
Attribute-based Authentication for Gateways Jim Basney Terry Fleury Stuart Martin JP Navarro Tom Scavo Jon Siwek Von Welch Nancy Wilkins-Diehr.


1 Attribute-based Authentication for Gateways Jim Basney Terry Fleury Stuart Martin JP Navarro Tom Scavo Jon Siwek Von Welch Nancy Wilkins-Diehr

2 Gateway Objectives for PY4 and 5
TeraGrid integration will be straightforward for new and existing gateway developers
There will be a set of easy to discover general services provided by and for Gateways
The targeted support program will be well-organized
We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users
There will be a funded cross-directorate gateway program at the NSF
Presented December, 2007

3 We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users
A unique identifier for each end gateway user per community account must exist in TGCDB
Gateways will need to transmit and TGCDB will need to receive this additional identifier through any job submission mechanism
Attribute-based authentication in production and easy to use
Presented December, 2007

4 How will we meet those goals?
Attribute-based authentication
–In our case, GridShib for Globus
–Fantastic documentation and assistance
  Thanks Jim Basney, Tom Scavo, Terry Fleury
–http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
From the April, 2009 TeraGrid review panel
–“The TG has stated the goal of switching to an attribute-based authentication mechanism for all Gateways by September of 2009. The panel recommends that every effort be made to complete this work on schedule.”

5 How will this be made available at RP sites?
science-gateway CTSS kit, which includes commsh
–NCSA-developed, PSC-enhanced tool to restrict community accounts
–http://teragridforum.org/mediawiki/index.php?title=Community_Shell
GridShib for Globus Toolkit
–NCSA-developed tool to collect, process, store and log attributes
  Future TG-specific efforts will store these in the TGCDB
–http://gridshib.globus.org/
Installation instructions
–http://software.teragrid.org/pacman/ctss4/ctss-science-gateway-registration/README.install

6 Ambitious, but achievable goal
By September, 2009 all jobs submitted by community accounts will include attributes with unique user identifiers to be stored in the TGCDB
Next steps
–RP testing through Feb 2009
–Globus Toolkit 4.0.9 released Feb 2009
–Capability Kit V2 released Mar 2009
–Production installations of Capability Kit V2
–6-month gateway transition – March through August
  News postings, education process, log analysis to identify who still needs to make the switch, lots of support
–Big party in September!
Presented January, 2009

7 What’s happened between January and now?
One word - GRAM5
–http://dev.globus.org/wiki/GRAM/GRAM5
Two words – party delayed
GRAM5 replacing GRAM2 (aka pre-WS GRAM)
–AAAA changes incorporated only in GRAM5 since GRAM2 is being retired
–ssh support only in GRAM5
So, now we must wait for a production version of GRAM5 before we have attribute support for pre-WS GRAM and ssh

8 GRAM5 timeline
Alpha versions installed
–QueenBee and Abe, thanks!
Sept 15, 2009 news posted about GRAM5 availability for testing
–http://news.teragrid.org/view-item.php?item=4266
Steps to TeraGrid availability
–Globus staff completes GT 5.0.0 (December 2009)
–VDT patching and verification (Alain Roy, 1-2 wks)
–GIG staff completes TeraGrid packaging (1-2 wks)
–ADs plan TG-wide deployment
  NOS (and RPs), UFP, software-wg, user services, gateways

9 Additional info
Also need site-local accounting scripts to send attributes to TGCDB
–RP accounting staff
Who’s already done?
–NICS has installed GT4 with attributes
  Thank you Victor and Rick
  Thank you Matthew at NCAR for attribute support in AMP gateway which is running on Kraken
–Early “attribute-enhanced” GT4 install experiences
  A novice RP should set aside maybe 1 week to do the entire install (being very generous), and an expert GRAM4 admin should be able to do the entire install in 2 days
Side note
–Jon Siwek replaces Tom Scavo supporting this effort at NCSA
  Thanks for replacing such a key team member promptly

10 Gateway User Count Quarterly Meeting
[Diagram: Science Gateway and Resource Provider. Labels: Web Browser, Web Authn, Web Interface, Webapp, username, attributes, GridShib SAML Tools, community credential, proxy credential, proxy certificate, SAML, WS GRAM Client, WS GRAM Service, Java WS Container (with GridShib for GT), GridShib for GT, Security Context, Blacklist Policy, Logs, Key]
Science Gateways add user attributes to the community credential and deliver those attributes to the Resource Provider, where they are logged and used for blacklisting.

