
Application of Policy at Fermilab

Application of Policy at Fermilab. Stu Fuess, Fermilab / CD / CCF, 14 Sep 2005, MWSG Meeting. This presentation is from the point of view of an administrator, new to the grid community. I'm here to listen and learn, and will gladly take questions back to experts. It's a site / resource provider view.


Presentation Transcript


  1. Application of Policy at Fermilab
     Stu Fuess, Fermilab / CD / CCF
     14 Sep 2005, MWSG Meeting

  2. Introduction
     • This presentation is from the point of view of an administrator, new to the grid community
       • I'm here to listen and learn
       • Will gladly take questions back to experts
     • It's a site / resource provider view
       • Particular interest in security
     • Will talk about two things
       • SAZ (Site Authorization), as implemented at Fermilab
       • PPT (Policy, Publication, Trust), an embryonic OSG activity
     • In the standard model of authorization policy application…

  3. Standard authorization model (diagram; slide lifted from D. Groep, graphics from Globus Alliance & GGF OGSA-WG)
     • Policy comes from many stakeholders: user, VO, resource / service owner, site (local site policy), and others
     • Inputs to the decision: identity (PKI or Kerberos, via a PKI/Kerberos identity translation service), organizational role (a group of unique names, key material), attributes (user, VO, resource), delegation, and the authorization context (a process acting on the user's behalf)
     • Architecture: a Policy Enforcement Point consults a Policy Decision Point (PDP) / policy server, which combines VO policy, site / resource policy, and delegation policy into an allow or deny decision
     • Goal: standardize this architecture

  4. VOMS / OSG privilege scenario (diagram)
     • Submission site: the user runs voms-proxy-init against the VO's VOMS server(s) to obtain a proxy carrying VO attributes
     • Execution site: the Gatekeeper calls out through PRIMA to the site GUMS server for the authorization / mapping decision

  5. VOMS / OSG privilege scenario with SAZ (diagram)
     • Same flow as slide 4 (voms-proxy-init at the submission site; Gatekeeper, PRIMA and the site GUMS server at the execution site)
     • Added: a second PRIMA callout from the Gatekeeper to the site SAZ server

  6. SAZ: Site Authorization
     • SAZ is a service utilizing the authorization callout from the Globus Gatekeeper via a PRIMA interface
       • Providing a separate authorization service
       • Verifies certificate, CA, VO, and user
     • SAZ has been a specific exercise in FermiGrid which introduced a "white list" check of the certificate
       • Performing the Certificate Revocation List (CRL) function
       • Used to also generate a usage / auditing list
     • SAZ experience
       • Found to be "high maintenance": lots of effort to update the "white list"
       • Moving to a "black list" model; evaluating the code change, don't anticipate large effort
       • Looking to make SAZ invocation a mainstream process

  7. Site security perspective
     • If you make security decisions on a limited number of policy attributes, then in effect you operate as "default allow" with respect to the other attributes
     • "Default allow" is a fundamentally different mode of operation than "default deny"
       • Requires technical mitigations to limit vulnerabilities
       • Introduces the need for a strong reactive component of security
       • Requires agility and flexibility in response to unforeseen circumstances, which may well be external policy changes
     • Believe it necessary to add functionality to allow this mode: the PPT activity
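
The following is an added illustration of the site-authorization callout described on slides 6 and 7; it is not SAZ, PRIMA or any Fermilab code. It models a site decision point that checks, in order, the issuing CA, the CA's CRL, the VOMS VO attribute, and finally the site's own user list, and records every decision for an audit list. The same function is run in "white list" mode (default deny on the DN) and "black list" mode (default allow on the DN) to show the point of slide 7: once the site stops enumerating allowed users, an unknown DN passes on the strength of the remaining checks alone, so the CA, CRL and VO checks become the only technical mitigations left. All DNs, serials, FQANs and the `ProxyInfo` / `SitePolicy` field names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProxyInfo:
    """What the gatekeeper's authorization callout hands to the site decision point.
    Field names are this example's own, not SAZ's or PRIMA's."""
    subject_dn: str          # DN of the user's end-entity certificate
    issuer_dn: str           # DN of the issuing CA
    serial: int              # certificate serial number, looked up in the CA's CRL
    fqans: Tuple[str, ...]   # VOMS attributes, e.g. "/cms/Role=production/Capability=NULL"


@dataclass
class SitePolicy:
    trusted_cas: Set[str]
    crl: Dict[str, Set[int]] = field(default_factory=dict)   # issuer DN -> revoked serials
    accepted_vos: Set[str] = field(default_factory=set)
    mode: str = "whitelist"  # "whitelist" = default deny on DN, "blacklist" = default allow on DN
    user_whitelist: Set[str] = field(default_factory=set)
    user_blacklist: Set[str] = field(default_factory=set)


def vo_from_fqan(fqan: str) -> str:
    """A VOMS FQAN begins with the VO name: '/cms/Role=production' -> 'cms'."""
    return fqan.strip("/").split("/")[0]


def authorize(proxy: ProxyInfo, policy: SitePolicy, audit: List[dict]) -> Tuple[bool, str]:
    """Site checks in order: CA, CRL, VO, then the site's user list.
    Every decision, allow or deny, is appended to the audit list (slide 6's usage / auditing list)."""
    def decide(allowed: bool, reason: str) -> Tuple[bool, str]:
        audit.append({"dn": proxy.subject_dn, "allowed": allowed, "reason": reason})
        return allowed, reason

    if proxy.issuer_dn not in policy.trusted_cas:
        return decide(False, "issuer CA not trusted by site")
    if proxy.serial in policy.crl.get(proxy.issuer_dn, set()):
        return decide(False, "certificate revoked (CRL)")
    if not {vo_from_fqan(f) for f in proxy.fqans} & policy.accepted_vos:
        return decide(False, "no VO attribute accepted by site")
    if policy.mode == "whitelist":
        if proxy.subject_dn not in policy.user_whitelist:
            return decide(False, "DN not on site white list (default deny)")
    elif policy.mode == "blacklist":
        if proxy.subject_dn in policy.user_blacklist:
            return decide(False, "DN on site black list")
    else:
        return decide(False, "unknown policy mode")   # a misconfigured site policy fails closed
    return decide(True, "allowed in %s mode" % policy.mode)


def demo() -> Dict[str, bool]:
    """Constructed identities and policies (not real grid data); returns the decision per scenario."""
    ca = "/DC=org/DC=example/CN=Example Grid CA"
    other_ca = "/DC=org/DC=example/CN=Some Other CA"
    cms = ("/cms/Role=NULL/Capability=NULL",)
    alice = ProxyInfo("/DC=org/DC=example/OU=People/CN=Alice", ca, 1001, cms)
    bob = ProxyInfo("/DC=org/DC=example/OU=People/CN=Bob", ca, 1002, ("/cms/Role=production/Capability=NULL",))
    mallory = ProxyInfo("/DC=org/DC=example/OU=People/CN=Mallory", ca, 1003, cms)
    alice_old = ProxyInfo(alice.subject_dn, ca, 999, cms)              # earlier certificate, now on the CRL
    carol = ProxyInfo("/DC=org/DC=example/OU=People/CN=Carol", other_ca, 7, cms)

    common = dict(trusted_cas={ca}, crl={ca: {999}}, accepted_vos={"cms"})
    white = SitePolicy(mode="whitelist", user_whitelist={alice.subject_dn}, **common)
    black = SitePolicy(mode="blacklist", user_blacklist={mallory.subject_dn}, **common)

    audit: List[dict] = []
    results = {
        "alice_whitelist": authorize(alice, white, audit)[0],         # True: enumerated user
        "bob_whitelist": authorize(bob, white, audit)[0],             # False: unknown DN, default deny
        "bob_blacklist": authorize(bob, black, audit)[0],             # True: unknown DN, default allow
        "mallory_blacklist": authorize(mallory, black, audit)[0],     # False: explicitly listed
        "revoked_blacklist": authorize(alice_old, black, audit)[0],   # False: CRL check still applies
        "untrusted_ca_blacklist": authorize(carol, black, audit)[0],  # False: CA check still applies
    }
    assert len(audit) == len(results)   # one audit record per decision, allow or deny
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-24s %s" % (name, "ALLOW" if allowed else "DENY"))
```

In the black-list run Bob is admitted although the site has never heard of him; the only things standing between an arbitrary VO member and the site are the CA trust list, the CRL and the VO attribute check, which is why slide 7 pairs the move to "default allow" with stronger technical mitigations and a reactive (revocation, black-listing) capability.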

  8. PPT: Policy, Publication, and Trust
     • It's the standard authorization model containing policy components from VO, site, and elsewhere (GGF / EGEE diagram)
     • And now working "bottom up" from the site
       • This is the current principal exercise: understanding site requirements
       • Site requirements may demand more info than the VO supplies! The "trickle down" policy mode may be insufficient
       • Flexibility to make decisions beyond the certificate level; e.g. constraints may be imposed by funding agencies

  9. PPT: Policy, Publication, and Trust (continued)
     • Expanding the policy model…
     • The "Publication" part: how do the site / resource provider needs "flow back up"?
       • Not yet… but can think of ways
       • Feedback loops: try again, but this time add information on "this"
       • Matrix of policy queries: tell me "this"
       • How does this get to the human info providers?
     • The "Trust" part: how can a site / resource provider verify that VO-supplied information is correct?
     • Want to align PPT with similar efforts: it looks like there is a lot "out there"; is there a desire to collaborate?

  10. Conclusion
      • We have a strong motivation to increase efforts in implementing policy mechanisms
        • Site security concerns will remain the overwhelming factor
        • Experience / "gut feeling" is that the current model may not allow sufficient flexibility / responsiveness
      • This is a new environment, receiving much scrutiny
      • Want to use the effort as an opportunity to adopt, build upon, align with, supplement, improve, and contribute to the community effort
      • Comments welcome: fuess@fnal.gov
