Open Grid Forum 19, January 31, 2007, Chapel Hill, NC. Stephen Langella, Ohio State University. Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)
Agenda
- caBIG
- caGrid
- caGrid Security Overview (GAARDS)
- Dorian
- Authentication Service
- Grid Trust Service (GTS)
- Grid Grouper
- Authz / Common Security Module (CSM)
- Additional Information
National Cancer Institute 2015 Goal Relieve suffering and death due to cancer by the year 2015
Cancer Biomedical Informatics Grid (caBIG(TM))
Need: enable investigators and research teams nationwide to combine and leverage their findings and expertise in order to meet the NCI 2015 Goal.
Strategy: create a scalable, actively managed organization that will connect members of the NCI-supported cancer enterprise by building a biomedical informatics network.
A National Cancer Institute initiative: over 800 participants, over 80 organizations, over 70 projects.
caBIG Community Organization
caGrid: Grid Infrastructure for caBIG
Enterprise-level grid components. caGrid components:
- Grid Service Graphical Development Toolkit (Introduce)
- Metadata Advertisement and Discovery
- Semantic Services
- Data Service Infrastructure
- Analytical Service Infrastructure
- Identifiers
- Workflow
- Security
GAARDS Overview
Grid Authentication and Authorization with Reliably Distributed Services (GAARDS) provides services and tools for the administration and enforcement of security policy in an enterprise grid. It is developed on top of the Globus Toolkit and extends the Grid Security Infrastructure (GSI). It provides enterprise services and administrative tools for:
- Grid user management
- Identity federation
- Trust management
- Group/VO management
- Access control policy management and enforcement
- Integration between existing security domains and the grid security domain
GAARDS Components
Dorian: grid user account management. The integration point between external security domains and the grid: accounts managed in external domains can be federated and managed in the grid, so users authenticate to the grid with their existing (external) credentials.
Grid Trust Service (GTS): creation and management of a federated trust fabric. Supports applications and services in deciding whether or not the signers of digital credentials and user attributes can be trusted, and provisions the trusted certificate authorities and their corresponding CRLs.
Grid Grouper: group management service for the grid. Provides a group-based authorization solution: services enforce authorization policy based on membership in groups.
GAARDS Components
Authentication Service: integrates existing credential providers into the grid by providing a uniform grid interface for authenticating to them, so applications can communicate with any credential provider.
Authz / Common Security Module (CSM): provides a centralized approach to managing and enforcing access control policy.
Security Metadata: ensures communication interoperability between grid services.
GAARDS in Action
GAARDS in Action: authenticate with the local credential provider. The user authenticates to the local credential provider with their everyday credentials and receives a SAML assertion.
GAARDS in Action: the application obtains grid credentials from Dorian by presenting the SAML assertion issued by the local provider.
GAARDS in Action: the application uses the grid credentials to invoke secure grid services.
GAARDS in Action: the grid service authenticates the user by validating the presented credential and asking the GTS whether the signer of the credential (the issuing CA) should be trusted and whether the credential has been revoked (CRL). "Should I trust the credential signer?"
GAARDS in Action, authorization: the grid service asks CSM, or its own access control policy enforcer, whether the user may perform operation X on resource Y. "Is authorized?"
GAARDS in Action, authorization alternative: the grid service can enforce local policy based on the user's membership in groups maintained in Grid Grouper. "Is member of?"
Grid Account Management is Difficult
- Users are required to manage a long-term certificate and private key. How are they obtained? Traditionally the user generates a key pair and certificate request locally, then contacts a CA administrator to get a signed certificate.
- Mobility issues: users generally work on more than one computer, and the certificate and private key need to be available on each machine. Traditionally users copy the certificate and private key around: a hassle for users, some of whom lack the expertise to do it, and a security concern, since the private key is duplicated on every machine they use.
- Difficult to administer: few tools for administering the provisioning of user accounts, accounts are difficult to revoke, and administrators have limited information on which to base decisions.
- Why can't users leverage their existing accounts to access the grid?
Dorian: Grid User Account Management
- Administrative interface for account provisioning and management.
- Built-in Certificate Authority: manages the grid credentials of each user and enables users to authenticate and create grid proxies, which they use to access the grid.
- Identity management and federation: the integration point between external security domains and the grid. Users may use existing credentials to obtain a grid proxy: they authenticate to their IdP, obtain a SAML assertion (proof of authentication), and present it to Dorian, which creates a grid proxy for them.
- Automated account creation and provisioning.
- Built-in Identity Provider.
- Comprehensive administrative UI.
Dorian Proxy Creation
Users authenticate to their IdP, obtain a SAML assertion (proof of authentication) from it, and send the assertion to Dorian in exchange for a grid proxy.
Proxy creation (detailed):
- The user authenticates to the local IdP.
- The local IdP issues a signed SAML assertion to the user.
- The user authenticates to Dorian with the SAML assertion.
- Dorian verifies the signature of the SAML assertion; the signing IdP must be registered with Dorian as a trusted provider.
- Dorian locates the user's grid account, or creates one if it does not exist.
- Dorian ensures the user has the right to create a proxy.
- The client and Dorian negotiate to create a proxy.
Dorian – Proxy Creation Workflow
- The client authenticates with the local IdP (username/password) and receives a signed SAML assertion.
- The client creates a public/private key pair to use for the grid proxy.
- The client requests that Dorian create a grid proxy, sending the SAML assertion and the public key of the new key pair.
- Dorian verifies that the SAML assertion is signed by a trusted IdP and that the user has a valid account.
- Dorian locates the user's grid credentials: the long-term private key and certificate.
- Dorian uses the public key provided by the client to create a proxy certificate and signs it with the user's long-term private key.
- Dorian returns the proxy certificate to the client. The user may now use the proxy (the proxy certificate together with the private key that never left the client) to authenticate to grid services.
Grid User Account Creation
- A grid account is created the first time a user accesses Dorian with a SAML assertion signed by a registered trusted Identity Provider.
- Each grid account has a status: Active, Pending, Suspended, Expired, and so on. Only users with Active status are given access to the grid.
- The initial status of a user account upon creation depends on the user policy configured for their IdP.
- A user policy is applied to a user's account every time they request that a proxy be created.
- User policies let the administration of Dorian be as hands-on or hands-off as the administrators wish.
Grid User Accounts
Grid user accounts are managed through the grid service interface, using the Admin UI. Each account holds:
- IdP: the trusted IdP the user belongs to (trusted IdP id).
- Local user id: uniquely identifies a user within the context of an IdP.
- First name, last name.
- The user's role with respect to Dorian.
- User account status.
- Grid credentials: the private key and long-term certificate issued by the Dorian CA.
- Grid identity: a DN composed of the Dorian CA metadata, the IdP id and the local user id, for example /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost/OU=IdP/CN=jdoe, where /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost is the Dorian CA metadata, OU=IdP the IdP id and CN=jdoe the local user id.
Managing Trusted Identity Providers
A trusted Identity Provider is an Identity Provider that Dorian is configured to trust and for whose users it manages grid accounts. Each registry entry has:
- Id: Dorian-assigned identifier for the IdP.
- Name: human-readable name for easy identification.
- Status: Active / Suspended.
- User Policy: executed when users authenticate; dictates the policy to apply to a user's account.
- Authentication Method.
- IdP Certificate: the certificate whose corresponding private key is used to sign the IdP's SAML assertions.
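The proxy-creation workflow, first-contact account creation, account status and trusted-IdP registry on the preceding slides, worked through as an added example. This is not Dorian's or caGrid's code (Dorian is a Java/Globus service); it is a self-contained Go sketch of the same checks using only the standard library. Assumptions, also marked in the comments: the SAML assertion is reduced to a few fields signed with ECDSA (no XML-DSig); the user policy is reduced to the status a newly created account starts in; the registry entry holds the public key behind the IdP certificate; the DN layout follows the example DN on the account slide; and the IdP ids and user names (osu-idp, jdoe) are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Assertion stands in for the IdP's signed SAML assertion (assumption: an ECDSA signature over a
// digest of a few fields, not a SAML XML document carrying an XML-DSig signature).
type Assertion struct {
	IdPID, LocalUserID string
	NotAfter           time.Time
	Sig                []byte
}

func (a Assertion) digest() []byte {
	h := sha256.Sum256([]byte(a.IdPID + "|" + a.LocalUserID + "|" + a.NotAfter.UTC().Format(time.RFC3339)))
	return h[:]
}

// IssueAssertion is the IdP's step; the user's local username/password check is assumed to be done.
func IssueAssertion(idpKey *ecdsa.PrivateKey, idpID, user string) Assertion {
	a := Assertion{IdPID: idpID, LocalUserID: user, NotAfter: time.Now().Add(5 * time.Minute)}
	a.Sig, _ = ecdsa.SignASN1(rand.Reader, idpKey, a.digest())
	return a
}

// Dorian's trusted-IdP registry (status, key behind the IdP certificate, user policy reduced to the
// status a new account starts in) and its grid accounts. Long-term private keys never leave Dorian.
type TrustedIdP struct{ Active bool; Key *ecdsa.PublicKey; InitialStatus string }
type Account struct{ Status string; Cert *x509.Certificate; Key *ecdsa.PrivateKey } // Active, Pending, Suspended, Expired
type Dorian struct{ CA *x509.Certificate; CAKey *ecdsa.PrivateKey; IdPs map[string]*TrustedIdP; Accounts map[string]*Account }

func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// NewDorian creates the built-in CA; a GTS would hand its certificate to services as a trusted CA.
func NewDorian() *Dorian {
	caKey := NewKey()
	ca := &x509.Certificate{Subject: pkix.Name{Organization: []string{"OSU"}, CommonName: "Dorian CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return &Dorian{CA: sign(ca, ca, &caKey.PublicKey, caKey), CAKey: caKey, IdPs: map[string]*TrustedIdP{}, Accounts: map[string]*Account{}}
}

// CreateProxy is Dorian's side of the workflow; accounts are keyed by "<IdP id>/<local user id>".
func (d *Dorian) CreateProxy(a Assertion, clientPub *ecdsa.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	idp, ok := d.IdPs[a.IdPID]
	if !ok || !idp.Active {
		return nil, errors.New("assertion is not from a registered, active IdP")
	}
	if !ecdsa.VerifyASN1(idp.Key, a.digest(), a.Sig) || time.Now().After(a.NotAfter) {
		return nil, errors.New("assertion signature invalid or assertion expired")
	}
	acct, ok := d.Accounts[a.IdPID+"/"+a.LocalUserID]
	if !ok { // first contact: create the account, with the DN layout shown on the account slide
		key := NewKey()
		tmpl := &x509.Certificate{Subject: pkix.Name{Organization: []string{"OSU"}, CommonName: a.LocalUserID,
			OrganizationalUnit: []string{"BMI", "caGrid", "Dorian", a.IdPID}},
			NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
		acct = &Account{Status: idp.InitialStatus, Cert: sign(tmpl, d.CA, &key.PublicKey, d.CAKey), Key: key}
		d.Accounts[a.IdPID+"/"+a.LocalUserID] = acct
	}
	if acct.Status != "Active" {
		return nil, errors.New("account status is " + acct.Status + ", not Active")
	}
	// RFC 3820 style: subject = the user's DN plus one more CN, signed with the user's long-term key
	// (never the CA key), bound to the client's own key pair, and never outliving the long-term cert.
	notAfter := time.Now().Add(lifetime)
	if notAfter.After(acct.Cert.NotAfter) {
		notAfter = acct.Cert.NotAfter
	}
	subj := pkix.Name{ExtraNames: append(append([]pkix.AttributeTypeAndValue{}, acct.Cert.Subject.Names...),
		pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "proxy"})}
	return sign(&x509.Certificate{Subject: subj, NotBefore: time.Now(), NotAfter: notAfter}, acct.Cert, clientPub, acct.Key), nil
}

func main() {
	d, idpKey, clientKey := NewDorian(), NewKey(), NewKey() // the client's key pair never leaves the client
	d.IdPs["osu-idp"] = &TrustedIdP{Active: true, Key: &idpKey.PublicKey, InitialStatus: "Active"}
	proxy, err := d.CreateProxy(IssueAssertion(idpKey, "osu-idp", "jdoe"), &clientKey.PublicKey, 12*time.Hour)
	if err != nil {
		panic(err)
	}
	println("proxy", proxy.Subject.String(), "issued by", proxy.Issuer.String(), "until", proxy.NotAfter.String())
}
```

Three properties of the slides' design are visible in the code: the assertion is checked against the registry and the IdP key before any account is touched, so an unregistered, suspended or impersonated IdP is refused early; the proxy is signed with the user's long-term key rather than the CA key, so a service verifies the chain proxy, long-term certificate, Dorian CA, which is exactly what the GTS trust fabric has to cover; and the proxy carries the client-generated public key and a lifetime capped by the long-term certificate, so the long-term private key never leaves Dorian and a stolen proxy is bounded in time.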
Dorian Identity Provider
The Dorian Identity Provider (Dorian IdP) enables developers, smaller groups, research labs, unaffiliated users, and other groups without an IdP to use Dorian itself as their IdP, so that they can still use Dorian to create grid credentials.
- Registration: a registration mechanism through the grid service interface.
- Authentication: username/password authentication over the grid service interface; successful authentication returns a SAML assertion that can later be presented to Dorian in exchange for a grid proxy.
- Account management: administrative operations for managing Dorian IdP accounts.
Dorian IdP – Registration / Authentication
- Potential users obtain an account on the Dorian IdP by registering: the grid service interface provides a registration operation, and the Dorian GUI provides a graphical interface for it.
- Account creation depends on how the Dorian IdP is configured: automatic creation, or manual creation (approval by an administrator).
- Once approved, registered users can authenticate (username, password) to the Dorian IdP to obtain a SAML assertion, which can then be used to create a proxy.
Dorian IdP User Management
- Manage user account information, manage account status, and grant IdP admin rights.
- Account management is done through the grid service interface; only users with admin rights may manage accounts.
- Full account management support through the Dorian GUI.
Authentication Service
The role of the Authentication Service is to provide a uniform grid interface for authenticating to existing credential providers. It is the integration point between local identity management and grid identity federation, sitting between the local identity management system and Dorian. To achieve this, we define a framework as a set of interfaces that a credential provider can implement. caGrid provides a default implementation that exposes the Common Security Module (CSM) as an IdP. Supported credential providers: LDAP, RDBMS.
Authentication Service – Design
The Authentication Service is a grid service created with the Introduce toolkit. Beneath it sits the Authentication Provider Framework, a set of interfaces (AuthenticationProvider, SubjectProvider, SAMLProvider); a credential provider is integrated by implementing these interfaces.