Bringing Federated Identity to Grid Computing – Dave Dykstra, CISRC16, April 6, 2016


Outline
- Introduction & motivation
- Background
  – Grid security & job management
  – InCommon, CILogon, and SAML ECP
  – MyProxy
- Details of the Federated Identity/Grid integration
- Status
- Related work
- Security considerations
- Conclusions

Introduction
- Open Science Grid (OSG)
  – NSF-funded
  – Collaboration between over 100 independent sites supplying High Throughput Computing (HTC)
    OSG does not own the computers; commodity hardware
    Also about 100 Virtual Organizations (VOs) and, separately, about 100 individual Principal Investigators (PIs)
    Continually changing and growing
    Now expanding to commercial clouds & a portion of HPC systems
  – Grown to over 100 million CPU hours/month at the end of 2016
    Close to ½ the full time of Titan
- Fermilab is one of the major entry points

Introduction
- Grid security is heavily based on X.509 certificates
  – Very important for its distributed, multiple-owner nature
- Managing certificates by hand is often an impediment for grid users who are not tech savvy
  – Especially each year as certificates expire
- Fermilab has a grid job submission system (Jobsub) that hides certificates from users
  – The certificate management piece has shortcomings, however

Motivations for change
- The shortcomings are
  – It only works with Fermilab Kerberos
    An inconvenient challenge for remote collaborators
  – It requires running our own Kerberos Certificate Authority (KCA)
    Expensive to maintain
    Losing software support later this year
- Jobsub also supports manually-maintained certs, but we don't want to lose automation
- We would like to modernize to Federated Identity and so not require everyone to have a local login

Background – grid security
- Grid users tracked in Virtual Organizations (VOs)
- User certificate Distinguished Names (DNs) registered in Virtual Organization Membership Service (VOMS) servers
  – VOMS cryptographically adds VO membership info to the proxy certificate
- VOMS proxy certs are sent with jobs
  – Usually short-lived, to limit their use if stolen and in case the user's VO membership is revoked
- Grid User Mapping Service (GUMS) servers additionally used to map DNs to access rights

Background – grid job management
- Grid job management typically uses two layers
  – Pilot Workflow Management System (e.g. GlideinWMS) provides a uniform global queue
  – Grid job submission system (e.g. Jobsub) feeds the global queue
- End users interact with the job submission system
  – System responsible for renewing users' VOMS proxy certificates for long-lived jobs
  – Jobsub maintains extra "Robot" Kerberos credentials for every potential user in order to get new KCA certs to make new VOMS proxies

Background – old Jobsub submit flow
[Diagram: Jobsub Client, Jobsub Server, Fermilab KCA, VOMS and the Grid. Labelled steps: kx – KCA certificate obtained from the Fermilab KCA; jobsub_submit – submission to the Jobsub Server; 3 – voms-proxy-init produces a VOMS proxy; 4 – the Jobsub Server submits jobs to the Grid; 5 – a Robot KCA certificate for the FNAL user renews the proxy.]

Background – InCommon, CILogon, ECP
- InCommon Federation
  – Internet2's identity federation for education & research
- CILogon
  – InCommon's X.509 Certificate Authority (CA) service
  – The CA we use is CILogon Basic CA
- InCommon primarily used for web, but CILogon also supports SAML 2.0's protocol for non-web-browser environments
  – Enhanced Client or Proxy (ECP)
  – Does not require cookies or JavaScript
  – Option in Shibboleth Identity Provider (IdP)

Background – MyProxy
- MyProxy is a secure server for storage of proxy certificates
  – Software available from NCSA
  – Has many controls over who can access the proxies

Basic grid/federated identity plan
- Make use of the existing InCommon CILogon Basic CA and existing federated identity service
- Write new cigetcert command line tool to get certs
  – Generic tool, not Fermilab-specific
  – Authenticate with Kerberos or username/password
  – Get 4-week certificate from CILogon; store 1-week proxy on local disk and 4-week proxy in MyProxy
    Complies with International Grid Trust Foundation (IGTF) rules
- Change jobsub_submit to attempt to use cigetcert with Kerberos, and if that fails, tell the user to run it to enter their "Services" password
- Change Jobsub server to renew proxies out of MyProxy
- Automatically register all new user DNs in VOMS (as old ones are)

Jobsub infrastructure with CILogon
[Diagram: Jobsub client (cigetcert, 1-week proxy in /tmp/x509up_u*), Jobsub server (user proxy, user VOMS proxy), worker nodes (user VOMS proxy), VOMS, GUMS, ECP IdP, CILogon Basic CA and MyProxy. Labelled flows: the IdP authenticates the user; CILogon Basic CA issues the 4-week cert; the 4-week proxy goes to MyProxy; the Jobsub server retrieves and renews the proxy.]

Startup
[Diagram: Jobsub Client, Jobsub Server, CILogon and IdP. The flow begins with jobsub_submit at the Jobsub Client; labelled steps (numbered 1–5 in the figure): Get opts (from the Jobsub Server); Get ECP IdP list (from CILogon); invokes cigetcert; SAML Authentication request (to the IdP); Get cert (from CILogon).]

Getting a certificate
[Diagram: cigetcert, CILogon and IdP. Labelled messages: Not Authorized – Requests Basic Authentication; Prompts user for password; Repeats SAML auth request with user credentials; SAML Assertion; 4-week certificate for user.]

Storing proxies
[Diagram: cigetcert, /tmp/x509*, MyProxy. Starting from the 4-week certificate for the user, cigetcert generates a 1-week proxy and stores the one-week grid proxy in /tmp/x509*, generates a 4-week proxy and stores the 4-week grid proxy in MyProxy, and discards the 4-week certificate's key.]
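The credential hierarchy of the plan and the last two diagrams (4-week certificate from the CA, 1-week proxy on local disk, 4-week proxy in MyProxy, certificate key discarded, renewal by the Jobsub server out of MyProxy) as a runnable model. This is an added example, not cigetcert's or Jobsub's code: real proxies are X.509 objects signed with OpenSSL, whereas here a hypothetical `Credential` record carries only subject, issuer, validity window and whether the holder still has the signing key, and `validate_chain` applies the RFC 3820 proxy rules a grid service enforces (subject is the issuer subject plus exactly one CN, a proxy never outlives its issuer). The DNs, the CA name, the CN labels and the dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

WEEK = timedelta(weeks=1)

@dataclass(frozen=True)
class Credential:
    """A certificate or proxy reduced to the fields the naming and lifetime
    rules need (hypothetical model, not a real X.509 object)."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_proxy: bool
    has_private_key: bool  # False once the holder has discarded the key

def make_proxy(issuer: Credential, lifetime: timedelta, now: datetime, cn: str) -> Credential:
    """Derive a proxy signed by `issuer`: subject is the issuer subject plus one
    CN component, and expiry is clamped so the proxy never outlives its issuer."""
    if not issuer.has_private_key:
        raise ValueError("cannot sign a proxy: issuer's private key is no longer available")
    return Credential(
        subject=f"{issuer.subject}/CN={cn}",
        issuer=issuer.subject,
        not_before=now,
        not_after=min(now + lifetime, issuer.not_after),
        is_proxy=True,
        has_private_key=True,
    )

def validate_chain(chain: list[Credential], now: datetime) -> list[str]:
    """Check a root-first chain [end-entity cert, proxy, proxy, ...] against the
    RFC 3820 rules a grid service enforces; returns the problems found."""
    problems: list[str] = []
    for i, cred in enumerate(chain):
        if not (cred.not_before <= now < cred.not_after):
            problems.append(f"{cred.subject}: not valid at {now:%Y-%m-%d}")
        if i == 0:
            continue
        parent = chain[i - 1]
        if not cred.is_proxy:
            problems.append(f"{cred.subject}: only proxies may follow the end-entity cert")
        if cred.issuer != parent.subject:
            problems.append(f"{cred.subject}: issuer does not match the previous subject")
        tail = cred.subject[len(parent.subject):]
        if not (cred.subject.startswith(parent.subject) and tail.startswith("/CN=") and "/" not in tail[1:]):
            problems.append(f"{cred.subject}: subject must be the issuer subject plus exactly one CN")
        if cred.not_after > parent.not_after:
            problems.append(f"{cred.subject}: proxy outlives its issuer")
    return problems

def cigetcert(cert: Credential, now: datetime) -> dict[str, Credential]:
    """What cigetcert does with a fresh 4-week certificate, per the talk: 1-week
    proxy to local disk, 4-week proxy to MyProxy, then discard the cert's key."""
    return {
        "local": make_proxy(cert, 1 * WEEK, now, "local"),
        "myproxy": make_proxy(cert, 4 * WEEK, now, "myproxy"),
        "cert": replace(cert, has_private_key=False),
    }

def jobsub_renew(myproxy_proxy: Credential, now: datetime, lifetime: timedelta = WEEK) -> Credential:
    """Jobsub server side: derive a short-lived proxy from the 4-week proxy it
    retrieved from MyProxy, to refresh a long-running job's credential."""
    return make_proxy(myproxy_proxy, lifetime, now, "renewed")

# Constructed sample: a user certificate valid for 4 weeks from the day of the
# talk. DNs, names and the CA are made up for this example.
NOW = datetime(2016, 4, 6, tzinfo=timezone.utc)
USER_CERT = Credential(
    subject="/DC=org/DC=example/C=US/O=Fermilab/CN=Jane Example A1234",
    issuer="/DC=org/DC=example/O=Example CA/CN=Example Basic CA",
    not_before=NOW, not_after=NOW + 4 * WEEK, is_proxy=False, has_private_key=True,
)

def demo() -> dict[str, object]:
    """Walk the flow: obtain the cert, store proxies, renew on day 27, and show
    which chains a service would accept or reject."""
    stored = cigetcert(USER_CERT, NOW)
    late = NOW + timedelta(days=27)
    renewed = jobsub_renew(stored["myproxy"], late)
    try:  # the discarded certificate key cannot sign any further proxies
        make_proxy(stored["cert"], WEEK, late, "again")
        key_reuse_blocked = False
    except ValueError:
        key_reuse_blocked = True
    # A last link whose subject does not extend its issuer's (a tampered chain)
    tampered = replace(renewed, subject="/O=Other Site/CN=Not Derived")
    chain = [USER_CERT, stored["myproxy"], renewed]
    return {
        "local_expires": stored["local"].not_after,
        "myproxy_expires": stored["myproxy"].not_after,
        "renewed_expires": renewed.not_after,  # clamped to the 4-week cert's expiry
        "chain_at_renewal": validate_chain(chain, late),
        "chain_after_expiry": validate_chain(chain, NOW + 5 * WEEK),
        "tampered_chain": validate_chain(chain[:2] + [tampered], late),
        "key_reuse_blocked": key_reuse_blocked,
    }
```

Running `demo()` shows the two properties the design relies on: a renewal requested on day 27 is clamped to the certificate's own 4-week expiry rather than extending it, and once cigetcert has discarded the certificate key nothing on the client can mint a longer-lived credential, so the blast radius of a stolen local file is the 1-week proxy.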

Job submission & renewal
[Diagram: Jobsub Client, /tmp/x509*, Jobsub Server, MyProxy, VOMS and the Grid. Labelled steps: 14 – jobsub_submit uses the proxy in /tmp/x509*; 15 – voms-proxy-init obtains a VOMS proxy from VOMS; 16 – submission to the Jobsub Server, which submits jobs to the Grid; 17 – the Jobsub Server retrieves a short-lived grid proxy from MyProxy and renews the proxy.]

Status
- cigetcert is feature-complete
  – Available in Scientific Linux Fermi
  – Could move into Scientific Linux if needed
- MyProxy ready in production, Jobsub in pre-production
- All 16 VOs will be transitioned gradually through September
- Only Fermilab IdP supported this year
  – Phase 2 plans to add other institutions' IdPs
  – cigetcert & Jobsub are ready for phase 2

Related work
- LIGO
  – Similar tool for getting a certificate with ECP
  – LIGO-specific, and without Kerberos or MyProxy support
- LTERN & DataOne
  – Use ECP, but few other published details
- ECP clients –

Security considerations
- Federated trust
  – Institutions are trusted, and verified by certs
  – If a misbehaving user's institution can't be reached, the user can be cut off at VOMS and/or GUMS
- Limit the number of command line tools that prompt for passwords
  – Don't want users to become callous about typing in their password
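The site-side decision that the grid-security background slide describes (DN registered in VOMS, VOMS attributes in the proxy, GUMS mapping DNs to access rights) and the cut-off this slide relies on (removal at VOMS, or a ban at GUMS, stops a user whose proxy is still unexpired) as an added example. It is not VOMS or GUMS code: a real site verifies the VOMS attribute certificate's signature inside the proxy, while this hypothetical `SiteAuthorizer` checks the asserted FQANs against a local copy of what the VO granted, then applies an ordered list of glob rules to pick a local account. DNs, VO data and account names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class VomsProxy:
    """Authorization-relevant content of a VOMS proxy (hypothetical model; in a
    real proxy the FQANs live in a VOMS-signed attribute certificate)."""
    dn: str                 # the user certificate's Distinguished Name
    vo: str
    fqans: tuple[str, ...]  # e.g. "/fermilab/Role=Production/Capability=NULL", most specific first

@dataclass(frozen=True)
class Decision:
    allowed: bool
    account: str | None
    reason: str

class SiteAuthorizer:
    """VOMS membership check plus a GUMS-style rule set mapping FQANs to accounts."""

    def __init__(self, voms_registry, gums_rules, gums_bans):
        self.registry = {vo: dict(members) for vo, members in voms_registry.items()}  # vo -> dn -> granted FQANs
        self.rules = list(gums_rules)  # ordered (FQAN glob, local account); first match wins
        self.bans = set(gums_bans)     # DNs cut off locally at GUMS, whatever VOMS says

    def revoke_membership(self, vo: str, dn: str) -> None:
        """Model removal of a DN from the VO's VOMS server."""
        self.registry.get(vo, {}).pop(dn, None)

    def decide(self, proxy: VomsProxy) -> Decision:
        if proxy.dn in self.bans:
            return Decision(False, None, "DN banned at GUMS")
        granted = self.registry.get(proxy.vo, {}).get(proxy.dn)
        if granted is None:
            return Decision(False, None, f"DN is not a member of VO {proxy.vo}")
        for fqan in proxy.fqans:  # every asserted attribute must be one VOMS actually granted
            if fqan not in granted:
                return Decision(False, None, f"FQAN not granted by VOMS: {fqan}")
        for fqan in proxy.fqans:
            for pattern, account in self.rules:
                if fnmatchcase(fqan, pattern):
                    return Decision(True, account, f"{fqan} matched {pattern}")
        return Decision(False, None, "no GUMS mapping for the asserted FQANs")

# Constructed sample registry, rules and ban list (all names made up).
JANE = "/DC=org/DC=example/C=US/O=Fermilab/CN=Jane Example A1234"
BOB = "/DC=org/DC=example/C=US/O=Fermilab/CN=Bob Example B5678"
SITE = SiteAuthorizer(
    voms_registry={"fermilab": {
        JANE: {"/fermilab/Role=NULL/Capability=NULL", "/fermilab/Role=Production/Capability=NULL"},
        BOB: {"/fermilab/Role=NULL/Capability=NULL"},
    }},
    gums_rules=[
        ("/fermilab/Role=Production/*", "fermiprod"),  # production role gets the shared account
        ("/fermilab/*", "fermilab"),                   # any other fermilab member
        ("/cms/*", "cmsuser"),
    ],
    gums_bans={BOB},
)
```

Because membership is re-checked at every decision, `SITE.revoke_membership("fermilab", JANE)` denies Jane's next job even though her proxy would still verify; a short proxy lifetime only bounds how long a stolen credential stays usable, while VOMS removal or a GUMS ban takes effect immediately.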

Conclusions
- Certificate-free as far as the user is concerned
- Easier on remote users – no need for Kerberos
- Easier on FNAL – no need for our own CA
- Easily expandable to other institutions' IdPs
- cigetcert available for general use with any institution that has an ECP-enabled IdP

Links
- cigetcert –
  – man page:
- ECP –