Incubator/GAARDS

Project Overview


The Grid Authentication and Authorization with Reliably Distributed Services (GAARDS) provides services and tools for the administration and enforcement of security policy in an enterprise Grid. GAARDS was developed on top of the Globus Toolkit and extends the Grid Security Infrastructure (GSI) to provide enterprise services and administrative tools for: 1) grid user management, 2) identity federation, 3) trust management, 4) group/VO management, 5) access control policy management and enforcement, and 6) integration between existing security domains and the grid security domain. GAARDS services can be used individually or grouped together to meet the authentication and authorization needs of Grids. Below is a list of some of the core services provided by GAARDS:

[Figure 1: GAARDS Security Infrastructure]
  • Dorian – A grid service for the provisioning and management of grid user accounts. Dorian provides an integration point between external security domains and the grid, allowing accounts managed in external domains to be federated and managed in the grid. Dorian allows users to use their existing credentials (external to the grid) to authenticate to the grid.
  • Grid Trust Service (GTS) – A grid-wide mechanism for maintaining and provisioning a federated trust fabric consisting of trusted certificate authorities, such that grid services may make authentication decisions against the most up-to-date information.
  • Grid Grouper – Provides a group-based authorization solution for the Grid, wherein grid services and applications enforce authorization policy based on membership in groups defined and managed at the grid level.
  • Authentication Service – Provides a framework for issuing SAML assertions for existing credential providers such that they may be easily integrated with Dorian and other grid credential providers. The authentication service also provides a uniform authentication interface on which applications can be built.
  • Common Security Module (CSM) – Provides a centralized approach to managing and enforcing access control policy.

The diagram on this page illustrates the GAARDS security infrastructure. In order for users/applications to communicate with secure services, they need grid credentials, and obtaining grid credentials requires having a Grid User Account. Dorian provides two methods for registering for a grid user account: 1) registering directly with Dorian, or 2) having an existing user account in another security domain. It is anticipated that most users will use their existing locally provided credentials to obtain grid credentials, and that only users who are un-affiliated with an existing credential provider will register directly with Dorian. In order to use an existing user account to obtain grid credentials, the existing credential provider must be registered in Dorian as a Trusted Identity Provider. It is anticipated that the majority of grid user accounts will be provisioned based on existing accounts. The advantages of this approach are: 1) users can use their existing credentials to access the grid, and 2) administrators only need to manage a single account for a given user.

To obtain grid credentials, Dorian requires proof, in the form of a SAML assertion (see the Dorian design guide for details), that the user authenticated locally. The GAARDS Authentication Service provides a framework for issuing SAML assertions for existing credential providers such that they may be used to obtain grid credentials from Dorian. The authentication service also provides a uniform authentication interface on which applications can be built. Figure 1 illustrates the process for obtaining grid credentials: the user/application first authenticates with their local credential provider via the authentication service and obtains a SAML assertion as proof that they authenticated. They then present the SAML assertion provided by the authentication service to Dorian to obtain grid credentials.
Assuming the local credential provider is registered with Dorian as a trusted identity provider and that the user's account is in good standing, Dorian will issue grid credentials to the user. It should be noted that the use of the authentication service is not required; an alternative mechanism for obtaining the SAML assertion required by Dorian can be used. If a user is registered directly with Dorian and not through an existing credential provider, they may contact Dorian directly to obtain grid credentials.

Once a user has obtained grid credentials from Dorian they may invoke secure services. Upon receiving grid credentials from a user, a secure service authenticates the user to ensure that the user has presented valid grid credentials. Part of the grid authentication process is verifying that the grid credentials presented were issued by a trusted grid credential provider (i.e., Dorian or another certificate authority). The Grid Trust Service (GTS) maintains a federated trust fabric of all the trusted digital signers in the grid. Credential providers such as Dorian and grid certificate authorities are registered as trusted digital signers and regularly publish new information to the GTS. Grid services authenticate grid credentials against the trusted digital signers in a GTS.

Once the user has been authenticated, a secure grid service next determines whether the user is authorized to perform what they requested. Grid services have many different options available to them for performing authorization. The GAARDS infrastructure provides two approaches, which can be used independently or together. It is important to note that any other authorization approach can be used in conjunction with the GAARDS authentication/trust infrastructure. The Grid Grouper service provides a group-based authorization solution for the Grid, wherein grid services and applications enforce authorization policy based on membership in groups defined and managed at the grid level. Grid services can use Grid Grouper directly to enforce their internal access control policies. Assuming the authorization policy is based on membership in groups provisioned by Grid Grouper, a service can determine whether a caller is authorized by simply asking Grid Grouper whether the caller is in a given group. The Common Security Module (CSM) is a more centralized approach to authorization. CSM is a tool for managing and enforcing access control policy centrally. Access control policies can be based on membership in groups in Grid Grouper. Grid services that use CSM for authorization simply ask CSM whether a user can perform a given action. Based on the access control policy maintained in CSM, CSM decides whether or not the user is authorized. In Figure 1, the grid services defer authorization to CSM. CSM enforces its group-based access control policy by asking Grid Grouper whether the caller is a member of the groups specified in the policy.
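The Figure 1 flow described in the three paragraphs above (local login via the Authentication Service, credential issuance by Dorian, authentication against the GTS trust fabric, then Grid Grouper / CSM authorization), as an added toy model that is not part of GAARDS or caGrid (GAARDS itself is Java on the Globus Toolkit). HMAC stands in for the XML signatures on SAML assertions and the X.509 credentials that the real system uses; every class, user, group, secret and policy entry here is constructed for the illustration, and the model shows why Dorian checks the issuing identity provider and account status, why the service checks the credential's signer against GTS, and how CSM defers to Grid Grouper.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def _sign(key: bytes, payload: str) -> str:
    # Toy signature: HMAC-SHA256 over the payload (stand-in for real signatures).
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


@dataclass
class Signer:
    """Any digital signer: a local credential provider, Dorian, or a grid CA."""
    name: str
    key: bytes  # constructed secret, standing in for a private key

    def sign(self, payload: str) -> tuple:
        return (self.name, payload, _sign(self.key, payload))

    def verify(self, doc: tuple) -> bool:
        signer, payload, sig = doc
        return signer == self.name and hmac.compare_digest(sig, _sign(self.key, payload))


@dataclass
class AuthenticationService:
    """Fronts an existing credential provider; returns a signed assertion on login."""
    idp: Signer
    passwords: dict  # user -> password (constructed test data)

    def authenticate(self, user: str, password: str):
        if self.passwords.get(user) != password:
            return None  # no assertion without a successful local login
        return self.idp.sign(f"authenticated:{user}@{self.idp.name}")


@dataclass
class Dorian(Signer):
    trusted_idps: dict = field(default_factory=dict)  # idp name -> Signer
    accounts: dict = field(default_factory=dict)      # "user@idp" -> status

    def issue_credential(self, assertion):
        if assertion is None:
            return None
        idp_name, payload, _ = assertion
        idp = self.trusted_idps.get(idp_name)
        if idp is None or not idp.verify(assertion):
            return None  # assertion from an untrusted (or forged) identity provider
        subject = payload.split(":", 1)[1]  # e.g. alice@osu-idp
        if self.accounts.get(subject) != "active":
            return None  # grid account unknown or not in good standing
        return self.sign(f"grid-credential:{subject}")


@dataclass
class GridTrustService:
    """Federated trust fabric: the digital signers a service may trust."""
    trusted_signers: dict = field(default_factory=dict)  # name -> Signer

    def authenticate(self, credential):
        signer = self.trusted_signers.get(credential[0])
        if signer is None or not signer.verify(credential):
            return None
        return credential[1].split(":", 1)[1]  # the authenticated grid identity


@dataclass
class GridGrouper:
    groups: dict = field(default_factory=dict)  # group -> set of identities

    def is_member(self, identity: str, group: str) -> bool:
        return identity in self.groups.get(group, set())


@dataclass
class CommonSecurityModule:
    """Central policy: (resource, action) -> group whose members may do it."""
    grouper: GridGrouper
    policy: dict = field(default_factory=dict)

    def is_authorized(self, identity: str, resource: str, action: str) -> bool:
        group = self.policy.get((resource, action))
        return group is not None and self.grouper.is_member(identity, group)


def invoke_secure_service(credential, gts, csm, resource, action) -> str:
    """A secure service: authenticate against GTS, then defer authorization to CSM."""
    identity = gts.authenticate(credential)
    if identity is None:
        return "authentication failed"
    if not csm.is_authorized(identity, resource, action):
        return f"{identity}: not authorized for {action} on {resource}"
    return f"{identity}: {action} on {resource} permitted"


def run_scenario() -> dict:
    """One happy path plus the failure modes the text describes (constructed data)."""
    osu = Signer("osu-idp", b"osu-secret")
    rogue = Signer("rogue-idp", b"rogue-secret")  # never registered in Dorian
    auth = AuthenticationService(osu, {"alice": "pw-a", "bob": "pw-b"})
    rogue_auth = AuthenticationService(rogue, {"mallory": "pw-m"})
    dorian = Dorian("dorian", b"dorian-secret", trusted_idps={"osu-idp": osu},
                    accounts={"alice@osu-idp": "active", "bob@osu-idp": "suspended"})
    gts = GridTrustService({"dorian": dorian})
    grouper = GridGrouper({"data-readers": {"alice@osu-idp"}})
    csm = CommonSecurityModule(grouper, {("dataset", "read"): "data-readers"})

    results = {}
    cred = dorian.issue_credential(auth.authenticate("alice", "pw-a"))
    results["alice read"] = invoke_secure_service(cred, gts, csm, "dataset", "read")
    results["alice write"] = invoke_secure_service(cred, gts, csm, "dataset", "write")
    results["bob suspended"] = dorian.issue_credential(auth.authenticate("bob", "pw-b"))
    results["rogue idp"] = dorian.issue_credential(rogue_auth.authenticate("mallory", "pw-m"))
    forged = rogue.sign("grid-credential:mallory@rogue-idp")  # signer unknown to GTS
    results["forged cred"] = invoke_secure_service(forged, gts, csm, "dataset", "read")
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case}: {outcome}")
```

The two trust decisions live in different places on purpose: Dorian decides whether an identity provider and account are acceptable before any grid credential exists, while a secure service never consults Dorian at call time and instead checks the credential's signer against the GTS fabric, so a credential signed by anything not published to GTS fails authentication before authorization is ever considered.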


Product Metadata

Status

GAARDS is currently under development as part of the caGrid project. caGrid is the core middleware for the caBIG project. GAARDS is an effort undergoing incubation at Globus. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision-making process have stabilized in a manner consistent with other successful Globus projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by Globus. The status of GAARDS is: Newly accepted Incubator Project, November 2006, as defined by the Incubator Process Guidelines found at http://dev.globus.org/wiki/Incubator/Incubator_Process.


Download Software and Documentation

Download Software

Software Documentation

Technical Resources

Roadmap

Coming Soon.

Incubator Project Metadata

Committers

Stephen Langella, Ohio State University
Scott Oster, Ohio State University
Shannon Hastings, Ohio State University
Joshua Phillips, Semantic Bits

Mailing Lists

  • CAGRID_USERS-L@LIST.NIH.GOV - General discussion list for posting questions, comments, and for getting help with technical difficulties.
  • CAGRID_DEVELOPERS-L@LIST.NIH.GOV - Developers discussion list.

Policies

The GAARDS Project adheres to the Globus Alliance Project Guidelines.

Guidelines for committers

  • Currently this project's source code is managed at the caBIG GForge.

Guidelines for individual contributors

  • If you wish to become a contributor to this project, please email Stephen Langella at langella@bmi.osu.edu.

Contributors

The GAARDS project gratefully acknowledges the following contributors:

  • Joel Saltz, Ohio State University
  • Tahsin Kurc, Ohio State University
  • Frank Siebenlist, Argonne National Labs
  • Tom Barton, University of Chicago
  • Avinash Shanbhag, NCICB