EMI INFSO-RI-261611 EMI Common XACML Profile Valery Tschopp

EMI INFSO-RI-261611 EMI Common XACML Profile Valery Tschopp (SWITCH) EMI XACML task force

Common XACML Profile
• Goal
  – Define a common XACML profile for interoperable authorization between the three EMI middleware stacks.
• Requirements
  – In sync with the common SAML attribute profile
  – Uses the registered dci-sec.org namespace: http://dci-sec.org/xacml/…
10/2/2020 EMI Security Meeting, Zurich 2

Common XACML Profile
• XML namespaces used
  – http://dci-sec.org/xacml/attribute
  – http://dci-sec.org/xacml/datatype
  – http://dci-sec.org/xacml/algorithm
  – http://dci-sec.org/xacml/action
  – http://dci-sec.org/xacml/profile

XACML Authorization Request

Attribute DataTypes
• Group DataType
  Identifier: http://dci-sec.org/xacml/datatype/group
  Pattern: (/\w[-_.:\w]*)+
  Example: "/emi/test:group"
• Role DataType
  Identifier: http://dci-sec.org/xacml/datatype/role
  Pattern: (/\w[-_.:\w]*)+
  Example: "VO-Admin"

Environment Attribute
• Profile Identifier
  Identifies the profile implemented by the request sender. MUST be present in the request.
  AttributeId: http://dci-sec.org/xacml/attribute/profile-id
  DataType: http://www.w3.org/2001/XMLSchema#anyURI
  Value: http://dci-sec.org/xacml/profile/common-ce/1.0

Subject Attributes
• Subject Identifier
  Identifies the submitter of the job to the CE. MUST be present in the request.
  AttributeId: urn:oasis:names:tc:xacml:1.0:subject-id
  DataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name
  Value: X.509 distinguished name of the end-entity certificate. The DN format is RFC 2253.

Subject Attributes (cont.)
• Subject Identifier (Example)
  <ctx:Subject>
    <ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-id"
                   DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
      <ctx:AttributeValue>CN=John Doe,DC=example,DC=org</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Subject>

Subject Attributes (cont.)
• Subject Issuer
  DNs of the root CA and of every subordinate CA in the certificate chain that identifies the job submitter. MUST be present in the request. Carrying the whole chain lets a policy constrain which CAs are acceptable for a resource independently of the subject DN.
  AttributeId: http://dci-sec.org/xacml/attribute/subject-issuer
  DataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name
  Value(s): X.509 distinguished names of the root and issuing CAs of the certificate chain. The DN format is RFC 2253.

Subject Attributes (cont.)
• Subject Issuer (Example)
  <ctx:Subject>
    <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/subject-issuer"
                   DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
      <ctx:AttributeValue>CN=Example Issuing CA,DC=example,DC=org</ctx:AttributeValue>
      <ctx:AttributeValue>CN=Example Root CA,O=Example Org,C=CH</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Subject>

Subject Attributes (cont.)
• Virtual Organization (VO)
  The subject's virtual organization membership.
  AttributeId: http://dci-sec.org/xacml/attribute/virtual-organization
  DataType: http://www.w3.org/2001/XMLSchema#string
  Value(s): Names of the virtual organizations the subject is a member of.

Subject Attributes (cont.)
• Virtual Organization (Example)
  <ctx:Subject>
    <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/virtual-organization"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
      <ctx:AttributeValue>atlas</ctx:AttributeValue>
      <ctx:AttributeValue>vo.example.org</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Subject>

Subject Attributes (cont.)
• Group
  The subject's group membership.
  AttributeId: http://dci-sec.org/xacml/attribute/group
  DataType: http://dci-sec.org/xacml/datatype/group
  Value(s): Names of the groups the subject is a member of.

Subject Attributes (cont.)
• Group (Example)
  <ctx:Subject>
    <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/group"
                   DataType="http://dci-sec.org/xacml/datatype/group">
      <ctx:AttributeValue>/atlas/analysis</ctx:AttributeValue>
      <ctx:AttributeValue>/mygroup/test</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Subject>

Subject Attributes (cont.)
• Primary Group
  The subject's primary group membership.
  AttributeId: http://dci-sec.org/xacml/attribute/group/primary
  DataType: http://dci-sec.org/xacml/datatype/group
  Value: Name of the subject's primary group. The primary group value MUST also be one of the Group attribute value(s).

Subject Attributes (cont.)
• Primary Group (Example)
  <ctx:Subject>
    <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/group/primary"
                   DataType="http://dci-sec.org/xacml/datatype/group">
      <ctx:AttributeValue>/atlas/analysis</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Subject>

Subject Attributes (cont.)
• Role
  Represents the roles assigned to the subject. A subject role MUST be scoped to a particular group or VO name.
  AttributeId: http://dci-sec.org/xacml/attribute/role
  DataType: http://dci-sec.org/xacml/datatype/role
  Issuer: Defines the Group or VO scope name. The scope MUST be present as a value of the respective attribute (Group or VO), so a role cannot be asserted in a group or VO the subject does not belong to.
  Value(s): Names of the roles assigned to the subject.

Subject Attributes (cont.)
• Role (Example)
  <ctx:Subject>
    <!-- role scoped to the group -->
    <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/role"
                   DataType="http://dci-sec.org/xacml/datatype/role"
                   Issuer="/atlas/analysis">
      <ctx:AttributeValue>SoftwareManager</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Subject>

Subject Attributes (cont.)
• Primary Role
  Represents the primary role assigned to the subject. The primary role MUST be scoped.
  AttributeId: http://dci-sec.org/xacml/attribute/role/primary
  DataType: http://dci-sec.org/xacml/datatype/role
  Issuer: Defines the Group or VO scope name. The scope MUST be present as a value of the respective attribute (Group or VO).
  Value: Name of the subject's primary role.

Subject Attributes (cont.)
• Primary Role (Example)
  <ctx:Subject>
    <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/role/primary"
                   DataType="http://dci-sec.org/xacml/datatype/role"
                   Issuer="/atlas/analysis">
      <ctx:AttributeValue>SoftwareManager</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Subject>
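The MUST rules spread over the data type and subject attribute slides (profile-id present, subject-id and subject-issuer present as x500Name, group values matching the group pattern, the primary group among the group values, every role scoped by Issuer to a group or VO the subject actually holds) are exactly what a PDP or PEP should check before trusting a request. The following validator is an added example, not code from the EMI profile or its implementations. It assumes the XACML 2.0 request context namespace for the slides' ctx: prefix, and, because the slide prints the same pattern for roles as for groups while its role example "VO-Admin" has no leading slash, it checks role values without the slash (an assumption). The two request documents are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# XACML 2.0 request context namespace (assumed for the slides' ctx: prefix).
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS = {"ctx": CTX}
DCI = "http://dci-sec.org/xacml"
PROFILE_ID, PROFILE_VALUE = DCI + "/attribute/profile-id", DCI + "/profile/common-ce/1.0"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject-id"
SUBJECT_ISSUER = DCI + "/attribute/subject-issuer"
VO, GROUP, PRIMARY_GROUP = (DCI + "/attribute/" + s for s in ("virtual-organization", "group", "group/primary"))
ROLE, PRIMARY_ROLE = DCI + "/attribute/role", DCI + "/attribute/role/primary"
X500_NAME = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
GROUP_TYPE, ROLE_TYPE = DCI + "/datatype/group", DCI + "/datatype/role"

# Group pattern from the slide: one or more "/segment" components.
GROUP_RE = re.compile(r"^(/\w[-_.:\w]*)+$")
# Assumption: the slide prints the same pattern for roles, yet its example
# "VO-Admin" has no leading slash, so roles are checked without one.
ROLE_RE = re.compile(r"^\w[-_.:\w]*$")


def _attrs(root, section):
    """[(AttributeId, DataType, Issuer, [values])] for <ctx:section>/<ctx:Attribute>."""
    out = []
    for a in root.iterfind(f"ctx:{section}/ctx:Attribute", NS):
        vals = [(v.text or "").strip() for v in a.iterfind("ctx:AttributeValue", NS)]
        out.append((a.get("AttributeId"), a.get("DataType"), a.get("Issuer"), vals))
    return out


def _values(attrs, attr_id):
    return [v for aid, _, _, vals in attrs if aid == attr_id for v in vals]


def validate_request(xml_text):
    """Return the list of profile violations; [] means the request conforms."""
    root = ET.fromstring(xml_text)
    env, subj, errors = _attrs(root, "Environment"), _attrs(root, "Subject"), []

    # Environment: profile-id MUST be present and name this profile.
    if _values(env, PROFILE_ID) != [PROFILE_VALUE]:
        errors.append(f"profile-id must be exactly {PROFILE_VALUE}")
    # Subject: subject-id (one DN) and subject-issuer (CA chain) MUST be present as x500Name.
    if len(_values(subj, SUBJECT_ID)) != 1:
        errors.append("subject-id must carry exactly one DN")
    if not _values(subj, SUBJECT_ISSUER):
        errors.append("subject-issuer must list the CA chain DNs")
    expected = {PROFILE_ID: ANY_URI, SUBJECT_ID: X500_NAME, SUBJECT_ISSUER: X500_NAME,
                VO: XS_STRING, GROUP: GROUP_TYPE, PRIMARY_GROUP: GROUP_TYPE,
                ROLE: ROLE_TYPE, PRIMARY_ROLE: ROLE_TYPE}
    for aid, dtype, _, _ in env + subj:
        if aid in expected and dtype != expected[aid]:
            errors.append(f"{aid} has DataType {dtype}, expected {expected[aid]}")
    # Groups must match the group pattern; the primary group must be one of them.
    groups = _values(subj, GROUP)
    errors += [f"group {g!r} does not match the group pattern" for g in groups if not GROUP_RE.match(g)]
    primary = _values(subj, PRIMARY_GROUP)
    if len(primary) > 1 or (primary and primary[0] not in groups):
        errors.append(f"primary group {primary} must be a single value among the groups {groups}")
    # Roles must be scoped (Issuer) to a group or VO the subject actually holds;
    # otherwise a client could assert a role in a group it does not belong to.
    scopes = set(groups) | set(_values(subj, VO))
    for aid, _, issuer, vals in subj:
        if aid in (ROLE, PRIMARY_ROLE):
            if issuer not in scopes:
                errors.append(f"role(s) {vals} scoped to {issuer!r}, not a group/VO of the subject")
            if aid == PRIMARY_ROLE and len(vals) != 1:
                errors.append("primary role must carry exactly one value")
            errors += [f"role {r!r} does not match the role pattern" for r in vals if not ROLE_RE.match(r)]
    return errors


# Constructed sample request (Resource/Action omitted; only Subject/Environment are checked here).
GOOD_REQUEST = f"""<ctx:Request xmlns:ctx="{CTX}">
  <ctx:Subject>
    <ctx:Attribute AttributeId="{SUBJECT_ID}" DataType="{X500_NAME}">
      <ctx:AttributeValue>CN=John Doe,DC=example,DC=org</ctx:AttributeValue>
    </ctx:Attribute>
    <ctx:Attribute AttributeId="{SUBJECT_ISSUER}" DataType="{X500_NAME}">
      <ctx:AttributeValue>CN=Example Issuing CA,DC=example,DC=org</ctx:AttributeValue>
      <ctx:AttributeValue>CN=Example Root CA,O=Example Org,C=CH</ctx:AttributeValue>
    </ctx:Attribute>
    <ctx:Attribute AttributeId="{VO}" DataType="{XS_STRING}">
      <ctx:AttributeValue>atlas</ctx:AttributeValue>
    </ctx:Attribute>
    <ctx:Attribute AttributeId="{GROUP}" DataType="{GROUP_TYPE}">
      <ctx:AttributeValue>/atlas/analysis</ctx:AttributeValue>
      <ctx:AttributeValue>/mygroup/test</ctx:AttributeValue>
    </ctx:Attribute>
    <ctx:Attribute AttributeId="{PRIMARY_GROUP}" DataType="{GROUP_TYPE}">
      <ctx:AttributeValue>/atlas/analysis</ctx:AttributeValue>
    </ctx:Attribute>
    <ctx:Attribute AttributeId="{ROLE}" DataType="{ROLE_TYPE}" Issuer="/atlas/analysis">
      <ctx:AttributeValue>SoftwareManager</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Subject>
  <ctx:Environment>
    <ctx:Attribute AttributeId="{PROFILE_ID}" DataType="{ANY_URI}">
      <ctx:AttributeValue>{PROFILE_VALUE}</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Environment>
</ctx:Request>"""

# Constructed tampered variant: the role is asserted in a group the subject does not hold.
BAD_REQUEST = GOOD_REQUEST.replace('Issuer="/atlas/analysis"', 'Issuer="/cms/production"')
```

validate_request(GOOD_REQUEST) returns an empty list, while the tampered request yields a single violation naming the foreign scope "/cms/production". The checks are deliberately on the receiving side: a PEP that forwards attributes it obtained from the client's credentials should be treated as untrusted input by the PDP until these invariants hold.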

Subject Attributes (cont.)
• Resource Owner
  Identifies the owner of the resource.
  AttributeId: http://dci-sec.org/xacml/attribute/resource-owner
  DataType: urn:oasis:names:tc:xacml:1.0:data-type:x500Name
  Value: X.509 distinguished name of the resource owner. The DN format is RFC 2253.

Subject Attributes (cont.)
• Resource Owner (Example)
  <ctx:Subject>
    <ctx:Attribute AttributeId="http://dci-sec.org/xacml/attribute/resource-owner"
                   DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">
      <ctx:AttributeValue>CN=Batman,DC=Metropolis,DC=com</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Subject>

Resource Attributes
• Resource Identifier
  Identifies the CE, or a logical grouping of CEs, on which the action to be authorized will be executed. MUST be present in the request.
  AttributeId: urn:oasis:names:tc:xacml:1.0:resource-id
  DataType: http://www.w3.org/2001/XMLSchema#string
  Value: Identifier of the resource.

Resource Attributes (cont.)
• Resource Identifier (Example)
  <ctx:Resource>
    <ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
      <ctx:AttributeValue>http://example.org/ce/cream-ce-1</ctx:AttributeValue>
    </ctx:Attribute>
  </ctx:Resource>

Action Attributes
• Action Identifier
  Identifies the action being performed on the CE. MUST be present in the request.
  AttributeId: urn:oasis:names:tc:xacml:1.0:action-id
  DataType: http://www.w3.org/2001/XMLSchema#string
  Value: Action to be authorized on the resource.

Action Attributes (cont.)
• Action Identifier Values
  – We should define a list of Action values. The list is not an absolute constraint, but it should be used where applicable.
  – CREAM CE action values (as example):
    http://glite.org/xacml/action/ce/job/register
    http://glite.org/xacml/action/ce/job/cancel
    http://glite.org/xacml/action/ce/job/purge
    http://glite.org/xacml/action/ce/job/get-info
    http://glite.org/xacml/action/ce/job/suspend
    http://glite.org/xacml/action/ce/job/resume
    http://glite.org/xacml/action/ce/job/list
    http://glite.org/xacml/action/ce/job/set-lease
    http://glite.org/xacml/action/ce/lease/list
    http://glite.org/xacml/action/ce/lease/get
    http://glite.org/xacml/action/ce/lease/set
    http://glite.org/xacml/action/ce/lease/delete
    http://glite.org/xacml/action/ce/enable-job-submission
    http://glite.org/xacml/action/ce/disable-job-submission

Action Attributes (cont.)
• Action Identifier Values (cont.)
  – A-REX actions (as example):
    • AttributeId: http://www.nordugrid.org/schemas/policy-arc/types/arex/joboperation
      AttributeValue: Create
    • AttributeId: http://www.nordugrid.org/schemas/policy-arc/types/arex/joboperation
      AttributeValue: Modify
    • AttributeId: http://www.nordugrid.org/schemas/policy-arc/types/arex/joboperation
      AttributeValue: Read
    • AttributeId: http://www.nordugrid.org/schemas/policy-arc/types/arex/operation
      AttributeValue: Admin
    • AttributeId: http://www.nordugrid.org/schemas/policy-arc/types/arex/operation
      AttributeValue: Info
  – EMI Execution Service actions:
    • Unknown; examples or requirements are needed.
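Seen from the PEP side (the CE building the request), the subject, resource, action and environment slides together describe one document. The builder below is an added example, not code from the EMI profile, CREAM or A-REX; it assembles a complete common-CE-profile request with the attributes of the preceding slides, refuses to emit a request whose primary group or role scope would break the profile's MUST rules, and reports whether the action-id is one of the CREAM values listed above (advisory only, since the slide says the list is not an absolute constraint). It assumes the XACML 2.0 request context namespace for the ctx: prefix; the function names and the sample values in example_request are constructed.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 request context namespace (assumed for the slides' ctx: prefix).
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
DCI = "http://dci-sec.org/xacml"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"
X500_NAME = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
PROFILE_VALUE = DCI + "/profile/common-ce/1.0"

# CREAM CE action identifiers as listed on the slide (recommended, not an absolute constraint).
CREAM_ACTIONS = frozenset(
    "http://glite.org/xacml/action/ce/" + op for op in (
        "job/register", "job/cancel", "job/purge", "job/get-info", "job/suspend",
        "job/resume", "job/list", "job/set-lease", "lease/list", "lease/get",
        "lease/set", "lease/delete", "enable-job-submission", "disable-job-submission"))


def is_known_cream_action(action_id):
    """Advisory check: True if action_id is one of the CREAM values from the slide."""
    return action_id in CREAM_ACTIONS


def _tag(name):
    return "{%s}%s" % (CTX, name)


def _attribute(parent, attr_id, data_type, values, issuer=None):
    """Append one <ctx:Attribute> carrying one <ctx:AttributeValue> per value."""
    attr = ET.SubElement(parent, _tag("Attribute"), AttributeId=attr_id, DataType=data_type)
    if issuer is not None:
        attr.set("Issuer", issuer)  # role scope: a group or VO name the subject holds
    for v in values:
        ET.SubElement(attr, _tag("AttributeValue")).text = v
    return attr


def build_request(subject_dn, issuer_dns, vos, groups, primary_group, roles, primary_role,
                  resource_id, action_id):
    """Serialize a common-CE-profile request. roles maps scope -> [role names];
    primary_role is (scope, name) or None. Raises ValueError when the primary
    group is not one of the groups or a role scope is not a group/VO held."""
    if primary_group not in groups:
        raise ValueError("primary group must be one of the group values")
    scopes = set(groups) | set(vos)
    for scope in list(roles) + ([primary_role[0]] if primary_role else []):
        if scope not in scopes:
            raise ValueError(f"role scope {scope!r} is not a group or VO of the subject")

    ET.register_namespace("ctx", CTX)
    req = ET.Element(_tag("Request"))
    subj = ET.SubElement(req, _tag("Subject"))
    _attribute(subj, "urn:oasis:names:tc:xacml:1.0:subject-id", X500_NAME, [subject_dn])
    _attribute(subj, DCI + "/attribute/subject-issuer", X500_NAME, issuer_dns)
    if vos:
        _attribute(subj, DCI + "/attribute/virtual-organization", XS_STRING, vos)
    _attribute(subj, DCI + "/attribute/group", DCI + "/datatype/group", groups)
    _attribute(subj, DCI + "/attribute/group/primary", DCI + "/datatype/group", [primary_group])
    for scope, names in roles.items():
        _attribute(subj, DCI + "/attribute/role", DCI + "/datatype/role", names, issuer=scope)
    if primary_role:
        _attribute(subj, DCI + "/attribute/role/primary", DCI + "/datatype/role",
                   [primary_role[1]], issuer=primary_role[0])
    res = ET.SubElement(req, _tag("Resource"))
    _attribute(res, "urn:oasis:names:tc:xacml:1.0:resource-id", XS_STRING, [resource_id])
    act = ET.SubElement(req, _tag("Action"))
    _attribute(act, "urn:oasis:names:tc:xacml:1.0:action-id", XS_STRING, [action_id])
    env = ET.SubElement(req, _tag("Environment"))
    _attribute(env, DCI + "/attribute/profile-id", XS_ANY_URI, [PROFILE_VALUE])
    return ET.tostring(req, encoding="unicode")


def example_request():
    """Constructed sample: the slides' subject registering a job on cream-ce-1."""
    return build_request(
        subject_dn="CN=John Doe,DC=example,DC=org",
        issuer_dns=["CN=Example Issuing CA,DC=example,DC=org",
                    "CN=Example Root CA,O=Example Org,C=CH"],
        vos=["atlas"],
        groups=["/atlas/analysis", "/mygroup/test"],
        primary_group="/atlas/analysis",
        roles={"/atlas/analysis": ["SoftwareManager"]},
        primary_role=("/atlas/analysis", "SoftwareManager"),
        resource_id="http://example.org/ce/cream-ce-1",
        action_id="http://glite.org/xacml/action/ce/job/register",
    )
```

Keeping the role scope as the Attribute's Issuer rather than folding it into the value is what lets a policy match "SoftwareManager issued by /atlas/analysis" without string parsing; the ValueError paths enforce on the sending side the same invariants a PDP would reject on the receiving side.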

Thank you
EMI is partially funded by the European Commission under Grant Agreement INFSO-RI-261611