policy driven negotiation for authorization in the grid
play

Policy-driven Negotiation for Authorization in the Grid Ionut - PowerPoint PPT Presentation

Dec 30, 2022 •216 likes •414 views

Policy-driven Negotiation for Authorization in the Grid Ionut Constandache Duke University Daniel Olm edilla L3S Research Center Frank SiebenList Argonne National Laboratory 8 th IEEE POLICY Bologna, Italy, 15 th June 20 0 7 Outline

  1. Policy-driven Negotiation for Authorization in the Grid Ionut Constandache Duke University Daniel Olm edilla L3S Research Center Frank SiebenList Argonne National Laboratory 8 th IEEE POLICY Bologna, Italy, 15 th June 20 0 7

  2. Outline � Introduction � Motivation � Policy-driven Negotiations � Negotiations in the Grid � Implementation � Conclusions and Further Work Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 2

  3. Introduction Virtual Organization Org 3 Org 1 Org 2 Policy Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 3

  4. Introduction Why Grid Security is Hard? Resources being used m ay be valuable & the problem s being solved sensitive � Both users and resources need to be careful Dynam ic form ation and m anagem ent of virtual organizations (VOs) � Large, dynamic, unpredictable… VO Resources and users are often located in distinct adm inistrative dom ains � Can’t assume cross-organizational trust agreements � Different mechanisms & credentials Interactions are not just client/ server, but service-to-service on behalf of the user � Requires delegation of rights by user to service � Services may be dynamically instantiated Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 4

  5. Motivation Local Administrative Domain Ivan’s policy: Alice is my friend and I’ll share my lemonade with her Mallory is not my friend and he can go # $% ^ & Can I have glass of lemonade? Sure, here is a glass Alice I van Can I have glass of lemonade? Resource Ow ner decides! No way, I don’t like you (ultimate source of authority for access) Mallory Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 5

  6. Motivation Distinct Administrative Domains Ivan’s policy: Carol is my friend and I’ll share my lemonade with her I’ll share my lemonade with any friend of Carol I don’t know any Bob…(?) Can I have glass of lemonade? Bob ? I van Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 6

  7. Motivation Distinct Administrative Domains – Pull (I) Ivan’s policy: Carol is my friend and I’ll share my lemonade with her I’ll share my lemonade with any friend of Carol I don’t know any Bob…(?) Can I have glass of lemonade? Bob Sure, here is a glass I van Can Bob have glass of lemonade? Sure, Bob is my friend Carol’s policy: Carol Bob is my friend and I’ll share my lemonade with him Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 7

  8. Motivation Distinct Administrative Domains – Pull (& II) Neighbor's policy: Frosty’s policy: Let’s party! Only share lemonade with ice Bill’s policy: Ivan’s policy: Lemonade is bad for you Aunt’s policy: I don’t know any Bob…(?) Sharing is good I do know John, Mary, Carol, Olivia, … Can I have glass of lemonade? Laura’s policy: Share if he pays! Bob Jogger’s policy: I’d like a glass too Mary’s policy: I van: HELP I van I van I like Bob a little bit Can Bob have glass of lemonade? Rita’s policy: No lemonade after eight John’s policy: Accountant’s policy: Olivia’s policy: I don’t like girls Only if he signs here If Carol likes Bob, I hate him! Sure, Bob is my friend Emma’s policy: Only on his birthday Ann’s policy: Carol’s policy: Lucy’s policy: I like Ivan very much! Carol David’s policy: Bob is my friend and I’ll share my lemonade with him I sometimes like Carol Ask Laura Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 8

  9. Motivation Distinct Administrative Domains – Push approach Ivan’s policy: Carol is my friend and I’ll share my lemonade with her I’ll share my lemonade with any friend of Carol I don’t know any Bob…(?) Can I have glass of lemonade? And BTW, Carol is my friend Bob Sure, here is a glass I van � either Bob provides a list of all his friends or � Privacy problem s, superfluous disclosure � Bob knows in advance the friends from Ivan � static � service instances to be used m ay be selected at run-tim e Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 9

  10. Motivation Example Scenario – Grid Limitations - Too many Credentials to keep track of - Knowing which credential to use - Different sites trust different CA - No way to determine automatically which issuers are trusted MyProxy Credential Repository NEESgrid 0a RLS Job must know in advance what Linux Cluster Request previously stored proxy credentials will have to be disclosed certificate 0b M.A. Receive proxy 1 certificate M.A. Mutual Authentication SRB (M.A.) job 2 M.A. Alice submits a job 3 Delegate proxy certificate Shake Alice Smith Authorization may depend on user’s GridFTP In large projects, an account per table properties Server M.A. : Mutual Authentication user does not scale E.g. user’s affiliation with a project Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 10

