The e-Infrastructure AAI roadmap in Europe: Trends in European AA policy

Transcript of the presentation (PowerPoint, 25 pages)

Page 1

The e–Infrastructure AAI roadmap in Europe

Trends in European AA policy

EUGridPMA Karlsruhe meeting

David Groep, NIKHEF

8th EUGridPMA Meeting, Karlsruhe, 2006

Page 2: Aims of the Integrated AAI

2006-10-05 8th EUGridPMA Meeting - trends in European AA policy

Roadmap for the European e-Infrastructures: create a single seamless AA experience for the user.

Spans the authentication/ID provisioning domain as well as the authorisation area, across any kind of application:

• ‘grids’ like we know today
• network access (eduroam)
• web resource access
• (m)any other services

Page 3: e-IRG integrated AAI Roadmap

“Trans-disciplinary (Grid projects, NRENs, other user communities) and trans-continental forums that move towards the establishment of a global, seamless AA infrastructure for e-Science applications should be encouraged.

The e-IRG wishes to acknowledge the efforts made in this direction by the IGTF and the open information exchange point provided by TERENA task forces.”

(Recommendation to the e-IRG, Austrian EU Presidency 2006)

Page 4: e-IRG mandate

The main objective of the e-IRG is to support on the political, advisory and monitoring level, the creation of a policy and administrative framework for the easy and cost-effective shared use of electronic resources in Europe (focusing on Grid-computing, data storage, and networking resources) across technological, administrative and national domains.

The e-IRG consists of official delegations from the ministries of Education of the various European countries. It has an important role in assigning funding priorities for EU framework programmes and the strategy for e-Europe.

Page 5: Contributors

Roadmap contributors and actors in the field:

• e-IRG (high-level policy)
• TERENA: TF-EMC2, TF-Mobility
• IGTF
• eduroam™
• GEANT2 JRA5 (eduGAIN)
• REFEDs
• many national federations (CH, ES, NL, NO, UK, …)
• software providers: Shibboleth, A-Select, PAPI, …

Page 6: Grid Authorization

• ‘user’ centric communities
• either grass-roots or infrastructure-based
• primary applications today in compute/data/database access

Page 7: Grid AuthZ status

• User-centric community management today
  – for (virtually) all grids based on authentication by IGTF accredited authorities
• these assertions are used for authorization, where
  – there is far greater variety in mechanisms and concepts
  – software is in a continuous transition phase
  – actual user communities are ‘expert’ and relatively ‘small’, i.e., O(100 000) users

Page 8: Grid Authorization

Current (deployed) models in most compute/data grids, all based on ‘proxies’, implementing SSO and delegation:

• Identity-based authorization
  – lists of authorized users, possibly organised on a VO basis
  – model is being deprecated in larger deployments
• Attribute-based authorization
  – VO-managed {databases, directories} issuing VO-signed assertions
  – VO identity itself based on IGTF certificates
  – resource providers grant access based on these VO attributes
  – pushed down with the service request (typically as ACs embedded as an extension in the proxy certificate), “VOMS”
• in part supported by (proxy) credential caches: “MyProxy”
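An added illustration (not from the slides, nor VOMS code) of the attribute-based push model above: a constructed VO-signed assertion carrying FQANs is checked by the resource provider for a trusted issuing VO, an intact signature, the validity window and a holder matching the DN authenticated from the proxy chain, and only then is an FQAN mapped to local access. The HMAC signature, VO and user DNs and the site policy are stand-ins for a real X.509 attribute certificate and assumed values.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the VO attribute authority's key. A real VOMS AC is an
# X.509 attribute certificate; the site would hold only the VO's public key.
VO_KEYS = {"/C=NL/O=ExampleVO/CN=voms.example": b"constructed-vo-signing-key"}

# Site policy: FQAN (VO attribute) -> local resource granted (assumed values)
SITE_POLICY = {"/ExampleVO/Role=production": "prod-queue", "/ExampleVO": "vo-queue"}


def _payload(body):
    return json.dumps(body, sort_keys=True).encode()


def sign_assertion(vo, holder_dn, fqans, lifetime=3600, now=None):
    """VO side: issue an assertion binding FQANs to the holder's certificate DN."""
    now = int(time.time() if now is None else now)
    body = {"issuer": vo, "holder": holder_dn, "nb": now,
            "na": now + lifetime, "fqans": list(fqans)}
    sig = hmac.new(VO_KEYS[vo], _payload(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_assertion(assertion, authenticated_dn, now=None):
    """Resource side: return the FQANs only if the issuer is a trusted VO, the
    signature holds, the time is within [nb, na) and the holder is the user."""
    body = assertion["body"]
    key = VO_KEYS.get(body.get("issuer"))
    if key is None:
        return None
    expected = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    now = int(time.time() if now is None else now)
    if not body["nb"] <= now < body["na"]:
        return None
    if body["holder"] != authenticated_dn:
        return None
    return body["fqans"]


def authorize(assertion, authenticated_dn, now=None):
    """Map the first matching FQAN (the role selected for this session) to a resource; None = deny."""
    fqans = verify_assertion(assertion, authenticated_dn, now)
    if fqans is None:
        return None
    for fqan in fqans:
        if fqan in SITE_POLICY:
            return SITE_POLICY[fqan]
    return None
```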

Page 9: Grid Characteristics

• Special characteristics
  – rights delegation (typically to processes)
  – rights/role selection based on the ‘session’, and not the target resource per se
  – ‘on-demand’ creation of new sources of authority (VOs)
• grid communities cut through organisations

Page 10: Software developments in AA

(grid) software has become flexible over the past few years:

• most software now supports both push and pull of attributes and assertions
• it’s slowly becoming syntax-agnostic (X509 (AC), SAML, …)

[Diagram: numbered message flows (1 to 4) for the pull model and for the push model of attribute exchange]

Page 11: OGSA AA model

• Grid (OGSA) AA architecture
  – explicitly acknowledges multiple sources of authority in the authorization chain

[Diagram: Authorization Policy Architecture. A user (PKI/Kerberos identity, or a local site Kerberos identity via a translation service to a PKI identity) delegates to a process acting on the user’s behalf, under a delegation policy. User attributes (VO), resource attributes (site) and policy from the VO, the site/resource owner and other stakeholders feed the authorization service/PDP; the policy enforcement point in front of the resource returns allow or deny. Standardisation points: key material, group of unique names, organizational role, delegation. Graphic: OGSA 1.0, GGF standard track document]

Page 12: Grid Middleware AA support

[Diagram: Globus Toolkit 4 runtime authorization chain, in which the decision point can be a PERMIS/XACML PDP, or a SAML PIP, or …; runtime graphic: Globus Toolkit 4, Frank Siebenlist et al.]

Page 13: More initiatives

• eduGAIN – summary with too many experts in the room
  – based on ‘federation connectors’ to mediate between federations (domains, realms)
  – common services
    • Home Location Service
    • (can be extended with others)
  – basic interactions
    • (AccessReq/AccessResp)
    • AuthNDataReq/AuthNDataResp
    • HomeLocationReq/HomeLocationResp
    • AttrReq/AttrResp
    • AuthZReq/AuthZResp
  – using WS and SAML
  – see links provided by Reimer and Diego

Page 14: What is happening now?

Several domains have implemented some integrated AAI today:

• ‘evaluationary’ grid middleware solutions – targeted at ‘expert power users’
• wireless network access – targeted at ‘the masses’, almost irrespective of status
• web resources – targeted at ‘selected academic users’, but not very selective as the resources are not ‘high value’
• …

Page 15: Production app: eduroam

• transparent (wireless) network access based on credentials issued by the home organisation
  – distributed RADIUS infrastructure based on pair-wise hierarchical trust
  – no ‘qualified’ AuthZ

Page 16: Production apps examples

• Examples from the Access Management Infrastructure for the UK
  – ScienceDirect
  – BlackBoard
  – BIOSIS
  – CAB Abstracts
  – Education Image Gallery, Education Media Online
  – Index to The Times
  – Land, Life & Leisure
  – Statistical Accounts of Scotland
  – Landmap
  – Zetoc Alert, Search
• other domains have started to use similar technology (such as the Dutch government DigID project using A-Select)

Page 17: Issues with integration

• Wider value range of resources to control
  – from ‘low-risk’ wireless access to ‘high-risk’ supercomputers
• To engage more users, the current model of user-held credentials, or having disparate credentials for ‘grid’ and other activities, is not necessarily sustainable
  – only scientific power users could maybe manage
  – a general audience just cannot handle the current grid AA systems
• need integrated models that respect local autonomy, recognise existing credential quality, and retain the global coordination we have today
  – note that this is technology-agnostic, it’s pure policy
  – the software stacks we have today can almost do anything

Page 18: Possible interfaces to integration

1. indirect AuthN based on existing IdM’s

2. enable grid AuthN systems (e.g. VOMS) to also propagate other (home) IdM attributes

3. enable resource access controls to talk to multiple SoAs

4. express VO membership as a function of home IdM attributes

The reverse can also be considered:

• VO membership could entitle you to ‘guest’ associate-ship with a real organisation, so that (selected) VO members can use resources that are available to the real organisation
• these scenarios are largely independent of the middleware (GSI or Shib or A-Select or …)
• except that SAML cannot yet well support (restricted) delegation

Page 19: PKI AuthN based on existing IdMs

• see presentation by Christoph Witzig in a moment

Page 20: 2. Propagating other IdP attributes

slide from: Christoph Witzig, SWITCH, EGEE MWSG 2006-09-27

Page 21: 3. Multiple SoA support in access control

• enable resource access controls to talk to multiple SoAs
  – based on a pluggable authorization framework, such as in newer middleware like Globus Toolkit 4, gLite, &c

graphic from: Christoph Witzig, SWITCH, GGF16, February 2006

Page 22: 4. VO membership as function of home attributes

role: production
members:
- John Doe
- the students of UHO: class 101, 2008
- Maggie

query to resolve membership list of FQAN
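The rule on this slide worked through as an added example (not from the slides or any VOMS implementation): an FQAN’s membership is the union of explicitly listed members and users selected by attributes their home organisation (UHO) asserts, and an attribute only counts when it comes from an IdP the VO trusts to assert that attribute, which is the attribute-quality concern raised on the next slide. The IdP names, attribute names, DNs and user population are constructed.

```python
# Constructed VO membership rules, following the slide: the production role has
# explicitly listed members plus everyone selected by home-organisation attributes.
VO_RULES = {
    "/ExampleVO/Role=production": {
        "members": {"/C=NL/O=Example/CN=John Doe", "/C=NL/O=Example/CN=Maggie"},
        "attribute_rules": [
            {"idp": "idp.uho.example", "class": "101", "year": "2008"},
        ],
    },
}

# Which attributes the VO trusts each home IdP to assert (assumed values).
# An IdP not listed here, or an attribute it is not trusted for, is ignored.
TRUSTED_IDP_ATTRIBUTES = {"idp.uho.example": {"class", "year"}}


def attribute_rule_matches(rule, user):
    """user = {"dn": ..., "idp": asserting IdP, "attrs": {name: value}}."""
    if user["idp"] != rule["idp"]:
        return False
    trusted = TRUSTED_IDP_ATTRIBUTES.get(user["idp"], set())
    for name, wanted in rule.items():
        if name == "idp":
            continue
        if name not in trusted or user["attrs"].get(name) != wanted:
            return False
    return True


def holds_fqan(fqan, user):
    """True if the user is an explicit member or satisfies an attribute rule."""
    rule = VO_RULES.get(fqan)
    if rule is None:
        return False
    if user["dn"] in rule["members"]:
        return True
    return any(attribute_rule_matches(r, user) for r in rule["attribute_rules"])


def resolve_membership(fqan, users):
    """The slide's 'query to resolve membership list of FQAN', evaluated over
    the known user population; returns the sorted list of member DNs."""
    return sorted(u["dn"] for u in users if holds_fqan(fqan, u))
```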

Page 23: Many interesting issues to be addressed

Technical issues are solvable – policy harmonisation is non-trivial

• far wider range of qualities in the attributes
• different incentives for keeping information current
• responsibility for attributes resides with different parties
  – VO to manage community membership – but can small VOs maintain such an infrastructure? a task for an (independent) ‘e-Infrastructure’ provider
  – home organisation to manage organic attributes – but not all attributes are usually considered ‘equally valuable’, and there is lots of variety between the UHOs
  – access rights may suddenly depend on attributes with different quality

Page 24

“encourage work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.”

(e-IRG Recommendation, Dutch EU Presidency 2004)

• how do we go about it?
• what role do we have in this domain?
• we have experience in policy coordination ...

Page 25: Proposal: possible directions forward

• At the national level, for each authority
  – monitor developments towards the creation of national AAIs and federations
  – engage in (national) AAI initiatives that support your current and potential subscriber base
  – promote the bridging of emerging federations at the national level
• At the European and global level
  – ensure awareness of IGTF policy coordination work and its relevance to the overall AAI developments
  – actively foster the definition of levels of assurance and their expression in all relevant syntaxes, and engage in the definition of these levels
  – ensure that our policies do not inadvertently put up roadblocks on the way towards an integrated AAI
  – promote (national) federations that interface with our current and future subscriber base at both the AuthN and (later) the AuthZ level