This presentation discusses the Prospero Resource Manager (PRM) and its overall security model, including an extended access control list framework and a generic authorization and access control API. It explores the motivation behind the model, as well as its application to PRM. The current prototype and future work are also presented.
Authorization for Metacomputing Applications
G. Gheorghiu, T. Ryutov and B. C. Neuman
University of Southern California Information Sciences Institute
July, 1998

Outline of Presentation
• The Prospero Resource Manager (PRM)
• Motivation
• Overall security model
  - Extended Access Control List framework
  - Generic Authorization and Access control API
• Applying the model to PRM
• Status
• Summary

The Prospero Resource Manager (PRM)
• The System Manager (SM) - allocates resources to jobs
• The Job Manager (JM) - requests necessary resources
• The Node Manager (NM) - loads and executes tasks

Running a job with PRM
[Diagram: a user application (% appl), the JM, the SM and several NMs, connected by arrows numbered 1 to 5]
1. JM requests resources
2. SM allocates resources to the JM, notifies the NMs
3. SM informs the JM of the assigned resources
4. JM requests task initiation
5. NMs create tasks

Motivation
• Need for user Authentication
• Security policies:
  - authorized principals
  - type of granted access
  - restrictions on granted access and resources
• Customization of the policies
• Enforcement of the policies
[Diagram labels: Request to load an application; Security Policy Data Base; Domain A; Domain B]

EACL framework
[Diagram labels: EACL for host kot.isi.edu; Default EACL for domain isi.edu; Prospero Directory Service]
EACL entry: Principals | Access Rights | Conditions

EACL Management
• Goal: enable easy sharing of a default authorization policy among NMs while allowing customization at host level
• The Prospero Directory Service API is used to create virtual links to the EACL files and to specify attributes for the links
• Example of attributes for the default EACL file:
  - SYSTEM_MANAGER darkstar.isi.edu
  - EACL_DEFAULT True
• Example of attributes for a local EACL file:
  - NODE_MANAGER kot.isi.edu
  - EXTEND_DEFAULT Append

EACL entry structure: Principals
TYPE          SECURITY MECHANISM   ID
USER          Kerberos.V5          joe@ISI.EDU
HOST          IPaddress            164.67.21.82
APPLICATION   Checksum             0x75AA31
GROUP         DCE                  8
ANYBODY

EACL entry structure: Access Rights
User-level representation:
tag      value
HOST     load
HOST     status
DEVICE   power_up
DEVICE   power_down

EACL entry structure: Conditions
TYPE               VALUE
location           DNS_* _island.com
time_window        8AM-6PM
time_day           Monday-Friday
payment            $20
CPU_load           30
application_name   matlab
[Figure labels: PRM-SPECIFIC, GENERIC]

Generic Authorization and Access control API (GAA API)
[Diagram flow:]
Reference to object, Upcall function for EACL retrieval
  -> gaa_get_object_eacl
  -> Object EACL handle
Object EACL handle, GAA API Security Context, [ operations for authorization ]
  -> gaa_check_authorization
  -> YES / NO / MAYBE, [ list of authorized operations and corresponding conditions, if any ]

GAA API Security Context
• Identity
• Authorization Attributes
• Delegated credentials
• Evaluation and Retrieval functions for Upcalls

Using the GAA API in PRM
[Diagram: SM, Transport Mechanism, Kerberos Library, GAA API security context, GAA API (gaa_get_object_eacl, gaa_check_authorization) and EACL, connected by arrows numbered 1 to 6b]
• (1, 2, 3, 4, 4a) request and verification of principal’s identity
• (5, 5a) call to gaa_get_object_eacl, retrieval of appropriate EACL
• (6, 6a, 6b) call to gaa_check_authorization

EACL Evaluation
EACL associated with the host kot.isi.edu:
PRINCIPALS                      OPERATIONS   CONDITIONS
GROUP kerberos.v5 oper@ISI.EDU  *
USER kerberos.v5 joe@ISI.EDU    load         time_w: 6AM-8PM, cpu_load: 20
GAA API security context:
• Identity: USER kerberos.v5 joe@ISI.EDU
• Functions for upcall
REQUEST: "This is Joe, load matlab, on the host kot.isi.edu"
[Diagram labels: Joe; host kot.isi.edu; 10:07AM]

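The evaluation on this slide, as an added Python sketch that is not the GAA API or PRM code. The tuple layout of an entry, the evaluator signatures, the reading of cpu_load as an upper bound, the sample CPU load of 12, and MAYBE meaning "a matching entry has a condition with no registered evaluator" are assumptions made for the example.

```python
from datetime import time

YES, NO, MAYBE = "YES", "NO", "MAYBE"

# Constructed EACL modelled on the slide's example for host kot.isi.edu.
# Entry layout (assumed): (principal, operations, conditions); "*" = any operation.
EACL = [
    (("GROUP", "kerberos.v5", "oper@ISI.EDU"), {"*"}, {}),
    (("USER", "kerberos.v5", "joe@ISI.EDU"), {"load"},
     {"time_w": (time(6), time(20)), "cpu_load": 20}),
]
JOE = {("USER", "kerberos.v5", "joe@ISI.EDU")}

def time_w(window, env):
    """Met when the request time lies inside the window (inclusive)."""
    start, end = window
    return start <= env["now"] <= end

def cpu_load(limit, env):
    """Assumed meaning: met when the host's CPU load does not exceed the limit."""
    return env["cpu_load"] <= limit

EVALUATORS = {"time_w": time_w, "cpu_load": cpu_load}

def check_authorization(eacl, identities, operation, env, evaluators):
    """Return (answer, names of conditions left unevaluated)."""
    pending = []
    for principal, operations, conditions in eacl:
        if principal not in identities:
            continue
        if "*" not in operations and operation not in operations:
            continue
        results = {name: evaluators[name](value, env) if name in evaluators else None
                   for name, value in conditions.items()}
        if False in results.values():
            continue  # a condition was evaluated and is not met
        unknown = [name for name, met in results.items() if met is None]
        if not unknown:
            return YES, []  # entry matches and every condition holds
        pending = pending or unknown  # no evaluator registered: cannot decide yet
    return (MAYBE, pending) if pending else (NO, [])  # nothing matched: deny

if __name__ == "__main__":
    env = {"now": time(10, 7), "cpu_load": 12}  # constructed request context
    print(check_authorization(EACL, JOE, "load", env, EVALUATORS))
    print(check_authorization(EACL, JOE, "load", env, {"time_w": time_w}))
```
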
Status
• Current Prototype
  The prototype is used within our current PRM testbed to check user authorization based on the policies in the EACL file.
  - implemented PRM-specific conditions: time window, idle time and CPU load
  - only the default policy per domain is used
• IETF drafts
  - draft-ietf-cat-acc-cntrl-frmw-00.txt
  - draft-ietf-cat-gaa-cbind-00.txt
• Future work
  - implementing the local EACL policy mechanism
  - other PRM-specific conditions
  - refining the EACL evaluation algorithm
  - requesting additional credentials and evaluation of acquired ones

Summary
• Flexible and configurable security policy
• Integration of local and distributed policies
• Fine-grained access control
• Facilitation of authorization decisions
• Contact authors at {grig, bcn, tryutov}@isi.edu