Collaborative research requires flexible and fine-grained access control, beyond the common all-or-nothing access based purely on authentication. Existing systems can be hard to use, and do not lend themselves naturally to federation. We present an access-control architecture which builds on RDFs natural strength as an integration framework, which uses RDF scavenged from X.509 certificates, and policies expressed as ontologies and SPARQL queries, to provide flexible and distributed access control. We describe initial implementations

Doherty, T.

Gray, N.

Lusted, J.

Sinnott, R.O.

English

Enlighten

       Gray, N., Sinnott, R.O., Doherty, T. and Lusted, J. (2009) Advanced grid authorisation using semantic technologies - AGAST.In: UK e-Science All Hands Meeting, 7-9 Dec 2009, Oxford, UK. http://eprints.gla.ac.uk/7458/  Deposited on: 9 September 2011   Enlighten – Research publications by members of the University of Glasgow http://eprints.gla.ac.uk Advanced Grid Authorisation using SemanticTechnologies – AGASTNorman Gray12, Richard O Sinnott2, Thomas Doherty2 and Jeff Lusted11 Department of Physics and Astronomy, University of Leicester, UK,2 Department of Physics and Astronomy, University of Glasgow, UKnorman@astro.gla.ac.ukAbstract. Collaborative research requires flexible and fine-grained ac-cess control, beyond the common all-or-nothing access based purely onauthentication. Existing systems can be hard to use, and do not lendthemselves naturally to federation. We present an access-control archi-tecture which builds on RDF’s natural strength as an integration frame-work, which uses RDF scavenged from X.509 certificates, and policiesexpressed as ontologies and SPARQL queries, to provide flexible anddistributed access control. We describe initial implementations.Collaborative research often demands finer-grained security that goes beyondthe authentication-only paradigm of many e-Infrastructure systems. There aresolutions for finer-grained access control, but in our experience these are oftenfragile, inflexible and difficult to establish, maintain and federate (for furtherdiscussion of these problems, see [1], which focuses on just one use-case). Inthis paper we present results of the JISC-funded AGAST project (www.nesc.ac.uk/hub/projects/agast), illustrating an approach to the specification andenforcement of security policies that is based on semantic technologies and thenatural integratability of RDF data, and which addresses many of the limitationsof existing security solutions. We illustrate the approach by describing sampleclient implementations in two scientific disciplines.There is a good deal of contemporary interest in authentication (‘AuthN’)and identity technology, rather less so in authorisation (‘AuthZ’). This is at leastpartly because this is hard, and that in turn is because the networked identities(on which access-control decisions must be made) are and will remain hetero-geneous, time-varying, and distributed. The AGAST architecture, based as it ison the natural ‘webbiness’ of RDF and the associated standards of the Seman-tic Web, is a much more natural fit to this distributed, and opportunisticallyavailable identity and access-control information (ACI).Existing technology in this area relies on distributed Attribute Authority(AA) architectures such as Shibboleth (shibboleth.internet2.edu), and cen-tralised ones such as VOMS [2]. The typical scenario is as follows: the AAscommunicate attributes to a Policy Enforcement Point (PEP, using the termi-nology of X.812 [3]) using SAML or X.509 Attribute Certificates (AC); oncethere, the role of the Policy Decision Point (PDP) is taken by a PERMIS sys-tem (www.permis.org), which implements a role-based access control system toAllHands 09, ‘AGAST’, Gray: p1 of 3determine whether the available attributes indicate that the user has a suitablerole in a hierarchy represented by the PERMIS policy. Crucially, the role hierar-chy is static, and the available attributes are fixed and globally pre-agreed; themapping of attributes to PERMIS roles is also fixed, and fundamentally basedon string comparison; there is no way to cope with attributes deliberately oraccidentally having different meanings at different AAs (for example a ‘lecturer’at one institution may be allowed to borrow an unlimited number of books, butthe same role elsewhere may borrow only a limited number). That is, integrationis hard, and though federation can be made to work, it is not natural to do so.PEP TranslatorsLDAPRDBMSSAMLShibPDPAccess requestAccess decisionSPARQLACI/RDF(Cert info)Policy...local system boundaryFig. 