June 30th, 2005 EuroPKI2005

“Towards a Unified Authentication and Authorization Infrastructure for Grid Services: Implementing an Enhanced OCSP Service Provider into GT4”

Jesús Luna G.
Manel Medina L.
Oscar Manso C.

Universitat Politècnica de Catalunya, Departament d’Arquitectura de Computadors




Agenda

– Motivation
– Background
– Objective
– Proof of concept
– Related work
– Future work


Motivation


Grid Services

• Open Grid Services Architecture (OGSA): service orientation to virtualize resources -> everything is a service.
• A standard substrate: the Grid service.
• Standard interfaces (OGSI) and behaviors that address key distributed system issues: naming, service state, lifetime, notification.
• Grid service = Web service + OGSA + OGSI
• Grid services are moving from eScience to eBusiness.


Oracle’s Use of Grid Technology*

• Use Grid technology to build better products
  – Oracle Database 10g
    • Enhanced scalability, relocation, & distributed SQL
    • Max database size -> 8 exabytes
  – Oracle Application Server 10g
    • Already based on J2EE/Web Services
    • Extending to include OGSI yields powerful capabilities
    • Improves scalability and flexibility
• Increases in both scalability and efficiency
• Improves competitiveness of existing products

* “Open Grid Services Architecture: A tutorial”. Foster, Ian. www.mcs.anl.gov/~foster


Oracle Grid Product Offerings

• Oracle Database 10g
  – Transportable tables
  – Distributed SQL
  – Managed using OGSI-compliant interfaces (?)
• Oracle Application Server 10g
  – Hosting for OGSI-compliant Grid services
  – Development environment
  – Application Server can be managed and configured using OGSI-compliant interfaces (?)


Performance & Security

...but

Is the traditional Grid Security Infrastructure (GSI) framework ready for Grid Services?


Background


Globus Toolkit

(Component diagram, reconstructed as a list. The original figure arranges the components in five columns, splits each column into Web Services components and non-WS components, and tags each box with the release it belongs to: GT2, GT3 or GT4, or [contribution] / [Tech Preview].)

Security
– Web Services components: WS Authentication/Authorization; Community Authorization Service (CAS); Delegation Service
– Non-WS components: Pre-WS Authentication/Authorization; Credential Management

Data Management
– Web Services components: Reliable File Transfer (RFT); OGSA-DAI [Tech Preview]
– Non-WS components: GridFTP; Replica Location Service (RLS)

Execution Management
– Web Services components: Grid Resource Allocation Mgmt (WS GRAM); Community Scheduler Framework [contribution]
– Non-WS components: Grid Resource Allocation Mgmt (Pre-WS GRAM)

Information Services
– Web Services components: Monitoring & Discovery System (MDS4)
– Non-WS components: Monitoring & Discovery System (MDS2)

Common Runtime
– Web Services components: Java WS Core; C WS Core; Python WS Core [contribution]
– Non-WS components: C Common Libraries; XIO


GT4 Container

• Open Source implementation of Grid Services through a WSRF Container (layer diagram, reconstructed):
  – User Applications
  – Custom Web Services | Custom WSRF Web Services | GT4 WSRF Web Services
  – WS-Addressing, WSRF, WS-Notification
  – WSDL, SOAP, WS-Security
  – Registry and Administration, provided by the GT4 Container


GT4’s Use of Security Standards


GT4: AA Framework

Message flow (diagram reconstructed):
1. Proxy Initialization: Subject -> Delegated Proxy
2. Service Request: Delegated Proxy -> Grid Services WSRF Container
3. Authentication Request: Container -> Service or Resource AuthN Source (AuthN SOA)
3a. Authentication Decision (taken by the AuthN SOA)
4. Authentication Response
5. Authorization Request: Container -> Container or Service AuthZ PDPs (AuthZ SOAs)
5a. Authorization Decision (taken by the AuthZ SOAs)
6. Authorization Response
7. Service Response: Container -> Delegated Proxy
8. Proxy Destruction


Conceptual Grid Authorization Framework*

– Trust Management.
– Privilege Management.
– Attribute Authorities.
– Privilege Assignment.
– Attribute Assertions Management.
– Policy Management.
– Authorization Context.
– Authorization Server.
– Enforcement Mechanisms.

* “Conceptual Grid Authorization Framework and Classification”, R. Baker, L. Gommans, A. McNab, M. Lorch, L. Ramakrishnan, K. Sarkar, and M. R. Thompson. Global Grid Forum Working Group on Authorization Frameworks and Mechanisms, February 2003, http://www.ggf.org/Meetings/ggf7/drafts/authz01.pdf


Objective

• Improve GT4 Container’s security and performance through the integration of common AuthN and AuthZ features into a Unified Authentication and Authorization Infrastructure (AAI).


AA Performance and Security

(This slide repeats the GT4 AA Framework diagram: steps 1 to 8, from Proxy Initialization through the separate Authentication and Authorization request/decision/response round trips against the AuthN SOA and the AuthZ SOAs/PDPs, to Service Response and Proxy Destruction. Each request therefore pays for two independent callouts.)


Proposed Unified AAI

(Diagram, reconstructed: Subject -> Delegated Proxy -> Grid Services WSRF Container; the container consults one Unified AAI, which sits in front of the SOAs.)


Proposed Validation Policy

(Diagram, reconstructed: Subject + HOAA Rules and Resource + VOAA Rules are combined into a VO Distributed Validation Policy, which the Unified AAI applies in front of the SOAs for requests from the Subject's Delegated Proxy to the Grid Services WSRF Container.)


Proposed Trust Engine

(Diagram, reconstructed: a Trust Engine inside the Unified AAI evaluates the VO Distributed Validation Policy against the SOAs, on behalf of the Grid Services WSRF Container, for the Subject's Delegated Proxy.)


Unified AAI Proposal

Message flow (diagram reconstructed):
1. Validation and Accreditation Request: Subject -> Unified AAI (Trust Engine, backed by the SOAs)
2. Validation and Accreditation Response
3. Proxy Initialization: Subject -> Delegated Proxy
4. Service Request: Delegated Proxy -> Grid Services WSRF Container
5. Accreditation Request: Container -> Unified AAI
5a. Accreditation Decision (taken by the Trust Engine)
6. Accreditation Response
7. Service Response: Container -> Delegated Proxy
8. Proxy Destruction


Grid Services Authentication Challenges

– X.509 credentials life-cycle management.
– Single Sign-On.
– Delegation.
– Identity Federation.
– Trust conditions.
– Privacy and anonymity.
– Interoperability and extensibility.
– Authentication Architecture.
– Subject and Resource Authentication Policies.
– Use of formal methods.
– Authentication traffic.


Grid Services Authorization Challenges

– Interoperability and extensibility.
– Use of formal methods.
– Policy writing.
– Distributed Policy Management.
– Subject-side and Resource-side Authorization Rules.
– Authorization Architecture and Performance.
– Authorization Assertion security.
– Fine-grained Authorization for Grid Service Operations (portTypes) and Service Data Elements (SDE).
– Session-based Authorization.
– Conditional Replies.


Proof of concept: An Enhanced OCSP Service Provider for GT4


Why OCSP in Grids?

• Used to provide near real-time certificate status for Grid relying parties.
• Avoids the burden of managing local CRLs at Grid clients.
• May allow support for Proxy Certificate revocation.
• OCSP Service requirements for Grids: discoverable, fault tolerant and low latency.
• OCSP support not implemented in GT4.
• Grids need to define an OCSP Policy (GGF CAOPS-WG).


CertiVeR Enhanced OCSP Service Provider

• Distributed architecture.
• May work as Trusted or Authorized Responder.
• Able to parse customized OCSP Response Extensions, which may include AuthZ-related information.
• Supports Proxy Certificate Revocation.


Adding OCSP support to GT4

• CertiVeR OCSP Java API integrated into the CoG Kit's ProxyPathValidator class.
• The same CoG class is used in Java WS Core.
• First the EEC (End Entity Certificate) chain is built by the client...
• ...then it is sent for validation in a single OCSP Request and...
• ...finally the status of the whole chain comes back in a single OCSP Response.
• Fully compliant with RFC 2560.
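The relying-party side of the validation step described on this slide, as an added example that is not code from the paper, from the Java CoG Kit or from CertiVeR: an RFC 2560 OCSP check written in Python against the python-cryptography library. It exercises the two responder modes the CertiVeR slide lists (the issuer CA signing as a trusted responder, and a CA-issued delegate carrying id-kp-OCSPSigning as an authorized responder), rejects an impostor responder that has the right name and EKU but was never certified by the CA, reports a revoked certificate, and enforces the request nonce. Every key, certificate name and the in-process responder are constructed for the example. One difference from the slide: python-cryptography builds one CertID per request, so the chain is checked one (certificate, issuer) pair at a time rather than in a single batched request.

```python
"""RFC 2560 OCSP status check of a Grid EEC chain, built with python-cryptography (constructed example)."""
import datetime
import os
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)

def make_cert(cn, issuer_cert, issuer_key, key, is_ca=False, ocsp_signer=False):
    """Issue a test certificate; issuer_cert=None means self-signed (the root)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder().subject_name(subject)
               .issuer_name(subject if issuer_cert is None else issuer_cert.subject)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOW - datetime.timedelta(minutes=5)).not_valid_after(NOW + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if ocsp_signer:  # RFC 2560 4.2.2.2: a delegated responder must carry id-kp-OCSPSigning
        builder = builder.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())

def build_request(cert, issuer, nonce):
    """Client: one DER OCSPRequest for (cert, issuer) carrying a fresh nonce."""
    return (ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1())
            .add_extension(x509.OCSPNonce(nonce), critical=False).build().public_bytes(serialization.Encoding.DER))

def answer_request(req_der, cert, issuer, responder_cert, responder_key, revoked=False):
    """Responder: signed BasicOCSPResponse echoing the nonce; responder_cert is the issuer CA
    (trusted responder) or a CA-issued delegate (authorized responder)."""
    req = ocsp.load_der_ocsp_request(req_der)
    nonce = req.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert, issuer, hashes.SHA1(),
                             ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                             NOW, NOW + datetime.timedelta(hours=1),
                             NOW - datetime.timedelta(hours=1) if revoked else None,
                             x509.ReasonFlags.key_compromise if revoked else None)
               .responder_id(ocsp.OCSPResponderEncoding.NAME, responder_cert)
               .certificates([responder_cert])  # shipped so the client can validate a delegate
               .add_extension(x509.OCSPNonce(nonce), critical=False))
    return builder.sign(responder_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def acceptable_responder(resp, issuer):
    """RFC 2560 2.2: the signer is the issuer CA itself, or a CA-issued cert with id-kp-OCSPSigning."""
    if resp.responder_name == issuer.subject:
        return issuer
    for cand in resp.certificates:
        try:
            eku = cand.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
            if cand.subject == resp.responder_name and ExtendedKeyUsageOID.OCSP_SIGNING in eku:
                issuer.public_key().verify(cand.signature, cand.tbs_certificate_bytes, ec.ECDSA(cand.signature_hash_algorithm))
                return cand  # a delegate genuinely issued by the CA
        except (x509.ExtensionNotFound, InvalidSignature):
            pass  # no EKU, or not really signed by the CA: keep looking
    return None

def check_status(resp_der, req_der, issuer, nonce):
    """Relying party: returns 'good' or 'revoked'; raises ValueError on anything unsafe."""
    resp, req = ocsp.load_der_ocsp_response(resp_der), ocsp.load_der_ocsp_request(req_der)
    signer = acceptable_responder(resp, issuer)  # non-SUCCESSFUL statuses raise ValueError on field access
    if signer is None:
        raise ValueError("not signed by the CA or by an authorized responder")
    try:
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        raise ValueError("bad response signature")
    if (resp.serial_number, resp.issuer_key_hash) != (req.serial_number, req.issuer_key_hash):
        raise ValueError("CertID in the response does not match the request")
    echoed = next((e.value.nonce for e in resp.extensions if isinstance(e.value, x509.OCSPNonce)), None)
    if echoed != nonce:
        raise ValueError("nonce missing or mismatched: replayed or foreign response")
    return resp.certificate_status.name.lower()

def demo():
    """Constructed fixture: root -> sub CA -> user EEC, a delegated responder, and an impostor."""
    root_key, sub_key, ee_key, del_key, bad_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(5))
    root = make_cert("Grid Root CA", None, root_key, root_key, is_ca=True)
    sub = make_cert("Grid Sub CA", root, root_key, sub_key, is_ca=True)
    ee = make_cert("Example Grid User", sub, sub_key, ee_key)
    delegate = make_cert("Sub CA OCSP Responder", sub, sub_key, del_key, ocsp_signer=True)
    impostor = make_cert("Sub CA OCSP Responder", sub, bad_key, bad_key, ocsp_signer=True)  # right name and EKU, key never certified by the CA
    n_ee, n_sub = os.urandom(16), os.urandom(16)
    req_ee, req_sub = build_request(ee, sub, n_ee), build_request(sub, root, n_sub)
    def outcome(resp_der, req_der, issuer, expected_nonce):
        try:
            return check_status(resp_der, req_der, issuer, expected_nonce)
        except ValueError as exc:
            return "rejected: " + str(exc)
    return {  # the chain is checked one (certificate, issuer) pair per request
        "ee_authorized": outcome(answer_request(req_ee, ee, sub, delegate, del_key), req_ee, sub, n_ee),
        "sub_trusted": outcome(answer_request(req_sub, sub, root, root, root_key), req_sub, root, n_sub),
        "ee_revoked": outcome(answer_request(req_ee, ee, sub, delegate, del_key, revoked=True), req_ee, sub, n_ee),
        "impostor": outcome(answer_request(req_ee, ee, sub, impostor, bad_key), req_ee, sub, n_ee),
        "stale_nonce": outcome(answer_request(req_ee, ee, sub, delegate, del_key), req_ee, sub, os.urandom(16)),
    }
```

Calling `demo()` returns `good` for the user certificate (answered by the authorized responder) and for the sub CA (answered by the root as trusted responder), `revoked` for the revoked answer, and a `rejected: ...` string for the impostor and for the stale nonce. The impostor case is the one that matters most in a Grid setting with many responders: a certificate with the right name and the OCSP signing EKU is worthless unless the CA whose certificates it vouches for actually signed it, so the delegate's signature is verified with the issuer's key before its word is trusted. Checks a production validator adds on top of these, left out here for brevity: the thisUpdate/nextUpdate freshness window, the validity period of the delegate certificate itself, and whatever caching policy the CA permits when nonces are not used.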


Grid Proxy Initialization Comparison

(Chart: time in seconds, 0 to 7, plotted against proxy number, for three series: CoG Only, CertiVeR Only, and CoG with CertiVeR.)


Related Work


• Akenti (Berkeley Lab):
  – Not exactly an AAI.
  – Manages distributed AuthZ.
  – Pre-WS Grid integration in progress.
• PERMIS (EU-funded project):
  – AuthZ based on Attribute Certificates.
  – AuthN agnostic.
  – Recently integrating with GT4 and SAML.
• Shibboleth (Internet2/IBM):
  – Designed for Web Services.
  – Supports interinstitutional AA based on existing security schemes.
  – Delivers user privacy through anonymity.
  – GridShib in progress (NSF).
• Cardea (NASA):
  – Designed for NASA’s Information Power Grid.
  – Uses XACML.
  – Manages distributed AuthZ.
• VOMS:
  – AuthZ is established by enforcing agreements between Resource Providers (RP) and VOs.
  – Information about a user’s rights at an RP is defined in an Extended ACL and depends on the user’s VO membership.
  – Uses GSI AuthN and delegation mechanisms.
  – Based on the DataGrid and DataTAG frameworks.


Future Work and Conclusions


OCSP and GT4

• OCSP Policy fine-tuning to balance Security and Performance (signed Responses, use of nonces, etc.).
• Enable full Proxy Certificate Revocation support with either of two mechanisms:
  1. Sending the Proxy Cert in the OCSP Request -> depends on the OCSP Service Provider.
  2. Without sending the Proxy Cert in the OCSP Request -> works with any OCSP Service Provider.
• To be included in the next release of GT4.
• Work in progress: “OCSP Requirements for Grids” with the CAOPS-WG in the GGF.


Unified AAI: next steps

• Validation Policy:
  – Full definition based on the Unified AA Framework.
  – Move to XACML?
  – Build upon ETSI’s Signature Policy concept?
• Unified AAI:
  – SAML adoption for GT4 interoperability (callouts).
  – Fault tolerant architecture.
• Trust Engine:
  – Distributed Validation Policy evaluation and management (maybe with a parallel paradigm?).
  – Use CertiVeR’s enhanced Responses to convey signed evidence and thus optimize the evaluation process.
• Traditional Web Services (non WSRF-based) can also make use of the Unified AAI.


Many thanks!