Difference between revisions of "GCube Security Model"
(→Components) |
(→Model) |
||
Line 40: | Line 40: | ||
===Model=== | ===Model=== | ||
− | The following VO authorisation model | + | The definition and management of access policies for gCube resources is a process involving two main actors: |
+ | |||
+ | * Resource Administrators: these actors are the owners of resources. They have the ultimate control over resource usage. They defines Sharing Rules, ruling the usage of their resources over Virtual Organization. | ||
+ | * VO Administrators: these actors are in charge of define Permissions, describing how a resource, made available to the VO by a Resource Administrator, can be used by Users. | ||
+ | |||
+ | The following diagram shows main elements of the VO authorisation model of gCube. In particular, authorisation policies in gCube are scope specific, being the scope concept defined in the [https://technical.wiki.d4science.research-infrastructures.eu/documentation/index.php/Reference_Model gCube reference model]. It is worth noticing that each scope of the gCube reference model corresponds to a Virtual Organisation in the following model. | ||
+ | |||
<center>[[Image:VO_Model.jpg|500px]]</center> | <center>[[Image:VO_Model.jpg|500px]]</center> | ||
+ | |||
Line 50: | Line 57: | ||
Each element in the diagram is briefly introduced below: | Each element in the diagram is briefly introduced below: | ||
* '''VO''': Each VO in the hierarchy represent a context in which authorization policies are defined and evaluated. | * '''VO''': Each VO in the hierarchy represent a context in which authorization policies are defined and evaluated. | ||
− | * '''User''': Users of the gCube system. Every user will be univocally identified using a set of user credentials as described in the | + | * '''User''': Users of the gCube system. Every user will be univocally identified using a set of user credentials as described in the Authentication section above. Users can be part of more than one VO. |
* '''Resource''': This element represents the set of gCube resources. Each resource is identified through a resource id, unique in the gCube infrastructure. Resources can be included in more than one VO. | * '''Resource''': This element represents the set of gCube resources. Each resource is identified through a resource id, unique in the gCube infrastructure. Resources can be included in more than one VO. | ||
* '''Operation''': Operations represents actions that can be performed on resources. Each operation is identified by an id that is unique among those of operations available on resources of a given class. | * '''Operation''': Operations represents actions that can be performed on resources. Each operation is identified by an id that is unique among those of operations available on resources of a given class. | ||
+ | * '''Sharing Rule''': These policies are defined by Resource Administrators to grant a VO access to a given resource. Sharing rules applies to VO as a whole. | ||
+ | * '''Permission''': Permissions are defined by VO Managers to grant the right to perform operations, described by Sharing Rules, to users with a specific role in the VO. Worth noticing that Permissions are defined starting to Sharing Rules and cannot be less restrictive of Sharing Rules they derives from. | ||
+ | * '''Role''': Roles are associated to users in order to grant them the associated set of permissions. Roles in the gCube authorisation model are associated to users in the context of a given scope. | ||
− | + | Policy enforcement is performed by resources contacting the authorization components, described below, and verifying that the operation asked by the client complies with the set of defined policies (Sharing Rules and Permissions). The '''push authorization model''' is used to enforce authorization for gCube resources<ref name="AUTHZ_MODELS">http://www.ogf.org/documents/GFD.38.pdf</ref>. In such a model a piece of information, named Attribute Certificate (AC) is signed by a trusted identity on user's request. The AC is embedded in the client certificate and sent to the Running Instance during authentication[<ref name="ATTRIB_CERT">http://www.ietf.org/rfc/rfc3281.txt</ref>]. RIs can thus extract user roles from the received certificate and, knowing the resource id, the scope, and the operation invoked, contact the authorization component asking for an authorization decision. | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | Policy enforcement | + | |
===Components=== | ===Components=== |
Revision as of 15:31, 9 July 2009
This page describes the overall security model of gCube. Firstly, the authentication handling is introduced, briefly describing the model and components used by gCube to verify user's identity. Secondly, the authorization section gives a brief description of how the access control is managed in gCube, also introducing main services and components in charge to maintain and enforce authorization policies.
