
gJAF Java Authorization Framework Progress and Next Steps

This document provides an overview of the gJAF Java Authorization Framework progress, suggested work items, and discussion on next steps and interaction with other packages. Topics include SAML/Shib credentials support, using XACML for policy expression, compatibility and integration with other solutions, and more. Presented at the JRA1-AH All-Hands meeting on November 8-10, 2006 in the UK.





Presentation Transcript


  1. gLite Java Authorisation Framework (gJAF) and Authorisation Policy coordination
  Trygve Aspelien and Yuri Demchenko
  University of Bergen and University of Amsterdam
  All-Hands meeting, November 8-10, 2006, UK

  2. Outline
  • gJAF overview and progress
  • Suggested work items
  • Other supporting activities
  • Discussion: next steps and interaction with other packages
  JRA1-AH, 8-10 November 2006, Abingdon

  3. gJAF Overview
  • Provided as the org.glite.security.authz Java package
  • Actively uses the java-utils library for VOMS
  • Called from applications via an interceptor (PEP) with {MessageContext, Subject, operation}
  • Contains a configured chain of PIP and PDP modules
    • PIP collects/extracts information to be sent to the PDP
    • Each PDP evaluates its relevant attributes against its own policy
    • Chain is configured to apply PDP decision combination
  • Problems
    • Requires application-specific manual chain configuration
    • Limited use up to now in gLite: CE (and some interest from DM)

  4. gJAF components and connection to the Grid Service

  5. Suggested work items (1)
  • SAML/Shib credentials support
    • Need to clarify the SAML Assertion format and supporting libraries
    • To be provided as an internal gJAF package or as part of java-utils
    • Will rely on effective cooperation with SWITCH
    • Also expected to be available in GT4-AuthZ with GridShib
  • Using XACML for policy expression
    • Motivation: standard, context aware, can be mapped to different formats
    • Used in G-PBox
    • Can be added as an XACML PDP plugin to gJAF or GT4-AuthZ
    • Need a policy management tool (simple or complex)
  • Other issues found important
    • Enable the PDP chain to respond with an Obligated decision
    • PDP answer with an AuthZ ticket to provide extended/full decision context in the response to gJAF/PDP
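The PEP/PIP/PDP chain from the gJAF overview and the Obligated decision item above, as an added Java 16+ model that is not gJAF's own code or API: the interfaces, the "fqans"/"proxyAttr" attribute names, the deny-overrides combination and the sample subject DN and proxy attribute string are all assumptions constructed for this illustration.

```java
import java.util.*;

// Hypothetical model of an authorisation chain (not gJAF's own API): the PEP hands
// {MessageContext, Subject, operation} to the chain, PIPs enrich the context, each
// PDP evaluates its own policy and the chain combines the decisions (deny-overrides assumed).
public class AuthzChainDemo {
    enum Decision { PERMIT, DENY, NOT_APPLICABLE }
    record Result(Decision decision, List<String> obligations) {} // obligations: enforced by the PEP
    interface PIP { void collect(Map<String, Object> ctx); }
    interface PDP { Result evaluate(Map<String, Object> ctx); }
    // PIP: splits the (constructed) proxy attribute string into VOMS FQANs
    static final PIP vomsPip =
        ctx -> ctx.put("fqans", ((String) ctx.get("proxyAttr")).split(","));
    // PDP 1: black list of subject DNs (constructed entry); silent otherwise
    static final PDP blackListPdp = ctx ->
        Set.of("/C=XX/O=Example/CN=banned user").contains(ctx.get("subject"))
            ? new Result(Decision.DENY, List.of())
            : new Result(Decision.NOT_APPLICABLE, List.of());
    // PDP 2: VO policy; permits job submission for the prod role with an
    // account-mapping obligation attached, denies everything else
    static final PDP voPdp = ctx -> {
        List<String> fqans = Arrays.asList((String[]) ctx.get("fqans"));
        boolean ok = "job-submit".equals(ctx.get("operation")) && fqans.contains("/vo.example/Role=prod");
        return ok ? new Result(Decision.PERMIT, List.of("map-to-account:prod001"))
                  : new Result(Decision.DENY, List.of());
    };
    // Deny-overrides: the first DENY ends the chain and PERMIT obligations are
    // accumulated; NOT_APPLICABLE means no PDP permitted the request, so the
    // PEP must treat it as a denial (fail closed).
    static Result evaluateChain(List<PIP> pips, List<PDP> pdps, Map<String, Object> ctx) {
        for (PIP pip : pips) pip.collect(ctx);
        Decision combined = Decision.NOT_APPLICABLE;
        List<String> obligations = new ArrayList<>();
        for (PDP pdp : pdps) {
            Result r = pdp.evaluate(ctx);
            if (r.decision() == Decision.DENY) return new Result(Decision.DENY, List.of());
            if (r.decision() == Decision.PERMIT) { combined = Decision.PERMIT; obligations.addAll(r.obligations()); }
        }
        return new Result(combined, obligations);
    }

    public static void main(String[] args) {
        Map<String, Object> ctx = new HashMap<>();   // constructed message context
        ctx.put("subject", "/C=XX/O=Example/CN=alice");
        ctx.put("operation", "job-submit");
        ctx.put("proxyAttr", "/vo.example/Role=prod,/vo.example/Role=NULL");
        System.out.println(evaluateChain(List.of(vomsPip), List.of(blackListPdp, voPdp), ctx));
    }
}
```

The order of PDPs in the chain matters once obligations are involved: a later DENY discards obligations already collected, which is the chain-sequence question raised in the workplan slides.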

  6. Suggested work items (2)
  • Compatibility and integration with other gLite/EGEE and 3rd-party solutions
    • Integration with G-PBox: needs a gJAF AuthZ chain extension to process Obligated decisions
    • Compatibility and integration with GT4-AuthZ
      • Possibility to reuse the available set of PDPs and PIPs
      • Interest to cooperate was expressed by the GT4 Security team
  • AuthZ policy compatibility and coordination
    • Common or mapped attribute semantics
    • Policy format mapping: XACML -> GACL, ACL, gridmap, BlackList
    • Q: Are they all compatible and convertible to XACML?

  7. Other supporting activities
  • gJAF promotion in EGEE and for the wider Grid community
    • Time to update the gJAF Developer's Guide: https://edms.cern.ch/document/501718
    • HOWTO and usage examples
  • EGEE AuthZ Policy Coordination
    • First meeting was in Bologna on June 6-7, 2005
    • Need for next meeting: December 2006 - January 2007
  • OGF OGSA-AuthZ Working Group
    • EGEE interest: bring EGEE reality to GGF standardisation
    • Proposed documents on AuthZ service components and protocols: CVS - Credentials Validation Service

  8. Summary I (Detailed Workplan)
  General
  • Meeting with the Cream G-PBox team to discuss policy handling, similar to Bologna 2005
  • Promote use of gJAF (including tests and PDP usage examples)
  Shared work effort (Yuri & Trygve)
  • Further investigations on the chain sequence
  • Prepare for adding obligations (G-PBox) and the ticket system (developed by UvA; chain sequence is important)

  9. Summary II (Detailed Workplan, cont.)
  Trygve (UiB)
  • ETICS building of authz-framework
  • Shib/SAML integration (needs cooperation with SWITCH). Some open questions, e.g.:
    * Content of attributes and validation (MsgCtx)
    * Library?
    * Own PDP (e.g. VOMS) (needs?) / external call-out?
    * How to get PIP attributes (extend java-utils?)
  Yuri (UvA)
  • Possible integration of GT4 features (e.g. XACML PDP callout functionality)
  • Integrate the ticket system from UvA

  10. Discussion
  • Any other issues?
  • Interaction with other packages and developers
  • Comments?

  11. Additional information (Appendix)
  • GT4 Authorisation Framework

  12. GT4 Authorisation Framework
  • Can be configured for Container, Message, Service/Resource
  • Called from the SOAP/Axis message interceptor
  • AuthZ processing sequence includes
    • New! Bootstrapping X.509 PIP: retrieves request parameters (Subject, Resource, Action) from the message
    • Sequence of pre-configured PIPs, including SAML
    • Sequence of (specialised) PDPs
    • Different PDP decision combination algorithms by the AuthZ engine
      • However, consistency of multiple policy decisions is not resolved
  • Available PDPs
    • ACL and GridMap
    • HostAuthorization and UserNameAuthorization (similar to a BlackList PDP)
    • SAML AuthZ callout and SAML AuthZ Assertion
    • SelfAuthorization: based on shared/trusted Resource credentials
    • Simple XACML PDP (provided as a placeholder for extension)
