• No results found

Federated Access Control in Heterogeneous Intercloud Environment: Basic Models and Architecture Patterns

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Federated Access Control in Heterogeneous Intercloud Environment: Basic Models and Architecture Patterns"

Copied!
28
0
0

Loading.... (view fulltext now)

Download now ( 28 Page )

Full text

(1)

Federated Access Control in Heterogeneous

Intercloud Environment:

Basic Models and Architecture Patterns

Craig Lee, The Aerospace Corporation

On behalf of

Yuri Demchenko, Craig Lee, Canh Ngo, Cees de Laat

Intercloud2014 Workshop

(2)

Outline

• Background to this work

• Federation in Grid and Clouds

• InterCloud Federation Framework (ICFF) and federation infrastructure

patterns

• Federated Access Control and Federated Identity Management in clouds

• Additional information

(3)

Background to this work

• Cloud Federation BoF at OGF and follow on

– As the main motivation motivated work of current author team

with wide consultation with Grid and Cloud community

• Research at the University of Amsterdam on developing

of the Intercloud Architecture Framework (ICAF)

– Where the Intercloud Federation Framework is defined as a

component for multi-provider infrastructure integration

• EGI (European Grid Initiative) Federated Cloud Task

Force

– Building Federated Cloud model based on Grid VO based

federation model

(4)

Federation in Grid and Clouds: Grid VO vs Cloud

Virtual Infrastructure

• Grid federates resources and users by creating Virtual

Organisations (VO)

– VO membership is maintained by assigning VO membership

attributes to VO resources and members

– Resources remain under control of the resource owner

organisation Grid Centers

– Users remain members of their Home Organisations (HO)

• AuthN takes place at HO or Grid portal

• To access VO resources, VO members need to obtain VOMS

certificate or VOMS credentials

• In clouds, both resources and user accounts are

created/provisioned on-demand as virtualised

components/entities

– User accounts/identities can be provisioned together with

access rights to virtual resources

(5)

Cloud Federation: Actors and Roles

• Cloud Service Provider (CSP)

• Cloud Customer (organisational)

– Multitenancy is provided by virtualisation of cloud

resources provided to all/multiple customers

• Cloud User (end user)

• Cloud (Service) Broker

• Identity Provider (IDP)

• Cloud Carrier

• Cloud Service Operator

• Cloud Auditor

(6)

Cloud Federation – Scaling up and down

• Scalability is one of the main cloud feature

– To be considered in the context of hybrid cloud service

model

• Cloud burst and outsourcing enterprise services to cloud

• Cloud services migration and replication between CSP

• Scaling up

– Identities provisioning

– Populating sessions context

• Scaling down

– Identity deprovisioning: Credentials revocation?

– Sessions invalidation vs restarting

(7)

Cloud Federation Models – Identified models

User/customer side federation

• (1.1) Federating users/HO and CSP/cloud domains

– Customer doesn’t have own IDP (IDP-HO)

– Cloud Provider’s IDP is used (IDP-CSP)

• (1.2) Federating HO and CSP domains

– Customer has own IDP-HO1

– It needs to federate with IDP-CSP, i.e. have ability to use HO

identities at CSP services

• (1.3) Using 3rd party IDP for external users

– Example: Web server is run on cloud and external user are registered

for services

Provider (resources) side federation

• (2.1) Federating CSP’s/multi-provider cloud resources

– Used to outsource and share resources between CSP

– Typical for community clouds

(8)

Basic Cloud Federation model (1.1) – Federating

users/HO and CSP/cloud domains (no IDP-HO)

