Dynamic Privilege Management Infrastructures Utilising Secure
Attribute Exchange
Dr John Watt, Grid Developer, National e-Science Centre
University of Glasgow
Overview
DyVOSE Overview
PERMIS
Static PMI Implementation
Shibboleth and the SAAM Module
Dynamic Delegation
Future Work
Dynamic Virtual Organisations for e-Science Education (DyVOSE) project
Two year project started 1st May 2004, funded by JISC
Exploring advanced authorisation infrastructures for security in the context of education
University of Kent provide authorisation software (PERMIS) and security expertise
Applied in Grid Computing module part of advanced MSc at the University of Glasgow
– Will provide insight into rolling out authorisation infrastructures/Grid to the masses
– Exploration of current state of the art in authorisation infrastructures
– Second phase of work involves NeSC Edinburgh
– Extensions to the existing PERMIS infrastructure to provide dynamic delegation of authority and recognition of authority
Project website: http://www.nesc.ac.uk/hub/projects/dyvose/
DyVOSE Overview
DyVOSE Participants
Dynamic Virtual Organisations in e-Science Education (DyVOSE) team
Principal Investigators: Dr Richard Sinnott (NeSC Glasgow), Prof David Chadwick (Kent)
Implementation: Dr John Watt (NeSC Glasgow), Dr Sassa Otenko (Kent), Mr Tuan Anh Nguyen (Kent), Mr Wensheng Xu (Kent)
Other Key People Involved: Dr David Berry (NeSC Edinburgh), Dr Sandy Shaw (EDINA) – SDSS/Shibboleth
Looking at applying existing PERMIS technology to establish static Privilege Management Infrastructure at GU
DyVOSE Workplan Phase 1 (diagram: ScotGrid, the GU Condor pool and other known Grid resources protected by PERMIS-based authorisation checks and decisions, driven by Education VO policies)
DyVOSE Workplan Phase 2/3 (diagram: ScotGrid, Condor pool and Blue Dwarf; PERMIS-based authorisation checks/decisions at Glasgow and Edinburgh, with Education VO policies at each site linked via Shibboleth; dynamically established VO resources/users and delegated VO policies)
Authorisation Technologies
CAS/VOMS
– Rights/roles asserted by centralised server
– No interpretation needed at resource end
– Flexible at VO level, but no resource level decisions
Akenti
– Access Control at Resource end (not central)
– Desirable
– Not VO specific
PERMIS
– X509 and SAML
PERMIS
PrivilEge and Role Management Infrastructure Standards validation
X509 Role Based Access Control (RBAC)
Attribute Certificates hold user roles in LDAP
XML policy defines the access control
Java API allows any app to be protected
Complex Policies and multiple Attribute Authorities supported
PERMIS Functionality
PERMIS allows you to define roles for who can do what on what
Policy = { Role x Target x Action }
– Can user X invoke service Y and access or change data Z?
» Policies created with PERMIS PolicyEditor (output is XML file)
PERMIS XML Policy
PERMIS based Authorisation
PERMIS Privilege Allocator then used to associate roles with specific users
Signed policies are stored as attribute certificates in LDAP server
Exploiting the GGF AuthZ specification: generic way to authorise access to Grid services using SAML callouts
– Based on GT3.3 – PERMIS
» Grid service (WSDD) has policy information associated with it
» DN of clients, target and actions checked when attempts made to invoke services
“BRIDGES and DyVOSE only projects exploiting this API right now” (Von Welch at AHM 2004)
Explorations in Grid Course
Students applied Policy Editor to develop security policy for use in their assignment
Sorting/searching “works of Shakespeare”
… run on single PC
… using training lab Condor pool
… as GT3.3/Condor service
… as GT3.3 service using GSI, to see how authorisation at service level achieved
– Service should be accessible by themselves and lecturing staff only
… as GT3.3-PERMIS authorised service, to see how authorisation at method level achieved
– Students split into groups (Gp1, Gp2)
» Sort method available to their group and lecturers only
» Search method available to all
Performance aspects investigated throughout…
Long time wrestling with GT3.3-PERMIS integration
– Some delays due to version issues with GT3.3
– Also required some debugging of GT3.3 (commenting out code)
Continued feedback on PERMIS tools
– Policy editor refinements
– Numerous discussions/meetings with Salford team on sorting out PERMIS-GT3.3 issues
Certificate dependencies in using PERMIS
– Expects certificates created using openSSL
Experience gained for DyVOSE Phase 2…
PERMIS/Globus Issues
SSO and Access Control on Web Resources
Home Institution AUTHENTICATES
– Recognised across the federation
– Temporary handle created
– Releases user attributes to service providers
– User can restrict attribute set release
Resource Institution AUTHORISES
– Using attributes passed by the home institution
– Resource has final access decision
– Resource trusts Home to release correct info…
We have V1.2 operating as part of SDSS…
Walkthrough provided on DyVOSE website
Messages are secure, attributes may not be!
– Shibboleth encodes its messages in SAMLv1.1
– But attributes are not digitally signed (plaintext)
Authz Configuration is Apache-based
– Any change to the rules requires a complete restart of the Web Server
Multiple Attribute Authorities unsupported
Coarse grained access control function
– “User A with Attribute B can access C”
Could PERMIS resolve these issues?
Attributes are stored in digitally signed X509 ACs
– User attributes are now secure
PERMIS PMI controls the Authorisation
– No Shibboleth/Apache restart when rules change
PERMIS supports multiple Sources of Authority
– User may select attributes from more than one AA
Complex access control policies
– Conditionals, Role Hierarchies
…again!
The PERMIS SAAM Module
Apache module providing an authorisation handling function
mod_permis loaded BEFORE Shibboleth module in Apache configuration file httpd.conf
Requires alteration of approx 5 files at federation sites
mod_permis can either
– Collect the ACs from LDAP itself (PULL mode)
– Be provided the ACs for decision (PUSH mode)
“Development of a Flexible PERMIS Authorisation Module for Shibboleth and Apache Server”, D. Chadwick, O. Otenko, W. Xu
The PERMIS SAAM Module
Dynamic Delegation
Static PMI successfully built at Glasgow
Goal is to build a PMI-based VO between Glasgow and Edinburgh
Requires provision for Dynamic Delegation of Authority
Extensions to the PERMIS software will implement this infrastructure
Two cases will be investigated:
– Static Delegation (easily done by adding Edinburgh SOA and Roles to Policy)
– Simple Dynamic delegation (this year’s Grid Course…)
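As an added illustration (not code from the DyVOSE project or from PERMIS), a toy policy decision function in Python that ties together the Policy = { Role x Target x Action } model, the Grid course rules (Sort for own group and lecturers only, Search for all) and the static delegation case just described: an AC is only honoured when its issuing Source of Authority is named in the policy, so adding the Edinburgh SOA is enough to recognise Edinburgh-issued roles. Target names, DNs and role names are constructed, and AC signature validation is assumed to have already taken place.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AttributeCert:
    """Stand-in for an X.509 AC (constructed); signature already validated."""
    holder: str   # user DN
    role: str     # role value carried by the AC
    issuer: str   # DN of the Source of Authority that signed it

@dataclass
class Policy:
    trusted_soas: set   # SOAs whose ACs this policy recognises
    hierarchy: dict     # superior role -> subordinate roles it inherits
    rules: set          # permitted (role, target, action) triples

    def effective_roles(self, role):
        # Walk the hierarchy: a superior role holds every subordinate role too.
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.hierarchy.get(r, ()))
        return seen

    def decide(self, holder, acs, target, action):
        """Can holder perform action on target, given the ACs found for them?"""
        roles = set()
        for ac in acs:  # ACs from unrecognised SOAs are simply ignored
            if ac.holder == holder and ac.issuer in self.trusted_soas:
                roles |= self.effective_roles(ac.role)
        return any((r, target, action) in self.rules for r in roles)

GLASGOW_SOA, EDINBURGH_SOA = "cn=SOA,o=Glasgow", "cn=SOA,o=Edinburgh"  # constructed
# Grid course rules: Sort open to own group and lecturers, Search open to all.
COURSE_POLICY = Policy(
    trusted_soas={GLASGOW_SOA},
    hierarchy={"lecturer": {"gp1", "gp2"}, "gp1": {"student"}, "gp2": {"student"}},
    rules={("gp1", "Gp1Service", "sort"), ("gp2", "Gp2Service", "sort"),
           ("student", "Gp1Service", "search"), ("student", "Gp2Service", "search")})

# ACs as they might sit in LDAP (constructed); Carol's AC is issued by Edinburgh.
ACS = [AttributeCert("cn=alice,o=Glasgow", "gp1", GLASGOW_SOA),
       AttributeCert("cn=bob,o=Glasgow", "gp2", GLASGOW_SOA),
       AttributeCert("cn=prof,o=Glasgow", "lecturer", GLASGOW_SOA),
       AttributeCert("cn=carol,o=Edinburgh", "gp1", EDINBURGH_SOA)]

def delegate_to_edinburgh(policy):
    """Static delegation as on the slides: add the Edinburgh SOA to the policy."""
    return Policy(policy.trusted_soas | {EDINBURGH_SOA}, policy.hierarchy, policy.rules)
```

Before delegation Carol's Edinburgh-issued AC yields no roles at all; after `delegate_to_edinburgh` the same AC grants her the Gp1 Sort right, which is the whole point of recognising a second SOA rather than re-issuing ACs.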
Static Delegation
Simple Dynamic Delegation
Future Work
Implementation of new PERMIS Dynamic Delegation Software
– DIS (Delegation Issuing Service)
– Cross-certification
– Role Mapping
Design of final student use-case to demonstrate dynamic PMI
Final Report on best practices and methods