Grid Authorization Landscape and Futures
Von Welch, NCSA, vwelch@ncsa.uiuc.edu
![Page 2: Grid Authorization Landscape and Futures Von Welch NCSA vwelch@ncsa.uiuc.edu](https://reader036.vdocument.in/reader036/viewer/2022062309/5697bf9e1a28abf838c944f6/html5/thumbnails/2.jpg)
Outline
- Grid Authorization Goals: where would we like to be…
- Current Grid Authorization: where we are…
- Future Grid Authorization: how are we going to start getting there…
Grid Authorization “Flow” (diagram): VO, User, Process and Resource, connected by three “Delegate” steps.
Ultimate Goal is Arbitrary Flows
Without Common Infrastructure (diagram; the only recoverable label is “Policy DB”)
Current State of Grid Authz (diagram): VO, User, Process and Enforcement, connected by three “Delegate” steps.
Current Resource Owner to VO
- Resource owner trusts an attribute authority run by the VO (e.g. VOMS, CAS)
- Trust instantiated through the key pair used by the attribute authority
- Trust may be scoped (more in enforcement…)
VO to User
- VO attribute authority issues assertions to users
- Attributes are limited by the ability of the enforcement system to understand them
- Today mostly group/role (VOMS); some capabilities-based systems emerging (PRIMA, VOMS, CAS)
User to Process
- User may delegate rights to processes to allow them to run on their behalf: X.509 Proxy Certificates
- Again, granularity of delegation is limited by the ability of the enforcement system to understand it
- Today mostly all or nothing, with some basic limitations (e.g. allowed to run a job?)
Resource Enforcement
- All of the ability to do delegation comes down to here, where it must be understood
- Vanilla GT understands simple delegation (all/nothing/job run), no attributes
- Modifications have emerged: VOMS has attribute capabilities for GRAM; CAS in GridFTP with file capabilities
- Modifications are painful, as they must be made to each application and protocol
Resource Enforcement
- Some richly featured authorization decision systems exist in the Grid community (Akenti, PERMIS); many others in the wider world
- How do we tie these into GT? A painful process of defining enforcement points and interfaces
GT2 Authz Callouts
- Extensions to GT2 to allow basic and GRAM authz callouts (dynamic libraries)
- Basic just allows for user and service; doesn’t understand the application, so no operation. Good for user-based ACLs, revocation, etc.
- GRAM has user, operation (RSL), service, job state; application-specific changes
- Success in initial deployments; enough to show the track looks promising
Future of Grid Authz
Future of Grid Authz
- How does OGSA help?
- How do we get big, smart enforcement systems? We can do any policy or delegation that the enforcement system understands
How does OGSA help?
- SOAP-based protocols allow credentials to be carried outside of the application protocol
- Solves the protocol problem of how to pass assertions around generically: don’t need to hack every application protocol
How does OGSA help?
- Web services define a common scheme for the service interface (WSDL): a well-defined name for the service, well-defined names for the operations and their arguments
- Allows a policy to talk about “Operation X on service Y” without knowing anything about the service
OGSA Service Authz
- This, combined with the hosting environment programming model, allows application-agnostic authorization separate from the application
- The hosting environment can peel off credentials, determine the request, and outsource the authorization decision
- Now possible to write one authz service that understands whatever credentials and policy are needed for a resource
OGSA Service Authorization (diagram): a Hosting Environment wraps the Application Logic of Service S1; User U1 sends a request for O2(); the hosting environment asks “Can U1 invoke O2 on S1?” and either passes the call through (Yes) or rejects it (No, Reject).
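The flow these slides describe (a VO attribute authority vouching for the user, the user delegating a subset of its rights to a process, and the hosting environment peeling credentials off the request and outsourcing the “Can U1 invoke O2 on S1?” decision), written up as an added Python model. This is example code for this page, not Globus, VOMS or OGSA-Authz code; the policy DB, the `vo-aa` authority name and the user/service/operation names are constructed. It also enforces the point the later XACML slide raises: each delegation hop can only narrow the rights it passes on, never widen them.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Assertion:  # attribute assertion from a VO attribute authority (group/role, VOMS-style)
    issuer: str
    subject: str
    roles: frozenset

@dataclass(frozen=True)
class Delegation:  # one proxy-style delegation hop; `ops` limits what the delegate may invoke
    delegator: str
    delegate: str
    ops: frozenset  # frozenset({"*"}) passes on everything the delegator holds

# Hypothetical resource policy DB: (service, operation) -> role the requestor needs.
POLICY = {("S1", "O2"): "analyst", ("S1", "O1"): "admin"}
TRUSTED_AA = frozenset({"vo-aa"})  # attribute authorities this resource owner trusts (constructed)

def walk_chain(requestor, chain, op):
    """Walk delegations back to the originating user; ok is False if a hop never granted `op` or the chain loops."""
    by_delegate = {d.delegate: d for d in chain}
    current, ok, seen = requestor, True, set()
    while current in by_delegate:
        if current in seen:
            return current, False
        seen.add(current)
        hop = by_delegate[current]
        if "*" not in hop.ops and op not in hop.ops:
            ok = False  # rights can only narrow along the chain, never widen
        current = hop.delegator
    return current, ok

def authorize(requestor, service, op, assertions, chain):
    """Outsourced decision: can `requestor` invoke `op` on `service`? Default deny."""
    required = POLICY.get((service, op))
    if required is None:
        return False
    root, ok = walk_chain(requestor, chain, op)
    if not ok:
        return False
    # Only roles asserted about the chain's root user by a trusted VO authority count.
    roles = {r for a in assertions if a.issuer in TRUSTED_AA and a.subject == root for r in a.roles}
    return required in roles

def hosting_env_dispatch(request, assertions, chain):
    """Hosting environment: peel off credentials, ask the authz service, then dispatch."""
    if not authorize(request["user"], request["service"], request["op"], assertions, chain):
        return "No, Reject"
    return f"{request['op']}() on {request['service']} invoked for {request['user']}"
# Constructed sample: the VO asserts U1 is an analyst; U1 delegates only O2 to its job P1.
ASSERTIONS = [Assertion("vo-aa", "U1", frozenset({"analyst"}))]
CHAIN = [Delegation("U1", "P1", frozenset({"O2"}))]
```

Because the decision is keyed only on (user, service, operation), the same `authorize` serves any service the hosting environment fronts, which is the application-agnostic property the slides are after.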
OGSA-Authz
- Standard protocol being worked on in GGF by the OGSA-Authz working group: allows any authz service and resource to talk, plus standards for attributes so the authz service can understand the attributes of the requestor
- Still to be seen how much policy is totally application agnostic and can be expressed in terms of user/service/operation
What about WS Security Standards?
- WS-Security OASIS TC: profiles for carrying credentials in SOAP
- It looks close to being done: 36 companies have agreed how to send username and password over the wire…
WS Security - SAML
- SAML attribute assertions look fairly stable; in use (Internet2 and others)
- Future of authorization is up in the air, may be subsumed by…
WS Security (cont)
- XACML: good basic language for expressing rights, but no way to express the right to delegate
- Can give rights to a VO but doesn’t allow the VO to delegate rights to a user, nor a user to a process
- Defines the start of an authz protocol; will it finish?
WS Security: current/proposed WSS specs (diagram of the layered stack)
- SOAP Foundation
- WS-Security
- WS-Policy, WS-Trust, WS-Privacy
- WS-SecureConversation, WS-Federation, WS-Authorization
- Status labels in the diagram: proposed, in progress, promised
WS Security (confusing picture): the same stack with the standardized and competing pieces added
- SOAP Foundation
- WS-Security
- WS-Privacy, WS-SecureConversation, WS-Federation, WS-Authorization
- WS-Trust, WS-Policy-*
- SAML, Liberty Alliance, XACML, XrML
- Status labels in the diagram: proposed, in progress, promised, standardized
Questions
- Where does privacy fit in Grid authorization? Do science grids care?
- Multiple credentials? When will we need them?
- How does one do least privilege delegation with late-binding jobs? If we leave it up to the users, I think we’re in trouble
More Questions
- More features tend to lead to more complexity, which leads to errors. Where to stop? Probably not close yet
- How fine grained does authorization need to be? What information is useful? Arguments, application state, user creds. How to pass this around reasonably? (Might be huge)
- How do you authorize “Give me all the database rows I have access to” when authorization is outsourced?