The PRIMA Grid Authorization System, Markus Lorch and Dennis Kafura - PowerPoint PPT Presentation



SLIDE 1

1 CS 6204, Spring 2005

The PRIMA Grid Authorization System

Markus Lorch and Dennis Kafura

Bharath Ramesh

SLIDE 2

PRIvilege Management Authorization (PRIMA)

A system to provide enhanced grid security services

♦ Secure, fine grained privileges
♦ Dynamic policy generation
♦ Dynamic execution environment

Requirements were derived from usage scenarios and a survey of grid users. Scenarios for the survey:

– Scenario 1: Ad-hoc Collaboration
– Scenario 2: Multi-Project User

Implemented as an extension of the Globus Toolkit

SLIDE 3

Security Requirements

Security requirements that were identified from the surveys

♦ Fully distributed mechanism
♦ Fine grained access rights
♦ Direct delegation of authorization
♦ Selective use of access rights
♦ Fine grain enforcement
♦ Support for legacy and untrusted applications

How PRIMA addresses these requirements

♦ Privileges
♦ Dynamic policies
♦ Dynamic execution environments

SLIDE 4

PRIMA Concepts: Overview

SLIDE 5

PRIMA Concepts: Privileges

Privilege refers to access rights with the following properties

– Fully associated: explicitly specify the subjects, the objects, and the actions allowed by the subjects on that object
– Directly applicable: access rights can be exercised without interpretation

Privileges are embedded in a container to protect against manipulation.

PRIMA privilege properties:

– Well defined lifetime
– Fine grain

SLIDE 6

PRIMA Concepts: Dynamic Policies

All permissible privileges constitute a dynamic policy for a request. The Policy Enforcement Point (PEP) checks for:

– Applicability
– Validity
– Authority

Policy Decision Point (PDP) makes the following decisions:

– Coarse decision
– Obligations of the PEP

SLIDE 7

PRIMA Concepts: PEP Obligations

♦ Additional constraints on an authorization decision are called obligations.
♦ If the PEP cannot fulfill an obligation, then it disallows the access from proceeding.
♦ Obligations address the subtle issues of fine-grained authorization, such as a mismatch in the level of detail between the request and the policies.
♦ Obligations help in maintaining system state.
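The PEP/PDP split of slides 6 and 7, modelled as an added example (this is not PRIMA's own code): the PEP filters privileges by applicability, validity and authority into the dynamic policy, the PDP returns a coarse decision plus obligations, and the PEP refuses access when any obligation cannot be fulfilled. The privilege fields, the issuer trust table and the sample data are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the PRIMA PEP/PDP split from slides 6 and 7.
# All names, the trust table and the sample data are assumptions, not PRIMA code.

@dataclass(frozen=True)
class Privilege:
    subject: str   # holder of the access right
    obj: str       # object (resource prefix) the right applies to
    action: str    # action the subject may perform on obj
    issuer: str    # party that issued the privilege container
    expires: int   # end of the well-defined lifetime (epoch seconds)

# Assumed trust table: which issuers have authority over which objects.
AUTHORITY = {"/data/projectA/": {"pi-alice"}, "/data/projectB/": {"pi-bob"}}

def pep_dynamic_policy(privs, subject, obj, action, now):
    """PEP checks each privilege for applicability, validity and authority.
    The survivors form the dynamic policy for this one request."""
    policy = []
    for p in privs:
        applicable = p.subject == subject and obj.startswith(p.obj) and p.action == action
        valid = p.expires > now
        authorised = p.issuer in AUTHORITY.get(p.obj, set())
        if applicable and valid and authorised:
            policy.append(p)
    return policy

def pdp_decide(policy, obj, action):
    """PDP returns a coarse permit/deny plus the obligations the PEP must fulfil."""
    if not policy:
        return "deny", []
    # Obligations refine the coarse decision to the request's level of detail:
    # grant exactly this right, and tear it down when the shortest lifetime ends.
    return "permit", [("grant_acl", obj, action),
                      ("expire_at", min(p.expires for p in policy))]

def pep_enforce(decision, obligations, fulfil):
    """Access proceeds only if every obligation is fulfilled (slide 7)."""
    return decision == "permit" and all(fulfil(o) for o in obligations)

def authorize(privs, subject, obj, action, now, fulfil):
    """Full pipeline: dynamic policy -> PDP decision -> PEP enforcement."""
    policy = pep_dynamic_policy(privs, subject, obj, action, now)
    decision, obligations = pdp_decide(policy, obj, action)
    return pep_enforce(decision, obligations, fulfil)
```

`fulfil` stands in for whatever the PEP does to carry out an obligation (for PRIMA, provisioning the execution environment); returning False from it is the "cannot fulfill" case on slide 7.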

SLIDE 8

PRIMA Concepts: Dynamic Execution Environments

♦ Each authorized request is executed within a specific execution environment.
♦ An execution environment can be implemented as:

– Unix process space
– Sandboxing
– Hosting environment for web and grid services

♦ The execution environment provides the added benefit of executing legacy and untrusted applications.
♦ Execution environments can be provisioned in various ways, such as:

– Identity authorization
– Mixed mode authorization
– Privilege-based authorization

SLIDE 9

PRIMA Architecture and System Components: Overview

SLIDE 10

PRIMA Architecture and System Components: The Globus GRAM Authorization Call-Out

♦ The Globus Gatekeeper is extended with two interfaces:

– Identity mapping interface.
  • Replaces the static grid-map file mechanism.
– Code for parsing the call-out configuration file.
  • Loading and initializing modules.
  • Logging to the existing Globus gss_assist library.

SLIDE 11

PRIMA Architecture and System Concepts: PRIMA Authorization Module

The PRIMA Authorization module interfaces with the Globus gatekeeper. The authorization module performs the following steps in sequence:

– Validates privileges and requests authorization decisions.
– Determines the user account which will be used to service the request.
– Provisions the selected user account with access rights.

SLIDE 12

PRIMA Architecture and System Components: Validation and Decision process

♦ The PRIMA authorization module receives a Generic Security Services (GSS) context from the Globus gatekeeper.
♦ The authorization module extracts and verifies the privileges contained in the GSS context.
♦ On validation, the PRIMA authorization module determines the authority of the privilege attributes' issuer.

SLIDE 13

PRIMA Architecture and System Components: Authorization request and response

SLIDE 14

PRIMA Architecture and System Components: User Mapping

SLIDE 15

PRIMA Architecture and System Components: Enforcement Mechanisms

PRIMA uses the following mechanisms to control file access:

– POSIX.1e file system access control lists. PRIMA dynamically modifies the system's ACLs, based on the authorization module's decision, to set access rights for the execution environment.
– XML-based Grid Access Control Lists (GACLs). The enforcement mechanism is similar to that used for POSIX ACLs.

PRIMA can be extended to use iptables to control access to the network.

The PRIMA Privilege Revocator, associated with PRIMA-enabled resources, automatically revokes privileges and dynamic users as they expire.
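An added simulation of the enforcement and revocation behaviour on this slide (not PRIMA's own code): an in-memory table stands in for the POSIX.1e ACLs, `provision` sets rights for an execution-environment account, `check_access` enforces them, and `revoke_expired` plays the Privilege Revocator, dropping expired entries and then the dynamic accounts that no longer hold any right. Account names, paths and lifetimes are constructed sample data.

```python
# Constructed simulation of PRIMA's ACL-based enforcement and the Privilege
# Revocator from slide 15. The in-memory table stands in for the real
# POSIX.1e ACLs; names and sample data are assumptions, not PRIMA code.

# ACL[path] -> {account: (set of permissions, expiry as epoch seconds)}
ACL = {}
# dynamic accounts currently provisioned for execution environments
DYNAMIC_ACCOUNTS = set()

def provision(account, grants):
    """Provision an execution-environment account with the rights that the
    dynamic policy allowed. grants: iterable of (path, permission, expires)."""
    DYNAMIC_ACCOUNTS.add(account)
    for path, perm, expires in grants:
        entries = ACL.setdefault(path, {})
        perms, old_exp = entries.get(account, (set(), 0))
        # Keep the longest lifetime granted to this account on this path.
        entries[account] = (perms | {perm}, max(old_exp, expires))

def check_access(account, path, perm, now):
    """Enforcement: the request is allowed only by an unexpired ACL entry."""
    perms, expires = ACL.get(path, {}).get(account, (set(), 0))
    return perm in perms and expires > now

def revoke_expired(now):
    """Privilege Revocator: drop expired entries, then drop dynamic accounts
    that no longer hold any right. Returns (entries removed, accounts removed)."""
    removed_entries = 0
    for path in list(ACL):
        for account, (_, expires) in list(ACL[path].items()):
            if expires <= now:
                del ACL[path][account]
                removed_entries += 1
        if not ACL[path]:
            del ACL[path]
    still_used = {acct for entries in ACL.values() for acct in entries}
    orphaned = DYNAMIC_ACCOUNTS - still_used
    DYNAMIC_ACCOUNTS.difference_update(orphaned)
    return removed_entries, sorted(orphaned)
```

Running `revoke_expired` periodically with the current time gives the automatic expiry the slide describes; a real deployment would apply the same changes to the file system ACLs and user accounts instead of this table.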

SLIDE 16

Conclusion

♦ PRIMA is designed to support spontaneous, short-lived collaboration
♦ PRIMA contributes towards scalable grid environments
♦ PRIMA has been implemented as an extension to the Globus Toolkit