XPOLA — An Extensible Capability-based Authorization Infrastructure for Grids
Liang Fang, Dennis Gannon (Indiana University)
Frank Siebenlist (Argonne National Laboratory)



Page 2: Outline

04/22/23 PKI R&D 05 2

• The Grid security
• The problems to be solved
• XPOLA
  – Macroscopic view
  – Microscopic view
  – User’s view
• Challenges and future work
• Conclusion

Page 3: The Grid

(Timeline figure: 1997, pre-Web services era; 2002 and 2004, OGSA and the (SOAP-based) Web services era.)

Grid service = Web service + OGSA

Page 4: Grid Security Infrastructure (GSI)

• GSI adopts public key cryptography as the basis to provide the Grid with three main functionalities:
  – Secure communication: SSL, WS-Security
  – Mutual authentication: PKI
  – Delegation: proxy certificate
• Authorization (& authentication):
  – A gatekeeper daemon maps a Grid identity to a local account at run time according to a gridmap file.
  – The Grid identity is granted all of the account’s rights.

Page 5: A Grid User’s Odyssey

• Alice wants to access a Grid service. Unfortunately, she has to …
  – Account application
  – Certificate application
  – Grid-map registration
  – (Learn how to) manage her X.509 cert
  – (Learn how to) get her Grid proxy cert ready
  – (Learn how to) configure her service environment
  – Finally, time to use the Grid service.

(The figure annotates these steps with approximate times: ~3 days, ~1 wk, ~0.5 day, ~0.5 day, ~0.5 hr, ~1 day.)

Page 6: The Authorization Problems in Real Grid Applications

• Unscalable in administration and maintenance
  – Host accounts
  – X.509 certificates
• Coarse-grained authorization
  – An authorized user can do much more than access a service
• For example, in the Linked Environments for Atmospheric Discovery (LEAD) project:
  – How to provide authorization to meteorological Grid services running on TeraGrid to THOUSANDS of scientists and grade school students?
  – Only a few privileged UNIX accounts are available.
  – Grid services could be dynamically generated (by workflow engines as well as individual scientists).
  – Of course, no security breach is acceptable.

Page 7: Existing Grid Security Solutions to Fine-grained Authorization

• ACL model: Akenti, Shibboleth, PERMIS
• Capability model: CAS, VOMS, PRIMA
• Why we need XPOLA
  – The above do not address general Web/Grid services in compliance with the Web services security specs.
  – With central admins, most of them do not address dynamic services well.

(Figure: the ACL model and the capability model, each drawn as a two-step exchange among Client, Resource and Authority; and an access control matrix over resources R1, R2, R3 for Alice, Bob and Carol, in which Bob holds rights on all three resources and Alice and Carol on one each.)

Page 8: XPOLA: The Characteristics

• Principle of Least Authority/Privilege (POLA)-compliant: strictly fine-grained authorization.
• Scalable in administration and maintenance: it is never assumed that the service user has an account on the machines. The infrastructure is built on a peer-to-peer chain-of-trust model. No central administrator involved.
• WS-Security compliant: conforms to WS-Security for both persistent and transient Web/Grid services.
• Extensible: PKI- and SAML-based, but allows other alternatives.
• Dynamic and reusable: Grid resources (Web services and Grid services) are made available to users through manually or automatically generated capabilities, which can be used for multiple requests in their valid lifetimes.

Page 9: XPOLA: The Big Picture

(Architecture figure. Components: Service Provider; Service Requester; Capability Manager (Capman) backed by Persistent Storage, with create, update and destroy operations; Capability Request; Registry (EPR of service A, …); Host Token Agent; Community Informative Authority; Request Processing / Processing Stack; SVCA; capability token.)

Page 10: XPOLA: Capabilities

• A capability includes:
  – Policy document
    • Bindings of the provider’s distinguished name (DN) as well as the users’ DNs.
    • Identifier of the Grid resource.
      – Optional: operations of a Web service instance
    • Lifetime (notbefore, notafter)
  – The provider’s signature generated with his private key.
• Security Assertion Markup Language (SAML):
  – Each capability is a set of SAML assertions
  – AuthorizationDecisionStatement
• However, the policy document and protection mechanism are extensible: XACML, symmetric keys, …

Page 11: XPOLA: Web Services Security

• Web services security
  – A series of emerging XML-based security standards from W3C and OASIS for SOAP-based Web services, to provide authentication, integrity, confidentiality and so on.
• XSOAP conforms to Web services security.
• SOAP binding (figure): the SOAP message carries the application payload in its Body and, in its Header, a WS-Security section (the user’s signature, …) holding the capability token; the capability token in turn contains the policies (SAML assertions) and the provider’s signature.

Page 12: XPOLA: Enforcement

(Flowchart of the processing stack for an arriving SOAP message.)

• Authentication processing node: SOAP signature verification. Valid? N → fault generation; Y → continue.
• Authorization processing node: token verification
  – Token signature valid?
  – Owner/user match?
  – Policy decision?
  – Expired?
  Any check answering N → fault generation; otherwise the message continues.
• Other processing nodes → application service.
• Outbound: token insertion and SOAP signature generation for the dispatched SOAP message.
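The capability fields of page 10 and the authorization node’s check order of page 12, as an added illustrative example (not XPOLA’s own code or token format). It assumes a JSON policy document and an HMAC stand-in for the provider’s PKI signature; the DNs, resource identifier and key are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the provider's private key. XPOLA signs the policy
# document with the provider's PKI key; an HMAC keeps this example runnable
# with the standard library only. Assumption of this example, not XPOLA's format.
PROVIDER_KEY = b"constructed-provider-signing-key"

def _canonical(policy):
    """Serialize the policy document deterministically so it signs and verifies identically."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()

def make_capability(provider_dn, user_dns, resource_id, operations, notbefore, notafter):
    """Provider side: bind provider DN, user DNs, resource, optional operations and lifetime, then sign."""
    policy = {
        "provider": provider_dn,
        "users": sorted(user_dns),
        "resource": resource_id,
        "operations": sorted(operations),  # empty list = every operation of the instance
        "notbefore": notbefore,            # epoch seconds
        "notafter": notafter,
    }
    signature = hmac.new(PROVIDER_KEY, _canonical(policy), hashlib.sha256).hexdigest()
    return {"policy": policy, "signature": signature}

def authorize(token, resource_owner_dn, requester_dn, resource_id, operation, now):
    """Authorization node, in the slide's order: token sig valid? owner/user match?
    policy decision? expired?  requester_dn is the DN the authentication node already
    established from the SOAP signature.  Returns (allowed, reason)."""
    policy = token["policy"]
    expected = hmac.new(PROVIDER_KEY, _canonical(policy), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return False, "token signature invalid"          # tampered or forged policy
    if policy["provider"] != resource_owner_dn:
        return False, "token issuer is not the resource owner"
    if requester_dn not in policy["users"]:
        return False, "requester is not bound in the capability"
    if policy["resource"] != resource_id:
        return False, "capability is for a different resource"
    if policy["operations"] and operation not in policy["operations"]:
        return False, "operation not granted by the capability"
    if not (policy["notbefore"] <= now <= policy["notafter"]):
        return False, "capability expired or not yet valid"
    return True, "ok"
```

The signature check runs first so that a tampered policy document is rejected before any of its contents are trusted.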

Page 13: XPOLA: User’s View in Grid Portals

(Figure. The Grid portal keeps a user context holding the user’s proxy certificate and capability tokens. Portlets: Proxy Manager Portlet (proxy certificate), Capability Manager Portlet (capability tokens), Weather Service Portlet. The provider issues capability tokens to the user, and the Weather Service Portlet presents a capability token to the Weather Service on the user’s behalf.)

Page 14: Challenges and Future Work

• Revocation
• Performance and scalability
  – Message-level session-based communication
  – Load balancing
• Denial of Service (DoS) mitigation

Page 15: Conclusion

• XPOLA provides a fine-grained authorization infrastructure to general Web and Grid services.
• More than that:
  – It scales
  – Extensible
  – WS-Security compliant
  – Adaptable for dynamic services
  – Reusable
  – User (as well as provider) friendly