The VEGA Approach to Grid Security
Grid System Software Group,
ICT, CAS
2005-4-11
--Security In VEGA GOS v2
Li ZHA
Outline
- Background of VEGA GOS
- Motivations and Goals
- Security in VEGA GOS
  - VEGA GOS Architecture
  - Grid Security Mechanism
- Key Approaches
  - WS-Security Implementation
  - Agora (VO, Community) Based Authorization
  - Runtime construct (Grip, Grid Process) for secured access to the service
- Hosting Environment and Deployment
- Conclusion and Roadmap
Background of VEGA GOS

Background
- Grid-related research and the VEGA brand at ICT since 1999
- Part of the Grid Software program supported by the China Ministry of Science and Technology 863 program (2002~2005)

Goals
- Support multiple geographically distributed grid nodes (HPC centers)
- Sharing mechanism and framework for computing, data, software and combined resources
- Provide secured, uniform and friendly interfaces for accessing scientific computing and information services

Research
- Focus on 4 key issues and aim at minimal common requirements: Naming, Process/States, VO, Programming
- Focus on implementation architecture, not protocols/services
- Use a computer systems approach, not middleware or network
- Use the SOA concept
Application Scope of VEGA GOS

[Figure: VEGA GOS sits between distributed resources and services and the application domains: science research, manufacturing, resources and environment, weather forecast]
Motivations and Goals -- What is needed

In a grid environment, security should solve or cover:
- Traditional security issues such as authentication, access control, information integrity and information privacy (according to the OSI security architecture)
- Grid authentication: Single Sign-On
- Grid authorization: adapt to loosely coupled or de-coupled architectures; access control decided by the resource owner or provider
- Communication security guarantees: adopt open and standardized protection mechanisms (signature, encryption, etc.)
- All the information separated or put together? How to put them together?
Motivations and Goals -- More concrete
- Integrate security with Web services and VEGA GOS
  - Independent of service implementations (utilizing the handler-chain mechanism at the client and service sides)
  - Conforms to existing security standards: X.509 (for authentication), SAML (for authorization), WS-Security implementation (for a service-oriented security architecture), standard signature and encryption algorithms
- Ensure mutual security at both user and resource sides: user and service MUST both have certificates
- Separate authorization from authentication
  - Token-based authorization (tokens are dynamically issued by the Authorization Authority in the Agora)
  - The GOS context (Agora id, cert/proxy cert and token) is added to each SOAP message when accessing the service
- Keep resources autonomous
  - Implement access control at the resource side with interfaces that can be customized
  - Multiple-granularity access control based on the authorization token
VEGA GOS v2 Architecture (hierarchical)

[Figure: layered architecture diagram. Recoverable components, top to bottom:]
- Grid Portal (servlet-based scalable Grid Portal Engine, application logic by web pages, built-in utility collection, extended utilities), user customized applications and grid apps; User APIs
- App Level Services: Batch Service, Workflow Service, etc.
- System Level Services (extended system services): Information (MetaX) services (MetaDB Service, MetaSys Service, MetaFile Service: naming, file AC mgmt., replica mgmt., meta info mgmt., quota mgmt., etc.); Base Services: CA & Certificates Mgmt. Service, Proxy Cert., Dynamic Deploy Service, System Monitoring Service, Logging & Auditing Service, File Service, Database Service, Messaging Service, GIS Service, Router Service
- Core Level Services: Agora Service (Agora AA, Agora Mgmt., Authorization Engine, Multi-Grained Resource AC Policy Mgmt.; User Mgmt. Engine: acct. authentication, acct. approval, profile, role-based acct. mgmt.; Resource Mgmt. Engine: service addr. and portType mapping, service info mgmt., addr. translation); Grip Service (Grip Container: service invocation, grip ctrl. structure, user interaction, result caching, grip state mgmt.); service locating (global) and service info. mgmt. (local)
- Core APIs / Core Libraries (Grip, Agora, Service Bus, AC Handling, Core Exception Handling); System and Application Libraries (core-based functional APIs and exception handling); Core Exceptions
- GOS Hosting Env.: Java J2SE, J2EE / Microsoft Windows; Tomcat (Apache), WebSphere (IBM), WebLogic (BEA), .NET (Microsoft), GT4 (Globus), OMII
Security Mechanism in VEGA GOS v2

[Figure: message flow. A browser user logs in to the Grid Portal Engine with uid/pass; the portal loads the user's proxy cert into a grip in the Grip Container Service. A grid application uses the user cert (uCert) directly. The proxy cert (u_p) is uploaded to the Agora Service (User Mgmt. Service, Resource Mgmt. Service, AA Service), which issues an authorization token (uTK). Calls to Physical Services carry the proxy cert plus the token (u_p, uTK). The CA issues the user cert.]

Legend: uCert = user cert; u_p = proxy cert; uTK = authorization token
Key Approaches
- WS-Security Implementation
- Agora (VO, Community) Based Authorization
- Runtime construct (Grip, Grid Process) for secured access to the service
WS-Security Implementation
- Handler chain mechanism
  - Sign the SOAP message, add the cert (or proxy cert) and the token
  - Authenticate the caller's and the AAA's identity
  - Implement access control
- GOS context: a common system object storing the Agora id, the cert or proxy cert (with key) and the token in a structured manner
E2E Message Process Flow

SOAP messages travel over SSL/TLS (HTTPS) between the WSClient (client side) and the WebService (server side).

Request flow:
- Client side: SignHandler (with proxy or user cert) · AddGOSContextHandler
- Server side: WSSecurityHandler · GetAttachmentsHandler · VerifyCertsHandler · VerifyTokenHandler · ACHandler

Response flow:
- Server side: SignHandler (with service cert) · AddGOSContextHandler
- Client side: WSSecurityHandler · GetAttachmentsHandler · VerifyCertsHandler · VerifyTokenHandler
Client Request/Service Response SOAP Header

<!-- SOAP begin (SOAP Element) -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <!-- Certs Type -->
    <CertType soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0">
      <Type>cert</Type>
    </CertType>
    <!-- Security Element -->
    <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
        soapenv:actor="" soapenv:mustUnderstand="0">
      <!-- Binary Security Token: this element is used to include a binary-encoded security token -->
      <wsse:BinarySecurityToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/04/utility"
          EncodingType="wsse:Base64Binary" ValueType="wsse:PKIPath"
          wsu:Id="token1112843580450">.........</wsse:BinarySecurityToken>
      <!-- WS-Security Signature -->
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <!-- SignatureValue -->
        <ds:SignatureValue>.........</ds:SignatureValue>
        <!-- KeyInfo indicates the key to be used to validate the signature -->
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
Agora Based Authorization
- Separate authorization from authentication
- The Agora Authorization Authority can dynamically issue tokens according to a trusted resource request
- Flexible authentication at the service side according to handler configurations
- Implement multiple-grained resource access control
  - The token can contain service operations or logical operations
  - The service-side ACHandler implements access control integrated with the local security policy
Agora Internals

[Figure: Agora access control mechanism. An AAA Client talks to the Authorization Authority Service (Tomcat+Axis), which hosts the Authorization Engine (user authentication, resource authorization), AC Policy Mgmt. and Agora Mgmt. The engine reaches the User Mgmt. Service (user name, role, proxy, profile) and the Resource Mgmt. Service (ERes/VRes mapping, PT) through the User Mgmt. and Resource Mgmt. clients and interfaces; each service runs in its own Tomcat+Axis.]
SAML based authorization token

...
<Conditions NotBefore=" " NotOnOrAfter=" ">
  <AudienceRestrictionCondition>
    <!-- extended authorization info, such as info added by the MetaX service -->
    <Audience>FILE PATH to local storage</Audience>
  </AudienceRestrictionCondition>
</Conditions>
<!-- reference information helping the service side implement access control -->
<Advice> ...... </Advice>
<AuthorizationDecisionStatement Decision="Permit"
    Resource="vres://ed3ee2ed0d9ba0085db0fe8df40e8bd9:4b284f96f21f8fde00ba45218c9e8eea">
  <Subject>
    <!-- user DN -->
    <NameIdentifier>O=Grid,OU=GOSTEST,OU=grid.org.cn,OU=linux.ict.ac.cn,CN=usr1</NameIdentifier>
  </Subject>
  <!-- can be logical operations, such as "read" and "write", parsed by the service-side access control mechanism -->
  <Action Namespace="0">ping</Action>
</AuthorizationDecisionStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  ... <!-- signature related info: algorithm, digest and signature value etc. --> ...
</ds:Signature>
...
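The following is an added example, not VEGA GOS code, showing both sides of the Agora token exchange described on this and the preceding slides, and the last step of the server-side handler chain from the E2E flow slide: the Authorization Authority issues a SAML-style AuthorizationDecisionStatement token, and a service-side ACHandler checks it before letting the operation through. Assumptions made here and not taken from the slides: the token's XML signature is replaced by an HMAC with a hypothetical key AA_KEY shared by the AA and the service, so the code runs on the Python standard library alone; the function names issue_token and ac_handler, the LOGICAL_OPS mapping and the audience path /export/gosdata are invented for the example; caller_dn is taken to be the user DN that VerifyCertsHandler already extracted from the certificate that signed the SOAP message.

```python
"""Agora authorization token, both sides: issue at the Authorization Authority
and check in a service-side ACHandler. Added example, not VEGA GOS code.
The token layout follows the SAML AuthorizationDecisionStatement on the slide;
the real XML signature is stood in for by an HMAC over the exact token bytes
with a hypothetical key shared by the AA and the service."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
AA_KEY = b"example-agora-aa-key"  # hypothetical, stands in for the AA signing cert

# Service-side policy (assumed): logical operations named in <Action> map onto
# the concrete service operations they cover.
LOGICAL_OPS = {
    "read": {"list", "stat", "get"},
    "write": {"put", "delete", "mkdir"},
}


class AccessDenied(Exception):
    pass


def _sign(payload: bytes) -> str:
    # No canonicalization needed: the service verifies the exact bytes it received.
    return base64.b64encode(hmac.new(AA_KEY, payload, hashlib.sha256).digest()).decode()


def issue_token(subject_dn, resource, actions, audience, now, lifetime=timedelta(minutes=5)):
    """AA side: a Permit decision for one subject, one VRes and a list of actions."""
    assertion = ET.Element("Assertion")
    cond = ET.SubElement(assertion, "Conditions",
                         NotBefore=now.strftime(TIME_FMT),
                         NotOnOrAfter=(now + lifetime).strftime(TIME_FMT))
    arc = ET.SubElement(cond, "AudienceRestrictionCondition")
    ET.SubElement(arc, "Audience").text = audience
    stmt = ET.SubElement(assertion, "AuthorizationDecisionStatement",
                         Decision="Permit", Resource=resource)
    ET.SubElement(ET.SubElement(stmt, "Subject"), "NameIdentifier").text = subject_dn
    for action in actions:
        ET.SubElement(stmt, "Action", Namespace="0").text = action
    token = ET.tostring(assertion)
    return token, _sign(token)


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def ac_handler(token_xml, signature, caller_dn, target_resource, operation, local_audience, now):
    """Service side; every check fails closed. caller_dn is the DN of the cert
    that signed the SOAP message, so a token cannot be replayed by another caller."""
    if not hmac.compare_digest(_sign(token_xml), signature):
        raise AccessDenied("token signature invalid")
    root = ET.fromstring(token_xml)
    cond = root.find("Conditions")
    if cond is None:
        raise AccessDenied("token has no Conditions")
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise AccessDenied("token outside validity window")
    if local_audience not in [a.text for a in cond.iter("Audience")]:
        raise AccessDenied("token not issued for this audience")
    stmt = root.find("AuthorizationDecisionStatement")
    if stmt is None or stmt.get("Decision") != "Permit":
        raise AccessDenied("no Permit decision")
    if stmt.get("Resource") != target_resource:
        raise AccessDenied("token bound to a different resource")
    if stmt.findtext("Subject/NameIdentifier") != caller_dn:
        raise AccessDenied("token subject does not match authenticated caller")
    granted = {a.text for a in stmt.findall("Action")}
    allowed = set(granted)
    for logical in granted:  # expand logical operations into service operations
        allowed |= LOGICAL_OPS.get(logical, set())
    if operation not in allowed:
        raise AccessDenied("operation %r not covered by token" % operation)
    return True


def demo():
    """One issue/check exchange on constructed inputs; outcomes reported as strings."""
    now = datetime(2005, 4, 11, 8, 0, 0, tzinfo=timezone.utc)
    user_dn = "O=Grid,OU=GOSTEST,OU=grid.org.cn,OU=linux.ict.ac.cn,CN=usr1"
    vres = "vres://ed3ee2ed0d9ba0085db0fe8df40e8bd9:4b284f96f21f8fde00ba45218c9e8eea"
    audience = "/export/gosdata"  # constructed stand-in for "FILE PATH to local storage"
    token, sig = issue_token(user_dn, vres, ["ping", "read"], audience, now)

    def attempt(**override):
        args = dict(token_xml=token, signature=sig, caller_dn=user_dn,
                    target_resource=vres, operation="ping",
                    local_audience=audience, now=now)
        args.update(override)
        try:
            ac_handler(**args)
            return "permit"
        except AccessDenied as exc:
            return "deny: %s" % exc

    return {
        "ping": attempt(),
        "list_via_read": attempt(operation="list"),
        "delete": attempt(operation="delete"),
        "expired": attempt(now=now + timedelta(minutes=10)),
        "other_user": attempt(caller_dn="O=Grid,OU=GOSTEST,CN=usr2"),
        "other_resource": attempt(target_resource="vres://other"),
        "tampered": attempt(token_xml=token.replace(b">ping<", b">delete<")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-15s %s" % (name, outcome))
```

When the caller signed with a proxy cert rather than the user cert, the DN compared against NameIdentifier should be the end-entity user DN recovered from the proxy chain, not the proxy's own subject, which carries an extra CN component; binding the token subject to the authenticated signer is what stops a token lifted from one message from being reused by a different certificate holder, and binding it to one VRes and a short validity window limits what a leaked token is worth.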
Runtime construct (Grip, Grid Process) for secured access to the service
- Dynamically created at runtime in response to user requests
- Simple interfaces (5 in total)
- Keeps some information for reuse: loads and stores the proxy cert, user profile and service address; destroyed when the grip is closed
- Relays the user's invocation requests
- Extends the called service with an asynchronous interface
- Caches the returned result, such as batch job query status
Grip At Runtime

[Figure: grip lifecycle against the Agora Service, the Network of Resource Routers and the Physical Services.]
- create (uid/pass): authentication against the Agora Service; the grip holds uCert_p (proxy cert) and Profile
- bind (ERes name): resource selection and resource authorization; the Agora returns the VRes name, Token and PT; the grip holds uCert_p, Profile, VRes, Token, PT
- invoke: resource locating through the Network of Resource Routers, then service invocation on a Physical Service; the grip holds uCert_p, Profile, VRes, Token, PT, PRes
- ctrl (getResult): return and cache the result; the grip holds uCert_p, Profile, VRes, Token, PT, PRes, Ret
- close: the grip is destroyed
Sample Code Using Grip

```java
// GripClient, UserHandle and GripContainer come from the VEGA GOS core libraries (Grip API).
...
// define the effective resource name
String effective = "eres://agora1:MService";
// create a GripClient object
GripClient testgripclient = new GripClient();
// create a grip with user id, password and the name of the Agora to log in to
UserHandle griphandle = testgripclient.create("usr1", "usr1", "agora1");
// bind the effective resource
int index = testgripclient.bind(effective, griphandle);
// invoke the bound service by resource index and pass the parameters required:
// new Object[] {"/"} are the parameters passed to the actual service,
// GripContainer.M_SYNCHRONIZED is the synchronization flag
Object retvalue = testgripclient.invoke(index, "list",
        new Object[] {"/"},
        GripContainer.M_SYNCHRONIZED, griphandle);
...
// process the return value here
...
// close it, reclaiming the resources used by the grip
testgripclient.close(griphandle);
...
```
VEGA GOS v2 Hosting Environments

[Stack, top to bottom:]
- Grid Portal and Grid Applications
- Core, System and App Level GOS v2 Services
- Grid Portal Engine
- Axis Handlers for Message Level Security
- Tomcat (5.0.28) + Axis (1.2 rc2)
- J2SE (1.4.2_07), J2EE
- OS (Linux/Unix/Windows*)
- Intel or AMD based PC Server (Grid Server)
VEGA GOS v2 Deployment

[Figure: four grid nodes linked to each other and to other grid nodes: Grid Node 1 (Beijing), Grid Node 2 (Shanghai), Grid Node 3 (Xi'an), Grid Node 4 (Changsha). Each node has a Grid Server in front of an HPC Hosting Env. running legacy applications. A Grid CA serves the deployment.]
- Grid Server: Router service, Agora service, Grip service, system and application level services, grid portal based on the Grid Portal Engine (optional)
- Grid Client (dedicated client / grid application client, web browser): general web browser, and/or GOS admin tools, and/or GOS API based grid application
Conclusion
- WS-Security implementation integrated into VEGA GOS
  - Header and attachment: which one is the best place for security info? (my opinion)
  - Implementations are different; how can they be interoperable?
- Agora (VO, Community) based authorization
  - Loosely coupled
  - Multi-grained access control implementation mechanism according to the info carried by the token
  - Adapts to the resource provider side's security mechanism
- Runtime construct (Grip, Grid Process) for secured access to the service
  - Simple and easy to use
VEGA GOS v2 Roadmap

Time schedule
- 2005.3, GOS v2 Alpha (prototype)
- 2005.4, GOS v2 Beta (barely fixed)
- 2005.5, GOS v2 release (includes sample application and full documents)

GOS mailing list: [email protected]
CNGrid: http://www.grid.org.cn/
VEGA: http://vega.ict.ac.cn/

Thanks!