SecPAL*: A security policy language to support grid on demand Jason Hogg (jason.hogg@microsoft.com) Program Manager Grid Security Advanced Technology Incubation Group Microsoft Corp. *Security Policy Assertion Language
Agenda
• Introduction
• Research motivation
• SecPAL Syntax and Semantics
• Walkthrough securing a simple scenario
• Demonstration
• Next steps
Introduction
• SecPAL was developed to address security challenges in large-scale distributed systems such as computing grids
• Comprehensive solution with uniform semantics
• Flexibility to support different operational models
• Fine-grained trusts and constrained delegation
• SecPAL is research
• It is not a product and is not officially supported
• The .NET research release has been made available to encourage organizations with complex security requirements to build proof-of-concept applications and provide feedback, which can be used to improve SecPAL should it be incorporated into a product at a future point in time
• Joint research being developed by the Advanced Technology Incubation Group and Microsoft Research in Cambridge
Private & Confidential
Utility Computing
• TeraGrid is one example of how this model is used for scientific computing.
• TeraGrid aims to build the world's largest, most comprehensive grid computing cyber-infrastructure for open scientific research.
• Scientific Gateway solutions are being developed combining portals and desktop applications as gateways to access computational resources, information, and instruments.
• Gateways provide communities of like-minded scientists access to a variety of capabilities including workflows, visualization, resource discovery and job execution services.
• The Software as a Service model for accessing compute / grid resources is also gaining mainstream popularity – Sun Grid, Amazon S3 and Microsoft all have utility computing offerings.
Motivation for SecPAL
• Existing approaches are complex to manage, fail to meet important customer needs – especially in federated environments – are hard to maintain, and impossible to analyze
• Existing policy mechanisms are a major contributor
• Disjoint, often ad hoc approaches for establishing trust, attribute binding, authZ, delegation, audit, … and almost certainly many different semantics
• Can't express some customer needs (distributed management, fine-grained trusts, delegations, revocation etc.)
• Composition of policies is problematic
• Token <-> Policy semantic differences exacerbate the situation
• Mapping tables often needed for attribute translation or binding to local attributes
• Typically support only limited name/attribute formats
What is SecPAL?
• Declarative, logic-based, security policy language
• Easily read as English sentences with a restricted grammar
• Simple syntactic checks ensure evaluation safety
• XML-based: serializes as XML, uses standard parsers, schema, XMLDSIG, XMLENC
• Complete solution for Grid access control requirements
• Trust, authorization, delegation policies, auditing, PKI for identity management
• Can work with existing identity management mechanisms
Facts, Claims and Assertions
• Assertion (Token, Policy, AuthorizationQuery)
• A says claim
• Claim (conditional fact)
• fact [if fact1, fact2, … , factn, constraint]
• Fact
• P can verb resource [qual] (action)
• P possess attrib=value [qual] (possession)
• P can say fact (delegation)
• P can act as P' (alias)
• P can revoke [ClaimId] (revocation)
Example: ResourceGuard says Bob can read http://foo.com/ if Bob can write http://foo.com/
Variables
• SecPAL assertions can include variables – allowing generic policies to be authored
• Variables are substituted for concrete values at evaluation time
• Example: CHPCAdmin says VO-ReseachGrid-STS can say %p possesses %a where %a matches rfc822Name:".*@contoso\.edu"
Scenario: User Schedules a Job
• A user from within a virtual organization (called Research Grid VO) wants to submit grid jobs to a computational cluster in an external organization (called the Center for High-Performance Computing).
• Requires two types of policies:
• Trust relationship
• Resource access policy
Step 1: Establish a trust relationship
• The Master Scheduler could establish a trust relationship directly with our end user Bob; however, this interaction quickly becomes unmanageable for any sizable environment. Rather, the common practice is for CHPC to establish a trust relationship with an authority, such as the Research Grid Security Token Service (STS), that is responsible for certifying grid users.
CHPCAdmin says VO-ReseachGrid-STS can say %p possesses %a (from %t1 until %t2) where %t2 - %t1 <= "366.00:00:00", %t1 <= CurrentTime() <= %t2, %a matches rfc822Name:".*@contoso\.edu"
Step 2: Define resource access policy
• The CHPC master scheduler would have a local authorization policy controlling who may use the job management services. This will typically rely on the organizational trust policy, since the scheduler service administrator won't typically be responsible for cross-organizational relationships.
CHPCAdmin says %p can execute service:"http://www.chpc.org/scheduleJob" if %p possesses %a where %a matches rfc822Name:".*@contoso\.edu"
Step 3: User requests an identity token
• For our user Bob to schedule a job, he first needs to obtain an identity token from the Research Grid STS which contains his email name. This might require him to authenticate using a Contoso-supplied authentication credential (such as an X.509 certificate, Kerberos token, SAML token or another SecPAL token) which is accepted by grid services.
• The grid token obtained from the STS would contain the assertion:
VO-ReseachGrid-STS says Bob possesses rfc822Name:"Bob@contoso.edu" (from "2007-01-01" until "2007-12-31")
Step 4a: User submits a job
• Now Bob can submit a request to initiate a job on the CHPC cluster by sending an authenticated message containing his SecPAL token along with the job information needed by the CHPC master scheduler.
• The scheduler can then formulate a SecPAL query similar to:
CHPCAdmin says Bob can execute service:"http://www.chpc.org/scheduleJob"?
Step 4b: Authorization Decision
• The SecPAL evaluation engine evaluates the authorization query based on the relevant policies and tokens
• Positive authorization decisions include a proof graph showing the relevant policies and tokens that lead to the authorization decision
• Critical for auditing / compliance requirements
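To make Steps 1 to 4b concrete, here is a small Datalog-style evaluator written for this page (it is not the SecPAL .NET engine or any code from the release). It encodes the Step 1 trust assertion, the Step 2 access policy and the Step 3 token as tuples, answers the Step 4a query, and returns the proof graph of Step 4b; the tuple encoding, the `TODAY` stand-in for `CurrentTime()` and the extra token for "Eve" are assumptions of this example.

```python
import re
from datetime import date
from itertools import count
# Constructed evaluator for the scenario above, not the SecPAL .NET engine: facts are tuples,
# "%"-prefixed strings are variables, and a possession fact carries "from %t1 until %t2" as dates.
TODAY = date(2007, 4, 28)                    # stand-in for CurrentTime()
EMAIL = r".*@contoso\.edu"
SERVICE = 'service:"http://www.chpc.org/scheduleJob"'
POSSESS = ("%p", "possesses", "%a", "%t1", "%t2")
FRESH = count()                              # suffixes used to rename variables apart
POLICIES = [  # (issuer, fact, condition facts, constraint over a variable lookup g)
    # Step 1: CHPCAdmin says VO-ReseachGrid-STS can say %p possesses %a (from %t1 until %t2) where ...
    ("CHPCAdmin", ("can say", "VO-ReseachGrid-STS", POSSESS), [], lambda g:
        (g("%t2") - g("%t1")).days <= 366 and g("%t1") <= TODAY <= g("%t2")
        and re.fullmatch(EMAIL, g("%a")) is not None),
    # Step 2: CHPCAdmin says %p can execute service if %p possesses %a where %a matches ...
    ("CHPCAdmin", ("%p", "can execute", SERVICE), [POSSESS], lambda g: re.fullmatch(EMAIL, g("%a")) is not None),
    # Step 3: identity tokens issued by the STS (Eve's is constructed for contrast: wrong domain)
    ("VO-ReseachGrid-STS", ("Bob", "possesses", "Bob@contoso.edu", date(2007, 1, 1), date(2007, 12, 31)), [], lambda g: True),
    ("VO-ReseachGrid-STS", ("Eve", "possesses", "eve@other.example", date(2007, 1, 1), date(2007, 12, 31)), [], lambda g: True)]
def isvar(x): return isinstance(x, str) and x.startswith("%")
def walk(x, b):                              # follow variable bindings to a value
    return walk(b[x], b) if isvar(x) and x in b else x
def ren(t, n):                               # rename an assertion's variables apart
    return f"{t}#{n}" if isvar(t) else tuple(ren(x, n) for x in t) if isinstance(t, tuple) else t
def unify(x, y, b):                          # extend binding b so that x == y, else None
    x, y = walk(x, b), walk(y, b)
    if x == y: return b
    if isvar(x) or isvar(y): return {**b, x: y} if isvar(x) else {**b, y: x}
    if not (isinstance(x, tuple) and isinstance(y, tuple) and len(x) == len(y)): return None
    for p, q in zip(x, y):
        b = unify(p, q, b) if b is not None else None
    return b
def derive(issuer, goal, b):                 # yield (binding, proof) for 'issuer says goal'
    for who, fact, conds, check in POLICIES:
        if who != issuer: continue
        n = next(FRESH)
        f, subgoals = ren(fact, n), [(issuer, ren(c, n)) for c in conds]
        if f[0] == "can say":                # A says B can say F: B must also say the goal
            f, subgoals = f[2], subgoals + [(f[1], goal)]
        for b2, sub in conj(subgoals, unify(f, goal, b)):
            if check(lambda v: walk(f"{v}#{n}", b2)):
                yield b2, {"says": who, "fact": fact, "because": sub}
def conj(subgoals, b):                       # prove every subgoal under one consistent binding
    if b is not None and not subgoals:
        yield b, []
    elif b is not None:
        for b1, p in derive(*subgoals[0], b):
            for b2, ps in conj(subgoals[1:], b1): yield b2, [p] + ps
def authorize(issuer, fact):                 # Step 4b: proof graph for the query, or None if denied
    return next((proof for _, proof in derive(issuer, fact, {})), None)
```

The proof returned for Bob chains the access policy to the trust assertion and then to the STS token, while Eve's token fails the `rfc822Name` constraint and a user with no token gets no derivation at all.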
Step 6: User delegates rights
• Bob can also take advantage of SecPAL to formulate a delegation of his rights to access a data file on a server at Birch University, where the job data may reside.
Bob says Scheduler can say %p can read file://BirchFileShare/jobData (from %t1 to %t2) if %t2-%t1<5 days
Scheduler says Bob-Job can read file://BirchFileShare/jobData [from 2007-04-28 to 2007-05-01]
Summary
SecPAL was designed to solve challenges such as:
• How does an organization establish a fine-grained trust relationship with another organization across organizational boundaries?
• How does a user delegate a subset of a user's rights (constrained delegation) to another user residing either in the same organization or in a different organization?
• How can access control policy be authored and reviewed in a manner that is human readable, allowing auditors and non-technical people to understand such policies?
• How does an organization support compliance regulations requiring that a system be able to demonstrate exactly why it was that a user was granted access to a resource?
• How can policies be authored, composed and evaluated in a manner that is efficient, deterministic and tractable?
Research Availability
• Public Availability
• SecPAL Formal Model and Whitepaper
• SecPAL Preview Binaries and Developer Documentation
• SecPAL Schema and Schema Specification
• http://research.microsoft.com/projects/secpal
• Community Workspace
• Additional scenarios
• API questions
• Additional downloads – query editor available shortly
• http://www.codeplex.com/secpal
Call to Action
• Evaluate
• Download the .NET Research Release
• Look at the 15 authorization patterns
• Follow the tutorial in the developer docs
• Build a prototype to meet your requirements
• Provide feedback
• This work is currently research – the perfect time to have your feedback incorporated
• What other patterns does your organization use?
• How successful were you at solving these with SecPAL?
• …
• Feedback can be submitted to http://www.codeplex.com/secpal or directly to me at jason.hogg@microsoft.com
• Tell your colleagues – especially those responsible for planning your long-term security strategy!