TeraGrid Plans for Authentication and Authorization Testbed

Presentation transcript:

TeraGrid Plans for Authentication and Authorization Testbed
Von Welch, NCSA
Science Gateway Call, October 6, 2006
National Center for Supercomputing Applications

Workshop
- Workshop on TeraGrid Authentication, Authorization, and Account Management, August 30-31, 2006, Argonne National Laboratory
- Organizers: Von Welch, Tony Rimovsky, Jim Marsteller, Carolyn Peters, Dane Skow
- Attendees: 42 persons, representatives from all TeraGrid Resource Provider sites, OSG, Internet2, Globus
- Agenda: http://www-fp.mcs.anl.gov/tgmeeting/AAA-Agenda.htm
- Whitepaper (Von Welch, Ian Foster, Tom Scavo, Frank Siebenlist, Charlie Catlett): http://gridshib.globus.org/tg-paper.html

Authentication vs Authorization
- Identifier: A unique name for an entity (username, DN, GUID, SSN, etc.)
- Authentication: Verifying the identity of users, associating them with an Identifier
- Authorization: Deciding whether or not a request will be granted
- Different authentication methods have different levels of certainty
- Authorization Policy: The set of rules by which an authorization decision is made
- Authentication does not imply Authorization
  - E.g. just because you trust a CA doesn't mean all the users with certificates from it are authorized

Attributes
- Attribute: A property of an entity
  - Entities may have lots of properties
  - The same property may apply to many entities
  - E.g. community membership, affiliation, age, gender, height, occupation
- Attribute-based authorization: Authorization based not on who someone is (their identity) but on what they are (their attributes)
  - E.g. you can buy me a beer if your age > 21 years

Authorization Status Quo
- Currently solely ID based
  - A user has only one mapping in the system; no capability for roles
  - Single group membership
  - Need prior knowledge of group membership
  - Maintenance/synchronization problem
- No differentiation between services for access levels
  - Allocated users
  - Authenticated users
  - TG Community users
  - Partner/Campus users
  - Public
- Scaling
  - Workload scales by ID, not by group
  - Adds new sources of authority to manage

Account Management Status Quo
- Single account/authorization doesn't map to a rich set of services
- Persistent execution environments
  - Pre-provisioning individual environments (accounts) has large overhead and vulnerabilities
- Shared environments
  - Environment configuration for groups must be independently duplicated
- Traceable actions
  - Need to preserve the connection from actions (and costs) to the individual initiating the action, for troubleshooting

Operational Example
- Number and levels of credentials
  - Resource-specific (login) credentials: direct machine logins, TeraGrid webpages, TeraGrid forum
  - Grid service credentials: users' internal TeraGrid X509 credentials (from kx509, MyProxy, etc.)
  - Gateway/broker credentials: users' external X509 credentials (from DOEGrids, etc.), gateway community credentials
  - Portal login/password
  - Home institution credentials
  - Commercial credentials
- Scale of compromise recovery effort is large
  - Single general server compromise: 1000s of credentials

Authentication Process Today
- User and RP share a secret
  - RP is authoritative itself
  - RP maintains contact information
  - User <-> RP correction relationship
  - Individual traceability*
- CAs issue identity credentials
  - RP can validate credentials (trusting the CA)
  - CA maintains contact information (maybe); typically not available to RP
  - CA has loose relation to user
  - User <-> CA <-> RP correction relationship
* Provided there's no collusion

Future
- User authenticates to local institution/authority; authority vouches for user (by constructing appropriate attributes in the credential)
- RP can validate authority attribute and binding to request (?)
- RP may itself be a local institution
- Local institution maintains contact information with user
- Hierarchies allowed (a la bond brokers)
- Individual traceability (maybe pseudonymous)

Individual User Environment
[Diagram: Resource and TGCDB; (G)Id mapped to uid mapped to project, labelled O(1000), O(1000) and O(10), with projects created through the Grant Process]
Use cases: Traditional users, Development

Authenticated User Environment
[Diagram: Resource and TGCDB; (G)Id mapped to uid mapped to project, with projects created through the Grant Process]
Use cases: Grid-savvy user communities, Production runs, user-managed services

Gateway Environment
[Diagram: Gateway in front of Resource and TGCDB; ComId mapped to uid and GId, then to project, with projects created through the Grant Process]
Use cases: Large communities of users, novice users, public

Community Gateway Accounts
- Shift authentication and authorization from the RP to the Science Gateway
- Whole community then appears as "one" user to the RP in terms of authorization
  - One grid-mapfile and /etc/passwd entry, or perhaps (a mapped set of) virtual machine images
- Except for accounting and troubleshooting: we still need an individual identifier

The Proposal
- Plan for a world where users can be authenticated via their home campus identity management system
- Enable attribute-based authorization of users by the RP site
- Allow for user authentication with authorization by community
- Prototype the system in a testbed, with involvement of interested parties to work out issues
- All usage still billed to an allocation (community or individual)

Testbed

Testbed Components
- Enhanced CTSSv3 stack
  - Existing GT component extensions to enable attribute-based authorization
- Identify testbed resources
  - UChicago/ANL, NCSA Mercury, ORNL
- Use OSG/TG VOMS test server
- Handful of user communities
  - Science Gateway, Educational, OSG, others TBD
- Use of Shibboleth and related software
  - myVocs, GridShib
  - Leverage InQueue/TestShib, UT Fed

Must keep this tied to users
- Has potential to suffer from "copper plumbing" syndrome: better infrastructure without obvious user benefit
- Identify a small number of target communities to participate in the testbed
  - Need the right combination of Shibboleth deployment and TeraGrid interest

Testbed Use Cases
- Individual New User
- Individual Existing User
- Access
  - Shibboleth authentication to Gateway
  - Gateway attribute authorization to RP
- OSG/VOMS access
- Educational Access
- Incident Response

Individual New TG User
- Registration process here...
  - Campus id gets into TGCDB as part of the process
  - Utilize Shibboleth tooling for the registration process
- User authenticates with campus credentials
  - Gets short-lived X509 credential with DN based on Shibboleth-provided Id
  - With campus attributes
  - No TG attributes (maybe project in future?)
- User access via gsi-ssh, GRAM, GridFTP
  - X509 cred with attributes presented to RP
  - DN+attribute registration matched to local UID through gxmap (mod)
  - RP does authorization based on DN
  - Provisioning may use attribute common set (TBD)
  - RP logs other attributes

Identifying Key Communities
- Large enough to suffer scaling problems
  - So there's a payoff for the work
- Feasibly represented by Shibboleth or VOMS in the next 2 years
  - Or represented by a persistent attribute authority (e.g. a Gateway)
  - So that it's not yet another security system
- Some subset of the community represented now
  - So that there's someone to work with in evaluating the use cases

Technical and Policy Issues to be Resolved (a subset)
- What identifiers and attributes are needed by TeraGrid from campuses?
- How will other attributes be sourced? E.g. Gateway communities
- Policy distribution mechanisms
  - Consistent TG-wide policy vs site autonomy
- Agreement between TeraGrid and campuses providing attributes
- Identify issues related to forensics/incident response and accounting
- Scaling issues with key services

Issues which will remain challenges
- Numerous, small, dynamic VOs will remain difficult to support
  - This is key to capturing the ultimate vision of grid as infrastructure
- Policy rules (expression and interpretation) remain terra incognita
  - There are grammars and engines, but little operating experience
- Scaling growth in the number of authorities needs improvement
  - Lessons to be learned from DNS

Phased Deployment
- Enable logging of attributes through the system
  - Improves traceability and prepares for attribute handling
- Enable group membership decisions based on attributes
  - Provides for community-based authorization
- Enable attribute-based authorization/provisioning decisions
  - Enables user mapping to different environments
  - Enables specialized provisioning by attribute set
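As an added illustration (not code from the slides or from TeraGrid), the following toy model walks the RP-side mapping step from the "Individual New TG User" slide through the three phases above: the DN is looked up gridmap-style, every attribute is logged, group membership and then the execution environment are derived from attributes, and a community member without an individual mapping lands on one shared account while the DN is retained for accounting. The gridmap table, attribute names, group policy and account names are constructed assumptions.

```python
# Added example, not part of the original slides: a toy model of the RP-side
# mapping step ("DN+attribute matched to local UID", "RP logs other attributes")
# carried through the three deployment phases. The gridmap table, attribute
# names and group policy below are constructed assumptions, not TeraGrid's.
from dataclasses import dataclass, field
from typing import Optional

# Constructed grid-mapfile-style table: DN -> local UID (status quo, ID-based)
GRIDMAP = {"/C=US/O=Campus/CN=alice@campus.edu": "alice"}

# Hypothetical attribute -> group policy (phase 2) and group -> environment
# provisioning (phase 3). A community group maps to one shared account.
GROUP_POLICY = {
    ("eduPersonAffiliation", "faculty"): "tg-researchers",
    ("communityMembership", "gateway-edu"): "tg-community",
}
COMMUNITY_ACCOUNT = {"tg-community": "tgcommunity"}
ENV_BY_GROUP = {"tg-researchers": "individual", "tg-community": "gateway-shared"}

@dataclass
class Decision:
    dn: str                      # kept as the individual identifier for accounting
    uid: Optional[str] = None
    group: Optional[str] = None
    environment: Optional[str] = None
    logged_attrs: dict = field(default_factory=dict)

def authorize(dn: str, attrs: dict, phase: int) -> Decision:
    """phase 1: log attributes, authorize by DN only (gridmap lookup).
    phase 2: also derive group membership from attributes; a community
             member with no gridmap entry maps to the community account.
    phase 3: also choose the execution environment from the group."""
    d = Decision(dn=dn, logged_attrs=dict(attrs))   # phase 1: every attribute logged
    d.uid = GRIDMAP.get(dn)
    if phase >= 2:
        for (name, value), group in GROUP_POLICY.items():
            if attrs.get(name) == value:
                d.group = group
                break
        if d.uid is None and d.group in COMMUNITY_ACCOUNT:
            d.uid = COMMUNITY_ACCOUNT[d.group]
    if phase >= 3 and d.group is not None:
        d.environment = ENV_BY_GROUP[d.group]
    return d

def is_authorized(d: Decision) -> bool:
    """Access is granted only when some local UID was found; the DN stays
    attached to the decision so community users remain individually traceable."""
    return d.uid is not None
```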