A Dynamic, Distributive and Heterogeneous Authorization Policy Management Framework PowerPoint PPT Presentation

Title: A Dynamic, Distributive and Heterogeneous Authorization Policy Management Framework


1
A Dynamic, Distributive and Heterogeneous
Authorization Policy Management Framework
  • Speaker: YU Chiu Man
  • March 16, 2007

2
Agenda
  • Related Work & Research Objectives
  • Dynamic Policy Management Framework (DPMF)
  • Conflict Analysis with Partial Information (CAPI)
  • Heterogeneous Policy Management
  • Contributions & Future Work

3
Extra-Grid and Inter-Grid [Car04]
[Figure: hosts grouped into physical organizations]
4
Inter Grid
[Figure: physical organizations, each containing hosts]
5
Inter Grid
[Figure: virtual organizations]
6
Related Work
  • Traditional approaches provide authorization
    policy management for only extra-grids.
  • Global Layer approaches
      • LGI [Min05]
      • IDSA [Car04]
      • VOPS [Ver02]
      • Policy Domain Overlay [Wel03]
      • VOMS [Alf03]
  • Plug-in approaches
      • Cassandra [Bec04]
      • Multipolicy Authorization Framework [Lan06]
      • LCAS [Ste03]

7
Global Layer Approach
[Figure: a Global Layer (policy model, access control model) and three organizations]
8
Plug-in Approach
[Figure: a Global Layer (policy model, access control model) with a "deploy" arrow to each of three organizations]
9
Problems of Global Layer and Plug-in Approaches
  • Imposing too much coupling on the Grid
    environments.
  • Not scalable for a large number of heterogeneous
    Virtual Organizations (VOs).
  • Not supporting dynamic environments.

10
Research Objectives
  • Main Goal
      • Authorization policy management for open
        Inter-Grid environments of multiple dynamic and
        heterogeneous VOs.
  • Challenges
      • Management of multiple VOs
      • Dynamic Grid memberships
      • Untrusting relationship between VOs
      • Heterogeneous authorization systems
  • Our solutions
      • Dynamic policy management framework
      • Policy conflict analysis with partial information
      • Heterogeneous authorization policy management

11
Scenario: Collaboration of VOs
[Figure: Alice University, Bob University, Carol University and Dave University (Faculties, Education VO) collaborating in an Inter University Grid. Authorization systems shown: Globus w/Permis (Permis policy model, RBAC model), shown twice; TeraGrid w/Akenti (Akenti policy model, RBAC model); EGEE (EGEE policy model, DAC model)]
12
Agenda
  • Related Work & Research Objectives
  • Dynamic Policy Management Framework (DPMF)
  • Conflict Analysis with Partial Information (CAPI)
  • Heterogeneous Policy Management
  • Contributions & Future Work

13
DPMF approach
[Figure: a DPMF system (homogeneous policy management, conflict analysis with partial information, heterogeneous policy management) and three local systems (policy model, access control model), each with a "deploy" arrow and a VO]
14
Dynamic Policy Management Framework (DPMF)
  • DPMF is a hierarchical framework which aims to
    support
      • dynamic Grid membership
      • heterogeneous policy management
    for Grid environments of multiple VOs.
  • Each DPMF system contains a number of
      • Policy Agents (PAs),
      • Policy Management Agents (PMAs),
      • and a Grid Information Agent (GIA).

15
VO Model
16
DPMF Model
[Figure labels: PA (PDP), PMA (PDP), GIA (Grid Operator), policy repository, service requesters, service providers (PEP)]
17
DPMF Authorization Model (Push sequence model)
[Figure labels: Policy Decision Point (PDP); System User; Service Provider, Policy Enforcement Point (PEP)]
18
Authorization for Collaboration of Services
  • DPMF authorization services support
    authorization for collaboration of services (that
    is, multiple services).
  • The method of concluding permission conditions is
    to intersect (that is, AND) the permit
    conditions of the policies of the target
    services.
  • An authorization decision is positive if the
    permission conditions for the task are not null.

19
Permission Conditions
[Figure: the policies of service(a), service(b) and service(c) are combined with AND to give the Permission Conditions.
 Policy conditions shown:
   Time 9 to 17 Friday; Time 9 to 12 Sunday
   Time 9 to 17 Tuesday; Time 9 to 12 Sunday
   Time 9 to 17 Monday; Time 9 to 17 Friday; Time 9 to 12 Sunday
 Resulting Permission Conditions: Time 9 to 12 Sunday]
20
Scope of Policy Management in DPMF
[Figure: VO a to VO i grouped into Virtual Cluster 1, Virtual Cluster 2 and Virtual Cluster 3. Labels: PMA (heterogeneous policy management); PMA, PA (homogeneous policy management)]
21
Trust Information Table
22
Distribution of Policy Management
  • Using the information of PA trust relationships,
    the PMA can find the subject PA which is trusted
    by most PAs in a conflict analysis task.
  • PMA can delegate the task to the subject PA to
    perform conflict analysis.
  • Workload of policy management is distributed in a
    virtual cluster.

23
Workload Balancing by Task Delegation
  • L: the total policy management workload in a
    virtual cluster
  • l: the policy management workload of a PA
    (PMA inclusively)
  • n: the number of PAs in the virtual cluster
Then, the total workload is the sum of individual PA and
PMA workload which is proportional to the
number of requests and policies. Without
delegation, the PMA workload is equal to the
total workload L, that is
24
Workload Balancing by Task Delegation
With delegation, the total workload L is
distributed among the PMA and PAs, where
  • T: average percentage of trusted PAs
  • k: average number of services involved in each
    request
Therefore On average
25
Experiment on Task Delegation
26
Deployment of DPMF Authorization Module
[Figure labels: User; Globus Client; Proxy; HTTP; GRAM (Globus Resource Allocation Manager) with Gatekeeper, Job Manager and Resource/Application; Authentication service; Job management; Authorization service (Local VO); DPMF middleware; Authorization service (Remote VO). Arrow labels: use, invoke, initialize]
27
DPMF API System Flow (Generic)
[Figure: message flow between the User, the Authentication Service and the Target Services. Message labels: credential request; credential; authorization request credential; authorization request; service response; decision authorization token; policy transfer; authorization token]
28
DPMF API System Flow (Integration with Shibboleth)
[Figure: message flow between the User and the Target Services. Labels: redirect; service response; AQH; AQM; authentication request; AQR; authorization request attributes; authorization request; decision authorization token; policy transfer; authorization token]
29
DPMF Implementation
30
Agenda
  • Research Objectives
  • Dynamic Policy Management Framework (DPMF)
  • Conflict Analysis with Partial Information (CAPI)
  • Heterogeneous Policy Management
  • Contributions & Future Work

31
Conflict Analysis with Partial Information (CAPI)
  • The problem
      • In open environments, we cannot assume that the
        VOs can trust other VOs.
      • Some VOs may want to keep their policies private
        to others.
      • PMA may be unable to get all the necessary policy
        information from PAs to perform conflict analysis
        and make decisions.
  • Conflict analysis with partial information is
    needed.

32
Open Environment of Multiple VOs
33
Trust relationship
34
CAPI Assumption
35
Main Idea of CAPI Mechanism
[Figure labels: Trusting PAs (policy owner attributes, policies); Untrusting PAs (policy owner attributes); PMA; Policies; Substitution Policies]
36
Flow of CAPI
Pre-Detection Phase
Detection Phase
Post-Detection Phase
37
CAPI Pre-Detection phase
  • PMA collects policy information from trusting
    PAs.
  • PMA generates policy templates by adding data of
    evaluation element set to the collected policies.

[Figure labels: PMA, policy template database]
38
Policy Template Format
Original Policy:
  <Condition> 09 to 21 on everyday
  <Action> permit execute
  <Subject> https://192.168.0.128:443/wsrf/services/NewBookService
  <Identity> any
Policy Template Elements:
  <Evaluation element set>
    <VO size> valueString: small, valueNum: 0
    <service type> valueString: commercial, valueNum: 1
    <security level> valueString: low, valueNum: 0
  <Priority Set>
    <VO size> 0.3
    <service type> 0.4
    <security level> 0.3
39
Policy Template Format (cont'd)
  • The evaluation element set stores evaluation
    elements which are attributes of the policy
    owner.
  • The attributes are defined by the PMA which can
    include
      • Type of VO, Size of VO,
      • Type of Service provider,
      • Type of Service,
      • Security level of Service,
      • Lifetime of Service,
      • VO (PA) trust relationships
  • The priority set stores the weights of importance
    of the evaluation elements.

40
CAPI Detection phase
  • PMA generates substitution policies using the
    evaluation element set and the priority set.
  • When there is a substitution policy involved in a
    conflict, the policy would be stored in a
    Conflict Policy Set.

[Figure labels: PAs involved in a service request; PMA; policy template database; substitution policies for PA c; Conflict Policy Set]
41
Selection of Policy Template (Detection Phase)
  • Control factors defined by PMA
      • similarity value threshold
      • maximum number of substitution policies
  • Service similarity value
      • Pr: priority value
      • Ev: distance of evaluation element values of the
        policy template to the untrusting PA
  • Service similarity value 0
  • A lower service similarity value means higher
    similarity of policy owners
  • A policy template would be selected if
      • Its service similarity value similarity value
        threshold
      • Number of substitution policies maximum number
        of substitution policies

42
Generation of Substitution policies (Detection Phase)
  • For a selected policy template,
    generate a substitution policy
      • Condition substitute ← Condition template
      • Action substitute ← Action template
      • Target Identity substitute ← Identity of
        service requester

43
Conflict analysis
  • Traverse all involved policies and substitution
    policies.
  • First round
      • For all policies where the Action is to permit
        the action requested by the user,
        intersect the Conditions of these policies.
      • Record the resulting Condition as Permission
        Conditions.
  • Second round
      • For each policy where the Action is to deny the
        action requested by the user:
        if its Condition has an intersection with the
        Permission Conditions, record the policy into
        the Conflict Policy Set.

44
CAPI Post-Detection phase
  • If Permission Conditions is not null, PMA sends
    the Conflict Policy Set to untrusting PA(s).
  • PMA queries them to see if the corresponding
    service(s) have any of the policies in the Conflict
    Policy Set.

[Figure: the PMA sends the Conflict Policy Set to PA c (untrusting), which sends a reply]
45
Untrusting PAs' policy checking (Post-Detection Phase)
  • The untrusting PA compares its policy set
    (Policy)untrust to the Conflict Policy Set.
  • A pair of policies (Policy)untrust and
    (Policy)conflict is matched if it satisfies all
    three criteria:
      • (Condition)conflict is a subset of
        (Condition)untrust
      • (Action)conflict is a subset of (Action)untrust
      • (Identity)conflict is a subset of
        (Identity)untrust
  • The untrusting PA sends the number of certified
    conflict policies to PMA for decision making.
  • PMA makes a positive authorization decision if the
    number is zero.
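
The two rounds of conflict analysis and the untrusting PA's subset check described above, together with the permit-condition intersection from the "Authorization for Collaboration of Services" slide, as an added Python example (not code from the presentation or from the DPMF implementation). The `Policy` fields, the identities and the policies held by PA c are assumptions; only the time periods follow the Permission Conditions slide, and an Action is modelled as (effect, operation) pairs.

```python
from dataclasses import dataclass

def slots(day, start, end):
    """Hour slots [start, end) on one weekday, as (day, hour) pairs."""
    return frozenset((day, h) for h in range(start, end))

@dataclass(frozen=True)
class Policy:
    owner: str             # service (PA) the policy belongs to or stands in for
    actions: frozenset     # (effect, operation) pairs, e.g. ("permit", "execute")
    identities: frozenset  # requester identities the policy covers
    condition: frozenset   # time slots in which the policy applies

def conflict_analysis(policies, operation):
    """Run by the PMA: returns (Permission Conditions, Conflict Policy Set)."""
    permits = [p.condition for p in policies if ("permit", operation) in p.actions]
    # First round: AND (intersect) the Conditions of every permitting policy.
    permission = frozenset.intersection(*permits) if permits else frozenset()
    # Second round: denying policies whose Condition overlaps that result.
    conflicts = [p for p in policies
                 if ("deny", operation) in p.actions and p.condition & permission]
    return permission, conflicts

def count_certified(conflict_set, own_policies):
    """Run by the untrusting PA against its private policies."""
    def matched(c, u):  # all three subset criteria must hold
        return (c.condition <= u.condition and c.actions <= u.actions
                and c.identities <= u.identities)
    return sum(any(matched(c, u) for u in own_policies) for c in conflict_set)

def decide(permission, certified):
    """Positive only if Permission Conditions are not null and nothing is certified."""
    return bool(permission) and certified == 0

# Constructed sample data; time values follow the slides, the rest is assumed.
EXEC_OK = frozenset({("permit", "execute")})
EXEC_NO = frozenset({("deny", "execute")})
ALICE = frozenset({"alice"})
known = [  # policies from trusting PAs, plus substitution policies for service c
    Policy("a", EXEC_OK, ALICE, slots("Fri", 9, 17) | slots("Sun", 9, 12)),
    Policy("b", EXEC_OK, ALICE, slots("Tue", 9, 17) | slots("Sun", 9, 12)),
    Policy("c-substitute", EXEC_OK, ALICE,
           slots("Mon", 9, 17) | slots("Fri", 9, 17) | slots("Sun", 9, 12)),
    Policy("c-substitute", EXEC_NO, ALICE, slots("Sun", 11, 13)),
]
# What untrusting PA c really holds; the PMA never sees this list.
private_c = [Policy("c", EXEC_NO, frozenset({"alice", "bob"}), slots("Sun", 10, 14))]

def run_example():
    permission, conflicts = conflict_analysis(known, "execute")
    certified = count_certified(conflicts, private_c)
    return permission, conflicts, certified, decide(permission, certified)

if __name__ == "__main__":
    print(run_example())
```

Only the count of certified conflict policies leaves PA c, so the PMA reaches a decision without reading `private_c`.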

46
Why CAPI works
  • If
      • Correlation of service similarity and policy
        similarity is high and
      • Number of substitution policies is larger than
        that of unknown policies.
  • Then
      • Permission Conditions (by CAPI) is a subset of
        the true Permission Conditions and
      • Conflict Policy Set (by CAPI) is a super-set of
        the true one.
  • Thus
      • Resultant Permission Conditions is valid for both
        the trusting and untrusting PAs.
      • Untrusting PAs checking the Conflict Policy Set
        is sufficient to ensure absence of conflicting
        policies.

47
Experiment on CAPI
  • Experimental factors
      • Correlation of service similarity and policy
        similarity (CoSP)
          • This factor controls whether "similar service
            environment -> similar policy set" holds.
      • Maximum number of substitution policies
          • This factor controls the maximum number of
            substitution policies to be selected.
      • Similarity threshold to select substitution
        policies
          • This factor controls the scope of selecting
            substitution policies. A large threshold means
            tolerating less similar service environments.
      • Occurrence rate of opposite policies
          • This factor controls how often an opposite policy
            exists in the overall policy pool.

48
Similarity of Policies
  • Three performance indexes are used to measure the
    similarity of generated substitution policy set
    to the policy set of untrusting PAs.
      • Positive Match (PM)
      • Negative Match (NM)
      • Policy Similarity (PS)

49
Evaluation
  • In the experiments, we control the correlation
    of service similarity and policy similarity
    (CoSP).
  • policy similarity = PS
  • service similarity = 1 - service similarity
    value
  • 0 CoSP 1

50
Part A: correlation of service similarity and
policy similarity (CoSP)
51
Observation for results in part A
  • Higher (CoSP)
      → 1. Higher Positive Match (PM)
      → 2. Lower Negative Match (NM)
      → 3. Higher Policy Similarity (PS)
  • PM grows exponentially
  • PS grows linearly
52
Part B: max. num. of substitution policies
[Figure: result plots, labelled 10, 20, 30 and 40]
53
Observation for results in part B
  • (max number of substitution policies) does not
    significantly affect PM and NM
  • Higher (max number of substitution policies)
      → Higher Policy Similarity

54
Part C: similarity threshold
[Figure: result plots, labelled 1, 0, 3 and 2]
55
Observation for results in part C
  • Higher (similarity threshold)
      → 1. Lower Positive Match (PM)
      → 2. Higher Negative Match (NM)
      → 3. Lower Policy Similarity (PS)
      → 4. Graphs of PM, NM, PS become more irregular

56
Part D: occurrence rate of opposite policy
[Figure: result plots, labelled 3, 2, 4 and 5]
57
Observation for results in part D
  • Higher (rate of opposite policy)
      → Higher negative match (NM)
  • (rate of opposite policy) does not significantly
    affect PM and PS

58
Overall Observations
  • (CoSP) and (similarity threshold)
    significantly affect PM, NM, PS
  • According to Part D, to ensure that PM > NM
      • (CoSP) > (rate of opposite policy) × 10
  • According to Part B and C, to achieve a low NM
      • 1. Low (similarity threshold)
      • 2. Small (max. no. substitution policies), but it
        needs to be larger than the size of the policy set
        of the untrusting VO

59
Agenda
  • Related Work & Research Objectives
  • Dynamic Policy Management Framework (DPMF)
  • Conflict Analysis with Partial Information (CAPI)
  • Heterogeneous Policy Management
  • Contributions & Future Work

60
Flow of Heterogeneous Policy Management
[Figure: flow between the User, PAs, the PMA and the GIA. Step labels, in the order shown: Request authorization; Forward request; Request maps; Request policies; Account mapping; Policy mapping; Conflict analysis, Conclusion of permission condition; Authorization Decision]
61
Account Mapping
62
Account Mapping
[Figure labels: PAs, Local Accounts; GIA, Account Map]
63
Policy Mapping
[Figure labels: Local policy schema (Virtual Cluster A); Local policy schema (Virtual Cluster B); Meta-schema taxonomy]
64
Meta-Schema Taxonomy
  • A collection of meta-schema elements.
  • The taxonomy is divided into categories, for
    example
      • Condition
      • Action
      • Identity
      • Other
  • Example elements for Condition category
      • Time Period: Time, Time
      • Event: String
      • Expired Time: Time

65
Policy Schema Map
  • Pointers from elements in the local policy schema
    to those in the meta-schema taxonomy

66
Policy Schema Map
67
Policy Schema Map
[Figure labels: PAs, Local Policy Schema; GIA, Meta-Schema Taxonomy, Policy Schema Maps]
68
Inter-Schema Map
[Figure labels: Policy Schema Map A with VO identity (A), Meta-Schema Taxonomy, Local Policy Schema (A); Policy Schema Map B with VO identity (B), Meta-Schema Taxonomy, Local Policy Schema (B)]
69
Inter-Schema Map
[Figure label: OR]
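
One way to build and apply an inter-schema map, assuming it is obtained by joining two Policy Schema Maps on the taxonomy element both point to (added example, not code from the presentation; the slides show only the inputs). Only the Condition elements come from the Meta-Schema Taxonomy slide; the Action and Identity entries and all local element names are hypothetical.

```python
# Categories and Condition elements follow the taxonomy slide; the Action and
# Identity elements are assumed for illustration.
TAXONOMY = {
    "Condition": {"Time Period", "Event", "Expired Time"},
    "Action": {"Operation"},
    "Identity": {"Subject Name"},
}
# Policy Schema Maps: local element -> (category, taxonomy element). Constructed.
MAP_A = {
    "valid_hours": ("Condition", "Time Period"),
    "trigger": ("Condition", "Event"),
    "operation": ("Action", "Operation"),
    "user_dn": ("Identity", "Subject Name"),
}
MAP_B = {
    "TimeWindow": ("Condition", "Time Period"),
    "Verb": ("Action", "Operation"),
    "Principal": ("Identity", "Subject Name"),
}

def check_map(schema_map):
    """Reject pointers that do not name an element of the taxonomy."""
    for local, (category, element) in schema_map.items():
        if element not in TAXONOMY.get(category, ()):
            raise ValueError(f"{local}: no taxonomy element {category}/{element}")

def inter_schema_map(src_map, dst_map):
    """Join two Policy Schema Maps on the taxonomy element they point to."""
    check_map(src_map)
    check_map(dst_map)
    by_meta = {meta: local for local, meta in dst_map.items()}
    # None marks a source element with no counterpart in the destination schema.
    return {local: by_meta.get(meta) for local, meta in src_map.items()}

def translate(policy, inter_map):
    """Rename a policy's elements; fail closed on anything untranslatable."""
    missing = [k for k in policy if inter_map.get(k) is None]
    if missing:
        # Silently dropping an element (e.g. a Condition) would widen the policy.
        raise LookupError(f"no counterpart for: {', '.join(sorted(missing))}")
    return {inter_map[k]: v for k, v in policy.items()}

if __name__ == "__main__":
    a_to_b = inter_schema_map(MAP_A, MAP_B)
    print(translate({"valid_hours": "09-17", "operation": "execute",
                     "user_dn": "alice"}, a_to_b))
```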
70
Example of Policy Mapping (Policy Core
Information Model versus SAML) (I)
  • Meta-Schema Taxonomy

71
  • Policy Core Information Model

Local Policy Schema
72
  • SAML

Local Policy Schema
73
Inter-Schema Map for mapping SAML to IETF Policy
Core Information Model
74
Experiment on Processing Time of Heterogeneous
Policy Management
75
Experiment on Processing Time of Heterogeneous
Policy Management
  • p: percentage of services on heterogeneous
    virtual clusters in the environment
  • n: average number of services involved in each
    request
  • The probability of initializing the Heterogeneous
    Policy Management mechanism is
    $1 - (1 - p)^n$

76
Agenda
  • Related Work & Research Objectives
  • Dynamic Policy Management Framework (DPMF)
  • Conflict Analysis with Partial Information (CAPI)
  • Heterogeneous Policy Management
  • Contributions & Future Work

77
Contributions (I)
  • DPMF architecture
      • Support authorization policy management for
        multiple-VOs Grid environments.
  • Advantages
      • To deploy DPMF, the VOs do not need to deploy a
        new authorization system.
      • Support dynamic Grid memberships.
      • Support task delegation such that the
        authorization workload can be shared among the
        VOs.

78
Contributions (II)
  • CAPI mechanism
      • Enable authorization decision making when the
        authorization policy information is incomplete.
      • Calculate the similarities between service
        providers to generate substitutions of the
        incomplete policy information (unknown policies).

79
Contributions (III)
  • Heterogeneous Policy Management mechanism
      • Authorization between VOs of heterogeneous
        authorization systems.
      • Use account mapping and policy mapping
        mechanisms.
  • Implementation of DPMF system
      • We have implemented the DPMF system and
        performed experiments to evaluate its
        performance.

80
Future Work (I)
  • There are many different P2P applications using
    different P2P systems.
      • How to support their collaborations?
      • Can DPMF be used in P2P environments?
  • Challenges
      • Authentication in P2P is not compulsory.
      • Malicious hosts.
      • Free-riders.

81
Future Work (II)
  • Malicious host
      • Malicious hosts may provide incorrect policy
        information.
      • Mechanisms to detect or prevent malicious
        information are essential.
  • Free-rider
      • Free-riders are the VOs or hosts which are not
        willing to share the DPMF policy management
        tasks.
      • This problem may be significant in environments
        without authentication.

82
Welcome for Questions
  • Thank You

83
References (I)
  • [Car04] B.E. Carpenter and P.A. Janson.
    Abstract Interdomain Security Assertions: A
    Basis for extra-grid virtual organizations, IBM
    Systems Journal, Vol. 43, No. 4, 2004, pp.
    689-701.
  • [Min05] Naftaly Minsky. Law Governed Interaction
    (LGI): A Distributed Coordination and Control
    Mechanism, Rutgers University Technical
    Report, October 2005.
  • [Ver02] Dinesh Verma, Sambit Sahu, Seraphin Calo,
    Manid Beigi, and Isabella Chang. A Policy
    Service for GRID Computing, M. Parashar (Ed.),
    GRID 2002, LNCS 2536, pp. 243-255.
  • [Wel03] Von Welch, Frank Siebenlist, Ian Foster,
    John Bresnahan, Karl Czajkowski, Jarek Gawor,
    Carl Kesselman, Sam Meder, Laura Pearlman, and
    Steven Tuecke. Security for Grid Services, in
    Proceedings of the 12th IEEE International
    Symposium on High Performance Distributed
    Computing (HPDC'03).

84
References (II)
  • [Alf03] R. Alfieri, R. Cecchini, et al. VOMS, an
    Authorization System for Virtual Organizations,
    1st European Across Grids Conference, Santiago de
    Compostela, February 13-14, 2003.
  • [Lan06] B. Lang, I. Foster, F. Siebenlist, R.
    Ananthakrishnan, T. Freeman. A Multipolicy
    Authorization Framework for Grid Security, in
    Proceedings of the Fifth IEEE Symposium on
    Network Computing and Application, Cambridge,
    USA, July 24-26, 2006.
  • [Bec04] Moritz Y. Becker and Peter Sewell.
    Cassandra: Distributed Access Control Policies
    with Tunable Expressiveness, Proceedings of the
    Fifth IEEE International Workshop on Policies for
    Distributed Systems and Networks (POLICY'04),
    2004.
  • [Ste03] M. Steenbakkers. Guide to LCAS Version
    1.1.16, Document of the European DataGrid
    Project, 15 September 2003.