gPLAZMA: gridaware Pluggable AuthoriZation …...Abhishek Singh Rana and Frank Wuerthwein UC San...

Abhishek Singh Rana and Frank Wuerthwein UC San Diego www.opensciencegrid.org

The Open Science Grid Consortium CHEP 2006 Mumbai INDIA February 15 2005

gPLAZMA: gridaware Pluggable AuthoriZation Management

(Introducing Rolebased Access Control in dCache)

Abhishek Singh RanaUC San Diego

[email protected]

Frank WürthweinUC San [email protected]

The XVth International Conference on Computing in High Energy and Nuclear Physics (CHEP’06)

February 15, 2006 TIFR, Mumbai



2

RANA, Abhishek Singh (University of California, San Diego, CA, USA)WÜRTHWEIN, Frank (University of California, San Diego, CA, USA)PERELMUTOV, Timur (Fermi National Accelerator Laboratory, Batavia, IL,USA)KENNEDY, Robert (Fermi National Accelerator Laboratory, Batavia, IL, USA)BAKKEN, Jon (Fermi National Accelerator Laboratory, Batavia, IL, USA)SKOW, Dane (Fermi National Accelerator Laboratory, Batavia, IL, USA)FISK, Ian (Fermi National Accelerator Laboratory, Batavia, IL, USA)FUHRMANN, Patrick (DESY, Hamburg, Germany)ERNST, Michael (DESY, Hamburg, Germany)

Authors



3

Outline

• OSG AuthZ approach• gPlazma architecture• gPlazma implementation• Example of endtoend AuthZ for CEs and

SEs• Status• Future Work



4

OSG AuthZ Approach

• VOGlobal specification of privilege attributes per Role.

• Site central mapping of Role to site’s implementation of privilege attributes.

• Local enforcement of privilege attributes.

• Use of VOMS extended X.509 Attribute Certificate specification for defining extra attributes (FQANs or Fully Qualified Attribute Names).

• Based on RFC3281. FQANs contain Role and VO membership information for a User.



5

OSG AuthZ Approach

• VO defines Roles and associated privileges by specifying expected functionality.– E.g. cmssoft may install software in area that is readonly by all

cmsuser jobs running on site/campus.– E.g. cmsphedex may have special access to SRM/dCache

system.• Site maps VO scope identities to local scope identities.

– Site wide management of mapping.– Service level granularity of mapping.

• Site enforces VO privilege policies within local scope identities.

• Authorization = (VOallowed) && !(Sitevetoed)



6

VO Attribute

Repository

Service X

Service Y

Service X

Service Z

Service X Veto

Service Y Veto

Service Z Veto

Sitewide Assertion Service

Host 1

Host 2

Site

Authorization Service for Service X, Y,

Z

Sitewide Mapping Service

Auxiliary Authorization Service for

Service Z

Auxiliary Mapping Service

Callout Modul

e for X,

Y

Callout Modul

e for Z

Local or Remote ClientProxy with VO Membership | Role Attributes



7

VO Attribute

Repository

Service X

Service Y

Service X

Service Z

Service X Veto

Service Y Veto

Service Z Veto


Host 1

Host 2

Site

Authorization Service for Service X, Y,

Z


Auxiliary Authorization Service for

Service Z


Callout Modul

e for X,

Y

Callout Modul

e for Z


PDPPEP

PEP

PDP

PEP Policy Enforcement Point Policy Decision PointPDP



8

GridFTP Callout

Future Additions

Site AssertionFuture Additions

VO Identity Mapping Client

Priorities

Bias: ACCESSPriority: 2Apply: AuthorizationResponse: AuthZ Record

SRM Door

VO Role Mapping AuthZ(gPLAZMA native)

GridFTP Door …

GUMSbasedVO Role Mapping AuthZ

Legacy Grid AuthN(gridmapfile)

Legacy Storage AuthZ(dcache.kpwd)