Simple/basic scenario 1: Federating

Home Organisation (HO) and Cloud

Service Provider (CSP) domains

Cloud based services created for

users from HO1 and managed by

HO1 Admin/Management system

Involved major actors and roles

– CSP – Customer – User – IDP/Broker

Cloud accounts A1.1-3 are

provisioned for each user 1-3 from

HO with 2 options

– Individual accounts with new ID::pswd – Mapped/federated accounts that allows

SSO/login with user HO ID::pswd

Federated accounts may use Cloud

IDP/Broker (e.g. KeyStone) or those

created for Service Xa

TODO: Extend with AuthN/AutnZ

service in Virtual Service

Environment

Customer Home Organisation (Infrastructure services) Cloud Customer A1

(Running Service Xa) Management (Ops&Sec) IDP-HO

Cloud

Provider A

CSP IDP/ Broker HO1 Admin/Mngnt System User HO1.2 User HO1.3 User HO1.1 User A1.2 User A1.3 User A1.1 IDP-Xa Federation relations

User side Federation

IDP-Xa is a virtualised

(9)

Basic Cloud Federation model (1.2) – Federating

HO and CSP domains (IDP-HO1 and IDP-CSP)

Simple/basic scenario 1: Federating

Home Organisation (HO) and Cloud

Service Provider (CSP) domains

Cloud based services created for

users from HO1 and managed by

HO1 Admin/Management system

Involved major actors and roles

– CSP – Customer – User – IDP/Broker

Cloud accounts A1.1-3 are

provisioned for each user 1-3 from

HO with 2 options

– Individual accounts with new ID::pswd – Mapped/federated accounts that allows

SSO/login with user HO ID::pswd

Federated accounts may use Cloud

IDP/Broker (e.g. KeyStone) or those

created for Service Xa

TODO: Extend with AuthN/AutnZ

service in Virtual Service

Environment

Customer Home Organisation (Infrastructure services) Cloud Customer A1

(Running Service Xa) Management (Ops&Sec) IDP-HO1

Cloud

Provider A

CSP IDP/ Broker HO1 Admin/Mngnt System User HO1.2 User HO1.3 User HO1.1 User A1.2 User A1.3 User A1.1 IDP-Xa Federation relations

(10)

Basic Cloud Federation model (1.3) – Using 3rd

party IDP for external users

Simple/basic scenario 2: Federating

Home Organisation (HO) and Cloud

Service Provider (CSP) domains

Cloud based services created for

external users (e.g. website) and

managed by Customer 1

Involved major actors and roles

– CSP – Customer – User – IDP/Broker

Cloud accounts A1.1-3 are

provisioned for each user 1-3 from

HO with 2 options

– Individual accounts with new ID::pswd – Mapped/federated accounts that allows

SSO/login with user HO ID::pswd

Federated accounts may use Cloud

IDP/Broker (e.g. KeyStone) or those

IDP-Xa created for Service Xa

User side Federation

as instantiated service of the CSP IDPIDP-Xa can be implemented

External Users (Open Internet)

Cloud

Customer A1

(Running Service Xa) Management (Ops&Sec) Ext/3rdParty IDP-HO1

Cloud

Provider A

CSP IDP/ Broker Customer 1 Admin/Mngnt System User Xa.2 UserX a.3 User Xa.1 IDP-Xa Federation relations Direct or Dynamic link

User

User2 User3User User

(11)

Basic Cloud Federation model – Combined User

side federation

Simple/basic scenario 2: Federating

Home Organisation (HO) and Cloud

Service Provider (CSP) domains

Cloud based services created for

external users (e.g. website) and

managed by Customer 1

Involved major actors and roles

– CSP – Customer – User – IDP/Broker

Cloud accounts A1.1-3 are

provisioned for each user 1-3 from

HO with 2 options

– Individual accounts with new ID::pswd – Mapped/federated accounts that allows

SSO/login with user HO ID::pswd

Federated accounts may use Cloud

IDP/Broker (e.g. KeyStone) or those

IDP-Xa created for Service Xa

Cloud

Customer A1

(Running Service Xa)

