KAoS Semantic Policy and Domain Services - PowerPoint PPT Presentation

About This Presentation
Title:

KAoS Semantic Policy and Domain Services

Description:

... (KPO) The current version of KPO defines concepts including actions, actors, places, groups, policies, etc, distinguishes between authorizations and ... – PowerPoint PPT presentation

Number of Views:112
Avg rating:3.0/5.0
Slides: 40
Provided by: PaulC121
Category:

less

Transcript and Presenter's Notes

Title: KAoS Semantic Policy and Domain Services


1
KAoS SemanticPolicy and Domain Services
  • An Application of DAML/OWL
  • to a Web-Services Based
  • Grid Architecture

2
Outline
  • Introduction
  • KAoS Overview
  • Integration of OGSA and KAoS
  • Related Work
  • Future Work

3
Introduction
  • IHMC has developed KAoS Services to manage
    multi-agent systems.
  • KAoS domain services provide an organizational
    structure to an agent community which facilitates
    policy management of agent actions.
  • The general nature of KAoS Services has enabled
    application in domains outside of agent systems.

4
Introduction
  • Grid researchers envision the formation of
    Virtual Organizations (VOs)3, where people and
    resource gather to address complex problems that
    require extensive collaboration.
  • Most VOs are managed in a manner similar to
    network administration, which is inadequate to
    handle complex permissions and trust
    relationships.

5
Community work indicates need
  • The problem of service management and access
    control is shared by agent-based systems, web
    services, and Grid computing.
  • Solutions begin to appear in three communities.
  • Grid computing Community Authorization Service
    (CAS)5
  • Web services XACML9
  • Multi-agent systems KAoS, Rei, Ponder,etc.12

6
Merging trends indicate opportunity
  • Grid computing and Web services
  • They face similar challenges such as service
    advertisement, matchmaking, etc.
  • The Globus Project presents the Open Grid Service
    Architecture (OGSA)6 which is based on Web
    service specifications
  • Agent-based systems, Web services and Grid
    computing
  • Work on Semantic Web Services and Semantic Grid
    makes them much more suited as platforms for
    multi-agent systems7,8

7
Our approach
  • Apply KAoS Domain and Policy Services to manage
    the Web Services based OGSA-compliant Globus
    Toolkit 3 (GT3) Grid environment.

8
Outline
  • Introduction
  • KAoS Overview
  • Integration of OGSA and KAoS
  • Related Work
  • Future Work

9
KAoS overview
  • KAoS is a collection of componentized domain and
    policy services oriented to complex agent
    environments.
  • Based on the pluggable infrastructure of Java
    Agent Services (JAS1), KAoS is compatible with a
    number of agent or non-agent platforms, including
  • the DARPA CoABS Grid,
  • Brahms, etc.,
  • and now GT3.

10
KAoS domain services
  • KAoS domain services structure groups of
    agents/resources/services into domains and
    subdomains.
  • Domains can represent any sort of group
    imaginable.
  • Complex organizational structures.
  • Dynamic task-oriented teams.
  • Grid Virtual Organizations for resource sharing.

11
KAoS policy services
  • KAoS policy services allow for specification,
    management, conflict resolution and disclosure of
    policies within domains.

12
Policy representation
  • KAoS policies are represented in DAML/OWL and are
    based on the KAoS Policy Ontologies (KPO)
  • The current version of KPO
  • defines concepts including actions, actors,
    places, groups, policies, etc,
  • distinguishes between authorizations and
    obligations, and
  • can be extended with additional classes and rules
    for a given application.

13
Policy specification
  • KAoS Policy Administration Toolkit (KPAT) makes
    policy creation and management easier.

14
(No Transcript)
15
(No Transcript)
16
(No Transcript)
17
(No Transcript)
18
Policy distribution and enforcement
  • Each agent is associated with a Guard.
  • All policies that pertain to an agent will be
    distributed to its Guard.
  • A platform-specific Enforcer intercepts the
    agents actions and queries the Guard to decide
    whether the actions are authorized.
  • If not, the actions will be blocked by
    platform-specific enforcement mechanisms.

19
Outline
  • Introduction
  • KAoS Overview
  • Integration of OGSA and KAoS
  • Related Work
  • Future Work

20
Overview of the integration
  • KAoS and GT3 are perfect complements because
  • KAoS provides policy and domain services needed
    by GT3.
  • GT3 GSI provides platform-specific enforcement
    mechanisms required by KAoS.
  • The KAoS Grid service provides an interface
    between GT3 and KAoS.

21
KAoS Grid Service Architecture
Client
Grid Service Stub
KAoS Domain and Policy Services
Container
Grid Service Stub
KAoS Grid Service
JAS
JAS
KAoS Guard
22
Registration
  • A client must register with KAoS Grid service in
    order to use the domain and policy services.
  • Clients that are not in a domain will only have
    limited default authorizations.
  • Clients send their own X.509 proxy certificates
    to the KAoS Grid Service for authentication.

23
Grid policy expression
  • Sample policy format
  • It is permitted for actor(s) X to perform
    action(s) Y on target(s) Z.
  • Coarse-grain policies
  • are based on the existing KPO, and
  • permit or forbid overall access to a Grid
    service.
  • An example
  • It is forbidden for Client X to perform a
    communication action if the action has a
    destination of Chat Service Y.
  • Fine-grain policies
  • require extending KPO with new concepts, and
  • permit or forbid access to an operation of a Grid
    service.

24
Ontology creation
  • Since Grid service requires a extension to KPO,
    we are working on a tool to generate a DAML/OWL
    ontology for a given WSDL document.
  • The generated ontologies can be modified to refer
    to a generic ontology.
  • Grid administrators load the ontology extension
    and specify the policies using KPAT.