Switches Authorizati

onServices

PluginsVO Identity Mapping Service

Storage Metadata AuthZ



SRM Callout

StorageProvider’sPolicies

https/SOAPSAML

gPLAZMA Architecture

Bias: DENIALPriority: 1Apply: AssertionResponse: Allow OR Deny



9

SRMdCache

SRM Server

vomsproxyinitProxy with VO Membership | Role attributes

gPLAZMA

PRIMA SAML Client

Storage Authorization Service

Storage metadata

GridFTPServer

DATA

DATA

https/SOAP

SAML response

SAML query

Get storage authz for this username

User Authorization Record

If authorized,get username

SRM Callout

srmcp

GridFTP Callout

gPLAZMALite Authorization ServicegPLAZMALite gridmapfile

dcache.kpwd

GUMS Identity MappingService

GriPhyN All Hands Meeting Argonne National Laboratory, April 29 2005

Abhishek Singh Rana, UCSD www.opensciencegrid.org

The Open Science Grid Consortium

gPLAZMA Implementation



10

SRMdCache

SRM Server

vomsproxyinitProxy with VO Membership | Role attributes

gPLAZMA

PRIMA SAML Client

Storage Authorization Service

Storage metadata

GridFTPServer

DATA

DATA

https/SOAP

SAML response

SAML query

Get storage authz for this username

User Authorization Record

If authorized,get username

SRM Callout

srmcp

GridFTP Callout

gPLAZMALite Authorization ServicegPLAZMALite gridmapfile

dcache.kpwd

GUMS Identity MappingService

GriPhyN All Hands Meeting Argonne National Laboratory, April 29 2005

Abhishek Singh Rana, UCSD www.opensciencegrid.org

The Open Science Grid Consortium

gPLAZMA Implementation

1

2

3 44a

4b

4c

4d

5

7

6

8

910

1112

13



11

Example of endtoend AuthZ for CEs and SEs



12

SE: SRMdCache

• Different doors for different authz methods.

• Same underlying local authz mechanism.• Can be mapped to site’s UID/GID domain.• Or be restricted to SRMdCache only.• Examples:

– USCMSVO at FNAL: Site UID domain.– CDFVO at FNAL: Site Kerberos domain.



13

SE: SRMdCache

• gPLAZMA extends SRMdCache separation of SE authz and CE authz to OSG approach.

• gPLAZMA authenticates.• gPLAZMA uses PRIMA Java SAML libraries to form a SAML query and contacts

Storage Authz Service.• Storage Authz Service contacts GUMS and Storage Metadata Service.• GUMS translates {DN, Membership, Role} to Username.• Storage Metadata Service translates Username to Storageprivilege Set.• Storageprivilege Set is {UID, GID, permitted storage area, R/W permissions}.• Storageprivilege Set is Userlevel ACL governed by {DN, Membership, Role}.• Storage Authz Service forms a User Authorization Record into a SAML response

and sends it back to gPLAZMA at SE.



14

GUMS



Site

SAZ

VOMS



CE

SE

gPLAZMAStorage

metadata

StorageAuthorization

Service



15

GUMS



Site

SAZ

VOMS



CE

SE

gPLAZMAStorage

metadata


Service



16

GUMS



Site

SAZ

VOMS



CE

SE

gPLAZMAStorage

metadata

PRIMAC SAMLlibraries

Globus Gatekeeper PRIMAcallout


Service



17

GUMS



Site

SAZ

VOMS



CE

SE

gPLAZMAStorage

metadata



PEPStorage

AuthorizationService



18

GUMS



Site

SAZ

VOMS



CE

SE

gPLAZMAStorage

metadata




Service



19

GUMS



Site

SAZ

VOMS




CE

SE

gPLAZMAStorage

metadata

PRIMAJava SAMLgPLAZMA


SRMGridFTP gPLAZMA callout

gPLAZMALiteAuthorizationServices suite


Service



20

GUMS



Site

SAZ

VOMS




CE

SE

gPLAZMAStorage

metadata





PEP


Service



21

GUMS



Site

SAZ

VOMS




CE

SE

gPLAZMAStorage

metadata




OGSAAuthZ

interface



Service



22

GUMS



Site

SAZ

VOMS




CE

SE

gPLAZMAStorage

metadata




gPLAZMAgridaware Pluggable

AuthorizationManagement System

GUMSGrid User Management

System

SAZSite Authorization Service

VOMSVirtual Organization Membership Service



Service

PRIMAA System for

Privilege Management and Authorization in Grids



23

GUMS



Site

SAZ

VOMS




CE

SE

gPLAZMAStorage

metadata




gPLAZMAAbhishek Singh Rana, UCSD

Timur Perelmutov, FNAL

GUMSGabriele Carcassi, BNL

SAZVijay Sekhri, FNAL

John Weigand, FNAL

SRMdCacheDESY/FNAL teams

VOMSINFN teams, Italy



Service

PRIMAMarkus Lorch, VT



24

Status

• gPLAZMA native rolebased authz mode deployed at USCMS tier2 production site at UCSD. Work in progress for deployment at tier1 at FNAL.

• GUMS rolebased authz mode in final stages of development/packaging.

• Deployment and usage of all modes on USCMS production dCache sites expected before Service Challenge 4.



25

Known Limitations

• Not (yet) implemented for dcap.• Scalability of site central callout not yet

understood.(gPLAZMA native a viable fallback)

• vi/emacs is only administrative interface.• Options for communicating desired

policies from VO to site are less than satisfactory. (general problem of role based authz!)



26

Future Work

• Add MySQL based backend to replace storage authz records configuration file.

• Complete gPLAZMA for dcap.• Understand scalability of sitewide callout.• Add XACML based authorization engine to

dynamically assign storage authz mappings at Site.

• Explore XACML/SAML rulebased policy declaration (VOlevel) and policy computation (Sitelevel).



27

Thank You.

gPLAZMA: gridaware Pluggable AuthoriZation …...Abhishek Singh Rana and Frank Wuerthwein UC San...

Documents

Transcript of gPLAZMA: gridaware Pluggable AuthoriZation …...Abhishek Singh Rana and Frank Wuerthwein UC San...