GlobusSecurityTigerTeam/CapabilityMatrix

From Globus

Security Projects

Please make sure that everything is categorized and sub-categorized correctly...

  • Globus Authorization Framework - Run-time components that, transparently to the application, collect, validate and combine assertions of several kinds: authentication [X.509], authorization [SAML, XACML-2/SAML-2] and attribute [SAML, X.509 attribute certificate (VOMS)]. The assertions are evaluated together to decide whether the requestor is allowed to invoke the resource. Currently this is part of Globus Core.
    • PIP - Policy Information Point (collects attributes from attribute assertions). PIP modules are technology specific (e.g. for VOMS, Shibboleth).
    • PDP - Policy Decision Point (pluggable components that render a decision, including call-outs to external authorization services)
    • Dorian – A grid service for the provisioning and management of grid users accounts. Dorian provides an integration point between external security domains and the grid, allowing accounts managed in external domains to be federated and managed in the grid. Dorian allows users to use their existing credentials (external to the grid) to authenticate to the grid.
    • Grid Trust Service(GTS) - The Grid Trust Service (GTS) is a grid-wide mechanism for maintaining and provisioning a federated trust fabric consisting of trusted certificate authorities, such that grid services may make authentication decisions against the most up to date information.
    • Grid Grouper - Provides a group-based authorization solution for the Grid, wherein grid services and applications enforce authorization policy based on membership to groups defined and managed at the grid level.
    • Authentication Service - Provides a framework for issuing SAML assertions for existing credential providers, so that they may be easily integrated with Dorian and other grid credential providers. The authentication service also provides a uniform authentication interface on which applications can be built.
  • MyProxy - MyProxy combines an online credential repository with an online certificate authority to allow users to securely obtain credentials when and where needed. Users run myproxy-logon to authenticate and obtain credentials, including trusted CA certificates and Certificate Revocation Lists (CRLs).
  • GridShib allows Globus Toolkit and Shibboleth to interoperate. The complete software package consists of two plugins, one for Globus Toolkit and another for Shibboleth. With both plugins installed and configured, a GT Grid Service Provider (SP) may securely request user attributes from a Shibboleth Identity Provider (IdP). (Frank)
  • Shibboleth is standards-based, open source middleware software which provides Web Single SignOn (SSO) across or within organizational boundaries. In addition, it allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner by providing an attribute service. (Frank)
    • Web Single Sign on
    • Attribute service
  • Yale-CAS (Central Authentication Service) is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. It provides an SSO service equivalent to Shib's SSO. (Frank)
  • Permis is an infrastructure that provides all the necessary facilities for users to manage privileges and authorisation policies and for applications to make authorisation decisions. (Frank)
  • VOMS - maintains information about VO memberships and issues X.509 attribute certificates with this information. Also distributed as part of VDT.
  • GUMS (Grid User Management System) is a service that provides gridmap-like information from a VOMS or LDAP server. GUMS is a Grid Identity Mapping Service and part of the VO Privilege Project. Identity mapping is necessary when a site's resources do not use GRID credentials natively, but instead use a different mechanism to identify users, such as UNIX accounts or Kerberos principals. In these cases, the GRID credential for each incoming job must be associated with an appropriate site credential. The GUMS server performs this mapping and communicates it to the gatekeepers. Also distributed as part of VDT
  • PRIMA contains a globus authz callout that talks to GUMS. Also distributed as part of VDT.
  • SAZ (Fermilab's Site AuthoriZation service) appears to be a centralized CRL and whitelist maintenance/checking service.
  • LCMAPS is the Local Credential MAPping Service, which supplies local credentials (such as Unix user ids) to Grid jobs that run on the local fabric. LCMAPS has detailed support for plug-in modules. GT2-GRAM specific.
  • dev.globus Dynamic Accounts based Workspace Management Services allow a Grid client to dynamically create and manage a workspace, implemented as a Unix account, on a remote site. The infrastructure is composed of a factory service that allows an authorized Grid client to create individual accounts or groups of accounts, and an account service that allows an authorized Grid client to manage individual account properties, such as account access policy or time to live (TTL). These concepts are represented as WSRF services and implemented using the GT4 implementation of WSRF.
  • GT-CAS (Globus' Community Authorization Service) allows resource providers to specify coarse-grained access control policies in terms of communities as a whole, delegating fine-grained access control policy management to the community itself. Resource providers maintain ultimate authority over their resources but are spared day-to-day policy administration tasks (e.g. adding and deleting users, modifying user privileges).
  • PURSe (Portal-Based User Registration Service) is a system for registering users of Web-based applications that use the Grid Security Infrastructure (based on PKI and X.509 certificates). PURSe coordinates the process of establishing Grid security certificates for new users when they log in to an application web site. Users who already have valid certificates can also easily register with the portal applications. By leveraging the MyProxy certificate repository, PURSe shields web application users from the complexities of X.509 certificate management, and enables rapid registration of users.
  • GAMA (Grid Account Management Architecture) is a complete GSI credential management and integration solution tailored for use in emerging CyberInfrastructure through web portals or web service-based clients. GAMA consists of two components: a backend security service that provides secure management of credentials, and a front-end set of portlets that provide tight integration into web/grid portals. (functionally equivalent to PURSe) (Frank)
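
To make the PIP/PDP split in the Globus Authorization Framework entry above concrete, here is a small illustrative chain. It is an example added to this page, not Globus Toolkit code: the request layout, the policy structure and the function names are invented, and only the VOMS FQAN syntax is real. Two PIPs (X.509 subject, VOMS groups) fill an attribute set, then two PDPs are combined with deny-overrides, so a banned subject loses even when a group grants access, and an operation that no PDP recognises is denied rather than permitted.

```python
# Illustrative PIP/PDP chain in the style described on this page. Hypothetical
# example: the request layout, policy and function names are invented and are
# not the Globus Authorization Framework's own API.
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not_applicable"


# --- Policy Information Points: each understands one assertion format -------

def x509_pip(request, attrs):
    """Record the authenticated subject DN from the (constructed) credential."""
    attrs["subject"] = request["credential"]["subject"]


def voms_pip(request, attrs):
    """Turn VOMS FQANs ('/vo/group/Role=.../Capability=...') into group names.
    The FQAN syntax is real; the values used below are constructed."""
    groups = set()
    for fqan in request["credential"].get("voms_fqans", []):
        groups.add(fqan.split("/Role=")[0])
    attrs["groups"] = groups


# --- Policy Decision Points: each returns PERMIT, DENY or NOT_APPLICABLE -----

def ban_pdp(policy, attrs, operation):
    """Deny banned subjects outright, whatever attributes they carry."""
    if attrs.get("subject") in policy["banned_subjects"]:
        return Decision.DENY
    return Decision.NOT_APPLICABLE


def group_pdp(policy, attrs, operation):
    """Permit if one of the caller's groups is allowed for this operation;
    say nothing about operations the policy does not mention."""
    allowed = policy["operations"].get(operation)
    if allowed is None:
        return Decision.NOT_APPLICABLE
    return Decision.PERMIT if attrs.get("groups", set()) & allowed else Decision.DENY


def authorize(request, operation, policy,
              pips=(x509_pip, voms_pip), pdps=(ban_pdp, group_pdp)):
    """Run every PIP to build the attribute set, then combine the PDP results
    with deny-overrides (an XACML combining algorithm): any DENY wins, then any
    PERMIT; if no PDP claims the request it is denied, never permitted by default."""
    attrs = {}
    for pip in pips:
        pip(request, attrs)
    decisions = [pdp(policy, attrs, operation) for pdp in pdps]
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.DENY


# Constructed policy and callers used for the demonstration.
POLICY = {
    "operations": {
        "submitJob": {"/atlas/production"},
        "queryStatus": {"/atlas", "/atlas/production"},
    },
    "banned_subjects": {"/C=XX/O=Example/CN=Mallory"},
}

ALICE = {"credential": {
    "subject": "/C=XX/O=Example/CN=Alice",
    "voms_fqans": ["/atlas/production/Role=NULL/Capability=NULL",
                   "/atlas/Role=NULL/Capability=NULL"]}}
BOB = {"credential": {
    "subject": "/C=XX/O=Example/CN=Bob",
    "voms_fqans": ["/atlas/Role=NULL/Capability=NULL"]}}
MALLORY = {"credential": {
    "subject": "/C=XX/O=Example/CN=Mallory",
    "voms_fqans": ["/atlas/production/Role=NULL/Capability=NULL"]}}

if __name__ == "__main__":
    for name, req, op in [("alice", ALICE, "submitJob"), ("bob", BOB, "submitJob"),
                          ("bob", BOB, "queryStatus"), ("mallory", MALLORY, "submitJob"),
                          ("alice", ALICE, "deleteEverything")]:
        print(f"{name:8} {op:17} -> {authorize(req, op, POLICY).value}")
```

The ordering of PIPs matters only for who fills which attribute; the ordering of PDPs does not, because deny-overrides looks at the whole list. The fall-through to DENY when every PDP answers NOT_APPLICABLE is the check most worth keeping when wiring a real chain: a misconfigured operation name should fail closed.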

Capabilities Matrix

The following section references the projects/components above in relation to their potential as implementations of the notional security architecture shown below (taken from the OGSA Security Working Group).

Notional Security Architecture for Open Grid Services

Reduced VO Architectures


Identity Management System

  • Identity Registration: vet and add a user to the "system", provide initial authN credentials
    • MyProxy (username/password or one-time password, converted to an X.509 proxy certificate (PC))
    • Dorian (username/password, or the identity vetter issues a SAML authN assertion that Dorian trusts; converted to an X.509 PC)
    • PURSE (Register new user, or existing user credentials into MyProxy)
    • GAMA
    • RA/CA at EGEE: user identity vetting and subsequent issuing of long-lived X509 EE certs. MyProxy used for issuing PCs to intermediates for long-running jobs. Contemplating online-CA usage.
    • CACL - An online CA, used at SCSC & NCSA.
    • Kerberos
      • Krb5 (username/password -> Kerberos ticket); PKINIT enables Kerberos to accept X.509 credentials.
      • SSL Front end to Kerberos (allows to accept X.509)
      • KX509/KCA (login to Kerberos system, obtain PC)
  • Server/service registration: register a service, provide server/service credentials, publish
    • Dorian - Issues host credentials to users who have an account.
    • Handle System
    • Index Service?
    • Some support for WS-Naming

Attribute Management and Assertion Communication Mechanism - Methods for managing (or assigning) groups/roles/attributes for users/resources, and then obtaining, collecting, and/or communicating attribute assertions.

  • Gridmap - Attributes can be stored and accessed from a Gridmap file.
  • LDAP
  • Shib - The Shib server makes attributes from LDAP or a relational database available via a SAML attribute query service.
  • GT CAS -
  • GT CAS++ - Attribute query interface to retrieve group attributes from the CAS server, will have a SAML compliant interface as well.
  • Permis (uses LDAP protocol to pull attribute information from an attribute service, can also use SAML)
  • GridGrouper - uses a proprietary WS-protocol to retrieve attributes from the Grouper Server database. (groups only; group membership can be considered an attribute.)
  • PRIMA/GUMS/VOMS - PRIMA/GUMS get attributes from the VOMS server. Protocol is half SAML 1.1 & XACML, plan to upgrade to XACML later this year.
  • GT PIP - Different modules used to extract attributes from various proxy certs and other sources.
    • Extract from SOAP header, Proxy Cert, VOMS cert, SAML assertion... (some authZ servers use attributes internally)
  • Equivalent modules embed attributes into proxy certs.
    • VOMS-proxy-init, CAS-proxy-init (SAML), GridShib-proxy-init (SAML)? (Frank)

Authorization Service(Policy Language/Evaluators)- Different mechanisms for expressing policy. Must be created by hand for each site. Depending on the requirements, Authorization servers can be accessible as a network service or embedded locally at the policy enforcement point of the resource. E.g. if you want to centrally manage the policy you can maintain the server and its associated PDPs centrally and everyone calls to it. Or you can push out the policy to each of the managed resources & use local PDPs.

  • GT CAS (own policy language accessible via SAML 1.1 AuthZ query svc)
    • Only clients can push creds to server (GT4.0.x)
  • GT CAS++ (own policy language accessible XACML-2/SAML-2 AuthZ query Svc)
    • Either client or server access (GT 4.2)
  • Permis (own policy language accessible via SAML 1.1 AuthZ query svc)
    • Can be utilized either as a network svc or co-located
  • New Permis (own policy language accessible via XACML-2/SAML-2 AuthZ query Svc)
    • Can be utilized either as a network svc or co-located
  • PRIMA/GUMS (uses XACML policy language accessible via SAML 1.1 AuthZ query svc)
    • Also supports policies expressed in XACML-2
  • GT PDP - Different modules that utilize SAML1.1 or XACML-2/SAML-2 protocols for accessing attributes from PIPs & then evaluating AuthZ decisions.
  • Introduce-generated PDP
    • Policy can be defined on a per service and per operation basis, specific to the service, using the GUI
    • Each operation can use a different policy (which is expressed in the generated PDP)
    • Currently supports using CSM and GridGrouper (future release of Introduce will make this an extension point for other authorization engines)
    • Service-specific; not a general policy tool
  • Grid Grouper (group-based authorization)
    • Logical membership expressions can be constructed to enforce authorization based on group membership.
  • CSM (Common Security Module)
    • Access control policy enforcement system; access control policies are expressed based on membership in locally defined groups or in groups managed by Grid Grouper. Can be accessed via Java locally or over the network.
  • DynAccounts - accesses a centrally accessible gridmap file
    • Accounts are treated like attributes and can be shared
  • Java accesses (co-located)
    • Callouts to gridmap file
    • GT-2 Gram/GridFTP AuthZ callouts to LDAP? (Frank)
    • LCMAPS/LCAS - Similar to Dynamic Accounts; richer language than the gridmap file, but still only co-located. Works with GT-4.
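
The gridmap file appears above as an attribute store, as the thing DynAccounts and the co-located Java callouts read, and as what GUMS and LCMAPS replace with richer mapping logic. The parser and mapper below are an example added to this page, not Globus, GUMS or LCMAPS code. The quoting and comment syntax is the real grid-mapfile syntax; the sample entries are constructed, and the first-entry-wins rule and the proxy-subject stripping are assumptions marked as such in the comments.

```python
# Parsing a Globus grid-mapfile and mapping a caller to a local account.
# Example added for this page, not Globus Toolkit, GUMS or LCMAPS code. The
# file syntax ('"<DN>" acct1,acct2', '#' comments) is the real gridmap syntax;
# the entries, the first-entry-wins rule and the proxy handling are assumptions.
import re

# Constructed sample. Sites normally keep this in /etc/grid-security/grid-mapfile.
SAMPLE_GRIDMAP = """\
# grid-mapfile: "<subject DN>" <local account>[,<local account>...]
"/C=US/O=Example Grid/OU=People/CN=Jane Doe" jdoe,atlasprod
"/C=US/O=Example Grid/OU=People/CN=John Q Public" jpublic
"/C=US/O=Example Grid/OU=Services/CN=host/gatekeeper.example.org" gkeeper
"""

# Legacy GSI proxies append /CN=proxy or /CN=limited proxy to the issuer's
# subject; RFC 3820 proxies append a numeric /CN=<serial>.
_PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|[0-9]+)$")


def parse_gridmap(text):
    """Return an ordered list of (dn, [accounts]). Malformed lines raise rather
    than being skipped: a mapping file that silently loses lines is worse than
    one that refuses to load."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            end = line.find('"', 1)
            if end < 0:
                raise ValueError(f"line {lineno}: unterminated quoted DN")
            dn, rest = line[1:end], line[end + 1:]
        else:                       # unquoted DNs cannot contain whitespace
            parts = line.split(None, 1)
            dn, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        accounts = [a for a in rest.strip().split(",") if a]
        if not dn or not accounts:
            raise ValueError(f'line {lineno}: expected "<DN>" <account>[,...]')
        entries.append((dn, accounts))
    return entries


def identity_from_subject(subject):
    """Strip proxy CN components to get the end-entity subject the gridmap is
    keyed on. Simplified (assumption): real code walks the certificate chain
    instead of pattern-matching the string, and so does not mis-handle an
    end-entity certificate whose own CN happens to be numeric."""
    while True:
        stripped = _PROXY_CN.sub("", subject)
        if stripped == subject:
            return subject
        subject = stripped


def map_identity(entries, subject, requested=None):
    """Map a (possibly proxy) subject to a local account. Assumed rules: the
    first entry for the DN wins, its first account is the default, and a
    caller may only request an account that entry lists."""
    dn = identity_from_subject(subject)
    for entry_dn, accounts in entries:
        if entry_dn == dn:
            if requested is None:
                return accounts[0]
            return requested if requested in accounts else None
    return None


if __name__ == "__main__":
    entries = parse_gridmap(SAMPLE_GRIDMAP)
    proxy = "/C=US/O=Example Grid/OU=People/CN=Jane Doe/CN=proxy/CN=proxy"
    print(map_identity(entries, proxy))                         # jdoe
    print(map_identity(entries, proxy, requested="atlasprod"))  # atlasprod
    print(map_identity(entries, proxy, requested="root"))       # None
```

Two points a practitioner would check against a real deployment: that the lookup is keyed on the end-entity subject and not on the proxy's own subject (otherwise every fresh proxy would need its own gridmap line), and that a requested account outside the entry's list is refused rather than silently falling back to the default.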

Additional Management Functions

-Key Management - Managing Server credentials

Trust Root Provisioning - Provision the users with information about which CAs to trust

  • MyProxy includes a basic mechanism for managing the trust root configuration in the Globus trusted CA directory located by the X509_CERT_DIR environment variable or found in $HOME/.globus/certificates, /etc/grid-security/certificates, or $GLOBUS_LOCATION/share/certificates. Globus software will use the first directory found in this search list. MyProxy server administrators can maintain a trust root configuration on behalf of their users, which users can install and update via the myproxy-logon -T option. See Managing Trust Roots with MyProxy.
  • Grid Trust Service(GTS) - The Grid Trust Service (GTS) is a grid-wide mechanism for maintaining and provisioning a federated trust fabric consisting of trusted certificate authorities, such that grid services may make authentication decisions against the most up to date information.
  • EGEE uses RPMs to distribute SW as well as the updated CAs/CRLs.
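
The search order that MyProxy and other Globus software follow for the trusted-CA directory is easy to get wrong in deployment (a stale $HOME/.globus/certificates silently shadows the site directory). The code below is an example added to this page, not MyProxy or Globus code: it resolves the directory in the order listed above, with the filesystem check injectable so the logic can be exercised against a constructed layout, and it inventories a trust root by the <hash>.0, <hash>.signing_policy and <hash>.r0 files Globus expects. The sample file names are constructed.

```python
# Resolving the Globus trusted-CA directory in the documented order and
# checking what a provisioned trust root contains. Example added for this
# page, not MyProxy or Globus Toolkit code.
import os
import re


def candidate_dirs(env, home):
    """Search order from the page: X509_CERT_DIR, the user's directory, the
    site directory, then the installation's directory."""
    dirs = []
    if env.get("X509_CERT_DIR"):
        dirs.append(env["X509_CERT_DIR"])
    dirs.append(os.path.join(home, ".globus", "certificates"))
    dirs.append("/etc/grid-security/certificates")
    if env.get("GLOBUS_LOCATION"):
        dirs.append(os.path.join(env["GLOBUS_LOCATION"], "share", "certificates"))
    return dirs


def resolve_cert_dir(env, home, isdir=os.path.isdir):
    """First existing directory wins; None if no trust root is configured."""
    for d in candidate_dirs(env, home):
        if isdir(d):
            return d
    return None


# Trust root layout: <hash>.0 is the CA certificate, <hash>.signing_policy
# restricts which subject names that CA may sign, <hash>.r0 is its CRL.
_HASHED = re.compile(r"^([0-9a-f]{8})\.(0|r0|signing_policy)$")


def inventory(filenames):
    """Group files by CA hash and report which parts are present."""
    by_hash = {}
    for name in filenames:
        m = _HASHED.match(name)
        if m:
            by_hash.setdefault(m.group(1), set()).add(m.group(2))
    return {h: {"cert": "0" in parts,
                "signing_policy": "signing_policy" in parts,
                "crl": "r0" in parts}
            for h, parts in sorted(by_hash.items())}


def problems(report):
    """A CA without a signing policy is not usable by Globus; a CA without a
    CRL means revocation is not being checked (myproxy-logon -T refreshes CRLs)."""
    out = []
    for h, f in report.items():
        if not f["cert"]:
            out.append(f"{h}: orphaned files, no {h}.0 certificate")
        elif not f["signing_policy"]:
            out.append(f"{h}: missing {h}.signing_policy")
        elif not f["crl"]:
            out.append(f"{h}: no CRL ({h}.r0), revocation not checked")
    return out


# Constructed directory listing used for the demonstration.
SAMPLE_FILES = ["d1b603c3.0", "d1b603c3.signing_policy", "d1b603c3.r0",
                "01c5e3f1.0", "01c5e3f1.signing_policy",
                "a9b3c2d4.signing_policy", "README"]

if __name__ == "__main__":
    cert_dir = resolve_cert_dir(dict(os.environ), os.path.expanduser("~"))
    print("trust root in use:", cert_dir)
    files = os.listdir(cert_dir) if cert_dir else SAMPLE_FILES
    for line in problems(inventory(files)):
        print(line)
```

Run stand-alone it reports on the live trust root when one is found and on the constructed listing otherwise. The useful operational check is the resolution step: if the result is a per-user directory while the site keeps CRLs fresh in /etc/grid-security/certificates, that user's CRLs are whatever they were at the last `myproxy-logon -T`.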

Additional Key Capabilities

-Secure conversations (session state)

-Privacy policy

-Bindings security (transport, protocol, message security)

-Secure logging
