Abhishek Singh Rana and Frank Wuerthwein UC San Diego www.opensciencegrid.org
The Open Science Grid Consortium CHEP 2006 Mumbai INDIA February 15 2005
gPLAZMA: grid-aware Pluggable AuthoriZation Management
(Introducing Role-based Access Control in dCache)
Abhishek Singh Rana, UC San Diego
Frank Würthwein, UC San Diego, [email protected]
The XVth International Conference on Computing in High Energy and Nuclear Physics (CHEP’06)
February 15, 2006 TIFR, Mumbai
Authors
• RANA, Abhishek Singh (University of California, San Diego, CA, USA)
• WÜRTHWEIN, Frank (University of California, San Diego, CA, USA)
• PERELMUTOV, Timur (Fermi National Accelerator Laboratory, Batavia, IL, USA)
• KENNEDY, Robert (Fermi National Accelerator Laboratory, Batavia, IL, USA)
• BAKKEN, Jon (Fermi National Accelerator Laboratory, Batavia, IL, USA)
• SKOW, Dane (Fermi National Accelerator Laboratory, Batavia, IL, USA)
• FISK, Ian (Fermi National Accelerator Laboratory, Batavia, IL, USA)
• FUHRMANN, Patrick (DESY, Hamburg, Germany)
• ERNST, Michael (DESY, Hamburg, Germany)
Outline
• OSG AuthZ approach
• gPlazma architecture
• gPlazma implementation
• Example of end-to-end AuthZ for CEs and SEs
• Status
• Future Work
OSG AuthZ Approach
• VO-global specification of privilege attributes per Role.
• Site-central mapping of Role to the site's implementation of privilege attributes.
• Local enforcement of privilege attributes.
• Use of the VOMS extended X.509 Attribute Certificate specification for defining extra attributes (FQANs, or Fully Qualified Attribute Names).
• Based on RFC 3281. FQANs contain Role and VO membership information for a User.
OSG AuthZ Approach
• VO defines Roles and associated privileges by specifying expected functionality.
  – E.g. cmssoft may install software in an area that is read-only for all cmsuser jobs running on the site/campus.
  – E.g. cmsphedex may have special access to the SRM/dCache system.
• Site maps VO-scope identities to local-scope identities.
  – Site-wide management of mapping.
  – Service-level granularity of mapping.
• Site enforces VO privilege policies within local-scope identities.
• Authorization = (VO-allowed) && !(Site-vetoed)
[Diagram: site-wide authorization model. A local or remote client presents a proxy carrying VO Membership | Role attributes to Services X, Y and Z running on Host 1 and Host 2. Callout modules (one for X and Y, one for Z) consult the Site's Site-wide Assertion Service, which holds per-service vetoes (Service X Veto, Service Y Veto, Service Z Veto), and the Site-wide Mapping Service, fed by the VO Attribute Repository; together these form the Authorization Service for Services X, Y, Z. Service Z additionally has an Auxiliary Authorization Service and an Auxiliary Mapping Service. A second copy of the diagram overlays PEP and PDP labels on the components.]
PEP = Policy Enforcement Point; PDP = Policy Decision Point.
gPLAZMA Architecture
[Diagram: the SRM Door (SRM Callout), the GridFTP Door (GridFTP Callout) and further doors (…) call into gPLAZMA. Switches select among the Authorization Services, each backed by a plugin: VO Role Mapping AuthZ (gPLAZMA native), GUMS-based VO Role Mapping AuthZ, Legacy Grid AuthN (grid-mapfile) and Legacy Storage AuthZ (dcache.kpwd); each consults Storage Metadata AuthZ governed by the Storage Provider's Policies. The VO Identity Mapping Client reaches the VO Identity Mapping Service over https/SOAP carrying SAML. Site Assertion and other Future Additions are shown as further services, and the GridFTP callout likewise has room for Future Additions.
Priorities: the assertion step runs with Bias: DENIAL, Priority: 1, Apply: Assertion, Response: Allow OR Deny; the authorization (mapping) step runs with Bias: ACCESS, Priority: 2, Apply: Authorization, Response: AuthZ Record.]
gPLAZMA Implementation
[Diagram (reused from the GriPhyN All Hands Meeting, Argonne National Laboratory, April 29 2005; the second copy numbers the steps 1 to 13, with sub-steps 4a to 4d): the user runs voms-proxy-init to obtain a proxy with VO Membership | Role attributes, then runs srmcp against SRM-dCache. The SRM Server (SRM Callout) and the GridFTP Server (GridFTP Callout) invoke gPLAZMA. gPLAZMA's PRIMA SAML Client sends a SAML query over https/SOAP to the Storage Authorization Service, which asks the GUMS Identity Mapping Service ("if authorized, get username") and the Storage metadata ("get storage authz for this username") and returns a User Authorization Record in the SAML response. Alternatively gPLAZMA consults the gPLAZMALite Authorization Service, backed by the gPLAZMALite grid-mapfile and dcache.kpwd. Once authorized, DATA flows through the GridFTP Server.]
Example of end-to-end AuthZ for CEs and SEs
SE: SRM-dCache
• Different doors for different authz methods.
• Same underlying local authz mechanism.
• Can be mapped to the site's UID/GID domain.
• Or be restricted to SRM-dCache only.
• Examples:
  – USCMS VO at FNAL: Site UID domain.
  – CDF VO at FNAL: Site Kerberos domain.
SE: SRM-dCache
• gPLAZMA extends the SRM-dCache separation of SE authz and CE authz to the OSG approach.
• gPLAZMA authenticates.
• gPLAZMA uses the PRIMA Java SAML libraries to form a SAML query and contacts the Storage Authz Service.
• Storage Authz Service contacts GUMS and the Storage Metadata Service.
• GUMS translates {DN, Membership, Role} to Username.
• Storage Metadata Service translates Username to a Storage-privilege Set.
• Storage-privilege Set is {UID, GID, permitted storage area, R/W permissions}.
• Storage-privilege Set is a User-level ACL governed by {DN, Membership, Role}.
• Storage Authz Service forms a User Authorization Record into a SAML response and sends it back to gPLAZMA at the SE.
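The decision chain on this slide, combined with the OSG rule "Authorization = (VO-allowed) && !(Site-vetoed)" from the OSG AuthZ Approach slide and the deny-before-access priorities of the gPLAZMA Architecture slide, as an added Python model that is not part of this talk nor of gPLAZMA, GUMS or dCache. It parses a VOMS FQAN into VO membership and Role, applies the site veto first (bias DENIAL, priority 1), then maps {group, Role} to a username and the username to a Storage-privilege Set (bias ACCESS, priority 2), and finally checks a requested path against the permitted storage area. The DNs, FQAN strings, usernames, UID/GID numbers, mapping tables and /store paths are all constructed for the example; only the FQAN layout ("/vo/group/Role=r/Capability=c") follows the real VOMS convention.

```python
"""Toy model of the OSG authorization chain from these slides:

    Authorization = (VO-allowed) && !(Site-vetoed)

evaluated in gPLAZMA's priority order: a deny-biased site assertion first
(priority 1), then an access-biased VO identity mapping (priority 2) that
yields the User Authorization Record. Every DN, FQAN, table entry and path
below is constructed for this example; none is real gPLAZMA, GUMS or dCache
configuration.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Fqan:
    vo: str               # first path component, e.g. "cms"
    group: str            # full group path, e.g. "/cms" or "/cms/uscms"
    role: Optional[str]   # None when the FQAN carries Role=NULL


def parse_fqan(fqan: str) -> Fqan:
    """Split a VOMS FQAN into VO membership (group path) and Role."""
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/'")
    groups = []
    role = None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value == "NULL" else value
        elif part.startswith("Capability="):
            continue                      # capabilities are not used here
        elif part == "":
            raise ValueError("empty path component in FQAN")
        else:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN names no VO group")
    return Fqan(vo=groups[0], group="/" + "/".join(groups), role=role)


@dataclass(frozen=True)
class StoragePrivileges:
    """The Storage-privilege Set of the slide: {UID, GID, storage area, R/W}."""
    uid: int
    gid: int
    storage_area: str
    read: bool
    write: bool


# Priority 1, bias DENIAL: the site assertion. Constructed veto list.
SITE_VETOED_DNS = {"/DC=org/DC=example/CN=Revoked User"}

# Priority 2, bias ACCESS: {group, role} -> username, standing in for GUMS.
# The roles are the ones the talk uses as examples (cmssoft, cmsphedex, cmsuser).
ROLE_TO_USERNAME: Dict[Tuple[str, Optional[str]], str] = {
    ("/cms", "cmsphedex"): "cmsphedex",
    ("/cms", "cmssoft"): "cmssoft",
    ("/cms", None): "cmsuser",            # plain membership, no role
}

# Storage metadata: username -> privilege set (constructed paths).
# cmssoft's install area is writable by cmssoft but read-only for cmsuser jobs.
USERNAME_TO_PRIVILEGES: Dict[str, StoragePrivileges] = {
    "cmsphedex": StoragePrivileges(40001, 4000, "/store/cms", read=True, write=True),
    "cmssoft": StoragePrivileges(40002, 4000, "/store/cms/sw", read=True, write=True),
    "cmsuser": StoragePrivileges(40003, 4000, "/store/cms", read=True, write=False),
}


def authorize(dn: str, fqan: str) -> Optional[StoragePrivileges]:
    """Return the User Authorization Record, or None when access is denied."""
    # Priority 1: site assertion. A veto ends the decision regardless of the VO.
    if dn in SITE_VETOED_DNS:
        return None
    # Priority 2: VO identity mapping. Only a successful mapping grants access.
    attrs = parse_fqan(fqan)
    username = ROLE_TO_USERNAME.get((attrs.group, attrs.role))
    if username is None:
        return None                       # VO did not allow this {membership, role}
    return USERNAME_TO_PRIVILEGES.get(username)


def _inside(path: str, area: str) -> bool:
    """True if the normalised path lies within the permitted storage area."""
    path = posixpath.normpath(path)
    area = posixpath.normpath(area)
    return path == area or path.startswith(area.rstrip("/") + "/")


def may_read(dn: str, fqan: str, path: str) -> bool:
    priv = authorize(dn, fqan)
    return priv is not None and priv.read and _inside(path, priv.storage_area)


def may_write(dn: str, fqan: str, path: str) -> bool:
    priv = authorize(dn, fqan)
    return priv is not None and priv.write and _inside(path, priv.storage_area)


if __name__ == "__main__":
    dn = "/DC=org/DC=example/CN=Alice Physicist"
    print(authorize(dn, "/cms/Role=cmsphedex/Capability=NULL"))
    print(may_write(dn, "/cms/Role=NULL/Capability=NULL", "/store/cms/sw/CMSSW_1_0"))
```

Two design points carry over to a real deployment: the veto set is checked before any mapping is attempted, so a site decision can never be overridden by a VO attribute, and the requested path is normalised before the storage-area comparison so that a permitted area cannot be left through ".." components.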
[Diagram, built up over ten slides: end-to-end AuthZ for a CE and an SE at a Site. A local or remote client presents a proxy with VO Membership | Role attributes. Site-side services: the Site-wide Assertion Service, the Site-wide Mapping Service and an Auxiliary Mapping Service, with SAZ, GUMS and VOMS labelled alongside them. CE: Globus Gatekeeper with PRIMA callout, using the PRIMA C SAML libraries. SE: SRM/GridFTP gPLAZMA callout into gPLAZMA, using PRIMA Java SAML, with the gPLAZMALite Authorization Services suite as the local alternative; gPLAZMA queries the Storage Authorization Service, which holds the Storage metadata and is exposed through an OGSA-AuthZ interface. Later copies mark the PEP positions.]

Legend:
• gPLAZMA: grid-aware Pluggable AuthoriZation Management System
• GUMS: Grid User Management System
• SAZ: Site Authorization Service
• VOMS: Virtual Organization Membership Service
• PRIMA: A System for Privilege Management and Authorization in Grids

Credits:
• gPLAZMA: Abhishek Singh Rana, UCSD; Timur Perelmutov, FNAL
• GUMS: Gabriele Carcassi, BNL
• SAZ: Vijay Sekhri, FNAL; John Weigand, FNAL
• SRM-dCache: DESY/FNAL teams
• VOMS: INFN teams, Italy
• PRIMA: Markus Lorch, VT
Status
• gPLAZMA native role-based authz mode deployed at the USCMS tier-2 production site at UCSD. Work in progress for deployment at the tier-1 at FNAL.
• GUMS role-based authz mode in final stages of development/packaging.
• Deployment and usage of all modes on USCMS production dCache sites expected before Service Challenge 4.
Known Limitations
• Not (yet) implemented for dcap.
• Scalability of the site-central callout not yet understood. (gPLAZMA native mode is a viable fallback.)
• vi/emacs is the only administrative interface.
• Options for communicating desired policies from VO to site are less than satisfactory. (A general problem of role-based authz!)
Future Work
• Add a MySQL-based backend to replace the storage authz records configuration file.
• Complete gPLAZMA for dcap.
• Understand scalability of the site-wide callout.
• Add an XACML-based authorization engine to dynamically assign storage authz mappings at the Site.
• Explore XACML/SAML rule-based policy declaration (VO-level) and policy computation (Site-level).
Thank You.