25
Policy deconfliction
  • KAoS provides the capability to identify
    confliction of policies through a theorem prover
    and can harmonize them if desired.

26
Policy enforcement
  • Policies are forwarded to the Guard associated
    with the KAoS Grid service.
  • When a client requests for a service, the KAoS
    Grid service checks if the requested action is
    authorized by querying the Guard.
  • If the action is authorized, the KAoS Grid
    service returns a restricted proxy certificate
    that can be used to access the service.
  • The local security mechanism uses the restricted
    proxy certificate to allow or block the actions.

27
Local Security Mechanism
(The arrows represent SOAP messages)
Stub
KAoS Grid Service
Client
KAoS
Credential
(if authorized)
WS Security Request Handler
Credential
(Checks whether the arrows match)
Grid Service
28
Impact on GT3
  • GT3 components that need to be modified
  • The Grid service skeleton that all Grid services
    are based on.
  • WS Security Request Handler, which intercepts all
    incoming messages of a service container.
  • Client stubs.
  • Things that do not need to be modified
  • Service source code.
  • Client source code.

29
Outline
  • Introduction
  • KAoS Overview
  • Integration of OGSA and KAoS
  • Related Work
  • Future Work

30
Related work
  • Web service approaches
  • WS-Security, XACML and SAML
  • Globus approach
  • Community Authorization Service

31
Web service approaches
  • WS-Security is complementary to this work,
    providing for the basic needs of message
    integrity, confidentiality, and single-message
    authentication10
  • XACML provides schema and namespaces for for
    access control policies9
  • The disadvantage of XACML is that the meanings
    are implicit.
  • Implicit semantics assume a consensus in human
    interpretation. Ambiguity arises when
    interpretations differ.
  • DAML-based policies can be mapped to lower-level
    XACML representations.

32
Web service approaches (contd)
  • SAML allows for exchanging authentication and
    authorization information10
  • In the SAML model, policies are gathered at the
    Policy Decision Point (PDP).
  • PDP returns the policy decision to the Policy
    Enforcement Point (PEP).
  • Disadvantage of SAML model
  • SAML puts too much burden on services by
    requiring them to gather the evidence needed for
    policy decision.

33
Comparison of CAS and KAoS
  • Compatibility
  • CAS is a prototype that only works with a special
    version of Grid FTP service of GT2.
  • KAoS is designed to work with OGSA-compliant GT3.
  • Policy expression and reasoning
  • CAS server stores the policies as a list of
    rights.
  • KAoS uses DAML/OWL and Java Theorem Prover (JTP)
    to express and reason about policies.

34
Outline
  • Introduction
  • KAoS Overview
  • Integration of OGSA and KAoS
  • Related Work
  • Future Work

35
Obligations
  • Authorization vs. Obligation
  • authorizations constraints that permit or
    forbid some action
  • obligations constraints that require some
    action to be performed, or else serve to waive
    such a requirement
  • KAoS Obligations are working in other areas
    (CoAX, NASA IS, HyRes, etc.)
  • Implementing Obligations with Grid services will
    require some additional handlers and more
    sophisticated action to ontology mapping, but
    should still not impact the client or service
    source code
  • Enablers are components that provide capabilities
    the client may lack in order to meet an obligation

36
(No Transcript)
37
Generalization to Web services
  • Our KAoS implementation on GT3 actually governs
    all GSI-enabled Web services.
  • We are monitoring the progress of Web service
    security standards.

Web services
Secure Grid services
GSI-enabled Web services
Grid services
38
Questions?
39
References
  1. Arnold, G., J. Bradshaw, B. de hOra, D.
    Greenwood, M. Griss, D. Levine, F. McCabe, A.
    Spydell, H. Suguri, S. Ushijima. (2002) Java
    Agent Services Specification. http//www.java-agen
    t.org/
  2. Foster, I., Kesselman, C., Nick, J., Tuecke, S.
    (2002). The Physiology of the Grid An Open Grid
    Services Architecture for Distributed Systems
    Integration. Open Grid Service Infrastructure
    Working Group, Global Grid Forum, 22 June.
  3. Foster, I., Kesselman, C., and Tuecke, S. (2001).
    The Anatomy of the Grid Enabling Scalable
    Virtual Organizations International J.
    Supercomputer Applications , 15(3)
  4. Foster, I., and C. Kesselman. (1998) The Globus
    Project A Status Report. Heterogeneous Computing
    Workshop, IEEE Press, 1998, 4-18.
  5. Pearlman, L., Welch, V., Foster, I., Kesselman,
    C., Tuecke, S. (2002) Community Authorization
    Service for Group Collaboration. IEEE Workshop on
    Policies for Distributed Systems and Networks.
  6. Tuecke, S., Czajkowski, K., Foster, I., Frey, J.,
    Graham, S., Kesselman, C. (2002) Grid Service
    Specification. http//www.gridforum.org/ogsi-wg/dr
    afts/GS_Spec_draft03_2002-07-17.pdf
  7. http//www.semanticgrid.org
  8. http//www.semanticweb.org
  9. http//www.oasis-open.org/committees/tc_home.php?w
    g_abbrevxacml
  10. http//www.oasis-open.org/committees/tc_home.php?w
    g_abbrevsecurity
  11. http//www-fp.globus.org/security/CAS/CAS-Overview
    .ppt
  12. Tonti, G., Bradshaw, J., Jeffers, R., Montanari,
    R., Suri, N., Uszok, A. (2003), Semantic Web
    Languages for Policy Representation and
    Reasoning A Comparison of KAoS, Rei and Ponder.
    Submitted to the 2nd International Semantic Web
    Conference (ISWC2003), Sanibel Island, Florida,
    USA.
Write a Comment
User Comments (0)
About PowerShow.com