  11. Policy-Driven Negotiations Example: Security & Privacy Alice Bob Step 1: Alice requests a service from Bob Step 2: Bob discloses his policy for the service Step 3: Alice discloses her policy for VISA Step 4: Bob discloses his BBB credential Step 5: Alice discloses her VISA card credential Step 6: Bob grants access to the service Service Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 11

  12. Negotiations in the Grid Revisiting the example scenario The delegated certificate is used to retrieve the requested certificates Credential Repository 4. Alice 1. Authentication Shake Table membership? Access Manager 5. Alice 2. Request BigQuake 3. Alice 0. Alice membership membership? submits a job job 6. Alice BigQuake membership 7. Access granted NEESgrid Linux Cluster Shake 8. Alice’s job Shakes the table table Alice Smith With only one certificate to Server inform s the client access the online repository about its access control policy Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 12

  13. Policy-Driven Negotiations Characteristics Both client and servers are sem antically annotated with policies Annotations � specify constraints and capabilities – access control requirements � which certificates must be presented to gain access to it � who is responsible for obtaining and presenting these certificates � are used during a negotiation � to reason about and to communicate the requirements � to determine whether credentials can be obtained and revealed. User involvem ent is drastically reduced – autom ated interactions If required, for sensitive resources, negotiation can be longer � To obtain (access to) a certificate, I must satisfy its access Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 13 control policy which specifies --and so on recursively—

  14. Implementation Current GT4’s new authZ framework Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 14

  15. Implementation Architecture Client Grid Service Negotiation Module Negotiation Module subscribe() Notification Negotiation notify() Listener Topic PeerTrust PeerTrust Module negotiateTrust() Module Send Negotiation Wrapper Provider getNegotiationTopic() Inference Inference Client Call Engine Engine Interceptor operation() Client Interceptor Grid Negotiation Exception Program PDP Service Policies Policies Credentials Credentials Service wsdl file <wsdl:im port nam espace=“http:/ / linux.egov.pub.ro/ ionut/ TrustNegotiationwsdl” location=“TrustNegotiationwsdl”/ > Service Deploym ent Descriptor <param eter nam e=“providers” value=“SubscribeProvider GetCurrentMessageProvider g4m fs.im pl.gridpeertrust.net.server.TrustNegotiationProvider”/ > <param eter nam e=“securityDescriptor” value=“share/ schem a/ gt4ide/ MathService/ m ysec.xm l”/ > Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 15

  16. Implementation Integration on Globus Toolkit 4.0 � Directed integrated with the grid services paradigm � Extension to GSI pluggable to any GT4.0 com pliant grid service or client � Only requirem ent: Java based grid services � We use: � Custom PDP as part of the Client Call Interceptor - Redirects to a negotiation if required � Asynchronous negotiations are achieved through WS- Base Notification and WS-Topics � CAS integration into negotiations � API for easy integration within client code Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 16

  17. Conclusions & Future Work Conclusions Main Features � Self-describing resources for access requirem ents � Based on properties � Negotiation for service authorization � Dynam ic credential fetching � Now possible to use discovery and scheduling services to locate the best available resources � Otherwise, impossible to predict before hand what exact service instances would be used and which certificates required � Monitoring and explanation of authorization decision Im plem entation in Java � Extension of GSI in GT4.0 � Backwards com patible Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 17

  18. Conclusions & Future Work Further Work � Study perform ance im pact of negotiations � And approaches to m inim ize the extra load � Lim it num ber of iterations - E.g. 2 steps negotiations � Advertise policies before the service is invoked � Investigate the use of XACML � Delegation not yet supported but planned Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 18

  19. Thanks! Questions? olm edilla@L3S.de - http:/ / w w w .L3S.de/ ~olm edilla/ Daniel Olmedilla 8th IEEE POLICY June 15th, 2007 19

Recommend

The PRIMA Grid Authorization System Markus Lorch and Dennis Kafura Bharath Ramesh CS 6204,

The PRIMA Grid Authorization System Markus Lorch and Dennis Kafura Bharath Ramesh CS 6204,

The PRIMA Grid Authorization System Markus Lorch and Dennis Kafura Bharath Ramesh CS 6204, Spring 2005 1 PRIvilege Management Authorization (PRIMA) A system to provide enhanced grid security services Secure, fine grained privileges

368 views • 16 slides
Policy-driven Distributed University of Illinois Marianne Winslett Status and Prospects

Policy-driven Distributed University of Illinois Marianne Winslett Status and Prospects

1 Marianne Winslett / POLICY 2007 Policy-driven Distributed University of Illinois Marianne Winslett Status and Prospects Authorization: (sanitized version) 2 A tale of two trends Marianne Winslett / POLICY 2007 3 Organizational

