myGrid security

1
myGrid security

• AG meeting, 11 Jan 2005
• Nick Sharman

2
Agenda

• Requirements non-requirements
• Architectural issues
• Implementation issues

3
Requirements

• Protect a team's myGrid-based resources
• data metadata (KAVE, MIR)
• compute resources (standalone enactor WS) ?
• Based on user identity ( roles?)
• user id available for provenance purposes ("who
  said/created/ran this, and when?")

4
Non-requirements

• Single-sign-on to remote services accessed via
  workflows
• too hard most bio services free

5
Architectural issues

• Indirect updates via Enactor Mediator
• Access decision function
• embedded in each service?
• separate, shared, security service?
• Authentication procedure
• intercepted at first service contact?
• separate authentication service?

6
Implementation issues

• Use of OMII consequences
• certificates needed
• different client-side service invocation APIs
  (not Axis)
• server-side implementation exploiting PBAC

7
Implementation issues certificates

• How does client get certificate private key?
• Taverna, browser
• How does certificate signature get into
  message?
• How does server (MIR, KAVE) know which
  certificates/users are friends?
• MIR, KAVE
• What about intermediates?
• Enactor WS, Mediator, Portlets
• plugins

8
Implementation issuesaccess decision function

• Is access decision function
• Local to service
• Can use current context, persistent service state
• Each service administered separately
• Centralized access decision service
• Context needs to be passed to ADS
• Single administration task
• PBAC vs. RBAC

9
OMII overview

• OMII_1 contains
• Base and extensions
• API for service client authors
• Some Grid services
• E.g. Job submission
• Sample clients and examples

10
OMII server-side APIs

• Based on Java, Tomcat, Axis
• WS-Security interceptor
• Only certificates, not username/password
• IT Innovation code http//wssecit.sourceforge.net
  /
• PBAC process-based access control
• To enforce service protocol (workflow)
• IT Innovation code
• SuSE Linux 9.0 only
• PostgreSQL dependency
• Until April!

11
OMII client-side APIs

• Uses IT Innovations TransMessaging for WS
  invocation not Axis
• http//transmessaging.sourceforge.net
• requires work in Taverna, Mediator, plugins,
  portlets, LSID services

12
Decisions

• Requirements
• Access decision
• based on user id only?
• based on rôle/action?
• Framework
• OMII?
• Custom Tomcat realm?
• ?