myGrid security - PowerPoint PPT Presentation

1
myGrid security
  • AG meeting, 11 Jan 2005
  • Nick Sharman

2
Agenda
  • Requirements & non-requirements
  • Architectural issues
  • Implementation issues

3
Requirements
  • Protect a team's myGrid-based resources
    • data & metadata (KAVE, MIR)
    • compute resources (standalone enactor WS)?
  • Based on user identity (& roles?)
  • user id available for provenance purposes ("who
    said/created/ran this, and when?")

4
Non-requirements
  • Single-sign-on to remote services accessed via
    workflows
    • too hard; most bio services free

5
Architectural issues
  • Indirect updates via Enactor & Mediator
  • Access decision function
    • embedded in each service?
    • separate, shared, security service?
  • Authentication procedure
    • intercepted at first service contact?
    • separate authentication service?

6
Implementation issues
  • Use of OMII & consequences
    • certificates needed
    • different client-side service invocation APIs
      (not Axis)
    • server-side implementation exploiting PBAC

7
Implementation issues: certificates
  • How does client get certificate & private key?
    • Taverna, browser
  • How does certificate signature get into
    message?
  • How does server (MIR, KAVE) know which
    certificates/users are friends?
    • MIR, KAVE
  • What about intermediates?
    • Enactor WS, Mediator, Portlets
    • plugins

8
Implementation issues: access decision function
  • Is access decision function
    • Local to service
      • Can use current context, persistent service state
      • Each service administered separately
    • Centralized access decision service
      • Context needs to be passed to ADS
      • Single administration task
  • PBAC vs. RBAC

9
OMII overview
  • OMII_1 contains
    • Base and extensions
    • API for service client authors
    • Some Grid services
      • E.g. Job submission
    • Sample clients and examples

10
OMII server-side APIs
  • Based on Java, Tomcat, Axis
  • WS-Security interceptor
    • Only certificates, not username/password
    • IT Innovation code: http://wssecit.sourceforge.net/
  • PBAC: process-based access control
    • To enforce service protocol (workflow)
    • IT Innovation code
    • SuSE Linux 9.0 only
    • PostgreSQL dependency
    • Until April!

11
OMII client-side APIs
  • Uses IT Innovation's TransMessaging for WS
    invocation, not Axis
    • http://transmessaging.sourceforge.net
  • requires work in Taverna, Mediator, plugins,
    portlets, LSID services

12
Decisions
  • Requirements
  • Access decision
    • based on user id only?
    • based on rôle/action?
  • Framework
    • OMII?
    • Custom Tomcat realm?
    • ?