1 / 17

Policy-Based Dynamic Negotiation for Grid Services Authorization

Policy-Based Dynamic Negotiation for Grid Services Authorization. Ionut Constandache, Daniel Olmedilla , Wolfgang Nejdl Semantic Web Policy Workshop, ISWC’05 Galway, Ireland, 7 th November 2005. Motivating Scenario (I) Grid Limitations. Policy-Driven Negotiation (I) Characteristics.

teressat
Download Presentation

Policy-Based Dynamic Negotiation for Grid Services Authorization

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Policy-Based Dynamic Negotiationfor Grid Services Authorization Ionut Constandache, Daniel Olmedilla, Wolfgang Nejdl Semantic Web Policy Workshop, ISWC’05 Galway, Ireland, 7th November 2005

  2. Motivating Scenario (I)Grid Limitations Semantic Web Policy Workshop

  3. Policy-Driven Negotiation (I)Characteristics • Both client and servers are semantically annotated with policies • Annotations • specify constraints and capabilities • access control requirements • which certificates must be presented to gain access to it • who is responsible for obtaining and presenting these certificates • are used during a negotiation • to reason about and to communicate the need to see certain credentials from the other party • to determine whether requested credentials can be obtained and revealed. • User involvement is drastically reduced in favor of automated interactions. Semantic Web Policy Workshop

  4. Step 1: Alice requests a service from Bob Step 2: Bob discloses his policy for the service Step 3: Alice discloses her policy for VISA Step 4: Bob discloses his BBB credential Step 5: Alice discloses her VISA card credential Step 6: Bob grants access to the service Service Policy-Driven Negotiation (& II)Example: Security & Privacy Alice Bob Semantic Web Policy Workshop

  5. Policy-Driven Negotiation on the Grid (I)Example scenario The delegated certificate is used to retrieve the requested certificates With only one certificate to access the online repository Server informs the client about its access control policy Semantic Web Policy Workshop

  6. Policy-Driven Negotiation on the Grid (II) Enhanced Characteristics • Distributed authorization mechanisms • Driven by policies, not hardcoded • Bilateral policy specification • Access is negotiated • Dynamic credential fetching • Now possible to use discovery and scheduling services to locate the best available resources • Otherwise, impossible to predict before hand what exact service instances would be used and which certificates required • Capability based authorization architecture • Instead of identity based • No previous trust relationships required • Monitoring and explanation of authorization decision Semantic Web Policy Workshop

  7. Policy-Driven Negotiation on the Grid (III) Implementation on Globus Toolkit 4.0 • Directed integrated with the grid services paradigm • Extension to GSI pluggable to any GT4.0 compliant grid service or client • Only requirement: Java based grid services • We use: • Custom PDP as part of the Client Call Interceptor • Redirects to a negotiation if required • Asynchronous negotiations are achieved through WS-Base Notification and WS-Topics • CAS integration into negotiations • API for easy integration within client code Semantic Web Policy Workshop

  8. Policy-Driven Negotiation on the Grid (& IV) Architecture • Service wsdl file<wsdl:import namespace=“http://linux.egov.pub.ro/ionut/TrustNegotiationwsdl” location=“TrustNegotiationwsdl”/> • Service Deployment Descriptor<parameter name=“providers” value=“SubscribeProvider GetCurrentMessageProvider g4mfs.impl.gridpeertrust.net.server.TrustNegotiationProvider”/><parameter name=“securityDescriptor” value=“share/schema/gt4ide/MathService/mysec.xml”/> Semantic Web Policy Workshop

  9. Conclusions & Future Work (I)Conclusions • Main Features • Self-describing resources for access requirements • Based on properties • Dynamic negotiation for service authorization • Automatic credential fetching • Implementation in Java • Extension of GSI in GT4.0 • Backwards compatible Semantic Web Policy Workshop

  10. Conclusions & Future Work (& II)Further Work • Study performance impact of negotiations • And approaches to minimize the extra load • Limit number of iterations • E.g. 2 steps negotiations • Advertise policies before the service is invoked • Improve credential repositories • Integration of TN in MyProxy • Investigate the use of XACML • Delegation not yet supported but planned • Use of traceable negotiations • E.g. monitoring or accounting Semantic Web Policy Workshop

  11. Thanks! Questions? olmedilla@l3s.de - http://www.l3s.de/~olmedilla/ Semantic Web Policy Workshop

  12. Implementation in GT4Easy Integration with Current Grid Services • Service - include one jar file containing the policy based trust negotiation engine - minor add-ons to the service wsdl file (import one wsdl file and extend one port type) and wsdd file (add one more provider and install a security descriptor) - have a resource (if not available) - re-deploy the service • Client - use one jar file containing the policy based trust negotiation engine - invoke the service as usual / or call directly for a trust negotiation process - look for authorization exceptions and if one triggered by trust negotiation failure make simple calls to the negotiation engine Semantic Web Policy Workshop

  13. Integration into Globus Toolkit 4.0 (I)Grid Service Descriptor • Descriptors: - grid service descriptor (wsdl file): <wsdl:import namespace="http://.../TrustNegotiation.wsdl" location="TrustNegotiation.wsdl"/> <portType name=”GridService” wsdlpp:extends= "... wsntw:NotificationProducer wstn:TrustNegotiation ... "> TrustNegotiation.wsdl - defines the data types and functions for exchanging trust negotiation messages The grid service should extend the NotificationProducer port type (used for asynchronous communication with the client) and the TrustNegotiation port type(used for exposing the functions used by the client to push proofs/requirements to the grid service). Semantic Web Policy Workshop

  14. Integration into Globus Toolkit 4.0 (II)Grid Service Deployment Descriptor • Descriptors: - grid service deployment descriptor (wsdd file): <parameter name="providers" value="SubscribeProvider GetCurrentMessageProvider TrustNegotiationProvider"/> Rely on GT4.0 providers for notification usage and use a TrustNegotiationProvider implementing the logic for policy based dynamic negotiation <parameter name="securityDescriptor" value="./.../mysec.xml"/> Install a security descriptor specifying the use of a PDP for filtering client calls/managing authorization information. Semantic Web Policy Workshop

  15. Integration into Globus Toolkit 4.0 (& III)Requirements • Resource: - the grid service should use a resource implementing TopicListAccessor - a topic would be added by TrustNegotiationProvider for trust negotiation (using this topic the service pushes proofs/requirements on the client side) Semantic Web Policy Workshop

  16. Client Service Semantic Web Policy Workshop

  17. Exposes a topic like TrustNegotiationTopic for asynchronous communication with the client. Notify the client when his requests are fulfilled or further requirements are imposed by the service Factory Service Resource Client Have the instance service extend the standard port types Subscribe and GetMessage (used by notifications) and a port type which we provide TrustNegotiationProvider which is going to expose 2 operations getNegotiationTopic() and trustNegotiation(). Receive through them the client requests and proofs with regard to service authorization Instance Service PDP specified in the Instance service descriptor that intercepts operation calls. It checks if operation invoked is authorized. Operations getNegotiationTopic() and trustNegotiate() are permitted by default and all the other operations are denied unless a trust negotiation process has succeeded. 9. Notify the client about service policies and further requirements 7. Register with TrustNegotiation Topic for notifications 2. Creates the resource 1. Requests create resource 5. Catch the exception 10. Operation executed on resource if the trust negotiation process was successful 3. Operation called on the resource 4. Client is not authorized to make the call throw an exception. 6. Client call getNegotiationTopic() receive the QName of the negotiation topic. 8. Client call trustNegotiation() operation for sending client policies and proofs Semantic Web Policy Workshop

More Related