2008-06-04 1 A Multipolicy Authorization Framework for Grid Security Bo Lang, Ian Foster, Frank Siebenlist, Rachana Ananthakrishnan, Tim Freeman Reporter : Po - Jen Lo


A Multipolicy Authorization Framework for Grid Security

Bo Lang, Ian Foster, Frank Siebenlist, Rachana Ananthakrishnan,

Tim Freeman

Reporter: Po-Jen Lo


Abstract

In GT4, they built an authorization architecture that can support multiple policies, because a Grid system is composed of several independent domains.

This paper describes the design concepts of their whole authorization architecture and introduces its structure.

Finally, they introduce a new mechanism: blacklist/whitelist.


Outline

Introduction

The XACML Authorization Model

The GT4 Authorization Framework

Blacklist/Whitelist Based Authorization

Conclusion


Introduction

A Grid system is a virtual organization comprising several independent autonomous domains.

Authorization is an important part of the Grid security system.

The authorization mechanism of the Grid system must:
• Support multiple security policies
• Have the flexibility to support dynamic changes in security policies


The XACML Authorization Model

GT4 implements the WSRF specification. The GT4 authorization framework was constructed based on the OASIS XACML and SAML standards.

The XACML authorization model mainly contains:

PEP: Policy Enforcement Point

PDP: Policy Decision Point

PIP: Policy Information Point

PAP: Policy Administration Point


The XACML Authorization Model


The GT4 Authorization Framework

In a Grid system, each domain has its own security policy: grid-mapfile, ACL (Access Control List), CAS, SAML authorization decision assertions, and XACML policy statements.

The GT4 authorization framework needs to support multiple security policies and also needs to be flexible, so that it can be changed easily for different application environments.


The GT4 Authorization Framework

The Framework Architecture


The GT4 Authorization Framework

The PDP of the Authorization Framework: they abstract the common characteristics of the policies and define an abstract PDP.

The PDP abstraction defines a common interface that can be used to interact with the PEP or with other PDPs.

The policy framework is object-oriented:
• New policies can be added just by inheriting the PDP class
• Existing policies can be removed and modified at any time


The GT4 Authorization Framework

The PDP of the Authorization Framework


Blacklist/Whitelist Based Authorization

Blacklists and whitelists can also be introduced into the Grid services access control area to establish a simple and effective authorization mechanism.

If the authorization mechanism finds the requestor on the blacklist or whitelist, it makes an access decision immediately.


Blacklist/Whitelist Based Authorization

They designed and implemented a prototype BlackListPDP and WhiteListPDP under the GT4 authorization framework.

The implementation of these two PDPs has two layers:
• Functional layer: the blacklist/whitelist access interface, which currently contains a member-testing method
• Implementation layer, with two levels:
 – JNDI
 – composed of different naming and directory services
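The abstract-PDP design from the framework slides and the immediate blacklist/whitelist decision described above, as an added illustrative model in Python (not GT4's Java code or API; the class names Decision, Request, PDP, GridMapPDP and PEP, the NOT_APPLICABLE abstain value, and the sample DNs are assumptions constructed for the example). BlackListPDP and WhiteListPDP inherit the abstract PDP; the PEP consults PDPs in order and stops at the first definitive answer, so a list hit decides without consulting the remaining policies.

```python
from abc import ABC, abstractmethod
from dataclasses import dataclass
from enum import Enum
class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not_applicable"  # this PDP has no opinion on the request

@dataclass(frozen=True)
class Request:  # the attributes a PEP hands to the PDPs
    subject: str   # requestor identity, e.g. a certificate DN
    resource: str  # Grid service being accessed
    action: str

class PDP(ABC):  # abstract PDP: the one interface a PEP (or another PDP) calls
    @abstractmethod
    def evaluate(self, req: Request) -> Decision: ...

class BlackListPDP(PDP):  # member test; a hit denies immediately
    def __init__(self, members):
        self.members = set(members)
    def evaluate(self, req):
        return Decision.DENY if req.subject in self.members else Decision.NOT_APPLICABLE

class WhiteListPDP(PDP):  # member test; a hit permits immediately
    def __init__(self, members):
        self.members = set(members)
    def evaluate(self, req):
        return Decision.PERMIT if req.subject in self.members else Decision.NOT_APPLICABLE

class GridMapPDP(PDP):  # models a grid-mapfile: permit only DNs mapped to a local account
    def __init__(self, mapping):
        self.mapping = dict(mapping)
    def evaluate(self, req):
        return Decision.PERMIT if req.subject in self.mapping else Decision.DENY

class PEP:  # consults PDPs in order; first definitive answer decides, else deny
    def __init__(self, pdps):
        self.pdps = list(pdps)
    def authorize(self, req: Request) -> bool:
        for pdp in self.pdps:
            decision = pdp.evaluate(req)
            if decision is not Decision.NOT_APPLICABLE:
                return decision is Decision.PERMIT
        return False  # no PDP decided: fail closed

def build_demo_pep() -> PEP:  # constructed sample lists; blacklist first so it always wins
    return PEP([BlackListPDP(["/O=Grid/CN=mallory"]),
                WhiteListPDP(["/O=Grid/CN=alice", "/O=Grid/CN=mallory"]),
                GridMapPDP({"/O=Grid/CN=bob": "bob"})])
```

Ordering the BlackListPDP before the WhiteListPDP is what makes a subject present on both lists end up denied; reversing the two would silently invert that outcome.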


Blacklist/Whitelist Based Authorization


Conclusion

We have built a flexible multipolicy authorization framework for GT4. The framework is based on the XACML and SAML specifications.

The blacklist/whitelist authorization system established under the GT4 authorization framework can provide a simple and efficient method for Grid service access control.
