View
217
Download
2
Embed Size (px)
Citation preview
June 30th, 2005 EuroPKI2005
“Towards a Unified Authentication and Authorization Infrastructure
for Grid Services:Implementing an Enhanced OCSP
Service Provider into GT4”
Jesús Luna G.
Manel Medina L.
Oscar Manso C.
Universitat Politècnica de CatalunyaDepartament d’Arquitectura de Computadors
June 30th, 2005 EuroPKI2005
Agenda
– Motivation– Background– Objective– Proof of concept
– Related work– Future work
June 30th, 2005 EuroPKI2005
Grid Services
• Open Grid Services Architecture (OGSA): Service orientation to virtualize resources -> everything is a service.
• A standard substrate: the Grid service.• Standard interfaces (OGSI) and behaviors that
address key distributed system issues: naming, service state, lifetime, notification.
• Grid service = Web service + OGSA + OGSI• Grid services are moving from eScience to
eBusiness.
June 30th, 2005 EuroPKI2005
Oracle’s Use of Grid Technology*• Use Grid technology to build better
products– Oracle Database 10g
• Enhanced scalability, relocation, & distributed SQL
• Max database size -> 8 exabytes
– Oracle Application Server 10g• Already based on J2EE/Web
Services• Extending to include OGSI
yields powerful capabilities• Improves scalability and flexibility
• Increases in both scalability and efficiency
• Improves competitiveness of existing products
“Open Grid Services Architecture: A tutorial”. Foster, Ian. www.mcs.anl.gov/~foster
June 30th, 2005 EuroPKI2005
Oracle Grid Product Offerings• Oracle Database 10g
– Transportable tables– Distributed SQL– Managed using OGSI-
compliant interfaces(?)
• Oracle Application Server 10g– Hosting for OGSI-
compliantGrid services
– Development environment– Application Server can be
managed and configured using OGSI-compliant interfaces(?)
June 30th, 2005 EuroPKI2005
Performance & Security
….but
Is the traditional Grid Security Infrastructure (GSI) framework ready for Grid Services?
June 30th, 2005 EuroPKI2005
Pre-WSAuthenticationAuthorization
Data Management
SecurityCommonRuntime
Execution Management
Information Services
GridFTP
Web Services
Components
Non-WS
Components
GridResource
Allocation Mgmt(Pre-WS GRAM)
Monitoring& Discovery
System(MDS2)
C CommonLibraries
GT2
WSAuthenticationAuthorization
ReliableFile
Transfer(RFT)
OGSA-DAI[Tech Preview]
GridResource
Allocation Mgmt(WS GRAM)
Monitoring& Discovery
System(MDS4)
Java WS Core
CASGT3
ReplicaLocationService(RLS)
XIO
GT3
CredentialManagement
GT4
Python WS Core[contribution]
C WS Core
CommunitySchedulerFramework
[contribution]
DelegationService
GT4
Globus Toolkit
June 30th, 2005 EuroPKI2005
GT4 Container
• Open Source implementation of Grid Services through a WSRF Container:
CustomWeb
Services WS-Addressing, WSRF,WS-Notification
CustomWSRF Web
Services
GT4WSRF Web
Services
WSDL, SOAP, WS-Security
User Applications
Re
gis
try
Ad
min
istr
atio
n
GT
4
Co
nta
ine
r
June 30th, 2005 EuroPKI2005
GT4: AA Framework
DelegatedProxy
2. Service Request
7. Service Response
Subject
1. Proxy Initialization
Grid ServicesWSRF Container
3. AuthenticationRequest
4. AuthenticationResponse
5. AuthorizationRequest
6. AuthorizationResponse
Service or Resource AuthN
Source
AuthN SOA
3a. AuthenticationDecision
5a. AuthorizationDecision
8. ProxyDestruction
Container or Service AuthZ
PDPs
AuthZ SOAs
June 30th, 2005 EuroPKI2005
Conceptual Grid Authorization Framework*
– Trust Management.– Privilege Management.– Attribute Authorities.– Privilege Assignment.– Attribute Assertions Management.– Policy Management.– Authorization Context.– Authorization Server.– Enforcement Mechanisms.
“Conceptual Grid Authorization Framework and Classification”, R. Baker, L. Gommans, A. McNab, M. Lorch, L. Ramakrishnan, K. Sarkar, and M. R. Thompson Global Grid Forum Working Group on Authorization Frameworks and Mechanisms. February 2003, http://www.ggf.org/Meetings/ggf7/drafts/authz01.pdf
June 30th, 2005 EuroPKI2005
Objective
• Improve GT4 Container’s security and performance through the integration of common AuthN and AuthZ features into a Unified Authentication and Authorization Infrastructure (AAI).