Contents
Authentication
"Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true. This might involve confirming the identity of a person, the origins of an artifact, or assuring that a computer program is a trusted one."[1]
Being gCube a distributed system, the authentication process mainly focuses on verifying the identity of communicating entities, i.e. users (through the gCube portal), and Running Instances. This is achieved through the use of authentication tokens, i.e. piece of information, that are exchanged between communicating entities to prove their mutual identity.
Delegation
In short, delegation is the process of letting a system entity, typically a service or an application, to act on behalf of another one, e.g a user. This is normally needed in distributed N-Tier multi-domain applications to take (limited) advantage of privileges grant to the original entity, without the need to directly assign them to the delegated entity[2]. Therefore, identity delegation in gCube refers to the process of allowing system services and resources to act on user's behalf. An important point concerning delegation is that, in gCube, services can be dynamically deployed, and autonomously operate in the infrastructure. This implies that a delegation mechanism of user's credentials is required by those services that act in the infrastructure on the user's behalf.
Model
gCube architecture exploits the Public Key Infrastructure[3] (PKI) to uniquely identify users and services in the infrastructure. gCube users and services are provided with an authentication token, named credentials, i.e. a private key and a public certificate, that are used to authenticate them to other entities. In PKI, credentials are issued and revoked to users by a trusted entity, named Certification Authority (CA). The gCube infrastructure is designed to support CAs acknowledged by the International Grid Trust Federation[4] (IGTF) as well as an infrastructure-specific CA, named "D4Science CA" in the following.
As from the previous, each interaction between gCube Running Instances, e.g. a service invocation, should be performed in gCube using valid credentials, issued by a trusted Certification Authority (CA).
As a consequence of this every authenticated communication between gCube entities is performed using valid credentials, issued by a trusted Certification Authority (CA). As far as the security protocol used during the communication, gCube adopts the HTTPS[5] one. This mechanism provides integrity and privacy, by means of encryption, for authenticated communications. The choice of the HTTPS mechanism to protect gCube interactions, in place of message-level mechanisms like WS-SecureMessage and WS-SecureConversation[6], is mainly due to the better performances provided by HTTPS with respect to message-level security mechanisms.
Nevertheless, despite HTTPS performances, security does not come for free. Sometimes, the overhead introduced in service invocation by the security handshake can take much longer than the invocation itself, thus excessively penalizing the service usability. For this reason, wherever the cost of security was judged too high with respect to advantages introduced, unauthenticated invocations among gCube entities have been allowed also. In those cases, as unauthenticated invocations are performed without valid credentials, neither authentication nor authorization are enforced.
Components
Credentials in the gCube infrastructure are managed by the following set of components:
- MyProxy service - the MyProxy[7] service maintains a delegated short-term copy of user's credentials. The gCube MyProxy configuration allows for storing both credentials issued by IGTF CAs, both for credentials issued by the D4Science CA. In this second case short-lived credentials are generated on the fly for the user, using the MyProxy online CA functionality[8].
- Delegation and CredentialRenewal services - The Delegation service provides gCube services with valid credentials to authenticate themselves in the infrastructure. The provisioning of credentials to services operated by the Delegation depends on service security configuration, being the use of container credentials the most common, and simple, case. For services requiring to act on the user behalf, the Delegation interacts with the Credentials Renewal service to retrieve delegated user's credentials. The delegation of user's credentials to a service is subject to a defined set of delegation policies.
A more detailed description of the structure and behaviour of the authentication-related components can be found in the Virtual Organisation Management page.
Authorization
"Authorization is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define access policy. For example, Human Resources staff are normally authorized to access employee records, and this policy is usually formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be granted or rejected."[9].
Authorization rights in gCube are based upon the Role Based Access Control[10](RBAC) model. In RBAC, each identity is associated to one or more attributes, named roles, that are, in turn, linked to permissions granted to the role itself. This allows for a more flexible management of permissions, with respect to mandatory access control (MAC) and discretionary access control (DAC), that directly link permissions to identities.
As a consequence, gCube users must held a role to operate in the gCube infrastructure. In particular authorization policies in the system are defined with respect to roles, that, in turn, are assigned to users. Each resource is then in charge to enforce authorization policies on incoming requests.
