Security OGSA-WG Dec. '03 F2F Meeting @ ANL

Post on 12-Jan-2016


Takuya Mori <moritaku@bx.jp.nec.com>

NEC Corporation

Contents

The specifications in the "OGSA-Sec Roadmap" and status of Working Groups

OGSA Security Services Specifications to be defined

The specifications in the "OGSA-Sec Roadmap" and status of Working Groups

1. Naming
Columns: # | Name | Related Specifications | New Specification / Profile | WG / RG

1-1 OGSA Identity
  Related Specifications: Subject: X.509 DN (RFC2459), Kerberos Names (RFC1510), ...; Resources: GSH (OGSI)
  New Specification / Profile: should it be a part of OGSI or OGSA?
  WG / RG: (OGSI / OGSA), OGSA-AuthZ

1-2 OGSA Target / Action Naming
  Related Specifications: Targets: Grid Services - GSH (OGSI), SDE - SDE Name (OGSI), Arguments - XPath Expressions (need to be defined); Actions: Grid Services - portType and operation name, SDE - access to SDE (query, update and change notification)
  New Specification / Profile: OGSA Authorization Policy Language
  WG / RG: OGSA-AuthZ

1-3 OGSA Attribute and Group Naming
  Related Specifications: SAML Attribute Assertion, X.509 Attribute Certificate (RFC3281), ...
  New Specification / Profile: OGSA Attribute and Authorization Assertion
  WG / RG: OGSA-AuthZ

1-4 Transient Service Identity Acquisition
  Related Specifications: GSH and GSR (OGSI)
  New Specification / Profile: should it be a part of OGSI or OGSA?
  WG / RG: (OGSI / OGSA)

2. Translating between Security Realms
Columns: # | Name | Related Specifications | New Specification / Profile | WG / RG

2-1 Identity Mapping Services
  Related Specifications: WS-Federation / WS-Trust
  WG / RG: (Grid Federation)

2-2 Generic Name Mapping Service
  Related Specifications: WS-Federation / WS-Trust
  WG / RG: (Grid Federation)

2-3 Policy Mapping Service
  Related Specifications: WS-Federation / WS-Trust / WS-Policy
  WG / RG: (Grid Federation)

2-4 Credential Mapping Service
  Related Specifications: WS-Federation / WS-Trust
  WG / RG: (Grid Federation)

Authentication / Session Security / Authorization
Columns: # | Name | Related Specifications | Specification to be defined | WG / RG

3. Authentication Mechanism Agnostic

3-1 Certificate Validation Service Specification
  Related Specifications: XKMS (Authentication Service)
  WG / RG: none

3-2 OGSA-Kerberos Services
  Related Specifications: Kerberos (Authentication Service)
  WG / RG: none

4. Pluggable Session Security

4-1 GSSAPI-SecureConversation
  Related Specifications: WS-SecureConversation, WS-Trust
  Specification to be defined: (A profile for WS-SecureConversation)
  WG / RG: none

5. Pluggable Authorization Service

5-1 OGSA-Authorization Service
  Related Specifications: SAML (Authorization Decision Authority and Assertion)
  Specification to be defined: OGSA-Authorization Service
  WG / RG: OGSA-AuthZ

Authorization, Trust and Privacy Policy Management
Columns: # | Name | Related Specifications | Specification to be defined | WG / RG

6. Authorization Policy Management

6-1 Coarse-grained Authorization Policy Management
  Related Specifications: WS-Policy (, XACML). It will be based on "Policy and Agreements" discussed in OGSA.
  Specification to be defined: Policy and Agreement (OGSA Authorization Policy Language)
  WG / RG: OGSA (OGSA-AuthZ)

6-2 Fine-grained Authorization Policy Management
  Related Specifications: WS-Policy (, XACML). It will be based on "Policy and Agreements" discussed in OGSA.
  Specification to be defined: Policy and Agreement (OGSA Authorization Policy Language)
  WG / RG: OGSA (OGSA-AuthZ)

7. Trust Policy Management

7-1 OGSA Trust Service
  Related Specifications: WS-Policy, WS-Trust. It will be based on "Policy and Agreements" discussed in OGSA.
  WG / RG: none

8. Privacy Policy Management

8-1 Privacy Policy Framework
  Related Specifications: WS-Policy, WS-Privacy. It will be based on "Policy and Agreements" discussed in OGSA.
  WG / RG: none

VO Policy Management / Delegation / Firewall "Friendly"
Columns: # | Name | Related Specifications | Specification to be defined | WG / RG

9. VO Policy Management

9-1 VO Policy Service
  Related Specifications: WS-Policy, WS-Agreement. It will be based on "Policy and Agreements" discussed in OGSA. (VO Management is discussed in OGSA)
  WG / RG: OGSA

10. Delegation

10-1 Identity Assertion Profile
  Related Specifications: SAML Attribute Assertion, X.509 Attribute Certificate, ...
  Specification to be defined: OGSA Attribute and Authorization Assertion
  WG / RG: OGSA-AuthZ

10-2 Capability Assertion Profile
  Related Specifications: SAML Attribute Assertion, X.509 Attribute Certificate, ...
  Specification to be defined: OGSA Attribute and Authorization Assertion
  WG / RG: OGSA-AuthZ

11. Firewall "Friendly"

11-1 OGSA Firewall Interoperability
  Related Specifications: WS-Routing, WS-Referral (not sure)
  WG / RG: none

Security Policy Expression and Exchange / Secure Service Operation / Audit and Secure Logging
Columns: # | Name | Related Specifications | Specification to be defined | WG / RG

12. Security Policy Expression and Exchange

12-1 GSR and SDE Security Policy Decoration
  Related Specifications: WS-Policy (, WS-SecurityPolicy, WS-PolicyAttachment). It may be based on "Policy and Agreements" discussed in OGSA.
  Specification to be defined: OGSA Authorization Policy Language
  WG / RG: OGSA-AuthZ

13. Secure Service Operation

13-1 Secure Service's Policy and Processing
  (not sure about this service)

13-2 Service Data Access Control
  (not sure about this service) (OGSA-AuthZ will take care of the access control issue for SDE)
  Specification to be defined: (OGSA Authorization Policy Language)
  WG / RG: (OGSA-AuthZ)

14. Audit and Secure Logging

14-1 OGSA Audit Service
  Related Specifications: ("Distributed Logging" discussed in OGSA is related to this service)
  WG / RG: Sub-WG in OGSA

14-2 OGSA Audit Policy Management
  Related Specifications: WS-Policy. It will be based on "Policy and Agreements" discussed in OGSA.
  WG / RG: Sub-WG in OGSA

OGSA Security Services

Goal

[Figure: two Virtual Organization diagrams. In the first, Service a sends a service request to Service b, and the exchange is labelled Delegation, Authentication, Authorization and Attribute Assertion. In the second, the same request is drawn on top of the proposed service map below.]

Applications: service request

Federation Services: Identity / Attribute Mapping Service, Policy Mapping Service
VO Management Services: VO Membership Service, VO Policy Service
Security Services: Authentication, Attribute, Authorization, Trust, Privacy, Policy and Agreement, Distributed Logging (spanning Real Organization 1 and Real Organization 2 inside the Virtual Organization)
Underlying Security Layers:
  Session Security (based on WS-SecureConversation)
  Message Security (based on WS-Security)
  Security Policy (QoP) Exchange & Expression

Legend: Described in OGSA / Discussed in OGSA-AuthZ-WG / Missing in OGSA or OGSA-AuthZ

Naming Stuff

Authorization (1)

[Figure: Service a in Real Organization 1 sends a service request to a Grid Service (GS) in Real Organization 2 within the Virtual Organization. The service map shows the Authentication Service, Trust Service and Identity / Attribute Mapping Service, with the labels Identity Credential and Session Security (based on WS-SecureConversation).]

(1) service request
(2) request credential validation to get an identity of the requestor
(3) check for the trust relationship
(4) identity mapping

Authorization (2)

[Figure: the same service map, with a Policy Authority and an Attribute Authority and two Grid Services (GS).]

(1) gets an attribute assertion
(2) service request
(3) asks for an authorization decision
(4) attribute and policy mapping
* Decisions are made based on policies and attributes

[Figure: a further authorization slide (title not recovered) on the same service map, with a Policy Authority and an Attribute Authority.]

Prerequisite: The requestor has been identified
(1) ask for an authorization decision
(2) checks for the VO membership and the policy for the requestor
(3) or check for some local attributes
* Decisions are made based on policies and attributes

VO Security Services

VO Management Services (referred to in subsection 6.2 of the OGSA document)
  VO Membership Service: Manages VO membership (users, resources, authorities, and ...). Issues membership attribute assertions. It means VO Membership Service is a kind of attribute service.
  VO Policy Service: VO-wide policy service (possible policies include authorization policy, trust policy, and privacy policy).

Federation Services (missing parts in the OGSA document)
  Identity / Attribute Mapping Service: Converts identity or attribute assertions of a domain into those of another domain.
  Policy Mapping Service: Converts policies of a domain into those of another domain.

Distributed Logging: Described in subsection 6.13 of the OGSA document.
Policy and Agreement: Described in subsection 6.16 of the OGSA document.
Authorization Service: Discussed in OGSA-AuthZ-WG, but not in the OGSA document.

Security Services
  Attribute Service: (Will be) discussed in OGSA-AuthZ-WG. Not described in the OGSA document now. Issues an attribute assertion that is used for various policy decisions.
  Authentication Service (Credential Validation): Not described in the OGSA document. Validates a credential and identifies a requestor. Support for PKI and Kerberos is mandatory.

Security Services (Contd.)
  Privacy Service: Not described in the OGSA document. Manages privacy policy on both ends. It can be used to declare privacy information usage and to request preferences for privacy information handling.
  Trust Service: Not described in the OGSA document. Manages trust policy (whether or not a party trusts an assertion authority) and makes decisions based on these policies.
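The authorization flow the slides sketch (trust check of the assertion authority, identity/attribute mapping across realms, then a decision made from policies and attributes, with targets named by GSH and actions by portType and operation) as an added toy model; this is example code written for this page, not code from the OGSA working groups, and every realm, subject, GSH and policy rule in it is a constructed, hypothetical value.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeAssertion:
    issuer: str            # attribute authority, e.g. a VO Membership Service
    subject: str           # requestor identity as named in the issuer's realm
    attributes: frozenset  # attribute names as used in the issuer's realm


class TrustService:
    """Trust policy: which assertion authorities does this party trust?"""
    def __init__(self, trusted_issuers):
        self.trusted = set(trusted_issuers)

    def trusts(self, issuer):
        return issuer in self.trusted


class MappingService:
    """Identity / Attribute Mapping: rewrite a foreign realm's names into ours."""
    def __init__(self, subject_map, attribute_map):
        self.subject_map, self.attribute_map = subject_map, attribute_map

    def map_assertion(self, a):
        subject = self.subject_map.get(a.subject, a.subject)
        attrs = frozenset(self.attribute_map.get(x, x) for x in a.attributes)
        return AttributeAssertion(a.issuer, subject, attrs)


class PolicyAuthority:
    """Rules keyed by (target GSH, portType.operation) -> attributes required."""
    def __init__(self, rules):
        self.rules = rules

    def decide(self, assertion, target, action):
        required = self.rules.get((target, action))
        return required is not None and required <= assertion.attributes


def authorize(trust, mapping, policy, assertion, target, action):
    """Returns 'permit' or 'deny: <reason>'; every other branch fails closed."""
    if not trust.trusts(assertion.issuer):       # check for the trust relationship
        return "deny: untrusted assertion authority"
    local = mapping.map_assertion(assertion)     # identity and attribute mapping
    if policy.decide(local, target, action):     # decision from policy + attributes
        return "permit"
    return "deny: policy grants no %s on %s" % (action, target)

# Constructed sample realm data (hypothetical names, not from the roadmap).
TRUST = TrustService({"vo-membership.example-vo"})
MAPPING = MappingService({"CN=alice,O=RealOrg1": "alice@realorg2"}, {"vo:member": "member"})
POLICY = PolicyAuthority({("gsh://realorg2/service-b", "JobPortType.submit"): {"member"}})
ALICE = AttributeAssertion("vo-membership.example-vo", "CN=alice,O=RealOrg1", frozenset({"vo:member"}))
```

An assertion from an issuer the Trust Service does not list is refused before any mapping or policy lookup, and an operation with no rule is refused rather than permitted by default.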

What's Next

- Find out whether the services listed in these slides are enough or not
- Start describing security services in the OGSA document
- Prioritize specifications and activate OGSA-SEC-WG to start discussion

Prioritizing example
  High: VO Management, Authentication, Policy and Agreements
  Middle: Federation Services, Trust
  Low: Privacy

Specifications to be defined

Fundamental Specifications
Columns: # | Name | Related Specifications | Relation to the proposed specs. | WG / RG

OGSI or OGSA (Identity, Identity Acquisition Stuff)
  Related Specifications: Subject: X.509 DN (RFC2459), Kerberos Names (RFC1510), ...; Resources: GSH (OGSI), GSH and GSR (OGSI)
  Relation to the proposed specs.: 1-1, 1-4
  WG / RG: OGSI / OGSA

Message / Session Security (a part of OGSI?)
  Related Specifications: WS-Security / WS-SecureConversation / WS-Trust, XML-DSig, XML-Enc, GSSAPI
  Relation to the proposed specs.: 4-1
  WG / RG: (OGSI)

VO Management (a part of OGSA?)
  Related Specifications: WS-Policy, WS-Agreement. It will be based on "Policy and Agreements" discussed in OGSA.
  Relation to the proposed specs.: 9-1
  WG / RG: OGSA

OGSA Audit Service (or Distributed Logging Service)
  Related Specifications: ("Distributed Logging" discussed in OGSA is related to this service)
  Relation to the proposed specs.: 14-1, 14-2
  WG / RG: (OGSA)

Authentication
Columns: # | Name | Related Specifications | Relation to the proposed specs. | WG / RG

OGSA Authentication (Credential Validation)
  Related Specifications: XKMS, Kerberos
  Relation to the proposed specs.: 3-1, 3-2
  WG / RG: none

OGSA-AuthZ Specifications
Columns: # | Name | Related Specifications | Relation to the proposed specs. | WG / RG

OGSA Authorization Service
  Related Specifications: SAML (Authorization Decision Authority and Assertion)
  Relation to the proposed specs.: 5-1
  WG / RG: OGSA-AuthZ

OGSA Attribute and Authorization Assertion
  Related Specifications: SAML Attribute Assertion, X.509 Attribute Certificate (RFC3281), ...
  Relation to the proposed specs.: 1-3, 10-1, 10-2
  WG / RG: OGSA-AuthZ

OGSA Authorization Policy Language
  Related Specifications: Target: Grid Services - GSH (OGSI), SDE - SDE Name (OGSI), Arguments - XPath Expressions (need to be defined); Action: Grid Services - portType and operation name, SDE - access to SDE (query, update and change notification)
  Relation to the proposed specs.: 1-2, 6-1, 6-2, 12-1, (13-2)
  WG / RG: OGSA-AuthZ

Federation Services
Columns: # | Name | Related Specifications | Relation to the proposed specs. | WG / RG

Identity / Attribute Mapping Service
  Related Specifications: WS-Federation / WS-Trust, SAML
  Relation to the proposed specs.: 2-1, 2-2, 2-4
  WG / RG: (Grid Federation)

Policy Mapping Service
  Related Specifications: WS-Federation / WS-Trust / WS-Policy
  Relation to the proposed specs.: 2-3, 2-4
  WG / RG: (Grid Federation)

Others (will be discussed in the future?)
Columns: # | Name | Related Specifications | Relation to the proposed specs. | WG / RG

OGSA Trust Service
  Related Specifications: WS-Policy, WS-Trust. It will be based on "Policy and Agreements" discussed in OGSA.
  Relation to the proposed specs.: 7-1
  WG / RG: none

OGSA Privacy Service
  Related Specifications: WS-Policy, WS-Privacy. It will be based on "Policy and Agreements" discussed in OGSA.
  Relation to the proposed specs.: 8-1
  WG / RG: none

OGSA Firewall Interoperability
  Related Specifications: WS-Routing, WS-Referral
  Relation to the proposed specs.: 11-1
  WG / RG: none

Secure Service's Policy and Processing
  Related Specifications: (not sure about this service)
  Relation to the proposed specs.: 13-1
  WG / RG: none