Policy-Based Dynamic Negotiation for Grid Services Authorization - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Policy-Based Dynamic Negotiation for Grid Services Authorization
  • Ionut Constandache, Daniel Olmedilla, Wolfgang
    Nejdl
  • Semantic Web Policy Workshop, ISWC05
  • Galway, Ireland, 7th November 2005

2
Motivating Scenario (I): Grid Limitations
3
Policy-Driven Negotiation (I): Characteristics
  • Both client and servers are semantically annotated with policies
  • Annotations
    - specify constraints and capabilities
      - access control requirements
      - which certificates must be presented to gain access to it
      - who is responsible for obtaining and presenting these certificates
    - are used during a negotiation
      - to reason about and to communicate the need to see certain credentials from the other party
      - to determine whether requested credentials can be obtained and revealed.
  • User involvement is drastically reduced in favor of automated interactions.

4
Policy-Driven Negotiation (II): Example
[Figure: negotiation between Bob and Alice, annotated with Security and Privacy policies]
5
Policy-Driven Negotiation on the Grid (I): Example scenario
[Figure: example scenario; callouts:]
  • Server informs the client about its access control policy
  • The delegated certificate is used to retrieve the requested certificates, with only one certificate to access the online repository
6
Policy-Driven Negotiation on the Grid (II): Enhanced Characteristics
  • Distributed authorization mechanisms
    - Driven by policies, not hardcoded
    - Bilateral policy specification
    - Access is negotiated
  • Dynamic credential fetching
    - Now possible to use discovery and scheduling services to locate the best available resources
    - Otherwise, impossible to predict beforehand which exact service instances would be used and which certificates would be required
  • Capability-based authorization architecture
    - Instead of identity-based
    - No previous trust relationships required
  • Monitoring and explanation of authorization decisions
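The bilateral negotiation sketched on slide 3 and in the example scenario of slides 5 and 6 (policies on both sides, a credential released only once the peer has shown what the release policy demands, a missing credential fetched from an online repository with a single delegated certificate), as an added example in Python. This is a constructed model written for this page, not the GridPeerTrust/GT4 implementation the slides describe; the Credential, Party, Repository and negotiate names and the Alice/Bob data are assumptions made for illustration. It also exercises two outcomes the slides only mention: a circular release policy on which neither side can move, and a cap on the number of negotiation rounds (the "limit number of iterations" item under further work).

```python
"""Bilateral trust negotiation between a grid client and a grid service.
Constructed model for this page, not the GridPeerTrust / GT4 implementation."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Credential:
    kind: str    # credential type, e.g. "UserCert"
    holder: str  # subject it was issued to
    issuer: str  # CA or delegator that signed it


class Repository:
    """Online credential repository: one delegated proxy ("ProxyCert")
    unlocks every credential stored for its holder (slide 5)."""

    def __init__(self, store: dict[str, dict[str, Credential]]):
        self._store = store  # holder -> {kind: Credential}

    def fetch(self, proxy: Credential, kind: str) -> Optional[Credential]:
        if proxy.kind != "ProxyCert":
            return None
        return self._store.get(proxy.holder, {}).get(kind)


@dataclass
class Party:
    name: str
    local: dict[str, Credential]  # credentials held locally, by kind
    # release policy: before `kind` is disclosed the peer must already have
    # shown every kind listed for it; kinds without an entry are released freely
    release_policy: dict[str, frozenset[str]]
    repository: Optional[Repository] = None
    received: dict[str, Credential] = field(default_factory=dict)

    def missing_for(self, kind: str) -> set[str]:
        """Kinds the peer still has to show before this party releases `kind`."""
        return set(self.release_policy.get(kind, frozenset())) - set(self.received)

    def obtain(self, kind: str) -> Optional[Credential]:
        """Local credential, or one fetched dynamically with the delegated proxy."""
        if kind in self.local:
            return self.local[kind]
        proxy = self.local.get("ProxyCert")
        if proxy is None or self.repository is None:
            return None
        cred = self.repository.fetch(proxy, kind)
        if cred is not None:
            self.local[kind] = cred
        return cred


def negotiate(client: Party, service: Party, access_policy: set[str],
              max_rounds: int = 6) -> tuple[bool, list[str]]:
    """Alternate requests until the service's access policy (credential kinds the
    client must present) is met, nobody can move, or the round cap is reached."""
    transcript: list[str] = []
    wants = {service.name: set(access_policy), client.name: set()}
    for rnd in range(1, max_rounds + 1):
        progress = False
        for requester, responder in ((service, client), (client, service)):
            for kind in sorted(wants[requester.name] - set(requester.received)):
                missing = responder.missing_for(kind)
                if missing:  # counter with this party's own requirement
                    transcript.append(f"r{rnd} {responder.name}->{requester.name}: "
                                      f"show {sorted(missing)} before I release {kind}")
                    if not missing <= wants[responder.name]:
                        wants[responder.name] |= missing
                        progress = True
                    continue
                cred = responder.obtain(kind)
                if cred is None:
                    transcript.append(f"r{rnd} {responder.name} cannot obtain {kind}: failed")
                    return False, transcript
                requester.received[kind] = cred
                transcript.append(f"r{rnd} {responder.name}->{requester.name}: "
                                  f"{kind} (issuer {cred.issuer})")
                progress = True
        if set(access_policy) <= set(service.received):
            transcript.append(f"r{rnd} access granted")
            return True, transcript
        if not progress:
            transcript.append(f"r{rnd} deadlock: neither side can release anything more")
            return False, transcript
    transcript.append(f"aborted after {max_rounds} rounds")
    return False, transcript


def scenario(mutual_dependency: bool = False, max_rounds: int = 6) -> tuple[bool, list[str]]:
    """Constructed data. Alice (client) holds only a delegated proxy; her UserCert
    sits in the repository and she releases it only after seeing Bob's ServerCert.
    With mutual_dependency, Bob in turn wants the UserCert before showing his cert."""
    repo = Repository({"alice": {"UserCert": Credential("UserCert", "alice", "GridCA")}})
    alice = Party("Alice", {"ProxyCert": Credential("ProxyCert", "alice", "alice")},
                  {"UserCert": frozenset({"ServerCert"})}, repository=repo)
    bob_policy = {"ServerCert": frozenset({"UserCert"})} if mutual_dependency else {}
    bob = Party("Bob", {"ServerCert": Credential("ServerCert", "bob", "GridCA")}, bob_policy)
    return negotiate(alice, bob, {"UserCert"}, max_rounds)


if __name__ == "__main__":
    for label, kwargs in (("ok", {}), ("cycle", {"mutual_dependency": True}),
                          ("capped", {"max_rounds": 1})):
        granted, log = scenario(**kwargs)
        print(label, granted, *log, sep="\n  ")
```

In the plain run Bob asks for the UserCert, Alice counters with her privacy policy (show me your ServerCert first), Bob releases it, and in the second round Alice fetches her UserCert from the repository with the proxy and hands it over. The cycle variant never makes progress after the first round and is reported as a deadlock rather than looping; the capped variant shows why a round limit needs an explicit failure path.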

7
Policy-Driven Negotiation on the Grid (III): Implementation on Globus Toolkit 4.0
  • Directly integrated with the grid services paradigm
  • Extension to GSI, pluggable into any GT4.0 compliant grid service or client
    - Only requirement: Java-based grid services
  • We use
    - Custom PDP as part of the Client Call Interceptor
      - Redirects to a negotiation if required
    - Asynchronous negotiations are achieved through WS-BaseNotification and WS-Topics
    - CAS integration into negotiations
    - API for easy integration within client code

8
Policy-Driven Negotiation on the Grid (IV): Architecture
[Figure: architecture diagram; descriptor fragments shown on the slide:]
  • Service wsdl file:
    <wsdl:import namespace="http://linux.egov.pub.ro/ionut/TrustNegotiation.wsdl" location="TrustNegotiation.wsdl"/>
  • Service Deployment Descriptor:
    <parameter name="providers" value="SubscribeProvider GetCurrentMessageProvider g4mfs.impl.gridpeertrust.net.server.TrustNegotiationProvider"/>
    <parameter name="securityDescriptor" value="share/schema/gt4ide/MathService/mysec.xml"/>
9
Conclusions and Future Work (I): Conclusions
  • Main Features
    - Self-describing resources for access requirements
      - Based on properties
    - Dynamic negotiation for service authorization
    - Automatic credential fetching
  • Implementation in Java
    - Extension of GSI in GT4.0
    - Backwards compatible

10
Conclusions and Future Work (II): Further Work
  • Study performance impact of negotiations
    - And approaches to minimize the extra load
      - Limit number of iterations
        - E.g. 2-step negotiations
      - Advertise policies before the service is invoked
  • Improve credential repositories
    - Integration of trust negotiation (TN) in MyProxy
  • Investigate the use of XACML
  • Delegation not yet supported but planned
  • Use of traceable negotiations
    - E.g. monitoring or accounting

11
Thanks!
Questions? olmedilla@l3s.de - http://www.l3s.de/olmedilla/
12
Implementation in GT4: Easy Integration with Current Grid Services
  • Service
    - include one jar file containing the policy based trust negotiation engine
    - minor add-ons to the service wsdl file (import one wsdl file and extend one port type) and wsdd file (add one more provider and install a security descriptor)
    - have a resource (if not available)
    - re-deploy the service
  • Client
    - use one jar file containing the policy based trust negotiation engine
    - invoke the service as usual / or call directly for a trust negotiation process
    - look for authorization exceptions and, if one is triggered by a trust negotiation failure, make simple calls to the negotiation engine

13
Integration into Globus Toolkit 4.0 (I): Grid Service Descriptor
  • Descriptors
    - grid service descriptor (wsdl file)
      <wsdl:import namespace="http://.../TrustNegotiation.wsdl" location="TrustNegotiation.wsdl"/>
      <portType name="GridService" wsdlpp:extends="... wsntw:NotificationProducer wstn:TrustNegotiation ...">
    - TrustNegotiation.wsdl defines the data types and functions for exchanging trust negotiation messages
  • The grid service should extend the NotificationProducer port type (used for asynchronous communication with the client) and the TrustNegotiation port type (used for exposing the functions used by the client to push proofs/requirements to the grid service).

14
Integration into Globus Toolkit 4.0 (II): Grid Service Deployment Descriptor
  • Descriptors
    - grid service deployment descriptor (wsdd file)
      <parameter name="providers" value="SubscribeProvider GetCurrentMessageProvider TrustNegotiationProvider"/>
    - Rely on GT4.0 providers for notification usage and use a TrustNegotiationProvider implementing the logic for policy based dynamic negotiation
      <parameter name="securityDescriptor" value="./.../mysec.xml"/>
    - Install a security descriptor specifying the use of a PDP for filtering client calls/managing authorization information.

15
Integration into Globus Toolkit 4.0 (III): Requirements
  • Resource
    - the grid service should use a resource implementing TopicListAccessor
    - a topic would be added by TrustNegotiationProvider for trust negotiation (using this topic the service pushes proofs/requirements to the client side)

16
[Figure: sequence diagram between Client and Service]
17
Client/Service interaction, steps in order:
1. Requests create resource
2. Creates the resource
3. Operation called on the resource
4. Client is not authorized to make the call: throw an exception.
5. Catch the exception
6. Client calls getNegotiationTopic() and receives the QName of the negotiation topic.
7. Register with TrustNegotiation Topic for notifications
8. Client calls trustNegotiation() operation for sending client policies and proofs
9. Notify the client about service policies and further requirements
10. Operation executed on resource if the trust negotiation process was successful
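The ten-step client/service exchange above, together with the client-side checklist of slide 12 (invoke as usual, catch the authorization exception, then make a few calls to the negotiation engine) and the custom PDP in the client call interceptor of slide 7, as an added Python model. It is not the Globus/GT4 Java code; AuthorizationException, Topic, TrustNegotiationPDP, GridService, GridClient, the QName tn:NegotiationTopic and the alice/counter data are assumptions made for illustration. The negotiation itself is the two-step form mentioned under further work: the client first sends no proofs and learns the service policy from the notification, then releases only the credential kinds that were asked for.

```python
"""Client/service call flow with a trust-negotiation PDP in the call interceptor.
Constructed model of the ten steps on the slide, not GT4 code."""
from __future__ import annotations

from dataclasses import dataclass


class AuthorizationException(Exception):
    """Raised by the PDP in the client call interceptor (step 4)."""


@dataclass(frozen=True)
class Proof:
    kind: str    # credential type, e.g. "VOMembership"
    holder: str  # subject the credential belongs to


class Topic:
    """Stand-in for a WS-Topics topic with WS-BaseNotification style push."""

    def __init__(self, qname: str):
        self.qname = qname
        self._subscribers = []

    def subscribe(self, callback) -> None:
        self._subscribers.append(callback)

    def notify(self, message: dict) -> None:
        for callback in self._subscribers:
            callback(message)


class TrustNegotiationPDP:
    """Custom PDP: a client is authorized once it has shown every credential
    kind in the service's access policy; proofs accumulate across rounds."""

    def __init__(self, required: set[str]):
        self.required = frozenset(required)
        self.presented: dict[str, set[str]] = {}

    def check(self, client_id: str) -> None:
        if not self.required <= self.presented.get(client_id, set()):
            raise AuthorizationException(f"{client_id} not authorized: negotiate first")

    def evaluate(self, client_id: str, proofs: list[Proof]) -> set[str]:
        """Record the proofs and return the kinds the client still has to show."""
        shown = self.presented.setdefault(client_id, set())
        shown.update(p.kind for p in proofs if p.holder == client_id)
        return set(self.required - shown)


class GridService:
    NEGOTIATION_TOPIC = "tn:NegotiationTopic"  # hypothetical QName

    def __init__(self, required: set[str]):
        self.pdp = TrustNegotiationPDP(required)
        self.topics = {self.NEGOTIATION_TOPIC: Topic(self.NEGOTIATION_TOPIC)}
        self.resources: dict[str, int] = {}

    def create_resource(self, key: str) -> str:              # steps 1-2
        self.resources[key] = 0
        return key

    def add(self, client_id: str, key: str, n: int) -> int:  # step 3
        self.pdp.check(client_id)                             # step 4, interceptor
        self.resources[key] += n
        return self.resources[key]

    def get_negotiation_topic(self) -> str:                   # step 6
        return self.NEGOTIATION_TOPIC

    def subscribe(self, qname: str, callback) -> None:        # step 7
        self.topics[qname].subscribe(callback)

    def trust_negotiation(self, client_id: str, proofs: list[Proof]) -> None:  # step 8
        missing = self.pdp.evaluate(client_id, proofs)
        self.topics[self.NEGOTIATION_TOPIC].notify({          # step 9
            "client": client_id,
            "service_policy": sorted(self.pdp.required),
            "further_requirements": sorted(missing),
        })


class GridClient:
    """Invoke as usual; on an authorization exception run a two-step
    negotiation and retry (client checklist of slide 12)."""

    def __init__(self, client_id: str, service: GridService, wallet: list[Proof]):
        self.client_id = client_id
        self.service = service
        self.wallet = wallet
        self.notifications: list[dict] = []

    def _on_notify(self, msg: dict) -> None:
        if msg["client"] == self.client_id:
            self.notifications.append(msg)

    def call_add(self, key: str, n: int) -> int:
        try:
            return self.service.add(self.client_id, key, n)              # step 3
        except AuthorizationException:                                    # step 5
            qname = self.service.get_negotiation_topic()                  # step 6
            self.service.subscribe(qname, self._on_notify)                # step 7
            self.service.trust_negotiation(self.client_id, [])            # step 8, no proofs yet
            asked = set(self.notifications[-1]["further_requirements"])   # step 9
            # second round: minimal disclosure, release only what was asked for
            self.service.trust_negotiation(
                self.client_id, [p for p in self.wallet if p.kind in asked])
            still = self.notifications[-1]["further_requirements"]
            if still:
                raise AuthorizationException(f"negotiation failed, still missing {still}") from None
            return self.service.add(self.client_id, key, n)              # step 10


def run(wallet_kinds: list[str]) -> tuple[int, int]:
    """Constructed scenario: returns (operation result, notifications received)."""
    service = GridService(required={"UserCert", "VOMembership"})
    key = service.create_resource("counter-1")
    client = GridClient("alice", service, [Proof(k, "alice") for k in wallet_kinds])
    return client.call_add(key, 5), len(client.notifications)


def denied(wallet_kinds: list[str]) -> bool:
    """True when the negotiation cannot satisfy the service's access policy."""
    try:
        run(wallet_kinds)
    except AuthorizationException:
        return True
    return False
```

A client holding UserCert, VOMembership and an unrelated Passport credential gets the operation executed after two notifications and never releases the Passport; a client holding only UserCert ends with a notification naming VOMembership as the further requirement, which is the explanation of the denial that the monitoring item on slide 6 asks for.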