs to be consistent with Web services security model.

  18. Contents • Grid Security • Grid Security Challenges • Grid Security Requirements • Current Status of Grid Security • Grid Security Infrastructure (GSI) • OGSA • Web Services Security • Fine-grained Authorization in Dynamic VO • Fine-grained Authorization • Workflow-based Authorization Services • Ticket-based Authorization Services • Summary

  19. Fine-grained Authorization Service • Motivations • Resource providers want their resources to be used by only VO members under their local polices. • VO managers specify user access rights. • A user delegates his or her rights to the job to run. • Requirements • Combining polices from different sources • Fine-grained resource control • VO-based management of jobs and resources Provide a portion of their resources Specify user’s access rights Delegate the user’srights User VO Resource Providers Run the job under the restricted rights Job

  20. Proposed Fine-grained Authorization Services Architecture • Workflow-based Authorization Services (WAS) • A workflow is defined as possible sequences of requested rights of a user job. • The workflow is auto-generated from the source code of the job. • The job is executed and authorized in accordance with the specified workflow. • Ticket-based Authorization Services (TAS) • A ticket is defined as an assertion of delegated rights from a VO entity. • Resource ticket : resource provider’s local policy • Attribute ticket : VO manager’s policy on user • User ticket : user’s delegated rights to a job • Resource providers permit a job to user their resources under the specified rights on the submitted tickets.

  21. WAS : Components Checks workflow’s justification. Signs the workflow. Creates the task’s workflow. Requests signed workflow. Loads workflow. Handles task’s right request. Sends task’s info. to WAS_workflow. Delegates task with signed workflow. Checks workflow’s validation info. Sends workflow to WAS_client. Runs the task.

  22. WAS : Creating Workflow USER side WAS_SERVER side USER 1. Send source code, arguments, and executable WAS_WORKFLOW 2. Extract Workflow from source code and arguments 3. Get validation information 4. Make Workflow file RESOURCE side

  23. WAS : Authenticating Workflow 2. Load user’s policy 4. Check Workflow with policy 5. Sign Workflow with was_server’s key USER side 1. Mutual authentication WAS_REQUEST WAS_SERVER 3. Send Workflow 6. Send signed Workflow 0. Invoke WAS_SERVER side WAS_WORKFLOW 7. Create RSL Executable : <gram:executable> Arguments : <gram:arguments> Environments : <gram:environment> FileStageIn : <gram:fileStageIn> RESOURCE side

  24. WAS : Delegating a task with Workflow USER side WAS_SERVER side USER 1. Run 2. Mutual authentication Managed-job-globusrun MasterForkManagedJobFactoryService 4. Send information(RSL) ManagedJobService 5. Require Workflow and task JobManager 6. Send Workflow and task RESOURCE side

  25. WAS : Verifying Workflow WAS Overview USER side WAS_SERVER side Job_manager 4. Check signature of Workflow 5. Check subject name of Workflow 6. Check task_id of Workflow 7. Check valid period of Workflow 1. Get rsl’s information(workflow_location, executable) 2. Add unique job id to environment 3. Invoke WAS_VERIFIER WAS_VERIFIER RESOURCE side

  26. WAS : Running the Task WAS Overview USER side WAS_SERVER side WAS_VERIFIER Job_manager 1. Run 1. Send Workflow TASK WAS_CLIENT 3. Require function call 2. Analyze Workflow 5. Check the right with Workflow 4. Intercept function call 6. If match, provide that function call OS globus_gass_open library RESOURCE side

  27. TAS : Components R A R U R R R R Bio VO Manager A Chemical VO Manager A A A A R R R R R R A U Bio VO Chemical VO R :ResourceTicket R :ResourceTicket A :AttributeTicket A :AttributeTicket : Resource : Resource U :UserTicket U :UserTicket : User : User Site C Site A Site B Site D : Agent

  28. TAS : Tickets • A ticket is an XML record asserting that the issuer specifies a policy. • A resource provider notifies the resource usage policy. • A VO manager issues VO users’ attributes. • A user delegates his or her rights to the submitted job. • Each ticket is signed by the private key of the issuer to protect the integrity of the ticket. • Tickets are unforgeable and exchangeable among VO entities for resource control. • Tickets are classified into • resource ticket, • attribute ticket, • user ticket, and • job ticket.

