Presentation on theme: "The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007."— Presentation transcript:
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007
What is VOMS VOMS is… An Attribute Authority. A VO Management System. A source of trust for authorization. VOMS is not… A policy system. An AuthN/AuthZ framework.
VOMS: The problem In a grid environment, VOs tend to be extremely large and change frequently. Hundreds or even thousands of users. Sites need to know the users because of the need to prepare local accounts and eventually apply authorization policies. It is not scalable to manage them by hand
VOMS: The solution Organize users into groups and grant them roles. Allows for full RBAC authorization. Also, adds other general-purpose attributes.
What is VOMS-Admin? A web application that manages the contents of the VOMS database Used by VO Administrators mainly to add/remove users to the VO, put them in VOMS groups, assign VOMS roles to them Provides a WSDL interface to its functions Has a command line client Has a web-based user interface
What is VOMSd VOMSd is the component which listens for user requests and creates Attribute Certificates. All communication is secured and mutually authenticated. Allows high customization of ACs. Which roles to present, validity length, targeting, etc…
VOMS data format Attributes (groups, roles, general purpose) returned by VOMS are inserted into an RFC-3281 compliant Attribute Certificate. The exact profile is described here: https://forge.gridforum.org/sf/go/doc13797?nav=1 ACs are the natural choice in a X.509 world. The grid is a X.509 world. The provided clients insert the AC in a non-critical extension of the user proxy. Immediate compatibility with non-VOMS aware software.
What is a proxy? A proxy is a short-lived certificate that has as issuer a user certificate. Standardized in RFC Commonly used throughout the grid for authentication and authorization purposes.
VOMS clients The clients provided are command-line based. But APIs are available in C,C++ and JAVA. You could write your own client.
Shibboleth: Protocol Description User Service Provider Wayf Identity Provider
A common misconception: VOMSShibboleth = IdP
Similarities VOMS and a Shibboleth IdP both… Maintain lists of user identities. Add attributes to user identities. Offer a way to distribute such attributes.
Differences Shibboleth IdPVOMS Has good support for federationsHas basic support for federations Does not support X.509Supports X.509 Supports SAMLSAML support in development Allows third parties to get information on usersDoes not allow third parties to get information on users. Pull modelPush model Mostly geared to website authorizationMostly geared to grid authorization Delegation of credentials not well supportedDelegation of credentials well supported
Shibboleth and Grids: The problem “The Shibboleth System is NOT usable in non-Browser scenarios (without a lot of hard thinking)” “Introduction to Shibboleth – Phases of Deployment” Steve Carmody, 2006 Shibboleth Camp Unfortunately, grid access and usage relies heavily on non-browser access. Implies that some translation mechanism is necessary for shib users to access a grid.
An example submission Broker Execution Storage Job Data Job Data
Shibboleth and Grids: The Solution Insert Shib attributes directly in a VOMS proxy and use said proxy for grid access. Implemented by VASH Collaboration by SWITCH and INFN within EGEE. Details in my colleague’s presentation.
The VOMS team Vincenzo Ciaschini Valerio Venturi Andrea Ceccanti