Presentation transcript:

SC06 – Powerful Beyond Imagination Tampa, FL Nov 14, 2006 Scaling TeraGrid Access: A Roadmap (Testbed) for Federated Identity Management for a Large Cyberinfrastructure Von Welch NCSA Manager, Security Research and Development

Acknowledgments
- This represents thinking by myself and a number of others: Ian Foster, Tom Scavo, Frank Siebenlist, Charlie Catlett, Jill Gemmill, Dane Skow
- Whitepaper: http://gridshib.globus.org/tg-paper.html
- Workshop on TeraGrid Authentication, Authorization, and Account Management, August 30-31, 2006, Argonne National Laboratory
  - Organizers: Von Welch, Tony Rimovsky, Jim Marsteller, Carolyn Peters, Dane Skow
  - Attendees: 42 persons, representatives from all TeraGrid Resource Provider sites, OSG, Internet2, Globus

So what the heck am I talking about? "Federated Identity Management"

Identity Management
- Keeping track of people
  - Who they are
  - What they are
  - How they authenticate, e.g. their password, certificate name, public key
- It's the process of managing a user database
  - E.g. /etc/passwd, Kerberos KDC
  - For large sites, an actual database

Ok, what's Federated Identity Management?
- Let's start with non-federated identity management
  - This is what we do today
- Each site has its own identity management system
  - I.e. I have a separate account (username, password, etc.) at NCSA, SDSC, PSC, TACC...
- So I have a separate identity at each site, and they have no ties (federation) with each other

Federated Identity Management
- Instead of replicating a user in each identity management system, allow systems to leverage each other
  - E.g. I already have a username and password at the University of Illinois; allow me to use that to authenticate to NCSA, SDSC, PSC...

Why do we care? (About Federated Identity Management)
- Having to manage every user is hard work for a site
  - Enrollment: password or key distributed
  - Maintenance: password or key reset when forgotten/lost
- Users don't really care for it either
  - Need a new username and password for each site
- If TeraGrid is going to scale to O(100k) users it can't enroll them all

One more thing...

What you are... your Attributes
- Up to this point we've talked about who you are
  - And how you authenticate
- Equally important is "what you are"
  - I.e. your attributes
  - E.g. I'm a "NCSA staff person", "GridShib project leader", "TeraGrid staff person", "Globus security guy"...
  - Others are more interesting, with attributes such as "nanoHUB user", "ESG PI", "BioPortal Admin", "LEAD user", etc.

Attribute-based Authorization
- What I'm allowed to do is often based on what I am
- Today this is often implicit and bundled with authentication
  - E.g. I have an account at PSC because I'm a TeraGrid staff person
- When a resource makes an authorization decision based on what I am instead of who I am, we call this "attribute-based authorization"
- When this happens the resource may already know me, or may never have heard of me

Why do we care? (About Attribute-based Authorization)
- It separates concerns appropriately
  - E.g. TeraGrid wants to serve the nanoHUB community
  - But TeraGrid doesn't know who the nanoHUB community is; nanoHUB does

Why do we care? (cont)
- Old model: nanoHUB gives TeraGrid a list of all its users, and TeraGrid adds each to its user database
  - And creates a password for them
  - And then on-going maintenance as users come and go and forget passwords
- Once again, this is a large burden on the TeraGrid identity management infrastructure

Science Gateways
- Science Gateways represent one form of attribute-based authorization today
  - A Science Gateway represents a user group
  - Users access TeraGrid through the Science Gateway
  - TeraGrid gives access to the group as a whole
- But this has a shortcoming: the individual user's identity is lost to TeraGrid

A vision for the TeraGrid Federated Identity
- Plan for a world where users can be authenticated via their home campus identity management system
  - Outsource authentication and avoid the identity management burden
- Allow communities to assert user attributes
  - Enable attribute-based authorization of users by the RP site
  - Allow for user authentication with authorization by community
- Prototype the system in a testbed, with involvement of interested parties to work out issues
- All usage still billed to an allocation
  - Community or individual

The Vision (diagram): Campuses supply Identity; Communities (nanoHUB, NVO, LEAD, ...) supply Attributes

Cracking the Chicken and Egg Problem
- Chicken == Federated Identity-enabled Resources
- Egg == Federated Identity-enabled Users
- With TeraGrid as the Chicken, try to attract significant users

Must keep this tied to users
- Has potential to suffer from "copper plumbing" syndrome: better infrastructure without obvious user benefit
- Identify target communities to participate in the testbed
  - Need the right combination of Shibboleth deployment and TeraGrid interest
  - (Yes, come talk to me, or Dane or Charlie if you are interested.)

Testbed Use Cases
1. Individual New User
2. Individual Existing User Access
3. Shibboleth authentication to Gateway
4. Gateway attribute authorization to RP
5. OSG/VOMS access
6. Educational Access
7. Incident Response

Testbed (diagram)

Challenges
- Auditing/logging
  - For incident response
  - Tracking communities
- Account management
  - Community accounts
  - Dynamic workspaces
- Policy and configuration
  - Creation, distribution, management
  - Balance with site autonomy

Testbed Timeline
- Complete testbed definition by end of 2006
- Start testbed deployment January 1, 2007
  - Ok, maybe January 2nd, 2007
- Expect three to six months of evaluation
- Then generate a plan for production deployment
- Seeking participation from admins, users, communities, resources

The Technologies (Warning: Slides may contain acronyms typical of the computer profession. Those with allergies are advised to avert their eyes.)

Prior Work
- Numerous others have tread this way before us. To name a few...
- Cross-realm authentication
  - SSH (RSA keys)
  - Kerberos
  - RADIUS
- Attribute-based authorization
  - DCE
  - AFS
- One could make arguments to use these.
  - But I'm going to side-step this.

Testbed Software Components
- Enhanced CTSSv3 stack
  - Grid authentication (GSI/PKI/X.509 certificates)
  - Existing GT component extensions to enable attribute-based authorization (GridShib, Virtual Workspace for VOMS)
  - Installed on TeraGrid resources, on alternate ports or head nodes
- VOMS test server
- Shibboleth and related software
  - myVocs, GridShib
  - Leverage InQueue/TestShib, InCommon, UTexas Federation
  - OpenIdp

Grid Authentication
- Globus Toolkit provides authentication services via X.509 credentials
- When requesting a service, the user presents an X.509 certificate
  - RFC 3820 proxy certificate or standard end entity certificate
- GridShib leverages the existing authentication mechanisms in GT

Grid Authorization
- Today, Globus Toolkit provides identity-based authorization mechanisms:
  - Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
  - Community Authorization Service (CAS)
- Some attribute-based authorization has appeared and is proving useful
  - E.g. VOMS, caBIG
- Extensions to GT exist from GridShib and the Virtual Workspace project
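The contrast between identity-based authorization (the grid-mapfile lookup above) and the attribute-based authorization described earlier in the talk, as an added example that is not code from the slides or from GridShib: a resource first consults a grid-mapfile, and if the DN is unknown it falls back to attributes asserted by a trusted community, mapping the user to a community account and allocation while still recording the DN for auditing. The DNs, attribute issuers, attribute names and policy entries are constructed for illustration.

```python
# Added example, not from the original slides or the GridShib project.
# DNs, issuers, attribute names, accounts and allocations below are constructed.
from dataclasses import dataclass, field
from typing import Optional

# grid-mapfile syntax: "<DN>" <login>[,<login>...]; lines starting with '#' are comments.
GRID_MAPFILE = '''# constructed sample grid-mapfile
"/C=US/O=NCSA/CN=Von Welch" vwelch
"/C=US/O=SDSC/CN=Alice Example" alice,alice2
'''

def parse_grid_mapfile(text):
    """Identity-based ACL: map each distinguished name to its first local login."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if not line.startswith('"'):
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        dn, logins = line[1:].split('"', 1)
        mapping[dn] = logins.strip().split(',')[0]
    return mapping

@dataclass
class Attribute:
    issuer: str   # the attribute authority that asserted it (a community IdP or myVocs)
    name: str
    value: str

@dataclass
class Decision:
    allowed: bool
    local_account: Optional[str]
    allocation: Optional[str]
    audit: dict = field(default_factory=dict)   # retained for incident response

# Attribute-based policy keyed by (trusted issuer, attribute, value) -> (community account, allocation).
# The issuer is part of the key, so an assertion from an untrusted authority can never match.
ATTRIBUTE_POLICY = {
    ("myvocs.nanohub.example", "isMemberOf", "nanoHUB-users"): ("nanohub", "TG-NANO001"),
    ("idp.lead.example", "eduPersonEntitlement", "urn:lead:user"): ("lead", "TG-LEAD002"),
}

def authorize(dn, attributes, mapfile=GRID_MAPFILE):
    """Try identity-based mapping first, then attribute-based; always record the DN."""
    login = parse_grid_mapfile(mapfile).get(dn)
    if login:
        return Decision(True, login, "individual", {"dn": dn, "basis": "grid-mapfile"})
    for a in attributes:
        hit = ATTRIBUTE_POLICY.get((a.issuer, a.name, a.value))
        if hit:
            account, alloc = hit
            basis = f"{a.issuer}:{a.name}={a.value}"
            return Decision(True, account, alloc, {"dn": dn, "basis": basis})
    return Decision(False, None, None, {"dn": dn, "basis": "no match"})
```

The audit record keeps the individual DN even when the user is mapped to a community account, which is the information a gateway-only model loses.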

VOMS
- Attribute system developed by the EU Data Grid
- Uses X.509 attribute certificates (RFC 3281)
- In use by EGEE, OSG

Shibboleth
- System developed by Internet2 to allow for federated identity management
  - Allows for inter-organization access to web resources
- Not an identity management system
  - Exposes campus identity and attributes in a standard format
- Based on SAML as defined by OASIS
- Policies for attribute release and transient handles to allow privacy

Why Shibboleth?
- A large (and growing) installed base on campuses around the world
- Professional development and support team at Internet2
  - Additional tools from GridShib, UAB, MAMS (Australia), SWITCH, UK
  - Some commercial support now as well
- A standards-based, open source implementation
- A standard attribute vocabulary (eduPerson)

GridShib
- Provides for interoperability between Shibboleth and Grids (Globus Toolkit 4.0)
- GridShib for Globus Toolkit
  - A plugin for GT 4.0
- GridShib for Shibboleth
  - A plugin for the Shibboleth 1.3 IdP
- GridShib SAML Tools
  - Tools for adding SAML to Grid credentials
- GridShib CA
  - Converting Shibboleth authentication to Grid credentials

myVocs
- myVocs, UAB
  - Gemmill and Robinson
  - NMI funded
- myVocs allows for VOs based on Shibboleth identities
  - Users register via Shibboleth and can be added to myVocs-maintained groups
  - myVocs acts as a Shibboleth proxy to add group information to the user's normal Shibboleth information

myVocs-GridShib integration
- GridShib authorizes use of Grid services based on Shibboleth identities
- Integration allows for the creation and management of Grid VOs based on Shibboleth
- Demoed at I2 in April (and can do so anytime for interested parties)

OpenIdp
- A Shibboleth identity provider for those who don't have one at their campus yet
- Also from UAB
- (...)-based registration
- Helps to crack the egg
- Commercial equivalent: protectnetwork.com

Thank you
- For more information
  - Von Welch
  - GridShib
  - The white paper: http://gridshib.globus.org/tg-paper.html
- Questions?