Security in ARC Job Management Service AREX - PowerPoint PPT Presentation

Provided by: thoma70
1
Security in ARC Job Management Service (A-REX)
Developers, KnowARC, Feb 28, 2009
2
Outline
  • General Architecture of service container
  • Job Management Service (ARC Resource-coupled
    EXecution service, A-REX)
  • Credential Delegation in A-REX
  • Delegation related information
  • Flexible access control
  • Proxy client utility
  • Client utilities for job management

3
General Architecture of service container
22/1/2009
4
General Architecture of service container
  • Some concepts
    • Message chain component (MCC)
    • Service
    • Security handler (AuthZ, AuthN, etc.)
      • Hosted by an MCC or a Service
      • Does not change the message: authorization handler, etc.
      • Changes the message: WS-Security handler, etc.
      • Configurable

5
A-REX Service
  • Support for BES, JSDL, preliminary support for
    GLUE2
  • Credential delegation on SOAP message level
  • Flexible access control enforcement
  • Support for transport level security through TLS
    or GSI

6
Credential delegation in A-REX
  • The A-REX client delegates an X.509 credential to the
    A-REX service
  • Message (SOAP) level delegation
  • The A-REX service then uses the delegated
    credential to act on behalf of the delegator,
    e.g. to do GridFTP operations such as
    globus-url-copy.
  • Support for multiple-level delegation
  • Convenient delegation interface for extending to
    other services

7
(No Transcript)
8
Credential delegation in A-REX
  • deleg:DelegateCredentialInit is provided as a
    specific SOAP operation
  • The generated delegation token is provided as a child
    of bes-factory:CreateActivity
  • One delegation per job
  • Proxy certificate is identical to each job
  • Proxy certificate complies with RFC 3820
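The RFC 3820 rules behind the last two bullets, as an added example that is not ARC code: it issues a constructed chain (a user certificate, self-signed here as a stand-in for a CA-issued one, plus proxies) with Python's cryptography library, then checks what a consuming service should check on a multi-level delegation: each proxy is signed by its delegator, its subject is the delegator's subject plus one CN, it carries the critical proxyCertInfo extension, and pCPathLenConstraint bounds further delegation.

```python
# Added example, not ARC's own code: issue and verify a multi-level RFC 3820 proxy chain.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
PCI_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")  # id-pe-proxyCertInfo (RFC 3820 3.8)
INHERIT_ALL = bytes.fromhex("06082b06010505071501")    # DER-encoded OID id-ppl-inheritAll

def proxy_cert_info(path_len=None):
    """DER ProxyCertInfo: optional pCPathLenConstraint INTEGER, then ProxyPolicy{inheritAll}."""
    seq = lambda body: bytes([0x30, len(body)]) + body   # SEQUENCE, short-form length only
    plc = bytes([0x02, 0x01, path_len]) if path_len is not None else b""
    return seq(plc + seq(INHERIT_ALL))

def _issue(subject, signer_key, ext=None, issuer=None):   # 12-hour ECDSA cert; None = self-signed
    key = ec.generate_private_key(ec.SECP256R1())
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer or subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + dt.timedelta(hours=12)))
    if ext is not None:                                   # RFC 3820: proxyCertInfo is critical
        b = b.add_extension(x509.UnrecognizedExtension(PCI_OID, ext), critical=True)
    return b.sign(signer_key or key, hashes.SHA256()), key

def end_entity(cn):  # self-signed stand-in for the user's CA-issued certificate (sample only)
    return _issue(x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)]), None)

def sign_proxy(issuer_cert, issuer_key, cn, path_len=None):
    """Delegate: subject = delegator subject + one CN, signed with the delegator's key."""
    subject = x509.Name(list(issuer_cert.subject) + [x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    return _issue(subject, issuer_key, proxy_cert_info(path_len), issuer_cert.subject)

def check_chain(chain):
    """chain = [end-entity, proxy1, proxy2, ...]; returns None if valid, else the reason."""
    for depth, (issuer, proxy) in enumerate(zip(chain, chain[1:]), start=1):
        try:
            issuer.public_key().verify(proxy.signature, proxy.tbs_certificate_bytes,
                                       ec.ECDSA(proxy.signature_hash_algorithm))
        except Exception:
            return f"depth {depth}: not signed by the previous certificate's key"
        rdns = list(proxy.subject.rdns)  # RFC 3820 3.4: delegator subject plus exactly one CN
        if (proxy.issuer != issuer.subject or rdns[:-1] != list(issuer.subject.rdns)
                or [a.oid for a in rdns[-1]] != [x509.NameOID.COMMON_NAME]):
            return f"depth {depth}: subject/issuer names violate proxy naming rules"
        if (ext := next((e for e in proxy.extensions if e.oid == PCI_OID), None)) is None:
            return f"depth {depth}: missing proxyCertInfo extension"
        limit = ext.value.value[4] if ext.value.value[2] == 0x02 else None  # see proxy_cert_info
        if limit is not None and len(chain) - 1 - depth > limit:
            return f"depth {depth}: pCPathLenConstraint={limit} exceeded by later proxies"
    return None
```

A real service would additionally validate the end-entity certificate against its trusted CAs and check every certificate's validity period; those checks are unchanged from ordinary X.509 path validation and are left out here.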

9
Delegation related information
  • Delegation policy
    • Specified by the credential delegator to restrict the
      usage (by the delegatee) of this delegated
      credential
    • Enforced by the service which consumes this
      delegated credential
    • Delegation policy is in an ARC-specific format
    • Delegation policy is stored in the extension part of
      the proxy certificate

10
Delegation related information
  • VOMS attributes
    • VOMS ACs (Attribute Certificates) are verified on
      the service side
    • Afterwards, the attributes are parsed and stored in
      the session context, and can be used for making
      access control decisions on different protocol
      levels, as well as in different services (SOAP
      protocol level).

11
Flexible access control
  • Policy support
    • Gridmap-like policy
    • GACL (Grid Access Control Language) policy
    • ARC policy
  • Service level access control
    • Collecting more of the requester's attributes (besides
      DN and VOMS attributes) for making the decision

12
Proxy client utility
  • arcproxy: client utility for proxy generation
  • Includes the functionality of grid-proxy-init,
    plus the embedding of a delegation policy
  • Supports RFC proxies
  • Includes the functionality of contacting a VOMS
    server and generating a proxy certificate with
    the VOMS AC inside
  • ./arcproxy --certificate=./cert.pem
    --key=./key.pem --trusted certdir=./certificates
    --vomses=./vomses --voms=knowarc.eu/Role=myRole
    --constraint=proxyPolicyFile=policyfile

13
Client utilities for job management
  • arcsub, arcstat, arckill, etc.
  • The client is compatible with different kinds of services
    by recognizing the prefix (ARC0, ARC1, CREAM) of the
    service URL
  • arcsub -c ARC1:https://localhost:60000/arex
    job.jsdl
  • Adapts to the different delegation mechanisms of
    different types of services
    • ARC0 <---> delegation based on GSI
    • ARC1 <---> delegation on SOAP level
    • CREAM <---> delegation on SOAP level