Distributed Programmable Authorisation
David Chadwick
GALT 03
X.812 | ISO 10181 Access Control Framework

[Diagram: the Initiator submits an access request to the AEF; the AEF sends a decision request to the ADF and receives a decision; if the decision permits it, the AEF presents the access request to the Target.]

AEF = (application dependent) Access control Enforcement Function
ADF = (application independent) Access control Decision Function
Policy Based Authorisation Today (based on ISO 10181-3)

[Diagram: the application's Access control Enforcement Function sends an authorisation decision request to the ADF and receives an authorisation decision. Inputs to the ADF: initiator ADI, target ADI, access request ADI, retained ADI, contextual information, and the access control policy rules.]

ADI = Access control Decision Information
Example ADFs are Akenti, PERMIS and Cardea.
Authorisation Today for Distributed Applications

[Diagram: one distributed application spanning Site 1, Site 2 and Site 3, each with its own AEF; all three AEFs send decision requests to, and receive decisions from, a single standalone ADF that applies a common policy.]

Allows co-ordination, but the single ADF is a bottleneck to performance.
Authorisation Today for Distributed Applications

[Diagram: Site 1, Site 2 and Site 3 each have their own AEF and their own ADF; each AEF sends decision requests to, and receives decisions from, its local ADF. All three ADFs apply the same common policy.]

Increased performance, but lacks co-ordination between the site ADFs.
Authorisation Tomorrow for Distributed Applications

[Diagram: each site has its own AEF and ADF as before, but the ADFs co-ordinate with one another, and each applies a site specific policy.]

Performance and co-ordination.
How?
• By hierarchically decomposing distributed application authorisation policies into lower level, site specific policies
• Policies comprise rules for subjects, targets, actions and conditions: who can access what, in which way, and under what conditions
• Specify rules that say how targets and actions at the distributed application level are decomposed into targets and actions at the site specific level
• E.g. "UserA can run distributed application X on the Grid using a maximum of 3 MB of storage" might hierarchically decompose into:
  • UserA can read File F from site1 and search DB2 at site2, providing no more than 3 MB of data are retrieved in total
  • UserA can run the data processing application at any site with spare capacity
  • UserA can write output to their home site
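The following is an added illustration, not code from these slides or from PERMIS, Akenti or Cardea. It models the ISO 10181-3 AEF/ADF split from the earlier framework slides, a toy decomposition of the "UserA ... maximum of 3 MB" application rule into the site rules listed above, and the co-ordination point from the two "Authorisation Today" slides: the "no more than 3 MB in total" condition is retained ADI that no single site ADF can enforce on its own, so the scenario is run once with a shared quota co-ordinator and once with an isolated copy per site. All class names, the decomposition table and the byte counts are assumptions made for the example.

```python
# Added example (not from the slides or any named ADF implementation).
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass(frozen=True)
class Rule:
    """Site-specific rule: subject may perform action on target."""
    subject: str
    target: str
    action: str


@dataclass
class DecisionRequest:
    """What the AEF hands to the ADF: initiator ADI, target ADI, the requested
    action and contextual information (here: bytes the request would retrieve)."""
    initiator_adi: dict
    target_adi: dict
    action: str
    context: dict = field(default_factory=dict)


RETRIEVING_ACTIONS = {"read", "search"}   # actions that consume the shared quota


class QuotaCoordinator:
    """Retained ADI: running total of bytes retrieved per subject. One shared
    instance models a central co-ordinating ADF; one instance per site models
    the uncoordinated 'ADF per site' deployment."""
    def __init__(self, limit_bytes):
        self.limit = limit_bytes
        self.used = {}

    def reserve(self, subject, nbytes):
        used = self.used.get(subject, 0)
        if used + nbytes > self.limit:
            return False                       # deny without consuming quota
        self.used[subject] = used + nbytes
        return True


class SiteADF:
    """Application-independent decision function for one site."""
    def __init__(self, site, rules, coordinator):
        self.site = site
        self.rules = set(rules)
        self.coordinator = coordinator

    def decide(self, req):
        subject = req.initiator_adi["subject"]
        if Rule(subject, req.target_adi["resource"], req.action) not in self.rules:
            return "DENY"                      # no rule grants it: default deny
        if req.action in RETRIEVING_ACTIONS:   # 'no more than 3 MB in total' condition
            if not self.coordinator.reserve(subject, req.context.get("bytes", 0)):
                return "DENY"
        return "PERMIT"


class SiteAEF:
    """Application-dependent enforcement function: builds the decision request
    and enforces the ADF's answer."""
    def __init__(self, adf):
        self.adf = adf

    def access(self, subject, resource, action, nbytes=0):
        req = DecisionRequest({"subject": subject},
                              {"site": self.adf.site, "resource": resource},
                              action, {"bytes": nbytes})
        return self.adf.decide(req) == "PERMIT"


def decompose(app_rule, home_site, sites_with_capacity):
    """Toy decomposition of 'UserA can run application X on the Grid using at
    most 3 MB of storage' into per-site rules plus one shared limit. The mapping
    table is an assumption standing in for the ontology-driven rules."""
    s = app_rule["subject"]
    site_rules = {"site1": [Rule(s, "FileF", "read")], "site2": [Rule(s, "DB2", "search")]}
    site_rules.setdefault(home_site, []).append(Rule(s, "home", "write"))
    for site in sites_with_capacity:
        site_rules.setdefault(site, []).append(Rule(s, "dataproc", "run"))
    return site_rules, app_rule["max_total_bytes"]


APP_RULE = {"subject": "UserA", "application": "X", "max_total_bytes": 3 * MB}


def run_scenario(coordinated):
    """UserA retrieves 2 MB at site1, then 1 MB twice at site2, runs at site3,
    writes home, and UserB tries site1. Returns the enforcement outcomes."""
    site_rules, limit = decompose(APP_RULE, home_site="site3", sites_with_capacity=["site3"])
    shared = QuotaCoordinator(limit)
    aefs = {}
    for site, rules in site_rules.items():
        coord = shared if coordinated else QuotaCoordinator(limit)   # per-site copy: no co-ordination
        aefs[site] = SiteAEF(SiteADF(site, rules, coord))
    return [
        aefs["site1"].access("UserA", "FileF", "read", 2 * MB),
        aefs["site2"].access("UserA", "DB2", "search", 1 * MB),
        aefs["site2"].access("UserA", "DB2", "search", 1 * MB),   # 4 MB overall: over the limit
        aefs["site3"].access("UserA", "dataproc", "run"),
        aefs["site3"].access("UserA", "home", "write"),
        aefs["site1"].access("UserB", "FileF", "read", 1),         # no rule for UserB
    ]


if __name__ == "__main__":
    print("co-ordinated:  ", run_scenario(True))
    print("uncoordinated: ", run_scenario(False))
```

With the shared co-ordinator the third request is refused because the running total would reach 4 MB; with an isolated quota per site each ADF sees at most 2 MB locally and permits it, so the application-level condition is silently exceeded. That is exactly the gap the "Authorisation Tomorrow" slide closes with co-ordination between site ADFs.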
Proposed Methodology and Technology
• Specify rules in DAML/OIL/OWL for policy decomposition and produce an authorisation ontology
• Build a user friendly interface for policy/rule creation, based on a configurable ontology
• Use JTP from Stanford University, a DAML/OIL reasoning engine that can make inferences
• Build a reasoning compiler using the above that will read in the ontology and the application specific rules, and will produce site specific policies in XACML
• Build a secure policy distribution mechanism
• Build a co-ordination capability, either between the site specific ADFs or through a central co-ordinating ADF