Trust and Security for Next Generation Grids, www.gridtrust.eu

Page 1: Implementing UCON with XACML for Grid Services

Bruno Crispo

Vrije Universiteit Amsterdam

OGF-25-Tutorial

[email protected]

Page 2: Table of Contents

• UCON in GridTrust

• eXtensible Access Control Markup Language (XACML): the language and its run-time support

• How we implemented it in GridTrust

• Limitations and extensions: multilateralism, performance

Page 3: From Access Control to Usage Control

[Figure: the traditional access control model. Subjects exercise Rights on Objects; the Usage Decision is based on Authorizations and Conditions.]

Page 4: From Access Control to Usage Control

[Figure: the UCON model. Subjects and Objects carry Attributes; the Usage Decision on Rights is driven by Authorizations, oBligations and Conditions.]

Page 5: Policy Examples

• Access control policies

Silver users can use the service from 8:00 am till 8:00 pm

Managers can read and write Purchase Orders of the whole Sales Department, while Accountants can only write their own P.O.

Users from Server A can run any experiment that uses at most 10 GB of disk and 1 GB of RAM

Page 6: Policy Examples

• Usage control policies

Silver users can use the service only 5 times from 8:00 am till 8:00 pm (history based)

The SendOrder service can be invoked only after the Log service has been successfully invoked (workflow based)

All mails sent outside the company must be encrypted (obligation)

All data related to a customer must be deleted when its account is deleted (obligation)

Users from Server A can run any experiment that uses at most 10 GB of disk and 1 GB of RAM (continuous monitoring)

Page 7: Policy Examples

• DRM policies

(Pay Per Use) The cost to see this movie is $4.00

(Metered Payment) The cost to see this movie is 1¢/minute

(Play n times) You can see this movie at most 10 times

Page 8: GridTrust Model

Page 9: Components

[Figure: users and service providers, a PKI, the GridTrust Services (TRS, SRB, VBE Manager), C-UCON, the ENFORCER and the VO Library.]

Page 10: Virtual Breeding Environment

[Figure: the Virtual Breeding Environment, with the VBE Manager and the PKI.]

Page 11: User & SP Registration to a VBE

[Figure: VBE Manager, PKI and SRB.]

• A Virtual Breeding Environment is formed by users and different types of services.

• A VBE manager regulates the subscription of services and users to the VBE.

Page 12: VO: Virtual Organizations

[Figure: VBE Manager, PKI, VO Manager and SRB.]

• Any user (the VO Owner) may initiate the creation of a VO by looking for the service providers she needs.

Page 13: VO: Virtual Organizations

[Figure: VBE Manager, PKI, VO Manager, VO and SRB.]

• The search and join is driven by service functionality and by security policy

• UCON policies at this level are written in XACML

• The Service Resource Broker implements a match-maker for XACML policies

Page 14: SRB: Secure Resource Broker Service

• Service to match the security policy required by the VO with the policies exposed by service providers

• Supports XACML as the policy language

• Supports policy integration algorithms

Page 15: VO: Virtual Organizations

[Figure: C-UCON, VBE Manager, PKI, VO Manager, VO and SRB.]

• Users can register to use the VO. The registration also considers the security policies of both the VO and the user

• Support for UCON policies

Page 16: Enforcer

• A component used by the VO; optionally it can also be a third-party service

• Implements the UCON policy at VO level, e.g. Service1 can be invoked only after Service2 has been invoked

Page 17: VO Usage

[Figure: a VO user's Application, the ENFORCER, and Service1, Service2 and Service3 inside the VO, within the Virtual Breeding Environment.]

Page 18: eXtensible Access Control Markup Language (XACML)

• XML-based access control language

• Simple syntax, strong expressivity

• OASIS standard

• Widely adopted both in industry and academia

• Many implementations (both open source and proprietary)

Page 19: XACML History

• First meeting: 21 May 2001

• Requirements from: healthcare, DRM, online web, XML documents, federal government, workflow, ...

• XACML 1.0: OASIS Standard, 6 February 2003

• XACML 1.1: Committee Specification, 7 August 2003

• XACML 2.0: approved February 2005

• XACML 3.0 Core Specification under review

Page 20: Goals

• Define a core XML schema for representing authorization and entitlement policies

• Target: any object, referenced using XML

• Fine-grained access control

• Consistent with and building upon SAML

Page 21: XACML – Key Aspects

• General-purpose authorization policy model and XML-based specification language

• Input/output to the XACML policy processor is clearly defined as the XACML context data structure

• Extension points: function, identifier, data type, rule-combining algorithm, policy-combining algorithm, etc.

• A policy consists of multiple rules

• A set of policies is combined by a higher-level policy (PolicySet element)

Page 22: XACML Syntax

[Class diagram: a Policy has exactly one Target (made of Subject, Resource and Action parts), one Rule Combining Algorithm and one or more Rules; each Rule has an Effect, an optional Target and an optional (0..1) Condition.]

Page 23: XACML Example

Subject = [email protected]
Resource = VideoServer
Action = login
Effect = Permit
Condition = time > 08h00 and time < 17h00
Policy = UsersRegs
Rule Combining Algorithm = Deny-Overrides
PolicySet = Multimedia

“the user [email protected] can login on a Video Server in the period between 08:00 AM and 05:00 PM”
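The page-23 example written out in XACML 2.0 syntax, together with a minimal evaluator for it, as an added Python example that is not code from the slides or from any XACML implementation. The Policy carries the Target (Subject, Resource and Action matches), the single Rule with its Effect, and a Condition on the environment's current-time; the evaluator walks that structure the way the class diagram on page 22 describes it and returns one of the four XACML decisions. Assumed: the subject id user@example.org stands in for the e-mail address elided on the page, the rule id is invented, and the 08:00 to 17:00 bounds are inclusive, as XACML's time-in-range is:

```python
# Added example, not code from the slides or from any XACML implementation.
# Assumed: subject id user@example.org (the page elides the address), rule id.
import xml.etree.ElementTree as ET
from datetime import time

XNS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XNS}
FN = "urn:oasis:names:tc:xacml:"
XS = "http://www.w3.org/2001/XMLSchema#"

POLICY_XML = f"""<Policy xmlns="{XNS}" PolicyId="UsersRegs"
    RuleCombiningAlgId="{FN}1.0:rule-combining-algorithm:deny-overrides">
  <Target>
    <Subjects><Subject><SubjectMatch MatchId="{FN}1.0:function:string-equal">
      <AttributeValue DataType="{XS}string">user@example.org</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{FN}1.0:subject:subject-id" DataType="{XS}string"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{FN}1.0:function:string-equal">
      <AttributeValue DataType="{XS}string">VideoServer</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{FN}1.0:resource:resource-id" DataType="{XS}string"/>
    </ResourceMatch></Resource></Resources>
    <Actions><Action><ActionMatch MatchId="{FN}1.0:function:string-equal">
      <AttributeValue DataType="{XS}string">login</AttributeValue>
      <ActionAttributeDesignator AttributeId="{FN}1.0:action:action-id" DataType="{XS}string"/>
    </ActionMatch></Action></Actions>
  </Target>
  <Rule RuleId="login-office-hours" Effect="Permit">
    <Condition><Apply FunctionId="{FN}2.0:function:time-in-range">
      <Apply FunctionId="{FN}1.0:function:time-one-and-only">
        <EnvironmentAttributeDesignator AttributeId="{FN}1.0:environment:current-time" DataType="{XS}time"/>
      </Apply>
      <AttributeValue DataType="{XS}time">08:00:00</AttributeValue>
      <AttributeValue DataType="{XS}time">17:00:00</AttributeValue>
    </Apply></Condition>
  </Rule>
</Policy>"""


def one_and_only(bag):
    if len(bag) != 1:
        raise ValueError(f"time-one-and-only on a bag of size {len(bag)}")
    return bag[0]

FUNCTIONS = {
    FN + "1.0:function:string-equal": lambda a, b: a == b,
    FN + "1.0:function:time-one-and-only": one_and_only,
    FN + "2.0:function:time-in-range": lambda t, lo, hi: lo <= t <= hi,
}
CATEGORY = {c + "AttributeDesignator": c.lower() for c in ("Subject", "Resource", "Action", "Environment")}

def typed(datatype, text):
    return time.fromisoformat(text) if datatype.endswith("#time") else text

def evaluate_expr(elem, ctx):
    """AttributeValue -> value; designator -> bag of values from the request
    context; Apply -> FunctionId applied to its evaluated children."""
    tag = elem.tag.split("}")[1]
    if tag == "AttributeValue":
        return typed(elem.get("DataType"), elem.text.strip())
    if tag in CATEGORY:
        raw = ctx.get(CATEGORY[tag], {}).get(elem.get("AttributeId"), [])
        return [typed(elem.get("DataType"), v) for v in raw]
    if tag == "Apply":
        return FUNCTIONS[elem.get("FunctionId")](*[evaluate_expr(c, ctx) for c in elem])
    raise ValueError("unsupported element " + tag)

def target_matches(target, ctx):
    """Subjects/Resources/Actions are ANDed; entries inside each are ORed;
    the matches inside one entry are ANDed. A missing section matches anything."""
    if target is None:
        return True
    for section in ("Subjects", "Resources", "Actions"):
        group = target.find("x:" + section, NS)
        if group is not None and not any(
                all(any(FUNCTIONS[m.get("MatchId")](evaluate_expr(m[0], ctx), v)
                        for v in evaluate_expr(m[1], ctx)) for m in entry)
                for entry in group):
            return False
    return True

def evaluate_policy(policy_xml: str, ctx: dict) -> str:
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), ctx):
        return "NotApplicable"
    decisions = []
    for rule in policy.findall("x:Rule", NS):
        cond = rule.find("x:Condition", NS)
        try:
            if target_matches(rule.find("x:Target", NS), ctx) and (
                    cond is None or evaluate_expr(cond[0], ctx)):
                decisions.append(rule.get("Effect"))
        except (ValueError, KeyError, IndexError):   # e.g. current-time absent
            decisions.append("Indeterminate")
    for d in ("Deny", "Permit", "Indeterminate"):    # deny-overrides, simplified
        if d in decisions:
            return d
    return "NotApplicable"

def decide(subject: str, resource: str, action: str, current_time: str = None) -> str:
    """Request context keyed by category and standard XACML attribute id."""
    ctx = {"subject": {FN + "1.0:subject:subject-id": [subject]},
           "resource": {FN + "1.0:resource:resource-id": [resource]},
           "action": {FN + "1.0:action:action-id": [action]},
           "environment": {FN + "1.0:environment:current-time": [current_time]} if current_time else {}}
    return evaluate_policy(POLICY_XML, ctx)
```

The Indeterminate case is the one a PEP author should note: a request that omits current-time makes time-one-and-only fail, the rule becomes Indeterminate, and the policy returns Indeterminate rather than NotApplicable, so the PEP must treat it as a refusal.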

Page 24: XACML Schemas

Policy schema:
  PolicySet (combining algorithm)
    Policy* (combining algorithm)
      Target: Subject*, Resource*, Action*, Environment
      Rule* (Effect): Target, Effect, Condition
      Obligation*

Request schema:
  Request: Subject, Resource, Action

Response schema:
  Response: Decision, one of
  • Permit
  • Permit with Obligations
  • Deny
  • NotApplicable (N/A)
  • Indeterminate

Page 25: XACML Combination Algorithms

• Both at policy level and at rule level

• Used to compute the decision result in case of policies/rules with conflicting effects

• rule: <target><cond1 .. condn><effect>

rule1: <any user, read, file1> <in-range-time 8-20> <deny>
rule2: <john, read, file1> <in-range-time 10-12> <permit>

• Permit-Overrides: John can access. Deny-Overrides: John can't.
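The two rules above under each of the four combining algorithms, as an added Python example that is not part of the slides or of Sun XACML. It models a rule as target, conditions and effect and implements the XACML 2.0 rule-combining pseudo-code, including how an Indeterminate rule (here: a request that carries no time attribute) is handled. The attribute names (subject, action, resource, hour) and the request dictionaries are this example's own:

```python
# Added example, not code from the slides or from Sun XACML: a miniature rule
# model with the four rule-combining algorithms named on these slides, run on
# rule1 and rule2 above. Attribute names (subject, action, resource, hour) are
# this example's own.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"
Request = Dict[str, object]


@dataclass
class Rule:
    """rule: <target><cond1..condn><effect>, as on the slide."""
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target: Dict[str, object]                     # attribute -> value, "*" = any
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, req: Request) -> str:
        for attr, wanted in self.target.items():
            if wanted != "*" and req.get(attr) != wanted:
                return NA
        if self.condition is None:
            return self.effect
        try:
            return self.effect if self.condition(req) else NA
        except (KeyError, TypeError):             # attribute missing: cannot decide
            return INDET


def _overrides(rules: List[Rule], req: Request, winner: str, other: str) -> str:
    """XACML 2.0 deny-/permit-overrides, parametrised on the winning effect.
    An Indeterminate rule whose effect is the winning one counts as a
    potential win, exactly as the standard's pseudo-code does."""
    potential_win = saw_other = saw_error = False
    for rule in rules:
        d = rule.evaluate(req)
        if d == winner:
            return winner
        if d == other:
            saw_other = True
        elif d == INDET:
            saw_error = True
            potential_win |= rule.effect == winner
    if potential_win:
        return winner
    if saw_other:
        return other
    return INDET if saw_error else NA


def deny_overrides(rules, req):
    return _overrides(rules, req, DENY, PERMIT)


def permit_overrides(rules, req):
    return _overrides(rules, req, PERMIT, DENY)


def first_applicable(rules, req):
    for rule in rules:
        d = rule.evaluate(req)
        if d != NA:
            return d                              # Permit, Deny or Indeterminate
    return NA


def only_one_applicable(rules, req):
    """A policy-combining algorithm in the standard; applied to rules here as
    the slide's table does: two applicable rules are an error."""
    applicable = [d for d in (r.evaluate(req) for r in rules) if d != NA]
    if not applicable:
        return NA
    return applicable[0] if len(applicable) == 1 else INDET


ALGORITHMS = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides,
              "first-applicable": first_applicable, "only-one-applicable": only_one_applicable}

# The two rules from the slide; hours on a 24h clock, ranges half-open.
RULES = [
    Rule("rule1", DENY, {"subject": "*", "action": "read", "resource": "file1"},
         lambda r: 8 <= r["hour"] < 20),
    Rule("rule2", PERMIT, {"subject": "john", "action": "read", "resource": "file1"},
         lambda r: 10 <= r["hour"] < 12),
]


def decide(algorithm: str, req: Request, rules: List[Rule] = RULES) -> str:
    return ALGORITHMS[algorithm](rules, req)


if __name__ == "__main__":
    john_11 = {"subject": "john", "action": "read", "resource": "file1", "hour": 11}
    for name in ALGORITHMS:
        print(f"{name:20s} john reads file1 at 11:00 -> {decide(name, john_11)}")
```

Run as a script it prints the decision for John at 11:00 under each algorithm: Deny, Permit, Deny (rule1 is listed first) and Indeterminate (two rules apply). A request with no hour attribute shows why the choice matters beyond the conflict on the slide: deny-overrides treats the undecidable deny rule as a potential deny, permit-overrides treats the undecidable permit rule as a potential permit.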

Page 26: XACML Combination Algorithms

Combination algorithm   Expected behavior
Deny-Overrides          The policy evaluates to Deny if any applicable rule with effect DENY is encountered
Permit-Overrides        The policy evaluates to Permit if any applicable rule with effect PERMIT is encountered
First-one-applicable    The combined result is the result of the first rule that applies
Only-one-applicable     The combined result is the result of the unique rule that applies to the request

• Similarly for policies

Page 27: Problem: Policy Integration

• If the VO can always "impose" its policy, combination algorithms are enough: simple, but not very flexible

• We want to increase flexibility, to increase the chances that a service provider can join the VO. Then we cannot impose but need to integrate the VO and service provider policies, and combination algorithms are not enough.

Page 28: Example

• VO policy: Any user with an email in the ".edu" or in the ".gov" domains can read any file. However, no access is allowed from 8am till 12am. [Deny-Overrides]

• SP policy: Any user with an email in the ".edu" domain can perform any action on any resource. HP users can read any file from 8am till 10am. However, requests received between 8am and 6pm are denied. [Permit-Overrides]

• Which combination algorithm should be applied?

Page 29: Example (continued)

• Same VO and SP policies as on page 28

• If Deny-Overrides: HP users cannot read files from 8am till 10am

Page 30: Example (continued)

• Same VO and SP policies as on page 28

• If Permit-Overrides: the VO may not be happy that HP users and the ".edu" domain can violate its policy

Page 31: Proposed integration algorithms

• Stakeholders specify combination algorithms and also which compromise they are willing to accept if they offer their service to a VO

• Step 1: Normalize the policy (First-one-applicable)

• Step 2: Compute policy similarity

• Step 3: Specify integration preferences

Page 32: Policy similarity

Rule similarity type   Authorized request set
Ri converges Rj        Ri = Rj
Ri diverges Rj         Ri ∩ Rj = ∅
Ri restricts Rj        Ri ⊂ Rj
Ri extends Rj          Ri ⊃ Rj
Ri shuffles Rj         Ri ∩ Rj ≠ ∅, and neither set contains the other
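The VO and SP policies of pages 28-30 under this similarity relation, as an added Python example that is not code from the slides or from the SRB. It enumerates a small constructed universe of requests (four users, one per domain of interest, two actions, every hour of the day), computes each policy's authorized request set Ri, classifies the pair with the relation in the table, then integrates the two policies with deny-overrides and with permit-overrides and reports what each lets through. Assumed: the slide's "8am till 12am" is read as 8:00 to 12:00 noon, a single file is the only resource, and the domains come from constructed e-mail addresses:

```python
# Added example, not code from the slides or from the GridTrust SRB: the VO and
# SP policies of pages 28-30 over a constructed request universe, the
# authorized request sets R_i, the similarity relation of this table, and what
# each policy-level combining algorithm lets through. Assumed: "12am" read as
# noon, a single file as the only resource, hours as whole numbers.
from itertools import product
from typing import Callable, FrozenSet, List, Tuple

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
Request = Tuple[str, str, int]                      # (user, action, hour)
Rule = Tuple[str, Callable[[Request], bool]]        # (effect, applies to request?)
Policy = Tuple[str, List[Rule]]                     # (combining algorithm, rules)

# Constructed universe: one user per domain of interest, two actions, 24 hours.
DOMAIN = {"alice@example.edu": "edu", "bob@example.gov": "gov",
          "carol@hp.example": "hp", "dave@example.org": "org"}
UNIVERSE: List[Request] = list(product(DOMAIN, ("read", "write"), range(24)))


def combine(algorithm: str, decisions: List[str]) -> str:
    """Deny-/permit-overrides over the applicable decisions (NA ignored)."""
    decisions = [d for d in decisions if d != NA]
    if not decisions:
        return NA
    if algorithm == "deny-overrides":
        return DENY if DENY in decisions else PERMIT
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in decisions else DENY
    raise ValueError(algorithm)


def evaluate(policy: Policy, req: Request) -> str:
    algorithm, rules = policy
    return combine(algorithm, [effect for effect, applies in rules if applies(req)])


def integrate(algorithm: str, policies: List[Policy], req: Request) -> str:
    """Policy-level combining of the VO and SP decisions (a PolicySet)."""
    return combine(algorithm, [evaluate(p, req) for p in policies])


def authorized(decide: Callable[[Request], str]) -> FrozenSet[Request]:
    """R_i of the table: the requests a policy permits."""
    return frozenset(r for r in UNIVERSE if decide(r) == PERMIT)


def similarity(ri: FrozenSet[Request], rj: FrozenSet[Request]) -> str:
    if ri == rj:
        return "converges"
    if not ri & rj:
        return "diverges"
    if ri < rj:
        return "restricts"
    if ri > rj:
        return "extends"
    return "shuffles"


def dom(req: Request) -> str:
    return DOMAIN[req[0]]


VO_POLICY: Policy = ("deny-overrides", [
    (PERMIT, lambda r: dom(r) in ("edu", "gov") and r[1] == "read"),
    (DENY, lambda r: 8 <= r[2] < 12),                 # no access 8am-12 noon
])
SP_POLICY: Policy = ("permit-overrides", [
    (PERMIT, lambda r: dom(r) == "edu"),
    (PERMIT, lambda r: dom(r) == "hp" and r[1] == "read" and 8 <= r[2] < 10),
    (DENY, lambda r: 8 <= r[2] < 18),                 # requests 8am-6pm denied
])
BOTH = [VO_POLICY, SP_POLICY]


def vo_violations(algorithm: str) -> int:
    """Requests the integrated policy permits although the VO policy denies."""
    return sum(1 for r in UNIVERSE
               if integrate(algorithm, BOTH, r) == PERMIT and evaluate(VO_POLICY, r) == DENY)


def report() -> dict:
    r_vo = authorized(lambda r: evaluate(VO_POLICY, r))
    r_sp = authorized(lambda r: evaluate(SP_POLICY, r))
    out = {"vo_vs_sp": similarity(r_vo, r_sp), "size_vo": len(r_vo), "size_sp": len(r_sp)}
    for alg in ("deny-overrides", "permit-overrides"):
        r_int = authorized(lambda r, a=alg: integrate(a, BOTH, r))
        out[alg] = {"vo_vs_integrated": similarity(r_vo, r_int), "size": len(r_int),
                    "vo_violations": vo_violations(alg),
                    "hp_read_9am": integrate(alg, BOTH, ("carol@hp.example", "read", 9))}
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Against this universe the two policies shuffle each other (R_VO has 40 requests, R_SP has 50, and they share only the .edu reads outside 8-12). Deny-overrides never permits anything the VO denies, and it is what stops HP users from reading between 8 and 10; it still permits .edu writes outside 8-12, because the VO policy is NotApplicable rather than Deny for writes, and deny-overrides does not treat silence as a refusal. Permit-overrides permits 10 requests the VO explicitly denies (.edu users and HP users between 8 and 12), and the VO's set then strictly restricts the integrated one.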

Page 33: Policy Integration Preferences

VO point of view:

• Converge Override: the VO enforces only its unchanged policy

• Restrict Override: the VO enforces also SP policies that do not deny its

• Deny Override: the VO enforces also SP policies; a request is permitted only if all permit it

• Permit Override: the VO enforces also SP policies; a request is permitted if at least one permits it

SP point of view:

• Restrict Override: the SP accepts that only a subset of its accepted requests will be accepted by the VO

• Extend Override: the SP accepts that requests it doesn't accept will be accepted by the VO

• Converge Override: the SP demands that its unchanged policy is enforced by the VO

Page 34: Policy Integration Preferences

Similarity types admitted for each VO preference (rows) against each SP preference (columns), as read from the slide's matrix:

                     | SP Restrict Override                | SP Extend Override                           | SP Converge Override
VO Converge Override | Converge, Extend                    | Converge, Restrict                           | Converge
VO Restrict Override | Converge, Restrict                  | Converge, Restrict                           | Converge, Restrict
VO Deny Override     | Converge, Restrict, Extend, Shuffle | Converge, Restrict                           | Converge, Restrict
VO Permit Override   | Converge, Extend                    | Converge, Restrict, Extend, Shuffle, Diverge | Converge, Extend

Page 35: XACML Runtime Support

• The Policy Administration Point (PAP) stores XACML policies in the appropriate repository.

• The Policy Enforcement Point (PEP) performs access control by making decision requests and enforcing authorization decisions.

• The Policy Information Point (PIP) serves as the source of attribute values, or the data required for policy evaluation.

• The Policy Decision Point (PDP) evaluates the applicable policy and renders an authorization decision.

Note: the PEP and PDP might both be contained within the same application, or might be distributed across different servers.

Page 36: Evaluation Workflow

[Figure: XACML data flow between the VO user, the service's PEP (DKM), the Context Handler, the PDP, the PAP, the PIP with its Subjects, Resources and Environment Attribute Managers, and the Obligations service:

1. policy (PAP to PDP)
2. service invocation (VO user to service/PEP)
3. request (PEP to Context Handler)
4. request notification (Context Handler to PDP)
5. attribute query (PDP to Context Handler)
6. attribute query (Context Handler to PIP)
7a. subject attributes, 7b. resource attributes, 7c. environment attributes (attribute managers to PIP)
8. attributes (PIP to Context Handler)
9. resource (to Context Handler)
10. attributes (Context Handler to PDP)
11. response context (PDP to Context Handler)
12. response (Context Handler to PEP), with obligations passed to the Obligations service]

Page 37: Our implementation in GridTrust

[Figure: as on page 17, with the PEP placed at Service2: VO user, ENFORCER, Service1, Service2 (PEP) and Service3, inside the VO and the Virtual Breeding Environment.]

Page 38: Enforcer

• Extension of the Sun XACML PDP to support UCON at VO service level

• At the moment covers only a subset of the XACML specification

• In case of denial, responds with the rule that caused the deny

• Rollback

Page 39: Enforcer (Extended PDP)

B. Crispo, TNO Groningen, 16-10-2008

[Figure: the APPLICATION (PEP) asks the Enforcer "Allow?" and gets Yes / No / Delay / Modify / N/A; inside the Enforcer the PDP is surrounded by OAM, SAM, HM, CM and OM.]

• OAM: Object Attribute Manager

• SAM: Subject Attribute Manager

• HM: History Manager

• CM: Condition Manager

• OM: Obligation Manager
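A toy of the Enforcer on this slide and of the PEP/PDP/PIP split of page 35, as an added Python example that is not the GridTrust Enforcer's code. The attribute manager plays the PIP, the History Manager holds the usage counts and the invocation order, the Condition Manager checks the time window, the Obligation Manager attaches duties to a permit, and the PEP side refuses a permit whose obligations it cannot discharge and records only usage that actually happened. The policies are the three usage-control ones of page 6; the "5 times" quota is counted per calendar day, the company mail domain corp.example, the service names and the subject's level attribute are this example's assumptions, and only Yes/No answers are modelled, not Delay or Modify:

```python
# Added example, not the GridTrust Enforcer's code: a toy usage-control
# enforcer in the shape of this slide (attribute manager, History Manager,
# Condition Manager and Obligation Manager around the decision logic), with
# the PEP/PDP/PIP split of page 35. Assumed: the "5 times" quota is per
# calendar day; corp.example, the service names and the level attribute are
# invented.
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Decision:
    allow: bool
    rule: Optional[str] = None                   # rule that caused a deny (page 38)
    obligations: List[str] = field(default_factory=list)


class SubjectAttributeManager:                    # SAM: the PIP for subject attributes
    def __init__(self, attrs: Dict[str, Dict[str, str]]):
        self._attrs = attrs

    def get(self, subject: str, name: str) -> Optional[str]:
        return self._attrs.get(subject, {}).get(name)


class HistoryManager:                             # HM: past usage, UCON's mutable state
    def __init__(self):
        self.events: List[Tuple[str, str, bool, datetime]] = []

    def record(self, subject: str, service: str, ok: bool, when: datetime) -> None:
        self.events.append((subject, service, ok, when))

    def successes_on(self, subject: str, service: str, day: date) -> int:
        return sum(1 for s, svc, ok, t in self.events
                   if s == subject and svc == service and ok and t.date() == day)

    def last_succeeded(self, subject: str, service: str) -> bool:
        runs = [ok for s, svc, ok, _ in self.events if s == subject and svc == service]
        return bool(runs) and runs[-1]


class ConditionManager:                           # CM: environmental conditions
    @staticmethod
    def in_window(now: datetime, start_hour: int, end_hour: int) -> bool:
        return start_hour <= now.hour < end_hour


class ObligationManager:                          # OM: duties the PEP must discharge
    @staticmethod
    def obligations(service: str, attrs: Dict[str, str]) -> List[str]:
        if service == "SendMail" and not attrs.get("to", "").endswith("@corp.example"):
            return ["encrypt"]                    # mail leaving the company must be encrypted
        return []


class Enforcer:
    SILVER_QUOTA = 5

    def __init__(self, sam, hm, cm, om):
        self.sam, self.hm, self.cm, self.om = sam, hm, cm, om

    def decide(self, subject: str, service: str, now: datetime, attrs: Dict[str, str]) -> Decision:
        """The PDP part: authorizations, conditions and history, then obligations."""
        if service == "Experiment" and self.sam.get(subject, "level") == "silver":
            if not self.cm.in_window(now, 8, 20):
                return Decision(False, "silver-hours")
            if self.hm.successes_on(subject, service, now.date()) >= self.SILVER_QUOTA:
                return Decision(False, "silver-quota")
        if service == "SendOrder" and not self.hm.last_succeeded(subject, "Log"):
            return Decision(False, "order-after-log")
        return Decision(True, None, self.om.obligations(service, attrs))

    def invoke(self, subject: str, service: str, now: datetime,
               fulfil: Callable[[str], bool] = lambda o: True, ok: bool = True, **attrs) -> Decision:
        """The PEP part: a permit whose obligations cannot be discharged is a deny,
        and only usage that actually happened goes into the history."""
        d = self.decide(subject, service, now, attrs)
        if d.allow and not all(fulfil(o) for o in d.obligations):
            d = Decision(False, "obligation:" + ",".join(d.obligations))
        if d.allow:
            self.hm.record(subject, service, ok, now)
        return d


def run_scenario() -> List[Tuple[str, bool, Optional[str]]]:
    enf = Enforcer(SubjectAttributeManager({"silver_user": {"level": "silver"}}),
                   HistoryManager(), ConditionManager(), ObligationManager())
    t = datetime(2008, 10, 16, 9, 0)             # constructed timestamp
    log: List[Tuple[str, bool, Optional[str]]] = []

    def step(label: str, d: Decision) -> None:
        log.append((label, d.allow, d.rule))

    for i in range(1, 7):                         # five runs fit the quota, the sixth does not
        step(f"experiment{i}", enf.invoke("silver_user", "Experiment", t))
    step("experiment-night", enf.invoke("silver_user", "Experiment", t.replace(hour=22)))
    step("order-before-log", enf.invoke("silver_user", "SendOrder", t))
    enf.invoke("silver_user", "Log", t)
    step("order-after-log", enf.invoke("silver_user", "SendOrder", t))
    step("mail-external", enf.invoke("silver_user", "SendMail", t, to="x@other.example"))
    step("mail-external-no-crypto", enf.invoke("silver_user", "SendMail", t,
                                               fulfil=lambda o: False, to="x@other.example"))
    step("mail-internal", enf.invoke("silver_user", "SendMail", t,
                                     fulfil=lambda o: False, to="y@corp.example"))
    return log


if __name__ == "__main__":
    for label, allow, rule in run_scenario():
        print(f"{label:26s} {'allow' if allow else 'deny'} {rule or ''}")
```

Two design points carry over to a real PEP: the history is updated only after the PEP has confirmed the usage went ahead (otherwise a denied or failed invocation would consume quota or satisfy the "Log before SendOrder" ordering), and a permit that comes with an obligation the PEP cannot fulfil is turned into a deny, which is what XACML requires of a PEP.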

Page 40: Why PDP Performance is Important

• The PDP is critical for the overall performance of the authorization service

• The proliferation of service-oriented applications

• S3-like services will face an enormous amount of requests requiring authorization decisions

Page 41: Experiments

• PDPs tested: Sun XACML, XACML Enterprise, XACMLight

• Two phases have been tested:

• Policy Load: loading of policy/policies from disk to main memory

• Policy Evaluation: request evaluation against loaded policies

• Environment: 3.4 GHz Pentium IV CPU, 2 GB RAM, 160 GB Serial ATA (7200 rpm) HDD

• JVM heap size: 256 MB - 1024 MB

Page 42: Policy Test Suite

Three policy test suites (synthetic policies):

Large number of policies: 10, 100, 1000 and 10000 XACML policies composed of 4 rules each

Large number of rules: 10, 50, 100, 500 and 1000 rules in a single policy

Policy similarity: 10 policies with different similarity settings

Page 43: Large Number of Policies

• In enterprise/cross-enterprise systems, with a large number of entities eager to specify access control policies, and with shared PDP services

• 1 request is evaluated against 10, 100, 1000 and 10000 policies at a time

Page 44: Large Number of Policies

[Chart: Policy Load]

Page 45: Large Number of Policies (cont.)

[Chart: Policy Evaluation]

Page 46: Large Number of Rules

• A single organization with a large number of users and resources, and a single point of control

• 1 request is evaluated against 10 policies with 10, 50, 100, 500 and 1000 rules inside

Page 47: Large Number of Rules

[Chart: Policy Load]

Page 48: Large Number of Rules (cont.)

[Chart: Policy Evaluation]

Page 49: Ongoing Work

• Extend enforcement by reaction, extending the obligations

• Integrate security policy match-making with resource allocation/scheduling

• Improve performance, acting both on loading time (more efficient policy representation) and on evaluation time (more efficient evaluation algorithms)

• Consider continuous monitoring at service level for some specific applications