11 Gateway User Count
[Diagram: Resource Provider. Labels: WS GRAM Service, Java WS Container (with GridShib for GT), GridShib for GT, Security Context, Blacklist Policy, Logs, Security table, GRAM audit table, AMIE upload, TGCDB]
The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.
Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.

12 Gateway kit installed at 4 sites today
http://www.teragrid.org/userinfo/software/ctss_results.php
Installed on
–Abe
–Lonestar
–NCSA IA64 (testing)
–Kraken
–QueenBee
–Condor (testing)
–Steele (testing)
Not installed on
–Lincoln
–Cobalt
–Big Red
–Ranch
–Spur
–Pople
–BigBen
–ORNL cluster
–Frost

13 Sites to target
Sites available after 3/31/10
–Lincoln
–Cobalt
–Big Red
–Ranch
–Spur
–Pople
–BigBen
–ORNL cluster
–Frost
New systems
–Track 2 C, D
–XD vis/data systems at NICS, TACC
–Others?

14 Community Account Usage by Site in 2008
Over 2M CPU hours used by community accounts in 2008

15 Community Account Usage by Site in 2009
Over 8M CPU hours used by community accounts in 2009, 4x that of 2008!
New gold star in 2009 for TACC: 69% of all community account usage

16 2009 TeraGrid staff activities for reference
Apr-Jun 2009 Accomplishments
–Completed GridShib SAML Tools support for accounting integration
  Obtains gateway user attributes from GRAM Audit DB for inclusion in AMIE packets
–Demonstrated attribute delivery from GISolve to NCSA GRAM Audit DB
–Verified attribute integration in RENCI Gateway
–CTSS Science Gateway Kit deployed in production at LONI and TACC
Jul-Sep 2009 Plans
–Develop support for SSH-based gateways
–Assist with testing GRAM2/GRAM5 attribute support
–Improve test site (http://gstest.ncsa.uiuc.edu/) to support GRAM2/GRAM5 submissions and test GRAM Audit
–Support gateway delivery of attributes to RPs
–Support deployment of Science Gateway Kit at RPs
–Support AMIE integration by RP accounting administrators

17 Jul-Sep 2009 Accomplishments
–Developed and documented support for SSH-based gateways
  http://teragridforum.org/mediawiki/index.php?title=Gateway-Submit-Attributes
–Assisted with testing GRAM5 deployment with gateway attribute support on QueenBee
–Supported AMIE integration of gateway attribute support by RP accounting administrators on account-wg conference call and email list
–Updated test site (http://gstest.ncsa.uiuc.edu/) to support gateway tests using GRAM5 and provide clearer test results to gateway developers
Oct-Dec 2009 Plans
–Assist with inclusion of GRAM5 and SSH support for gateway attributes in CTSS
–Support gateway delivery of attributes to RPs (19 of 24 gateways remain)
  Current status at: http://teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
–Support deployment of Science Gateway Kit at RPs
  Current status at: http://info.teragrid.org/web-apps/html/kit-reg-v1/science-gateway.teragrid.org-4.2.0/
–Support AMIE integration by RP accounting administrators
  NICS in progress; integration at other RPs pending

18 Next steps
Planning for GT 5.0.0 update on TeraGrid
–Area directors
Continued work on site-local accounting scripts to send attributes to TGCDB
–RP accounting staff
After GT5 install, continue to work with gateways on attribute incorporation
–Nancy, Jon
PY6 plans include nifty accounting tools from TACC to allow gateways to monitor per-user usage

