Publications

Featured research published by Markus Lorch.


Workshop on XML Security | 2003

First experiences using XACML for access control in distributed systems

Markus Lorch; Seth Proctor; Rebekah Lepro; Dennis G. Kafura; Sumit Shah

Authorization systems today are increasingly complex. They span domains of administration, rely on many different authentication sources, and manage permissions that can be as complex as the system itself. Worse still, while there are many standards that define authentication mechanisms, the standards that address authorization are less well defined and tend to work only within homogeneous systems. This paper presents XACML, a standard access control language, as one component of a distributed and interoperable authorization framework. Several emerging systems which incorporate XACML are discussed. These discussions illustrate how authorization can be deployed in distributed, decentralized systems. Finally, some new and future topics are presented to show where this work is heading and how it will help connect the general components of an authorization system.


Latin American Web Congress | 2003

The PRIMA system for privilege management, authorization and enforcement in grid environments

Markus Lorch; David B. Adams; Dennis G. Kafura; M. S. R. Koneni; A. Rathi; Sumit Shah

Many grid usage scenarios depend on small, dynamic working groups for which the ability to establish transient collaboration with little or no intervention from resource administrators is a key requirement. The system developed, PRIMA, focuses on the issues of management and enforcement of fine-grained privileges. Dynamic account creation and leasing as well as expressive enforcement mechanisms facilitate highly dynamic authorization policies and least-privilege access to resources. PRIMA mechanisms enable the use of fine-grained access rights, reduce administrative costs to resource providers, enable ad hoc and dynamic collaboration scenarios, and can also be used to provide improved security service to long-lived grid communities while leveraging other work in the grid computing and security domains.


Cluster Computing and the Grid | 2002

Symphony - A Java-Based Composition and Manipulation Framework for Computational Grids

Markus Lorch; Dennis G. Kafura

We introduce the Symphony framework, a software abstraction layer that can sit on top of grid systems. Symphony provides a unified API for grid application developers and offers a graphical user interface for rapid collaborative development and deployment of grid applications and problem solving environments through compositional modeling following the data-flow paradigm. Symphony meta-programs and program components can be distributed, reused and modified. Together with Symphony a new security model is developed that extends existing security architectures to allow for collaboration of grid developers and users in permanent as well as ad-hoc working groups.


Cluster Computing and the Grid | 2004

A hardware-secured credential repository for Grid PKIs

Markus Lorch; Jim Basney; Dennis G. Kafura

Public key infrastructures suffer from usability and security problems associated with the request for and secure management of end user credentials. Online credential repositories provide mechanisms to ease these shortcomings but pose attractive targets for attacks due to the accumulation of credentials and the need for remote access to these credentials. Through the extension of an existing credential repository with a cryptographic coprocessor for secure storage of credentials, an increase in the security of the service can be achieved. This higher security permits the use of online credential repositories with a wide variety of certificates without violating certification authority regulations. Also, the improved performance afforded by hardware support improves the scalability of centralized credential storage.


Latin American Web Congress | 2003

An XACML-based policy management and authorization service for Globus resources

Markus Lorch; Dennis G. Kafura; Sumit Shah

We describe our approach to a policy management system and a policy enforcement point which is integrated into the Globus Toolkit middleware. Our system enables the specification and modification of resource policies by administrative parties through a graphical user interface, and the secure association with and transport of these policies to the policy decision components.


Journal of Grid Computing | 2004

The PRIMA Grid Authorization System

Markus Lorch; Dennis G. Kafura

PRIMA, a system for PRIvilege Management and Authorization, provides enhanced Grid security services. The requirements for these services are derived from usage scenarios and supported by a survey of Grid users. The requirements for added flexibility, increased expressiveness, and more precise enforcement are met by a combination of three mechanisms: (1) use of secure, fine-grained privileges representing externalized access rights for Grid resources that can be freely created, shared, and employed by Grid users; (2) a dynamic policy generated for each request combining the request's user-provided privileges with the resource's access control policy; and (3) dynamic execution environments specially provisioned for each request that are enforced by the resource's native operating system and which support legacy applications. PRIMA has been implemented as an extension of the Globus Toolkit Grid middleware.


Grid Computing | 2002

Supporting Secure Ad-hoc User Collaboration in Grid Environments

Markus Lorch; Dennis G. Kafura

We envision that many grid usage scenarios will be based on small, dynamic working groups for which the ability to establish transient collaboration is a key requirement. Current grid security mechanisms support individual users as members of well-defined virtual organizations. Recent research seeks to provide manageable grid security services for self-regulating, stable communities. Our prior work with component-based systems for grid computation demonstrated a need to support spontaneous, limited, short-lived collaborations which rely on shared or delegated fine-grained access privileges. Our mechanisms enable the high-level management of such fine-grained privileges based on PKIX attribute certificates and enforce the resulting access policies through readily available POSIX operating system extensions. In combination, our mechanisms leverage other work in the grid computing and security communities, reduce administrative costs to resource providers, enable ad-hoc collaboration through incremental trust relationships, and can be used to provide improved security service to long-lived communities.


Grid Computing | 2005

Authorization and account management in the Open Science Grid

Markus Lorch; Dennis G. Kafura; I. Fisk; Kate Keahey; Gabriele Carcassi; Timothy Freeman; Timur Perelmutov; Abhishek Singh Rana

An attribute-based authorization infrastructure developed for the Open Science Grid is presented. The infrastructure integrates existing identity-mapping and group-membership services using concepts prototyped in the PRIMA system. Authorization scenarios for requests to compute and data resources are detailed. A new SAML obligated authorization decision statement is introduced that attaches an XACML obligation to the authorization decision. The use of obligations enables site-centralized, service-independent policy management. Authorization decisions are enforced via a Workspace Service that creates constrained execution environments configured in accordance with the obligations and other attribute-based information. Finally, an experimental PRIMA authorization service that extends and simplifies the infrastructure is described.


IEEE International Conference on High Performance Computing, Data and Analytics | 2008

Authorisation and identity mapping services for the Open Science Grid

Markus Lorch; Dennis G. Kafura; I. Fisk; Kate Keahey; Timothy Freeman; Abhishek Singh Rana; F. Würthwein

An attribute-based authorisation infrastructure developed for the Open Science Grid (OSG) is presented. The infrastructure integrates existing identity-mapping and group-membership services using concepts prototyped in the PRIMA system. Authorisation scenarios for requests to compute and data resources are detailed. A new SAML obligated authorisation decision statement is introduced that attaches an XACML obligation to the authorisation decision. The use of obligations enables site-centralised, service-independent policy management. Authorisation decisions are enforced via a Workspace Service that creates constrained execution environments configured in accordance with the obligations and other attribute-based information. Finally, an experimental PRIMA authorisation service that extends and simplifies the infrastructure is described.


Archive | 2003

Grid Community Characteristics and their Relation to Grid Security

Markus Lorch; Dennis G. Kafura

Collaboration

Top Co-Authors
Kate Keahey

Argonne National Laboratory