Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors)
Tanya Levshina
Talk Outline
• Privilege Project
• Project Collaboration
• GUMS
• PRIMA/SAML
• gPlazma
• SAZ
• Future
• Contacts, etc.
APAC 2006 VOMRS
Privilege Project
Goal: the Privilege Project provides fine-grained authorization for access to grid-enabled resources and services.
• Improves user account assignment and management at grid sites.
• Reduces the associated administrative overhead.
• Provides flexible and dynamic user-to-account mapping based not only on user identity (distinguished name) but also on VO-related attributes (FQAN), following the principle of least-privilege access.
• Limits the damage a malicious entity can cause when a user's credentials are compromised: a compromised proxy only carries the privileges of the role it was issued for.
• Obtains different authorization for different activities (the same DN can be mapped to different accounts depending on the FQAN presented).
• The VO Privilege Project software relies on, interfaces to and further develops at least some of the following independent pieces of VO-implemented and site-implemented authorization software: VOMRS, VOMS, the gridmap callout interface, GUMS, gPlazma and SAZ.
• The project is responsible for the development and maintenance of the infrastructure and for assisting with deployment and support on the OSG.
Privilege Project Collaboration (slide from G. Garzoglio's presentation at the HPDC Workshop)
• Stakeholders giving requirements: US CMS and US ATLAS.
• Joint project of Fermilab, BNL, PPDG, Virginia Tech, UCSD and OSG.
• Different institutions are responsible for the maintenance of different components.
• Project started in 2003.
• Core software distributed via VDT.
Privilege Project Architecture (diagram on the original slide; the flow below is reconstructed from its labels)
• Grid Site services are split into VO Services (VOMRS, VOMS) and Sitewide Services (GUMS, SAZ). The user registers with VOMRS, which synchronizes with VOMS; GUMS synchronizes membership (DN, FQAN) from VOMS.
• The user obtains a VOMS proxy (get-voms-proxy) and submits a request with that voms-proxy to the CE or the SE.
• CE path: the Gatekeeper / Job Manager invokes the Prima/SAML callouts (C), which pass the DN and FQAN to GUMS and receive the user name, and ask SAZ "Is authorized?" and receive Yes/No.
• SE path: SRM invokes gPlazma, which through the Prima/SAML client (Java) passes the DN and FQAN to the Storage Auth Service; that service obtains the user name from GUMS and the storage priv set, and returns the storage priv set to gPlazma.
• Legend: Privilege Project modules are distinguished from VO management services.
GUMS
Goal: GUMS (Grid User Management System) maps users' grid credentials to site-specific identities in accordance with the site's grid resource usage policy.
• Replaces the Globus grid-mapfile.
• Retrieves membership information from a VO server such as an LDAP server or VOMS.
• Can be configured to generate static grid-mapfiles or to map users dynamically as each job is submitted.
• If configured to generate a grid-mapfile, GUMS downloads the file to each gatekeeper as scheduled or as requested by an administrator via the GUMS client tools.
• If configured to map users dynamically and individually, GUMS is called by the gatekeeper via PRIMA callouts upon each job submission.
• Uses a configuration file written in XML that maps a particular group of users to either a pool account or an individual account.
• Stores the pool account assigned to a user's DN in a database.
• Does not reuse an assigned pool account.
• Has ways to increase the pool range.
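To make the mapping policy concrete, here is an added example (not GUMS's own code; GUMS is configured in XML and keeps its assignments in a database) of a mapper that resolves a (DN, FQAN) pair through ordered rules, hands out sticky pool accounts that are never reused, can extend a pool's range, and renders the current assignments as grid-mapfile lines. The rule format, the account names and the DNs are all made up for this example.

```python
import fnmatch

# Constructed policy for this example. Rules are ordered and the first FQAN
# pattern that matches wins, so the specific production rule must precede
# the /cms/* catch-all. The dict shape is an assumption made here; GUMS
# itself is configured in XML.
RULES = [
    {"fqan": "/cms/Role=production/*", "account": "cmsprod"},            # one dedicated account
    {"fqan": "/cms/*",                 "pool": "cms",   "range": (1, 3)},  # cms001..cms003
    {"fqan": "/atlas/*",               "pool": "atlas", "range": (1, 2)},  # atlas001..atlas002
]


class PoolExhausted(Exception):
    """Every account in the pool is already assigned; the range must be extended."""


class Mapper:
    def __init__(self, rules):
        self.rules = [dict(r) for r in rules]
        # (dn, rule pattern) -> account. Stands in for the GUMS database.
        # Entries are never deleted, so an account handed to one DN is never
        # reissued to another ("does not reuse assigned pool account").
        self.assigned = {}

    def map_user(self, dn, fqan):
        """Return the site account for (dn, fqan), or None if no rule applies."""
        for rule in self.rules:
            if not fnmatch.fnmatchcase(fqan, rule["fqan"]):
                continue
            if "account" in rule:                       # shared or individual account
                self.assigned[(dn, rule["fqan"])] = rule["account"]
                return rule["account"]
            return self._assign_from_pool(dn, rule)     # pool account
        return None  # no policy covers this FQAN: the caller must deny access

    def _assign_from_pool(self, dn, rule):
        key = (dn, rule["fqan"])
        if key in self.assigned:
            return self.assigned[key]                   # sticky: same DN, same account
        lo, hi = rule["range"]
        taken = {acct for (_, pat), acct in self.assigned.items() if pat == rule["fqan"]}
        for i in range(lo, hi + 1):
            candidate = f"{rule['pool']}{i:03d}"
            if candidate not in taken:
                self.assigned[key] = candidate
                return candidate
        raise PoolExhausted(f"pool {rule['pool']!r} ({lo}-{hi}) is full")

    def extend_pool(self, pool, new_hi):
        """Grow a pool's numeric range; this is the only way to obtain more accounts."""
        rule = next(r for r in self.rules if r.get("pool") == pool)
        lo, hi = rule["range"]
        if new_hi <= hi:
            raise ValueError("new upper bound must exceed the current one")
        rule["range"] = (lo, new_hi)

    def grid_mapfile(self):
        """Render the current assignments as Globus grid-mapfile lines."""
        return "\n".join(f'"{dn}" {acct}' for (dn, _), acct in sorted(self.assigned.items()))


if __name__ == "__main__":
    m = Mapper(RULES)
    alice = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 123"        # constructed DN
    print(m.map_user(alice, "/cms/Role=production/Capability=NULL"))  # cmsprod
    print(m.map_user(alice, "/cms/Role=NULL/Capability=NULL"))        # cms001
    print(m.grid_mapfile())
```

Note what the rendered grid-mapfile shows: a DN that has been mapped under two FQANs appears twice, once per account. A static grid-mapfile has no column for the FQAN, so it cannot express that distinction; the role-based least-privilege mapping only takes effect in the dynamic, per-job callout mode.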
PRIMA/SAML
PRIMA is an implementation of the Globus authorization callout.
• Allows message exchange between Globus and the Authorization Service using the SAML protocol.
• Extracts proxy information (the DN and VOMS FQANs) from the certificate.
• Retrieves mapping information from the Authorization Service.
• PRIMA provides for the grid-layer management and delegation of privileges on a user-to-user and administrator-to-user basis.
• The holder of privileges can selectively provide individual privileges to grid resources when requesting access. This enables least-privilege access to resources and gives the user fine-grained control over the resource usage of the requested services.
• The user-supplied privileges are combined with the administrator-provided policies to render a dynamic authorization decision.
gPlazma
Goal: gPlazma (Grid-aware PLuggable AuthoriZation MAnagement) provides the authorization decision and the site-specific user information relevant to a user's credential when requested by storage cells (gridFtpdoor, SRM).
• Supports the use of plugins that implement various selectable authorization methods.
• One of the methods uses the Prima Java SAML libraries to form a SAML query and contacts the Storage Auth Service, which
  • retrieves the username from GUMS by providing the user's DN and FQAN,
  • retrieves the storage-privilege set {uid, gid, permitted storage area, r/w permissions} from the Storage Meta Data Service, and
  • returns a User Authorization Record (in SAML response format) to gPlazma.
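The decision gPlazma obtains through the Storage Auth Service, as an added example (not dCache, gPlazma or PRIMA code): a lookup standing in for GUMS resolves (DN, FQAN) to a username, a second lookup standing in for the Storage Meta Data Service supplies the privilege set {uid, gid, storage area, r/w}, and is_permitted() decides a read or write on a path. The record's field names, the two lookups, the DNs, FQANs and paths are all constructed for the example; the real service answers in SAML.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class UserAuthorizationRecord:
    """Stand-in for what the Storage Auth Service returns to gPlazma.
    Field names are this example's; the real service answers in SAML."""
    username: str
    uid: int
    gid: int
    storage_area: str   # permitted storage subtree
    can_read: bool
    can_write: bool


ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 123"   # constructed DNs
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 456"
PROD = "/cms/Role=production/Capability=NULL"                  # constructed FQANs
USER = "/cms/Role=NULL/Capability=NULL"

# Stand-in for the GUMS lookup: (DN, FQAN) -> username. The same DN resolves
# to a different account depending on the FQAN it presents.
USERNAMES = {
    (ALICE, PROD): "cmsprod",
    (ALICE, USER): "cms001",
    (BOB, USER): "cms002",
}

# Stand-in for the Storage Meta Data Service: username -> privilege set.
STORAGE_PRIVS = {
    "cmsprod": dict(uid=5100, gid=5000, storage_area="/pnfs/site/cms",       can_read=True, can_write=True),
    "cms001":  dict(uid=5201, gid=5000, storage_area="/pnfs/site/cms/users", can_read=True, can_write=False),
    "cms002":  dict(uid=5202, gid=5000, storage_area="/pnfs/site/cms/users", can_read=True, can_write=False),
}


def authorize(dn, fqan):
    """Resolve (dn, fqan) to a UserAuthorizationRecord, or None to deny."""
    username = USERNAMES.get((dn, fqan))
    if username is None or username not in STORAGE_PRIVS:
        return None
    return UserAuthorizationRecord(username=username, **STORAGE_PRIVS[username])


def _inside(area, path):
    """True only if the normalised absolute path lies within the storage area.
    Normalising first is what stops '/cms/users/../../atlas' from passing a
    naive prefix check; the trailing '/' stops '/cms/usersX' from matching."""
    if not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)
    area = posixpath.normpath(area)
    return norm == area or norm.startswith(area.rstrip("/") + "/")


def is_permitted(record, op, path):
    """Decide one SRM/GridFTP request; op is 'read' or 'write'. Default deny."""
    if record is None:
        return False
    if op == "read":
        allowed = record.can_read
    elif op == "write":
        allowed = record.can_write
    else:
        return False
    return allowed and _inside(record.storage_area, path)
```

The two checks a practitioner should take from this: the path is normalised before the storage-area prefix test, so a `..` component cannot escape the permitted subtree, and every unknown case (no mapping, no privilege set, unknown operation) falls through to deny. Alice presenting the production FQAN gets a writable record; the same Alice presenting the plain member FQAN gets a read-only one, which is the "different authorization for different activities" the project aims at.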
SAZ
Goal: SAZ (Site Authorization Service) allows the security authorities of the grid site to impose sitewide policy and to control access to the site.
• Allows administrators to control user access to the site resources.
• Provides means to retrieve information about users and their access.
• Authorizes a user by checking
  • the user's certificate chain,
  • the status of the VO FQAN provided in the extended (VOMS) certificate, and
  • the user's access status.
• Provides centralized maintenance of Certificate Revocation Lists (CRLs).
Future Directions (slide from G. Garzoglio's presentation at the HPDC Workshop)
• Publication of role-based privilege policies
• Simplify / aggregate architecture
  • Streamline gPlazma infrastructure (direct connection to GUMS)
  • Reorganization of PDP services (GUMS talking to SAZ)
• Update communication protocols (from extended SAML v1.1 to SAML v2.0)
• Improve PRIMA build process
• Extend privilege enforcing to network management
• Long-term directions
  • Investigate direct DN rights enforcement (no UID mapping)
  • Integrate Privilege Project with Policy Discovery Services
  • Extend privilege enforcing to include privacy
  • Executable integrity
Contacts, etc.
Project leader: G. Garzoglio
• Email: privilege_project@fnal.gov
• On the web at http://computing.fnal.gov/doc/products/voprivilege
• GUMS: developed by G. Carcassi (BNL), currently supported by J. Hover (BNL)
  • On the web: http://grid.racf.bnl.gov/GUMS
• PRIMA/SAML callouts: developed by M. Lorch, currently supported by I. Sfiligoi
  • On the web: http://computing.fnal.gov/docs/products/voprivilege/prima/prima.html
• gPlazma: developed by A. Rana, currently supported by T. Hesselroth
  • On the web: http://www.dcache.org/manuals/Book/cf-gplazma.shtml
• SAZ: developed by V. Sekhri, currently supported by V. Sergeev
  • On the web: http://www.fnal.gov/docs/products/saz/v_vo1/SAZ.htm (old)