Title: Grid Security
1. Grid Security
2. Security Components
- Authentication: identity, confidentiality, integrity, non-repudiation.
- Authorization: authority.
- Accounting: billing, charging.
Cryptography: symmetric and public-key encryption, hashes, MACs, digital signatures.
Access matrix (Subject <-> Object), ACL, Capability, RBAC, etc.
3. Authorization Model (Pull)
Certificates (e.g. X.509)
Attributes (assertions)
Wire protocols (e.g. TLS/SSL)
Policy languages, formats, protocols
Trust management, brokering, agreement
4.
- Standards: ISO 10181 Access control framework, RFC 2904 / RFC 3281 (IETF), WS-Security, OGSA Security WG@GGF.
- Policy languages: SAML, XrML, XACML, etc.
- APIs: Open Group AZN API, GAA-API, etc.
- Real systems: Akenti, CAS, VOMS, LCAS/LCMAPS, SlashGrid/GridSite/GACL, PRIMA, PERMIS, AAA, Shibboleth, KeyNote, P2P (JXTA), Passport, etc.
5. Classification
- Attribute Services: CAS, VOMS, PRIMA, PERMIS
- Authz Decision Functions (ADF): Akenti, GridSite, LCAS, PRIMA
- Authz Enforcement Functions (AEF): SlashGrid, LCMAPS, PRIMA
6. Attribute Services
- CAS: maintains group memberships/rights. Restricted proxy credentials (group rights with limitations).
- VOMS: maintains group memberships/roles. Assertions are interpreted and enforced at the local sites (central VOs, distributed policies).
- PRIMA: X.509 ACs come from the individual attribute authorities instead of a single central server (CS).
- PERMIS: policy and role ACs are stored in LDAP directories (pull model).
7. Authz Decision Functions
- Akenti: resource gateway (Apache module) calls out to policy certificates (set by the stakeholders). Concentrates on ACLs.
- GridSite/GACL: an Apache module which enforces access control via GACLs.
- PRIMA: Globus gatekeeper call-out to a PDM (now XACML-based). Contains a DAM module. Provisions a fine-grained enforcement environment.
- LCAS: EDG gatekeeper call-out to the LCAS library, which consists of pluggable components. Binary response.
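The GridSite/GACL entry above describes an Apache module that reads an XML ACL and answers yes or no. The following evaluator is an added example written for this page, not GridSite's code: it follows the GACL layout (a `<gacl>` holding `<entry>` elements, each with credential elements followed by `<allow>` and/or `<deny>`), but the exact spelling of the `<group>` credential, the rule that every credential in an entry must match, and the rule that a deny removes a permission regardless of allows are assumptions of this toy, and the DNs, group names and policy are constructed.

```python
"""GACL-style ACL evaluation (added example, not GridSite's own code)."""
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "list", "write", "admin")

# Constructed sample policy.  Element names follow the GACL layout; the
# <group><name> form is an assumption of this example.
SAMPLE_GACL = """<gacl>
  <entry>
    <person><dn>/C=UK/O=demo/CN=alice</dn></person>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <group><name>/atlas/Role=production</name></group>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <any-user/>
    <allow><list/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=demo/CN=mallory</dn></person>
    <deny><read/><list/><write/><admin/></deny>
  </entry>
</gacl>"""


def _credential_matches(cred, dn, groups):
    """True if one credential element is satisfied by the caller."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "auth-user":            # any authenticated (non-anonymous) caller
        return dn is not None
    if cred.tag == "person":
        return dn is not None and cred.findtext("dn") == dn
    if cred.tag == "group":
        return cred.findtext("name") in groups
    return False                           # unknown credential types fail closed


def evaluate_gacl(gacl_xml, dn, groups=()):
    """Return the set of permissions the caller ends up with.

    Toy rules: every credential in an entry must match for the entry to
    apply; allowed permissions are the union over matching entries; a
    permission denied by any matching entry is removed regardless of allows.
    """
    root = ET.fromstring(gacl_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(_credential_matches(c, dn, groups) for c in creds):
            continue                       # an entry with no credential never applies
        for allow in entry.findall("allow"):
            allowed.update(p.tag for p in allow if p.tag in PERMISSIONS)
        for deny in entry.findall("deny"):
            denied.update(p.tag for p in deny if p.tag in PERMISSIONS)
    return allowed - denied


def decide(gacl_xml, dn, groups, requested):
    """Binary decision in the GACL/LCAS style: is `requested` granted?"""
    return requested in PERMISSIONS and requested in evaluate_gacl(gacl_xml, dn, groups)


if __name__ == "__main__":
    print(sorted(evaluate_gacl(SAMPLE_GACL, "/C=UK/O=demo/CN=alice")))
    print(decide(SAMPLE_GACL, "/C=UK/O=demo/CN=bob", ["/atlas/Role=production"], "write"))
```

The point worth noticing is the fail-closed handling: an entry whose credential type the evaluator does not understand, or that carries no credential at all, grants nothing, and a deny on a DN beats the `<any-user/>` allow that would otherwise reach that DN.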
8. Authz Enforcement Functions
- PRIMA: POSIX.1e file system ACLs. Also supports GACL/SlashGrid.
- SlashGrid: Grid-aware file systems. File ownership depends on the DN instead of the UID.
- LCMAPS: pool account mapping, POSIX enforcement, LDAP enforcement.
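Slides 5 to 8 split authorization into an attribute service, a decision function and an enforcement function. The following toy, an added example that is not code from VOMS, LCAS or LCMAPS, runs one request through all three: an attribute service issues a signed assertion binding VOMS-style FQANs (such as `/atlas/Role=production`) to a DN, a decision function built from an ordered chain of yes/no plugins gives an LCAS-like binary answer, and an enforcement function leases a local pool account per DN in the LCMAPS style. The HMAC signature standing in for an X.509 attribute-certificate signature, the in-memory lease table standing in for LCMAPS's on-disk gridmapdir, and all keys, DNs, VO names, pool accounts and the site policy are assumptions constructed for the demo.

```python
"""Attribute service -> decision function -> enforcement function (added toy)."""
import hashlib
import hmac
import json

# HMAC over a canonical JSON body stands in for the X.509 attribute-certificate
# signature a real attribute authority would produce (assumption of the toy).
AA_KEY = b"demo-attribute-authority-key"
AA_DN = "/O=demo/CN=voms.example.org"


def issue_assertion(subject_dn, fqans, issued_at, lifetime=3600):
    """Attribute service: bind FQANs (e.g. /atlas/Role=production) to a DN."""
    body = {"issuer": AA_DN, "subject": subject_dn, "fqans": list(fqans),
            "not_after": issued_at + lifetime}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(AA_KEY, payload, hashlib.sha256).hexdigest()}


def verify_assertion(assertion, now):
    """Return the assertion body if signature and lifetime check out, else None."""
    payload = json.dumps(assertion["body"], sort_keys=True).encode()
    expected = hmac.new(AA_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None                        # tampered or forged attributes
    if assertion["body"]["not_after"] <= now:
        return None                        # expired
    return assertion["body"]


def vo_of(fqan):
    """The VO is the first path component of an FQAN: /atlas/Role=x -> atlas."""
    return fqan.strip("/").split("/")[0]


# Decision function: each plugin answers yes/no and all must accept (the
# toy's rule, mirroring LCAS's binary response).  `ctx` is the site's policy.
def plugin_issuer_trusted(body, ctx):
    return body["issuer"] in ctx["trusted_issuers"]


def plugin_ban_list(body, ctx):
    return body["subject"] not in ctx["banned_dns"]


def plugin_vo_accepted(body, ctx):
    return any(vo_of(f) in ctx["accepted_vos"] for f in body["fqans"])


DECISION_CHAIN = (plugin_issuer_trusted, plugin_ban_list, plugin_vo_accepted)


def decide(body, ctx):
    return all(plugin(body, ctx) for plugin in DECISION_CHAIN)


class PoolAccountMapper:
    """Enforcement function: lease one local pool account per DN, chosen by VO.

    The lease dict stands in for the gridmapdir LCMAPS keeps on disk to
    remember which DN currently holds which account (assumption of the toy).
    """

    def __init__(self, pools):
        self.pools = {vo: list(accounts) for vo, accounts in pools.items()}
        self.leases = {}                   # subject DN -> pool account

    def map_account(self, body):
        dn = body["subject"]
        if dn in self.leases:              # the same DN always lands on the same account
            return self.leases[dn]
        in_use = set(self.leases.values())
        for fqan in body["fqans"]:
            for account in self.pools.get(vo_of(fqan), []):
                if account not in in_use:
                    self.leases[dn] = account
                    return account
        return None                        # pool exhausted: fail closed


def authorize(assertion, ctx, mapper, now):
    """Full pipeline; returns the local account, or None if any stage refuses."""
    body = verify_assertion(assertion, now)
    if body is None or not decide(body, ctx):
        return None
    return mapper.map_account(body)


# Constructed site policy for the demo.
SITE_CTX = {"trusted_issuers": {AA_DN},
            "banned_dns": {"/C=UK/O=demo/CN=mallory"},
            "accepted_vos": {"atlas"}}

if __name__ == "__main__":
    pool = PoolAccountMapper({"atlas": ["atlas001", "atlas002"]})
    alice = issue_assertion("/C=UK/O=demo/CN=alice", ["/atlas/Role=production"], 1_000_000)
    print(authorize(alice, SITE_CTX, pool, 1_000_010))
```

Two behaviours matter for a site operator: the lease is stable, so a returning DN gets the account that still owns its files, and every refusal (bad signature, expiry, banned DN, unknown VO, empty pool) collapses to the same None rather than a partial mapping.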
9. Summary
- Same model, different implementations. Extensive R&D in 2G Grid.
- Ongoing and future standards making (XACML/SAML@OASIS, GGF, etc.), software re-engineering (Grid services).
- What else? Dynamic, ad hoc, multi-domain authorization.
10. DAGGR - An EU perspective
- Credential Services: translating, bridging.
- Attribute Services: VOMS ->
- Authz Decision Services: LCAS ->
- Enforcement / Usage Control: SlashGrid ->
- Federated Services: ?
- Application scenarios: ?
11. Federations of autonomous entities for dynamic, ad hoc collaboration (a high-level P2P scenario).