the prima grid authorization system
play

The PRIMA Grid Authorization System Markus Lorch and Dennis Kafura - PowerPoint PPT Presentation

Aug 16, 2023 •203 likes •368 views

The PRIMA Grid Authorization System Markus Lorch and Dennis Kafura Bharath Ramesh CS 6204, Spring 2005 1 PRIvilege Management Authorization (PRIMA) A system to provide enhanced grid security services Secure, fine grained privileges

  1. The PRIMA Grid Authorization System Markus Lorch and Dennis Kafura Bharath Ramesh CS 6204, Spring 2005 1

  2. PRIvilege Management Authorization (PRIMA) A system to provide enhanced grid security services ♦ Secure, fine grained privileges ♦ Dynamic policy generation ♦ Dynamic execution environment Requirements derived from usage scenarios and survey of grid users. Scenarios for survey – Scenario 1: Ad-hoc Collaboration – Scenario 2: Multi-Project User Implemented as an extension of the Globus Toolkit CS 6204, Spring 2005 2

  3. Security Requirements Security requirements that were identified from the surveys ♦ Fully distributed mechanism ♦ Fine grained access rights ♦ Direct delegation of authorization ♦ Selective use of access rights ♦ Fine grain enforcement ♦ Support for legacy and untrusted applications How PRIMA addresses these requirements ♦ Privileges ♦ Dynamic policies ♦ Dynamic execution environments CS 6204, Spring 2005 3

  4. 4 PRIMA Concepts: Overview CS 6204, Spring 2005

  5. PRIMA Concepts: Privileges Privilege refers to access rights with the following properties – Fully associated: explicitly specify subjects, objects and allowed action by the subjects on that object – Directly applicable: access rights can be exercised without interpretation Privileges are embedded in a container to protect against manipulation PRIMA privileges properties: – Well defined lifetime – Fine grain CS 6204, Spring 2005 5

  6. PRIMA Concepts: Dynamic Policies All permissible privilege constitute a dynamic policy for a request Policy Enforcement Point (PEP) checks for: – Applicability – Validity – Authority Policy Decision Point (PDP) makes the following decisions: – Coarse decision – Obligations of PEP CS 6204, Spring 2005 6

  7. PRIMA Concepts: PEP Obligations ♦ Additional constraints to an authorization decision is called obligations ♦ If PEP cannot fulfill an obligation then it disallows access to proceed ♦ Obligation address the subtle issues of fine- grained authorization like mismatch in level of detail between request and policies. ♦ Obligations help in maintaining system state. CS 6204, Spring 2005 7

  8. PRIMA Concepts: Dynamic Execution Environments ♦ Each authorized request is executed within a specific execution environment. ♦ Execution environment can be impelented as: – Unix process space – Sandboxing – Hosting environment for web and grid services ♦ The execution environment provide the added benefit to execute legacy and untrusted applications. ♦ Execution environments can be provisioned in various ways like: – Identity authorization – Mixed mode authorization – Privilege-based authorization CS 6204, Spring 2005 8

  9. PRIMA Architecture and System Components: Overview CS 6204, Spring 2005 9

  10. PRIMA Architecture and System Components: The Globus GRAM Authorization Call-Out ♦ Globus Gatekeeper extended with two interfaces: – Identity mapping interface. • Replaces static grid-map file mechanism. – Code for parsing call-out configuration file. • Loading and initializing modules. • Logging to the existing Globus gss_assist library. CS 6204, Spring 2005 10

  11. PRIMA Architecture and System Concepts: PRIMA Authorization Module PRIMA Authorization module interfaces with Globus gatekeeper. The authorization module performs following steps in sequence – Validate privileges and requests authorization decisions. – Determines user account which will be used to service request. – Provision the selected user account with access rights. CS 6204, Spring 2005 11