June 30th, 2005 EuroPKI2005
AA Performance and Security
DelegatedProxy
2. Service Request
7. Service Response
Subject
1. Proxy Initialization
Grid ServicesWSRF Container
3. AuthenticationRequest
4. AuthenticationResponse
5. AuthorizationRequest
6. AuthorizationResponse
Service or Resource AuthN
Source
AuthN SOA
3a. AuthenticationDecision
5a. AuthorizationDecision
8. ProxyDestruction
Container or Service AuthZ
PDPs
AuthZ SOAs
June 30th, 2005 EuroPKI2005
Proposed Unified AAI
DelegatedProxy
Subject
Grid ServicesWSRF Container
Unified AAI
SOAs
June 30th, 2005 EuroPKI2005
Proposed Validation Policy
DelegatedProxy
Subject
Grid ServicesWSRF Container
Unified AAI
SOAs
Subject + HOAA Rules
Resource + VOAA Rules
VO DistributedValidation
Policy
June 30th, 2005 EuroPKI2005
Proposed Trust Engine
DelegatedProxy
Subject
Grid ServicesWSRF Container
Unified AAI
SOAs
VO DistributedValidation
Policy
Tru
st E
ng
ine
June 30th, 2005 EuroPKI2005
Unified AAI Proposal
DelegatedProxy
4. Service Request
7. Service Response
Subject
3. Proxy Initialization
Grid ServicesWSRF Container
1. Validaton and Accreditation Request
Unified AAI
5. AccreditationRequest
6. AccreditationResponse
5a. AccreditationDecision
8. ProxyDestruction
2. Validation and Accreditation Response
SOAs
Tru
st E
ng
ine
June 30th, 2005 EuroPKI2005
Grid Services Authentication Challenges
– X.509 Credentials life-cycle management.– Single Sign-On.– Delegation.– Identity Federation.– Trust conditions.– Privacy and anonymity.– Interoperability and extensibility.– Authentication Architecture.– Subject and Resource Authentication Policies.– Use of formal methods.– Authentication traffic.
June 30th, 2005 EuroPKI2005
Grid Services Authorization Challenges
– Interoperability and extensibility.– Use of formal methods.– Policy writing.– Distributed Policy Management.– Subject-side and Resource-side Authorization
Rules.– Authorization Architecture and Performance.– Authorization Assertion's security.– Fine grain Authorization for Grid Services
Operations (portTypes) and Service Data Elements (SDE).
– Session-based Authorization.– Conditional Replies.
June 30th, 2005 EuroPKI2005
Why OCSP in Grids?
• Used to provide near real-time certificate status for Grid relying parties.
• Avoid burden of managing local CRLs at Grid clients.
• May allow support for Proxy Certificates revocation.
• OCSP Service requirements for Grids: discoverable, fault tolerant and low latency.
• OCSP support not implemented into GT4.• Grids need to define an OCSP Policy (GGF
CAOPS-WG).
June 30th, 2005 EuroPKI2005
CertiVeR Enhanced OCSP Service Provider
• Distributed architecture.• May work as Trusted or Authorized Responder.• Able to parse customized OCSP Response
Extensions, which may include AuthZ related information.
• Supports Proxy Certificate Revocation
June 30th, 2005 EuroPKI2005
Adding OCSP support to GT4
• CertiVeR OCSP Java API integrated into CoG’s ProxyPathValidator class.
• Same CoG class used into Java WS Core.• First the EEC chain is built by the client…• …then is sent to validation in a single OCSP
Request and…• Finally is received again in a single OCSP
Response.• Fully compliant with RFC2560.
June 30th, 2005 EuroPKI2005
Grid Proxy Initialization Comparision
0.000
1.000
2.000
3.000
4.000
5.000
6.000
7.000
Proxy Number
Tim
e (s
ecs)
CoG Only
CertiVeR Only
CoG with CertiVeR
June 30th, 2005 EuroPKI2005
• Akenti (Berkeley Lab):– Not exactly an AAI.– Manages distributed AuthZ.– Pre-WS Grid integration in progress.
• PERMIS (UE Funded Project):– AuthZ based on Attributes Certificates.– AuthN agnostic.– Recently integrating with GT4 and SAML.
• Shibboleth (Internet2/IBM):– Designed for Web Services.– Supports interinstitutional AA based on existing security schemes.– Delivers user’s privacy through anonymity.– GridShib in progress (NSF).
• Cardea (NASA):– Designed for NASA’s Information Power Grid.– Uses XACML.– Manages distributed AuthZ.
• VOMS:– AuthZ is established by enforcing agreements between Resource
Providers (RP) and VOs.– Information about user rights at a RP is defined in Extended ACL and
depends on his VO membership.– Uses GSI AuthN and delegation mechanisms.– Based on DataGrid and DataTAG frameworks.
June 30th, 2005 EuroPKI2005
OCSP and GT4
• OCSP Policy fine-tuning to balance Security and Performance (signed Responses, use of nonces, etc.).
• Enable full Proxy Certificate Revocation support with any of two mechanisms:
1. Sending the Proxy Cert into the OCSP Request ->Depends on OCSP Service Provider.
2. Without sending the Proxy Cert into the OCSP Request -> Any OCSP Service Provider.
• To be included into next release of GT4.• Work in Progress: “OCSP Requirements
for Grids” with CAOPS-WG into GGF.
June 30th, 2005 EuroPKI2005
• Validation Policy:– Full definition based on Unified AA Framework.– Move to XACML?– Build upon ETSI’s Signature Policy concept?
• Unified AAI: – SAML adoption for GT4 interoperability (callouts). – Fault tolerant architecture.
• Trust Engine: – Distributed Validation Policy evaluation and management
(maybe with a parallel paradigm?).– Use CertiVeR’s enhanced Responses to convey signed
evidence and thus optimize evaluation process.• Traditional Web Services (non WSRF-based) can
also make use of the Unified AAI.
Unified AAI: next steps