1
Globus Toolkit Security
Rachana Ananthakrishnan
Frank Siebenlist
Argonne National Laboratory
2
Security Components
Features
– Authentication
– Message security
– Authorization
– Delegation
Implementations in C and Java
Used in pre-WS and WS components
Talk focuses on recent and upcoming work
3
Java Authorization Framework
4
Authorization
Establishing rights of an identity
– Can user do some action on some resource
Identity-based authorization
– Scalability issues
Attribute-based authorization
– Authorization policy can use attributes
Authorization with obligation
5
Authorization Framework
Policy Information Points (PIPs)
– Collect attributes (subject, action, resource)
– E.g.: Operation Parameter PIP
Policy Decision Points (PDPs)
– Evaluate authorization policy
– E.g.: GridMap Authorization, Self Authorization
Authorization Engine
– Orchestrates authorization process
– Enforce distributed authorization policy
– Combining algorithm to render a decision
6
GT 4.0 Authorization Framework
[Figure: Policy Enforcement Point; Authorization Engine (deny-override) over PIP1, PIP2 … PIPn and PDP1, PDP2 … PDPn; Web Services Message Context (stores attributes); Permit/Deny decisions.]
7
AuthZ Framework Enhancements
Modular code base
– Independent module
> Removed web services dependency
> Separated from Java WS Core
– Java interfaces
Improved attribute processing
– Normalized attribute representation
– Comparison of attributes across sources
– Merging of attributes of same entities
8
AuthZ Framework Enhancements
Separate interface for request attributes
– Bootstrap PIP interface
Improved authorization engine
– Pluggable engine algorithm
– Decision issuer part of decision making process
– Administration and Access privileges
– Default Algorithm: Permit-override combining algorithm
> Construct decision Chain from Requestor to Owner
9
GT 4.2 Authorization Framework
[Figure: Policy Enforcement Point; Authorization Engine with bPIP1 [owner1] … bPIPn [ownerN] (request attributes), PIP1 [owner1] … PIPn [ownerN] (PIP attribute processing, attributes), and PDP1 [owner1] … PDPn [ownerN] (canAdmin, canAccess) feeding the PDP combining algorithm; Decision.]
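An added sketch (not Globus Toolkit code and not its Java API) contrasting the two combining algorithms named on these slides: GT 4.0's deny-override and GT 4.2's permit-override with a decision chain from requestor to owner. The `PDP` class, the subject names and the way the chain is searched are assumptions made for illustration.

```python
from dataclasses import dataclass

PERMIT, DENY = "Permit", "Deny"

@dataclass(frozen=True)
class PDP:
    """Constructed model: a PDP, its owner (decision issuer) and its policy."""
    owner: str
    admins: frozenset = frozenset()     # subjects granted canAdmin
    accessors: frozenset = frozenset()  # subjects granted canAccess

    def can_admin(self, subject):
        return subject in self.admins

    def can_access(self, subject):
        return subject in self.accessors

def deny_override(pdps, subject):
    """GT 4.0 style: a single Deny from any PDP denies the request."""
    return PERMIT if pdps and all(p.can_access(subject) for p in pdps) else DENY

def chain_to_owner(pdps, issuer, resource_owner, seen=frozenset()):
    """Return [issuer, ..., resource_owner] if canAdmin grants link them."""
    if issuer == resource_owner:
        return [issuer]
    if issuer in seen:  # delegation loop: stop, no path this way
        return None
    for pdp in pdps:
        if pdp.can_admin(issuer):
            rest = chain_to_owner(pdps, pdp.owner, resource_owner, seen | {issuer})
            if rest:
                return [issuer] + rest
    return None

def permit_override(pdps, subject, resource_owner):
    """GT 4.2 style: one Permit suffices if its issuer traces back to the owner."""
    for pdp in pdps:
        if pdp.can_access(subject):
            chain = chain_to_owner(pdps, pdp.owner, resource_owner)
            if chain:
                return PERMIT, [subject] + chain
    return DENY, []

# Constructed sample policy: the owner delegates admin to "vo-admin",
# "vo-admin" permits "alice", and "mallory" issues rights to herself.
SAMPLE_PDPS = [
    PDP("container", admins=frozenset({"vo-admin"})),
    PDP("vo-admin", accessors=frozenset({"alice"})),
    PDP("mallory", admins=frozenset({"mallory"}), accessors=frozenset({"mallory"})),
]
```

With this policy set, permit-override accepts alice through the chain alice, vo-admin, container and rejects mallory's self-issued permit because no canAdmin grant links her to the owner. Deny-override denies alice on the same set, since the container's own PDP does not list her.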
10
Some interesting GT PDP/PIP
SOAP Parameter PIP
– Most efficient at application level
Resource Properties PDP
– Uses SOAP Parameter PIP
SAML Authorization PDP
XACML Authorization PDP (In Progress)
11
Authorization Policy Management
12
Authorization Policy Management
Currently GridMap files are commonly used
– Identity-based authorization
– Local user account as obligation
Other requirements
– Attribute based authorization for better scalability (roles/groups)
– Fine grained authorization
– Better management interface
13
Community Authorization Service
Fine grained policy engine
– Policy as Tuple
– Entity, Action, Resource
– E.g. Rachana’s DN, read, server1.anl.gov/sandbox/foo
– Internal groups for administration
Management interface via web services and command line
Multiple interfaces for obtaining decision/rights
– SAML Assertions signed by CAS server
Reference: http://dev.globus.org/wiki/CAS/SAML_Utilities
14
CAS: Push via proxy
[Figure: CAS Server (Admin Interface, Query Interface); Administrator; user rights assertion as a signed SAML assertion; Secure Resource (trusts CAS Server) receiving the signed SAML assertion.]
15
CAS: Push via SOAP header
[Figure: CAS Server (Admin Interface, Query Interface); Administrator; signed SAML assertion carried in SOAP headers to the Secure Resource (trusts CAS Server); annotation: can be GridFTP Control Channel.]
16
CAS as AuthZ Service (pull)
[Figure: CAS Server (Admin Interface, Query Interface); Administrator; Secure Resource (trusts CAS Server); signed assertion; decision.]
17
CAS Co-located
[Figure: CAS; Java Interface; Secure Resource; Admin Interface; Administrator.]
18
Other Highlights
Embed key information in Endpoint References (Completed)
– Allows for deployment of user-certs on server
– Easy key-discovery for ephemeral resources
– OGSA Basic Security Profile compliant
OpenSSL upgrade (In progress)
– Version 0.9.8 in 4.0.x
– Uses local OpenSSL in trunk
Signing policy in Java GSI (Planned)
OCSP Support
– OGRO Project
– User requirements?
19
Questions?
20
Security Committee
Goals
– Evaluate and resolve security vulnerabilities prior to making them public
– Potential vulnerabilities: [email protected]
Membership
– Any dev.globus committer
– Subscribed to [email protected]
– Owns vulnerabilities and has voting rights
Lurkers
– Participate in discussions
http://dev.globus.org/wiki/SecurityCommittee/Security_Vulnerability_Handling
21
Security Committee
Membership requires approval
– Majority quorum amongst members
Participating communities
– Receive advance notice of advisory
– TeraGrid, VDT, Condor
Community inclusion request
– Nominated and voted on by members
– GT usage and participation in committee activities