Driving and Monitoring Provisional Trust Negotiation with Metapolicies

Policy-Based Dynamic Negotiation
for Grid Services Authorization
Ionut Constandache, Daniel Olmedilla, Wolfgang Nejdl
Semantic Web Policy Workshop, ISWC’05
Galway, Ireland, 7th November 2005
Motivating Scenario (I)
Grid Limitations
- Too many credentials to keep track of
- Knowing which credential to use
- Different sites trust different CAs
- No way to determine automatically which issuers are trusted
- Job must know in advance what credentials will have to be disclosed
- Authorization may depend on user's properties
  E.g. user's affiliation with a project
- In large projects, an account per user does not scale
Daniel Olmedilla
Semantic Web Policy Workshop
Nov 7th, 2005
2
Policy-Driven Negotiation (I)
Characteristics
- Both clients and servers are semantically annotated with policies
- Annotations
  - specify constraints and capabilities, i.e. access control requirements:
    - which certificates must be presented to gain access to a resource
    - who is responsible for obtaining and presenting these certificates
  - are used during a negotiation
    - to reason about and to communicate the need to see certain credentials from the other party
    - to determine whether requested credentials can be obtained and revealed
- User involvement is drastically reduced in favor of automated interactions.
Policy-Driven Negotiation (& II)
Example: Security & Privacy
Diagram participants: Alice, Bob, Service
Step 1: Alice requests a service from Bob
Step 2: Bob discloses his policy for the service
Step 3: Alice discloses her policy for VISA
Step 4: Bob discloses his BBB credential
Step 5: Alice discloses her VISA card credential
Step 6: Bob grants access to the service
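The six-step Alice/Bob exchange above, driven entirely by the two parties' policies rather than a scripted order, as an added Python example that is not part of the original slides or the authors' engine. The Party class, the unlock() recursion and the credential values are constructed stand-ins; the second function shows the failure mode where the client simply lacks the required credential.

```python
from dataclasses import dataclass, field

@dataclass
class Party:
    name: str
    creds: dict                                  # credential type -> credential this party holds
    policies: dict                               # protected item -> credential types required from the peer
    received: set = field(default_factory=set)   # credential types the peer has already disclosed

def unlock(owner, peer, item, log, pending=()):
    """Ask `owner` to release `item` (a credential type or the service) to `peer`.
    Owner discloses its policy for the item, recurses into the peer for each missing
    credential, and reveals the item once its policy is met. `pending` holds the
    (party, item) pairs already being unlocked so cyclic policies fail instead of looping."""
    if item not in owner.creds and item not in owner.policies:
        return False                             # owner has nothing to offer under that name
    missing = owner.policies.get(item, set()) - owner.received
    if missing:
        log.append(f"{owner.name} discloses policy for {item}: requires {sorted(missing)}")
        for ctype in sorted(missing):
            if (peer.name, ctype) in pending:
                return False                     # cyclic policies: neither side can move first
            if not unlock(peer, owner, ctype, log, pending + ((owner.name, item),)):
                return False
    if item in owner.creds:
        log.append(f"{owner.name} discloses {item} credential")
        peer.received.add(item)
    else:
        log.append(f"{owner.name} grants access to {item}")
    return True

def negotiate(client, server, service):
    """Run one negotiation; returns (success, transcript of disclosure steps)."""
    log = [f"{client.name} requests {service} from {server.name}"]
    return unlock(server, client, service, log), log

def alice_bob_example():
    # Constructed data for the slide: Bob releases the service for a VISA credential,
    # Alice shows her VISA card only to a BBB-certified merchant, Bob's BBB seal is unprotected.
    alice = Party("Alice", creds={"VISA": "visa-card-of-alice"}, policies={"VISA": {"BBB"}})
    bob = Party("Bob", creds={"BBB": "bbb-seal-of-bob"}, policies={"service": {"VISA"}})
    return negotiate(alice, bob, "service")

def no_visa_example():
    # Failure mode: Alice holds no VISA credential, so Bob's policy can never be met.
    alice = Party("Alice", creds={}, policies={})
    bob = Party("Bob", creds={"BBB": "bbb-seal-of-bob"}, policies={"service": {"VISA"}})
    return negotiate(alice, bob, "service")
```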
Policy-Driven Negotiation on the Grid (I)
Example scenario (diagram callouts)
- Server informs the client about its access control policy
- With only one certificate to access the online repository
- The delegated certificate is used to retrieve the requested certificates
Policy-Driven Negotiation on the Grid (II)
Enhanced Characteristics
- Distributed authorization mechanisms
  - Driven by policies, not hardcoded
- Bilateral policy specification
- Access is negotiated
- Dynamic credential fetching
  - Now possible to use discovery and scheduling services to locate the best available resources
  - Otherwise, impossible to predict beforehand which exact service instances would be used and which certificates required
- Capability-based authorization architecture
  - Instead of identity-based
- No previous trust relationships required
- Monitoring and explanation of authorization decisions
Policy-Driven Negotiation on the Grid (III)
Implementation on Globus Toolkit 4.0
- Directly integrated with the grid services paradigm
- Extension to GSI, pluggable into any GT4.0-compliant grid service or client
- Only requirement: Java-based grid services
- We use:
  - Custom PDP as part of the Client Call Interceptor
    - Redirects to a negotiation if required
  - Asynchronous negotiations are achieved through WS-BaseNotification and WS-Topics
- CAS integration into negotiations
- API for easy integration within client code
Policy-Driven Negotiation on the Grid (& IV)
Architecture
Service wsdl file:
<wsdl:import namespace="http://linux.egov.pub.ro/ionut/TrustNegotiationwsdl" location="TrustNegotiationwsdl"/>
Service Deployment Descriptor:
<parameter name="providers" value="SubscribeProvider GetCurrentMessageProvider g4mfs.impl.gridpeertrust.net.server.TrustNegotiationProvider"/>
<parameter name="securityDescriptor" value="share/schema/gt4ide/MathService/mysec.xml"/>
Conclusions & Future Work (I)
Conclusions
Main Features
- Self-describing resources for access requirements
- Based on properties
- Dynamic negotiation for service authorization
- Automatic credential fetching
Implementation in Java
- Extension of GSI in GT4.0
- Backwards compatible
Conclusions & Future Work (& II)
Further Work
- Study performance impact of negotiations
  - And approaches to minimize the extra load
- Limit number of iterations
  - E.g. 2-step negotiations
- Advertise policies before the service is invoked
- Improve credential repositories
  - Integration of TN in MyProxy
- Investigate the use of XACML
- Delegation not yet supported but planned
- Use of traceable negotiations
  - E.g. monitoring or accounting
Thanks!
Questions?
[email protected] - http://www.l3s.de/~olmedilla/
Implementation in GT4
Easy Integration with Current Grid Services
Service
- include one jar file containing the policy-based trust negotiation engine
- minor add-ons to the service wsdl file (import one wsdl file and extend one port type) and wsdd file (add one more provider and install a security descriptor)
- have a resource (if not available)
- re-deploy the service
Client
- use one jar file containing the policy-based trust negotiation engine
- invoke the service as usual, or call directly for a trust negotiation process
- look for authorization exceptions and, if one is triggered by a trust negotiation failure, make simple calls to the negotiation engine
Integration into Globus Toolkit 4.0 (I)
Grid Service Descriptor
Descriptors:
- grid service descriptor (wsdl file):
  <wsdl:import namespace="http://.../TrustNegotiation.wsdl" location="TrustNegotiation.wsdl"/>
  <portType name="GridService" wsdlpp:extends="... wsntw:NotificationProducer wstn:TrustNegotiation ... ">
- TrustNegotiation.wsdl defines the data types and functions for exchanging trust negotiation messages
- The grid service should extend the NotificationProducer port type (used for asynchronous communication with the client) and the TrustNegotiation port type (used for exposing the functions the client uses to push proofs/requirements to the grid service).
Integration into Globus Toolkit 4.0 (II)
Grid Service Deployment Descriptor
Descriptors:
- grid service deployment descriptor (wsdd file):
  <parameter name="providers" value="SubscribeProvider GetCurrentMessageProvider TrustNegotiationProvider"/>
  Rely on the GT4.0 providers for notifications and add a TrustNegotiationProvider implementing the logic for policy-based dynamic negotiation
  <parameter name="securityDescriptor" value="./.../mysec.xml"/>
  Install a security descriptor specifying the use of a PDP for filtering client calls and managing authorization information.
Integration into Globus Toolkit 4.0 (& III)
Requirements
Resource:
- the grid service should use a resource implementing TopicListAccessor
- a topic would be added by TrustNegotiationProvider for trust negotiation (using this topic the service pushes proofs/requirements to the client side)
Diagram: Client and Service interaction (slide 16)
Diagram: Client, Factory Service, Resource, Instance Service (slide 17)
1. Client requests "create resource" from the Factory Service
2. Factory Service creates the resource
3. Operation called on the resource
4. Client is not authorized to make the call: an exception is thrown
5. Client catches the exception
6. Client calls getNegotiationTopic() and receives the QName of the negotiation topic
7. Client registers with the TrustNegotiation topic for notifications
8. Client calls the trustNegotiation() operation to send client policies and proofs
9. Service notifies the client about service policies and further requirements
10. Operation executed on the resource if the trust negotiation process was successful

Resource: exposes a topic like TrustNegotiationTopic for asynchronous communication with the client. Notifies the client when his requests are fulfilled or when further requirements are imposed by the service.

Instance Service: have the instance service extend the standard port types Subscribe and GetMessage (used by notifications) and a port type which we provide, TrustNegotiationProvider, which exposes 2 operations, getNegotiationTopic() and trustNegotiation(). Through them it receives the client's requests and proofs with regard to service authorization.

PDP: specified in the Instance service descriptor; intercepts operation calls and checks whether the invoked operation is authorized. Operations getNegotiationTopic() and trustNegotiate() are permitted by default and all the other operations are denied unless a trust negotiation process has succeeded.
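The PDP rule on this slide (the two negotiation operations open to everyone, everything else denied until that client's negotiation succeeds) together with the client-side pattern from the "Implementation in GT4" slide (invoke as usual, catch the authorization exception, negotiate, retry), as an added Python example that is not the GT4 extension's own code. NegotiationPDP, InstanceService, the QName and the single-credential negotiation are constructed stand-ins for the interceptor, service and engine the slides describe; the PDP also records each decision, which is what the monitoring/explanation feature needs.

```python
class AuthorizationError(Exception):
    """Stands in for the authorization fault a GT4 client gets back from the service."""

class NegotiationPDP:
    """Per-client decision state plus an audit trail of every permit/deny decision."""
    OPEN_OPERATIONS = {"getNegotiationTopic", "trustNegotiation"}   # callable before negotiating

    def __init__(self):
        self.negotiated = set()   # clients whose trust negotiation has succeeded
        self.decisions = []       # (client, operation, decision) for monitoring/explanation

    def authorize(self, client, operation):
        permit = operation in self.OPEN_OPERATIONS or client in self.negotiated
        self.decisions.append((client, operation, "permit" if permit else "deny"))
        if not permit:
            raise AuthorizationError(f"{client}: {operation} denied until negotiation succeeds")

class InstanceService:
    """Resource operations behind the PDP; negotiation reduced to one credential check."""
    OPERATIONS = {"getNegotiationTopic", "trustNegotiation", "compute"}
    TOPIC = "{urn:example:tn}TrustNegotiationTopic"   # constructed QName, not the project's

    def __init__(self, required_credential="VISA"):
        self.pdp, self.required = NegotiationPDP(), required_credential
    def invoke(self, client, operation, *args):
        if operation not in self.OPERATIONS:
            raise ValueError(f"unknown operation {operation}")
        self.pdp.authorize(client, operation)          # every call passes the PDP first
        return getattr(self, operation)(client, *args)
    def getNegotiationTopic(self, client):
        return self.TOPIC
    def trustNegotiation(self, client, credentials):
        if self.required not in credentials:           # in GT4 this goes out via the topic
            return f"further requirement: {self.required}"
        self.pdp.negotiated.add(client)
        return "access granted"
    def compute(self, client, x):
        return x * 2

def client_call(service, client, operation, credentials, *args):
    """Client side: call as usual, catch the fault, negotiate (steps 6 and 8), retry (step 10)."""
    try:
        return service.invoke(client, operation, *args)
    except AuthorizationError:
        service.invoke(client, "getNegotiationTopic")
        if service.invoke(client, "trustNegotiation", credentials) != "access granted":
            raise
        return service.invoke(client, operation, *args)
```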