  12. PRIMA Architecture and System Components: Validation and Decision process ♦ PRIMA authorization module receives Generic Security Services (GSS) context from Globus gatekeeper. ♦ Authorization module extracts and verifies privileges contained in GSS. ♦ On validation PRIMA authorization module determines authority of the privilege attributes issuer. CS 6204, Spring 2005 12

  13. PRIMA Architecture and System Components: Authorization request and response CS 6204, Spring 2005 13

  14. PRIMA Architecture and System Components: User Mapping CS 6204, Spring 2005 14

  15. PRIMA Architecture and System Components: Enforcement Mechanisms PRIMA uses the following mechanisms to control file access: – POSIX.1E file system access control list. PRIMA dynamically modifies system’s ACL based on authorization module to set access rights for execution environment. – XML- based Grid Access Control Lists (GACL’s). The enforcement mechanism is similar to that used by POSIX ACL’s. PRIMA can be extended to use iptables to control access to network PRIMA Privilege Revocator associated with PRIMA enabled resources, automatically revokes privileges and dynamic users as they expire. CS 6204, Spring 2005 15

  16. Conclusion PRIMA designed to support spontaneous, short lived collaboration PRIMA contributes towards scalable grid environments PRIMA has implemented as an extension to the Globus Toolkit CS 6204, Spring 2005 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably Authorization answers the question who is allowed to do what ? A first step in the development of an access control system is the

651 views • 53 slides
Policy-driven Negotiation for Authorization in the Grid Ionut Constandache Duke University

Policy-driven Negotiation for Authorization in the Grid Ionut Constandache Duke University

Policy-driven Negotiation for Authorization in the Grid Ionut Constandache Duke University Daniel Olm edilla L3S Research Center Frank SiebenList Argonne National Laboratory 8 th IEEE POLICY Bologna, Italy, 15 th June 20 0 7 Outline

414 views • 19 slides
Building a Grid System for HPC HPC on Grid High Performance Computing (HPC): Use of computer

Building a Grid System for HPC HPC on Grid High Performance Computing (HPC): Use of computer

ASGC Danny Shieh and Hsin Yen Chen ISGC 2008, Taiwan Building a Grid System for HPC HPC on Grid High Performance Computing (HPC): Use of computer system for numerical intense computing. I t is commonly associated with the use of

189 views • 17 slides
Grid Graphics The grid graphics system is provided by

Grid Graphics The grid graphics system is provided by

Grid Graphics The grid graphics system is provided by the grid package. Fundamental ideas 1 You start with nothing. 2 Anything goes. 3 You might end up with a plot.

207 views • 5 slides
Modernizing T&D on the Electric Grid 11/29/2011 Mark Nealon System Meter & Smart Grid

Modernizing T&D on the Electric Grid 11/29/2011 Mark Nealon System Meter & Smart Grid

Modernizing T&D on the Electric Grid 11/29/2011 Mark Nealon System Meter & Smart Grid Ameren Missouri PSC Smart Grid Technical Conference 1 What is the Smart Grid? What Smart Grid means to Ameren Transform Amerens grid to

341 views • 7 slides
Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without authorization Authorization in Oxford Advanced Learner's Dictionary Object-oriented Databases authorization is the concept of allowing

70 views • 6 slides
Prima Primary y Coo Cooing ing Sys System tem of of J Jor orda dan R n Res esea earch

Prima Primary y Coo Cooing ing Sys System tem of of J Jor orda dan R n Res esea earch

Commissioning Commissioning E Exp xperien erience ce for R or Rea eacto ctor a r and nd Prima Primary y Coo Cooing ing Sys System tem of of J Jor orda dan R n Res esea earch h an and d Training aining Rea eacto ctor (J

428 views • 23 slides
Funding Opportunities for Universities Cooperation development PRIMA Foundation, Director

Funding Opportunities for Universities Cooperation development PRIMA Foundation, Director

Funding Opportunities for Universities Cooperation development PRIMA Foundation, Director Octavi Quintana Trias The PRIMA programme is an Art. 185 initiative supported and funded under Horizon 2020, the Unions Framework European