1. The Semantic PDP architectureWe can use the natural integration features of RDF – its ‘webbiness’ – tosupport much more flexible access control policy specification and subsequentenforcement. For example: we may decide that a particular confidential resourcecan be seen only by members of the class ns1:Medic, which consists of the unionof the classes ns1:Doctor and ns1:Nurse in some local or standard ontology.We then wish to integrate the class ns2:Krankenschwester, which is an elementof an ‘ontology’ which may be an LDAP schema or AC attribute set, or beotherwise derivable from a X.509 certificate; the ‘translators’ in Fig. 1 translatethis information into RDF. If we then state as an element of local policy thatns2:Krankenschwester is a subclass of ns1:Nurse, then immediately anyonewhose (remote) credentials indicate they are of type ns2:Krankenschwesteris (locally deemed to be) provably a ns1:Nurse and thus also a ns1:Medic;in this way distinct (PERMIS or other) role hierarchies can be aligned andcombined straightforwardly and robustly. This is a simple example: the pointis that expressing the access problem in RDF makes the relevant mappingsalmost trivially expressible. Crucially, all of the components of this chain ofreasoning could potentially have come from different sources (interoperability),AllHands 09, ‘AGAST’, Gray: p2 of 3locally translated into RDF (the ‘RDF-native’ ACI of FOAF+SSL would be anatural fit here). In this scenario, the policy information is expressed in the setof available classes (and the mappings implied by the translators), the logicalrelationships between the classes, the grant of access to members of one of theclasses, and the query which asks whether a user is a ns1:Medic. Reference [4]uses a similar service-based PDP, but without the semantic policies.This architecture has been implemented in the AGAST project through aRESTful web-service acting as a PDP: Qadi. A PEP client of the service maydefine a policy as an ontology, as illustrated above. When a user attempts toaccess the service, the PEP obtains or extracts information about that user asRDF, and uploads that to a newly-created ‘decider’ (this may simply requireposting the X.509 user- or attribute-certificate used for authentication). It thenasks the decider ‘is the user X in the class of entities permitted access?’, towhich the Qadi service can reply with a simple yes or no, which the PEP canact upon by permitting or denying the user access. The policy is expressedin the combination of the uploaded ontology and the SPARQL query used tointerrogate it.We have implemented case-studies using this architecture, in the contextof clinical trials (VOTES, www.nesc.ac.uk/hub/projects/votes), and remoteprocessing in astronomy. We will discuss both use-cases in detail, confirmingthe basic feasibility of the approach, and confirming that the server software isindeed substantially easier to set up and configure, and the client software easierto integrate, than existing well-developed approaches.In summary: users have and will retain multiple identities and numerous pre-existing permissions to resources, and semantic web approaches can integratethese resources, and allow us to reason with them, in a natural way.References1. Richard O Sinnott, Thomas Doherty, Norman Gray, and Jeff Lusted. Semanticsecurity: Specification and enforcement of semantic policies for security-driven col-laborations. In 7th HealthGrid Conference, Berlin, Germany, Studies in HealthTechnology and Informatics. IOS Press, 2009.2. R. Alfieri, R. Cecchini, V. Ciaschini, L. dell’Agnello, A´. Frohner, A. Gianoli,K. Lo˜rentey, and F. Spataro. VOMS, an authorization system for virtual orga-nizations. In Grid Computing, volume 2970 of Lecture Notes in Computer Science,pages 33–40. Springer, 2004.3. Information technology – open systems interconnection — security frameworks foropen systems: Access control framework (ITU-T Rec X.812 = ISO/IEC-10181-3:1996). International Standard ISO-10181-3/X.812, 1996.4. Marcin Adamski, Michal Kulczewski, Krzysztof Kurowski, Jarek Nabrzyski, andAlastair Hume. Security and performance enhancements to OGSA-DAI for griddata virtualization. Concurrency and Computation: Practice and Experience, 19:1–11, 2007.AllHands 09, ‘AGAST’, Gray: p3 of 3

an authorization system for virtual organizations.

Information technology { open systems interconnection | security frameworks for open systems:

Security and performance enhancements to OGSA-DAI for grid data virtualization.

Semantic security: Speci and enforcement of semantic policies for security-driven collaborations.

Advanced grid authorisation using semantic technologies - AGAST

Enlighten: Publications

Advanced grid authorisation using semantic technologies - AGAST

Abstract

Similar works

Full text

Available Versions

Enlighten

Enlighten: Publications