XPOLA: An Extensible Capability-based Authorization Infrastructure for Grids (transcript of a PowerPoint presentation)

1
XPOLA: An Extensible Capability-based Authorization Infrastructure for Grids
  • Liang Fang, Dennis Gannon
  • Indiana University
  • Frank Siebenlist
  • Argonne National Laboratory

2
Outline
  • Grid security
  • The problems to be solved
  • XPOLA
  • Macroscopic view
  • Microscopic view
  • User's view
  • Challenges and future work
  • Conclusion

3
The Grid
[Figure: timeline. 1997: pre-Web services era. 2002: (SOAP-based) Web services era. 2004: OGSA. Grid service = Web service + OGSA.]
4
Grid Security Infrastructure (GSI)
  • GSI adopts public key cryptography as the basis for the three main security functions of the Grid:
  • Secure communication: SSL, WS-Security
  • Mutual authentication: PKI
  • Delegation: proxy certificates
  • Authorization (in GSI, effectively authentication plus an identity-to-account mapping):
  • A gatekeeper daemon maps a Grid identity to a local account at run time according to a gridmap file.
  • The Grid identity is then allowed to do everything that account is allowed to do.

5
A Grid User's Odyssey
  • Alice wants to access a Grid service. Unfortunately, she first has to:
  • Apply for an account
  • Apply for a certificate
  • Register in the grid-map file
  • (Learn how to) manage her X.509 certificate
  • (Learn how to) configure her service environment
  • (Learn how to) get her Grid proxy certificate ready
  • Finally, time to use the Grid service.
[Figure: the slide annotates these steps with time estimates of 3 days, 1 week, 0.5 day, 1 day, 0.5 hour and 0.5 day.]
6
The Authorization Problems in Real Grid Applications
  • Not scalable in administration and maintenance:
  • Host accounts
  • X.509 certificates
  • Coarse-grained authorization:
  • An authorized user can do much more than access a service
  • For example, in the Linked Environments for Atmospheric Discovery (LEAD) project:
  • How do we provide authorization to meteorological Grid services running on TeraGrid for THOUSANDS of scientists and grade school students?
  • Only a few privileged UNIX accounts are available.
  • Grid services could be dynamically generated (by workflow engines as well as by individual scientists).
  • Of course, no security breach is acceptable.

7
Existing Grid Security Solutions to Fine-grained Authorization
  • ACL model: Akenti, Shibboleth, PERMIS
  • Capability model: CAS, VOMS, PRIMA
  • Why we need XPOLA:
  • The above did not address general Web/Grid services in compliance with the Web services security specs.
  • Relying on central administrators, most of them do not handle dynamic services well.
[Figure: the access control matrix, with the ACL model (one column per object) and the capability model (one row per subject).]
8
XPOLA: The Characteristics
  • Principle of Least Authority/Privilege (POLA) compliant: strictly fine-grained authorization.
  • Scalable in administration and maintenance: it is never assumed that the service user has an account on the machines. The infrastructure is built on a peer-to-peer chain-of-trust model, with no central administrator involved.
  • WS-Security compliant: conforms to WS-Security for both persistent and transient Web/Grid services.
  • Extensible: PKI- and SAML-based, but allows other alternatives.
  • Dynamic and reusable: Grid resources (Web services and Grid services) are made available to users through manually or automatically generated capabilities, which can be used for multiple requests within their valid lifetimes.

9
XPOLA: The Big Picture
[Figure: on the Service Provider side, a Capability Manager (Capman) creates, updates and destroys capabilities, backed by persistent storage and request processing, alongside a Registry (EPR of service A, ...) and a Community Informative Authority. On the Host side, a Token Agent sits in the processing stack in front of service SVC A. The Service Requester sends a capability request to the Capman, receives a capability token, and presents it with its requests to the host.]
10
XPOLA: Capabilities
  • A capability includes:
  • A policy document:
  • Bindings of the provider's distinguished name (DN), as well as the users' DNs
  • Identifier of the Grid resource
  • Optionally, the operations of a Web service instance
  • Lifetime (notBefore, notAfter)
  • The provider's signature, generated with his private key
  • Security Assertion Markup Language (SAML):
  • Each capability is a set of SAML assertions (AuthorizationDecisionStatement)
  • However, the policy document and the protection mechanism are extensible: XACML, symmetric keys, etc.

11
XPOLA: Web Services Security
  • Web services security: a series of emerging XML-based security standards from W3C and OASIS for SOAP-based Web services, providing authentication, integrity, confidentiality and so on.
  • XSOAP conforms to Web services security.
  • SOAP binding:
[Figure: layout of a SOAP message. Header: Capability Token (Policies as SAML Assertions; Provider's Signature) and a WS-Security section (User's Signature, ...). Body.]
12
XPOLA Enforcement
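The capability structure of slide 10, the two-signature SOAP layout of slide 11 and the enforcement step of slide 12 can be exercised end to end in the following added example. It is not XPOLA's own code: it is a self-contained Go program written for this page, and it assumes a JSON policy document in place of the SAML AuthorizationDecisionStatement, ECDSA P-256 key pairs in place of X.509 proxy certificates, an in-memory DN-to-public-key map in place of the chain of trust, and constructed DNs, a constructed resource identifier and a constructed request body. The provider signs the policy; the user signs the message body together with the provider's signature and the requested operation; the host's token agent verifies both signatures and then checks lifetime, resource, operation and the user's DN binding. Five requests are pushed through: a valid one, the same one after the lifetime has passed, one asking for an operation the capability does not grant, one in which another user replays Alice's token, and one in which that user also edits the policy to add herself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Capability is the slide 10 policy document; JSON replaces SAML here (an assumption of this example).
type Capability struct {
	ProviderDN string          `json:"providerDN"`
	UserDNs    map[string]bool `json:"userDNs"`    // DNs bound to this capability
	Resource   string          `json:"resource"`   // identifier of the Grid resource
	Operations map[string]bool `json:"operations"` // optional; empty grants every operation
	NotBefore  time.Time       `json:"notBefore"`
	NotAfter   time.Time       `json:"notAfter"`
}

// Request models the slide 11 SOAP message: token in the header, user's WS-Security signature over body, token and operation.
type Request struct {
	UserDN, Resource, Operation string
	Body, UserSignature         []byte
	Policy                      Capability
	ProviderSignature           []byte
}

func policyDigest(c Capability) []byte {
	b, _ := json.Marshal(c) // strings, sets and times only: cannot fail
	h := sha256.Sum256(b)
	return h[:]
}

func requestDigest(r Request) []byte {
	h := sha256.New()
	h.Write(r.Body)
	h.Write(r.ProviderSignature) // binds the body to this particular token
	h.Write([]byte(r.Resource + "\x00" + r.Operation))
	return h.Sum(nil)
}

// Issue is the provider's side (Capman): the returned signature plus the policy is the token.
func Issue(provider *ecdsa.PrivateKey, c Capability) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, provider, policyDigest(c)) // fails only on a broken RNG
	return sig
}

// Sign is the requester's side: the user signs the assembled message with her own key.
func Sign(user *ecdsa.PrivateKey, r Request) Request {
	r.UserSignature, _ = ecdsa.SignASN1(rand.Reader, user, requestDigest(r))
	return r
}

// Enforce is the token agent in the host's processing stack; it returns "ok" or the denial reason.
// keys (DN -> public key) stands in for certificates from the chain of trust and the WS-Security header.
func Enforce(keys map[string]*ecdsa.PublicKey, r Request, now time.Time) string {
	p := r.Policy
	switch pk, uk := keys[p.ProviderDN], keys[r.UserDN]; {
	case pk == nil || !ecdsa.VerifyASN1(pk, policyDigest(p), r.ProviderSignature):
		return "provider signature invalid"
	case now.Before(p.NotBefore) || now.After(p.NotAfter):
		return "outside lifetime"
	case r.Resource != p.Resource || (len(p.Operations) > 0 && !p.Operations[r.Operation]):
		return "resource or operation not granted"
	case !p.UserDNs[r.UserDN] || uk == nil || !ecdsa.VerifyASN1(uk, requestDigest(r), r.UserSignature):
		return "requester not bound or user signature invalid"
	}
	return "ok"
}

// Scenario pushes constructed requests through Enforce and returns each verdict by name.
func Scenario() map[string]string {
	const providerDN, aliceDN, malloryDN = "/O=Grid/CN=Provider", "/O=Grid/CN=Alice", "/O=Grid/CN=Mallory"
	provider, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-ins for X.509 key pairs
	alice, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	mallory, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys := map[string]*ecdsa.PublicKey{providerDN: &provider.PublicKey, aliceDN: &alice.PublicKey, malloryDN: &mallory.PublicKey}
	issued := time.Date(2005, 1, 10, 9, 0, 0, 0, time.UTC)
	policy := Capability{ProviderDN: providerDN, UserDNs: map[string]bool{aliceDN: true},
		Resource: "urn:example:WeatherService/42", Operations: map[string]bool{"runForecast": true},
		NotBefore: issued, NotAfter: issued.Add(24 * time.Hour)} // all values constructed
	base := Request{UserDN: aliceDN, Resource: policy.Resource, Operation: "runForecast", Policy: policy,
		ProviderSignature: Issue(provider, policy), Body: []byte("<runForecast><region>Indiana</region></runForecast>")}
	now, out := issued.Add(time.Hour), map[string]string{}
	out["valid"] = Enforce(keys, Sign(alice, base), now)
	out["expired"] = Enforce(keys, Sign(alice, base), issued.Add(48*time.Hour))
	wrongOp := base
	wrongOp.Operation = "shutdown" // the capability grants runForecast only
	out["wrongOp"] = Enforce(keys, Sign(alice, wrongOp), now)
	stolen := base // Mallory replays Alice's token under her own DN and key
	stolen.UserDN = malloryDN
	out["stolenToken"] = Enforce(keys, Sign(mallory, stolen), now)
	stolen.Policy.UserDNs = map[string]bool{aliceDN: true, malloryDN: true} // edited policy breaks the provider signature
	out["tamperedPolicy"] = Enforce(keys, Sign(mallory, stolen), now)
	return out
}
func main() { fmt.Println(Scenario()) }
```

`go run` prints the verdict for each case. Because the user's signature covers the provider's signature bytes, a token copied out of one SOAP message cannot be attached to a different user's request, and because the provider's signature covers the whole policy, the user list and the operation set cannot be widened after issue. Revocation inside the lifetime window, listed as future work on slide 14, is not handled here: a valid token stays valid until notAfter.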
13
XPOLA: User's View in Grid Portals
[Figure: the User and the Provider interact through a Grid Portal holding a User Context with three portlets: a Proxy Manager Portlet, a Capability Manager Portlet and a Weather Service Portlet. The Provider issues capability tokens through the Capability Manager Portlet; the User's proxy certificate and capability token are carried through the portal to the Weather Service.]
14
Challenges and Future Work
  • Revocation
  • Performance and Scalability
  • Message-level, session-based communication
  • Load balancing
  • Denial of Service (DoS) Mitigation

15
Conclusion
  • XPOLA provides a fine-grained authorization infrastructure for general Web and Grid services.
  • More than that:
  • It scales
  • Extensible
  • WS-Security compliant
  • Adaptable to dynamic services
  • Reusable
  • User- (as well as provider-) friendly