A AAAA Model to Support Science Gateways with Community Accounts GGF-14 Science Gateways Workshop June 28, 2005 Von Welch, James Barlow, James Basney,


1 A AAAA Model to Support Science Gateways with Community Accounts
GGF-14 Science Gateways Workshop, June 28, 2005
Von Welch, James Barlow, James Basney, Doru Marcusiu

2 AAAA Model
[Slide footer: 6/28/2005, GSI Credential Management, AAAA Science Gateway Model]
- Authentication
- Authorization
- Auditing
- Accounting

3 Outline
- Motivation
  – Traditional AAAA Computing Model
- Proposed AAAA Model
- Current work and Future Challenges

4 Traditional AAAA Model
- All users have accounts at each site/resource
  – NxN matrix
- Users access resources through low-level interfaces
  – E.g. Unix shells, FTP session
- Resource takes care of all the As

5 Traditional HPC Usage
[Diagram; labels: % ls, % foo, AuthN, OS (Authz), Audit, Accounting]

6 Traditional HPC Usage
[Diagram; repeated labels: % ls, % foo]

7 Motivation
- Shell-level access to resources is great for power users, but has a steep learning curve
  – Many Science Gateway (SG) users just need a domain-specific interface, e.g. they are not developing or deploying application codes
- Each resource/site has to maintain state about every user
  – Scalability problems for large/dynamic user communities
- No abstraction: users must adapt to all changes in resources

8 Our AAAA Model
- SG acts as an interface between the community and its resources
- Much like a traditional Grid Portal, it provides a domain-specific interface
- However, unlike portals, it exists as a trusted entity in its own right, allowing the resource to outsource AAAA functionality to the SG
- Resource runs all commands in a community account, which constrains what the community can do; the account can be constrained to a few community applications

9 Conceptual Model
[Diagram; repeated labels: % ls, % foo]

10 Goals of Model
- Model is primarily about how one splits the AAAA responsibility between the SG and the resource
- In general, resource must trust the SG to some degree to provide this functionality in exchange for offload of effort

11 Authentication and Authorization
- Two modes: Simple and Authorization Credential
- Both allow SG to manage user community
- Authorization Credential mode is more complex to deploy, but provides more information to resource

12 Simple Auth[nz] Model
[Diagram; labels: % ls, % foo, Authn]
- Authentication becomes the role of the SG
  – Users known only to the SG
- Resource trusts SG to do authentication
- SG authenticates to resource with its own credential
- Portal enforces authorization by constraining what actions user can perform

13 Authz Credential Model
[Diagram; labels: % ls, % foo, Authn, Authz Cred]
- Authentication still role of the SG
  – Users known only to the SG
- SG augments user credentials with authz credentials
  – E.g. CAS, GAMA, Shibboleth, IU LEAD work
- Resource trusts SG to do authentication, and trusts authz credentials from SG
  – Doesn't know user, but trusts what SG says about user
- Resource knows user identifier (may not be that useful, more later)

14 Auditing Model
[Diagram; labels: % ls, % foo, Auditing]
- Site still keeps details of what each job does
- Site may want to contact user
  – Suspicious activity, job running amok
- SG is only way to map a particular job to a user
- SG has all the contact information for the user
- Resource may know user identifier, but the contact information it needs is only in the SG user database

15 Accounting Model
[Diagram; labels: % ls, % foo, Accounting]
- Site has all the details of what resources each job consumes
  – May know user who launched them (in authz cred mode)
- SG needs this information
  – For reporting, authorization, catching mistakes
- Need a mechanism to allow resource to report back to SG regularly
  – And allow SG to map usage back to a job and back to a user

16 Outstanding Challenges
- How to identify a job between SG and resource?
  – "/bin/foo run at 15:38:13 (my time)" not very accurate
- Standard template for resource/SG agreement
  – Akin to certificate policy
- Acceptance of group accounts
  – Convince folks it's OK to outsource
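
One possible way to handle the job-to-user mapping that slides 14 to 16 leave open, as an added example that is not from the presentation: the SG attaches an opaque job ID to each submission, the resource echoes it in its accounting report, and the SG maps usage back to users and flags what it cannot attribute. The class, record fields and user names are assumptions.

```python
import secrets
from collections import defaultdict


class GatewayLedger:
    """SG-side record of which gateway user launched which job (hypothetical)."""

    def __init__(self):
        self._jobs = {}     # job_id -> gateway user
        self._seen = set()  # job_ids whose usage is already counted

    def submit(self, user):
        # Opaque, unguessable ID sent to the resource with the job, instead of
        # matching on "/bin/foo run at 15:38:13" across two clocks.
        job_id = secrets.token_hex(16)
        self._jobs[job_id] = user
        return job_id

    def who_ran(self, job_id):
        """Auditing: the site asks the SG which user is behind a job."""
        return self._jobs.get(job_id)

    def reconcile(self, report):
        """Accounting: map the resource's usage records back to users.
        Returns (cpu_hours_per_user, anomalies), anomalies being (reason, record)
        pairs for community-account usage the SG cannot attribute to a user."""
        usage, anomalies = defaultdict(float), []
        for rec in report:
            job_id = rec.get("job_id")
            if job_id is None:
                anomalies.append(("missing_job_id", rec))
            elif job_id not in self._jobs:
                anomalies.append(("unknown_job_id", rec))
            elif job_id in self._seen:
                anomalies.append(("duplicate_record", rec))
            else:
                self._seen.add(job_id)
                usage[self._jobs[job_id]] += rec["cpu_hours"]
        return dict(usage), anomalies


def demo():
    # Constructed sample: one job reported twice and one record with no job ID.
    ledger = GatewayLedger()
    a, b = ledger.submit("alice"), ledger.submit("bob")
    report = [{"job_id": a, "cpu_hours": 1.5}, {"job_id": b, "cpu_hours": 2.0},
              {"job_id": a, "cpu_hours": 1.5}, {"cpu_hours": 9.0}]
    return ledger.reconcile(report)
```

Records that land in the anomalies list are the ones a site would follow up on, since they represent activity in the community account that no gateway user can be held to.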

17 Outstanding Challenges (cont)
- Restricted accounts
  – Cookbook to restrict account to certain applications
- Sandboxing of users from each other
- Community administrators
  – Those who set up group account
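
A sketch of what one entry in the "restricted accounts" cookbook of slide 17 could look like, as an added example that is not from the presentation: a request vetter for the community account that admits only allow-listed applications and keeps each gateway user inside their own directory. The application paths, option names, sandbox root and function names are assumptions.

```python
import posixpath
import re
import shlex

# Constructed allow-list: the few community applications the account may run
# and the options each accepts. Paths and option names are placeholders.
ALLOWED_APPS = {
    "/opt/community/bin/foo": {"--input", "--steps"},
    "/opt/community/bin/bar": {"--input"},
}
SCRATCH = "/scratch/community"  # assumed root holding one directory per user


class Rejected(Exception):
    """Request is outside what the community account permits."""


def vet_request(user, command_line):
    """Return an argv list to exec without a shell, or raise Rejected."""
    if not re.fullmatch(r"[a-z][a-z0-9_]{0,31}", user):
        raise Rejected("bad gateway user identifier")
    try:
        argv = shlex.split(command_line)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise Rejected(f"unparseable request: {exc}")
    if not argv or argv[0] not in ALLOWED_APPS:
        raise Rejected("application not on the community allow-list")
    args = argv[1:]
    if len(args) % 2:
        raise Rejected("options must be '--name value' pairs")
    for opt, value in zip(args[0::2], args[1::2]):
        if opt not in ALLOWED_APPS[argv[0]]:
            raise Rejected(f"option {opt!r} not permitted")
        if value.startswith("-"):
            raise Rejected("value looks like an option")
        if opt == "--input":
            # Lexical check only; symlinks need OS-level controls as well.
            path = posixpath.normpath(value)
            if not path.startswith(f"{SCRATCH}/{user}/"):
                raise Rejected("input path outside this user's sandbox")
    return argv
```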

18 The obligatory last slide…
- NCSA is working on real-world deployment with GridChem community
- Acknowledgements to the TeraGrid Science Gateway RAT and all the interviewed Portals
- Complaints to