Cloud

Provider A

CSP IDP/ Broker User Xa.2 UserX a.3 User Xa.1 IDP-Xa

User side Federation

as instantiated service of the CSP IDPIDP-Xa can be implemented

(b) External Users (Open Internet) Management (Ops&Sec) (a) IDP-HO1 (b) 3rd Party IDP (a) HO or (b) Custmr1 MgntSystem Federation relations Direct or Dynamic link

User

User2 User3User User

User1 (a) Enterprise

(12)

Basic Cloud Federation model (2.1) – Federating

CSP’s/multi-provider cloud resources

Cloud provider side

federation for resources

sharing

Federation and Trust

relations are established

between CSP’s via

Identity management

services, e.g. Identity

Providers (IDP)

– May be bilateral or via 3rd party/broker service

Includes translation or

brokering

– Trust relations – Namespaces – Attributes semantics – Policies

Inter-provider federation

is transparent to

customers/users

Provider side Federation

Cloud

Cloud Service Xa IDP-HO1

Cloud

Provider A

CSP IDP-A HO1

Admin/Mngnt HO1.2User HO1.3User User HO1.1 User A1.2 User A1.3 User A1.1 IDP-Xa

User side Infrastructure services

Cloud

Provider N

Rsr M2 Rsr M1 IDP-M Rsr N2 Rsr N1 IDP-N

Cloud

Provider K

Rsr K2 Rsr Kn1 IDP-K Rsr Ak2 Rsr Ak1 Am1Rsr

Inter-provider federation for resources sharing

Federation&Trust relations Rsr

(13)

User side

federation

(b) External Users (Open Internet) (a) IDP-HO1 (b) 3rd Party IDP (a) HO or (b) Custmr1 MgntSystem User

User2 User3User User User1 (a) Enterprise Infrastructure Cloud Provider M Cloud Service Xa

Cloud

Provider A

Cloud Provider N Rsr M2 Rsr M1 IDP-M Rsr N2 Rsr N1 IDP-N Cloud Provider K Rsr K2 Rsr Kn1 IDP-K Rsr Ak2 Rsr Ak1 Am1Rsr

Inter-provider federation for resources sharing Federation & Trust relations Rsr An1 Management (Ops&Sec)

Direct or Dynamic link

Federation relations CSP IDP-A IDP-Xa User Xa.2 User Xa.3 User Xa.1

Provider side

federation

Instantiated IDP-A => IDP-Xa

Cloud Federation

Model - Combined

(14)

Basic AuthN and AuthZ services using Federated

IDPs – For additional Credentials validation

IDP-Fed* IDP-Fed* UserRequester Policy Management Identity Attrs Resource Resource Attrs AuthN PEP PDP PAP (Policy)

2 AuthN & Attrs methods:

Push: Attrs obtained by User

Pull: Attrs fetched by AuthN

CVS

CtxHandler

Creds/Attrs Validation with User Home IDP0

ID Creds & Attrs

AuthN Tok/Assert & ID Attrs

Policy

Collection and Validating AuthZ Attrs AuthZ Attrs

IDP0

Creds/Attrs Validation with Federated IDP*

PEP - Policy Enforcement Point

PDP/ADF - Policy Decision Point

IDP – Identity Provider

PAP - Policy Authority Point

CtxHandler - Context Handler

CVS – Credentials Validation

(15)

Basic AuthN and AuthZ services using Federated

IDPs – Federation/Trust domains

IDP-Fed* IDP-Fed HO Policy Management Serv/Requester User/Req Attrs Resource Resource Attrs AuthN PEP PDP PAP (Policy) CVS CtxHandler Creds/Attrs Validation with User Home IDP0

ID Creds & Attrs

AuthN Token/Assert & ID Attrs

Policy

Collection and Validating AuthZ Attrs AuthZ Attrs

IDP0

Creds/Attrs Validation with Federated IDP-HO

User Identity Attrs Federated IDPs Admin/Security Domain 0 (User HO) Admin/Security Domain1 Service Resource Domain R

(16)

