KAoS Semantic Policy and Domain Services - PowerPoint PPT Presentation (transcript)

1
KAoS Semantic Policy and Domain Services
  • An Application of DAML/OWL to a Web-Services
    Based Grid Architecture

2
Outline
  • Introduction
  • KAoS Overview
  • Integration of OGSA and KAoS
  • Related Work
  • Future Work

3
Introduction
  • IHMC has developed KAoS Services to manage
    multi-agent systems.
  • KAoS domain services provide an organizational
    structure to an agent community which facilitates
    policy management of agent actions.
  • The general nature of KAoS Services has enabled
    application in domains outside of agent systems.

4
Introduction
  • Grid researchers envision the formation of
    Virtual Organizations (VOs) [3], where people and
    resources gather to address complex problems that
    require extensive collaboration.
  • Most VOs are managed in a manner similar to
    network administration, which is inadequate for
    handling complex permissions and trust
    relationships.

5
Community work indicates need
  • The problem of service management and access
    control is shared by agent-based systems, Web
    services, and Grid computing.
  • Solutions are beginning to appear in all three
    communities:
  • Grid computing: Community Authorization Service
    (CAS) [5]
  • Web services: XACML [9]
  • Multi-agent systems: KAoS, Rei, Ponder, etc. [12]

6
Merging trends indicate opportunity
  • Grid computing and Web services:
  • They face similar challenges, such as service
    advertisement, matchmaking, etc.
  • The Globus Project presents the Open Grid Services
    Architecture (OGSA) [6], which is based on Web
    service specifications.
  • Agent-based systems, Web services and Grid
    computing:
  • Work on Semantic Web Services and the Semantic
    Grid makes them much better suited as platforms
    for multi-agent systems [7, 8].

7
Our approach
  • Apply KAoS Domain and Policy Services to manage
    the Web Services based OGSA-compliant Globus
    Toolkit 3 (GT3) Grid environment.

8
Outline
  • Introduction
  • KAoS Overview
  • Integration of OGSA and KAoS
  • Related Work
  • Future Work

9
KAoS overview
  • KAoS is a collection of componentized domain and
    policy services oriented to complex agent
    environments.
  • Based on the pluggable infrastructure of Java
    Agent Services (JAS) [1], KAoS is compatible with
    a number of agent or non-agent platforms,
    including:
  • the DARPA CoABS Grid,
  • Brahms, etc.,
  • and now GT3.

10
KAoS domain services
  • KAoS domain services structure groups of
    agents/resources/services into domains and
    subdomains.
  • Domains can represent any sort of group
    imaginable:
  • Complex organizational structures.
  • Dynamic task-oriented teams.
  • Grid Virtual Organizations for resource sharing.

11
KAoS policy services
  • KAoS policy services allow for specification,
    management, conflict resolution and disclosure of
    policies within domains.

12
Policy representation
  • KAoS policies are represented in DAML/OWL and are
    based on the KAoS Policy Ontologies (KPO).
  • The current version of KPO:
  • defines concepts including actions, actors,
    places, groups, policies, etc.,
  • distinguishes between authorizations and
    obligations, and
  • can be extended with additional classes and rules
    for a given application.

13
Policy specification
  • KAoS Policy Administration Toolkit (KPAT) makes
    policy creation and management easier.

18
Policy distribution and enforcement
  • Each agent is associated with a Guard.
  • All policies that pertain to an agent are
    distributed to its Guard.
  • A platform-specific Enforcer intercepts the
    agent's actions and queries the Guard to decide
    whether each action is authorized.
  • If not, the action is blocked by the
    platform-specific enforcement mechanism.

19
Outline
  • Introduction
  • KAoS Overview
  • Integration of OGSA and KAoS
  • Related Work
  • Future Work

20
Overview of the integration
  • KAoS and GT3 complement each other:
  • KAoS provides the policy and domain services
    needed by GT3.
  • GT3's Grid Security Infrastructure (GSI) provides
    the platform-specific enforcement mechanisms
    required by KAoS.
  • The KAoS Grid service provides the interface
    between GT3 and KAoS.

21
KAoS Grid Service Architecture
  (Diagram: a Client with its Grid Service Stub; the
  GT3 Container hosting the KAoS Grid Service behind
  its own Grid Service Stub; and the KAoS Domain and
  Policy Services and the KAoS Guard, each reached
  from the KAoS Grid Service over JAS.)
22
Registration
  • A client must register with KAoS Grid service in
    order to use the domain and policy services.
  • Clients that are not in a domain will only have
    limited default authorizations.
  • Clients send their own X.509 proxy certificates
    to the KAoS Grid Service for authentication.

23
Grid policy expression
  • Sample policy format:
  • It is permitted for actor(s) X to perform
    action(s) Y on target(s) Z.
  • Coarse-grain policies:
  • are based on the existing KPO, and
  • permit or forbid overall access to a Grid
    service.
  • An example:
  • It is forbidden for Client X to perform a
    communication action if the action has a
    destination of Chat Service Y.
  • Fine-grain policies:
  • require extending KPO with new concepts, and
  • permit or forbid access to an operation of a Grid
    service.

24
Ontology creation
  • Since Grid services require an extension to KPO,
    we are working on a tool that generates a DAML/OWL
    ontology from a given WSDL document.
  • The generated ontologies can be modified to refer
    to a generic ontology.
  • Grid administrators load the ontology extension
    and specify the policies using KPAT.

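The generation step described above, as an added example that is not the IHMC tool or any KAoS code: it reads a WSDL 1.1 document and emits an OWL ontology extension in Turtle with one target class for the service and one action class per operation, which is what fine-grain per-operation policies need. The sample WSDL, the `kpo:` class and property names (`GridService`, `GridServiceAccess`, `performedOn`) and the namespaces are constructed assumptions, not the real KPO vocabulary.

```python
"""Generate an OWL ontology extension from a WSDL document.

Added illustration, not the IHMC generator. The kpo: names below are
assumed stand-ins for KPO classes and properties, and the WSDL is made up.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Constructed WSDL for a hypothetical chat Grid service.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="ChatService"
    targetNamespace="http://example.org/chat"
    xmlns="http://schemas.xmlsoap.org/wsdl/">
  <portType name="ChatPortType">
    <operation name="postMessage">
      <input message="postMessageRequest"/>
      <output message="postMessageResponse"/>
    </operation>
    <operation name="readMessages">
      <input message="readMessagesRequest"/>
      <output message="readMessagesResponse"/>
    </operation>
  </portType>
</definitions>
"""

PREFIXES = (
    "@prefix owl:  <http://www.w3.org/2002/07/owl#> .\n"
    "@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .\n"
    "@prefix kpo:  <http://example.org/kpo#> .  # assumed KPO namespace\n"
    "@prefix ext:  <http://example.org/kpo-ext#> .\n"
)


def parse_wsdl(wsdl_text):
    """Return (service_name, [(portType, operation), ...]) from a WSDL 1.1
    document, rejecting anything that is not a <definitions> root."""
    root = ET.fromstring(wsdl_text)
    if root.tag != f"{{{WSDL_NS}}}definitions":
        raise ValueError("not a WSDL 1.1 definitions document")
    service = root.get("name")
    if not service:
        raise ValueError("definitions element has no name attribute")
    ops = []
    for port_type in root.findall(f"{{{WSDL_NS}}}portType"):
        for op in port_type.findall(f"{{{WSDL_NS}}}operation"):
            ops.append((port_type.get("name"), op.get("name")))
    return service, ops


def action_class(service, operation):
    """Name of the generated Action subclass for one operation."""
    return f"{service}_{operation}"


def generate_ontology(wsdl_text):
    """Emit Turtle: the service becomes a subclass of the generic target
    class kpo:GridService; each operation becomes a subclass of the generic
    action class kpo:GridServiceAccess, restricted (via the assumed property
    kpo:performedOn) to targets of that service. Policies can then name
    ext:ChatService_postMessage instead of 'any communication action'."""
    service, ops = parse_wsdl(wsdl_text)
    lines = [PREFIXES,
             f"ext:{service} a owl:Class ;\n"
             f"    rdfs:subClassOf kpo:GridService .\n"]
    for _port_type, operation in ops:
        lines.append(
            f"ext:{action_class(service, operation)} a owl:Class ;\n"
            f"    rdfs:subClassOf kpo:GridServiceAccess ;\n"
            f"    rdfs:subClassOf [ a owl:Restriction ;\n"
            f"        owl:onProperty kpo:performedOn ;\n"
            f"        owl:allValuesFrom ext:{service} ] .\n")
    return "\n".join(lines)


if __name__ == "__main__":
    print(generate_ontology(SAMPLE_WSDL))
```

The `kpo:` references are the hook the slide calls "refer to a generic ontology": the generated classes only add subclasses under existing KPO concepts, so coarse-grain policies written against `kpo:GridServiceAccess` keep covering the new per-operation classes.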
25
Policy deconfliction
  • KAoS can identify conflicts between policies
    using a theorem prover and can harmonize them if
    desired.

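A runnable sketch of the policy model from the "Policy representation" and "Grid policy expression" slides together with the conflict detection and harmonization described here. This is an added example, not KAoS code: the OWL class hierarchy and the theorem prover's subsumption reasoning are replaced by a hand-built parent map and a chain walk, and harmonization is done by giving the more specific policy precedence (an assumption; the real KAoS harmonizer is not described on the page). The class names, policy names and the `Anonymous` actor are constructed.

```python
"""Toy model of KAoS-style authorization policies and deconfliction.

Added illustration, not KAoS code. The class hierarchy, the policies and the
precedence-based harmonization are constructed assumptions.
"""
from dataclasses import dataclass
from itertools import combinations

# Constructed stand-in for an OWL ontology (child -> parent). The generic
# KPO concepts Actor, Action and Target are extended with Grid classes.
SUBCLASS_OF = {
    "Client": "Actor",
    "ClientX": "Client",
    "CommunicationAction": "Action",
    "GridServiceAccess": "CommunicationAction",
    "GridService": "Target",
    "ChatServiceY": "GridService",
    "FileServiceZ": "GridService",
}


def ancestors(cls):
    """cls followed by all its superclasses (transitive closure)."""
    chain = [cls]
    while cls in SUBCLASS_OF:
        cls = SUBCLASS_OF[cls]
        chain.append(cls)
    return chain


def subsumes(general, specific):
    """True when every instance of `specific` is also one of `general`."""
    return general in ancestors(specific)


def overlaps(a, b):
    """Two classes share instances when one subsumes the other."""
    return subsumes(a, b) or subsumes(b, a)


def specificity(cls):
    """Depth in the hierarchy; deeper classes are more specific."""
    return len(ancestors(cls))


@dataclass(frozen=True)
class Policy:
    """'It is <modality> for actor(s) to perform action(s) on target(s).'"""
    name: str
    actor: str
    action: str
    target: str
    modality: str  # "permit" (positive authorization) or "forbid" (negative)
    priority: int = 0


def applies(p, actor, action, target):
    return (subsumes(p.actor, actor) and subsumes(p.action, action)
            and subsumes(p.target, target))


def find_conflicts(policies):
    """Pairs of opposite-modality policies whose actor, action and target
    classes all overlap: some request could match both at once."""
    return [(p, q) for p, q in combinations(policies, 2)
            if p.modality != q.modality
            and overlaps(p.actor, q.actor)
            and overlaps(p.action, q.action)
            and overlaps(p.target, q.target)]


def harmonize(policies):
    """Resolve equal-priority conflicts by raising the priority of the more
    specific policy of each conflicting pair (assumed strategy)."""
    prio = {p.name: p.priority for p in policies}

    def spec(p):
        return specificity(p.actor) + specificity(p.action) + specificity(p.target)

    for p, q in find_conflicts(policies):
        if prio[p.name] == prio[q.name]:
            winner = p if spec(p) >= spec(q) else q
            prio[winner.name] += 1
    return [Policy(p.name, p.actor, p.action, p.target, p.modality, prio[p.name])
            for p in policies]


def decide(policies, actor, action, target, default="forbid"):
    """Guard decision: the highest-priority matching policies win; an
    unresolved permit/forbid tie, or no matching policy at all, denies
    (clients outside any domain get only the default)."""
    matches = [p for p in policies if applies(p, actor, action, target)]
    if not matches:
        return default
    top = max(p.priority for p in matches)
    modes = {p.modality for p in matches if p.priority == top}
    return "permit" if modes == {"permit"} else "forbid"


# Constructed policies: a coarse-grain permit for all clients, and the
# slide's example forbidding Client X from reaching Chat Service Y.
POLICIES = [
    Policy("P1", "Client", "CommunicationAction", "GridService", "permit"),
    Policy("P2", "ClientX", "CommunicationAction", "ChatServiceY", "forbid"),
]
```

Before harmonization a request from `ClientX` to `ChatServiceY` matches both policies at equal priority and is denied only because the tie rule is deny-by-default; after `harmonize` the forbid policy carries higher priority and the decision is explicit, while the same client's access to `FileServiceZ` is still permitted by the coarse-grain policy.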
26
Policy enforcement
  • Policies are forwarded to the Guard associated
    with the KAoS Grid service.
  • When a client requests a service, the KAoS Grid
    service checks whether the requested action is
    authorized by querying the Guard.
  • If the action is authorized, the KAoS Grid
    service returns a restricted proxy certificate
    that can be used to access the service.
  • The local security mechanism uses the restricted
    proxy certificate to allow or block the action.

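The issue-then-check flow above, as an added example that is not GT3 or KAoS code. A real deployment returns a restricted X.509 proxy certificate and lets GSI verify it; here an HMAC-signed token stands in for the certificate so the exchange runs without a PKI, and a fixed set of permitted (client, service, operation) triples stands in for the Guard. The signing key, client DN and service names are made up.

```python
"""Constructed model of the KAoS Grid service issuing a restricted credential
and the WS Security request handler checking it against the actual request.

Added illustration, not GT3/KAoS code: an HMAC token stands in for the
restricted proxy certificate, and GUARD_PERMITS stands in for the Guard.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"constructed-demo-key-do-not-reuse"  # KAoS Grid service secret

# Stand-in for the Guard: triples that policy permits.
GUARD_PERMITS = {
    ("/O=Grid/CN=ClientX", "FileServiceZ", "readFile"),
    ("/O=Grid/CN=ClientX", "ChatServiceY", "readMessages"),
}


def guard_authorizes(client, service, operation):
    return (client, service, operation) in GUARD_PERMITS


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_credential(client, service, operation, now=None, ttl=300):
    """KAoS Grid service: query the Guard and, on 'permit', return a
    credential restricted to exactly this client, service and operation.
    Returns None when the action is forbidden."""
    if not guard_authorizes(client, service, operation):
        return None
    now = time.time() if now is None else now
    claims = {"sub": client, "svc": service, "op": operation, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def handler_admits(credential, client, service, operation, now=None):
    """WS Security request handler: verify the issuer's signature, then check
    that the restriction in the credential matches the request actually being
    made (the 'do the arrows match' check). Any parse or verification failure,
    a replay against another operation, or an expired credential denies."""
    try:
        payload_b64, sig_b64 = credential.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False
        claims = json.loads(payload)
        now = time.time() if now is None else now
        return (claims["sub"] == client and claims["svc"] == service
                and claims["op"] == operation and claims["exp"] > now)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
```

The point of binding the operation into the credential is that a client holding a credential for `readFile` cannot reuse it for `deleteFile` on the same service: the handler compares the credential's restriction with the request, not merely the client's identity, which is what lets the service and client source code stay unmodified.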
27
Local Security Mechanism
  (Diagram; the arrows represent SOAP messages: the
  Client's Stub calls the KAoS Grid Service, which
  consults KAoS and returns a Credential if the
  request is authorized; the Stub then presents the
  Credential with its request to the WS Security
  Request Handler, which checks whether the credential
  matches the request before passing it to the Grid
  Service.)
28
Impact on GT3
  • GT3 components that need to be modified:
  • The Grid service skeleton that all Grid services
    are based on.
  • The WS Security Request Handler, which intercepts
    all incoming messages of a service container.
  • Client stubs.
  • Things that do not need to be modified:
  • Service source code.
  • Client source code.

29
Outline
  • Introduction
  • KAoS Overview
  • Integration of OGSA and KAoS
  • Related Work
  • Future Work

30
Related work
  • Web service approaches
  • WS-Security, XACML and SAML
  • Globus approach
  • Community Authorization Service

31
Web service approaches
  • WS-Security is complementary to this work,
    providing for the basic needs of message
    integrity, confidentiality, and single-message
    authentication [10].
  • XACML provides a schema and namespaces for
    access control policies [9].
  • The disadvantage of XACML is that the meanings of
    its terms are implicit.
  • Implicit semantics assume a consensus in human
    interpretation; ambiguity arises when
    interpretations differ.
  • DAML-based policies can be mapped to lower-level
    XACML representations.

32
Web service approaches (contd)
  • SAML allows for exchanging authentication and
    authorization information [10].
  • In the SAML model, policies are gathered at the
    Policy Decision Point (PDP).
  • The PDP returns the policy decision to the Policy
    Enforcement Point (PEP).
  • Disadvantage of the SAML model:
  • SAML puts too much burden on services by
    requiring them to gather the evidence needed for
    the policy decision.

33
Comparison of CAS and KAoS
  • Compatibility:
  • CAS is a prototype that only works with a special
    version of the GridFTP service of GT2.
  • KAoS is designed to work with OGSA-compliant GT3.
  • Policy expression and reasoning:
  • The CAS server stores the policies as a list of
    rights.
  • KAoS uses DAML/OWL and the Java Theorem Prover
    (JTP) to express and reason about policies.

34
Outline
  • Introduction
  • KAoS Overview
  • Integration of OGSA and KAoS
  • Related Work
  • Future Work

35
Obligations
  • Authorization vs. Obligation:
  • authorizations: constraints that permit or
    forbid some action
  • obligations: constraints that require some
    action to be performed, or else serve to waive
    such a requirement
  • KAoS Obligations are working in other areas
    (CoAX, NASA IS, HyRes, etc.)
  • Implementing Obligations with Grid services will
    require some additional handlers and more
    sophisticated action-to-ontology mapping, but
    should still not impact the client or service
    source code.
  • Enablers are components that provide capabilities
    the client may lack in order to meet an obligation.

37
Generalization to Web services
  • Our KAoS implementation on GT3 actually governs
    all GSI-enabled Web services.
  • We are monitoring the progress of Web service
    security standards.

  (Diagram: overlapping sets of Web services,
  GSI-enabled Web services, Grid services, and
  Secure Grid services.)
38
Questions?
39
References
  1. Arnold, G., J. Bradshaw, B. de hOra, D.
     Greenwood, M. Griss, D. Levine, F. McCabe, A.
     Spydell, H. Suguri, S. Ushijima. (2002) Java
     Agent Services Specification.
     http://www.java-agent.org/
  2. Foster, I., Kesselman, C., Nick, J., Tuecke, S.
     (2002). The Physiology of the Grid: An Open Grid
     Services Architecture for Distributed Systems
     Integration. Open Grid Service Infrastructure
     Working Group, Global Grid Forum, 22 June.
  3. Foster, I., Kesselman, C., and Tuecke, S. (2001).
     The Anatomy of the Grid: Enabling Scalable
     Virtual Organizations. International J.
     Supercomputer Applications, 15(3).
  4. Foster, I., and C. Kesselman. (1998) The Globus
     Project: A Status Report. Heterogeneous Computing
     Workshop, IEEE Press, 1998, 4-18.
  5. Pearlman, L., Welch, V., Foster, I., Kesselman,
     C., Tuecke, S. (2002) A Community Authorization
     Service for Group Collaboration. IEEE Workshop on
     Policies for Distributed Systems and Networks.
  6. Tuecke, S., Czajkowski, K., Foster, I., Frey, J.,
     Graham, S., Kesselman, C. (2002) Grid Service
     Specification.
     http://www.gridforum.org/ogsi-wg/drafts/GS_Spec_draft03_2002-07-17.pdf
  7. http://www.semanticgrid.org
  8. http://www.semanticweb.org
  9. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
  10. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
  11. http://www-fp.globus.org/security/CAS/CAS-Overview.ppt
  12. Tonti, G., Bradshaw, J., Jeffers, R., Montanari,
      R., Suri, N., Uszok, A. (2003), Semantic Web
      Languages for Policy Representation and
      Reasoning: A Comparison of KAoS, Rei and Ponder.
      Submitted to the 2nd International Semantic Web
      Conference (ISWC2003), Sanibel Island, Florida,
      USA.