Grid Security - PowerPoint PPT Presentation

About This Presentation
Title: Grid Security
Slides: 12
Provided by: lia9

Transcript and Presenter's Notes

Slide 1: Grid Security
Slide 2: Security Components
  • Authentication: identity, confidentiality,
    integrity, non-repudiation.
  • Authorization: authority.
  • Accounting: billing, charging.

Cryptography: symmetric and public key encryption,
hashes and MACs, digital signatures.
Access control: access matrix (Subject <-> Object), ACL,
capability, RBAC, etc.
Slide 3: Authorization Model (Pull)
Certificates (e.g. X509)
Attributes (assertions)
Wire protocols (e.g. TLS/SSL)
Policy languages, formats, protocols
Trust management, brokering, agreement
Slide 4
  • Standards: ISO 10181 access control framework,
    RFC 2904/RFC 3281/IETF, WS-Security, OGSA Security,
    WG@GGF.
  • Policy languages: SAML, XrML, XACML, etc.
  • APIs: Open Group AZN API, GAA-API, etc.
  • Real systems: Akenti, CAS, VOMS, LCAS/LCMAPS,
    SlashGrid/GridSite/GACL, PRIMA, PERMIS, AAA,
    Shibboleth, KeyNote, P2P (JXTA), Passport, ... etc.

Slide 5: Classification
  • Attribute Services: CAS, VOMS, PRIMA, PERMIS
  • Authz Decision Functions (ADF): Akenti, GridSite, LCAS, PRIMA
  • Authz Enforcement Functions (AEF): SlashGrid, LCMAPS, PRIMA

Slide 6: Attribute Services
  • CAS: maintains group memberships/rights.
    Restricted proxy credentials (group rights with
    limitations).
  • VOMS: maintains group memberships/roles.
    Assertions are interpreted and enforced at local
    sites (central VOs, distributed policies).
  • PRIMA: X.509 ACs come from the individual
    attribute authorities instead of a CS.
  • PERMIS: policy and role ACs are stored in LDAP
    directories (pull model).

Slide 7: Authz Decision Functions
  • Akenti: resource gateway (Apache module) calls out
    to policy certificates (set by stakeholders).
    Concentrated on ACLs.
  • GridSite/GACL: an Apache module which enforces
    access control via GACLs.
  • PRIMA: Globus gatekeeper call-out to a PDM (now
    XACML-based). Contains a DAM module. Provides a
    fine-grained enforcement environment.
  • LCAS: EDG gatekeeper call-out to the LCAS library,
    which consists of pluggable components. Binary
    response.

Slide 8: Authz Enforcement Functions
  • PRIMA: POSIX.1e file system ACLs. Also supports
    GACL/SlashGrid.
  • SlashGrid: Grid-aware file systems. File
    ownership depends on DN instead of UID.
  • LCMAPS: pool account mapping, POSIX enforcement,
    LDAP enforcement.
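
The three stages classified on slides 5 to 8 (attribute service, decision function, enforcement function) as one runnable pull-model sketch. This is an added example, not code from any of the systems named on these slides: the attribute assertion is HMAC-signed instead of being an X.509 attribute certificate, the decision function answers only allow/deny in the style described for LCAS, the enforcement step does pool account mapping in the style described for LCMAPS, and the site policy, pool accounts, key and DNs are all constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed signing key for the attribute authority. A real attribute service
# (VOMS, PERMIS) issues X.509 attribute certificates signed with its private key;
# an HMAC stands in here so the example runs stand-alone.
AA_KEY = b"constructed-attribute-authority-key"


def issue_attribute_assertion(subject_dn, vo, roles, ttl_seconds=3600, key=AA_KEY):
    """Attribute service: bind a VO membership and roles to a subject DN."""
    body = {
        "subject": subject_dn,
        "vo": vo,
        "roles": list(roles),          # order matters: first role is the preferred mapping
        "expires": int(time.time()) + ttl_seconds,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_attribute_assertion(assertion, now=None, key=AA_KEY):
    """Return the attribute body if signature and lifetime check out, else None."""
    payload = json.dumps(assertion["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None                    # tampered, or issued by an unknown authority
    now = time.time() if now is None else now
    if now >= assertion["body"]["expires"]:
        return None                    # stale assertion
    return assertion["body"]


# Constructed site policy: (resource, action) -> set of (VO, role) pairs allowed.
SITE_POLICY = {
    ("/storage/atlas", "read"): {("atlas", "member"), ("atlas", "production")},
    ("/storage/atlas", "write"): {("atlas", "production")},
}


def authz_decision(assertion, resource, action, now=None):
    """ADF: pull the attributes, evaluate the site policy, answer allow/deny only."""
    attrs = verify_attribute_assertion(assertion, now=now)
    if attrs is None:
        return False
    allowed = SITE_POLICY.get((resource, action), set())
    return any((attrs["vo"], role) in allowed for role in attrs["roles"])


# Constructed pool accounts: one pool of local UNIX accounts per (VO, role).
POOL_ACCOUNTS = {
    ("atlas", "production"): ["atlasprd001", "atlasprd002"],
    ("atlas", "member"): ["atlas001", "atlas002", "atlas003"],
}
_leases = {}  # subject DN -> local account, so a DN keeps its account across requests


def map_to_pool_account(attrs):
    """AEF: map the DN to a local account from the pool of its first matching role."""
    subject = attrs["subject"]
    if subject in _leases:
        return _leases[subject]
    taken = set(_leases.values())
    for role in attrs["roles"]:
        for account in POOL_ACCOUNTS.get((attrs["vo"], role), []):
            if account not in taken:
                _leases[subject] = account
                return account
    return None                        # pool exhausted, or no mapping for these roles


def gatekeeper(assertion, resource, action, now=None):
    """Whole pull-model flow: verify attributes, decide, then enforce by account mapping.
    Returns the local account to run as, or None when access is denied."""
    if not authz_decision(assertion, resource, action, now=now):
        return None
    return map_to_pool_account(verify_attribute_assertion(assertion, now=now))
```

The split mirrors the slides: the decision function never touches local accounts, and the enforcement function never evaluates policy, so either can be replaced (an XACML PDP for the decision, a file-system ACL for the enforcement) without changing the other. Tampering with the roles inside an assertion, or presenting an expired one, is rejected at verification before any policy is consulted.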

Slide 9: Summary
  • Same model, different implementations. Extensive
    R&D in 2G Grid.
  • Ongoing/future standards making (XACML/
    SAML@OASIS, GGF, etc.), software re-engineering
    (Grid services).
  • What else?

Dynamic, ad-hoc, multi-domain authorization.
Slide 10: DAGGR - An EU perspective
  • Credential Services: translating, bridging.
  • Attribute Services: VOMS ->
  • Authz Decision Services: LCAS ->
  • Enforcement / Usage Control: SlashGrid ->
  • Federated Services: ?
  • Application scenarios: ?

Slide 11
Federations of autonomous entities for dynamic
ad hoc collaboration (a high-level P2P
scenario).