Implementation: Intercloud Federation Infrastructure

and Open Cloud eXchange (OCX)

Broker Trust Broker (I/P/S)aaS Provider AAA Gateway IDP Broker Trust Broker (I/P/S)aaS Provider AAA Gateway IDP (I/P/S)aaS Provider AAA Gateway IDP (I/P/S)aaS Provider AAA Gateway IDP FedIDP

OCX

Services

Directory (RepoSLA) Directory (RepoSLA) Discovery

OCX and federated

network infrastructure

Cloud Service Broker Cert Repo (TACAR) TTP Trusted Introducer Federated Cloud Instance Customer A (University A) Federated Cloud Instance Customer B (University B)

GEANT

Trans-European

infrastructure

(17)

Summary and Future work

• The proposed Intercloud Federation Framework is a

part of the general Intercloud Architecture

Framework and intends to provide a basis for further

API and protocols definition

• It is based on wide discussion among OGF, EGI and

cloud security community

• Currently the proposed approach and model are

being implemented as a part of the GEANT

infrastructure to support Intercloud services delivery

to member universities

(18)
(19)

Reference information and diagrams

• VO based Grid federation model

(20)
(21)

VO2007:

VO in Collaborative applications and Complex

Resource Provisioning

– Two basic use cases considered

• Grid based Collaborative applications/environment (GCE) built using

Grid middleware and integrated into existing Grid infrastructure

• Complex resource provisioning like Optical Lightpath provisioning

(OLPP), or bandwidth-on-demand (BoD)

– VO based functionality (and requirements) to support dynamic

security associations

• Dynamic Trust management

– Establishing dynamic trust management relations between VO members

• Attribute and metadata resolution and mapping

– VO-based access control service requires common VO-wide attributes

that however can be mapped to the original ones

• Policy combination and aggregation

– To allow conflict resolution and policy harmonisation between VO

members

(22)

VO2007:

VO bridging inter-organisational barriers

VO allows bridging inter-organisational barriers without changing local policies

– Requires VO Agreement and VO Security policy

– VO dynamics depends on implementation but all current implementations are rather

static

User x1 User x2 Service xa Virtual Organisation X Service xb Service xd Service xe User x5 User x4

VO users and services

Barrier Organisation A Service Ac User A3 User a1 Service Aa Service Ba Service Bc Organisation B

User A1 User A2 Service Ab

User a1 User a1 User x4 User x5 Service Bb Virtual Organisation X

(23)

Example VO Security services operation

T rus t Virtual Organisation X Authentication Service VO Mngnt Attribute Authority Identity Provider Policy Authority Authorisation Service Logging Accounting Trust Mngnt VOMS* Factory

AuthN AttrA AuthZ

Trust Directory Policy Organisation A IP/STS LogAcc Requestor Service xa Resource Service xd Factory

AuthN AttrA AuthZ

Trust Directory Policy Organisation B IP/STS LogAcc VO Context (VO ID/name) (1a) (4b) (2a) (3) (2) (4) (4a) T rus t UserDB (1b) Basic VOMS functionality in Grid

Clouds provide full

resources and infrastructure

services virtualisation

(24)

VO2007:

VOMS – standard-de-facto for VO

management

• VO Membership Service (VOMS) is a standard-de-facto

for VO management and VO-based authorisation in Grid

– VO is represented as a complex, hierarchical structure with

groups and subgroups

• Subgroup management may be delegated to different administrators

– Every user in a VO is characterised by the set of attributes

• Group/subgroup membership, roles and capabilities – so-called

3-tuples

• Combination of all 3-tuples for the user is expressed as a Fully

Qualified Attribute Name (FQAN)

• FQAN is included into VOMS X.509 Attribute Certificate (AC)

– VOMS infrastructure

• May contain multiple VOMS serves and synchronised VODB’s

• Supports user calls for VOMS AC’s and VOMS admin tasks

– VOM Registration is developed by Open Science Grid (OSG)

project to support users self-registration

(25)