528 views • 41 slides
Energy Storage Technologies for Grid- Connected and Off-Grid Power System Applications By By

Energy Storage Technologies for Grid- Connected and Off-Grid Power System Applications By By

Energy Storage Technologies for Grid- Connected and Off-Grid Power System Applications By By Faruk Ahmed Bhuiyan Graduate Student Electrical and Computer Engineering Dept., Western University, London, Ontario Supervisor: Professor

168 views • 16 slides
Session 1: A Window to Your DPV Future Hawaii Experience Grid System Technologies Advanced

Session 1: A Window to Your DPV Future Hawaii Experience Grid System Technologies Advanced

Session 1: A Window to Your DPV Future Hawaii Experience Grid System Technologies Advanced Research Team Marc M. Matsuura, PE Leon R. Roose, Esq. Sr. Smart Grid Program Manager, Grid START Principal & Chief Technologist, Grid START Hawaii

486 views • 14 slides
PRIMA INDUSTRIE GROUP 2 AGENDA REORGANIZATION & RESTRUCTURING COMPANY OVERVI EW MARKET

PRIMA INDUSTRIE GROUP 2 AGENDA REORGANIZATION & RESTRUCTURING COMPANY OVERVI EW MARKET

STAR Conference London, October 8 th 2 0 0 9 PRIMA INDUSTRIE GROUP 2 AGENDA REORGANIZATION & RESTRUCTURING COMPANY OVERVI EW MARKET OVERVIEW FINANCIALS PRIMA Key Highlights Leading global player in laser & sheet m etal m achinery

851 views • 29 slides
Evolving Our Grid: System Planning and Grid Modernization GRC Overview October 24, 2016

Evolving Our Grid: System Planning and Grid Modernization GRC Overview October 24, 2016

Evolving Our Grid: System Planning and Grid Modernization GRC Overview October 24, 2016 Objective and Agenda Todays objective is to provide information and answer questions about our plan for evolving the grid as articulated in our GRC.

916 views • 55 slides
Sustainability and Smart Grid Implementing a Non residential Smart Metering System PaperCon

Sustainability and Smart Grid Implementing a Non residential Smart Metering System PaperCon

Sustainability and Smart Grid Implementing a Non residential Smart Metering System PaperCon 2011 Page 195 Smart Grid Popular Topics in the News Smart Grid Smart Meter Smart Meter Micro Grid Distributive Generation Most talk is

427 views • 39 slides
CSD Oper ational P lan Co vid-19 Re spo nse a nd Ope ra tio ns Pla n CSD Prima ry Ob je c

CSD Oper ational P lan Co vid-19 Re spo nse a nd Ope ra tio ns Pla n CSD Prima ry Ob je c

CSD Oper ational P lan Co vid-19 Re spo nse a nd Ope ra tio ns Pla n CSD Prima ry Ob je c tive s E nsure Pe rso na l sa fe ty, sa fe ty o f c o wo rke rs a nd sa fe ty o f fa mily Co ntinue to pro vide life sa fe ty a nd e sse

76 views • 6 slides
One Page Everywhere Fluid, Responsive Design with Semantic.gs The Semantic Grid System Grid

One Page Everywhere Fluid, Responsive Design with Semantic.gs The Semantic Grid System Grid

One Page Everywhere Fluid, Responsive Design with Semantic.gs The Semantic Grid System Grid System Fluid or Fixed Responsive Semantic Sass or LESS Grid Systems Grid System Fixed Size Grid System Fixed Size Semantic.gs:

726 views • 44 slides
1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel Expense 4. Travel Regulations 2 Travel Authorization (See Next Slide for Detailed Steps) 2. Trip Information goes here 1. Budgetary Coding goes

319 views • 11 slides
A Look at Some Ideas and Experiments Jack Dongarra University of Tennessee and Oak Ridge

A Look at Some Ideas and Experiments Jack Dongarra University of Tennessee and Oak Ridge

