Practical Distributed Authorization for GARA - PowerPoint PPT Presentation

Slides: 18
Provided by: PETERHO3
Transcript and Presenter's Notes

1
Practical Distributed Authorization for GARA
  • Andy Adamson and Olga Kornievskaia
  • Center for Information Technology Integration
  • University of Michigan, USA

2
Outline
  • Background and motivation
  • Security architecture of the current scheme
  • Design of the authorization framework
  • Modified authentication mechanism
  • Video clip of the demo
  • Reservation flow walk through

3
Background
  • Grid computing is an initiative for the advancement
    of distributed computing that enables flexible
    sharing of resources distributed among
    administrative domains
  • GARA (General-purpose Architecture for
    Reservation and Allocation): a Quality of Service
    reservation mechanism for different types of
    resources
  • Project partners: University of Michigan
    (Physics, CITI), European Organization for
    Nuclear Research (CERN), Argonne National
    Laboratory (ANL), Merit, and others

4
End-to-End Performance
  • Reliable high-speed end-to-end network services
    are important to scientific collaborators
  • Video, audio, large data transfers
  • Long-haul networks demonstrate good performance
    due to overprovisioning
  • The last mile is often the network bottleneck
  • Reliable end-to-end network service is achieved
    by reserving network resources within end-point
    institution networks, coupled with the good
    performance of overprovisioned long-haul
    networks.

5
Automated network reservation
  • QoS functionality is a common feature in network
    hardware
  • QoS configuration is currently done by hand
  • We address the need for an automated network
    reservation system
  • Security of all communications is vital
  • Difficult security problem due to cross-domain
    nature of end-to-end network resource allocation

6
Project based on Globus GARA
  • GARA is a Grid network reservation service
  • GARA uses the PKI-based Grid Security
    Infrastructure (GSI) for authentication and
    coarse authorization
  • Authentication uses long-term PK and short-term
    proxy credentials
  • Authorization is controlled by an ACL-based flat
    file
  • Our contributions:
      • Fine-grained cross-domain authorization
      • PK credentials based on Kerberos identity
      • Secure web interface

7
Cross-domain Authorization
  • Use existing local group services
  • Avoid replicating data and management tasks
  • Group name-space shared by domains
  • Local administrators manage group membership as
    usual
  • KeyNote Policy Engine makes the authorization
    decision
  • Fine-grained authorization expressed in KeyNote
    policy rules:
      • Group membership
      • Amount of bandwidth allowed
      • Time/duration of reservation

8
Local Domain Authorization
  • Local GARA contacts the local group service to see
    what groups a user is a member of
  • Group membership is passed into KeyNote along with
    the reservation request parameters
  • KeyNote compares input parameters to the rules
  • If authorized, the local GARA client:
      • Packages and signs username and group membership
      • Adds it to the reservation request that is
        forwarded to the remote site

9
Remote Domain Authorization
  • Remote GARA accepts and verifies the
    username/group membership from the wire
  • Group membership is passed into KeyNote along
    with the reservation request parameters
  • KeyNote compares input parameters to the rules to
    make the authorization decision
  • If remote authorization fails, the reservation at the
    previous node is cancelled.
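The local and remote authorization steps of slides 8 and 9, as an added Python model that is not part of the original presentation, of GARA or of KeyNote: the group service contents, the policy rules, the user names and the domain key are constructed, and an HMAC stands in for the PK signature on the group-membership assertion. Each domain applies its own rules, so a request can pass locally and still be refused remotely, which is the case in which the previous node's reservation is cancelled.

```python
import hashlib, hmac, json

# Constructed stand-in for the local group service (AFS PTS or LDAP on the slides).
LOCAL_GROUP_SERVICE = {"alice": {"atlas-video", "citi-staff"}, "bob": {"citi-staff"}}
# Constructed policies standing in for each domain's KeyNote rules: the three
# conditions the slides name (group, bandwidth ceiling in Mbit/s, time window in s).
LOCAL_POLICY = {"group": "atlas-video", "max_mbps": 100, "window": (0, 3600)}
REMOTE_POLICY = {"group": "atlas-video", "max_mbps": 50, "window": (0, 3600)}
# Constructed symmetric key in place of the local GARA's PK signing credential.
LOCAL_DOMAIN_KEY = b"constructed-demo-key"

def authorize(policy, groups, mbps, start, duration):
    """Simplified compliance check in the spirit of KeyNote: returns (ok, reason)."""
    if policy["group"] not in groups:
        return False, "user not in required group"
    if mbps > policy["max_mbps"]:
        return False, "requested bandwidth out of bounds"
    lo, hi = policy["window"]
    if start < lo or start + duration > hi:
        return False, "time of request out of bounds"
    return True, "authorized"

def package_membership(user, groups):
    """Local GARA: package and sign username plus group membership for the remote site."""
    body = json.dumps({"user": user, "groups": sorted(groups)}, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(LOCAL_DOMAIN_KEY, body, hashlib.sha256).hexdigest()}

def verify_membership(token):
    """Remote GARA: verify the assertion from the wire before trusting its groups."""
    expected = hmac.new(LOCAL_DOMAIN_KEY, token["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("bad signature on group-membership assertion")
    return json.loads(token["body"])

def reserve(user, mbps, start, duration):
    """Two-domain flow: local check, sign, forward, remote check; cancel on remote failure."""
    groups = LOCAL_GROUP_SERVICE.get(user, set())
    ok, reason = authorize(LOCAL_POLICY, groups, mbps, start, duration)
    if not ok:
        return "local-denied: " + reason
    token = package_membership(user, groups)
    # --- wire boundary: the remote domain takes groups only from the verified assertion ---
    claim = verify_membership(token)
    ok, reason = authorize(REMOTE_POLICY, set(claim["groups"]), mbps, start, duration)
    if not ok:
        return "remote-denied, local reservation cancelled: " + reason
    return "reserved"
```

The three denial reasons are the failure cases shown in the demonstration (wrong group, bandwidth out of bounds, time out of bounds); a tampered assertion is rejected by the remote side before its groups are ever evaluated.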

10
Kerberos-leveraged PKI: kx.509
  [Diagram: the Browser User performs an SSL handshake with the Web Server (recorded);
   the Web Server sends the SSL transcript to the KCT and receives a service ticket;
   the Web Server then asks the KCA to "Sign my short-term key"]
11
Web server as proxy GARA client
  [Diagram: the Web Server (GARA client) contacts the Local GARA (KeyNote), which
   requests group membership from the Group Service (AFS PTS or LDAP); the Local GARA
   forwards the signed group membership to the Remote GARA (KeyNote); each GARA
   controls a Router Pool]
12
Demonstration UMICH to CERN
  • Multiple security realms
  • AFS Protection Server (PTS) is used as the local
    group service
  • MJPEG video conferencing application
  • 10 MB/sec stream each way, 147 ms round trip
  • RTP headers record packet loss statistics
  • Iperf traffic generated at each end across the video
    and audio receiving router interface
  • Cisco 6506 at UMICH, Cisco 7500 at CERN

13
Demonstration UMICH to CERN
  • Note high quality video and audio
  • Turn on Iperf traffic at one end to degrade video
    and audio signal
  • Place a reservation in the near future (1 minute)
    for a short duration (20 seconds)
  • Note degraded video and audio return to high
    quality during the 20 second reservation, in
    spite of competing traffic generation
  • Note degraded video and audio return at the end
    of the reservation

14
Big Picture
  [Diagram spanning three domains: CITI.UMICH.EDU, IGRID2002 and ATLAS.UMICH.EDU.
   Components labelled: KCT/KDC, KINIT, KCA, KX509, Web Server / GARA Client, Browser,
   two GARA Services, AFS PTS Group Service, Cisco 7206, Cisco 6506, two MJpeg Hosts
   and the Reserved Video Conference between them. Protocols labelled on the links:
   SSL, GSI, TELNET, SSH, RX]
15
Any Questions?
http://www.citi.umich.edu/projects/qos
16
Demonstration UMICH to CERN
  • We demonstrated that a reservation failed if:
      • User not in correct group
      • Requested bandwidth out of bounds
      • Time of request is out of bounds

17
Future directions
  • Ongoing project extends the existing
    infrastructure to accommodate general web-based
    network monitoring tools