KAoS Semantic Policy and Domain Services
An Application of DAML/OWL to a Web-Services Based Grid Architecture
Outline
- Introduction
- KAoS Overview
- Integration of OGSA and KAoS
- Related Work
- Future Work
Introduction
- IHMC has developed KAoS Services to manage multi-agent systems.
- KAoS domain services give an agent community an organizational structure, which facilitates policy management of agent actions.
- The general nature of KAoS Services has enabled their application in domains outside agent systems.
Introduction (cont'd)
- Grid researchers envision the formation of Virtual Organizations (VOs) [3], where people and resources gather to address complex problems that require extensive collaboration.
- Most VOs are managed in a manner similar to network administration, which is inadequate for handling complex permission and trust relationships.
Community work indicates need
- The problem of service management and access control is shared by agent-based systems, Web services, and Grid computing.
- Solutions are beginning to appear in all three communities:
  - Grid computing: Community Authorization Service (CAS) [5]
  - Web services: XACML [9]
  - Multi-agent systems: KAoS, Rei, Ponder, etc. [12]
Merging trends indicate opportunity
- Grid computing and Web services:
  - They face similar challenges, such as service advertisement and matchmaking.
  - The Globus Project presents the Open Grid Services Architecture (OGSA) [6], which is based on Web service specifications.
- Agent-based systems, Web services and Grid computing:
  - Work on Semantic Web Services and the Semantic Grid makes them much better suited as platforms for multi-agent systems [7, 8].
Our approach
- Apply KAoS Domain and Policy Services to manage the Web-services-based, OGSA-compliant Globus Toolkit 3 (GT3) Grid environment.
KAoS overview
- KAoS is a collection of componentized domain and policy services oriented to complex agent environments.
- Based on the pluggable infrastructure of Java Agent Services (JAS) [1], KAoS is compatible with a number of agent and non-agent platforms, including the DARPA CoABS Grid, Brahms, etc., and now GT3.
KAoS domain services
- KAoS domain services structure groups of agents, resources and services into domains and subdomains.
- Domains can represent any sort of group imaginable:
  - Complex organizational structures.
  - Dynamic task-oriented teams.
  - Grid Virtual Organizations for resource sharing.
KAoS policy services
- KAoS policy services allow for specification, management, conflict resolution and disclosure of policies within domains.
Policy representation
- KAoS policies are represented in DAML/OWL and are based on the KAoS Policy Ontologies (KPO).
- The current version of KPO:
  - defines concepts including actions, actors, places, groups, policies, etc.,
  - distinguishes between authorizations and obligations, and
  - can be extended with additional classes and rules for a given application.
Policy specification
- The KAoS Policy Administration Toolkit (KPAT) makes policy creation and management easier.
Policy distribution and enforcement
- Each agent is associated with a Guard.
- All policies that pertain to an agent are distributed to its Guard.
- A platform-specific Enforcer intercepts the agent's actions and queries the Guard to decide whether they are authorized.
- If not, the actions are blocked by platform-specific enforcement mechanisms.
Overview of the integration
- KAoS and GT3 complement each other well because:
  1. KAoS provides the policy and domain services needed by GT3.
  2. GT3 GSI provides the platform-specific enforcement mechanisms required by KAoS.
- The KAoS Grid service provides the interface between GT3 and KAoS.
KAoS Grid Service Architecture
[Figure: components are the Client, a Grid Service Stub, the KAoS Grid Service inside the GT3 Container, JAS, the KAoS Guard, and the KAoS Domain and Policy Services.]
Registration
- A client must register with the KAoS Grid service in order to use the domain and policy services.
  - Clients that are not in a domain have only limited default authorizations.
  - Clients send their own X.509 proxy certificates to the KAoS Grid Service for authentication.
Grid policy expression
- Sample policy format: It is permitted for actor(s) X to perform action(s) Y on target(s) Z.
- Coarse-grain policies are based on the existing KPO and permit or forbid overall access to a Grid service. An example:
  - It is forbidden for Client X to perform a communication action if the action has a destination of Chat Service Y.
- Fine-grain policies require extending KPO with new concepts, and permit or forbid access to an individual operation of a Grid service.
Ontology creation
- Since Grid services require an extension to KPO, we are working on a tool to generate a DAML/OWL ontology for a given WSDL document.
- The generated ontologies can be modified to refer to a generic ontology.
- Grid administrators load the ontology extension and specify the policies using KPAT.
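The WSDL-to-ontology step, as an added Python sketch that is not the IHMC tool the slide refers to and not part of the original deck: it reads the portType operations of a (constructed) WSDL 1.1 document and emits RDF/XML with one class for the service and one class per operation, each declared a subclass of a class in a generic ontology, so that fine-grain policies can name a single operation. The generic ontology URI and its classes GridService and GridServiceOperation are assumptions.

```python
"""Generate a DAML/OWL-style ontology extension from a WSDL document so that
fine-grain policies can refer to individual operations.  Added illustration,
not the IHMC tool mentioned on the slide.  The generic ontology URI and its
classes GridService and GridServiceOperation are assumptions."""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
OWL_NS = "http://www.w3.org/2002/07/owl#"
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RDFS_NS = "http://www.w3.org/2000/01/rdf-schema#"
GENERIC_NS = "http://example.org/kaos/grid-generic#"   # assumed generic ontology

# Constructed WSDL 1.1 fragment; not a real GT3 service description.
SAMPLE_WSDL = """<definitions name="ChatService" targetNamespace="http://example.org/chat"
             xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://example.org/chat">
  <portType name="ChatPortType">
    <operation name="sendMessage"><input message="tns:SendMessageRequest"/></operation>
    <operation name="getHistory"><input message="tns:GetHistoryRequest"/></operation>
  </portType>
</definitions>"""


def operations_of(wsdl_text):
    """Return (service name, target namespace, [(portType, operation), ...])."""
    root = ET.fromstring(wsdl_text)
    ops = [(pt.get("name"), op.get("name"))
           for pt in root.findall(f"{{{WSDL_NS}}}portType")
           for op in pt.findall(f"{{{WSDL_NS}}}operation")]
    return root.get("name"), root.get("targetNamespace"), ops


def wsdl_to_ontology(wsdl_text):
    """Emit RDF/XML with one class for the service and one per operation, each a
    subclass of a class from the generic ontology; returns (xml, class URIs)."""
    name, tns, ops = operations_of(wsdl_text)
    for prefix, uri in (("owl", OWL_NS), ("rdf", RDF_NS), ("rdfs", RDFS_NS)):
        ET.register_namespace(prefix, uri)
    rdf = ET.Element(f"{{{RDF_NS}}}RDF")
    onto = ET.SubElement(rdf, f"{{{OWL_NS}}}Ontology", {f"{{{RDF_NS}}}about": tns})
    ET.SubElement(onto, f"{{{OWL_NS}}}imports",
                  {f"{{{RDF_NS}}}resource": GENERIC_NS.rstrip("#")})

    def add_class(local, parent, comment):
        uri = f"{tns}#{local}"
        cls = ET.SubElement(rdf, f"{{{OWL_NS}}}Class", {f"{{{RDF_NS}}}about": uri})
        ET.SubElement(cls, f"{{{RDFS_NS}}}subClassOf",
                      {f"{{{RDF_NS}}}resource": GENERIC_NS + parent})
        ET.SubElement(cls, f"{{{RDFS_NS}}}comment").text = comment
        return uri

    classes = [add_class(name, "GridService", f"Grid service {name}")]
    for port_type, op in ops:   # one class per operation, for fine-grain policies
        classes.append(add_class(f"{name}.{op}", "GridServiceOperation",
                                 f"operation {op} of portType {port_type}"))
    return ET.tostring(rdf, encoding="unicode"), classes


def classes_in(ontology_xml):
    """Read back (class URI, superclass URI) pairs from the emitted RDF/XML."""
    root = ET.fromstring(ontology_xml)
    return [(c.get(f"{{{RDF_NS}}}about"),
             c.find(f"{{{RDFS_NS}}}subClassOf").get(f"{{{RDF_NS}}}resource"))
            for c in root.findall(f"{{{OWL_NS}}}Class")]


if __name__ == "__main__":
    print(wsdl_to_ontology(SAMPLE_WSDL)[0])
```

The operation classes are what an administrator would then pick in KPAT as the action of a fine-grain policy; pointing the `owl:imports` at a shared generic ontology is what lets several service-specific extensions be loaded side by side without redefining the common classes.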
Policy deconfliction
- KAoS can identify conflicts between policies by means of a theorem prover, and can harmonize them if desired.
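The Guard/Enforcer model from the policy distribution slide, the "actor X, action Y, target Z" policy format from the Grid policy expression slide, and the deconfliction step above, as one added Python sketch that is not part of the original slides and not KAoS code. A small subclass table stands in for the DAML/OWL classes of the KPO, a subsumption check stands in for the theorem prover, and the class names, policy names and the priority-based harmonization are assumptions. It shows why deconfliction has to happen before policies reach a Guard: two overlapping permit/forbid policies at equal priority leave the Guard no way to decide, so the sketch fails closed in that case, while harmonizing gives the more specific policy precedence and flags cross-cutting conflicts for the administrator.

```python
"""Toy model of KAoS-style authorization policies, a Guard that answers
"is this action authorized?", an Enforcer that blocks unauthorized actions,
and policy deconfliction by class subsumption.  Added illustration only, not
IHMC's KAoS code; the class names below are assumptions standing in for
DAML/OWL classes of the KPO, and the subsumption check stands in for the
theorem prover."""
from dataclasses import dataclass, replace
from itertools import combinations

# Direct-superclass table (None marks a root); KPO would express this in DAML/OWL.
SUBCLASS_OF = {
    "Actor": None, "Client": "Actor", "VOMember": "Client",
    "Action": None, "CommunicationAction": "Action",
    "ServiceInvocation": "CommunicationAction",
    "ChatService.sendMessage": "ServiceInvocation",  # fine-grain: one WSDL operation
    "Target": None, "GridService": "Target", "ChatService": "GridService",
}


def subsumes(general, specific):
    """True if `specific` is `general` or one of its (transitive) subclasses."""
    c = specific
    while c is not None:
        if c == general:
            return True
        c = SUBCLASS_OF[c]
    return False


@dataclass(frozen=True)
class Policy:
    name: str
    modality: str      # "permit" (positive authorization) or "forbid" (negative)
    actor: str
    action: str
    target: str
    priority: int = 0  # among applicable policies, the highest priority decides

    def slots(self):
        return (self.actor, self.action, self.target)

    def applies_to(self, actor, action, target):
        return all(subsumes(g, s) for g, s in zip(self.slots(), (actor, action, target)))

    def overlaps(self, other):
        """Some concrete action could match both policies."""
        return all(subsumes(a, b) or subsumes(b, a)
                   for a, b in zip(self.slots(), other.slots()))

    def more_specific_than(self, other):
        return self.slots() != other.slots() and all(
            subsumes(g, s) for g, s in zip(other.slots(), self.slots()))


class Guard:
    """Holds the policies distributed to it and decides on intercepted actions."""

    def __init__(self, policies):
        self.policies = list(policies)

    def is_authorized(self, actor, action, target):
        applicable = [p for p in self.policies if p.applies_to(actor, action, target)]
        if not applicable:
            return False                      # closed world: no policy, no permission
        top = max(p.priority for p in applicable)
        # An equal-priority clash of permit and forbid is what deconfliction is
        # supposed to remove; if one is still present, fail closed.
        return all(p.modality == "permit" for p in applicable if p.priority == top)


def enforce(guard, actor, action, target, operation):
    """Platform-specific Enforcer: run `operation` only if the Guard authorizes it."""
    if not guard.is_authorized(actor, action, target):
        raise PermissionError(f"{actor} may not perform {action} on {target}")
    return operation()


def find_conflicts(policies):
    """Overlapping permit/forbid pairs at equal priority: the Guard could not decide."""
    return [(p, q) for p, q in combinations(policies, 2)
            if p.modality != q.modality and p.priority == q.priority and p.overlaps(q)]


def harmonize(policies, max_rounds=100):
    """Give each policy precedence over the more general one it contradicts by
    raising its priority; return (policies, conflicts left for the administrator)."""
    pols = {p.name: p for p in policies}
    for _ in range(max_rounds):
        changed = False
        for a, b in combinations(list(pols), 2):
            p, q = pols[a], pols[b]
            if p.modality == q.modality or not p.overlaps(q):
                continue
            for spec, gen in ((p, q), (q, p)):
                if spec.more_specific_than(gen) and spec.priority <= gen.priority:
                    pols[spec.name] = replace(spec, priority=gen.priority + 1)
                    changed = True
        if not changed:
            break
    result = list(pols.values())
    return result, find_conflicts(result)


# Constructed policy set.  "chat-forbid" is the slide's example: a Client may
# not perform a communication action whose destination is the Chat Service.
POLICIES = [
    Policy("coarse-permit", "permit", "Client", "ServiceInvocation", "GridService"),
    Policy("chat-forbid", "forbid", "Client", "ServiceInvocation", "ChatService"),
    Policy("vo-chat-send", "permit", "VOMember", "ChatService.sendMessage", "ChatService"),
]

if __name__ == "__main__":
    harmonized, unresolved = harmonize(POLICIES)
    guard = Guard(harmonized)
    print(enforce(guard, "VOMember", "ChatService.sendMessage", "ChatService", lambda: "sent"))
```

After harmonization the coarse permission, the chat prohibition and the VO-member exception end up at priorities 0, 1 and 2, so a VO member may call ChatService.sendMessage while an ordinary client is blocked; a pair such as "permit Client CommunicationAction on ChatService" against "forbid VOMember ServiceInvocation on GridService", where neither policy is more specific than the other, stays in the returned conflict list because no priority assignment follows from the ontology alone.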
Policy enforcement
- Policies are forwarded to the Guard associated with the KAoS Grid service.
- When a client requests a service, the KAoS Grid service checks whether the requested action is authorized by querying the Guard.
- If the action is authorized, the KAoS Grid service returns a restricted proxy certificate that can be used to access the service.
- The local security mechanism uses the restricted proxy certificate to allow or block the actions.
Local Security Mechanism
[Figure: the Client obtains a KAoS Grid Service credential from KAoS (if authorized) and sends its request, with the credential, through the Stub; the WS Security Request Handler in front of the Grid Service checks whether the request and the credential match. The arrows represent SOAP messages.]
Impact on GT3
- GT3 components that need to be modified:
  - The Grid service skeleton that all Grid services are based on.
  - The WS Security Request Handler, which intercepts all incoming messages of a service container.
  - Client stubs.
- Things that do not need to be modified:
  - Service source code.
  - Client source code.
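The credential flow from the policy enforcement slide and the Local Security Mechanism figure, as an added Python sketch that is not part of the original deck and not GT3/GSI code. GT3 issued X.509 restricted proxy certificates; here an HMAC-signed token, the SOAP header name, the namespace and the shared key are stand-ins (assumptions), and the Guard query is abstracted as a callable. The sketch shows the three checks the modified request handler has to make for the figure's "do the arrows match" question: the credential must verify, it must have been issued to the client that GSI authenticated, and it must cover exactly the operation the SOAP body invokes.

```python
"""Simulate the KAoS Grid service handing a client a restricted credential
and the modified WS Security Request Handler checking it before the Grid
service sees the call.  Added illustration, not GT3/GSI code: GT3 used X.509
restricted proxy certificates, while the HMAC-signed token, the SOAP header
name and the shared key below are stand-ins (assumptions)."""
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
KAOS_NS = "http://example.org/kaos/credential"           # assumed header namespace
ISSUER_KEY = b"constructed-demo-key-not-for-production"  # shared by issuer and handler


def _sign(payload):
    return base64.b64encode(hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()).decode()


def issue_credential(authorize, client_dn, service, operation, ttl=300, now=None):
    """KAoS Grid service: ask the Guard (here the callable `authorize`) and, if the
    action is permitted, return a credential restricted to this client, service
    and operation.  Returns None when the Guard refuses."""
    if not authorize(client_dn, service, operation):
        return None
    issued = int(time.time() if now is None else now)
    claims = {"sub": client_dn, "svc": service, "op": operation, "exp": issued + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.b64encode(payload).decode() + "." + _sign(payload)


def build_request(credential, service, operation):
    """Modified client stub: carry the credential in a SOAP header, the call in the body."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:k="{KAOS_NS}">'
            f'<soap:Header><k:Credential>{credential}</k:Credential></soap:Header>'
            f'<soap:Body><{operation} xmlns="{service}"/></soap:Body></soap:Envelope>')


def check_request(envelope, authenticated_dn, now=None):
    """Modified WS Security Request Handler: the credential must verify, and its
    restriction must match the GSI-authenticated caller and the operation the
    body actually invokes ("checks whether the arrows match")."""
    root = ET.fromstring(envelope)
    cred = root.find(f"{{{SOAP_NS}}}Header/{{{KAOS_NS}}}Credential")
    call = root.find(f"{{{SOAP_NS}}}Body/*")
    if cred is None or not cred.text or call is None:
        return False, "missing credential or body"
    try:
        b64_payload, sig = cred.text.split(".")
        payload = base64.b64decode(b64_payload, validate=True)
    except ValueError:
        return False, "malformed credential"
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad signature"
    claims = json.loads(payload)
    parts = call.tag.lstrip("{").split("}", 1)    # "{service-ns}operation"
    if len(parts) != 2:
        return False, "unqualified body element"
    if claims["sub"] != authenticated_dn:
        return False, "credential issued to a different client"
    if (claims["svc"], claims["op"]) != (parts[0], parts[1]):
        return False, "credential does not cover this operation"
    if claims["exp"] <= (time.time() if now is None else now):
        return False, "credential expired"
    return True, "ok"
```

Because the restriction is bound to the authenticated identity and to the operation, a credential that one client obtained cannot be replayed by another client, and a credential obtained for sendMessage cannot be presented for getHistory; both checks live in the request handler, so neither the service nor the client source code changes.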
Related work
- Web service approaches: WS-Security, XACML and SAML
- Globus approach: Community Authorization Service
Web service approaches
- WS-Security is complementary to this work, providing for the basic needs of message integrity, confidentiality, and single-message authentication [10].
- XACML provides a schema and namespaces for access control policies [9].
  - The disadvantage of XACML is that the meanings of its policies are implicit.
  - Implicit semantics assume a consensus in human interpretation; ambiguity arises when interpretations differ.
  - DAML-based policies can be mapped to lower-level XACML representations.
Web service approaches (cont'd)
- SAML allows for exchanging authentication and authorization information [10].
- In the SAML model, policies are gathered at the Policy Decision Point (PDP).
- The PDP returns the policy decision to the Policy Enforcement Point (PEP).
- Disadvantage of the SAML model:
  - SAML puts too much burden on services by requiring them to gather the evidence needed for the policy decision.
Comparison of CAS and KAoS
- Compatibility:
  - CAS is a prototype that only works with a special version of the GridFTP service of GT2.
  - KAoS is designed to work with OGSA-compliant GT3.
- Policy expression and reasoning:
  - The CAS server stores policies as a list of rights.
  - KAoS uses DAML/OWL and the Java Theorem Prover (JTP) to express and reason about policies.
Obligations
- Authorization vs. obligation:
  - authorizations = constraints that permit or forbid some action
  - obligations = constraints that require some action to be performed, or else serve to waive such a requirement
- KAoS obligations are already working in other areas (CoAX, NASA IS, HyRes, etc.).
- Implementing obligations with Grid services will require some additional handlers and more sophisticated action-to-ontology mapping, but should still not impact the client or service source code.
- Enablers are components that provide capabilities the client may lack in order to meet an obligation.
Generalization to Web services
- Our KAoS implementation on GT3 actually governs all GSI-enabled Web services.
- We are monitoring the progress of Web service security standards.
[Figure labels: Web services; GSI-enabled Web services; Grid services; Secure Grid services.]
References
1. Arnold, G., Bradshaw, J., de hOra, B., Greenwood, D., Griss, M., Levine, D., McCabe, F., Spydell, A., Suguri, H., & Ushijima, S. (2002). Java Agent Services Specification. http://www.java-agent.org/
2. Foster, I., Kesselman, C., Nick, J., & Tuecke, S. (2002). The Physiology of the Grid: An Open Grid Services Architecture for Distributed Systems Integration. Open Grid Service Infrastructure Working Group, Global Grid Forum, 22 June.
3. Foster, I., Kesselman, C., & Tuecke, S. (2001). The Anatomy of the Grid: Enabling Scalable Virtual Organizations. International J. Supercomputer Applications, 15(3).
4. Foster, I., & Kesselman, C. (1998). The Globus Project: A Status Report. Heterogeneous Computing Workshop, IEEE Press, 4-18.
5. Pearlman, L., Welch, V., Foster, I., Kesselman, C., & Tuecke, S. (2002). Community Authorization Service for Group Collaboration. IEEE Workshop on Policies for Distributed Systems and Networks.
6. Tuecke, S., Czajkowski, K., Foster, I., Frey, J., Graham, S., & Kesselman, C. (2002). Grid Service Specification. http://www.gridforum.org/ogsi-wg/drafts/GS_Spec_draft03_2002-07-17.pdf
7. http://www.semanticgrid.org
8. http://www.semanticweb.org
9. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
10. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
11. http://www-fp.globus.org/security/CAS/CAS-Overview.ppt
12. Tonti, G., Bradshaw, J., Jeffers, R., Montanari, R., Suri, N., & Uszok, A. (2003). Semantic Web Languages for Policy Representation and Reasoning: A Comparison of KAoS, Rei and Ponder. Submitted to the 2nd International Semantic Web Conference (ISWC2003), Sanibel Island, Florida, USA.