763 views • 53 slides
Welcome to the Course on Negotiation Skills Course Objectives By the end of this course, you

Welcome to the Course on Negotiation Skills Course Objectives By the end of this course, you

Welcome to the Course on Negotiation Skills Course Objectives By the end of this course, you will be able to: Understand the basics of negotiation Describe the negotiation process Use appropriate strategies for win-win outcomes

810 views • 51 slides
Presentation and Negotiation Presentation and Negotiation Filesize: 5.76 MB Reviews Reviews

Presentation and Negotiation Presentation and Negotiation Filesize: 5.76 MB Reviews Reviews

WLKHMWK17WKS \\ Doc / Presentation and Negotiation Presentation and Negotiation Presentation and Negotiation Filesize: 5.76 MB Reviews Reviews The publication is simple in read easier to comprehend. It really is rally interesting throgh

483 views • 3 slides
Navigating Emergency Use Authorization: FDA Policy for COVID- 19 Diagnostic Tests Ian McGill,

Navigating Emergency Use Authorization: FDA Policy for COVID- 19 Diagnostic Tests Ian McGill,

Navigating Emergency Use Authorization: FDA Policy for COVID- 19 Diagnostic Tests Ian McGill, PSM, ASQ CBA April 2020 AGENDA EUA Background COVID-19 Policy Guidance Document Test Type and Pathways to distribution Key

454 views • 11 slides
Whose technology policy? Hegemony of Runaway Technology Policy??!! FATALISM +ve Grid

Whose technology policy? Hegemony of Runaway Technology Policy??!! FATALISM +ve Grid

Power, Policy and Samkhya Philosophy Dipak Gyawali What technology policy? Whose technology policy? Hegemony of Runaway Technology Policy??!! FATALISM +ve Grid HIERARCHISM Asymmetrical Transactions: Risk Absorbing: Strong Ascribed

282 views • 4 slides
Australian distributor for January 2016 Grid Edge / The Company At Grid Edge we are truly

Australian distributor for January 2016 Grid Edge / The Company At Grid Edge we are truly

Energy for a sustainable future Australian distributor for January 2016 Grid Edge / The Company At Grid Edge we are truly passionate about what we do. We are a company of engineers and business people driven to deliver both off grid and on grid

454 views • 42 slides
Negotiation Jos e M Vidal Department of Computer Science and Engineering University of South

Negotiation Jos e M Vidal Department of Computer Science and Engineering University of South

Negotiation Negotiation Jos e M Vidal Department of Computer Science and Engineering University of South Carolina. March 3, 2010 Abstract We describe automated negotiation as it applies to multiagent systems. Chapter 6. Negotiation

1.46k views • 114 slides
&amp; &amp; Open Public Policy Innovation Negotiation &amp; Strategy &lt;a framework&gt;

&amp; &amp; Open Public Policy Innovation Negotiation &amp; Strategy &lt;a framework&gt;

Data Government &amp; &amp; Open Public Policy Innovation Negotiation &amp; Strategy &lt;a framework&gt; Politics Key Roles Administration Policy &amp; Regulation (campaigning/NGO) Politics Key Roles Administration Policy &amp;

885 views • 74 slides
Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without authorization Authorization in Oxford Advanced Learner's Dictionary Object-oriented Databases authorization is the concept of allowing

70 views • 6 slides
Presentation and Negotiation Presentation and Negotiation Filesize: 8.62 MB Reviews Reviews

Presentation and Negotiation Presentation and Negotiation Filesize: 8.62 MB Reviews Reviews

CGPVH9REZXIG // PDF \\ Presentation and Negotiation Presentation and Negotiation Presentation and Negotiation Filesize: 8.62 MB Reviews Reviews These types of book is the greatest ebook readily available. I was able to comprehended every

506 views • 4 slides
Career Development Workshop: Negotiation R. Sekhar Chivukula and Elizabeth H. Simmons 31 October

Career Development Workshop: Negotiation R. Sekhar Chivukula and Elizabeth H. Simmons 31 October

Career Development Workshop: Negotiation R. Sekhar Chivukula and Elizabeth H. Simmons 31 October 2019 What is Negotiation? Negotiation is a discussion between two or more parties aimed at reaching a mutual agreement. Negotiation often

603 views • 32 slides
A Strategy A Strategy for Automated Meaning Negotiation for Automated Meaning Negotiation in

A Strategy A Strategy for Automated Meaning Negotiation for Automated Meaning Negotiation in

Searching in the ISWC Semantic Bank: &lt; negotiation &gt; - One Item Found A Strategy A Strategy for Automated Meaning Negotiation for Automated Meaning Negotiation in Distributed Information Retrieval Vadim Ermolayev Ermolayev Vadim

