Policy Management for OGSA Applications as Grid Services (PowerPoint presentation transcript)

Provided by: mcnc9
Slides: 18
Learn more at: https://www.mcs.anl.gov

Transcript and Presenter's Notes
1
Policy Management for OGSA Applications as Grid Services
  • Lavanya Ramakrishnan

2
Overview
  • Motivation
  • Architecture
  • Scenarios
  • Implementation
  • Future Directions

3
Policy requirements
  • The system may be
      • a personal IR system
      • a shared IR system
      • shared services from different domains
  • Various levels of security
      • Method
      • Service data
      • Factory
  • Dynamic policy
  • Security should be independent of application logic
  • Tedious to write policy files
  • Persistent queries

[Diagram: GridIR (Grid Information Retrieval) components: Collection Manager, Indexer, Query Processor]
4
Architecture
[Diagram: PolicyManager Service, Authorization Service, Policy Store and Policy Cache, linked by Policy Change notifications and Fetch Policy calls]
5
Features
  • Separation of duty
      • Between policy management and decision points
  • Synchronization of policy
  • Policy Management is data intensive
  • Authorization Service is compute intensive
  • Scalability of functionalities
  • Flexibility
      • Authorization at various levels
  • Pluggability
      • Application specific security independent of application logic

6
Features
  • Dynamic Policy
      • Policy can be updated through the PolicyManager
      • Notification passes from the PolicyManager to the AuthorizationService
  • Trust between two entities
      • Reduces exposure of functionality
      • Only Service Owners can change policy
      • Authorization services can access only specific policies
      • Registered services will have access to the Authorization Service
      • Can be run as secure services
  • Usability
      • Graphical user interface to write policy

7
Discussions - Scenarios
  • Personal Policy Manager and Authorization Service

[Diagram: a Virtual Organization with one personal PolicyManager and Authorization Service]
8
Discussions - Scenarios
  • Group Policy Manager and Authorization Service

[Diagram: a Virtual Organization in which several Applications share one Authorization service and one PolicyManager]
9
Discussions - Scenarios
  • Multiple Policy Manager and Authorization Service

[Diagram: several PolicyManagers (VO policies, common policies, local policies, dynamic policies based on load, etc.) feeding several Authorization services; an Application receives one decision through Decision Merging, with policies to merge decisions and local policies to be enforced in the VO]
10
Service Creation Time
[Diagram: OGSA Service Factory, Authorization Service Factory, Authorization Service, OGSA Service Instance, PolicyManager GUI Client, PolicyManagerService]
11
Service Call Time
[Diagram: OGSA Service Client, OGSA Service Instance, AuthorizationService containing an XACML PDP, PolicyManagerService]
12
Policy Representation - 1
  <Policy PolicyId="Policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:...">
    <Target>
      <ResourceMatch MatchId="string-equal">
        <AttributeValue DataType="string">GSH of the service</AttributeValue>
        <ResourceAttributeDesignator DataType="string" AttributeId="resource-id"/>
      </ResourceMatch>
    </Target>
    <Rule RuleId="AccessRuleForOperationName" Effect="Permit">
      <Target>
        <Action>
          <ActionMatch MatchId="string-equal">
            <AttributeValue DataType="xsd:string">OperationName</AttributeValue>
            <ActionAttributeDesignator DataType="string" AttributeId="MethodName"/>
          </ActionMatch>
        </Action>
      </Target>  <!-- closing Target restored; it is missing on the slide -->

13
Policy Representation - 2
      <Condition FunctionId="or">
        <Apply FunctionId="string-equal">
          <AttributeValue DataType="string">Distinguished Name of client</AttributeValue>
          <Apply FunctionId="string-one-and-only">
            <EnvironmentAttributeDesignator DataType="string" AttributeId="DN"/>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="FinalRule" Effect="Deny"/>
  </Policy>
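To show how the policy on slides 12 and 13 is meant to be decided, here is an added example (not code from the presentation or from the GridIR project) that parses a policy written in the slides' abbreviated XACML shape and evaluates it against a request. It assumes the slide's short FunctionId/MatchId names (string-equal, string-one-and-only, or) rather than the full XACML 1.0 URNs, uses first-applicable rule combining, and the GSH, operation name and client DNs are constructed sample values. It also handles the edge case the slides do not spell out: a caller with no DN makes string-one-and-only fail, which yields Indeterminate rather than a Permit.

```python
import xml.etree.ElementTree as ET

# Constructed policy in the abbreviated XACML shape used on slides 12 and 13.
# The GSH, the operation name and the DNs are made-up sample values.
POLICY_XML = """<Policy PolicyId="Policy" RuleCombiningAlgId="first-applicable">
  <Target>
    <ResourceMatch MatchId="string-equal">
      <AttributeValue DataType="string">https://example.invalid/ogsa/indexer/1</AttributeValue>
      <ResourceAttributeDesignator DataType="string" AttributeId="resource-id"/>
    </ResourceMatch>
  </Target>
  <Rule RuleId="AccessRuleForQuery" Effect="Permit">
    <Target><Action><ActionMatch MatchId="string-equal">
      <AttributeValue DataType="string">query</AttributeValue>
      <ActionAttributeDesignator DataType="string" AttributeId="MethodName"/>
    </ActionMatch></Action></Target>
    <Condition FunctionId="or">
      <Apply FunctionId="string-equal">
        <AttributeValue DataType="string">/O=Grid/OU=Example/CN=Alice</AttributeValue>
        <Apply FunctionId="string-one-and-only">
          <EnvironmentAttributeDesignator DataType="string" AttributeId="DN"/>
        </Apply>
      </Apply>
      <Apply FunctionId="string-equal">
        <AttributeValue DataType="string">/O=Grid/OU=Example/CN=Bob</AttributeValue>
        <Apply FunctionId="string-one-and-only">
          <EnvironmentAttributeDesignator DataType="string" AttributeId="DN"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>"""


def _eval_expr(node, env):
    """Evaluate a Condition/Apply subtree. Designators return bags (lists), as in XACML."""
    tag = node.tag
    if tag == "AttributeValue":
        return node.text or ""
    if tag == "EnvironmentAttributeDesignator":
        return env.get(node.get("AttributeId"), [])
    if tag in ("Apply", "Condition"):
        fn = node.get("FunctionId")
        args = [_eval_expr(child, env) for child in node]
        if fn == "string-one-and-only":
            if len(args[0]) != 1:  # empty or multi-valued bag: the rule is Indeterminate
                raise ValueError("string-one-and-only needs exactly one value")
            return args[0][0]
        if fn == "string-equal":
            return args[0] == args[1]
        if fn == "or":
            return any(args)
        raise ValueError(f"unsupported FunctionId {fn}")
    raise ValueError(f"unexpected element {tag}")


def _target_matches(target, request):
    """A Target matches when every ResourceMatch/ActionMatch literal equals the request attribute."""
    if target is None:
        return True  # a Rule without a Target (FinalRule) applies to every request
    for match in target.iter():
        if match.tag in ("ResourceMatch", "ActionMatch"):
            literal = match.find("AttributeValue").text
            designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
            if request.get(designator.get("AttributeId")) != literal:
                return False
    return True


def evaluate(policy_xml, request, env):
    """Return Permit, Deny, NotApplicable or Indeterminate under first-applicable combining."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("Target"), request):
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        if not _target_matches(rule.find("Target"), request):
            continue
        cond = rule.find("Condition")
        try:
            if cond is not None and not _eval_expr(cond, env):
                continue
        except ValueError:
            return "Indeterminate"  # the enforcement point must treat this as a denial
        return rule.get("Effect")
    return "NotApplicable"
```

The request carries the resource-id (the service GSH) and MethodName, the environment carries the caller's DN bag. FinalRule has no Target and no Condition, so any request that reaches it is denied; this is what makes the policy default-deny for operations or callers the Permit rule does not name.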

14
Service Data
  • Policy Manager
      • Subscribe to policy change for a certain service's policy
      • Notification data
          • Something has changed in the policy for a particular service
      • Future: investigate sending the change in policy
          • Larger problem of data merging on the receiving end
          • Changed data may itself be huge
  • Authorization Service
      • Services will be able to subscribe to notification on decision change
      • Useful for long running jobs
      • Need to evaluate risks

15
Future directions
  • Extend Policy Representation and Management interfaces
      • Time conditions
      • Compatible with interfaces from OGSA-Authz WG
  • Performance measurements of the calls
  • Expand architecture if feasible and required
      • To allow flexibility to launch them as a single service if required
  • Send diff of policy as notification
  • Caching mechanisms
  • Experimenting with combinations of the services

16
Acknowledgements
  • NASA Virtual Collaborative Center
  • Sousan Karimi, Kevin Gamiel, Jeremiah Morris, Travis Walsh

17
Interfaces

PolicyManager
  Operation Name      Input Message                                 Output Message
  generatePolicy      serviceId xsd:string, acl (custom structure)  Success xsd:boolean
  updatePolicy        serviceId xsd:string, acl (custom structure)  Success xsd:boolean
  getGridmap          serviceId xsd:string                          gridmapFilePath xsd:string
  getACL              serviceId xsd:string                          policyFilePath xsd:string

Authorization
  Operation Name      Input Message                                 Output Message
  register            policyMgrHandle xsd:string                    -
  checkAuthorization  Context (clientId, service, operation)        authorizedValue xsd:boolean
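The following added example (not code from the presentation or from the GridIR project) wires the two interfaces above into the architecture of slides 4 and 6: a PolicyManagerService that owns the policy store and pushes a change notification, and an AuthorizationService that registers with it, keeps a policy cache, and invalidates that cache on notification so a policy update never leaves a stale decision behind. Assumptions: the "custom structure" ACL is a mapping from operation to the client ids allowed to call it, getACL returns that structure directly instead of a policyFilePath, and the notification is an in-process callback (onPolicyChange) standing in for the OGSA notification the slides describe; the service and client names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Context:
    """checkAuthorization input from the Interfaces table: clientId, service, operation."""
    clientId: str
    service: str
    operation: str


class PolicyManagerService:
    """Policy Store plus the PolicyManager operations of the Interfaces table.
    Assumption: the 'custom structure' ACL is {operation: [clientId, ...]} and getACL
    returns that structure directly rather than the policyFilePath in the table."""

    def __init__(self):
        self._acls = {}         # serviceId -> {operation: set of clientIds}
        self._subscribers = []  # AuthorizationService instances that called register()

    def generatePolicy(self, serviceId, acl):
        if serviceId in self._acls:
            return False        # policy already exists: the owner must use updatePolicy
        self._acls[serviceId] = {op: set(ids) for op, ids in acl.items()}
        return True

    def updatePolicy(self, serviceId, acl):
        if serviceId not in self._acls:
            return False
        self._acls[serviceId] = {op: set(ids) for op, ids in acl.items()}
        for authz in self._subscribers:  # slide 6: notification PolicyManager -> AuthorizationService
            authz.onPolicyChange(serviceId)
        return True

    def getACL(self, serviceId):
        return {op: set(ids) for op, ids in self._acls.get(serviceId, {}).items()}

    def subscribe(self, authz):
        self._subscribers.append(authz)


class AuthorizationService:
    """Decision point holding the Policy Cache of slide 4; trusts only a registered PolicyManager."""

    def __init__(self):
        self._policyMgr = None
        self._cache = {}   # serviceId -> ACL, filled by a Fetch Policy call on a miss
        self.fetches = 0   # number of Fetch Policy round trips, to make the cache visible

    def register(self, policyMgrHandle):
        self._policyMgr = policyMgrHandle
        policyMgrHandle.subscribe(self)

    def onPolicyChange(self, serviceId):
        self._cache.pop(serviceId, None)   # invalidate; the next decision re-fetches

    def checkAuthorization(self, ctx):
        if self._policyMgr is None:
            return False   # no PolicyManager registered: fail closed
        if ctx.service not in self._cache:
            self._cache[ctx.service] = self._policyMgr.getACL(ctx.service)
            self.fetches += 1
        return ctx.clientId in self._cache[ctx.service].get(ctx.operation, set())


def demo():
    """Constructed walk-through: a miss, a cache hit, then a policy change that the
    AuthorizationService applies on the next call without serving a stale decision."""
    pm = PolicyManagerService()
    authz = AuthorizationService()
    authz.register(pm)
    pm.generatePolicy("indexer-1", {"query": ["/O=Grid/CN=Alice"]})
    bob = Context("/O=Grid/CN=Bob", "indexer-1", "query")
    alice = Context("/O=Grid/CN=Alice", "indexer-1", "query")
    before = (authz.checkAuthorization(bob), authz.checkAuthorization(alice), authz.fetches)
    pm.updatePolicy("indexer-1", {"query": ["/O=Grid/CN=Alice", "/O=Grid/CN=Bob"]})
    after = (authz.checkAuthorization(bob), authz.fetches)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The second call in demo() is a cache hit (fetches stays at 1), and the call after updatePolicy re-fetches (fetches becomes 2) because the notification emptied the cache entry; an AuthorizationService that never registered returns False for everything, which is the fail-closed behaviour a decision point needs when it has no trusted policy source.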