Transcript and Presenter's Notes

1
Towards a Unified Authentication and
Authorization Infrastructure for Grid
Services: Implementing an Enhanced OCSP Service
Provider into GT4
  • Jesús Luna G.
  • Manel Medina L.
  • Oscar Manso C.

Universitat Politècnica de Catalunya, Departament
d'Arquitectura de Computadors
2
Agenda
  • Motivation
  • Background
  • Objective
  • Proof of concept
  • Related work
  • Future work

3
Motivation
4
Grid Services
  • Open Grid Services Architecture (OGSA): service
    orientation to virtualize resources -> everything
    is a service.
  • A standard substrate: the Grid service.
  • Standard interfaces (OGSI) and behaviors that
    address key distributed system issues: naming,
    service state, lifetime, notification.
  • Grid service Web service OGSA OGSI
  • Grid services are moving from eScience to
    eBusiness.

5
Oracle's Use of Grid Technology
  • Use Grid technology to build better products
  • Oracle Database 10g
  • Enhanced scalability, relocation, distributed
    SQL
  • Max database size -> 8 exabytes
  • Oracle Application Server 10g
  • Already based on J2EE/Web Services
  • Extending to include OGSI yields powerful
    capabilities
  • Improves scalability and flexibility
  • Increases in both scalability and efficiency
  • Improves competitiveness of existing products

Open Grid Services Architecture: A tutorial.
Foster, Ian. www.mcs.anl.gov/foster
6
Oracle Grid Product Offerings
  • Oracle Database 10g
  • Transportable tables
  • Distributed SQL
  • Managed using OGSI-compliant interfaces(?)
  • Oracle Application Server 10g
  • Hosting for OGSI-compliant Grid services
  • Development environment
  • Application Server can be managed and configured
    using OGSI-compliant interfaces(?)

7
Performance Security
  • ...but
  • Is the traditional Grid Security Infrastructure
    (GSI) framework ready for Grid Services?

8
Background
9
Globus Toolkit
10
GT4 Container
  • Open Source implementation of Grid Services
    through a WSRF Container

11
GT4's Use of Security Standards
12
GT4 AA Framework
[Diagram: GT4 AA Framework. Actors: Subject, Delegated Proxy, WSRF Container, Grid Services. Numbered flow: 1. Proxy Initialization; 2. Service Request; 3. Authentication Request; 3a. Authentication Decision; 4. Authentication Response; 5. Authorization Request; 5a. Authorization Decision; 6. Authorization Response; 7. Service Response; 8. Proxy Destruction.]
13
Conceptual Grid Authorization Framework
  • Trust Management.
  • Privilege Management.
  • Attribute Authorities.
  • Privilege Assignment.
  • Attribute Assertions Management.
  • Policy Management.
  • Authorization Context.
  • Authorization Server.
  • Enforcement Mechanisms.

Conceptual Grid Authorization Framework and
Classification. R. Baker, L. Gommans, A. McNab,
M. Lorch, L. Ramakrishnan, K. Sarkar, and M. R.
Thompson. Global Grid Forum Working Group on
Authorization Frameworks and Mechanisms, February
2003, http://www.ggf.org/Meetings/ggf7/drafts/authz01.pdf
14
Objective
  • Improve the GT4 Container's security and performance
    through the integration of common AuthN and AuthZ
    features into a Unified Authentication and
    Authorization Infrastructure (AAI).

15
AA Performance and Security
[Diagram: the GT4 AA Framework flow, shown again to discuss its performance and security. Actors: Subject, Delegated Proxy, WSRF Container, Grid Services. Numbered flow: 1. Proxy Initialization; 2. Service Request; 3. Authentication Request; 3a. Authentication Decision; 4. Authentication Response; 5. Authorization Request; 5a. Authorization Decision; 6. Authorization Response; 7. Service Response; 8. Proxy Destruction.]
16
Proposed Unified AAI
[Diagram: Proposed Unified AAI. Actors: Subject, Delegated Proxy, WSRF Container hosting the Unified AAI, Grid Services.]
17
Proposed Validation Policy
[Diagram: Proposed Validation Policy, placed inside the Unified AAI. Actors: Subject, Delegated Proxy, WSRF Container, Grid Services.]
18
Proposed Trust Engine
[Diagram: Proposed Trust Engine, placed inside the Unified AAI. Actors: Subject, Delegated Proxy, WSRF Container, Grid Services.]
19
Unified AAI Proposal
[Diagram: Unified AAI Proposal. Actors: Subject, Delegated Proxy, Unified AAI, WSRF Container, Grid Services. Numbered flow: 1. Validation and Accreditation Request; 2. Validation and Accreditation Response; 3. Proxy Initialization; 4. Service Request; 5. Accreditation Request; 5a. Accreditation Decision; 6. Accreditation Response; 7. Service Response; 8. Proxy Destruction.]
20
Grid Services Authentication Challenges
  • X.509 Credentials life-cycle management.
  • Single Sign-On.
  • Delegation.
  • Identity Federation.
  • Trust conditions.
  • Privacy and anonymity.
  • Interoperability and extensibility.
  • Authentication Architecture.
  • Subject and Resource Authentication Policies.
  • Use of formal methods.
  • Authentication traffic.

21
Grid Services Authorization Challenges
  • Interoperability and extensibility.
  • Use of formal methods.
  • Policy writing.
  • Distributed Policy Management.
  • Subject-side and Resource-side Authorization
    Rules.
  • Authorization Architecture and Performance.
  • Authorization Assertions' security.
  • Fine-grained Authorization for Grid Services
    Operations (portTypes) and Service Data Elements
    (SDE).
  • Session-based Authorization.
  • Conditional Replies.

22
Proof of concept: An Enhanced OCSP Service
Provider for GT4
23
Why OCSP in Grids?
  • Used to provide near real-time certificate status
    for Grid relying parties.
  • Avoid burden of managing local CRLs at Grid
    clients.
  • May allow support for Proxy Certificates
    revocation.
  • OCSP Service requirements for Grids:
    discoverable, fault tolerant and low latency.
  • OCSP support not implemented into GT4.
  • Grids need to define an OCSP Policy (GGF
    CAOPS-WG).

24
CertiVeR Enhanced OCSP Service Provider
  • Distributed architecture.
  • May work as Trusted or Authorized Responder.
  • Able to parse customized OCSP Response
    Extensions, which may include AuthZ related
    information.
  • Supports Proxy Certificate Revocation

25
Adding OCSP support to GT4
  • CertiVeR OCSP Java API integrated into CoG's
    ProxyPathValidator class.
  • The same CoG class is used in Java WS Core.
  • First the EEC chain is built by the client,
  • then it is sent for validation in a single OCSP
    Request, and
  • finally it is received again in a single OCSP
    Response.
  • Fully compliant with RFC 2560.

27
Related Work
28
  • Akenti (Berkeley Lab)
  • Not exactly an AAI.
  • Manages distributed AuthZ.
  • Pre-WS Grid integration in progress.
  • PERMIS (EU-funded project)
  • AuthZ based on Attributes Certificates.
  • AuthN agnostic.
  • Recently integrating with GT4 and SAML.
  • Shibboleth (Internet2/IBM)
  • Designed for Web Services.
  • Supports interinstitutional AA based on existing
    security schemes.
  • Delivers user privacy through anonymity.
  • GridShib in progress (NSF).
  • Cardea (NASA)
  • Designed for NASA's Information Power Grid.
  • Uses XACML.
  • Manages distributed AuthZ.
  • VOMS
  • AuthZ is established by enforcing agreements
    between Resource Providers (RP) and VOs.

29
Future Work and Conclusions
30
OCSP and GT4
  • OCSP Policy fine-tuning to balance Security and
    Performance (signed Responses, use of nonces,
    etc.).
  • Enable full Proxy Certificate Revocation support
    with either of two mechanisms:
  • Sending the Proxy Cert in the OCSP Request
    -> depends on the OCSP Service Provider.
  • Without sending the Proxy Cert in the OCSP
    Request -> works with any OCSP Service Provider.
  • To be included in the next release of GT4.
  • Work in Progress: OCSP Requirements for Grids
    with CAOPS-WG in GGF.

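As an added example, not code from the presentation, from GT4 or from CertiVeR, the Python block below models the OCSP exchange of slides 23, 25 and 30 with the `cryptography` package: the client builds an RFC 2560 request for the EEC carrying a nonce, a Trusted Responder (here the CA itself, a constructed stand-in for CertiVeR) answers with a signed response that echoes the nonce, and the relying party enforces the policy points of slide 30 (signed Response, nonce match) before trusting the status. Assumptions: a constructed CA and EEC generated at run time, and one certificate per request (the library's builder), so a whole chain would be several such requests rather than the single Request of slide 25.

```python
import datetime, os
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
NOW = datetime.datetime.now(datetime.timezone.utc)

def make_cert(cn, key, issuer_cert=None, issuer_key=None):
    """Constructed test certificate; a self-signed CA when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(minutes=1)).not_valid_after(NOW + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=issuer_cert is None, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))

CA_KEY = ec.generate_private_key(ec.SECP256R1())   # the CA also acts as the Trusted Responder (assumption)
CA_CERT = make_cert("Constructed Grid CA", CA_KEY)
EEC_CERT = make_cert("Constructed Grid User", ec.generate_private_key(ec.SECP256R1()), CA_CERT, CA_KEY)

def build_request(cert, issuer):
    """Client side: OCSP request for the EEC with a fresh nonce (RFC 2560, section 4.4.1)."""
    nonce = os.urandom(16)
    req = (ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False).build())
    return req.public_bytes(serialization.Encoding.DER), nonce

def trusted_responder(req_der, cert, issuer, revoked=False):
    """Responder side: echoes the request nonce and signs the response with the CA key."""
    req = ocsp.load_der_ocsp_request(req_der)
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA1(), cert_status=status,
                          this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
                          revocation_time=NOW if revoked else None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, issuer)
            .add_extension(req.extensions.get_extension_for_class(x509.OCSPNonce).value, critical=False)
            .sign(CA_KEY, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)

def validate(resp_der, nonce, responder_pub):
    """Relying-party checks from the OCSP policy above: signed response, echoed nonce, then status."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unavailable"
    responder_pub.verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))  # raises InvalidSignature
    if resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce != nonce:
        return "nonce mismatch"                        # replayed or foreign response
    return resp.certificate_status.name.lower()        # "good" or "revoked"
```

A response signed by anything other than the trusted responder's key makes `validate` raise `InvalidSignature`, which a GT4-style path validator would map to a failed validation rather than a soft pass.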
31
Unified AAI next steps
  • Validation Policy
  • Full definition based on Unified AA Framework.
  • Move to XACML?
  • Build upon ETSI's Signature Policy concept?
  • Unified AAI
  • SAML adoption for GT4 interoperability
    (callouts).
  • Fault tolerant architecture.
  • Trust Engine
  • Distributed Validation Policy evaluation and
    management (maybe with a parallel paradigm?).
  • Use CertiVeR's enhanced Responses to convey
    signed evidence and thus optimize the evaluation
    process.
  • Traditional Web Services (non WSRF-based) can
    also make use of the Unified AAI.

32
Many thanks!