TRANSCRIPT
Policy Resolution and Enforcement of Privileges in a Grid Authorization System Based on Job Properties
Sang-Min Park, Glenn Wasson, and Marty Humphrey
University of Virginia
Supported by the US Department of Energy (Early Career Program), the National Science Foundation under grants SCI-0438741, SCI-0438263, and SCI-0426972, and Microsoft.
Overview
Background
GRID Authorization
Job-property Authorization
Performance Evaluation
Conclusion
Never happen?
Remote Execution in GRID
[Diagram: Fred at the local site submits a job through the GRID middleware to a remote site, where the Local Resource Manager handles it]
1. Job submission (with executable path, arguments, stdin/out, ...)
2. Authentication (mutual): Fred's DN /C=US /O=UVa /CN=Fred
3. Authorization: Fred's DN is mapped to a local account
4. Resource allocation and process execution (enqueue or fork)
5. Status monitoring and job management
Existing GRID Authorization
'grid-mapfile' approach
- The early days' mechanism for authorizing GRID users
- Maps the GRID-level ID (X.509 DN) to a local account (e.g., /C=US/O=UVa/OU=CS/CN=Fred to the account foo)
- The authorization decision is enforced by the OS's security system
- Still the most widely used authorization scheme
Limitations
- Huge administrative burden: every GRID user must have an account on each resource
- Limits VO scalability
Existing GRID Authorization
VO authorization infrastructure
- Manages community members' privileges within the VO
- Mostly role-based authorization
Example systems
Community Authorization Service (CAS)
- Uses SAML to carry the fine-grained authorization assertion
- A proxy certificate is used to securely deliver the assertion to resources
- GridFTP interprets the access control primitives in the assertion
VO Management Service (VOMS)
- The VOMS server issues the user's role in the VO
- The resource interprets the role by mapping it to a local account
PRIMA (Open Science GRID)
- The VOMS server issues the role
- A GUMS server, per site, maps the role to a local account
- No more 'grid-mapfile' within the resource
What is the problem?
Fred has a scientist role in the VO
- What if his account is compromised?
- What if his binary is compromised?
- What if Fred is a bad guy? ...
The scientist role can access an enormous amount of GRID resources... Guess what?
It is not safe to assume the role/identity will do what it is supposed to do!
Job Property Authorization
It is not safe to assume the role/identity will do what it is supposed to do!
Take "what it is supposed to do" as the basis for the authorization decision
- "What it is supposed to do" is the job's property, i.e. its behavioral requirements
- The VO determines the job's property and issues a certification of it
- The resource recognizes the property and enforces it accordingly
Job Property Authorization - Scenario
[Diagram: Fred (/C=US /O=UVa /CN=Fred), the VO Authorization System, and the Remote Resources]
Fred to the VO Authorization System: I want to run Matlab on GRID
VO Authorization System: Fred's execution of Matlab will require:
- Maximum 10 hours of running time
- 128 MBs of memory
- Write access to /home/vo/cms
Job property document ("Matlab for Fred"): Running Time: 10 hours; Memory: 128 MBs; File Access: write; ...
Fred to the Remote Resources: I want to run Matlab and here is the certified job property document
Remote Resources: OK, I will accept the job property but will enforce my own policy in addition to the VO policy
Job Property Authorization
Four issues in Job Property Authorization
1. The language to express the fine-grained job property
2. How can the remote resource securely retrieve the job property?
3. Multiple policy resolution (the job property as VO policy, the site policy, and more)
4. How to enforce the fine-grained job property within the remote execution system?
Job Property Authorization - Prototype Development
CAS as the VO job property authorization server
SAML as the language to express the job property (1)
Proxy certificate as the medium to securely hold and deliver the job property (2)
Multiple policy resolution: site policy + job property (3)
.NET CLR sandbox as the enforcement mechanism (4)
Dynamic and Fine-grained Authorization Enforcement
Account-based system
- Statically or dynamically maps to an existing account
- Coarse granularity of privilege configuration
OS-level virtual machine (e.g., VMware and Xen)
- Newly instantiates a guest OS on top of the host OS
- The guest OS becomes the sandbox with respect to the host OS
- Performance overhead is big (esp. instantiation delay)
App-level sandbox
- A monitoring process intercepts system calls and enforces policy
- Every system call is examined; overhead is big
Language runtime VM (.NET CLR and JVM) sandbox
- The runtime enforces fine-grained access control
- Utilization in GRID has not been examined
Job Property Authorization - Prototype Development
[Architecture diagram]
Novel use of CAS: the VO admin inputs job properties and maps them to members; SAML is used to encode the job property
Uses GT4 client tools (e.g., globus-run, cas-wrap, etc.)
Compatible with GT4 GRAM
WSRF-based implementation
Runs as a Windows service, invokes the .NET CLR, and performs multiple policy resolution and CLR sandbox configuration
Job Property Authorization - Prototype Development
SAML for job property authorization
- A single authorization decision carries multiple actions
- Each action maps to a job property

<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID=“
  Issuer="C=US,ST=Virginia,L=Charlottesville,O=University of Virginia,,CN=PKI Master"
  MajorVersion="1" MinorVersion="0">
  <Conditions></Conditions>
  <AuthorizationDecisionStatement Decision="Permit" Resource="http://sangmin.cs.virginia.edu/gram">
    <Subject>
      <NameIdentifier Format="#X509SubjectName">/C=US/O=University of Virginia/OU=UVA Standard PKI User/[email protected]/CN=Sang-Min Park</NameIdentifier>
    </Subject>
    <Action NS="http://cs.virginia.edu/gcg/authorization">write/WORKING_DIR</Action>
    <Action NS="http://cs.virginia.edu/gcg/authorization">read/WORKING_DIR</Action>
    <Action NS="http://cs.virginia.edu/gcg/authorization">execution/WORKING_DIR\\bin</Action>
    <Action NS="http://cs.virginia.edu/gcg/authorization">socket/cs.virginia.edu</Action>
  </AuthorizationDecisionStatement>
</Assertion>
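As an added example (not the prototype's own code), this is how a resource could turn an assertion in the format above into a job property, refusing it unless it is a Permit decision issued for this resource and its subject equals the DN established in the mutual-authentication step. The assertion text, the subject DN and the AssertionID are constructed placeholders, and verification of the proxy certificate that delivered the assertion is assumed to have happened already.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ACTION_NS = "http://cs.virginia.edu/gcg/authorization"
MY_RESOURCE = "http://sangmin.cs.virginia.edu/gram"

# Constructed assertion in the slide's format; AssertionID and subject DN are
# placeholders, not values from the original document.
ASSERTION = f"""<Assertion xmlns="{SAML_NS}" AssertionID="ID-PLACEHOLDER"
  Issuer="C=US,ST=Virginia,L=Charlottesville,O=University of Virginia,CN=PKI Master"
  MajorVersion="1" MinorVersion="0">
  <Conditions></Conditions>
  <AuthorizationDecisionStatement Decision="Permit" Resource="{MY_RESOURCE}">
    <Subject><NameIdentifier Format="#X509SubjectName">/C=US/O=UVa/CN=Fred</NameIdentifier></Subject>
    <Action NS="{ACTION_NS}">write/WORKING_DIR</Action>
    <Action NS="{ACTION_NS}">read/WORKING_DIR</Action>
    <Action NS="{ACTION_NS}">execution/WORKING_DIR\\bin</Action>
    <Action NS="{ACTION_NS}">socket/cs.virginia.edu</Action>
  </AuthorizationDecisionStatement>
</Assertion>"""

def job_property_from_assertion(xml_text, authenticated_dn, resource):
    """Return the job property as {action_kind: [targets]} after checking that
    the assertion is a Permit decision bound to this resource and to the DN
    authenticated in step 2 (mutual authentication).  Proxy-certificate and
    signature verification are assumed to have been done before this call."""
    q = lambda tag: f"{{{SAML_NS}}}{tag}"
    stmt = ET.fromstring(xml_text).find(q("AuthorizationDecisionStatement"))
    if stmt is None or stmt.get("Decision") != "Permit":
        raise ValueError("assertion carries no Permit decision")
    if stmt.get("Resource") != resource:
        raise ValueError("assertion was issued for a different resource")
    name = stmt.find(q("Subject") + "/" + q("NameIdentifier"))
    if name is None or (name.text or "").strip() != authenticated_dn:
        raise ValueError("assertion subject differs from the authenticated DN")
    props = {}
    for action in stmt.findall(q("Action")):
        if action.get("NS") != ACTION_NS:
            continue  # skip action namespaces this resource does not interpret
        kind, _, target = (action.text or "").strip().partition("/")
        props.setdefault(kind, []).append(target)
    return props

def accepts(xml_text, authenticated_dn, resource):
    """True if the assertion passes every check for this DN and resource."""
    try:
        job_property_from_assertion(xml_text, authenticated_dn, resource)
        return True
    except ValueError:
        return False
```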
Policy Resolution
Granting the least amount of privileges
- Both the job property given by the VO and the site policy describe multiple fine-grained permissions
- Least amount of privilege: the intersection of the permission sets
- "and" relation for logical permissions
- Intersection of file-path resolution

Site policy:
<Site-Policy vo="VO1" job="Matlab">
  <Read>C:\</Read>
  <Write>C:\VO1</Write>
  <Socket> Yes </Socket>
  <Thread> No </Thread>
  ...
</Site-Policy>

Job property:
<Job-Property name="Matlab">
  <Read>C:\VO1</Read>
  <Write>C:\VO1\Matlab</Write>
  <Write>C:\Temp</Write>
  <Socket> No </Socket>
  <Thread> Yes </Thread>
  ...
</Job-Property>

Resolved final permission:
<Final-Permission>
  <Read>C:\VO1</Read>
  <Write>C:\VO1\Matlab</Write>
  <Socket> No </Socket>
  <Thread> No </Thread>
  ...
</Final-Permission>
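The resolution rule on this slide, as an added example rather than the prototype's own code: boolean capabilities are combined with "and", and a path permission survives only where the job's path lies inside a site-allowed path (or vice versa), keeping the narrower of the two. The inputs are constructed from the slide's Site-Policy and Job-Property fragments; the tag names and the "Yes"/"No" encoding are assumed from the slide.

```python
import ntpath
import xml.etree.ElementTree as ET
# Constructed from the slide's example (assumed inputs, not the prototype's own files).
SITE_POLICY = """<Site-Policy vo="VO1" job="Matlab">
  <Read>C:\\</Read>
  <Write>C:\\VO1</Write>
  <Socket>Yes</Socket>
  <Thread>No</Thread>
</Site-Policy>"""

JOB_PROPERTY = """<Job-Property name="Matlab">
  <Read>C:\\VO1</Read>
  <Write>C:\\VO1\\Matlab</Write>
  <Write>C:\\Temp</Write>
  <Socket>No</Socket>
  <Thread>Yes</Thread>
</Job-Property>"""

PATH_PERMS = ("Read", "Write")     # intersected by file-path containment
BOOL_PERMS = ("Socket", "Thread")  # intersected with a logical "and"
def _norm(path):
    # Case-insensitive Windows form with one trailing backslash, so that
    # "C:\VO1" is a prefix of "C:\VO1\Matlab\" but not of "C:\VO10\".
    return ntpath.normcase(ntpath.normpath(path.strip())).rstrip("\\") + "\\"

def _narrower(site_path, job_path):
    # Intersection of two path grants: the more specific path when one
    # contains the other, nothing when they are disjoint.
    s, j = _norm(site_path), _norm(job_path)
    if j.startswith(s):
        return job_path.strip()
    if s.startswith(j):
        return site_path.strip()
    return None

def resolve(site_xml, job_xml):
    """Least-privilege Final-Permission as an ordered list of (tag, value)."""
    site, job = ET.fromstring(site_xml), ET.fromstring(job_xml)
    final = []
    for tag in PATH_PERMS:
        for j in job.findall(tag):
            for s in site.findall(tag):
                common = _narrower(s.text or "", j.text or "")
                if common is not None:
                    final.append((tag, common))
    for tag in BOOL_PERMS:
        # A capability missing from either document counts as "No".
        granted = all((doc.findtext(tag) or "No").strip().lower() == "yes"
                      for doc in (site, job))
        final.append((tag, "Yes" if granted else "No"))
    return final
```

Note that the job's Write grant on C:\Temp disappears because no site Write grant contains it, which is exactly the slide's Final-Permission.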
Evaluation
Quantitative evaluation
- Run a hello-world application
- Measure the time to execute the binary on the resource
Overhead due to Job Property Authorization
- Policy resolution time
- CLR sandbox configuration time
Compare with the baseline case
Choose a sufficiently large number of entries in the job property and the site policy
Evaluation
Site Policy in Evaluation
<MaxJobRunningTime Type="Number">100</MaxJobRunningTime>
<File Type="FilePath" Action="Read">$VOBasePath</File>
<File Type="FilePath" Action="Write">$VOBasePath</File>
<DatabaseConnection Type="Bool">NO</DatabaseConnection>
<Diagnostics Type="Bool">No</Diagnostics>
<DirectoryService Type="Bool">NO</DirectoryService>
<Printing Type="Bool">No</Printing>
<SocketConnection Type="Bool">Yes</SocketConnection>
<Dns Type="Bool">Yes</Dns>
<Web Type="Bool">No</Web>
<MessageQueue Type="Bool">No</MessageQueue>
<EnvironmentVar Type="Bool">Yes</EnvironmentVar>
<FileDialog Type="Bool">No</FileDialog>
<IsolatedStorage Type="Bool">No</IsolatedStorage>
<Reflection Type="Bool">No</Reflection>
<Registry Type="Bool">No</Registry>
<ControlAppDomain Type="Bool">No</ControlAppDomain>
<ControlEvidence Type="Bool">No</ControlEvidence>
<ControlPolicy Type="Bool">No</ControlPolicy>
<ControlPrincipal Type="Bool">No</ControlPrincipal>
<ControlThread Type="Bool">Yes</ControlThread>
<Execution Type="Bool">Yes</Execution>
<CallUnmanagedCode Type="Bool">Yes</CallUnmanagedCode>
<SkipVerification Type="Bool">No</SkipVerification>
Evaluation
Job Property Document in Evaluation
<Action Namespace="http://cs.virginia.edu/gcg/authorization">read/VO_APPLICATIONS_PATH</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">read/VO_LIBRARY_PATH</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">read/VO_SHARED_PATH</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">read/VO_TMP_PATH</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">read/VO_UTILS_PATH</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">read/VO_BIN_PATH</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">read/DEFAULT_WORKING_DIR</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">write/DEFAULT_WORKING_DIR</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">write/VO_SHARED_PATH</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">write/VO_TMP_PATH</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">socket</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">execution</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">registry</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">db_connection</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">call_unmanaged_code</Action>
<Action Namespace="http://cs.virginia.edu/gcg/authorization">environment_var</Action>
Evaluation
                             Baseline, no auth. (ms)   Job Property Authorization (ms)
GRAM.NET                     62.2                      76.7
CLR creation time            619.0                     650.8
Policy resolution time       -                         43.1
Sandbox configuration time   -                         176.6
Logging                      19.4                      5.9
Total                        700.6                     953.1
253 ms overhead due to Job Property Authorization
Evaluation
Interpretation of results
- The majority of the time is CLR creation (≈ 600 ms)
- CLR pooling might be helpful
- CLR sandbox configuration time is also long (≈ 200 ms)
- Less than 1 second to invoke a remote process within a site with Job Property Authorization
Conclusions
Job Property Authorization: authorization per job is more secure than authorization per identity
Implemented a Job Property Authorization prototype using CAS, SAML, and the .NET CLR
The overhead due to Job Property Authorization is not very significant for most GRID applications
Future work
The mechanism by which the VO determines the behavior and properties of the jobs its members run
- A predefined and limited set of applications
- By recording and collecting the VO-wide job execution history?
A language framework for general-purpose job property specification
- Neutral to enforcement mechanisms
- Binding to enforcement mechanisms with varying degrees of fine granularity
Thank you!
Questions?