Title: Multi-Site VOs
1. gPLAZMA grid-aware Pluggable AuthoriZation Management (Introducing Role-based Access Control in dCache)
The XVth International Conference on Computing
in High Energy and Nuclear Physics
(CHEP06) February 15, 2006 TIFR, Mumbai
Abhishek Singh Rana UC San Diego rana_at_fnal.gov
Frank Würthwein UC San Diego fkw_at_fnal.gov
2. Authors
- RANA, Abhishek Singh (University of California, San Diego, CA, USA)
- WÜRTHWEIN, Frank (University of California, San Diego, CA, USA)
- PERELMUTOV, Timur (Fermi National Accelerator Laboratory, Batavia, IL, USA)
- KENNEDY, Robert (Fermi National Accelerator Laboratory, Batavia, IL, USA)
- BAKKEN, Jon (Fermi National Accelerator Laboratory, Batavia, IL, USA)
- SKOW, Dane (Fermi National Accelerator Laboratory, Batavia, IL, USA)
- FISK, Ian (Fermi National Accelerator Laboratory, Batavia, IL, USA)
- FUHRMANN, Patrick (DESY, Hamburg, Germany)
- ERNST, Michael (DESY, Hamburg, Germany)
3. Outline
- OSG AuthZ approach
- gPlazma architecture
- gPlazma implementation
- Example of end-to-end AuthZ for CEs and SEs
- Status
- Future Work
4. OSG AuthZ Approach
- VO-global specification of privilege attributes per Role.
- Site-central mapping of Role to the site's implementation of privilege attributes.
- Local enforcement of privilege attributes.
- Use of the VOMS extended X.509 Attribute Certificate specification for defining extra attributes (FQANs, or Fully Qualified Attribute Names).
  - Based on RFC 3281. FQANs contain Role and VO membership information for a User.
5. OSG AuthZ Approach
- VO defines Roles and associated privileges by specifying expected functionality.
  - E.g. cmssoft may install software in an area that is read-only for all cmsuser jobs running on the site/campus.
  - E.g. cmsphedex may have special access to the SRM/dCache system.
- Site maps VO-scope identities to local-scope identities.
  - Site-wide management of the mapping.
  - Service-level granularity of the mapping.
- Site enforces VO privilege policies within local-scope identities.
  - Authorization = (VO-allowed) AND NOT (Site-vetoed)
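To make the decision rule concrete, here is an added example (not code from the talk, gPLAZMA, GUMS or VOMS) that parses VOMS-style FQANs, applies a constructed site-wide mapping of (group, Role) to a local identity, and computes Authorization = (VO-allowed) AND NOT (Site-vetoed). The mapping table, the vetoed DN and the cms role names are constructed sample data; only the FQAN syntax (/vo/group/Role=x/Capability=y, with NULL for an absent value) follows the VOMS convention.

```python
"""Added example of the OSG AuthZ decision model from the slides (not code
from the talk, gPLAZMA, GUMS or VOMS): parse VOMS-style FQANs, map the
(group, Role) pair to a local identity with a site-wide table, and decide
Authorization = (VO-allowed) AND NOT (Site-vetoed).  All table entries,
DNs and identities below are constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# VOMS FQAN syntax: /<vo>[/<subgroup>...][/Role=<role>][/Capability=<cap>]
# "NULL" is how VOMS spells an absent Role or Capability.
FQAN_RE = re.compile(
    r"^(?P<group>/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*)"
    r"(?:/Role=(?P<role>[A-Za-z0-9_.-]+))?"
    r"(?:/Capability=(?P<cap>[A-Za-z0-9_.-]+))?$"
)


@dataclass(frozen=True)
class Fqan:
    vo: str
    group: str            # full group path, e.g. "/cms/uscms"
    role: Optional[str]   # None when the FQAN carries Role=NULL or no Role


def parse_fqan(text: str) -> Fqan:
    """Reject anything that is not a well-formed FQAN rather than guessing."""
    m = FQAN_RE.match(text)
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")
    group = m.group("group")
    role = m.group("role")
    return Fqan(vo=group.split("/")[1], group=group,
                role=None if role in (None, "NULL") else role)


@dataclass(frozen=True)
class LocalIdentity:
    username: str
    uid: int
    gid: int


# Site-wide mapping of VO-scope (group, Role) to site-scope identity.
# A Role of None is the plain-member default for that group.  Constructed
# sample modelled on the cmssoft / cmsuser / cmsphedex roles in the slides.
SITE_MAPPING: dict[tuple[str, Optional[str]], LocalIdentity] = {
    ("/cms", "cmssoft"):   LocalIdentity("cmssoft", 5001, 5000),
    ("/cms", "cmsphedex"): LocalIdentity("cmsphedex", 5002, 5000),
    ("/cms", None):        LocalIdentity("cmsuser", 5003, 5000),
}

# Site veto: subject DNs refused regardless of VO attributes (constructed).
SITE_VETOED_DNS = {"/DC=org/DC=example/OU=People/CN=Vetoed User 999"}


def map_to_local(fqans: list[Fqan]) -> Optional[LocalIdentity]:
    """VO-allowed: VOMS lists the primary FQAN first, so the first FQAN the
    site can map wins.  A Role the site has no entry for degrades to the
    group's member default (never to a more privileged mapping); a group
    the site has no entry for at all is not allowed."""
    for f in fqans:
        exact = SITE_MAPPING.get((f.group, f.role))
        if exact is not None:
            return exact
        default = SITE_MAPPING.get((f.group, None))
        if default is not None:
            return default
    return None


def authorize(subject_dn: str, fqan_strings: list[str]) -> Optional[LocalIdentity]:
    """Authorization = (VO-allowed) AND NOT (Site-vetoed).  The veto is
    checked first so a vetoed DN never reaches the mapping step at all."""
    if subject_dn in SITE_VETOED_DNS:
        return None
    fqans = [parse_fqan(s) for s in fqan_strings]
    return map_to_local(fqans)


if __name__ == "__main__":
    dn = "/DC=org/DC=example/OU=People/CN=Alice Example 123"
    for attrs in (["/cms/Role=cmssoft/Capability=NULL"],
                  ["/cms/Role=NULL/Capability=NULL"],
                  ["/atlas/Role=production/Capability=NULL"]):
        print(attrs, "->", authorize(dn, attrs))
```

The veto is evaluated before any mapping, so a site decision cannot be bypassed by a VO issuing a new Role; and an unknown Role falls back only to the group's member default, so a misspelt or newly minted VO Role can never land on a more privileged local identity than the site explicitly configured.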
6. [Diagram: site authorization architecture] Components shown: a local or remote client presenting a proxy with VO membership and Role attributes; a VO Attribute Repository; within the Site, Host 1 and Host 2 running Service X, Service Y and Service Z; a Site-wide Mapping Service and an Authorization Service for Services X, Y, Z, reached through a Callout Module for X, Y; an Auxiliary Mapping Service and an Auxiliary Authorization Service for Service Z, reached through a Callout Module for Z; a Site-wide Assertion Service; and per-service vetoes (Service X Veto, Service Y Veto, Service Z Veto).
7. [Diagram: the same architecture annotated with policy points] PEP: Policy Enforcement Point. PDP: Policy Decision Point.
8. gPLAZMA Architecture [Diagram] The SRM Door and GridFTP Door enter gPLAZMA through an SRM Callout and a GridFTP Callout. gPLAZMA consults its Authorization Services Plugins according to configured Priorities and Switches: Priority 1, bias DENIAL, applies the Site Assertion (assertion response: Allow OR Deny); Priority 2, bias ACCESS, applies the Authorization Response (AuthZ Record). Plugins shown: Legacy Grid AuthN (gridmapfile); Legacy Storage AuthZ (dcache.kpwd); VO Identity Mapping Client talking https/SOAP SAML to a VO Identity Mapping Service; GUMS-based VO Role Mapping AuthZ; VO Role Mapping AuthZ (gPLAZMA native); Storage Metadata AuthZ; Storage Providers Policies; Future Additions.
9. gPLAZMA Implementation [Diagram; slide footer: GriPhyN All Hands Meeting, Argonne National Laboratory, April 29 2005. The Open Science Grid Consortium. Abhishek Singh Rana, UCSD. www.opensciencegrid.org] The user runs voms-proxy-init to obtain a proxy with VO membership and Role attributes, then srmcp. The SRM Server and GridFTP Server of SRM-dCache invoke the SRM Callout and GridFTP Callout into gPLAZMA. gPLAZMA uses the PRIMA SAML Client to send a SAML query over https/SOAP to the Storage Authorization Service. That service consults the gPLAZMALite Authorization Service ("If authorized, get username", backed by one of the alternatives labelled 4a-4d: the gPLAZMALite grid-mapfile, the GUMS Identity Mapping Service, dcache.kpwd) and the Storage metadata ("Get storage authz for this username"), and returns a User Authorization Record in the SAML response. DATA then flows between the client and the SRM/GridFTP servers.
10. gPLAZMA Implementation [Diagram: the same flow with the steps numbered 1 through 13, in the order listed above.]
11. Example of end-to-end AuthZ for CEs and SEs
12. SE SRM-dCache
- Different doors for different authz methods.
- Same underlying local authz mechanism.
  - Can be mapped to the site's UID/GID domain.
  - Or be restricted to SRM-dCache only.
- Examples
  - USCMS-VO at FNAL: site UID domain.
  - CDF-VO at FNAL: site Kerberos domain.
13. SE SRM-dCache
- gPLAZMA extends the SRM-dCache separation of SE authz and CE authz to the OSG approach.
- gPLAZMA authenticates.
- gPLAZMA uses the PRIMA Java SAML libraries to form a SAML query and contacts the Storage Authz Service.
- Storage Authz Service contacts GUMS and the Storage Metadata Service.
- GUMS translates DN, Membership, Role to Username.
- Storage Metadata Service translates Username to Storage-privilege Set.
- Storage-privilege Set is UID, GID, permitted storage area, R/W permissions.
- Storage-privilege Set is a User-level ACL governed by DN, Membership, Role.
- Storage Authz Service forms a User Authorization Record into a SAML response and sends it back to gPLAZMA at the SE.
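The Username-to-Storage-privilege-Set step above, as an added example (not gPLAZMA, dCache or GUMS code): a constructed, simplified record table (not the real dCache storage-authzdb file format) is parsed into one Storage-privilege Set per username, and a request (path plus read/write intent) is checked against the permitted storage area and R/W flag. The path is normalized before the prefix check so that `..` components cannot escape the permitted area and a sibling such as `.../cms/sw2` is not mistaken for `.../cms/sw`. Usernames, UIDs, GIDs and paths are constructed sample data.

```python
"""Added example of the username-to-storage-privilege step described above
(not gPLAZMA, dCache or GUMS code): a constructed, simplified record table
(not the real dCache storage-authzdb format) is parsed into one
Storage-privilege Set per username, and each request (path + read/write
intent) is checked against that set.  Usernames, UIDs, GIDs and paths are
constructed sample data."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class StoragePrivilegeSet:
    username: str
    uid: int
    gid: int
    storage_area: str   # normalized absolute path the user may work under
    read_write: bool    # False = read-only


@dataclass(frozen=True)
class AuthzRecord:
    """What the Storage Authorization Service would hand back per request."""
    username: str
    uid: int
    gid: int
    path: str
    allowed: bool
    reason: str


# Constructed sample table, one record per line:
#   authorize <username> <read-only|read-write> <uid> <gid> <storage-area>
SAMPLE_STORAGE_AUTHZ = """\
# cmssoft installs software; plain cmsuser jobs may only read it
authorize cmssoft   read-write 5001 5000 /pnfs/site.example/data/cms/sw
authorize cmsuser   read-only  5003 5000 /pnfs/site.example/data/cms
authorize cmsphedex read-write 5002 5000 /pnfs/site.example/data/cms/store
"""


def parse_storage_authz(text: str) -> dict[str, StoragePrivilegeSet]:
    """Strict parser: a malformed or duplicate record is an error, not a
    silently ignored line, because a skipped record changes who gets in."""
    records: dict[str, StoragePrivilegeSet] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6 or fields[0] != "authorize":
            raise ValueError(f"line {lineno}: malformed record {raw!r}")
        _, user, mode, uid, gid, area = fields
        if mode not in ("read-only", "read-write"):
            raise ValueError(f"line {lineno}: unknown mode {mode!r}")
        if not posixpath.isabs(area):
            raise ValueError(f"line {lineno}: storage area must be absolute")
        if user in records:
            raise ValueError(f"line {lineno}: duplicate record for {user!r}")
        records[user] = StoragePrivilegeSet(
            user, int(uid), int(gid), posixpath.normpath(area), mode == "read-write")
    return records


def inside_area(path: str, area: str) -> bool:
    """True if the normalized path is the area itself or lies beneath it.
    normpath() folds '..' so '/cms/sw/../store' cannot escape; the trailing
    '/' on the prefix keeps '/cms/sw2' from matching the area '/cms/sw'."""
    p = posixpath.normpath(path)
    return p == area or p.startswith(area.rstrip("/") + "/")


def storage_authorize(records: dict[str, StoragePrivilegeSet],
                      username: str, path: str, write: bool) -> AuthzRecord:
    """Build the per-request authorization record from the privilege set."""
    priv = records.get(username)
    if priv is None:
        return AuthzRecord(username, -1, -1, path, False, "no storage-privilege set")
    if not posixpath.isabs(path):
        return AuthzRecord(username, priv.uid, priv.gid, path, False, "path not absolute")
    if not inside_area(path, priv.storage_area):
        return AuthzRecord(username, priv.uid, priv.gid, path, False,
                           "outside permitted storage area")
    if write and not priv.read_write:
        return AuthzRecord(username, priv.uid, priv.gid, path, False, "read-only")
    return AuthzRecord(username, priv.uid, priv.gid, path, True, "ok")


if __name__ == "__main__":
    recs = parse_storage_authz(SAMPLE_STORAGE_AUTHZ)
    for user, path, write in (("cmssoft", "/pnfs/site.example/data/cms/sw/CMSSW/lib", True),
                              ("cmsuser", "/pnfs/site.example/data/cms/sw/CMSSW/lib", True),
                              ("cmssoft", "/pnfs/site.example/data/cms/sw/../store/x", True)):
        print(storage_authorize(recs, user, path, write))
```

The sample table reproduces the slide's cmssoft/cmsuser split: cmssoft may write under the software area, cmsuser may only read the whole cms tree. The parser deliberately fails closed on any bad line, since in an authorization table a silently dropped or duplicated record is itself a policy change.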
14-21. [Diagram, built up over eight slides: end-to-end AuthZ for CEs and SEs] A local or remote client presents a proxy with VO membership and Role attributes issued by VOMS. Inside the Site: the CE, where the Globus Gatekeeper PRIMA callout uses the PRIMA C SAML libraries; the SE, where the SRM-GridFTP gPLAZMA callout uses PRIMA Java SAML, gPLAZMA and the gPLAZMALite Authorization Services suite; GUMS as the Site-wide Mapping Service; the Storage Authorization Service with gPLAZMA Storage metadata as the Auxiliary Mapping Service; SAZ as the Site-wide Assertion Service; an OGSA AuthZ interface between the callouts and the services. Later slides in the sequence mark the callouts as PEPs.
22. [Same diagram with acronyms expanded]
- VOMS: Virtual Organization Membership Service
- GUMS: Grid User Management System
- PRIMA: A System for Privilege Management and Authorization in Grids
- gPLAZMA: grid-aware Pluggable Authorization Management System
- SAZ: Site Authorization Service
23. [Same diagram with credits]
- VOMS: INFN teams, Italy
- GUMS: Gabriele Carcassi, BNL
- PRIMA: Markus Lorch, VT
- gPLAZMA: Abhishek Singh Rana, UCSD; Timur Perelmutov, FNAL
- SAZ: Vijay Sekhri, FNAL; John Weigand, FNAL
- SRM-dCache: DESY/FNAL teams
24. Status
- gPLAZMA native role-based authz mode deployed at the USCMS Tier-2 production site at UCSD. Work in progress for deployment at the Tier-1 at FNAL.
- GUMS role-based authz mode in final stages of development/packaging.
- Deployment and usage of all modes on USCMS production dCache sites expected before Service Challenge 4.
25. Known Limitations
- Not (yet) implemented for dcap.
- Scalability of the site-central call-out not yet understood (gPLAZMA native is a viable fallback).
- vi/emacs is the only administrative interface.
- Options for communicating desired policies from VO to site are less than satisfactory (a general problem of role-based authz!).
26. Future Work
- Add a MySQL-based backend to replace the storage authz records configuration file.
- Complete gPLAZMA for dcap.
- Understand scalability of the site-wide call-out.
- Add an XACML-based authorization engine to dynamically assign storage authz mappings at the Site.
- Explore XACML/SAML rule-based policy declaration (VO-level) and policy computation (Site-level).
27. Thank You.