VO2007:

Dynamic Security Associations

Session

– establishes security context in the form of session key that

can be a security token or simple UID bound to secure credential/context

• Session may associate/federate users, resources and actions/processes

Job/workflow

– more long-lived association and may include few

sessions

• May need to associate more distributed collection of users and resources for

longer time required to deliver a final product or service

• Job and workflow may contain decision points that switch alternative

flows/processes

• Security context may change during workflow execution or Job lifetime

• Job description may contain both user and resource lists and also provide

security policy and trust anchor(s) (TA)

Project or mission oriented cooperation

– established for longer time

cooperation (involving people and resources) to conduct some activity

• This is actually the area of currently existing VO associations

Inter-organisational association or federation

– established for

long-term cooperation, may have a wide scope of cooperative areas

• This is the area of inter-university associations

– Shibboleth Attribute Authority Services (SAAS) is designed for this kind of

federations

(26)

VO2007:

Conceptual VO Operational Models

User-centric VO (VO-U)

- manages user federation and

provide attribute assertions on user (client) request

Resource/Provider centric VO (VO-R)

- supports

provider federation and allows SSO/access control

decision sharing between resource providers

Agent centric VO (VO-A)

- provides a context for

inter-domain agents operation, that process a request on

behalf of the user and provide required trust context to

interaction with the resource or service

Project centric VO (VO-G)

- combines User centric and

Provider centric features what actually corresponds to

current VO use in Grid projects

(27)

VO2007:

Conceptual VO Management

Framework

– VO establishes own virtual administrative and security

domains

• It may be separate or simply bridge VO-member domains

– VO management service should provide the following

functionalities

• Registration and association of users and groups with the VO

• Management of user attributes (groups, roles, capabilities)

• Association of services with the VO

• Association of policies with the VO and its component services

– VO Registry service for wider VO implementation may be

required

(28)

VO2007:

VO Security Services

– VO as a component of the Security infrastructure should

provide the following security services

• Policy Authorities (e.g. GPBox)

• Trust management service (GridPMA)

• Identity Management Service (by HO)

• Attribute Authorities (VOMS)

• Authorization service (CAS)

• Authentication service

References

Download now ( PDF - 28 Page - 892.71 KB )

Related documents

Cloud deployment model and cost analysis in Multicloud

In this architecture consumer take service either from private cloud provider or public cloud provider .This model involves user, broker, federated catalog system (internal

Cylindricity of workpiece in conventional lathe machine

This chapter discussed the general information of medium carbon steel and its properties, cutting tool, lathe machine, turning process, as well as coordinate measuring

HOUSE PRINCIPAL CLERK S OFFICE (919) FAX (919) NORTH CAROLINA HOUSE OF REPRESENTATIVES 2011

Wesleyan Blvd., Ste... New

Comparing effects of instruction on word meaning and word form on early literacy abilities in kindergarten

In the current study, effects on word learning and transfer to phonological awareness and letter knowledge were compared between two classroom vocabulary instruction groups: one

Liberty Specs Tutorial

SP is federated authentication Issuance of assertion User IDP SP Authentication Assertion Issued If user is not already authenticated at IdP then initial authentication

Information Security Group Active-client based identity management

• Such a system enables an Identity Provider (IdP) to support authentication of a User (and assertion of user attributes) to a Service..

Metabolic syndrome and neuroprotection

Staggering evidence demonstrates that AD pathogenesis is strongly associated with oxidative stress, inflammation, and insulin, glucose, and lipid dysregulation; all of

Colloid/nanoparticle formation and mobility in the context of deep geological nuclear waste disposal (Project KOLLORADO-2) ; final report (KIT Scientific Reports ; 7645)

Within Kollorado-2 batch experiments on RN sorption reversibility kinetics with Zn– and Ni-labeled montmorillonite colloids in the presence of granite fracture filling material