The e-Infrastructure AAI roadmap in Europe: Trends in European AA policy
The e-Infrastructure AAI roadmap in Europe
Trends in European AA policy
EUGridPMA Karlsruhe meeting
David Groep, NIKHEF
8th EUGridPMA Meeting, Karlsruhe, 2006
2006-10-05 8th EUGridPMA Meeting - trends in European AA policy 2
Aims of the Integrated AAI
Roadmap for the European e-Infrastructures
Create a single seamless AA experience for the user. This spans:
– the authentication/ID provisioning domain
– as well as the authorisation area
– across any kind of application:
• ‘grids’ like we know today
• network access (eduroam)
• web resource access
• (m)any other services
Trans-disciplinary (Grid projects, NRENs, other user communities) and trans-continental forums that move towards the establishment of a global, seamless AA infrastructure for e-Science applications should be encouraged.
The e-IRG wishes to acknowledge the efforts made in this direction by the IGTF and the open information exchange point provided by TERENA task forces.
Recommendation to the e-IRG, Austrian EU Presidency 2006
e-IRG integrated AAI Roadmap
e-IRG mandate
The main objective of the e-IRG is to support on the political, advisory and monitoring level, the creation of a policy and administrative framework for the easy and cost-effective shared use of electronic resources in Europe (focusing on Grid-computing, data storage, and networking resources) across technological, administrative and national domains.
The e-IRG consists of official delegations from the ministries of Education of the various European countries. It has an important role in assigning funding priorities for EU framework programmes and the strategy for e-Europe.
Contributors
Roadmap contributors and actors in the field
• e-IRG (high-level policy)
• TERENA: TF-EMC2, TF-Mobility
• IGTF
• eduroam™
• GEANT2 JRA5 (eduGAIN)
• REFEDs
• many national federations (CH, ES, NL, NO, UK, …)
• software providers: Shibboleth, A-Select, PAPI, …
Grid Authorization
• ‘user’-centric communities
• either grass-roots or infrastructure-based
• primary applications today in compute/data/database access
Grid AuthZ status
• User-centric community management today
– for (virtually) all grids based on authentication by IGTF-accredited authorities
• these assertions are used for authorization, where
– there is far greater variety in mechanisms and concepts
– software is in a continuous transition phase
– actual user communities are ‘expert’ and relatively ‘small’, i.e., O(100 000) users
Grid Authorization
Current (deployed) models in most compute/data grids are all based on ‘proxies’, implementing SSO and delegation
• Identity-based authorization
– lists of authorized users, possibly organised on a VO basis
– model is being deprecated in larger deployments
• Attribute-based authorization
– VO-managed {databases, directories} issuing VO-signed assertions
– VO identity itself based on IGTF certificates
– resource providers grant access based on these VO attributes
– pushed down with the service request (typically as ACs embedded as an extension in the proxy certificate), “VOMS”
• in part supported by (proxy) credential caches: “MyProxy”
Grid Characteristics
• Special characteristics
– rights delegation (typically to processes)
– rights/role selection based on the ‘session’, and not the target resource per se
– ‘on-demand’ creation of new sources of authority (VOs)
• grid communities cut through organisations
Software developments in AA
(grid) software has become flexible over the past few years:
• most software now supports both push and pull of attributes and assertions
• it’s slowly becoming syntax-agnostic (X509 (AC), SAML, …)
[diagram: numbered steps of the ‘Pull’ and ‘Push’ attribute/assertion flows]
OGSA AA model
• Grid (OGSA) AA architecture
– explicitly acknowledges multiple sources of authority in the authorization chain
[diagram: OGSA authorization policy architecture – User; Process acting on user’s behalf; PKI/Kerberos Identity and Local Site Kerberos Identity; Translation Service; Delegation Policy; Policy Enforcement Point; Authorization Service/PDP; VO/Other Stakeholders; Site/Resource Owner; Site Policy and VO Policy; User Attributes and Resource Attributes; Key Material (group of unique names, organizational role); Allow or Deny; Resource]
graphic: OGSA 1.0, GGF standard track document
Grid Middleware AA support
[diagram: Globus Toolkit 4 authorization runtime, with a pluggable PERMIS/XACML PDP, or a SAML PIP, or …]
graphic: Globus Toolkit 4 runtime, Frank Siebenlist et al.
More initiatives
• eduGAIN – summary with too many experts in the room
– based on ‘federation connectors’ to mediate between federations (domains, realms)
– common services
  • Home Location Service
  • (can be extended with others)
– basic interactions
  • (AccessReq/AccessResp)
  • AuthNDataReq/AuthNDataResp
  • HomeLocationReq/HomeLocationResp
  • AttrReq/AttrResp
  • AuthZReq/AuthZResp
– using WS and SAML
– see links provided by Reimer and Diego
What is happening now?
Several domains implemented some integrated AAI today
• ‘evaluationary’ grid middleware solutions – targeted at ‘expert power users’
• wireless network access – targeted at ‘the masses’, almost irrespective of status
• web resources – targeted at ‘selected academic users’, but not very selective as resources are not ‘high value’
• …
Production app: eduroam
• transparent (wireless) network access based on credentials issued by the home organisation
– distributed RADIUS infrastructure based on pair-wise hierarchical trust
– no ‘qualified’ AuthZ
Production apps examples
• Examples from the Access Management Infrastructure for the UK
– ScienceDirect
– BlackBoard
– BIOSIS
– CAB Abstracts
– Education Image Gallery, Education Media Online
– Index to The Times
– Land, Life & Leisure
– Statistical Accounts of Scotland
– Landmap
– Zetoc Alert, Search
• other domains have started to use similar technology (such as the Dutch government DigID project using A-Select)
Issues with integration
• Wider value range of resources to control
– from ‘low-risk’ wireless access to ‘high-risk’ supercomputers
• To engage more users, the current model of user-held credentials, or having disparate credentials for ‘grid’ and other activities, is not necessarily sustainable
– only scientific power users could maybe manage
– a general audience just cannot handle the current grid AA systems
• need integrated models that respect local autonomy, recognise existing credential quality, and retain the global coordination we have today
– note that this is technology-agnostic, it’s pure policy
– the software stacks we have today can almost do anything
Possible interfaces to integration
1. indirect AuthN based on existing IdMs
2. enable grid AuthN systems (e.g. VOMS) to also propagate other (home) IdM attributes
3. enable resource access controls to talk to multiple SoAs
4. express VO membership as a function of home IdM attributes
The reverse can also be considered
• VO membership could entitle you to ‘guest’ associate-ship with a real organisation, so that (selected) VO members can use resources that are available to the real organisation
• these scenarios are largely independent of the middleware (GSI or Shib or A-Select or …)
• except that SAML cannot yet well support (restricted) delegation
1. PKI AuthN based on existing IdMs
• see presentation by Christoph Witzig in a moment
2. Propagating other IdP attributes
slide from: Christoph Witzig, SWITCH, EGEE MWSG 2006-09-27
3. Multiple SoA support in access control
• enable resource access controls to talk to multiple SoAs
– based on a pluggable authorization framework, such as in newer middleware like Globus Toolkit 4, gLite, &c
graphic from: Christoph Witzig, SWITCH, GGF16, February 2006
4. VO membership as function of home attributes
role: production
members:
- John Doe
- the students of UHO: class 101, 2008
- Maggie
query to resolve the membership list of an FQAN
Many interesting issues to be addressed
Technical issues solvable – policy harmonisation is non-trivial
• far wider range of qualities in the attributes
• different incentives for keeping information current
• responsibility for attributes resides with different parties
– VO to manage community membership – but can small VOs maintain such an infrastructure? a task for an (independent) ‘e-Infrastructure’ provider
– home organisation to manage organic attributes – but not all attributes are usually considered ‘equally valuable’, and there is lots of variety between the UHOs
– access rights may suddenly depend on attributes with different quality
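As an added illustration (not code from the slides or from any project named here), a small resolver for the ‘role: production’ membership example on the previous slide and for the attribute-quality issue just listed: members the VO lists directly are taken at the VO’s own assurance, members derived from a home-organisation rule are pulled from the UHO’s IdM, and every entitlement carries the assurance level of the attribute it rests on, so a resource provider can see which members of the role depend on weaker attributes. The home-IdM records, the names and the 1-3 LoA scale are constructed.

```python
# Added example, not from the slides: resolve a VO role's membership as a
# function of home-IdM attributes and track the assurance each entry rests on.
from dataclasses import dataclass, field

# Constructed home-organisation (UHO) attribute records; 'loa' is the assurance
# level the issuing IdM claims for that record (hypothetical 1-3 scale).
HOME_IDM = {
    "uho.example": [
        {"name": "Alice Smith", "class": "101", "year": "2008", "loa": 2},
        {"name": "Bob Jones",   "class": "101", "year": "2008", "loa": 1},
        {"name": "Carol Li",    "class": "202", "year": "2008", "loa": 2},
    ],
}
VO_DIRECT_LOA = 3  # assumed: VO-listed entries rest on IGTF-certificate identities

@dataclass
class Role:
    fqan: str                                    # e.g. "/myvo/Role=production"
    members: list = field(default_factory=list)  # names listed directly by the VO
    rules: list = field(default_factory=list)    # (home_org, {attribute: value})

def resolve_membership(role):
    """Return {name: assurance level} for the FQAN; rule-based members are
    pulled from the home IdM, and a direct VO listing overrides a rule hit."""
    resolved = {}
    for org, required in role.rules:
        for rec in HOME_IDM.get(org, []):
            if all(rec.get(k) == v for k, v in required.items()):
                resolved[rec["name"]] = min(rec["loa"], resolved.get(rec["name"], rec["loa"]))
    for name in role.members:
        resolved[name] = VO_DIRECT_LOA
    return resolved

def weakest_assurance(role):
    """The quality a resource provider must assume if it trusts the role as a whole."""
    return min(resolve_membership(role).values())

def entitled(role, min_loa):
    """Members whose entitlement rests only on attributes of at least min_loa."""
    return {n for n, loa in resolve_membership(role).items() if loa >= min_loa}

# The slide's example: production = John Doe, the UHO students of class 101 (2008), Maggie.
PRODUCTION = Role("/myvo/Role=production",
                  members=["John Doe", "Maggie"],
                  rules=[("uho.example", {"class": "101", "year": "2008"})])

if __name__ == "__main__":
    for name, loa in sorted(resolve_membership(PRODUCTION).items()):
        print(f"{name:12s} LoA={loa}")
    print("weakest assurance in the role:", weakest_assurance(PRODUCTION))
```

Because one rule-derived member rests on a level-1 record, the role as a whole can only be trusted at level 1 unless the provider filters members by assurance, which is exactly the ‘attributes with different quality’ problem above.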
encourage work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.
e-IRG Recommendation, Dutch EU Presidency 2004
• how do we go about it?
• what role do we have in this domain?
• we have experience in policy coordination ...
Proposal: possible directions forward
• At the national level, for each authority
– monitor developments towards the creation of national AAIs and federations
– engage in (national) AAI initiatives that support your current and potential subscriber base
– promote the bridging of emerging federations at the national level
• At the European and global level
– ensure awareness of IGTF policy coordination work and its relevance to the overall AAI developments
– actively foster the definition of levels of assurance, its expression in all relevant syntaxes, and engage in the definition of these levels
– ensure that our policies do not inadvertently put up roadblocks on the way towards an integrated AAI
– promote (national) federations that interface with our current and future subscriber base at both the AuthN and (later) the AuthZ level