POLICY SPECIFICATION AND DELEGATION IN GLOBUS PROXIES

Babu Sundaram , University of Houston
Christopher Nebergall , Western Illinois University
Steven Tuecke, Argonne National Labs

[ Presented as Research gem at SC2000 ]

Abstract

Grid Security gets complicated when users need a single log-on to distributed resources that have heterogeneous local policies. Policy languages with rich features and functionalities are needed to specify security policies in proxies. This approach is examined for the Globus toolkit. Also, facilities for site administrators to specify local policies were considered. Classified Advertisements, from the University of Wisconsin Condor project, were used to specify and evaluate policies as attributes. The appropriate attributes have been identified. Also, the authentication and the authorization processes are successfully implemented by modifying the Globus Proxy initiation, Gatekeeper, and Job-manager. This provides fine-grained control and more protection against stolen proxies.

 

Technologies involved : SSL, PKI, X.509 certificates, Condor, Classified Advertisements

Overview of Proxies in Globus 1.1.3

• Short-lived credential that acts as a stand-in for the user
• Limited to use, More chance to abuse... :-)
• All delegated proxies are 'limited' by default
• No facility for user to control and specify site/job restriction
• Gatekeeper has to accept every proxy from a user ( normally!! )

 

What do we add...

• Add facilities to specify policies
• More protection against stealing of credentials
• Authentication and authorization are now Negotiation (Match-making)
• Simply, fine-grained control on what you want to do ...

 

How to achieve the goal?

• Classified Advertisements - Policy Language
• Modify grid-proxy-init, gatekeeper, jobmanager to deal with ClassAds
• Restrictions attached as extensions to certificates
• Match between Client ClassAd and Gatekeeper ClassAd = Authentication
• So, what is Authorization equivalent to??

 

Link to the Poster exhibited at the SC2000 Conference. You can also take a look at the poster slides ppt