771 views • 32 slides
XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling Overview by Yuri Demchenko On behalf of OSG/EGEE AuthZ Interoperability WG and Phosphorus project SNE Group, University of Amsterdam TF-EMC2 Meeting 3

633 views • 50 slides
Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably Authorization answers the question who is allowed to do what ? A first step in the development of an access control system is the

651 views • 53 slides
Toward Automated Authorization Policy Enforcement Vinod Ganapathy Trent Jaeger Somesh Jha

Toward Automated Authorization Policy Enforcement Vinod Ganapathy Trent Jaeger Somesh Jha

Toward Automated Authorization Policy Enforcement Vinod Ganapathy Trent Jaeger Somesh Jha vg@cs.wisc.edu tjaeger@cse.psu.edu jha@cs.wisc.edu March 1 st , 2006 Second Annual Security-enhanced Linux Symposium Baltimore, Maryland Introduction

792 views • 39 slides
Power grid partitioning Data-Driven Partitioning of Power Networks Via Koopman Mode

Power grid partitioning Data-Driven Partitioning of Power Networks Via Koopman Mode

Power grid partitioning Data-Driven Partitioning of Power Networks Via Koopman Mode Analysis by Raak, Susuki and Hikihara Presented by Andr and Pontus http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/BlackoutFinal-Web.pdf 2

411 views • 27 slides
SDP Capability Negotiation draft-ietf-mmusic-sdp-capability-negotiation-12.txt Flemming Andreasen

SDP Capability Negotiation draft-ietf-mmusic-sdp-capability-negotiation-12.txt Flemming Andreasen

SDP Capability Negotiation draft-ietf-mmusic-sdp-capability-negotiation-12.txt Flemming Andreasen (fandreas@cisco.com) IETF 77 March 23, 2010 1 Progress and Current Status WGLC completed on -08 (end of 2007) Chair review resulted in

426 views • 10 slides
1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel Expense 4. Travel Regulations 2 Travel Authorization (See Next Slide for Detailed Steps) 2. Trip Information goes here 1. Budgetary Coding goes

319 views • 11 slides
SEE-GRID-SCI SEE-GRID Infrastructure for Regional eScience www.see-grid-sci.eu International

SEE-GRID-SCI SEE-GRID Infrastructure for Regional eScience www.see-grid-sci.eu International

SEE-GRID-SCI SEE-GRID Infrastructure for Regional eScience www.see-grid-sci.eu International Symposium on Grid Computing (ISGC) Academia Sinica, Taipei, 5-12 March 2010 Dr. Ognjen Prnjat European and Regional Grid Management GRNET The

329 views • 31 slides
Simple policy negotiation for location disclosure Nick Doty &amp; Erik Wilde UC Berkeley, School

Simple policy negotiation for location disclosure Nick Doty &amp; Erik Wilde UC Berkeley, School

Simple policy negotiation for location disclosure Nick Doty &amp; Erik Wilde UC Berkeley, School of Information Geolocation and privacy Location information is: informationally revealing personally identifying physically intrusive W3C

361 views • 15 slides
TAGPMA The Americas Grid Policy Management Authority Drivers Members OS G, Bob Cowles,

TAGPMA The Americas Grid Policy Management Authority Drivers Members OS G, Bob Cowles,

TAGPMA The Americas Grid Policy Management Authority Drivers Members OS G, Bob Cowles, TeraGrid, Tony Dane S kow Rimovski DOEGrids, Tony Texas High Energy Genovese, Mike Grid, Alan S ill Helms S DS C, Bill Link

375 views • 9 slides
INCREASING GRID RESILIENCE THROUGH DATA-DRIVEN MODELING FOR STORM OUTAGE PREDICTION AND LONG-TERM

INCREASING GRID RESILIENCE THROUGH DATA-DRIVEN MODELING FOR STORM OUTAGE PREDICTION AND LONG-TERM

INCREASING GRID RESILIENCE THROUGH DATA-DRIVEN MODELING FOR STORM OUTAGE PREDICTION AND LONG-TERM PLANNING Steven Quiring, Texas A&amp;M University Seth Guikema, Johns Hopkins University U.S. DOE State Energy Risk Assessment Workshop Our

409 views • 39 slides
Development of a Prosumer Driven Integrated Smart Grid Project plan and discussion 28 August

Development of a Prosumer Driven Integrated Smart Grid Project plan and discussion 28 August

Development of a Prosumer Driven Integrated Smart Grid Project plan and discussion 28 August 2018, New Delhi Outline Concept Project Objectives Key Project Deliverables Work Packages and Outcomes Strategic Plan Team

246 views • 22 slides

More recommend