The VEGA Approach to Grid Security


Page 1: The VEGA Approach to Grid Security

The VEGA Approach to Grid Security
-- Security In VEGA GOS v2

Grid System Software Group, ICT, CAS
2005-4-11

Li ZHA
[email protected]

Page 2: The VEGA Approach to Grid Security

Outline
• Background of VEGA GOS
• Motivations And Goals
• Security In VEGA GOS
  • VEGA GOS Architecture
  • Grid Security Mechanism
• Key Approaches
  • WS-Security Implementation
  • Agora (VO, Community) Based Authorization
  • Runtime construct (Grip, Grid Process) for secured accessing the service
• Hosting Environment And Deployment
• Conclusion And Roadmap

Page 3: The VEGA Approach to Grid Security

Background of VEGA GOS

Background
• Grid related research and the VEGA brand at ICT since 1999
• Part of the Grid Software program supported by the China Ministry of Science and Technology 863 program (2002~2005)

Goals
• Support multiple geographically distributed grid nodes (HPC centers)
• A sharing mechanism and framework for computing, data, software and combined resources
• Provide secure, uniform and friendly interfaces for accessing scientific computing and information services

Research
• Focus on 4 key issues and aim at minimal common requirements: Naming, Process/States, VO, Programming
• Focus on implementation architecture, not protocols/services
• Use a computer systems approach, not a middleware or network approach
• Use the SOA concept

Page 4: The VEGA Approach to Grid Security

Application Scope of VEGA GOS -- figure: VEGA GOS sits between the distributed resources and services and the application domains shown on the slide (science research, manufacturing, resources and environment, weather forecast).

Page 5: The VEGA Approach to Grid Security

Motivations And Goals -- What is needed

In a grid environment, security should solve or cover:
• Traditional security issues such as authentication, access control, information integrity and information privacy (according to the OSI security architecture)
• Grid authentication: Single Sign On
• Grid authorization: adapt to loosely coupled or decoupled architectures; access control is decided by the resource owner or provider
• Communication security guarantees: adopt open and standardized protection mechanisms (signature, encryption, etc.)
• Should all of this security information be kept separate or put together? If together, how?

Page 6: The VEGA Approach to Grid Security

Motivations And Goals -- More concrete

• Integrate security with Web services and VEGA GOS
  • Independent of service implementations (utilizing the handler-chain mechanism at the client and service sides)
  • Conform to existing security standards: X.509 (for authentication), SAML (for authorization), WS-Security (for a service oriented security architecture), standard signature and encryption algorithms
• Ensure mutual security at both the user and the resource side: user and service MUST both have certificates
• Separate authorization from authentication
  • Token based authorization (tokens are dynamically issued by the Authorization Authority in the Agora)
  • The GOS context (Agora id, cert/proxy cert and token) is added to each SOAP message when accessing a service
• Keep resources autonomous
  • Implement access control at the resource side, with interfaces that can be customized
  • Multiple granularity access control based on the authorization token

Page 7: The VEGA Approach to Grid Security

VEGA GOS v2 Architecture (hierarchical) -- figure; component labels recovered from the slide, grouped by layer:

Hosting environment: Java J2SE, J2EE / Microsoft Windows; Tomcat (Apache), WebSphere (IBM), WebLogic (BEA), .NET (Microsoft), GT4 (Globus), OMII

Core Level Services
• Agora Service: Agora AA, Agora Mgmt., Authorization Engine, Multi-Grained Resource AC Policy Mgmt., User Mgmt. Engine (Acct. Authentication, Acct. Approve, Profile, Role Based Acct. Mgmt.), Resource Mgmt. Engine (Service Addr. and PortType Mapping, Service Info Mgmt.)
• Grip Service: Grip Container (Service Invocation, Addr. Trans., Grip Ctrl. Structure, User Interaction, Result Caching, Grip State Mgmt.), Service Locating (Global), Service Info. Mgmt. (Local)
• Core APIs and Core Libraries (Grip, Agora, Service Bus, AC Handling, Core Exception Handling), Core Exceptions

System Level Services (System and Application Libraries: Core Based Functional APIs and Exception Handling)
• Base Services: CA & Certificates Mgmt. Service (Proxy Cert.), Dynamic Deploy Service, System Monitoring Service, Logging & Auditing Service, File Service, Database Service, Messaging Service, GIS Service, Router Service
• Information (MetaX) Services: MetaDB Service, MetaSys Service, MetaFile Service (Naming, File AC Mgmt., Replica Mgmt., Meta Info Mgmt., Quota Mgmt., etc.)
• Extended System Services: Batch Service, Workflow Service, etc.

App Level Services (User APIs)
• Servlet Based Scalable Grid Portal Engine: Built-in Utility Collection, Extended Utilities, Grid Portal (Application Logic by Web Pages)
• Grid Apps, User Customized Applications

Page 8: The VEGA Approach to Grid Security

Security Mechanism In VEGA GOS v2 -- figure; content recovered from the slide:

Legend: uCert = user cert, u_p = proxy cert, uTK = authorization token

• The CA issues the user cert (uCert); the proxy cert (u_p) is uploaded to the Agora
• Browser -> Grid Portal (Grid Portal Engine): the user logs in with uid/pass and the portal loads the proxy cert into the grip
• Grid Application -> Grip Container Service: a dedicated application presents uCert directly
• Grip Container Service -> Agora Service (User Mgmt. Service, Resource Mgmt. Service, AA Service): authenticates with u_p and obtains uTK
• Grip Container Service -> Physical Services: every invocation carries u_p and uTK

Page 9: The VEGA Approach to Grid Security

Key Approaches
• WS-Security Implementation
• Agora (VO, Community) Based Authorization
• Runtime construct (Grip, Grid Process) for secured accessing the service

Page 10: The VEGA Approach to Grid Security

WS-Security Implementation
• Handler chain mechanism
  • Sign the SOAP message, add the cert (or proxy cert) and the token
  • Authenticate the caller's and the AA's identities
  • Implement access control
• GOS context
  • A common system object storing the Agora id, the cert or proxy cert (with key) and the token in a structured manner

Page 11: The VEGA Approach to Grid Security

E2E Message Process Flow

Request flow (WS Client -> Web Service)
• Client side: SignHandler (with proxy or user cert), AddGOSContextHandler
• Server side: WSSecurityHandler, GetAttachmentsHandler, VerifyCertsHandler, VerifyTokenHandler, ACHandler

Response flow (Web Service -> WS Client)
• Server side: SignHandler (with service cert), AddGOSContextHandler
• Client side: WSSecurityHandler, GetAttachmentsHandler, VerifyCertsHandler, VerifyTokenHandler

Transport: SOAP message over SSL/TLS (HTTPS)

Page 12: The VEGA Approach to Grid Security

Client Request/Service Response SOAP Header

  <!-- SOAP begin (SOAP Element) -->
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header>
      <!-- Certs Type -->
      <CertType soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0">
        <Type>cert</Type>
      </CertType>
      <!-- Security Element -->
      <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
                     soapenv:actor="" soapenv:mustUnderstand="0">
        <!-- Encoding Binary Security Tokens. This element is used to include a binary-encoded
             security token; ValueType wsse:PKIPath means a certificate chain (proxy cert plus user cert). -->
        <wsse:BinarySecurityToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/04/utility"
                                  EncodingType="wsse:Base64Binary" ValueType="wsse:PKIPath"
                                  wsu:Id="token1112843580450">.........</wsse:BinarySecurityToken>
        <!-- WS-Security Signature -->
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <!-- SignatureValue -->
          <ds:SignatureValue>.........</ds:SignatureValue>
          <!-- KeyInfo, indicates the key to be used to validate the signature. -->
        </ds:Signature>
      </wsse:Security>
    </soapenv:Header>
    <!-- soapenv:Body and the closing Envelope tag are not shown on the slide -->

Note the mustUnderstand="0" on both header blocks: a receiver without the security handlers installed will silently ignore them, so the server-side handler chain has to be mandatory in the deployment rather than relied on as a SOAP-level obligation.

Page 13: The VEGA Approach to Grid Security

Agora Based Authorization
• Separate authorization from authentication
• The Agora Authorization Authority can dynamically issue tokens according to trusted resource requests
• Flexible authentication at the service side according to the handler configuration
• Implement multiple grained resource access control
  • A token can contain service operations or logical operations
  • The service side ACHandler implements access control integrated with the local security policy

Page 14: The VEGA Approach to Grid Security

Agora Internals -- figure; content recovered from the slide:

• Agora Access Control Mechanism (Tomcat+Axis): Authorization Engine with User Authentication and Resource Authorization, backed by a User Mgmt. Client and a Resource Mgmt. Client
• User Mgmt. Service (Tomcat+Axis, User Mgmt. Interface): Role, Proxy, UserName, profile
• Resource Mgmt. Service (Tomcat+Axis, Resource Mgmt. Interface): ERes Mapping, VRes, PT
• Authorization Authority Service (Tomcat+Axis): AAA Client, AC Policy Mgmt., Agora Mgmt.

Page 15: The VEGA Approach to Grid Security

SAML based authorization token

  ...
  <Conditions NotBefore=" " NotOnOrAfter=" ">
    <AudienceRestrictionCondition>
      <!-- extended authorization info, such as info added by the MetaX service -->
      <Audience>FILE PATH to local storage</Audience>
    </AudienceRestrictionCondition>
  </Conditions>
  <!-- reference information that helps the service side implement access control -->
  <Advice> ...... </Advice>
  <AuthorizationDecisionStatement Decision="Permit"
      Resource="vres://ed3ee2ed0d9ba0085db0fe8df40e8bd9:4b284f96f21f8fde00ba45218c9e8eea">
    <Subject>
      <!-- user DN -->
      <NameIdentifier>O=Grid,OU=GOSTEST,OU=grid.org.cn,OU=linux.ict.ac.cn,CN=usr1</NameIdentifier>
    </Subject>
    <!-- can be a logical operation, such as "read" or "write", parsed by the service side access control mechanism -->
    <Action Namespace="0">ping</Action>
  </AuthorizationDecisionStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ... <!-- signature related info: algorithm, digest and signature value etc. --> ...
  </ds:Signature>
  ...
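The token life cycle of slides 13 to 15, as an added Go example written for this page and not VEGA GOS code: the Agora Authorization Authority side producing a cut-down SAML 1.x AuthorizationDecisionStatement, and the service-side ACHandler evaluating it under a local policy, including the multi-grained case where the token names a logical operation ("read") rather than the invoked service operation ("list"). Assumed and not from the deck: the constructed VRes name vres://agora1:fileservice, the local path /gos/storage/usr1 used as the Audience advice, the policy table that maps service operations to logical operations, and that the ds:Signature over the assertion has already been verified by the preceding VerifyTokenHandler (XML-DSig is out of scope for this block). Namespaces and the Advice element are left out.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// The parts of the slide-15 token the service-side handlers act on (SAML 1.x element
// names; namespaces, Advice and ds:Signature are omitted from this cut-down model).
type Conditions struct {
	NotBefore    string   `xml:"NotBefore,attr"`
	NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
	Audience     []string `xml:"AudienceRestrictionCondition>Audience"`
}

type AuthzDecision struct {
	Decision string   `xml:"Decision,attr"`
	Resource string   `xml:"Resource,attr"`
	Subject  string   `xml:"Subject>NameIdentifier"`
	Actions  []string `xml:"Action"`
}

type Assertion struct {
	XMLName    xml.Name        `xml:"Assertion"`
	Conditions Conditions      `xml:"Conditions"`
	Decisions  []AuthzDecision `xml:"AuthorizationDecisionStatement"`
}

// IssueToken is the Agora Authorization Authority's side: on a trusted resource request it
// binds the user DN to one virtual resource, the actions allowed on it, a validity window and,
// as Audience, the local storage path the MetaX service resolved ("extended authorization info").
func IssueToken(userDN, vres string, actions []string, localPath string, now time.Time, ttl time.Duration) ([]byte, error) {
	return xml.Marshal(Assertion{
		Conditions: Conditions{
			NotBefore:    now.UTC().Format(time.RFC3339),
			NotOnOrAfter: now.Add(ttl).UTC().Format(time.RFC3339),
			Audience:     []string{localPath},
		},
		Decisions: []AuthzDecision{{Decision: "Permit", Resource: vres, Subject: userDN, Actions: actions}},
	})
}

// Request is what ACHandler sees once the earlier handlers have run: the caller DN taken from
// the verified user/proxy certificate, the virtual resource addressed and the operation invoked.
type Request struct{ CallerDN, Resource, Operation string }

// LocalPolicy is the resource side's own mapping from service operations to the logical
// operation a token may name instead (multi-grained access control: a token may say "ping"
// for one operation, or "read" for a whole class of operations). Assumed table, not from the deck.
type LocalPolicy map[string]string

// ACHandler decides the request against the token and, on Permit, hands back the Audience
// advice (local paths) for the service to enforce. The ds:Signature over the assertion is
// assumed to have been verified by the preceding VerifyTokenHandler.
func ACHandler(token []byte, req Request, policy LocalPolicy, now time.Time) ([]string, error) {
	var a Assertion
	if err := xml.Unmarshal(token, &a); err != nil {
		return nil, fmt.Errorf("malformed token: %w", err)
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("token has no usable validity window")
	}
	if now.Before(nb) || !now.Before(na) { // NotOnOrAfter is exclusive
		return nil, fmt.Errorf("token not valid at %s", now.Format(time.RFC3339))
	}
	logical := policy[req.Operation]
	for _, d := range a.Decisions {
		if d.Decision != "Permit" || d.Resource != req.Resource || d.Subject != req.CallerDN {
			continue // a statement about another resource or subject grants nothing here
		}
		for _, act := range d.Actions {
			if act == req.Operation || (logical != "" && act == logical) {
				return a.Conditions.Audience, nil
			}
		}
	}
	return nil, fmt.Errorf("no Permit for %q on %s by %s", req.Operation, req.Resource, req.CallerDN)
}

func main() {
	now := time.Now()
	dn := "O=Grid,OU=GOSTEST,OU=grid.org.cn,OU=linux.ict.ac.cn,CN=usr1"
	vres := "vres://agora1:fileservice" // constructed placeholder for a VRes name
	tok, _ := IssueToken(dn, vres, []string{"read", "ping"}, "/gos/storage/usr1", now, time.Hour)
	policy := LocalPolicy{"list": "read", "upload": "write", "remove": "write"}
	for _, op := range []string{"list", "ping", "remove"} {
		paths, err := ACHandler(tok, Request{CallerDN: dn, Resource: vres, Operation: op}, policy, now)
		fmt.Printf("%-6s -> paths=%v err=%v\n", op, paths, err)
	}
}
```

With a token granting "read" and "ping", the "list" operation is permitted through the policy mapping, "ping" is permitted as a literal service operation, and "remove" (a write-class operation) is refused; the same token is also refused for another caller DN, another VRes, or once NotOnOrAfter is reached. Binding the decision to the caller DN established by VerifyCertsHandler is what keeps a token from being replayed by a different proxy holder.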

Page 16: The VEGA Approach to Grid Security

Runtime construct (Grip, Grid Process) for secured accessing the service
• Dynamically created at runtime in response to user requests
• Simple interfaces (5 in total)
• Keeps some information for reuse: loads and stores the proxy cert, the user profile and the service address
• Not destroyed until the grip is closed
• Relays the user's invocation requests
• Extends the called service with an asynchronous interface
• Caches the returned result, such as batch job query status

Page 17: The VEGA Approach to Grid Security

Grip At Runtime -- figure; sequence recovered from the slide, between the client, the grip, the Agora Service, the Network of Resource Routers and the Physical Services:

• create (uid/pass) -> Agora Service: authentication; the grip now holds uCert_p (proxy cert) and Profile
• bind (ERes name) -> Agora Service: resource selection and resource authorization; returns VRes name, Token, PT; the grip now holds uCert_p, Profile, VRes, Token, PT
• invoke -> Network of Resource Routers: resource locating, then service invocation on the Physical Service; the grip now also holds PRes
• ctrl (getResult): return and cache; the grip now also holds Ret
• close: the grip is destroyed

Page 18: The VEGA Approach to Grid Security

Sample Code Using Grip

  ...
  // define the effective resource name
  String effective = "eres://agora1:MService";
  // new a GripClient object
  GripClient testgripclient = new GripClient();
  // create a grip with the user id, password and the agora name to log in to
  UserHandle griphandle = testgripclient.create("usr1", "usr1", "agora1");
  // bind the effective resource
  int index = testgripclient.bind(effective, griphandle);
  // invoke the bound service by resource index and pass the parameters required:
  // "list" is the operation, new Object[] {"/"} the parameters passed to the actual
  // service, GripContainer.M_SYNCHRONIZED the synchronization flag
  Object retvalue = testgripclient.invoke(index, "list",
                                         new Object[] {"/"},
                                         GripContainer.M_SYNCHRONIZED, griphandle);
  ...
  // process the return value here
  ...
  // close it, reclaiming the resources used by the grip
  testgripclient.close(griphandle);
  ...

Page 19: The VEGA Approach to Grid Security

VEGA GOS v2 Hosting Environments -- stack as drawn on the slide, bottom up:
• Intel or AMD based PC Server (Grid Server)
• OS (Linux/Unix/Windows*)
• J2SE (1.4.2_07), J2EE
• Tomcat (5.0.28) + Axis (1.2 rc2)
• Axis Handlers For Message Level Security
• Core, System And App Level GOS v2 Services
• Grid Portal Engine
• Grid Portal and Grid Applications

Page 20: The VEGA Approach to Grid Security

VEGA GOS v2 Deployment -- figure; content recovered from the slide:

• Grid nodes: Grid Node 1 (Beijing), Grid Node 2 (Shanghai), Grid Node 3 (Xi'an), Grid Node 4 (Changsha), with links to other grid nodes
• Each grid node: a Grid Server (Router service, Agora service, Grip service, system and application level services, optionally a grid portal based on the Grid Portal Engine) in front of an HPC Hosting Env. running Legacy Applications
• Grid CA
• Grid Client: a general Web Browser and/or GOS Admin Tools and/or a GOS API based Grid Application (Dedicated Client/Grid Application Client)

Page 21: The VEGA Approach to Grid Security

Conclusion
• WS-Security implementation, integrated into VEGA GOS
  • Header or attachment: which is the best place for the security info? (my opinion)
  • Implementations differ; how can they be interoperable?
• Agora (VO, Community) Based Authorization
  • Loosely coupled
  • Multi-grained access control implementation mechanism according to the info carried by the token
  • Adapts to the resource provider side's security mechanism
• Runtime construct (Grip, Grid Process) for secured accessing the service
  • Simple and easy to use

Page 22: The VEGA Approach to Grid Security

VEGA GOS v2 Roadmap

Time Schedule
• 2005.3, GOS v2 Alpha (prototype)
• 2005.4, GOS v2 Beta (barely fixed)
• 2005.5, GOS v2 release (including sample application and full documents)

Page 23: The VEGA Approach to Grid Security

GOS mailing list : [email protected]

CNGrid : http://www.grid.org.cn/

VEGA : http://vega.ict.ac.cn/

Thanks!