Grid Security: What is it? Where is it going? Why? Von Welch [email protected] National Center...
Grid Security: What is it? Where is it going? Why?
National Center for Supercomputing Applications
Globus Alliance
ClusterWorld 2004 Grid Security - Von Welch ([email protected]) 2
Outline
• Some quick terminology
• What is Grid Security?
• Current State of the Art
• OGSA Grid Evolution
• OGSA Security and Web Services Security
• Globus Toolkit Implementation and Futures
Authentication, Authorization, Delegation
• Authentication: proving who you are (e.g. John Doe @ NCSA).
• Authorization: what are you allowed to do?
• Delegation: granting a right to another entity.
Public Key Infrastructure
• Used in almost all Grids today
• Allows two entities to authenticate with minimal cross-organizational support
• Based on asymmetric cryptography: a private and a public key
• The public key is encoded in a certificate by a Certificate Authority (CA)
• The certificate and private key are used to establish identity
Certificates
[Figure: a State of Illinois driver's license (John Doe, 755 E. Woodlawn, Urbana IL 61801; born 08-06-65, male, 6'0", 200 lbs, green eyes; state seal) used as the analogy for a certificate]
• Allow for binding of an identity (John Doe) to a key or person
• Fields: Name, Issuer, Public Key, Signature
Outline: Some quick terminology; What is Grid Security?; Current State of the Art; OGSA Grid Evolution; OGSA Security and Web Services Security; Globus Toolkit Implementation and Futures
Grid Security's goal is to support the virtual organization.
[Figure: Sites A, B, C and D each contributing to one Virtual Organization (VO)]
Example: NSF TeraGrid
[Figure: a second example VO (FY 2005 – FY 2014): field equipment, laboratory equipment, instrumented structures and sites, remote users (K-12 faculty and students), high-performance network(s), leading-edge computation, curated data repository, simulation tools repository, global connections]
Controlled Resource Sharing
[Figure: a Compute Center shares resources with the HEP VO, Chem Eng VO and BIO VO under per-VO limits such as "5pm-9am only", "20 Tflops per month max", "100 Tbytes max" and "20 Mbytes/sec max"]
Globally:
• User must agree to AUP
• User must use strong authentication
Grid Authorization "Flow"
[Figure: delegation chain VO → User → Process → Resource. The resource delegates to the VO: "VO may use 50% of cycles". The VO delegates to the user: "Jane may use 1000 cycles". Jane delegates to her process: "Job X may use 100 cycles".]
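The delegation chain in the flow above has one property a resource must enforce: nobody can hand out more than it was given. The following is an added example (not code from the talk or the Globus Toolkit) that models the chain Resource → VO (50%) → Jane (1000) → Job X (100) and rejects links issued by a non-holder or over-committing a budget; all entity names and cycle counts are constructed.

```python
"""Delegation-chain check for the Grid authorization flow (added example).

Each link hands a right (here a cycle budget) from a delegator to a delegatee.
The chain is valid only if every delegator actually holds what it hands out and
never grants more, in total, than it received."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Delegation:
    delegator: str   # entity granting the right
    delegatee: str   # entity receiving it
    cycles: int      # cycles granted (absolute)


def vo_share(resource_cycles: int, percent: int) -> int:
    """'VO may use 50% of cycles' expressed as an absolute budget."""
    return resource_cycles * percent // 100


def budgets(root: str, root_cycles: int, chain: List[Delegation]) -> Optional[Dict[str, int]]:
    """Walk delegations in issuing order and return each entity's budget, or None
    if a link is issued by a non-holder, re-grants to an existing holder, or the
    sum of a delegator's grants exceeds what that delegator holds."""
    budget = {root: root_cycles}
    handed_out: Dict[str, int] = {}
    for d in chain:
        if d.delegator not in budget:
            return None          # delegator never received this right
        if d.delegatee in budget or d.cycles < 0:
            return None          # no double grants, no negative grants
        handed_out[d.delegator] = handed_out.get(d.delegator, 0) + d.cycles
        if handed_out[d.delegator] > budget[d.delegator]:
            return None          # delegator tried to give away more than it holds
        budget[d.delegatee] = d.cycles
    return budget


def job_budget(root: str, root_cycles: int, chain: List[Delegation], job: str) -> Optional[int]:
    """Cycles `job` may use at the resource, or None if its chain does not check out."""
    b = budgets(root, root_cycles, chain)
    return None if b is None or job not in b else b[job]


# Constructed data matching the slide: Resource -> VO (50%) -> Jane (1000) -> Job X (100)
RESOURCE_CYCLES = 20_000
GOOD_CHAIN = [
    Delegation("ComputeCenter", "VO", vo_share(RESOURCE_CYCLES, 50)),   # 10_000 cycles
    Delegation("VO", "Jane", 1_000),
    Delegation("Jane", "Job X", 100),
]
# Jane tries to give Job X more than the 1000 cycles she holds
OVER_CHAIN = GOOD_CHAIN[:2] + [Delegation("Jane", "Job X", 2_000)]
# The VO's grants (1000 + 9500) add up to more than its 10_000 share
OVERCOMMIT_CHAIN = GOOD_CHAIN[:2] + [Delegation("VO", "Bob", 9_500), Delegation("Jane", "Job X", 100)]
```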
So, what are the challenges?
• Resources being used may be valuable and the problems being solved sensitive; both users and resources need to be careful
• VOs aren't static: large, dynamic, unpredictable…
• VO resources and users are often located in distinct administrative domains
  • Can't assume cross-organizational trust agreements
  • Different mechanisms, trust roots and credentials: X.509 vs Kerberos, different CAs, X.509 attribute certs vs SAML assertions
More challenges…
• Interactions are not just client/server, but service-to-service on behalf of the user
  • Requires delegation of rights by the user to the service
  • Services may be dynamically instantiated
• Standardization of interfaces to allow for discovery, negotiation and use
• Implementation must be broadly available and applicable: standard, well-tested, well-understood protocols, integrated with a wide variety of tools
• Policy from sites, VO and users needs to be combined; varying formats: SAML, XACML, local custom, etc.
• Want to hide as much as possible from applications!
Outline: Some quick terminology; What is Grid Security?; Current State of the Art; OGSA Grid Evolution; OGSA Security and Web Services Security; Globus Toolkit Implementation and Futures
Grid Security Infrastructure (GSI)
• Open source libraries, tools and standards which provide the security functionality of the Globus Toolkit
• Provides for cross-organizational: authentication, message protection, authorization, single sign-on
GSI Stack (built up layer by layer: PKI (Certs, CAs) → SSL → X.509 Proxy Certificates → Grid-Mapfile)
PKI (Certs, CAs)
• GSI uses a standard PKI for identity certificates.
• Each entity (user, service) has an X.509 certificate from a CA that uniquely names it.
SSL
• SSL, using the certificates, is used as the network protocol
• Performs authentication, like in the web, but of the client as well as the server
• Also provides message protection as needed (integrity, encryption)
X.509 Proxy Certificates
• X.509 Proxy Certificates are our extension
• Standardized in IETF (pkix)
• Allow for dynamic delegation
Grid-Mapfile
• Grid-Mapfile maps Grid users (identified by certificates) to local users (e.g. Unix account)
• Allows authorization using normal local methods (e.g. filesystem perms, quotas)
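To show how the top two layers of the stack fit together, here is an added example (not Globus code) that validates a proxy certificate chain and then maps the resulting Grid identity to a local account with a grid-mapfile. Certificates are modelled as plain records and signature checks are assumed to have been done by the SSL layer; the CA name, DNs, account names and validity integers are constructed.

```python
"""Proxy-certificate chain check plus grid-mapfile lookup (added example).

A proxy must really descend from the identity certificate: its subject is the
issuer's subject plus exactly one CN component (the RFC 3820 naming rule), and
its validity must lie inside the issuer's.  Only then is the identity DN at the
bottom of the chain looked up in the grid-mapfile."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str      # DN in OpenSSL one-line form, e.g. /C=US/O=NCSA/CN=John Doe
    issuer: str
    not_before: int   # constructed time stamps
    not_after: int


def is_proxy_of(proxy: Cert, parent: Cert) -> bool:
    """True if `proxy` is a well-formed proxy issued by `parent`."""
    if proxy.issuer != parent.subject:
        return False
    prefix = parent.subject + "/CN="
    tail = proxy.subject[len(prefix):]
    if not proxy.subject.startswith(prefix) or not tail or "/" in tail:
        return False      # must append exactly one CN component to the issuer's DN
    return parent.not_before <= proxy.not_before and proxy.not_after <= parent.not_after


def end_entity_dn(chain: List[Cert], trusted_ca: str) -> Optional[str]:
    """chain is leaf-first: [proxy_n, ..., proxy_1, identity].  Returns the identity
    DN the grid-mapfile keys on, or None if any link is malformed."""
    if not chain or chain[-1].issuer != trusted_ca:
        return None
    for child, parent in zip(chain, chain[1:]):
        if not is_proxy_of(child, parent):
            return None
    return chain[-1].subject


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Lines look like:  "/C=US/O=NCSA/CN=John Doe" jdoe,jdoe2   (first account is the default)."""
    mapping: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 2:
            mapping[parts[0]] = parts[1].split(",")
    return mapping


def local_account(chain: List[Cert], trusted_ca: str, gridmap: Dict[str, List[str]]) -> Optional[str]:
    dn = end_entity_dn(chain, trusted_ca)
    return gridmap[dn][0] if dn in gridmap else None


# Constructed data
CA = "/C=US/O=NCSA/CN=Example Grid CA"
JOHN = Cert("/C=US/O=NCSA/CN=John Doe", CA, 100, 10_000)
PROXY1 = Cert(JOHN.subject + "/CN=proxy", JOHN.subject, 200, 800)
PROXY2 = Cert(PROXY1.subject + "/CN=proxy", PROXY1.subject, 300, 700)
IMPOSTOR = Cert("/C=US/O=NCSA/CN=Jane Roe", PROXY1.subject, 300, 700)  # proxy naming rule fails
GRIDMAP = '"/C=US/O=NCSA/CN=John Doe" jdoe,johnd\n# comment\n"/C=US/O=NCSA/CN=Jane Roe" jroe\n'
```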
GSI-Enabled Coordination
[Figure: Sites A, B and C coordinated by passing a proxy certificate between them]
• Allows for a standard authentication method
• Allows for delegation to allow for coordinated resource usage.
Grid Security Services
• How does a site with an existing sophisticated security infrastructure leverage that for Grids? E.g. Kerberos
• How do I carry X.509 credentials around with me? How do I use them with non-GSI aware applications? E.g. Web portals?
• How does a VO manage the resources contributed to it?
Kerberos CA: Grid access from Krb5
[Figure: a Kerberos user presents a Krb5 ticket to the KCA, which issues an X.509 certificate using Krb5-to-Grid ID mappings; the user then uses GSI to reach Grid site resources]
• Allows use of Kerberos credentials to get on the Grid
• In use at FNAL, USC
MyProxy Credential Wallet
[Figure: a user authenticates to MyProxy with a username/password, either directly or through a web server, to obtain credentials for the Grid]
• Allows users to acquire Grid credentials from username/password
• Enables mobility and use of non-GSI aware applications
Community Authorization Service (CAS)
• Resources are contributed to the VO from a number of sites
• The VO decides how its users can use those resources.
• Flow: the VO user requests access from CAS; CAS gives the user an assertion granting access; the user presents the assertion to the resource to gain access
• CAS allows a VO to set fine-grain access policy on its resources
Outline: Some quick terminology; What is Grid Security?; Current State of the Art; OGSA Grid Evolution; OGSA Security and Web Services Security; Globus Toolkit Implementation and Futures
Grid Evolution: Open Grid Services Architecture
Goals:
• Refactor the Globus protocol suite to enable a common base and expose key capabilities
• Service orientation to virtualize resources and unify resources/services/information
• Embrace key Web services technologies for standard IDL, leverage commercial efforts
• Result = standard interfaces and behaviors for distributed system management: the Grid service
• Standardization within Global Grid Forum and OASIS
• Open source and commercial implementations
The Grid Service
[Figure: an application, its interface, and the hosting environment it runs in]
Interface:
• Use WSDL to advertise the interface
• WS-Policy to advertise security requirements (Krb5, GSI, etc.)
• Allow for automated discovery and binding
Hosting Environment:
• Hosting environment handles messages including authentication, message protection, authorization, etc.
• Allows the app developer to focus on app-specific logic.
Based on Standards
• Web Services: SOAP, WSDL
• Extensions (follow-on to OGSI): WSRF
  • Lifetime control
  • WS-ResourceProperties: expose state
  • WS-Notification, WS-ServiceGroup, WS-RenewableReference
Outline: Some quick terminology; What is Grid Security?; Current State of the Art; OGSA Grid Evolution; OGSA Security and Web Services Security; Globus Toolkit Implementation and Futures
Leverage existing/emerging Security Standards
• WS-Security/Policy/Trust/Federation/Authorization/SecureConversation/Privacy
• XKMS, XML-Signature/Encryption, SAML, XACML, XrML
• But…
  • Need to OGSA'fy
  • Need to define profile/mechanisms
  • Need to define naming conventions
  • Need to address late/missing specs
  • Support for delegation, transient services
WS Security: Current/proposed WSS specs
[Figure: a stack on the SOAP Foundation: WS-Security at the base; above it WS-Policy, WS-Trust and WS-Privacy; above those WS-SecureConversation, WS-Federation and WS-Authorization. Legend: proposed / in progress / promised]
Current/proposed specs: building on the SOAP Foundation
• WS-Security (today): describes SOAP extensions for secure messaging, provides the foundation for the other building blocks
• WS-Policy (today): how to express capabilities and constraints of security policies. Along with WS-SecurityPolicy, WS-PolicyAsserts, WS-PolicyAttachment
• WS-Trust (today): describes the model for establishing both direct and brokered trust relationships (including third parties and intermediaries)
• WS-SecureConversation (today): how to manage and authenticate message exchanges between parties, including security context exchange and establishing and deriving session keys
• WS-Privacy (planned): will be a model for how users state privacy preferences, and for how Web services state and implement privacy practices
• WS-Federation (planned): will describe how to manage and broker the trust relationships in a heterogeneous federated environment, including support for federated identities
• WS-Authorization (planned): will define how Web services manage authorization data and policies
Other Standards
• SAML looks good for assertions
• XACML as the language for policy exchange?
  • But they don't fit nicely together (NASA work). SAML 2.0 will hopefully help.
  • XACML delegation of rights?
• XrML: another policy language
• Liberty Alliance: federated identity like WS-Federation
WS Security (Confusing Picture)
[Figure: the same WSS stack on the SOAP Foundation (WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-SecureConversation, WS-Federation, WS-Authorization; legend proposed / in progress / promised) with Liberty Alliance, SAML, XACML and XrML drawn alongside it]
How does all this fit into Grids?
• WS-Policy/XACML/XrML for expressing security constraints
  • What credentials (Kerberos, GSI) are accepted and preferred
  • Encryption supported? Required? Rejected?
• WS-Authorization/XACML/XrML for managing authorization data, e.g. in CAS
• WS-Privacy (?) for managing privacy
OGSA Security Roadmap
Goal: address the Grid Security Architecture requirements
• Make implementations possible
• Address interoperability
• Address pluggability/replaceability
• Address missing/late/insufficient standards
"OGSA Security Roadmap" submitted to GGF, co-authored with IBM
OGSA Security
• Security implemented by pluggable security services, usable by clients and services
• Allows for a more agnostic approach to security mechanisms: as implementations are created for a mechanism they can be plugged into existing tools to enable use.
• Applications and services can examine published security policies and convert/acquire credentials as needed
Remove Security from Applications
• Allow deployment-time selection of supported mechanisms and policies
• OGSA resource virtualization allows for policy on application-independent operation invocation
• Place as much security functionality as possible into sophisticated hosting environments
Transparent Call-outs from WS-Stubs
[Figure: a requestor application and a service provider application communicate through WS-Stubs over a secure conversation. The stubs transparently call out to security services hosted in the requestor's domain, the VO domain and the service provider's domain: credential validation, authorization, attribute, trust, privacy, audit/secure-logging and bridge/translation services]
Outline: Some quick terminology; What is Grid Security?; Current State of the Art; OGSA Grid Evolution; OGSA Security and Web Services Security; Globus Toolkit Implementation and Futures
What's actually in GT3?
• SOAP-based wire protocol
• WS-Security (XML-Signature, XML-Encryption) for authentication, message protection
• GSI-SecureConversation
  • Based on GT2's TLS/GSSAPI implementation
  • Based on a poor-man's "interpretation" of the WS-Trust/WS-SecureConversation specs plus XML-Signature/XML-Encryption/WS-Security
  • Waiting for the WS-Trust, WS-SecureConversation and WS-Kerberos specs to be submitted to a standards body
What's Actually in GT3?
• SAML assertions in Community Authorization Service (GT 3.2): allow VOs to set and distribute policy on file access
• Standardized Proxy Certificates
• Java and C implementations; Java based on Axis with security implemented in handlers
GT Security Futures (1)
• Authorization is "KEY" for the coming year
  • Includes communicating/sharing/matching of authz policies and capabilities
  • Profiles for attributes
  • Standards for authorization services: GGF OGSA Authorization WG
• Restricted delegation: by service and operation; by "domains"
GT Security Futures (2)
• Securely route through firewalls/network hurdles: tackle the firewall/NAT traversal issues transparently in the runtime
• Integration of group authentication/key-exchange protocols: going from 2 parties to N parties should be "seamless"
• Secure logging and audit: another undefined, unstandardized missing link… while the requirements are there!
Conclusion
• Grid's requirements may be a few years ahead, but industry will face the same challenges soon; few "new" distributed computing requirements…
• Our security requirements are conceptually 1-2 levels above what is available now as specifications, standards and open source. Ideally, we want to be end-users of WSS, not plumbers…
• The standards circus is very worrisome, and distracting and time consuming…
• Come help us at the Global Grid Forum: exciting security stuff! We need your help… (www.ggf.org)
• Play with the Globus Toolkit (GT3.2): downloaded 100k+ times already (www.globus.org)
Thanks
Many colleagues at Argonne, NCSA, ISI and PDC: Frank Siebenlist, Sam Meder, Olle Mulmo, Laura Pearlman, Jarek Gawor, Jim Basney, Steve Tuecke, Ian Foster, Carl Kesselman, Rachana Ananthakrishnan and many others.
Funding from DOE, NSF and IBM
Questions?