Dynamic Privilege Management Infrastructures Utilising Secure Attribute Exchange Dr John Watt Grid Developer, National e-Science Centre University of Glasgow [email protected]

Post on 31-Dec-2015

23 views

Category:

Documents


0 download

DESCRIPTION

TRANSCRIPT

Page 1: Overview

Dynamic Privilege Management Infrastructures Utilising Secure Attribute Exchange

Dr John Watt, Grid Developer, National e-Science Centre

University of Glasgow

[email protected]

Page 2: Overview

Overview

DyVOSE Overview

PERMIS

Static PMI Implementation

Shibboleth and the SAAM Module

Dynamic Delegation

Future Work

Page 3: Overview

Dynamic Virtual Organisations for e-Science Education (DyVOSE) project

Two year project started 1st May 2004, funded by JISC

Exploring advanced authorisation infrastructures for security in the context of education

University of Kent provide authorisation software (PERMIS) and security expertise

Applied in Grid Computing module part of advanced MSc at the University of Glasgow

– Will provide insight into rolling out authorisation infrastructures/Grid to the masses

– Exploration of current state of the art in authorisation infrastructures

– Second phase of work involves NeSC Edinburgh

– Extensions to the existing PERMIS infrastructure to provide dynamic delegation of authority and recognition of authority

Project website: http://www.nesc.ac.uk/hub/projects/dyvose/

DyVOSE Overview

Page 4: Overview

DyVOSE Participants

Dynamic Virtual Organisations in e-Science Education (DyVOSE) team

Principal Investigators: Dr Richard Sinnott (NeSC Glasgow), Prof David Chadwick (Kent)

Implementation: Dr John Watt (NeSC Glasgow), Dr Sassa Otenko (Kent), Mr Tuan Anh Nguyen (Kent), Mr Wensheng Xu (Kent)

Other Key People Involved: Dr David Berry (NeSC Edinburgh), Dr Sandy Shaw (EDINA) – SDSS/Shibboleth

Page 5: Overview

DyVOSE Workplan Phase 1

Looking at applying existing PERMIS technology to establish a static Privilege Management Infrastructure at GU

[Diagram: Education VO policies feed PERMIS based authorisation checks/decisions for ScotGrid, the GU Condor pool and other (known!) Grid resources]

Page 6: Overview

DyVOSE Workplan Phase 2/3

[Diagram: Glasgow Education VO policies and Edinburgh Education VO policies (via Shibboleth) feed PERMIS based authorisation checks/decisions for ScotGrid, the Condor pool and Blue Dwarf; delegated VO policies cover dynamically established VO resources/users across Glasgow and Edinburgh]

Page 7: Overview

Authorisation Technologies

CAS/VOMS

– Rights/roles asserted by centralised server

– No interpretation needed at resource end

– Flexible at VO level, but no resource level decisions

Akenti

– Access Control at Resource end (not central) – Desirable

– Not VO specific

PERMIS

– X509 and SAML

Page 8: Overview

PERMIS

PrivilEge and Role Management Infrastructure Standards validation

X509 Role Based Access Control (RBAC)

Attribute Certificates hold user roles in LDAP

XML policy defines the access control

Java API allows any app to be protected

Complex Policies and multiple Attribute Authorities supported

Page 9: Overview

PERMIS Functionality

PERMIS allows you to define roles for who can do what on what

Policy = { Role x Target x Action }

– Can user X invoke service Y and access or change data Z?

» Policies created with PERMIS PolicyEditor (output is an XML file)

Page 10: Overview

PERMIS XML Policy

Page 11: Overview

PERMIS based Authorisation

PERMIS Privilege Allocator then used to associate roles with specific users

– Signed policies are stored as attribute certificates in LDAP server

Exploiting the GGF AuthZ specification

– Generic way to authorise access to Grid services using SAML callouts

– Based on GT3.3 – PERMIS

» Grid service (WSDD) has policy information associated with it

» DN of clients, target and actions checked when attempts made to invoke services

“BRIDGES and DyVOSE only projects exploiting this API right now” (Von Welch at AHM 2004)

Page 12: Overview

Explorations in Grid Course

Students applied Policy Editor to develop security policy for use in their assignment

Sorting/searching “works of Shakespeare”

– … run on single PC

– … using training lab Condor pool

– … as GT3.3/Condor service

– … as GT3.3 service using GSI, to see how authorisation at service level is achieved

» Service should be accessible by themselves and lecturing staff only

– … as GT3.3-PERMIS authorised service, to see how authorisation at method level is achieved

» Students split into groups (Gp1, Gp2)

» Sort method available to their group and lecturers only

» Search method available to all

Performance aspects investigated throughout…

Page 13: Overview

PERMIS/Globus Issues

Long time wrestling with GT3.3-PERMIS integration

– Some delays due to version issues with GT3.3

– Also required some debugging of GT3.3 (commenting out code)

Continued feedback on PERMIS tools

– Policy editor refinements

– Numerous discussions/meetings with Salford team on sorting out PERMIS-GT3.3 issues

Certificate dependencies in using PERMIS

– Expects certificates created using openSSL

Experience gained for DyVOSE Phase 2…

Page 14: Overview

SSO and Access Control on Web Resources

Home Institution AUTHENTICATES

– Recognised across the federation

– Temporary handle created

– Releases user attributes to service providers

» User can restrict attribute set release

Resource Institution AUTHORISES

– Using attributes passed by the home institution

– Resource has final access decision

– Resource trusts Home to release correct info…

We have V1.2 operating as part of SDSS…

– Walkthrough provided on DyVOSE website

Page 15: Overview

Messages are secure, attributes may not be!

– Shibboleth encodes its messages in SAMLv1.1

– But attributes are not digitally signed (plaintext)

Authz Configuration is Apache-based

– Any changes to rules require a complete restart of the Web Server

Multiple Attribute Authorities unsupported

Coarse grained access control function

– “User A with Attribute B can access C”

Page 16: Overview

Could PERMIS resolve these issues?

Attributes are stored in digitally signed X509 ACs

– User attributes are now secure

PERMIS PMI controls the Authorisation

– No Shibboleth/Apache restart when rules change

PERMIS supports multiple Sources of Authority

– User may select attributes from more than one AA

Complex access control policies

– Conditionals, Role Hierarchies

…again!

Page 17: Overview

The PERMIS SAAM Module

Apache module providing an authorisation handling function

mod_permis loaded BEFORE the Shibboleth module in the Apache configuration file httpd.conf

Requires alteration of approx. 5 files at federation sites

mod_permis can either:

– Collect the ACs from LDAP itself (PULL mode)

– Be provided the ACs for decision (PUSH mode)

“Development of a Flexible PERMIS Authorisation Module for Shibboleth and Apache Server”, D. Chadwick, O. Otenko, W. Xu

Page 18: Overview

The PERMIS SAAM Module

Page 19: Overview

Dynamic Delegation

Static PMI successfully built at Glasgow

Goal is to build a PMI-based VO between Glasgow and Edinburgh

– Requires provision for Dynamic Delegation of Authority

– Extensions to the PERMIS software will implement this infrastructure

Two cases will be investigated:

– Static Delegation (easily done by adding Edinburgh SOA and Roles to Policy)

– Simple Dynamic Delegation (this year’s Grid Course…)
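As an added illustration (not code from the DyVOSE project or from PERMIS), the following Python sketch models the Policy = { Role x Target x Action } evaluation used in the Grid course assignment (Sort for the student's own group and lecturers, Search for everyone), with roles carried in attribute certificates that are only trusted when their signature verifies under a listed Source of Authority (Glasgow, plus a statically added Edinburgh SOA). It assumes every name below; an HMAC stands in for the X.509 AC signature, and the role hierarchy and rule set are constructed for the example.

```python
"""Toy model of a PERMIS-style policy: Policy = { Role x Target x Action },
roles held in attribute certificates (ACs) issued by a Source of Authority.
Added example, not PERMIS code; an HMAC stands in for the X.509 AC signature."""
import hashlib
import hmac

# Constructed SOA keys: Glasgow is the local SOA, Edinburgh the statically
# delegated one. ACs from any other issuer are ignored (untrusted SOA).
SOA_KEYS = {"glasgow": b"glasgow-demo-key", "edinburgh": b"edinburgh-demo-key"}

# Constructed role hierarchy: lecturer inherits the rights of both groups.
ROLE_HIERARCHY = {"lecturer": {"gp1", "gp2"}, "gp1": set(), "gp2": set()}

# Rules as on the slides; "any" is a role every caller implicitly holds.
RULES = {("gp1", "shakespeare", "sort"), ("gp2", "shakespeare", "sort"),
         ("any", "shakespeare", "search")}

def ac_sig(holder, role, issuer):
    """Signature stand-in computed over the AC fields with the issuer's key."""
    msg = f"{holder}|{role}|{issuer}".encode()
    return hmac.new(SOA_KEYS[issuer], msg, hashlib.sha256).hexdigest()

def issue_ac(holder, role, issuer):
    """What a Privilege Allocator would store in LDAP for this user."""
    return {"holder": holder, "role": role, "issuer": issuer,
            "sig": ac_sig(holder, role, issuer)}

def verified_roles(holder, acs):
    """PULL mode: take the holder's ACs from the store and keep only those
    whose signature verifies under a trusted SOA; expand via the hierarchy."""
    roles = set()
    for ac in acs:
        if ac["holder"] != holder or ac["issuer"] not in SOA_KEYS:
            continue
        if not hmac.compare_digest(ac_sig(holder, ac["role"], ac["issuer"]),
                                   ac["sig"]):
            continue  # forged or tampered AC: the plaintext role is not trusted
        todo = [ac["role"]]
        while todo:
            r = todo.pop()
            if r not in roles:
                roles.add(r)
                todo.extend(ROLE_HIERARCHY.get(r, ()))
    return roles

def authorise(holder, target, action, acs):
    """Can user X invoke method Z of service Y? Only via a verified role."""
    roles = verified_roles(holder, acs) | {"any"}
    return any((r, target, action) in RULES for r in roles)
```

An AC whose role field is edited after issue fails the signature check and contributes no role, which is the property the unsigned Shibboleth attributes on the earlier slide lack.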

Page 20: Overview

Static Delegation

Page 21: Overview

Simple Dynamic Delegation

Page 22: Overview

Future Work

Implementation of new PERMIS Dynamic Delegation Software

– DIS (Delegation Issuing Service)

– Cross-certification

– Role Mapping

Design of final student use-case to demonstrate dynamic PMI

Final Report on best practices and methods