XPOLA — An Extensible Capability-based Authorization Infrastructure for Grids
Liang Fang, Dennis Gannon (Indiana University)
Frank Siebenlist (Argonne National Laboratory)
04/22/23 PKI R&D 05 2
Outline
• The Grid security
• The problems to be solved
• XPOLA
  – Macroscopic view
  – Microscopic view
  – User’s view
• Challenges and future work
• Conclusion
The Grid
Timeline figure (labels only): 1997, pre-Web services era; 2002; 2004; OGSA; (SOAP-based) Web services era.
• Grid service = Web service + OGSA
Grid Security Infrastructure (GSI)
• GSI adopts public key cryptography as the basis for providing the Grid with three main functionalities:
  – Secure communication: SSL, WS-Security
  – Mutual authentication: PKI
  – Delegation: proxy certificate
• Authorization (& authentication):
  – A gatekeeper daemon maps a Grid identity to a local account at run time according to a gridmap file.
  – The Grid identity is then allowed to exercise all of that account’s rights.
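To make the gridmap step concrete, here is an added example (not code from the slides or from Globus) of what the gatekeeper's lookup amounts to: a parser for the gridmap file format, a quoted distinguished name followed by one or more comma-separated local accounts, and a lookup that hands a matching DN its local account. The gridmap contents and DNs are constructed for the example. The point the next slides make is visible in `MapIdentity`: the decision is all-or-nothing per account, with no notion of which service or operation the identity is allowed to use.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// sampleGridmap is a constructed gridmap file in the usual Globus layout:
// a quoted DN, then the local account(s) it maps to. '#' starts a comment.
const sampleGridmap = `# constructed example, not any real site's gridmap
"/C=US/O=Indiana University/CN=Alice Example" alice
"/C=US/O=Indiana University/CN=Bob Example" lead,bob
`

var ErrNotMapped = errors.New("gridmap: identity not mapped to a local account")

// ParseGridmap returns a map from distinguished name to its local accounts.
func ParseGridmap(text string) (map[string][]string, error) {
	m := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("gridmap line %d: DN must be quoted", n)
		}
		end := strings.Index(line[1:], `"`) // closing quote of the DN
		if end < 0 {
			return nil, fmt.Errorf("gridmap line %d: unterminated DN", n)
		}
		dn := line[1 : 1+end]
		rest := strings.TrimSpace(line[2+end:])
		if rest == "" {
			return nil, fmt.Errorf("gridmap line %d: no local account for %q", n, dn)
		}
		m[dn] = strings.Split(rest, ",")
	}
	return m, sc.Err()
}

// MapIdentity is the gatekeeper's run-time decision: a DN present in the map
// gets its first local account, and with it every right that account holds
// on the host; a DN absent from the map gets nothing.
func MapIdentity(m map[string][]string, dn string) (string, error) {
	accounts, ok := m[dn]
	if !ok {
		return "", ErrNotMapped
	}
	return accounts[0], nil
}

func main() {
	m, err := ParseGridmap(sampleGridmap)
	if err != nil {
		panic(err)
	}
	for _, dn := range []string{"/C=US/O=Indiana University/CN=Alice Example", "/C=US/O=Elsewhere/CN=Carol"} {
		acct, err := MapIdentity(m, dn)
		fmt.Printf("%s -> %q (%v)\n", dn, acct, err)
	}
}
```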
A Grid User’s Odyssey
• Alice wants to access a Grid service. Unfortunately, she first has to …
  – Account application
  – Certificate application
  – Grid-map registration
  – (Learn how to) configure her service environment
  – (Learn how to) get her Grid proxy cert ready
  – (Learn how to) manage her X.509 cert
• Finally, time to use the Grid service.
Figure residue: the slide’s diagram attached rough time costs to these steps (~3 days, ~1 wk, ~0.5 day, ~0.5 hr, ~1 day, ~0.5 day); which cost belongs to which step is not recoverable from the text.
The Authorization Problems in Real Grid Applications
• Unscalable in administration and maintenance
  – Host accounts
  – X.509 certificates
• Coarse-grained authorization
  – An authorized user can do much more than access a service
• For example, in the Linked Environments for Atmospheric Discovery (LEAD) project:
  – How to provide authorization to meteorological Grid services running on TeraGrid for THOUSANDS of scientists and grade school students?
  – Only a few privileged UNIX accounts are available.
  – Grid services can be dynamically generated (by workflow engines as well as by individual scientists).
  – Of course, no security breach is acceptable.
Existing Grid Security Solutions to Fine-grained Authorization
• ACL Model
  – Akenti, Shibboleth, PERMIS
• Capability Model
  – CAS, VOMS, PRIMA
• Why we need XPOLA
  – The above do not address general Web/Grid services in compliance with the Web services security specs.
  – With central admins, most of them do not address dynamic services well.
Figures: the ACL model and the capability model, each drawn as a Client, a Resource and an Authority with two numbered steps; and the Access Control Matrix over resources R1, R2, R3, in which Bob holds rights on all three and Alice and Carol each hold a right on a single resource.
XPOLA: The Characteristics
• Principle of Least Authority/Privilege (POLA)-compliant: strictly fine-grained authorization.
• Scalable in administration and maintenance: it is never assumed that the service user has an account on the machines. The infrastructure is built on a peer-to-peer chain-of-trust model. No central administrator is involved.
• WS-Security compliant: conforms to WS-Security for both persistent and transient Web/Grid services.
• Extensible: PKI and SAML-based, but allows other alternatives.
• Dynamic and reusable: Grid resources (Web services and Grid services) are made available to users through manually or automatically generated capabilities, which can be used for multiple requests within their valid lifetimes.
XPOLA: The Big Picture
Figure (architecture diagram; labels only): Service Provider; Service Requester; Capability Manager (Capman) with Persistent Storage and create/update/destroy operations; Registry (EPR of service A, …); Host Token Agent; Community Informative Authority; Processing Stack; SVCA. Flows shown: capability request, capability token, request processing.
XPOLA: Capabilities
• A capability includes:
  – Policy document
    • Bindings of the provider’s distinguished name (DN), as well as the users’ DNs
    • Identifier of the Grid resource
    • Optional: operations of a Web service instance
    • Lifetime (notbefore, notafter)
  – The provider’s signature, generated with his private key
• Security Assertion Markup Language (SAML):
  – Each capability is a set of SAML assertions
  – AuthorizationDecisionStatement
• However, the policy document and the protection mechanism are extensible: XACML, symmetric keys, …
XPOLA: Web Services Security
• Web services security
  – A series of emerging XML-based security standards from W3C and OASIS for SOAP-based Web services, providing authentication, integrity, confidentiality and so on.
• XSOAP conforms to Web services security.
• SOAP binding (figure): a SOAP message with a Header and a Body; the header’s WS-Security section holds the user’s signature and the capability token, which in turn carries the policies (SAML assertions) and the provider’s signature.
XPOLA: Enforcement
Figure (processing pipeline for an arriving SOAP message):
• Authentication processing node: SOAP signature verification. Valid? If not, fault generation.
• Authorization processing node: token verification, asking in turn
  – Token signature valid?
  – Owner/user match?
  – Policy decision?
  – Expired?
  An N on any question leads to fault generation; otherwise the message reaches the application service.
• Other processing nodes follow, and on the way out token insertion and SOAP signature generation produce the dispatched SOAP message.
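The two slides above (the capability's contents and the enforcement chain) are demonstrated end to end in this added example, which is not code from XPOLA or XSOAP. It builds a policy document with the fields the capabilities slide lists, signs it as the provider, and then runs the authorization node's checks in the slide's order: token signature, owner/user match, policy decision, lifetime. Assumptions: Ed25519 over a JSON encoding stands in for the X.509 key and SAML/XML-signature representation the real system uses, the field names are this example's own, and the DNs and resource identifier are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// PolicyDocument holds the bindings the "XPOLA: Capabilities" slide lists.
// Field names and the JSON layout are this example's own, not XPOLA's SAML schema.
type PolicyDocument struct {
	ProviderDN string    `json:"provider_dn"`
	UserDNs    []string  `json:"user_dns"`
	ResourceID string    `json:"resource_id"`
	Operations []string  `json:"operations,omitempty"` // empty means any operation
	NotBefore  time.Time `json:"not_before"`
	NotAfter   time.Time `json:"not_after"`
}

// Capability is the encoded policy document plus the provider's signature over
// exactly those bytes (Ed25519 here, in place of an X.509-keyed XML signature).
type Capability struct {
	Policy    []byte
	Signature []byte
}

// Request is what the authorization node sees after the authentication node has
// verified the SOAP signature: the caller's DN, the target resource and operation.
type Request struct {
	UserDN, ResourceID, Operation string
	Now                           time.Time
}

var (
	ErrTokenSignature = errors.New("capability: token signature invalid")
	ErrOwnerMismatch  = errors.New("capability: token not issued by this service's provider")
	ErrUserMismatch   = errors.New("capability: requester DN not bound in token")
	ErrPolicyDenied   = errors.New("capability: resource or operation not granted")
	ErrOutsideLife    = errors.New("capability: token expired or not yet valid")
)

// Issue is the provider side: encode the policy document and sign it.
func Issue(providerKey ed25519.PrivateKey, p PolicyDocument) (Capability, error) {
	enc, err := json.Marshal(p)
	if err != nil {
		return Capability{}, err
	}
	return Capability{Policy: enc, Signature: ed25519.Sign(providerKey, enc)}, nil
}

// Enforce runs the "XPOLA: Enforcement" checks in the slide's order:
// token signature, owner/user match, policy decision, lifetime.
func Enforce(providerPub ed25519.PublicKey, serviceOwnerDN string, c Capability, r Request) error {
	if !ed25519.Verify(providerPub, c.Policy, c.Signature) {
		return ErrTokenSignature
	}
	var p PolicyDocument
	if err := json.Unmarshal(c.Policy, &p); err != nil {
		return ErrTokenSignature // signed bytes that do not parse are a bad token
	}
	if p.ProviderDN != serviceOwnerDN {
		return ErrOwnerMismatch
	}
	if !contains(p.UserDNs, r.UserDN) {
		return ErrUserMismatch
	}
	if p.ResourceID != r.ResourceID || (len(p.Operations) > 0 && !contains(p.Operations, r.Operation)) {
		return ErrPolicyDenied
	}
	if r.Now.Before(p.NotBefore) || !r.Now.Before(p.NotAfter) {
		return ErrOutsideLife
	}
	return nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	// Constructed DNs and resource id, standing in for what a portal would hold.
	policy := PolicyDocument{ProviderDN: "/O=LEAD/CN=Weather Provider", UserDNs: []string{"/O=LEAD/CN=Alice"},
		ResourceID: "urn:example:weather-service:1", Operations: []string{"runForecast"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour)}
	token, _ := Issue(priv, policy)
	for _, user := range []string{"/O=LEAD/CN=Alice", "/O=LEAD/CN=Bob"} {
		req := Request{UserDN: user, ResourceID: policy.ResourceID, Operation: "runForecast", Now: now}
		fmt.Printf("%s -> %v\n", user, Enforce(pub, policy.ProviderDN, token, req))
	}
}
```

The order matters for the failure modes: the signature is checked before any field of the policy is trusted, so a token whose user list or lifetime was edited after signing fails at the first step rather than being partially believed. Because the capability is self-contained and reusable within its lifetime, the service needs no account for Alice and no central administrator in the loop; it needs only the provider's public key.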
XPOLA: User’s View in Grid Portals
Figure (labels only): a Grid Portal containing a Proxy Manager Portlet, a Capability Manager Portlet and a Weather Service Portlet; a User Context holding the user’s proxy certificate and capability tokens; the User, the Provider and the Weather Service, with proxy certificates and capability tokens flowing between them.
Challenges and Future Work
• Revocation
• Performance and scalability
  – Message-level, session-based communication
  – Load balancing
• Denial of Service (DoS) mitigation
Conclusion
• XPOLA provides a fine-grained authorization infrastructure for general Web and Grid services.
• More than that:
  – It scales
  – Extensible
  – WS-Security compliant
  – Adaptable to dynamic services
  – Reusable
  – User (as well as provider) friendly