
SAML-XACML interoperability




Presentation Transcript


  1. SAML-XACML interoperability
  Oscar Koeroo

  2. Index
  • The current setup
  • The architectural big picture (EGEE/OSG)
  • How will this work
  • The requirements
  • Work done and decisions made
  • Stuff to do
  EGEE'07: MWSG Budapest

  3. Our current architecture
  [Diagram: a Worker node running glexec, and a gLite Compute Element or Storage Element running glexec, the pre-WS GT4 gatekeeper (edg-gk), gridftp (edg-gridftp), opensshd and the gt4-interface. Every service calls LCAS + LCMAPS with the regular set of L&L plug-ins; on the CE/SE the plug-in set is extended with GPbox infrastructure [xacml].]
  Issues with this setup:
  • share/distribute the gridmapdir for mapping consistency
  • share/distribute the configurations for the nodes
  • share/distribute authorization files, like grid/groupmapfiles and a blacklisting file
  • scaling issues; lots of nodes will probably overload an NFS server

  4. The big picture
  [Diagram: front-end nodes (CE, SE, WN, etc.) on both the EGEE and OSG side: CREAM, pilot jobs on a Worker Node via glexec, the pre-WS GT4 gatekeeper (edg-gk), gridftp (edg-gridftpd), opensshd, the gt4-interface and, on OSG, dCache. On EGEE the PEP is LCAS + LCMAPS with an L&L plug-in speaking SAML-XACML; on OSG it is Prima + gPlazma speaking SAML-XACML. Both sides send a SAML-XACML Query through the Common SAML XACML library to a site-central service: on EGEE, LCAS + LCMAPS behind a SAML-XACML interface, with L&L plug-ins (regular set, with GPbox) and the GPbox infrastructure [saml-xacml] / [xacml]; on OSG, GUMS (+ SAZ).]

  5. How it should work (conceptual)
  [Diagram, steps numbered 1 to 6: the SAML-XACML PEP (L&L plug-in or PRIMA) registers a set of obligation IDs and defines the obligation handlers for them (Obligation handler[N]). Through the Globus SAML XACML library it sends a SAML-XACML Query over the SAML-XACML interface to the Site Central service (LCAS + LCMAPS, or GUMS and SAZ), which answers with a decision plus obligations; example Q: map.user.to.some.pool, R: Oblg: user001, somegrp. The returned set of obligations is dispatched to the registered obligation handlers, which work with the PEP environment.]

  6. SAML-XACML lib requirements
  • Requirements to Globus
    • Initial focus on Java and C environment
      • C clients (PEP) & C service (PDP)
        • Prima & gPlazma
        • LCAS and LCMAPS plug-ins
        • Newly to be created Site Central service with the LCAS and LCMAPS back-end will be C-based
      • Java initially server-side only (PDP)
        • The GUMS server is a Java-Tomcat environment
    • Uses TLS connection for client (PEP) / server (PDP) communication
    • Must be able to mix our PDP and PEP implementations
    • Must be separate from the existing Globus Toolkit
    • We want the library to be lightweight and easily portable

  7. SAML-XACML lib requirements
  • Requirements to ourselves
    • Easy interoperation
      • Understand a common set of obligations and their attributes
    • Scalability
      • Low network traffic
      • Low overhead at the end points
    • Keeping compatibility with existing LCAS and LCMAPS plug-ins and their functionalities

  8. Work done and decisions made
  • Understanding the scope of usage
    • Interesting for everybody who was not at the MWSG UCSD lunch
  • Understanding the term "stateful PDP"
    • Note: an XACML PDP is (usually only) stateless
    • Stateful information (the result of a pool account mapping) is passed in the obligations' attributes
  • Discussing SAML-XACML protocol details
    • "Using standard protocols" != "Being standards compliant"
    • Generation of the protocol stack must be reproducible
  • Using Globus SAML-XACML instead of OpenSAML
    • Globus is committed to fix potential deviations from the specs
  • Testing the alpha version of the SAML-XACML library
    • C and Java; ongoing process…
  • Compilation of tentative lists of obligations
    • for EGEE and OSG (next slide…)

  9. Tentative lists of obligations
  • EGEE Obligations:
    • UID + GID
    • Optional multiple secondary GIDs
    • Optional AFS token (type string)
  • VO Services Obligations (to be checked with a representative from Storage):
    • Username (for CE)
    • UID + GID (common with EGEE)
    • RootPath + HomeDir (gPlazma)
    • Priorities (gPlazma)
    • File creation mask + directory creation mask
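The PEP side of the flow on slide 5 (register obligation handlers, send the query, apply the obligations that come back with the decision) applied to obligations of the kind slide 9 lists, as an added Python example that is not part of the original presentation or of the Globus library. The XML is a constructed, namespace-stripped XACML response; the ObligationId and AttributeId values and the handler names are placeholders, not identifiers EGEE or OSG agreed on.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a simplified, namespace-stripped XACML 2.0 response as a site-central
# PDP (LCAS+LCMAPS or GUMS) might return to a PEP such as glexec/LCMAPS. The ObligationId
# and AttributeId values are placeholders, not the identifiers EGEE and OSG agreed on.
SAMPLE_RESPONSE = """<Response><Result>
  <Decision>Permit</Decision>
  <Obligations>
    <Obligation ObligationId="x-example:uidgid" FulfillOn="Permit">
      <AttributeAssignment AttributeId="x-example:uid">1001</AttributeAssignment>
      <AttributeAssignment AttributeId="x-example:gid">2001</AttributeAssignment>
    </Obligation>
    <Obligation ObligationId="x-example:secondary-gids" FulfillOn="Permit">
      <AttributeAssignment AttributeId="x-example:gid">2002</AttributeAssignment>
      <AttributeAssignment AttributeId="x-example:gid">2003</AttributeAssignment>
    </Obligation>
  </Obligations>
</Result></Response>"""

def handle_uidgid(attrs, mapping):
    """Primary UID + GID obligation: the pool-account mapping the PDP chose."""
    for attr_id, value in attrs:
        mapping[attr_id.rsplit(":", 1)[-1]] = int(value)

def handle_secondary_gids(attrs, mapping):
    """Optional secondary GIDs; every assignment carries one GID."""
    mapping.setdefault("secondary_gids", []).extend(int(v) for _, v in attrs)

# Step 1 of slide 5: the PEP registers the obligation IDs it knows how to fulfil.
HANDLERS = {
    "x-example:uidgid": handle_uidgid,
    "x-example:secondary-gids": handle_secondary_gids,
}

def enforce(response_xml, handlers=HANDLERS):
    """Apply the PDP's decision and run the obligation handlers.
    Returns (effective_decision, mapping); mapping is None unless access is granted."""
    result = ET.fromstring(response_xml).find("Result")
    decision = result.findtext("Decision")
    mapping = {}
    for ob in result.iter("Obligation"):
        if ob.get("FulfillOn") != decision:
            continue  # bound to a different decision, not applicable here
        handler = handlers.get(ob.get("ObligationId"))
        if handler is None:
            # XACML requires a PEP that cannot discharge an applicable obligation to
            # refuse access, so an unregistered obligation ID downgrades Permit to Deny.
            return "Deny", None
        handler([(a.get("AttributeId"), a.text) for a in ob.findall("AttributeAssignment")], mapping)
    return decision, (mapping if decision == "Permit" else None)
```

The Permit-to-Deny downgrade is the check a PEP must keep when EGEE and OSG agree on different obligation sets: an obligation the other side does not understand must never be silently skipped.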

  10. Stuff to do…
  • Other obligations (or no obligation, just a binary AuthZ decision)
  • Reproducibility of the protocol stack, credits to:
    • Yuri Demchenko
    • Valerio Venturi
    • Vincenzo Ciaschini
    • Alberto Forti
    • and others…
  • Timeline:
    • Library beta: ~end of October '07
    • Client (LCMAPS plugin): library beta + 1 month
    • Service (beta): library beta + 2 months
    • Service (production): ~Q1 2008

  11. Final words
  • The site-central solution allows for improved emergency response
    • Central blacklist
    • Consistent mappings across a cluster or a site for all the services
  • The interface is going to be standards compliant with SAML2-XACML2
  • The Globus library will be the first implementation of the protocol stack, hopefully many to follow
