1
Generic AAA model in Grids
IRTF - AAAARCH meeting, IETF 52, Dec 14th, Salt Lake City
Leon Gommans, lgommans_at_science.uva.nl
Advanced Internet Research Group, Informatics Institute, University of Amsterdam
2
Goal
  • Show authorization framework concepts of RFC2904 applied to the Grid (at FL300)
  • Show current implementation based on Globus Security Infrastructure (www.globus.org)
  • Show possible future authorization concepts.
3
  • Grids
      • Allow individuals / institutes in science or industry to form virtual organizations so as to pool resources (computers, networks, data) and pursue a common goal.
  • Current GRID Security Infrastructure (GSI)
      • Allows access to multi-domain resources with a single sign-on
      • Allows organizations to remain in control of their resources
      • GSS-API / TLS based

More details: http://www.globus.org/documentation/incoming/butler.pdf
4
Use of X509 Certificates and Proxy Certificates to:
  • Remote login and access control for "standard" services. Client/server and server/client authentication. Authenticated and encrypted messages via GSS. Authenticated and encrypted streams via SSL and TLS. Authenticated and encrypted Web server access via https.
  • Impersonate and establish (a chain of) delegation.

Ref: http://archive.ncsa.uiuc.edu/General/GridForum/SWG/taxonomy.html and draft-ietf-pkix-proxy-01.txt
5
RFC 2904 Roaming Push Model and trust relationships
[Diagram labels: User Home Org; Trust Relationship; AAA; User Admin; Authorization Request; User; Token; Trust Relationship; Service Request Token; Service Provider; Service Ack; AAA; Service Admin]
6
Globus GRID Model
[Diagram labels: AAA; Grid RA/CA; Registration Request; Unsigned Certificate; Certificate SN John, Issuer CA; User; CRL; Logon sequence; Unsigned Impersonation Certificate; End Entity Private key; Certificate SN or ? Altname John / Proxy, Issuer John; Grid Resources; Proxy Private key]
Note: Push sequence is reversed. Hybrid push/pull?
User authorizes impersonation to enable single sign-on access to grid resources.
7
Globus GRID Model
[Diagram labels: Grid RA/CA; List of subjects and their authorizations (gridmap file); User; (offline) CA Cert Request; CA Cert; John, Sue; AAA; Grid Resources; (offline) Service Subscription process]
  • Users need to be authorized by service for access
  • Users need to register with service to enable services
8
RFC2904 Distributed Services Model
[Diagram labels: John's Credentials; User; Gatekeeper (Proxy); CA(s); John, Sue; AAA; CRL; ?; John Proxy Credentials; Resource 1; Resource 2; John, Sue; John, Dave; List of global subjects and their authorizations; Service Domain A; Service Domain B]
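
The gridmap lookup and proxy naming sketched on slides 6 to 8, as an added example that is not part of the original presentation and is not Globus code: it parses a gridmap file and maps a presented certificate chain back to the end-entity subject before authorizing. The grid-mapfile line format, the legacy `/CN=proxy` naming, the function names and the DNs are assumptions; signature, validity and CRL checks are assumed to happen elsewhere.

```python
import shlex

# Constructed sample; the line format ("subject DN" account[,account]) is the
# Globus grid-mapfile convention, assumed here since the slides do not show it.
SAMPLE_GRIDMAP = '''
# constructed entries
"/O=Grid/OU=Example/CN=John" john
"/O=Grid/OU=Example/CN=Sue" sue,griduser
"/O=Grid/OU=Example/CN=Broken
'''

PROXY_CNS = ("proxy", "limited proxy")  # legacy GSI proxy name components (assumption)

def parse_gridmap(text):
    """Return {subject DN: [local accounts]}, skipping comments and malformed lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quote: reject the line, never guess
            continue
        if len(parts) == 2:
            mapping[parts[0]] = [a for a in parts[1].split(",") if a]
    return mapping

def end_entity_of(chain):
    """chain: [(subject, issuer), ...] ordered from end-entity cert to last proxy.

    Checks the naming rule only: each proxy is issued by the certificate before
    it and extends that subject by exactly one proxy CN. Returns None on failure.
    """
    if not chain:
        return None
    ee_subject = prev = chain[0][0]
    for subject, issuer in chain[1:]:
        if issuer != prev or subject not in [f"{prev}/CN={cn}" for cn in PROXY_CNS]:
            return None
        prev = subject
    return ee_subject

def authorize(chain, gridmap):
    """Map a presented chain to local accounts; an empty list means access denied."""
    subject = end_entity_of(chain)
    return gridmap.get(subject, []) if subject else []
```

A proxy whose issuer is not the preceding subject is rejected before the gridmap is consulted, so the file only ever needs to list end-entity subjects such as John and Sue.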
9
Industrializing the Grid
  • Allow commercial organizations to collaborate in an easy to use, secure and reliable fashion
      • interoperability, confidentiality, privacy, availability, integrity etc.
  • Ad hoc usage of available Grid resources needs to be converted into units that can be settled, as subscribed services do not scale.
      • resource usage, storage, digital rights etc.
  • Grid resources need procurement, user in driving seat.
      • user authorizes usage up to a certain limit.

10
  • Workflow
  • create relationship with home organization that
    can authorize a usage limit.
  • create relationship with organization that
    represents a community and authorizes access to
    and usage of resources belonging to a Virtual
    Organization based on authorized usage limit.
  • use resources based on authorization from
    Virtual Organization

11
Roaming authorization Push Model as one of many options
[Diagram labels: Home Org; Home Authorization; User; Community Org; Community Authorization; User Authorization; Grid Service Provider; Grid Services]
12
Thank you
More info: draft-ietf-pkix-proxy-01.txt, www.globus.org, www.ggf.org, www.aaaarch.org