SAML-XACML interoperability
DESCRIPTION
SAML-XACML interoperability. Oscar Koeroo. Index: The current setup; The architectural big picture (EGEE/OSG); How will this work; The requirements; Work done and decisions made; Stuff to do.
TRANSCRIPT
INFSO-RI-031688
Enabling Grids for E-sciencE
www.eu-egee.org
SAML-XACML interoperability
Oscar Koeroo
EGEE'07: MWSG Budapest 2
Index
• The current setup
• The architectural big picture (EGEE/OSG)
• How will this work
• The requirements
• Work done and decisions made
• Stuff to do
Our current architecture
[Diagram: gLite Compute Element or Storage Element running edg-gk, glexec, edg-gridftp and the gt4-interface (pre-WS GT4 gk, gridftp, opensshd), each calling LCAS + LCMAPS with the L&L plug-ins (regular set of plug-ins, or regular set + GPbox); Worker node running glexec, again with LCAS + LCMAPS and the regular set of L&L plug-ins; the GPbox plug-in talks to the GPbox infrastructure [xacml].]
Issues with this setup:
• share/distribute the gridmapdir for mapping consistency
• share/distribute the configurations for the nodes
• share/distribute authorization files, like grid/groupmapfiles and a blacklisting file
• Scaling issues; lots of nodes will probably overload an NFS server
The big picture
[Diagram, OSG and EGEE side by side: a front-end node (CE, SE, WN, etc.) sends a SAML-XACML Query over the SAML-XACML interface to a site-central service; both ends are built on the common SAML XACML library.
• EGEE front-end: glexec, edg-gk, edg-gridftpd, gt4-interface (pre-WS GT4 gk, gridftp, opensshd) with LCAS + LCMAPS and an L&L plug-in speaking SAML-XACML; Site Central: LCAS + LCMAPS with the L&L plug-ins (regular set, with GPbox), backed by the GPbox infrastructure [xacml] / [saml-xacml].
• OSG front-end: dCache with Prima + gPlazma speaking SAML-XACML; Site Central: GUMS (+ SAZ).
• CREAM / pilot job on a Worker Node (both EGEE and OSG).]
How it should work (conceptual)
[Diagram, steps numbered 1 to 6: the SAML-XACML PEP (L&L plug-in or PRIMA) on the front-end, built on the Globus SAML XACML library, registers a set of obligation IDs and defines the obligation handlers [N]; it sends a SAML-XACML Query (Q: map.user.to.some.pool) over the SAML-XACML interface to the Site Central service (LCAS + LCMAPS, or GUMS and SAZ), also built on the Globus SAML XACML library; the response R carries a set of obligations (Oblg: user001, somegrp), each dispatched to its obligation handler, which works with the PEP environment.]
SAML-XACML lib requirements
• Requirements to Globus
  – Initial focus on Java and C environment
    C clients (PEP) & C service (PDP):
    • Prima & gPlazma
    • LCAS and LCMAPS plug-ins
    • Newly to be created Site Central service with the LCAS and LCMAPS back-end will be C-based
    Java initially server-side only (PDP):
    • The GUMS server is a Java-Tomcat environment
  – Uses TLS connection for client (PEP) / server (PDP) comm.
  – Must be able to mix our PDP and PEP implementations
  – Must be separate from the existing Globus Toolkit
• We want the library to be lightweight and easily portable
SAML-XACML lib requirements
• Requirements to ourselves
  – Easy interoperation: understand a common set of obligations and their attributes
  – Scalability: low network traffic, low overhead at the end points
  – Keeping compatibility with existing LCAS and LCMAPS plug-ins and their functionalities
Work done and decisions made
• Understanding the scope of usage
  – Interesting for everybody who was not at the MWSG UCSD lunch
• Understanding the term stateful PDP
  – Note: an XACML PDP is (usually only) stateless
  – Stateful information (the results of a pool account mapping) is passed via the obligations' attributes
• Discussing SAML-XACML protocol details
  – "Using standard protocols" != "Being standards compliant"
  – Generation of the protocol stack must be reproducible
• Using Globus SAML-XACML instead of OpenSAML
  – Globus is committed to fix potential deviations from the specs
• Testing the alpha version of the SAML-XACML library
  – C and Java; ongoing process…
• Compilation of tentative lists of obligations
  – for EGEE and OSG (next slide…)
Tentative lists of obligations
• EGEE Obligations:
  – UID + GID
  – Optional multiple secondary GIDs
  – Optional AFS token (type string)
• VO Services Obligations (to be checked with a representative from Storage):
  – Username (for CE)
  – UID + GID (common w/ EGEE)
  – RootPath + HomeDir (gPlazma)
  – Priorities (gPlazma)
  – File creation mask + directory creation mask
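The conceptual flow above (PEP registers obligation IDs and handlers, sends a query, enforces the response) applied to the UID + GID and secondary GID obligations from this list, as an added example that is not code from EGEE, OSG or Globus. It assumes placeholder obligation and attribute IDs (urn:example:…), since the real IDs were still tentative, and models only the XACML 2.0 context part of the SAML response, not the SAML envelope or the TLS transport.

```python
"""PEP-side handling of a SAML-XACML authorization response (added example, not
code from EGEE, OSG or Globus). Obligation/attribute IDs are placeholders; only
the XACML 2.0 context part of the SAML response is modelled."""
import xml.etree.ElementTree as ET
CTX = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"
POL = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
INT = 'DataType="http://www.w3.org/2001/XMLSchema#integer"'
# Constructed sample PDP response: Permit plus the pool-account mapping obligations.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
  xmlns:p="urn:oasis:names:tc:xacml:2.0:policy:schema:os"><Result>
  <Decision>Permit</Decision><p:Obligations>
   <p:Obligation ObligationId="urn:example:obligation:uidgid" FulfillOn="Permit">
    <p:AttributeAssignment AttributeId="urn:example:attr:uid" %s>20001</p:AttributeAssignment>
    <p:AttributeAssignment AttributeId="urn:example:attr:gid" %s>3000</p:AttributeAssignment>
   </p:Obligation>
   <p:Obligation ObligationId="urn:example:obligation:secondary-gids" FulfillOn="Permit">
    <p:AttributeAssignment AttributeId="urn:example:attr:gid" %s>3001</p:AttributeAssignment>
   </p:Obligation></p:Obligations></Result></Response>""" % (INT, INT, INT)

def handle_uidgid(attrs, env):
    env["uid"] = int(attrs["urn:example:attr:uid"][0])
    env["gid"] = int(attrs["urn:example:attr:gid"][0])

def handle_secondary_gids(attrs, env):
    env["secondary_gids"] = [int(g) for g in attrs["urn:example:attr:gid"]]

# Registered at PEP start-up: the obligation IDs this PEP understands and their handlers.
HANDLERS = {"urn:example:obligation:uidgid": handle_uidgid,
            "urn:example:obligation:secondary-gids": handle_secondary_gids}

def enforce(response_xml):
    """Return the local environment to apply (uid, gid, ...) or None to deny.
    Fails closed on any decision other than Permit and on any obligation the PEP
    cannot fulfil, as XACML requires of a PEP."""
    result = ET.fromstring(response_xml).find(CTX + "Result")
    if result is None or result.findtext(CTX + "Decision") != "Permit":
        return None
    env = {}
    for ob in result.iter(POL + "Obligation"):
        if ob.get("FulfillOn") != "Permit":
            continue  # obligation attached to the Deny branch; not ours to act on
        handler = HANDLERS.get(ob.get("ObligationId"))
        if handler is None:
            return None
        attrs = {}
        for a in ob.findall(POL + "AttributeAssignment"):
            attrs.setdefault(a.get("AttributeId"), []).append((a.text or "").strip())
        handler(attrs, env)
    return env
```

A response carrying an obligation the PEP has not registered (for example an AFS token obligation on a PEP without that handler) is refused rather than partially applied.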
Stuff to do…
• Other obligations (or no obligation, just a binary AuthZ decision)
• Reproducibility of the protocol stack, credits to:
  – Yuri Demchenko
  – Valerio Venturi
  – Vincenzo Ciaschini
  – Alberto Forti
  – and others…
• Timeline:
  – Library beta: ~end of October '07
  – Client (LCMAPS plugin): Library beta + 1 month
  – Service (beta): Library beta + 2 months
  – Service (production): ~Q1 2008
Final words
• The site central solution allows for improved emergency response
  – Central blacklist
  – Consistent mappings across a cluster or a site for all the services
• The interface is going to be standards compliant with SAML2-XACML2
• The Globus library will be the first implementation of the protocol stack, hopefully many to follow