WP6: Authorization Service
Workshop in Eger
Marcin Adamski, Michał Chmielewski, Sergiusz Fonrobert, Jarek Nabrzyski
and Tomasz Ostwald
Poznań Supercomputing and Networking Center
March 31st, 2003
Presentation Overview
About security in the GridLab Project
General Design of Authorization Service
Current implementation status
Plans for the Eger meeting
Security in GridLab
Security in Grid environments is a significant and still open problem
The primary goal of the Security Workpackage in the GridLab project is to create a flexible and universal Authorization Service
The secondary goal is to provide general support to other workpackages in solving detailed technical problems related to security
The Authorization Service
The main requirement of the Authorization Service is flexibility
The AS is to provide a universal way of defining security policy for the whole Grid, independent of the technologies used at lower levels
It should be able to implement most security models for Grids and to use many different scenarios at the same time
It should support many different security technologies (e.g. GSI and Microsoft authentication)
It has to be a secure and stable implementation (the AS is considered a trusted component of the security model)
The General Design
(phased design diagram: 1st phase, 2nd phase, 3rd phase)
Current State (1st phase)
(diagram of the current AS architecture: Core AS Component; Scenarios Engine with Authorization Scenarios; Security Policy Database; Communication Component; Authorization and Security Policy Engine)
Current State
(diagram of the Authorization and Security Policy Engine: Security Policy Engine; Security Policy Database Component; Authorization Module; Security Policy Manager; ASP Engine Interface)
AS implementation
Implementation in C
Compatibility with:
Globus Toolkit 2.0
Globus Toolkit 2.2
CAS version of GT
Service interface using WSDL
Source code will be available in CVS after the Eger Meeting
AS communication
Communication: based on the GSI protocol, using the GSI plugin for gSOAP
Interface (GSI based protocol) for internal use between AS components; in future it may be used to fulfill specific needs of GridLab services
Interface functions (WSDL):
getServiceDescription
getResourcesList
getAuthorizationDecision
sendCommandLine
AS components
as_server: stores the security policy, returns authorization decisions, generates policy and other security info
as_client_admin and as_client_admin_soap: add security policy items to the as_server database
as_client and as_client_soap: get the full policy from the server and generate a proxy with this policy
as_enabled_tcp_server and client, test_soap_client: components for as_server policy tests
cas_policy_viewer: prints the policy included in the proxy
AS data structure (current)
(diagram) The policy is held as three top-level arrays: an Object array, a Subject array and a Relation array. Each Object carries an ObjectAttributes array, each Subject carries a SubjectAttributes array, and each Relation links one Object to one Subject.
AS data structure (CAS)
(diagram) The same structure specialised to CAS: the Object array "Objects" holds Objects of kind "cas_object" with the ObjectAttributes OBJECT_NAME_TYPE, OBJECT_NAME, SERVICE_TYPE and SERVICE_ACTION; the Subject array "Users" holds Subjects of kind "User" with the SubjectAttribute Id_string; the Relation array links Objects to Subjects.
AS data structure (GRMS)
(diagram) The same structure specialised to GRMS: the Object array "Objects" holds Objects of kind "grms_object" with the ObjectAttributes OBJECT_NAME and OBJECT_URL; the Subject array "Users" holds Subjects of kind "User" with the SubjectAttribute Id_string; the Relation array links Objects to Subjects.
AS data structure
Current state (previous slides): arrays of objects, subjects and relations
Future: tree structure (hierarchical structure)
Grid at the top level
Services
Servers
Files
Other objects (based upon specific requirements)
Currently most of our work is focused on the appropriate internal design (gathering requirements is the main goal of the Eger meeting)
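An added example, not GridLab's own code: the arrays-of-Objects/Subjects/Relations structure from the preceding slides, modelled in C (the AS implementation language), together with a default-deny decision routine in the spirit of the getAuthorizationDecision call listed on the AS communication slide. The struct names, the matching rule (every attribute a policy Object defines must equal the request's value, and a Subject is identified by Id_string), the sample DN and the sample CAS-shaped policy are assumptions for illustration; the policy Object uses only a subset of the CAS attributes.

```c
/* Added example (not GridLab's code): a minimal model of the AS policy
 * structures (arrays of Objects, Subjects and Relations, each Object/Subject
 * carrying an attribute array) with a default-deny decision routine.
 * All names, the matching rule and the sample data are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_ATTRS 8

typedef struct { const char *name; const char *value; } Attribute;

typedef struct {
    Attribute attrs[MAX_ATTRS];   /* e.g. OBJECT_NAME, SERVICE_TYPE, SERVICE_ACTION */
    int nattrs;
} Object;

typedef struct {
    Attribute attrs[MAX_ATTRS];   /* e.g. Id_string (the user's DN) */
    int nattrs;
} Subject;

/* A Relation means "this Subject may use this Object". */
typedef struct { int object_idx; int subject_idx; } Relation;

typedef struct {
    const Object *objects;     int nobjects;
    const Subject *subjects;   int nsubjects;
    const Relation *relations; int nrelations;
} Policy;

static const char *attr_get(const Attribute *attrs, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(attrs[i].name, name) == 0) return attrs[i].value;
    return NULL;
}

/* A policy Object matches a request when every attribute the Object defines
 * is present in the request with an equal value (assumed rule). */
static int object_matches(const Object *o, const Attribute *req, int nreq) {
    for (int i = 0; i < o->nattrs; i++) {
        const char *v = attr_get(req, nreq, o->attrs[i].name);
        if (v == NULL || strcmp(v, o->attrs[i].value) != 0) return 0;
    }
    return 1;
}

/* Returns 1 (permit) only if some Relation links a Subject whose Id_string
 * equals subject_id to an Object matching the request; everything else,
 * including malformed Relations, yields 0 (deny). */
int get_authorization_decision(const Policy *p, const char *subject_id,
                               const Attribute *req, int nreq) {
    for (int r = 0; r < p->nrelations; r++) {
        const Relation *rel = &p->relations[r];
        if (rel->subject_idx < 0 || rel->subject_idx >= p->nsubjects ||
            rel->object_idx < 0 || rel->object_idx >= p->nobjects)
            continue;                       /* out-of-range index never grants */
        const Subject *s = &p->subjects[rel->subject_idx];
        const char *id = attr_get(s->attrs, s->nattrs, "Id_string");
        if (id == NULL || strcmp(id, subject_id) != 0) continue;
        if (object_matches(&p->objects[rel->object_idx], req, nreq)) return 1;
    }
    return 0;
}

/* Constructed sample policy in the CAS-mode shape: one user may "submit"
 * to the GRMS service. The DN and attribute values are made up. */
static const Object  sample_objects[]  = {
    { { {"OBJECT_NAME", "grms"}, {"SERVICE_TYPE", "grms"}, {"SERVICE_ACTION", "submit"} }, 3 } };
static const Subject sample_subjects[] = {
    { { {"Id_string", "/O=Grid/OU=GridLab/CN=Alice"} }, 1 } };
static const Relation sample_relations[] = { {0, 0} };
const Policy sample_policy = { sample_objects, 1, sample_subjects, 1, sample_relations, 1 };

/* Builds a request for the GRMS service with the given action and decides it. */
int decide_sample(const char *subject_id, const char *action) {
    Attribute req[] = { {"OBJECT_NAME", "grms"}, {"SERVICE_TYPE", "grms"},
                        {"SERVICE_ACTION", action} };
    return get_authorization_decision(&sample_policy, subject_id, req, 3);
}

int main(void) {
    printf("Alice submit: %d\n", decide_sample("/O=Grid/OU=GridLab/CN=Alice", "submit"));
    printf("Alice cancel: %d\n", decide_sample("/O=Grid/OU=GridLab/CN=Alice", "cancel"));
    printf("Bob submit:   %d\n", decide_sample("/O=Grid/OU=GridLab/CN=Bob", "submit"));
    return 0;
}
```

Because the AS is a trusted component, the decision routine is written so that the only path to a permit is an explicit Relation; a missing attribute, an unknown subject or an index outside the arrays all fall through to deny rather than to an error the caller might ignore.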
AS experiment (CAS mode)
(diagram of the experiment setup: AS SERVER, AS CLIENT ADMIN, AS CLIENT, CAS POLICY VIEWER, AS ENABLED TCP SERVER, AS ENABLED TCP CLIENT, AS PROXY, AS SECURITY POLICY)
Scenario 1 (similar to CAS)
(diagram, steps 1 to 5: USER, PORTAL, AS, GRMS, GRID SERVICES and RESOURCES; GRMS and the grid services carry an AS-enabled module and a grid-mapfile; the user's credentials are the CA certificate, user certificate and user proxy certificate; the AS proxy is a proxy certificate with the logical part of the policy included, chained to the user proxy certificate, user certificate and CA certificate)
Scenario 2 (Eger) (GRMS-only authorization decision)
(diagram, steps 1 to 6: USER, PORTAL, AS, GRMS, GRID SERVICES and RESOURCES; GRMS and the grid services carry an AS-enabled module and a grid-mapfile; the user's credentials are the CA certificate, user certificate and user proxy certificate; instead of a proxy, the AS returns an AS decision that is passed on to GRMS)
Scenario 3 (GRMS proxy file)
(diagram, steps 1 to 7: USER, PORTAL, AS, GRMS, GRID SERVICES and RESOURCES; GRMS and the grid services carry an AS-enabled module and a grid-mapfile; the user's credentials are the CA certificate, user certificate and user proxy certificate; the AS returns an AS decision, and the AS proxy is a GRMS proxy certificate with the logical part of the policy included, chained to the user proxy certificate, user certificate and CA certificate)
The Nearest Future
Experiment aimed at integration of the portal with the resource manager
Complete the design and implementation of the AS internals (fulfilling most of the possible Grid-specific requirements)
Design and implement the initial set of scenarios to be used in the GridLab project
Introduce database support for storing the security policy
Verify the security level and the quality of the implementation
Plans for Eger Meeting
Gather information about the detailed authorization requirements of various services
Prepare for the experiment aimed at integration of the portal with the resource manager
Planned meetings:
Portals (WP4)
Monitoring (WP11)
Testbed (WP5)
Resource Management (WP9+WP4+WP6)
Mobile (WP4+WP12+WP6)
Others