A Look at Some Ideas and Experiments Jack Dongarra University of Tennessee and Oak Ridge National Laboratory Orientation The design of smart numerical libraries; libraries that can use the best available resources, analyze the

414 views • 28 slides
Globus Toolkit Support Transition Derek Simmel <dsimmel@psc.edu> TAGPMA Chair 41 st

Globus Toolkit Support Transition Derek Simmel <dsimmel@psc.edu> TAGPMA Chair 41 st

T h e A m e r i c a s G r i d Policy Management Authority Globus Toolkit Support Transition Derek Simmel <dsimmel@psc.edu> TAGPMA Chair 41 st EUGridPMA / IGTF All-Hands Meeting September 25-27, 2017 JISC, Manchester, England Globus

98 views • 6 slides
Integrating Grid Services into a Cray XT4 Environment Hwa-Chun Wendy Lin and Shreyas Cholia

Integrating Grid Services into a Cray XT4 Environment Hwa-Chun Wendy Lin and Shreyas Cholia

Integrating Grid Services into a Cray XT4 Environment Hwa-Chun Wendy Lin and Shreyas Cholia National Energy Research Scientific Computing Center (NERSC/LBL) CUG 2009, Atlanta, GA What Is a Grid? A grid is a system that coordinates

565 views • 18 slides
Update on the Globus Transition FEARLESS SCIENCE Reminder: Where are we coming from? In 2017,

Update on the Globus Transition FEARLESS SCIENCE Reminder: Where are we coming from? In 2017,

Update on the Globus Transition FEARLESS SCIENCE Reminder: Where are we coming from? In 2017, the Globus organization announced the From May 2017 Globus end-of-support for the Globus Toolkit. Globus Toolkit provides the reference

486 views • 9 slides
A Storage Architecture for A Storage Architecture for Resilient Assured Data Resilient Assured

A Storage Architecture for A Storage Architecture for Resilient Assured Data Resilient Assured

A Storage Architecture for A Storage Architecture for Resilient Assured Data Resilient Assured Data Paul Manno Paul Manno Georgia Tech / PACE Georgia Tech / PACE Date May 2019 Date May 2019 Research Computing at Georgia Tech Research

586 views • 16 slides
Into DSpace using SWORD & GLOBUS Lee Taylor, University of Exeter, UK 11 July 2013 Exeter

Into DSpace using SWORD & GLOBUS Lee Taylor, University of Exeter, UK 11 July 2013 Exeter

Moving BIG DATA Into DSpace using SWORD & GLOBUS Lee Taylor, University of Exeter, UK 11 July 2013 Exeter Landscape 2011 DSpace in use for three independent repositories A brand new ~1M Petabyte data store established to hold all

408 views • 12 slides
GSI with OpenSSL Vincenzo Ciaschini EGEE-3 All-Hands EGEE-3 All-Hands Prague, 4-7/11/08 www eu

GSI with OpenSSL Vincenzo Ciaschini EGEE-3 All-Hands EGEE-3 All-Hands Prague, 4-7/11/08 www eu

Enabling Grids for E sciencE Enabling Grids for E-sciencE GSI with OpenSSL Vincenzo Ciaschini EGEE-3 All-Hands EGEE-3 All-Hands Prague, 4-7/11/08 www eu egee org www.eu-egee.org EGEE and gLite are registered trademarks EGEE-II

295 views • 12 slides
OSiRIS Overview for ARC-TS and Unit IT Open Storage Research Infrastructure Ben Meekhof

OSiRIS Overview for ARC-TS and Unit IT Open Storage Research Infrastructure Ben Meekhof

OSiRIS Overview for ARC-TS and Unit IT Open Storage Research Infrastructure Ben Meekhof University of Michigan Advanced Research Computing OSiRIS Technical Lead OSiRIS Summary OSiRIS is a pilot project funded by the NSF to evaluate a

654 views • 24 slides

More recommend