
The PRIMA Grid Authorization System Markus Lorch and Dennis Kafura - PowerPoint PPT Presentation



  1. The PRIMA Grid Authorization System
     Markus Lorch and Dennis Kafura
     Bharath Ramesh
     CS 6204, Spring 2005 (slide 1)

  2. PRIvilege Management Authorization (PRIMA)
     A system to provide enhanced grid security services:
     ♦ Secure, fine-grained privileges
     ♦ Dynamic policy generation
     ♦ Dynamic execution environments
     Requirements were derived from usage scenarios and a survey of grid users. Scenarios used for the survey:
     – Scenario 1: Ad-hoc collaboration
     – Scenario 2: Multi-project user
     Implemented as an extension of the Globus Toolkit.

  3. Security Requirements
     Security requirements identified from the surveys:
     ♦ Fully distributed mechanism
     ♦ Fine-grained access rights
     ♦ Direct delegation of authorization
     ♦ Selective use of access rights
     ♦ Fine-grained enforcement
     ♦ Support for legacy and untrusted applications
     How PRIMA addresses these requirements:
     ♦ Privileges
     ♦ Dynamic policies
     ♦ Dynamic execution environments

  4. PRIMA Concepts: Overview

  5. PRIMA Concepts: Privileges
     A privilege is an access right with the following properties:
     – Fully associated: it explicitly specifies the subject, the object, and the action the subject is allowed to perform on that object
     – Directly applicable: the access right can be exercised without further interpretation
     Privileges are embedded in a container to protect them against manipulation.
     Properties of PRIMA privileges:
     – Well-defined lifetime
     – Fine-grained

  6. PRIMA Concepts: Dynamic Policies
     All permissible privileges together constitute the dynamic policy for a request.
     The Policy Enforcement Point (PEP) checks for:
     – Applicability
     – Validity
     – Authority
     The Policy Decision Point (PDP) makes the following decisions:
     – Coarse decision
     – Obligations of the PEP

  7. PRIMA Concepts: PEP Obligations
     ♦ Additional constraints attached to an authorization decision are called obligations.
     ♦ If the PEP cannot fulfill an obligation, it does not allow the access to proceed.
     ♦ Obligations address the subtle issues of fine-grained authorization, such as a mismatch in the level of detail between requests and policies.
     ♦ Obligations help in maintaining system state.
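The privilege, dynamic policy and obligation flow of slides 5 to 7 (with the validity and authority checks of slide 12) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the slides or from PRIMA itself: the trust table, the naming of subjects, issuers and objects, and the two obligation kinds ("restrict-to" and "revoke-at") are assumptions chosen to make the checks concrete.

```python
"""Toy model of PRIMA-style privilege checking: the PEP keeps only the
privileges that are applicable, valid and issued by an authority (the dynamic
policy), the PDP returns a coarse decision plus obligations, and the PEP denies
access if it cannot fulfil an obligation. Illustrative example, not PRIMA code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Privilege:
    """A fully associated access right: subject, object and action are explicit."""
    subject: str         # holder, e.g. a grid identity (constructed values below)
    obj: str             # resource the right applies to (a path prefix here)
    action: str          # action the subject may perform on obj
    issuer: str          # who asserted the privilege
    not_before: datetime
    not_after: datetime  # well-defined lifetime


@dataclass(frozen=True)
class Request:
    subject: str
    obj: str
    action: str
    at: datetime


# Assumed trust configuration: which issuers have authority over which objects.
AUTHORITY = {
    "ca:project-a": ("/data/project-a/",),
    "ca:project-b": ("/data/project-b/",),
}


def applicable(p, r):
    """Does the privilege cover this subject, object and action?"""
    return p.subject == r.subject and r.obj.startswith(p.obj) and p.action == r.action


def valid(p, r):
    """Is the request inside the privilege's lifetime?"""
    return p.not_before <= r.at <= p.not_after


def authorized_issuer(p):
    """Did an issuer with authority over the object assert the privilege?"""
    return any(p.obj.startswith(prefix) for prefix in AUTHORITY.get(p.issuer, ()))


def pep_filter(privs, req):
    """PEP side: the dynamic policy is the set of privileges that pass all checks."""
    return [p for p in privs if applicable(p, req) and valid(p, req) and authorized_issuer(p)]


def pdp_decide(policy, req):
    """PDP side: a coarse permit/deny plus obligations the PEP has to fulfil."""
    if not policy:
        return "deny", []
    obligations = []
    # Level-of-detail mismatch: a privilege names a directory but the request
    # names a file inside it, so the PEP must narrow the right to that file only.
    if any(p.obj != req.obj for p in policy):
        obligations.append(("restrict-to", req.obj))
    # The provisioned right must not outlive the privilege that grants it.
    obligations.append(("revoke-at", min(p.not_after for p in policy)))
    return "permit", obligations


def pep_enforce(privs, req, can_fulfil):
    """Allow the request only if the PDP permits it and every obligation is met."""
    decision, obligations = pdp_decide(pep_filter(privs, req), req)
    return decision == "permit" and all(can_fulfil(o) for o in obligations)


def demo_decision():
    """Constructed sample: one genuine privilege and one asserted by an issuer
    that has no authority over the object it names."""
    t0 = datetime(2005, 3, 1, 12, 0, tzinfo=timezone.utc)
    later = t0 + timedelta(minutes=30)
    good = Privilege("dn:alice", "/data/project-a/", "read", "ca:project-a", t0, t0 + timedelta(hours=2))
    overreach = Privilege("dn:alice", "/data/project-b/", "read", "ca:project-a", t0, t0 + timedelta(hours=2))
    fulfil_all = lambda o: True
    cannot_restrict = lambda o: o[0] != "restrict-to"
    return {
        "in_scope_read": pep_enforce([good, overreach], Request("dn:alice", "/data/project-a/run1.dat", "read", later), fulfil_all),
        "wrong_action": pep_enforce([good], Request("dn:alice", "/data/project-a/run1.dat", "write", later), fulfil_all),
        "expired": pep_enforce([good], Request("dn:alice", "/data/project-a/run1.dat", "read", t0 + timedelta(hours=3)), fulfil_all),
        "issuer_without_authority": pep_enforce([overreach], Request("dn:alice", "/data/project-b/x.dat", "read", later), fulfil_all),
        "unfulfilled_obligation": pep_enforce([good], Request("dn:alice", "/data/project-a/run1.dat", "read", later), cannot_restrict),
    }


if __name__ == "__main__":
    for name, allowed in demo_decision().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The "issuer_without_authority" case is the one worth noticing: the privilege is well-formed and unexpired, and it is the authority check of the PEP (not the PDP) that keeps it out of the dynamic policy, so a subject cannot widen its rights by presenting an assertion from an issuer it happens to trust but the resource does not.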

  8. PRIMA Concepts: Dynamic Execution Environments
     ♦ Each authorized request is executed within a specific execution environment.
     ♦ An execution environment can be implemented as:
       – A Unix process space
       – A sandbox
       – A hosting environment for web and grid services
     ♦ The execution environment provides the added benefit of being able to execute legacy and untrusted applications.
     ♦ Execution environments can be provisioned in various ways, such as:
       – Identity authorization
       – Mixed-mode authorization
       – Privilege-based authorization

  9. PRIMA Architecture and System Components: Overview

  10. PRIMA Architecture and System Components: The Globus GRAM Authorization Call-Out
     ♦ The Globus Gatekeeper is extended with two interfaces:
       – Identity mapping interface.
         • Replaces the static grid-map file mechanism.
       – Code for parsing the call-out configuration file.
         • Loading and initializing modules.
         • Logging to the existing Globus gss_assist library.

  11. PRIMA Architecture and System Concepts: PRIMA Authorization Module
     The PRIMA authorization module interfaces with the Globus gatekeeper. The authorization module performs the following steps in sequence:
     – Validates privileges and requests authorization decisions.
     – Determines the user account which will be used to service the request.
     – Provisions the selected user account with access rights.

  12. PRIMA Architecture and System Components: Validation and Decision Process
     ♦ The PRIMA authorization module receives the Generic Security Services (GSS) context from the Globus gatekeeper.
     ♦ The authorization module extracts and verifies the privileges contained in the GSS context.
     ♦ After validation, the PRIMA authorization module determines the authority of the issuer of the privilege attributes.

  13. PRIMA Architecture and System Components: Authorization Request and Response

  14. PRIMA Architecture and System Components: User Mapping

  15. PRIMA Architecture and System Components: Enforcement Mechanisms
     PRIMA uses the following mechanisms to control file access:
     – POSIX.1e file system access control lists. PRIMA dynamically modifies the system's ACLs, based on the authorization module's decision, to set access rights for the execution environment.
     – XML-based Grid Access Control Lists (GACLs). The enforcement mechanism is similar to that used for POSIX ACLs.
     PRIMA can be extended to use iptables to control access to the network.
     The PRIMA Privilege Revocator, associated with PRIMA-enabled resources, automatically revokes privileges and dynamic users as they expire.
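The POSIX.1e ACL enforcement and the revocator of slide 15 come down to two operations: add a named-user ACL entry for the dynamically assigned account when a request is authorized, and remove it again when the backing privilege expires. The example below is added for this page and is not PRIMA's implementation; the account names, paths, the action-to-permission mapping and the dry-run default are assumptions. It records the `setfacl` invocations it would run instead of executing them, so it runs offline.

```python
"""Illustration of PRIMA-style enforcement with POSIX.1e ACLs: access rights for
a dynamic account are written as named-user ACL entries and a revocator sweep
removes them once the granting privilege has expired, reporting which dynamic
accounts no longer hold any rights. Added example, not PRIMA's own code."""
from datetime import datetime, timedelta, timezone
import shlex

# Assumed mapping from a privilege's action to an ACL permission string.
ACTION_PERMS = {"read": "r--", "write": "rw-", "execute": "r-x"}


class AclEnforcer:
    def __init__(self, run=None):
        # run(argv) applies a command; the default only records it (dry run).
        self.run = run or (lambda argv: None)
        self.grants = {}   # (account, path) -> (perms, expires_at)
        self.log = []      # every setfacl invocation, as a shell string

    def _exec(self, argv):
        self.log.append(shlex.join(argv))
        self.run(argv)

    def provision(self, account, path, action, expires_at):
        """Set a named-user ACL entry for the execution environment's account."""
        perms = ACTION_PERMS[action]
        self._exec(["setfacl", "-m", f"u:{account}:{perms}", path])
        self.grants[(account, path)] = (perms, expires_at)

    def revoke(self, account, path):
        """Remove the named-user entry again."""
        self._exec(["setfacl", "-x", f"u:{account}", path])
        self.grants.pop((account, path), None)

    def revocator_sweep(self, now):
        """Revocator: drop every expired grant; report accounts that are now free."""
        expired = [key for key, (_, exp) in self.grants.items() if exp <= now]
        for account, path in expired:
            self.revoke(account, path)
        still_in_use = {account for account, _ in self.grants}
        freed = sorted({account for account, _ in expired} - still_in_use)
        return expired, freed


def demo_enforcement():
    """Constructed sample: two dynamic accounts, three grants with different lifetimes."""
    t0 = datetime(2005, 3, 1, 12, 0, tzinfo=timezone.utc)
    enf = AclEnforcer()
    enf.provision("prima001", "/data/project-a/run1.dat", "read", t0 + timedelta(hours=1))
    enf.provision("prima001", "/data/project-a/out/", "write", t0 + timedelta(hours=2))
    enf.provision("prima002", "/data/project-b/in.dat", "read", t0 + timedelta(minutes=30))
    expired, freed = enf.revocator_sweep(t0 + timedelta(hours=1))
    return {"expired": expired, "freed": freed, "remaining": sorted(enf.grants), "log": enf.log}


if __name__ == "__main__":
    for line in demo_enforcement()["log"]:
        print(line)
```

To apply the entries for real, pass `run=lambda argv: subprocess.run(argv, check=True)`; that requires a file system mounted with ACL support and a process allowed to change the ACLs. The account that the sweep reports as freed is the one the revocator would also retire as a dynamic user, which is what keeps short-lived collaborations from leaving rights behind on the resource.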

  16. Conclusion
     PRIMA is designed to support spontaneous, short-lived collaboration.
     PRIMA contributes towards scalable grid environments.
     PRIMA has been implemented as an extension to the Globus Toolkit.