In distributed, multi-domain systems the term Virtual Organisation (VO) refers to virtual environments spanning across different administrative domains[11]. gCube architecture mainly aims at enabling Virtual Research Environments, and for this reason Virtual Organizations are a core concept of GCube. In particular, when it comes to authorization, the RBAC model must be merged to the sharing of resources typically enabled in the context of a VO.
Model
The definition and management of access policies for gCube resources is a process involving two main actors:
* Resource Administrators: these actors are the owners of resources. They have the ultimate control over resource usage. They defines Sharing Rules, ruling the usage of their resources over Virtual Organization. * VO Administrators: these actors are in charge of define Permissions, describing how a resource, made available to the VO by a Resource Administrator, can be used by Users.
The following diagram shows main elements of the VO authorisation model of gCube. In particular, authorisation policies in gCube are scope specific, being the scope concept defined in the gCube reference model. It is worth noticing that each scope of the gCube reference model corresponds to a Virtual Organisation in the following model.
Each element in the diagram is briefly introduced below:
- VO: Each VO in the hierarchy represent a context in which authorization policies are defined and evaluated.
- User: Users of the gCube system. Every user will be univocally identified using a set of user credentials as described in the Authentication section above. Users can be part of more than one VO.
- Resource: This element represents the set of gCube resources. Each resource is identified through a resource id, unique in the gCube infrastructure. Resources can be included in more than one VO.
- Operation: Operations represents actions that can be performed on resources. Each operation is identified by an id that is unique among those of operations available on resources of a given class.
- Sharing Rule: These policies are defined by Resource Administrators to grant a VO access to a given resource. Sharing rules applies to VO as a whole.
- Permission: Permissions are defined by VO Managers to grant the right to perform operations, described by Sharing Rules, to users with a specific role in the VO. Worth noticing that Permissions are defined starting to Sharing Rules and cannot be less restrictive of Sharing Rules they derives from.
- Role: Roles are associated to users in order to grant them the associated set of permissions. Roles in the gCube authorisation model are associated to users in the context of a given scope.
Policy enforcement is performed by resources contacting the authorization components, described below, and verifying that the operation asked by the client complies with the set of defined policies (Sharing Rules and Permissions). The push authorization model is used to enforce authorization for gCube resources[12]. In such a model a piece of information, named Attribute Certificate (AC) is signed by a trusted identity on user's request. The AC is embedded in the client certificate and sent to the Running Instance during authentication[[13]]. RIs can thus extract user roles from the received certificate and, knowing the resource id, the scope, and the operation invoked, contact the authorization component asking for an authorization decision.
Components
Following main elements are part of the gCube authorization architecture:
- VOMS - in gCube, a VOMS[14] server maintains the scope hierarchy as a groups hierarchy in a dedicated VOMS VO. It is also in charge to store the set of gCube users, as well as their group membership and roles assigned to them. Finally, VOMS is in charge to release signed Attribute Certificated on user's behalf.
- Authorization Service - This service is in charge to store authorization policies for gCube resources, i.e. which roles are needed in a given VO to perform an operation on a resource. This component is also in charge of issuing authorization decisions, whenever asked by Running Instances.
A more detailed description of the structure and behaviour of the authorization-related components can be found in the Virtual Organisation Management page.
References
- ↑ http://en.wikipedia.org/wiki/Authentication
- ↑ http://middleware.internet2.edu/webiso/docs/draft-lajoie-trust_and_delegation-02.html
- ↑ http://en.wikipedia.org/wiki/Public_key_infrastructure
- ↑ http://www.igtf.net/
- ↑ http://en.wikipedia.org/wiki/HTTP_Secure
- ↑ http://specs.xmlsoap.org/ws/2005/02/sc/WS-SecureConversation.pdf
- ↑ http://grid.ncsa.uiuc.edu/myproxy/
- ↑ http://grid.ncsa.uiuc.edu/myproxy/ca/
- ↑ http://en.wikipedia.org/wiki/Authorization
- ↑ http://en.wikipedia.org/wiki/Role-Based_Access_Control
- ↑ http://www.ci.uchicago.edu/events/VirtOrg2008/VO_report.pdf
- ↑ http://www.ogf.org/documents/GFD.38.pdf
- ↑ http://www.ietf.org/rfc/rfc3281.txt
- ↑ http://grid-auth.infn.it/