Presentation is loading. Please wait.

Presentation is loading. Please wait.

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent."— Presentation transcript:

1 TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois jbasney@illinois.edu Von Welch Independent Consultant Champaign, IL von@vonwelch.com Nancy Wilkins-Diehr San Diego Supercomputer Center University of California, San Diego wilkinsn@sdsc.edu

2 2 Goal Re-visit 2005 paper –Von Welch, Jim Barlow, James Basney, Doru Marcusiu, Nancy Wilkins-Diehr, "A AAAA model to support science gateways with community accounts," Concurrency and Computation: Practice and Experience, Volume 19, Issue 6, March 2007. http://dx.doi.org/10.1007/s10586-007-0033-8 AAAA (4A): –Authentication, Authorization, Auditing & Accounting Discuss implementation experience, evolution of the model, and lessons learned

3 3 Science Gateway AAAA Model Users access compute resources through a web portal (Science Gateway), rather than directly Gateway submits requests to its “community account” on TeraGrid resources Benefits: –Gateways handle user enrollment Gateway users don’t need TeraGrid accounts Enrollment process tailored to the user community / usage model –Support a large community of users without overwhelming TeraGrid allocations

4 4 Authentication/Authorization Modes Transitive –User authenticates to gateway and gateway authenticates to compute resource –Resource provider has no knowledge of the user’s identity –Gateway is responsible for authorization of individuals Authorization Credentials –Include user identity in the credentials used by the gateway to authenticate to resource providers –Enables per-user accounting and authorization by the resource provider For example: RP could “blacklist” an individual gateway user

5 5 Traditional User Access Model

6 6 Science Gateway AAAA Model (2005)

7 7 Science Gateway AAAA Model (2010)

8 8 Implementation Experience Started with Transitive Mode –Each gateway has community credentials –No central collection of audit/accounting information –No resource provider changes required Migrating to Authorization Credentials Mode –Motivated by NSF requirements for per-user accounting –Gateway adds user identity information to community credential Creating a separate proxy credential per user session –Resource providers install updated software to extract user identity information (for GRAM4, GRAM5, and SSH+qsub) Backward Compatible: Existing software simply ignored the additional information in the credential RPs send user identity information to TeraGrid Central Database using the AMIE protocol

9 9 Implementation Details: Gateways Gateway implements local security (per TG-10) –Control the jobs that run in the community account –Maintain a user registry –Locally collect usage information / logs Add user identity info to community credential –Create a unique proxy certificate for each user session –Use GridShib SAML Tools to insert SAML assertion containing user attributes into the proxy certificate Required: user identifier (may be anonymous) Optional: user email address, client IP address

10 10 Implementation Details: RPs No changes required to support Transitive Mode To support Authorization Mode: –GRAM4: Install GridShib for Globus Toolkit Full support for accounting, audit, and authorization –GRAM5: Gateway attribute support included Only accounting+audit support, not authorization –SSH: gateway-submit-attributes script –GridFTP: no changes, user attributes not captured Gateway user attributes stored in GRAM Audit DB AMIE processing modified: –Retrieve attributes from GRAM Audit DB and include in Notify Project Usage packets to TGCDB

11 11 Implementation Status 7 out of 16 gateways completed –6 in progress; 3 waiting for SSH support 4 RPs have deployed the GRAM4 support with AMIE modifications GRAM5 testing underway SSH support (gateway-submit-attributes script) will be included with GRAM5 CTSS packages

12 12 Lessons Learned (1) Avoid technology dependencies –Initially targeted only GRAM4 Java web services –Later added GRAM5 and SSH+qsub support Understand participant motivations –Keep it simple for gateways and RPs to deploy –Gateways and RPs do the work but don’t receive the primary benefits Budget time for software change management –It can take months to deploy new software at TG RPs Software provided to TG GIG for packaging GIG releases CTSS packages RPs install and test packages RPs move installations to “production”

13 13 Lessons Learned (2) Accept a “good enough” solution –Initial Transitive model is working surprisingly well Keep it simple –Spent too much time on SAML complexities –Focus on core requirement of counting gateway users No SAML used for SSH+qsub support (gateway-submit-attributes) Blacklisting less important –No strong motivation yet for this capability in practice –Gateway security incidents to-date impacted entire gateway rather than an individual gateway user

14 14 Lessons Learned (3) Design for incremental deployment –Gateways and resource providers upgraded at different times to support authorization credentials –Backward compatibility was essential Web portal-based gateways work well –Provide a user-friendly interface to a limited set of applications Meets policy for restricted access to community accounts –Direct command-line or desktop access to community accounts is problematic

15 15 Conclusion Nearing completion of deployment effort Moving from Transitive Mode to Authorization Credentials Mode –To collect usage information for individual gateway users Relying on GRAM Audit DB across GRAM4, GRAM5, and SSH Required a collaborative effort –Thanks to Tom Scavo, Terry Fleury, Jon Siwek, Stu Martin, Joe Bester, Eric Blau, JP Navarro, Michael Shapiro, and others… –Thanks to gateway developers and RP administrators

16 16 Thanks For more details: jbasney@illinois.edu http://teragridforum.org/mediawiki/index.php?title=Scienc e_Gateway_Credential_with_Attributes Informal F2F: today 5:30-6:30 in Brighton 4

Download ppt "TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent."

Similar presentations

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Science Gateway Stuart Martin Computation Institute, University of Chicago & Argonne.

TeraGrid's GRAM Auditing & Accounting, & its Integration with the LEAD Science Gateway Stuart Martin Computation Institute, University of Chicago & Argonne.
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
A AAAA Model to Support Science Gateways with Community Accounts GGF-14 Science Gateways Workshop June 28, 2005 Von Welch, James Barlow, James Basney,

A AAAA Model to Support Science Gateways with Community Accounts GGF-14 Science Gateways Workshop June 28, 2005 Von Welch, James Barlow, James Basney,
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.
Science Gateways on the TeraGrid Von Welch, NCSA (with thanks to Nancy Wilkins-Diehr, SDSC for many slides)

Science Gateways on the TeraGrid Von Welch, NCSA (with thanks to Nancy Wilkins-Diehr, SDSC for many slides)
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.

1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
Simo Niskala Teemu Pasanen

Simo Niskala Teemu Pasanen
Globus Computing Infrustructure Software Globus Toolkit 11-2.

Globus Computing Infrustructure Software Globus Toolkit 11-2.
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.

TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.
Network, Operations and Security Area Tony Rimovsky NOS Area Director

Network, Operations and Security Area Tony Rimovsky NOS Area Director

Similar presentations

Ads by Google