1 / 13

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans

This presentation showcases the concepts of authorization framework applied to Grids, with a focus on the current implementation based on the Globus Security Infrastructure. It also discusses possible future authorization concepts in Grids.

jenkinsc
Download Presentation

Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14th Salt Lake City Leon Gommans lgommans@science.uva.nl Advanced Internet Research Group Informatics Institute University of Amsterdam

  2. Goal • Show authorization framework concepts of RFC2904 applied to the Grid ( at FL300 ) • Show current implementation based on Globus Security Infrastructure (www.globus.org) • Show possible future authorization concepts.

  3. Grids • Allow individuals / institutes in science or industry to form virtual organizations as to pool resources (computers, networks, data) and pursue a common goal. • Current GRID Security Infrastructure (GSI): • Allows access to multi-domain resources with a single sign-on • Allows organizations to remain in control of their resources • GSS-API / TLS based More details: http://www.globus.org/documentation/incoming/butler.pdf

  4. Use of X509 Certificates and Proxy Certificates to *: • Remote login and access control for "standard" services.Client/server and server/client authentication.Authenticated and encrypted messages via GSS.Authenticated and encrypted streams via SSL and TLS.Authenticated and encrypted Web server access via https • Impersonate and establish (a chain of) delegation. *) Ref: http://archive.ncsa.uiuc.edu/General/GridForum/SWG/taxonomy.html and draft-ietf-pkix-proxy-01.txt

  5. Trust Relationship User Home Org AAA User Admin Authorization Request User Token Trust Relationship Service Request + Token Service Provider Service Ack AAA Service Admin RFC 2904 Roaming Push Model and trust relationships

  6. Globus GRID Model AAA Grid RA/CA AAA AAA AAA Registration Request + Unsigned Certificate Certificate SN = John Issuer=CA User CRL Logon sequence Unsigned Impersonation Certificate End Entity Private key Certificate SN = “” or ? Altname = John / Proxy Issuer=John AAA Grid Resources AAA AAA AAA Note: Push sequence is reversed Hybrid push/pull ? Proxy Private key user authorizes impersonation to enable single sign-on access to grid resources

  7. Globus GRID Model Grid RA/CA List of subjects and their authorizations (gridmapfile) User (offline) CA Cert Request CA Cert John Sue AAA Grid Resources (offline) Service Subscription process AAA AAA AAA Users need to be authorized by service for access Users need to register with service to enable services

  8. John’s Credentials User Gatekeeper (Proxy) CA(‘s) John Sue AAA CRL  John Proxy Credentials John Proxy Credentials Resource 1 Resource 2 RFC2904 Distributed Services Model John Proxy Credentials AAA AAA John Sue John Dave List of global subjects and their authorizations Service Domain A Service Domain B

  9. “Industrializing” the Grid • Allow commercial organizations to collaborate in easy to use, secure and reliable fashion • interoperability, confidentiality, privacy, availability, integrity etc. • Ad hoc usage of Grid available resources need to be converted in units that can be settled as subscribed services do not scale. • resource usage, storage, digital rights etc. • Grid resources need procurement, user in driving seat. • user authorizes usage up to a certain limit.

  10. Workflow • create relationship with home organization that can authorize a usage limit. • create relationship with organization that represents a community and authorizes access to and usage of resources belonging to a Virtual Organization based on authorized usage limit. • use resources based on authorization from Virtual Organization

  11. Home Org Home Authorization User Community Org Community Authorization User Authorization Grid Service Provider Grid Services Roaming authorization Push Model as one of many options

  12. Thank you More info draft-ietf-pkix-proxy-01.txt www.globus.org www.ggf.org www.aaaarch.org

More Related