Information about JPW Talk AHM2005 MAIN

Published on June 19, 2007

Author: Tarzen


Dynamic Privilege Management Infrastructures Utilising Secure Attribute Exchange
Dr John Watt, Grid Developer, National e-Science Centre, University of Glasgow

Overview:
- DyVOSE Overview
- PERMIS
- Static PMI Implementation
- Shibboleth and the SAAM Module
- Dynamic Delegation
- Future Work

DyVOSE Overview:
- Dynamic Virtual Organisations for e-Science Education (DyVOSE) project
- Two year project started 1st May 2004, funded by JISC
- Exploring advanced authorisation infrastructures for security in the context of education
- University of Kent provide authorisation software (PERMIS) and security expertise
- Applied in the Grid Computing module, part of the advanced MSc at the University of Glasgow
- Will provide insight into rolling out authorisation infrastructures/Grid to the masses
- Exploration of the current state of the art in authorisation infrastructures
- Second phase of work involves NeSC Edinburgh
- Extensions to the existing PERMIS infrastructure to provide dynamic delegation of authority and recognition of authority
- Project website:

DyVOSE Participants:
- Dynamic Virtual Organisations in e-Science Education (DyVOSE) team
- Principal Investigators: Dr Richard Sinnott (NeSC Glasgow), Prof David Chadwick (Kent)
- Implementation: Dr John Watt (NeSC Glasgow), Dr Sassa Otenko (Kent), Mr Tuan Anh Nguyen (Kent), Mr Wensheng Xu (Kent)
- Other Key People Involved: Dr David Berry (NeSC Edinburgh), Dr Sandy Shaw (EDINA) – SDSS/Shibboleth

DyVOSE Workplan Phase 1:
- Looking at applying existing PERMIS technology to establish a static Privilege Management Infrastructure at GU
- Diagram labels: ScotGrid; Authorisation decisions; Authorisation checks; PERMIS based authorisation; Education VO policies; GU Condor pool; Other (known!) Grid resources

DyVOSE Workplan Phase 2/3:
- Diagram labels: ScotGrid; PERMIS based Authorisation checks/decisions; Glasgow Education VO policies; Condor pool; Edinburgh Education VO policies; Shibboleth; Blue Dwarf; Glasgow/Edinburgh; Dynamically established VO resources/users; Delegated VO policies

Authorisation Technologies:
- CAS/VOMS: rights/roles asserted by a centralised server; no interpretation needed at the resource end; flexible at VO level, but no resource level decisions
- Akenti: access control at the resource end (not central), which is desirable; not VO specific
- PERMIS: X509 and SAML

PERMIS:
- PrivilEge and Role Management Infrastructure Standards validation
- X509 Role Based Access Control (RBAC)
- Attribute Certificates hold user roles in LDAP
- XML policy defines the access control
- Java API allows any app to be protected
- Complex policies and multiple Attribute Authorities supported

PERMIS Functionality:
- PERMIS allows you to define roles for who can do what on what
- Policy = { Role x Target x Action }
- Can user X invoke service Y and access or change data Z?
- Policies created with the PERMIS PolicyEditor (output is an XML file)

PERMIS XML Policy:

PERMIS based Authorisation:
- PERMIS Privilege Allocator then used to associate roles with specific users
- Signed policies are stored as attribute certificates in the LDAP server
- Exploiting the GGF AuthZ specification
- Generic way to authorise access to Grid services using SAML callouts
- Based on GT3.3 – the PERMIS Grid service (WSDD) has policy information associated with it
- DN of clients, target and actions checked when attempts are made to invoke services
- 'BRIDGES and DyVOSE only projects exploiting this API right now' (Von Welch at AHM 2004)

Explorations in Grid Course:
- Students applied the Policy Editor to develop a security policy for use in their assignment
- Sorting/searching 'works of Shakespeare' … run on a single PC, … using the training lab Condor pool, … * as a GT3.3/Condor service, … as a GT3.3 service using GSI, to see how authorisation at service level is achieved
- Service should be accessible by themselves and lecturing staff only
- … using * for a GT3.3-PERMIS authorised service, to see how authorisation at method level is achieved
- Students split into groups (Gp1, Gp2)
- Sort method available to their group and lecturers only
- Search method available to all
- Performance aspects investigated throughout…

PERMIS/Globus Issues:
- Long time wrestling with GT3.3-PERMIS integration
- Some delays due to version issues with GT3.3
- Also required some debugging of GT3.3 (commenting out code)
- Continued feedback on PERMIS tools: Policy editor refinements
- Numerous discussions/meetings with the Salford team on sorting out PERMIS-GT3.3 issues
- Certificate dependencies in using PERMIS: expects certificates created using openSSL
- Experience gained for DyVOSE Phase 2…

Slide 14: SSO and Access Control on Web Resources
- Home Institution AUTHENTICATES: recognised across the federation; temporary handle created; releases user attributes to service providers; user can restrict the attribute set released
- Resource Institution AUTHORISES: using attributes passed by the home institution; resource has the final access decision; resource trusts Home to release correct info…
- We have V1.2 operating as part of SDSS…
- Walkthrough provided on the DyVOSE website

Slide 15: Messages are secure, attributes may not be!
- Shibboleth encodes its messages in SAMLv1.1
- But attributes are not digitally signed (plaintext)
- Authz configuration is Apache-based
- Any change to the rules requires a complete restart of the Web Server
- Multiple Attribute Authorities unsupported
- Coarse grained access control function: 'User A with Attribute B can access C'

Slide 16: Could PERMIS resolve these issues?
- Attributes are stored in digitally signed X509 ACs: user attributes are now secure
- PERMIS PMI controls the authorisation: no Shibboleth/Apache restart when rules change
- PERMIS supports multiple Sources of Authority: user may select attributes from more than one AA
- Complex access control policies: conditionals, role hierarchies …again!

The PERMIS SAAM Module:
- Apache module providing an authorisation handling function
- mod_permis loaded BEFORE the Shibboleth module in the Apache configuration file httpd.conf
- Requires alteration of approx 5 files at federation sites
- mod_permis can either collect the ACs from LDAP itself (PULL mode) or be provided the ACs for the decision (PUSH mode)
- 'Development of a Flexible PERMIS Authorisation Module for Shibboleth and Apache Server', D. Chadwick, O. Otenko, W. Xu

The PERMIS SAAM Module:

Dynamic Delegation:
- Static PMI successfully built at Glasgow
- Goal is to build a PMI-based VO between Glasgow and Edinburgh
- Requires provision for Dynamic Delegation of Authority
- Extensions to the PERMIS software will implement this infrastructure
- Two cases will be investigated: Static Delegation (easily done by adding the Edinburgh SOA and Roles to the Policy); Simple Dynamic Delegation (this year's Grid Course…)

Static Delegation:

Simple Dynamic Delegation:

Future Work:
- Implementation of new PERMIS Dynamic Delegation Software: DIS (Delegation Issuing Service); Cross-certification; Role Mapping
- Design of final student use-case to demonstrate dynamic PMI
- Final Report on best practices and methods
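The Grid Course policy described in the slides (sort for the owning group and lecturers only, search for everyone), evaluated as a Role x Target x Action policy with a role hierarchy and a check that each role comes from an attribute certificate signed by the trusted Source of Authority, as an added Python example that is not PERMIS code or part of the original slides; the role names, DNs and target names are assumptions.

```python
# Constructed example of a PERMIS-style RBAC decision over Policy = {Role x Target x Action}
# for the Grid Course scenario on this page; not PERMIS code, all names are assumptions.
from dataclasses import dataclass

TRUSTED_SOA = "cn=DyVOSE SOA,o=University of Glasgow"  # signs the attribute certificates

# Role hierarchy: a superior role holds every permission of its junior roles,
# so lecturers inherit the rights of both student groups.
ROLE_HIERARCHY = {"lecturer": {"gp1", "gp2"}, "gp1": set(), "gp2": set()}

# (role, target, action): sort restricted to the owning group, search open to all groups.
POLICY = {
    ("gp1", "shakespeare/gp1", "sort"),
    ("gp2", "shakespeare/gp2", "sort"),
    ("gp1", "shakespeare/gp1", "search"), ("gp1", "shakespeare/gp2", "search"),
    ("gp2", "shakespeare/gp1", "search"), ("gp2", "shakespeare/gp2", "search"),
}

@dataclass(frozen=True)
class AttributeCertificate:
    holder: str  # DN of the user the role is bound to
    role: str
    issuer: str  # DN of the Source of Authority that signed the AC

def expand_roles(roles):
    """Return the given roles plus every junior role reachable in the hierarchy."""
    effective, pending = set(), list(roles)
    while pending:
        role = pending.pop()
        if role not in effective:
            effective.add(role)
            pending.extend(ROLE_HIERARCHY.get(role, ()))
    return effective

def decide(user_dn, acs, target, action):
    """Allow only if an AC signed by the trusted SOA and bound to user_dn yields a role
    with a matching policy entry; ACs from other issuers or holders are ignored."""
    asserted = {ac.role for ac in acs if ac.issuer == TRUSTED_SOA and ac.holder == user_dn}
    return any((r, target, action) in POLICY for r in expand_roles(asserted))

# Constructed ACs as the Privilege Allocator would issue them, plus one Alice made up
# herself: it names her as lecturer but is not signed by the SOA, so it must not count.
ALICE = "cn=Alice,ou=Gp1,o=University of Glasgow"
LECTURER = "cn=Lecturer,o=University of Glasgow"
ACS = [
    AttributeCertificate(ALICE, "gp1", TRUSTED_SOA),
    AttributeCertificate(LECTURER, "lecturer", TRUSTED_SOA),
    AttributeCertificate(ALICE, "lecturer", ALICE),
]
```

In PUSH mode the client presents the ACs itself, which is why the issuer and holder checks in decide() matter: a presented AC grants nothing unless the trusted SOA signed it for that user.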
