Distributed Provision and Management of Security Services in Globus Toolkit 4

Félix J. García Clemente, Gregorio Martínez Pérez, Andrés Muñoz Ortega, Juan A. Botía Blaya, and Antonio F. Gómez Skarmeta

Departamento de Ingeniería de la Información y las Comunicaciones, University of Murcia, Spain
{fgarcia, gregorio, skarmeta}@dif.um.es, {amunoz, juanbot}@um.es
Abstract. Globus Toolkit version 4 (GT4) provides a set of new services and tools, completing a first step towards the migration of previous Globus Toolkit versions to web services. It provides components addressing basic issues related to security, resource discovery, data movement and management, etc. However, it still lacks advanced management frameworks that may be linked to GT4 services and thus provide a system-wide view of them. This is especially true in the case of security-related services, which need to be properly managed across the different organizations collaborating in the grid infrastructure. This paper presents the major achievements in designing and developing a semantic-aware management framework for GT4 security services.

Keywords: GT4 security services management, web service-oriented management, semantic-aware policy checking and validation.
R. Meersman, Z. Tari et al. (Eds.): OTM 2006, LNCS 4276, pp. 1325 – 1335, 2006. © Springer-Verlag Berlin Heidelberg 2006

1 Introduction and Motivation

Globus Toolkit version 4 (GT4) provides a range of new services and features, including a first robust implementation of Globus Web Services components, allowing GT4 to complete the first stage of the migration to web services that began with GT3. The management of grid services is a complex task, with a high number of issues to be considered. Truly useful grid infrastructures should offer a number of tools for managing such services, whose purpose should be to facilitate the management tasks of grid users and administrators. They may also provide added-value services such as checking the validity of grid management rules or performing proactive monitoring, thus enabling automatic and dynamic management frameworks. Even though these features are of real need for grid infrastructures, the Globus Toolkit does not provide any particular solution to distributed grid management [7]. However, several active working groups and projects are starting to address some of these issues. For example, important solutions are provided by KAoS and PERMIS. KAoS [13] is a set of platform-independent services allowing fine-grained policy-based management of grid services on the Globus platform. By providing an interface between the Globus grid and KAoS, it enables the use of KAoS mechanisms to manage GSI (Grid Security Infrastructure)-enabled grid services. Another solution is PERMIS [11], a privilege management software that uses the principles of Role-Based Access Control (RBAC) to deploy an authorisation service into a Globus container.

In the same line, the POSITIF (Policy-based Security Tools and Framework) [12] EU IST project proposes the design and implementation (as a contribution to the open-source community) of a framework for managing security policies for the grid scenario based on GT4. Moreover, the POSITIF framework meets certain requirements that make it different from other existing solutions: the integration of web services in the whole management cycle (from the definition task to the enforcement and monitoring processes), and the use of semantic-aware management languages enabling added-value features such as the detection and resolution of conflicts between different grid management policies specified as decision rules.

This paper is structured as follows. Section 2 presents the main ideas behind the specification of semantically-rich policies in the POSITIF framework and how policies are represented. Section 3 presents how the POSITIF framework has been linked with GT4, along with the way security policies have been defined and the tools developed to evaluate this proposal in a real GT4 scenario. Finally, Section 4 concludes the paper with our remarks and statements of direction.
2 Representation of Semantic-Aware Security Policies

This section provides an overview of the main ideas behind the specification of semantically-rich policies in the POSITIF framework. Additional details can be found in [3] and [12].

• Use of a standard information model. The use of information models eases the task of building efficient and well-integrated security management systems. The POSITIF representation is based on a well-recognized standard, CIM (Common Information Model) [1], thus enabling the management of security services in a uniform manner. The CIM model is independent of any encoding or particular specification. However, for an information model to be useful it has to be mapped into some implementation, and CIM can be mapped to multiple structured specifications. As part of our semantic-aware security policy model we have proposed the specification of CIM using OWL [14]; the authors presented a proposal for expressing CIM objects in OWL, named CIM-OWL, in [4].

• Policies as Horn-like rules. Policies are defined by managers as if-then rules. Consequently, the authors have proposed the use of the Semantic Web Rule Language (SWRL) [15], which extends the set of OWL axioms to include a high-level abstract syntax for Horn-like rules that can be combined with an OWL knowledge base. A useful restriction in the form of the rules is to limit antecedent and consequent atoms to named classes, where the classes are defined purely in OWL. Adhering to this format makes it easier to translate rules to or from existing or future rule systems, including Prolog and Jena [8]. In fact, both the rule-based inference engine from the Jena framework and the Pellet reasoner have been used as part of our deployment in POSITIF. More information on this proposal can be found in [4, 9].

• Separation of system description and policy description. POSITIF separates the formal definition of the desired level of security from that of the target information system. Two different languages have been formally defined, SDL (System Description Language) and SPL (Security Policy Language). SDL describes networked systems and applications, conveying the topology of the system, the functionality of each element and the security capabilities of each component, using an ontology based on the CIM information model. SPL offers security policy administrators the possibility to specify both high-level and low-level policies using Horn-like SWRL rules.

• Reasoning capabilities. POSITIF incorporates semantic expressiveness into the management information specifications to ease the tasks of validating and reasoning about the policies, which helps in handling security management tasks such as conflict resolution. POSITIF management representations are realized as an OWL ontology, which eases useful reasoning tasks because OWL is based on description logics. This simple yet powerful kind of first-order-like logic allows reasoning not only on individuals but also on the structure of the base information model which holds the instances, with efficient and sound algorithms. More information on this proposal can be found in [9].

• Integration and interoperability with other frameworks. The use of standards (such as the CIM information model or Web Services over HTTP/HTTPS) eases the integration of the POSITIF framework with other existing management frameworks. This can be of real interest in order to integrate the results presented in this paper with other approaches coming from the different GGF working groups or other research works such as those mentioned above.
Fig. 1. Specification of security policies (diagram not reproduced; it shows the administrator producing the ontology-based system description with its security capabilities, and the rule definition step that yields the security policies)
Figure 1 shows our approach for the specification of security policies. The administrator describes the system and its security capabilities using an ontology based on the CIM information model. Then, the administrator uses these ontology elements within the body and the head of Horn-like rules that represent the security policies governing the behaviour of the system being managed.
3 Security Policy Management for GT4 Services

Globus Toolkit 4 provides effective resource management for the grid-computing environment. It also includes security services providing secure access to these resources, and therefore it needs security policy services to determine when the resources can (or cannot) be accessed by any other entity taking part in the grid infrastructure. In this sense, POSITIF is a good complement to the GT4 system, providing a wide range of security policy management capabilities that rely on platform-specific enforcement mechanisms, and thus helping grid managers to define the right policies to be applied and enforced in the grid components. By providing an interface between GT4-based grids and the POSITIF framework, we enable the use of POSITIF mechanisms to manage Grid Security Infrastructure (GSI) [6] enabled grid services. GSI (also called GT Security) is the basis of the GT4 security layer; it is composed of a set of command-line tools to manage certificates and a set of Java classes to integrate security into web services. GSI offers programmers features such as transport-level and message-level security, authentication through X.509 digital certificates, several authorization schemes, credential delegation and single sign-on, and different levels of security (i.e., container, service and resource). GSI is the only component of GT4 that we use in the integration. The interface is a POSITIF plug-in, which we call the GT4 Security Plug-in. The plug-in itself is a grid plug-in that gives grid clients and services the ability to check the action to be performed against the current policies. Figure 2 shows the basic architecture.
Fig. 2. GT4 security plug-in (diagram not reproduced; it shows the POSITIF framework, holding the system description, the security policy, the block security map and the threats and vulnerabilities, connected through the GT4 Security plug-in (SB) to the GT4 Security Engine and the GT4 Service)
This plug-in links grid services to the POSITIF framework. Currently the GT4 Security plug-in has been deployed as an authorization interceptor, because GT4 makes it easier this way. In the future, when GT4 supports new interceptors for other types of policies (e.g., privacy), the plug-in will add this functionality easily thanks to the extensibility of the POSITIF framework.
3.1 Enforcing Area

GT Security includes an Authorization Framework that allows for a variety of authorization schemes, including a grid-mapfile access control list, an access control list defined by a service, a custom authorization handler, and access to an authorization service via the SAML protocol. The GT4 Security plug-in uses a custom authorization handler. It is a middleware authorization package that enables any service with POSITIF authorization logic by developing interceptors and enabling them in a security descriptor. This means that any request for an authorization decision made by a Globus service is sent to an independent package, i.e. the POSITIF framework via the GT4 Security plug-in. The POSITIF framework is responsible for managing the policy associated with a GT4 service.

GT4 authorization configuration involves setting a chain of authorization schemes (also known as Policy Decision Points (PDPs)). When an authorization decision needs to be made, the PDPs in the chain are evaluated in turn to arrive at a permit or deny decision. The combining rule for the results of the individual PDPs is currently "deny overrides"; that is, all PDPs have to evaluate to permit for the chain to evaluate as permit. The GT4 Security plug-in includes two interceptors: POSITIFAuthzPDP and POSITIFAuthzPIP (see Figure 3). POSITIFAuthzPDP implements the GT4 PDP interface [2] that must be implemented by all PDPs in the interceptor chain. A PDP is responsible for deciding whether a subject is allowed to invoke a certain operation or not. The subject may contain public or private credentials holding attributes collected and verified by the POSITIFAuthzPIP.

Fig. 3. GT4 security plug-in implements the authorization PDP and PIP (diagram not reproduced; it shows the GT4 Security Engine calling the plug-in's AuthzPDP (registration, isPermitted) and AuthzPIP (collectAttributes) on behalf of the GT4 Service)
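The chain semantics described above, as an added example that is not part of the paper or of the Globus Toolkit: a Python model of a PIP that collects subject attributes and of two PDPs whose results are combined with "deny overrides". The class names (RolePIP, GridMapPDP, RolePolicyPDP, AuthorizationChain), the subject DNs, the grid-mapfile entries and the role grants are all constructed for this illustration; the real plug-in implements the GT4 PDP and PIP Java interfaces instead.

```python
"""Added example (not the paper's or Globus' code): a GT4-style authorization
chain. PIPs run first and fill in subject attributes, then each PDP in the
chain is asked isPermitted(); with "deny overrides" the first PDP that does
not permit decides the outcome. All names and sample data are constructed."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    dn: str                                          # authenticated X.509 subject DN
    attributes: dict = field(default_factory=dict)   # filled in by the PIPs


class RolePIP:
    """Policy Information Point: looks up the roles held by the subject."""

    def __init__(self, roles_by_dn):
        self.roles_by_dn = roles_by_dn               # constructed DN -> roles table

    def collect_attributes(self, subject):
        roles = subject.attributes.setdefault("roles", set())
        roles.update(self.roles_by_dn.get(subject.dn, ()))


class GridMapPDP:
    """Grid-mapfile style ACL: only listed DNs may call the service at all."""

    def __init__(self, gridmap):
        self.gridmap = set(gridmap)

    def is_permitted(self, subject, service, operation):
        return subject.dn in self.gridmap


class RolePolicyPDP:
    """Role-based policy: each (service, operation) is granted to a set of roles."""

    def __init__(self, grants):
        self.grants = grants

    def is_permitted(self, subject, service, operation):
        allowed = self.grants.get((service, operation), set())
        return bool(subject.attributes.get("roles", set()) & allowed)


class AuthorizationChain:
    """Runs the PIPs, then the PDPs in order; a single deny ends the chain."""

    def __init__(self, pips, pdps):
        self.pips, self.pdps = list(pips), list(pdps)

    def authorize(self, subject, service, operation):
        for pip in self.pips:
            pip.collect_attributes(subject)
        for pdp in self.pdps:
            if not pdp.is_permitted(subject, service, operation):
                return False, type(pdp).__name__     # deny overrides: report who denied
        return True, None


# Constructed sample data (hypothetical DNs, mapfile and grants)
GRIDMAP = ["/O=Grid/OU=um.es/CN=alice", "/O=Grid/OU=um.es/CN=bob"]
ROLES = {
    "/O=Grid/OU=um.es/CN=alice": {"Students"},
    "/O=Grid/OU=um.es/CN=bob": {"Teachers"},
    "/O=Grid/OU=um.es/CN=carol": {"Students"},       # holds a role but is not in the mapfile
}
GRANTS = {
    ("Counter", "query"): {"Students", "Teachers"},
    ("Counter", "reset"): {"Teachers"},
}


def build_chain():
    return AuthorizationChain([RolePIP(ROLES)], [GridMapPDP(GRIDMAP), RolePolicyPDP(GRANTS)])


def decide(dn, service, operation):
    """Returns (permitted, name_of_denying_pdp_or_None)."""
    return build_chain().authorize(Subject(dn), service, operation)


if __name__ == "__main__":
    for dn in ROLES:
        for op in ("query", "reset"):
            print(dn, "Counter." + op, decide(dn, "Counter", op))
```

The decision tuple reports which PDP denied, which is what one would log in practice: under deny overrides a DN missing from the grid-mapfile is refused before any role policy is consulted, so a later PDP's grants can never widen access beyond the ACL in front of it.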
The following example shows a security descriptor with the correct authorization chain configured. In the next example, the values chosen for the scope are pdpscope and pipscope:
It is necessary to configure the interceptors with the URL of the web service to connect to the POSITIF enforcement area. We assume that the PDPConfig object picks up the configuration information from the service deployment descriptor. This is an example.
3.2 Expressing Semantic-Aware Policies

The basic components of any authorization policy are the subjects, actions, targets and the context. A sample policy would read: "It is permitted for subject(s) S to perform action(s) A on the target(s) T in the context C." The CIM ontology defines the classes depicted in Figure 4 to represent the management concepts related to an authorization policy. Privilege is the base class for all types of activities which are granted or denied to a subject by a target. AuthorizedPrivilege is the specific subclass for the authorization activity.

Fig. 4. UML diagram of CIM User-Authorization classes (diagram not reproduced; the classes it shows are ManagedElement; ManagedSystemElement (reduced, see Core Model); Collection; Role (Name: string {key}); Identity (InstanceID: string {key}); Service; Privilege (InstanceID: string {key}, PrivilegeGranted: boolean (True), Activities: uint16[], ActivityQualifiers: string[], QualifierFormats: uint16[]); and AuthorizedPrivilege; the associations are MemberOfCollection, AuthorizedSubject and AuthorizedTarget)
Whether an individual Privilege is granted or denied is defined by the PrivilegeGranted boolean. The association of subjects to AuthorizedPrivileges is accomplished explicitly via the AuthorizedSubject association. The entities that are protected (targets) are similarly defined via the AuthorizedTarget association. The Role class represents a position or set of responsibilities within an organization, organizational unit or system administration scope. It is filled by a person or persons represented by the Identity class, or by non-human entities represented by ManagedSystemElement subclasses, that may be explicitly or implicitly members of this Collection subclass. The Service class, derived from ManagedSystemElement, represents a service. Since both Service and Role are specializations of ManagedElement, either may be the target or the subject of a Privilege. For our purposes, we use Role and Identity as subjects and Service as target. In this context, the policy administrator may define basic authorization policies, for example "The counter service permits students to query it", or more complex ones, for example "If the counter service permits students to query it, then the counter service permits teachers to query it". Figure 5 shows the logic representation of this policy, which can be mapped easily to SWRL. An authorization policy must be applied in an administrative domain described with the aforementioned SDL language, where the main grid services are described. In this particular example, the administrative domain is composed of a role that represents the set of students, a role that represents the set of teachers, and a privilege to query the counter. Figure 6 shows the description of the administrative domain.
CIM_AuthorizedTarget(?authtarget) ∧ CIM_AuthorizedSubject(?authsubject1) ∧ CIM_Service(?counter) ∧ CIM_AuthorizedPrivilege(?privilege) ∧ Name(?counter, "Counter") ∧ CATPrivilege(?authtarget, ?privilege) ∧ TargetElement(?authtarget, ?counter) ∧ CASPrivilege(?authsubject1, ?privilege) ∧ PrivilegedElement(?authsubject1, #Students)
→ CIM_AuthorizedSubject(?authsubject2) ∧ CASPrivilege(?authsubject2, ?privilege) ∧ PrivilegedElement(?authsubject2, #Teachers)

Fig. 5. Example of a security policy

Fig. 6. Representation in OWL of the administrative domain (the OWL serialization was lost in extraction; the values that survive from it are Counter, positif:authzquery, true, Query, Students and Teachers)
3.3 Checking and Transforming Area

The SWRL-encoded SPL rule (representing the policies governing the behaviour of the grid services), together with the OWL-encoded administrative domain (representing the set of services and related information, e.g. roles, being managed), must be loaded into a rule reasoner in order to make things work. The reasoner allows us to check the validity of the policy specification by testing it against the reference ontology of the CIM model and its instances. One rule reasoner that can be used for this purpose is the Jena reasoner, as the authors have done during this research. Figure 7 shows the Jena representation of this policy in our grid scenario.
#exampleRule:
  ( ?authtarget http://www.w3.org/1999/02/22-rdf-syntax-ns#type http://www.positif.com/cim#CIM_AuthorizedTarget )
  ( ?authsubject1 http://www.w3.org/1999/02/22-rdf-syntax-ns#type http://www.positif.com/cim#CIM_AuthorizedSubject )
  ( ?counter http://www.w3.org/1999/02/22-rdf-syntax-ns#type http://www.positif.com/cim#CIM_Service )
  ( ?privilege http://www.w3.org/1999/02/22-rdf-syntax-ns#type http://www.positif.com/cim#CIM_AuthorizedPrivilege )
  ( ?counter http://www.positif.com/cim#Name 'Counter' )
  ( ?authtarget http://www.positif.com/cim#CATPrivilege ?privilege )
  ( ?authtarget http://www.positif.com/cim#TargetElement ?counter )
  ( ?authsubject1 http://www.positif.com/cim#CASPrivilege ?privilege )
  ( ?authsubject1 http://www.positif.com/cim#PrivilegedElement http://www.positif.com/cim#Students )
  ->
  ( ?authsubject2 http://www.w3.org/1999/02/22-rdf-syntax-ns#type http://www.positif.com/cim#CIM_AuthorizedSubject )
  ( ?authsubject2 http://www.positif.com/cim#CASPrivilege ?privilege )
  ( ?authsubject2 http://www.positif.com/cim#PrivilegedElement http://www.positif.com/cim#Teachers )

Fig. 7. Jena representation of an authorization policy
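The Fig. 7 rule executed by a small forward-chaining reasoner, as an added example that is neither the paper's code nor Jena: the engine matches the rule body against the administrative domain of Section 3.2 encoded as triples, derives the new AuthorizedSubject for the teachers, and then runs the kind of conflict check Section 3.3 describes, flagging a role/service pair that is both granted and denied through the same target. The CIM namespace, the class and property names, and the individuals Counter, Query, Students and Teachers are taken from Figs. 5, 6 and 7; the engine itself, the individual names authtarget1/authsubject1 and the extra denying privilege NoQuery (added only to provoke a conflict) are constructed for this illustration.

```python
"""Added example (not the paper's code, not Jena): forward chaining over
RDF-style triples for the Fig. 7 rule, plus a granted/denied conflict check.
Facts are (subject, predicate, object) tuples; variables start with '?'."""
import itertools

CIM = "http://www.positif.com/cim#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"


def cim(name):
    return CIM + name


def is_var(term):
    return isinstance(term, str) and term.startswith("?")


def match(pattern, triple, binding):
    """Extend `binding` so that `pattern` equals `triple`; None if impossible."""
    b = dict(binding)
    for p, t in zip(pattern, triple):
        if is_var(p):
            if b.setdefault(p, t) != t:      # already bound to something else
                return None
        elif p != t:
            return None
    return b


def solve(body, facts, binding=None):
    """Yield every binding that satisfies all body patterns (backtracking join)."""
    binding = binding if binding is not None else {}
    if not body:
        yield binding
        return
    for fact in facts:
        b = match(body[0], fact, binding)
        if b is not None:
            yield from solve(body[1:], facts, b)


_fresh = itertools.count(1)


def forward_chain(facts, rules):
    """Fire each rule once per distinct body binding until no new triple appears.
    Variables that occur only in the head become fresh individuals (blank nodes)."""
    facts, fired = set(facts), set()
    while True:
        new = set()
        for i, (body, head) in enumerate(rules):
            for b in solve(body, facts):
                key = (i, tuple(sorted(b.items())))
                if key in fired:
                    continue
                fired.add(key)
                b = dict(b)
                for pat in head:
                    new.add(tuple(
                        b.setdefault(t, f"_:b{next(_fresh)}") if is_var(t) else t
                        for t in pat))
        if new <= facts:                     # fixpoint reached
            return facts
        facts |= new


def effective_privileges(facts):
    """(role, service, granted) for each subject/target pair joined through one
    AuthorizedPrivilege, i.e. what the CIM associations of Fig. 4 express."""
    query = [("?s", RDF_TYPE, cim("CIM_AuthorizedSubject")),
             ("?s", cim("CASPrivilege"), "?p"),
             ("?s", cim("PrivilegedElement"), "?role"),
             ("?t", RDF_TYPE, cim("CIM_AuthorizedTarget")),
             ("?t", cim("CATPrivilege"), "?p"),
             ("?t", cim("TargetElement"), "?svc"),
             ("?p", cim("PrivilegeGranted"), "?granted")]
    return {(b["?role"], b["?svc"], b["?granted"]) for b in solve(query, facts)}


def conflicts(facts):
    """(role, service) pairs that are both granted and denied."""
    seen = {}
    for role, svc, granted in effective_privileges(facts):
        seen.setdefault((role, svc), set()).add(granted)
    return {pair for pair, vals in seen.items() if vals == {"true", "false"}}


STUDENTS, TEACHERS, COUNTER, QUERY = cim("Students"), cim("Teachers"), cim("Counter"), cim("Query")

# Administrative domain of Fig. 6 as triples (individual names authtarget1/authsubject1 are assumed)
DOMAIN = {
    (COUNTER, RDF_TYPE, cim("CIM_Service")), (COUNTER, cim("Name"), "Counter"),
    (STUDENTS, RDF_TYPE, cim("CIM_Role")), (TEACHERS, RDF_TYPE, cim("CIM_Role")),
    (QUERY, RDF_TYPE, cim("CIM_AuthorizedPrivilege")), (QUERY, cim("PrivilegeGranted"), "true"),
    (cim("authtarget1"), RDF_TYPE, cim("CIM_AuthorizedTarget")),
    (cim("authtarget1"), cim("CATPrivilege"), QUERY),
    (cim("authtarget1"), cim("TargetElement"), COUNTER),
    (cim("authsubject1"), RDF_TYPE, cim("CIM_AuthorizedSubject")),
    (cim("authsubject1"), cim("CASPrivilege"), QUERY),
    (cim("authsubject1"), cim("PrivilegedElement"), STUDENTS),
}

# The Fig. 7 rule: if students may query the counter, so may teachers
EXAMPLE_RULE = (
    [("?authtarget", RDF_TYPE, cim("CIM_AuthorizedTarget")),
     ("?authsubject1", RDF_TYPE, cim("CIM_AuthorizedSubject")),
     ("?counter", RDF_TYPE, cim("CIM_Service")),
     ("?privilege", RDF_TYPE, cim("CIM_AuthorizedPrivilege")),
     ("?counter", cim("Name"), "Counter"),
     ("?authtarget", cim("CATPrivilege"), "?privilege"),
     ("?authtarget", cim("TargetElement"), "?counter"),
     ("?authsubject1", cim("CASPrivilege"), "?privilege"),
     ("?authsubject1", cim("PrivilegedElement"), STUDENTS)],
    [("?authsubject2", RDF_TYPE, cim("CIM_AuthorizedSubject")),
     ("?authsubject2", cim("CASPrivilege"), "?privilege"),
     ("?authsubject2", cim("PrivilegedElement"), TEACHERS)],
)

# Constructed: a second privilege that denies teachers the query on the counter
DENY_TEACHERS = {
    (cim("NoQuery"), RDF_TYPE, cim("CIM_AuthorizedPrivilege")),
    (cim("NoQuery"), cim("PrivilegeGranted"), "false"),
    (cim("authtarget2"), RDF_TYPE, cim("CIM_AuthorizedTarget")),
    (cim("authtarget2"), cim("CATPrivilege"), cim("NoQuery")),
    (cim("authtarget2"), cim("TargetElement"), COUNTER),
    (cim("authsubject3"), RDF_TYPE, cim("CIM_AuthorizedSubject")),
    (cim("authsubject3"), cim("CASPrivilege"), cim("NoQuery")),
    (cim("authsubject3"), cim("PrivilegedElement"), TEACHERS),
}

if __name__ == "__main__":
    print(sorted(effective_privileges(forward_chain(DOMAIN, [EXAMPLE_RULE]))))
    print(conflicts(forward_chain(DOMAIN | DENY_TEACHERS, [EXAMPLE_RULE])))
```

Firing a rule at most once per body binding is what keeps the run terminating even though the head introduces a fresh individual; without that guard every pass would mint another AuthorizedSubject. The conflict check is deliberately run on the closure rather than on the asserted facts, since the denial here contradicts a privilege that only exists after inference.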
The rule reasoner performs inference with the SWRL rules, deriving new individuals (i.e., new instances of CIM classes or associations). For our example, the rule reasoner infers new data that grants the teachers the privilege to query the counter grid service. Another important functionality of the rule-based reasoner is that it eases the detection and resolution of conflicts. A conflict occurs when two policy rules cannot be met simultaneously, e.g., one allows a user to start a service and another prohibits the same user from starting that service.

3.4 Management Area

The POSITIF framework offers a guided, simple and graphical tool called ORE (Ontology Rule Editor) [10] in the management area. This tool uses the grid-related SPL and SDL semantic languages described above. ORE offers several functionalities:

• Loading the system description, either from OWL files or from the URI that identifies the ontology. Once the ontology is loaded, ORE shows information about it (version, imported ontologies, etc.) and generates a hierarchical tree representing the classes and instances contained in the ontology model.

• Editing policy rules in a guided and easy way thanks to the Wizard that ORE incorporates. Both left-hand-side (LHS) and right-hand-side (RHS) tuple elements of any rule are defined in the same way, the Wizard guiding the user across three steps: choosing the subject, predicate and object of the LHS or RHS tuple element. The Wizard performs semantic checking of the rules created and warns the user if they are not correct.
• Checking the defined rules, using the security checker that incorporates a Jena reasoner. ORE sends the rules to the checker, the checker evaluates them, and the results are returned to ORE and shown to the administrator. If the checker is allowed to, the inferred facts or actions can be asserted or performed.

Figure 8 shows a snapshot of the ORE editor. It is basically composed of a navigator through the ontology in use (in the bottom-left part of the figure) and two lists (in the upper part of the same window) which reflect the antecedent and consequent elements added, in the form of RDF triples. Three phases are used to create each triple: one for the subject, one for the property attached to the subject and one for the object.
Fig. 8. ORE editor – loading system description
In our current prototype, GT4 policies are added to POSITIF through the ORE editor. When a client requests a GT4 service, the POSITIF plug-in checks whether the requested action is authorized on the basis of the current policies by querying the POSITIF framework. This query relies on the reasoning capabilities offered as part of SPL.
4 Conclusions and Future Work

One of the main limitations of current GT4 infrastructures is the lack of frameworks enabling dynamic and automatic management of resources and services offered across a virtual organization (VO).
This paper has presented a semantic-aware framework enabling the dynamic management of security services in GT4 infrastructures. The defined framework also represents one step towards the automatic management of security services, considering not only authorization services but also providing additional reasoning mechanisms to deal with issues such as the detection and resolution of conflicts between different grid management rules. As a statement of direction, we are now working to incorporate part of the reasoning mechanisms described in this paper into the proactive monitoring components of the framework, in order to provide dynamic conflict resolution. Other components of the framework (such as the security module area) are being designed and implemented to provide security alarms in grid infrastructures.
Acknowledgments This work has been partially funded by EU POSITIF (Policy-based Security Tools and Framework, IST-002-002314) IST project.
References

1. Common Information Model (CIM) Standards, DMTF, http://www.dmtf.org/standards/cim (2006)
2. Freeman, T., Ananthakrishnan, R.: Authorization processing for Globus Toolkit Java Web services. developerWorks, IBM (2005)
3. García Clemente, F.J., Martínez Pérez, G., Botía Blaya, J.A., Gómez Skarmeta, A.F.: Description of Policies Enriched by Semantics for Security Management. Book chapter in: Web Semantics and Ontology, Idea Group Inc. (2006)
4. García Clemente, F.J., Martínez Pérez, G., Botía Blaya, J.A., Gómez Skarmeta, A.F.: On the Application of the Semantic Web Rule Language in the Definition of Policies for System Security Management. Workshop on Agents, Web Services and Ontologies Merging (AWeSOMe), OnTheMove Workshops, Larnaca, Cyprus (2005)
5. Globus Toolkit Official Documentation, http://www.globus.org/toolkit/docs/ (2006)
6. GT Security (GSI), http://www.globus.org/toolkit/security/ (2006)
7. Harmer, T., Stell, A., McBride, D.: UK Engineering Task Force Globus Toolkit Version 4 Middleware Evaluation. Version 1.0. http://www.nesc.ac.uk/technical_papers/UKeS-200503.pdf (2005)
8. Jena – A Semantic Web Framework for Java, http://jena.sourceforge.net/ (2006)
9. Martínez Pérez, G., García Clemente, F.J., Botía Blaya, J.A., Gómez Skarmeta, A.F.: Enabling Conflict Detection using Ontology and Rule-Based Reasoning in the Specification of Security Policies. 13th Workshop of the HP OpenView University Association, Côte d'Azur, France (2006)
10. ORE (Ontology Rule Editor), http://sourceforge.net/projects/ore (2006)
11. PERMIS – Privilege and Role Management Infrastructure Standards Validation, http://sec.isi.salford.ac.uk/permis/ (2006)
12. POSITIF (Policy-based Security Tools and Framework) EU IST Project, http://www.positif.org/ (2006)
13. Uszok, A., Bradshaw, J., Jeffers, R.: KAoS: A Policy and Domain Services Framework for Grid Computing and Semantic Web Services. In: Proceedings of the Second International Conference on Trust Management, Springer-Verlag (2004)
14. Smith, M.K., Welty, C., McGuinness, D.L.: OWL Web Ontology Language Guide. W3C Recommendation, W3C (2004)
15. SWRL: A Semantic Web Rule Language Combining OWL and RuleML, The Rule Markup Initiative, http://www.ruleml.org/swrl/ (2006)