  29. TAS : Resource Ticket • Issued by a resource provider • Describing the provider’s local policy for a VO • Fields • Id : a unique identifier of the ticket • Issuer : the resource provider’s name • VOName : the VO name • ValidTime: the ticket’s lifetime • UseTime: a guaranteed usable time of the ticket • ServiceType : the Grid service endpoint • Condition : the resource provider’s policy for the VO • Attaching XML signature of the resource provider <ResourceTicket id> </ResourceTicket> <Issuer>Resource Name</Issuer> <VOName>VO</VOName> <ValidTime/> <UseTime/> <ServiceType> <wsdl:service name/> <condition/> </ServiceType> </ds:Signature>

  30. TAS : Attribute Ticket • Issued by a VO manager • Describing the VO manager’s policy for users in the VO • Fields • Id : a unique identifier of the ticket • Issuer : the VO manager’s name • UserName : the user’s name • ValidTime: the ticket’s life time • UseTime: a guaranteed usable time of the ticket • Service : the Grid service name • Condition : the VO manager’s policy for the user • Attaching XML signature of the VO manager <AttributeTicket id> </AttributeTicket> <Issuer>VO Name</Issuer> <UserName>User</UserName> <ValidTime/> <UseTime/> <ServiceType> <wsdl:service name/> <condition/> </ServiceType> </ds:Signature>

  31. TAS : User Ticket <Issuer>User</Issuer> <ImportedTicket id/> • Issued by a user • Describing the necessary rights to run a job • Fields • Id : a unique identifier of the ticket • Issuer : the user’s name • UseTime: a guaranteed usable time of the ticket • ImportedTicket : referencing the resource tickets and the attribute ticket • Service : the Grid service’s name • Condition : the user’s policy for the job • Attaching XML signature of the user <UserTicket id> </UserTicket> <UseTime/> <ServiceType> <wsdl:service name/> <condition/> </ServiceType> </ds:Signature>

  32. TAS : Job Ticket <Job Ticket> </Job Ticket> <ResourceTicket/> <AttributeTicket/> <UserTicket/> • Generated by a user in order to request the rights • Including necessary tickets for a job • Imported ticket field in the user ticket indicates other tickets. <ResourceTicket id> ...... </ResourceTicket> <AttributeTicket id> …… </AttributeTicket> <UserTicket id> …… </UserTicket> <Issuer>Resource Name</Issuer> <Issuer>VO Name</Issuer> <Issuer>User</Issuer> <VOName>VO</VOName> <UserName>User</UserName> <ImportedTicket id/> </ds:Signature> </ds:Signature> </ds:Signature>

  33. TAS : Supported Grid Services • Dynamic VO Management • A VO is easily managed by sharing resource and attribute tickets. • VO policies can be changed by re-issuing the corresponding tickets. • Fine-grained Rights Delegation • Resource providers and VO managers delegate a set of permitted rights to users. • A user also delegates his or her rights to the job using the user ticket.

  34. TAS : Supported Grid Services • Fine-grained Job Authorization • The resource provider verifies the job ticket. • Signature verification : All the imported tickets are sure to be specified in the job ticket and not be altered. • Content verification : Requested rights are within the bounds of those in the resource tickets, the attribute ticket, and the user ticket. • After signature and content verifications, the resource provider grants the requested rights to the user’s job. • Guaranteeing Resource Availability • While the user’s job is running, the resource provider does not issue a new resource ticket for the used service any more. • After the valid time of the used resource ticket, other users cannot acquire the currently used resource. • The user’s job is guaranteed to use the resource for the UseTime period.

  35. Summary • Grid Security • Needs to solve many security issues to provide dynamic, scalable VOs in Grid computing environment. • Hard problem due to diversity, interoperability, integration, … • Fine-grained Authorization Services • As a Grid security service, it provides VO-wide fine-grained authorization of jobs and resources. • Our research provided two fine-grained authorization services. • Workflow-based Authorization Services • Ticket-based Authorization Services

  36. References • F. Siebenlist, V. Welch, “Grid Security : The Globus Perspective,” GlobusWORLD 2004, http://www.globus.org/ • V. Welch, F. Siebenlist, I. Foster, J. Bresnahan, K. Czajkowski, J. Gawor, C. Kesselman, S. Meder, L. Pearlman, S. Tuecke, “Security for Grid Services,” HPDC-12, June 2003. • N. Nagaratnam, P. Janson, J. Dayka, A. Nadalin, F. Siebenlist, V. Welch, I. Foster, S. Tuecke, “The Security Architecture for Open Grid Services,” OGSA-SEC-WG document, GGF. • S. H. Kim, J. Kim, S. J. Hong, S. W. Kim, "Workflow based Authorization Service in Grid", 4th International workshop on Grid Computing (Grid 2003), pp 94-100, Novebmer 2003. • S. H. Kim, K. H. Kim, J. Kim, S. J. Hong, S. W. Kim, “Workflow-based Authorization Service in the Grid”, Journal of Grid Computing, vol. 2, no. 1, pp. 43-55, 2004. • B. J. Kim, S. J. Hong, J. Kim, "Ticket-Based Fine-Grained Authorization Service in the Dynamic VO Environment," ACM Workshop on Secure Web Services, October 2004. • B. J. Kim, K. H. Kim, S. J. Hong, J. Kim, "Ticket-based Grid Services Architecture for Dynamic Virtual Organizations,“ LNCS 3470 (Advances in Grid Computing: EGC 2005), pp. 394-403, 2005.

More Related