GRID: Globus Toolkit 4.0 - Authorization Model

The feature list is
  • Support for PDP Chaining
  • Policy Combination algorithm Supported: DENY overrides ALLOW (permit overrides can be simulated by having a MasterPDP which will then controll the other PIP &PDP - Will need to specify sequence of the PDP & PIP Separately)
  • Supports the concept of PIP which works as Interceptor (like PDP) but does not return decision. It instead returns data which can be used by PDP (More info needed on how)
  • ID that will be authorized is extracted from the credential used by client to contact the service.
  • A concept of Resource Owner is supported which can be extracted from "resource, service or container depending on availability in that order of precedence"
  • Authorization Schemes supported
    • self - Caller ID = Owner
    • gridmap - Caller ID part of pre-defined list. This sheme also supports user ID mapping to local user id (how does that help or can be leveraged??)
    • Identity - Caller ID = Specified ID
    • Host - Called's Host ID = specified Host ID. Host ID being a special form of certificate with a common name (CN) corresponding to a name obtained from DNS or some configured service name. (How does this get mapped to caller, is the caller id = host id or is host id like a computer certificate in the Windows system??)
    • SAML Call-out - PDP contacts a SAML Authz Service using request/response interface
    • userName - Caller ID = JAAS authenticated User (who is authenticating and how is that being passed to PDP?)
  • The development involves the following - Please note all the plugins have initialize and close function
    1. Implement the PDP interface - org.globus.wsrf.security.authorization.PDP :: boolean isPermitted(javax.security.auth.Subject,javax.xml.rpc.handler.MessageContext, javax.xml.namespace.QName operation). This interface also hase capability to get policynames and get/set policy (org.w3c.dom.Node)
    2. Reference the PDP from a security descriptor - Change $GLOBUS_LOCATION/etc/<service name>/security-config | <service name>-security-descriptor.xml add the <authz value="ascope:class name"/> where ascope is scope which is an authorization scheme "context" used to distinguish different authorization schemes with the same implementing class within the chain.
    3. Test the PDP - run client
    4. Implement the PIP interface - org.globus.wsrf.security.authorization.PIP :: collectAttributes(Subject subject,MessageContext ctx,QName operation)
    5. Reference the PIP from a security descriptor - <authz value="ascope:PIP_Class pdpscope:PDP_CLASS"/>
    6. Test the PIP - the order of execution of PIPs and PDPs depends on the order in which they were specified in the authorization chain configuration
    7. Communicate an attribute from PIP to PDP - e.g. - subject.getPublicCredentials().add(attribute); & subject.getPublicCredentials();
    8. Add a configuration to an interceptor - Use the service deployment descriptor to pass the data to PDPConfig used in initialize call. The D.D. is located in $GLOBUS_LOCATION/etc/<your_service> and <parameter name="ascope-attribute" value="notmanager"/> i.e. scope_name-attribute_name (Guess can not have hiphenated scope name??)
  • Next Steps -
    • Develop Attribute/Role-based Authorization - Proper representation of attributes need to be developed which can be transferred accross the PDPs
    • support for fine grained expression of "delegation of rights" =
    • pluggable authorization engines
    • lazy collection of attributes
    • caching of decision/attributes
    • and metadata about attributes/interceptors
  • Resources - GlobusTK 4.0 Release Manual, WS Authentication and Authorization documentation, GridShib (Globus Toolkit with Shibboleth), Community Authorization Service

Comments

Post a Comment

Popular posts from this blog

Vendor List

Updated: November 12 2006 I am trying to come up with the list of vendors and associated products in the Identity and Access Management arena. Please note that this list is based on marketing/public information and my understanding of the terms which may not comply with any specific groups' definitions and/or requirements. This is by no means a complete list and will keep growing as I get more time to add them and find more companies (any help on that front will be really appreciated). Before we go further along, lets try to define what each of these product typically do so that my mode of classification may make sense or any flaw in my classfication will become apparant. Identity Management/User Provisioning These products typically provide the facility of Workflow-based Identity provisioning, password reset, identity reconciliation/discovery, delegated identity administration and self-service features on wide variety of identity platforms (like LDAP, Unix, Windows, Mainfra
Read more

2006 Prediction - Recap

Seems like the 2006 Prediction season is over and so I thought that I will try to capture the various predictions in Identity Management space that I came across. ( Nick at WickID ) Host/Mutual authentication will be critical. There will be an attack against banks using non-cryptographic based host authentication (ie, pictures, cookies). - I am assuming that means machine authentication besides user authentication something similar to that from Passmark and Trusted Network Technology . This makes sense and will really be looking forward to various non-intrusive and intrusive technology in this space. Transaction authentication will become a hot topic later in the year due to session hijacking trojans. - I think people like Bruce Schneier have already been talking about this. An important aspect of transaction authentication is that it needs to be pervasive instead of just being limited to online experience. Besides that the technology that would actually help achieve this should be va
Read more

Understanding IAM Technology: Web Single Sign On (Web SSO) Part I - Introduction and Use Case Definition

Image
Update September 6, 2015: Part II in the series is now available . Update August 19,2006: I am rewriting this entry based on the methodology I am using for some of other domains. Hopefully, the new methodology would make it more useful to some of you. I talk to a lot of people from developer background who still do not have a good background in the IAM technology. Eventhough there is a lot of information on the web, I have felt a lack of good technological discussion on the various component that  actually form the IAM domain. Some of the good sources for the information on IAM are Microsoft Identity and Access Management Series Archie Reed Oracle Federated Identity Buyers guide Oracle Identity Management Buyer's Guide Identity Management Dissected Most of these document discuss the basic concepts but do not extend it to existing technologies and how it applies to them. This series is an attempt to look at the technology behind the Identity and access manage
Read more