WP6: Authorization Service, Workshop in Eger

Marcin Adamski, Michał Chmielewski, Sergiusz Fonrobert, Jarek Nabrzyski and Tomasz Ostwald

Poznań Supercomputing and Networking Center


March 31st, 2003

Presentation Overview

About security in the GridLab Project

General Design of Authorization Service

Current implementation status

Plans for the Eger meeting


Security in GridLAB

Security in Grid environments is a significant and still open problem

The primary goal of the Security Workpackage in the GridLab project is to create a flexible and universal Authorization Service

The secondary goal is to provide general support to the other workpackages in solving detailed technical problems related to security


The Authorization Service

The main requirement is the flexibility of the Authorization Service

The AS is to provide a universal way of defining the security policy for the whole Grid, independent of the technologies used at lower levels

It should be able to implement most security models for Grids and use many different scenarios at the same time

It should support many different security technologies (e.g. GSI and Microsoft authentication)

It has to be a secure and stable implementation (the AS is considered a trusted component of the security model)


The General Design

(diagram of the design in three phases: 1st phase, 2nd phase, 3rd phase)


1st phase: Current State

(diagram of the Core AS Component: Scenarios Engine, Authorization Scenarios, Security Policy Database, Communication Component, Authorization and Security Policy Engine)


Current State: Security Policy Engine

(diagram of the Authorization and Security Policy Engine: Security Policy Database Component, Authorization Module, Security Policy Manager, ASP Engine Interface)


AS implementation

Implementation in C

Compatibility with Globus Toolkit 2.0, Globus Toolkit 2.2 and the CAS version of GT

Service interface using WSDL

Source code will be available in CVS after the Eger meeting


AS communication

Communication: based on the GSI protocol, using a GSI plugin for gSOAP

Interface (GSI-based protocol) for internal use between AS components; in future it may be used to fulfill specific needs of GridLab services

Interface functions (WSDL): getServiceDescription, getResourcesList, getAuthorizationDecision, sendCommandLine


AS components

as_server: stores the security policy, returns authorization decisions, generates policy and other security info

as_client_admin and as_client_admin_soap: add security policy items to the as_server database

as_client and as_client_soap: get the full policy from the server and generate a proxy with this policy

as_enabled_tcp_server and client, test_soap_client: components for as_server policy tests

cas_policy_viewer: prints the policy included in the proxy


AS data structure (current)

(diagram) Object: ObjectAttributes array; Subject: SubjectAttributes array; Relation: Object, Subject, ObjectAttributes array, SubjectAttributes array; top level: Object array, Subject array, Relation array


AS data structure (CAS)

(diagram) Object "cas_object": ObjectAttribute OBJECT_NAME_TYPE; Subject "User": SubjectAttribute Id_string; Relation: ObjectAttributes array with OBJECT_NAME, SERVICE_TYPE and SERVICE_ACTION, SubjectAttributes array; top level: Object array "Objects", Subject array "Users", Relation array
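To make the CAS-mode structure concrete, here is an added C example (not the GridLab AS code) that models the Objects, Users and Relations arrays above as in-memory structs and evaluates a default-deny getAuthorizationDecision over them; the matching rule (every relation attribute must equal the request, no wildcards) and the sample entries are assumptions.

```c
/* Added illustration (not the GridLab AS source): in-memory model of the CAS-mode
 * policy structure from the slide (Objects, Users and Relations arrays with attribute
 * lists) and a default-deny decision over it. The matching rule, every relation
 * attribute equal to the request with no wildcards, is an assumption. */
#include <stddef.h>
#include <string.h>

typedef struct { const char *name, *value; } attr_t;                 /* e.g. OBJECT_NAME=gridftp */
typedef struct { const char *kind; const attr_t *attrs; size_t n; } entity_t;   /* Object or Subject */
typedef struct { const entity_t *object, *subject; const attr_t *attrs; size_t n; } relation_t;
typedef struct { const relation_t *relations; size_t n; } policy_t;

static const char *attr_get(const attr_t *a, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(a[i].name, name) == 0) return a[i].value;
    return NULL;
}

/* Request: subject Id_string wants SERVICE_ACTION on OBJECT_NAME of SERVICE_TYPE.
 * Returns 1 = permit, 0 = deny; any missing attribute denies (fail closed). */
int get_authorization_decision(const policy_t *p, const char *id_string,
                               const char *object_name, const char *service_type,
                               const char *service_action) {
    const attr_t req[] = { {"OBJECT_NAME", object_name}, {"SERVICE_TYPE", service_type},
                           {"SERVICE_ACTION", service_action} };
    if (!p || !id_string) return 0;
    for (size_t r = 0; r < p->n; r++) {
        const relation_t *rel = &p->relations[r];
        const char *sid = attr_get(rel->subject->attrs, rel->subject->n, "Id_string");
        if (!sid || strcmp(sid, id_string) != 0) continue;      /* relation is for another user */
        int match = 1;
        for (size_t i = 0; i < 3 && match; i++) {
            const char *v = attr_get(rel->attrs, rel->n, req[i].name);
            match = v && req[i].value && strcmp(v, req[i].value) == 0;
        }
        if (match) return 1;
    }
    return 0;                                                    /* default deny */
}

/* Constructed sample policy: user /O=Grid/CN=alice may "read" the "gridftp" file service. */
static const attr_t alice_attrs[] = { {"Id_string", "/O=Grid/CN=alice"} };
static const entity_t alice = { "User", alice_attrs, 1 };
static const attr_t ftp_attrs[] = { {"OBJECT_NAME_TYPE", "service"} };
static const entity_t ftp = { "cas_object", ftp_attrs, 1 };
static const attr_t rel_attrs[] = { {"OBJECT_NAME", "gridftp"}, {"SERVICE_TYPE", "file"},
                                    {"SERVICE_ACTION", "read"} };
static const relation_t rels[] = { { &ftp, &alice, rel_attrs, 3 } };
const policy_t sample_policy = { rels, 1 };
```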


AS data structure (GRMS)

(diagram) Object "grms_object"; Subject "User": SubjectAttribute Id_string; Relation: ObjectAttributes array with OBJECT_NAME and OBJECT_URL, SubjectAttributes array; top level: Object array "Objects", Subject array "Users", Relation array


AS data structure

Current state (previous slides): arrays of objects, subjects and relations

Future: tree structure (hierarchical), with the Grid at the top level, then Services, Servers, Files, and other objects (based upon specific requirements)

Currently most of our work is focused on the appropriate internal design (gathering requirements is the main goal of the Eger meeting)


AS experiment (CAS mode)

(diagram of the experiment components: AS Server, AS Client Admin, AS Client, CAS Policy Viewer, AS-enabled TCP Server, AS-enabled TCP Client, AS Proxy, AS Security Policy)


Scenario 1 (similar to CAS)

(diagram: USER, PORTAL, GRMS, GRID SERVICES and RESOURCES with grid-mapfiles, AS-enabled modules, and the AS; interaction steps 1 to 5. Grid proxy chain: user proxy certificate, user certificate, CA certificate. AS proxy chain: proxy certificate with the logical part of the policy included, user proxy certificate, user certificate, CA certificate)


Scenario 2 (Eger) (GRMS-only authorization decision)

(diagram: same components as Scenario 1; interaction steps 1 to 6 with "as decision" messages. Grid proxy chain: user proxy certificate, user certificate, CA certificate)


Scenario 3 (GRMS proxy file)

(diagram: same components as Scenario 1; interaction steps 1 to 7 with "as decision" messages. Grid proxy chain: user proxy certificate, user certificate, CA certificate. AS proxy chain: GRMS proxy certificate with the logical part of the policy included, user proxy certificate, user certificate, CA certificate)


The Nearest Future

Experiment aimed at integrating the portal with the resource manager

Complete the design and implementation of the AS internals (fulfilling as many grid-specific requirements as possible)

Designing and implementing the initial set of scenarios to be used in the GridLab project

Introduce database support for storing security policy

Verify security level and quality of implementation


Plans for Eger Meeting

Gather information about detailed authorization requirements of various services

Prepare for the experiment aimed at integrating the portal with the resource manager

Planned meetings: Portals (WP4), Monitoring (WP11), Testbed (WP5), Resource Management (WP9+WP4+WP6), Mobile (WP4+WP12+WP6), Others