Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.

Slides:



Advertisements
Similar presentations
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Advertisements

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
MyProxy Jim Basney Senior Research Scientist NCSA
Federated Identity for Grid Architects Tom Scavo NCSA
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Grid Security. Typical Grid Scenario Users Resources.
Authz work in GGF David Chadwick
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.
Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
WebFTS as a first WLCG/HEP FIM pilot
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.
Attribute-based Authentication for Gateways Jim Basney Terry Fleury Stuart Martin JP Navarro Tom Scavo Jon Siwek Von Welch Nancy Wilkins-Diehr.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
University of Illinois at Urbana-Champaign National Center for Supercomputing Applications COI Identity Management and Federation: Design Issues, Process,
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.
National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
GridShib and MyProxy Grid Credential Management and Identity Federation Von Welch NCSA
Federated Environments and Incident Response: The Worst of Both Worlds? A TeraGrid Perspective Jim Basney Senior Research Scientist National Center for.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.
Shibboleth: An Introduction
Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy Tom Barton 1, Jim Basney 2, Tim Freeman.
GridShib: Campus/Grid RBAC Integration Penn State Grid Computing Workshop August 5th, 2005 Von Welch
Gridshib-tech-overview-dec051 GridShib A Technical Overview Tom Scavo NCSA.
National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.
GridShib and PERMIS Integration: Adding Policy driven Role-Based Access Control to Attribute-Based Authorisation in Grids Globus Toolkit is an open source.
Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.
Grid Authorization Landscape and Futures Von Welch NCSA
GridShib Grid-Shibboleth Integration An Overview Von Welch
Challenges of Federated Authentication to TeraGrid and Open Science Grid Jim Basney
National Computational Science National Center for Supercomputing Applications National Computational Science Integration of the MyProxy Online Credential.
Gridshib-tech-overview-apr061 GridShib A Technical Overview Tom Scavo NCSA.
Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.
Attribute-based Authentication for Gateways Jim Basney Terry Fleury Stuart Martin JP Navarro Tom Scavo Nancy Wilkins-Diehr.
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
Gridshib-intro-dec051 GridShib An Introduction Tom Scavo NCSA.
TeraGrid 08 The Third Annual TeraGrid Conference Las Vegas, NV June 9–13, 2008 Tom Scavo, Jim Basney, Terry Fleury, Von Welch.
1 Globus Toolkit Security Java Components Rachana Ananthakrishnan Frank Siebenlist.
University of Illinois at Urbana-Champaign National Center for Supercomputing Applications GridShib Grid/Shibboleth Interoperability
University of Illinois at Urbana-Champaign National Center for Supercomputing Applications GridShib Grid/Shibboleth Interoperability
Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.
2NCSA/University of Illinois
Shibboleth for Non-Web-Based Applications: GridShib
NSF Middleware Initiative: GridShib
GridShib: Grid/Shibboleth Integration Update GGF 18 Shibboleth Developers BoF September 10-11, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey,
TeraGrid 08 The Third Annual TeraGrid Conference
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch
Federated Environments and Incident Response: The Worst of Both Worlds
A Grid Authorization Model for Science Gateways
TeraGrid Identity Federation Testbed Update I2MM April 25, 2007
NSF Middleware Initiative: GridShib
Presentation transcript:

Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing Applications June 9, 2008

TeraGrid 08  Tutorial: Building Science Gateways  Mon, 8:00am–12:00pm  Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways  Wed, 5:30–6:30pm  Poster Session: A Federated Identity Model for Science Gateways  Wed, 6:30–8:30pm  Science Gateways Working Group Session  Thu, 3:00–4:30pm

The Science Gateway Use Case A browser user authenticates to a grid portal. The portal issues a proxy certificate and initiates a grid request on behalf of the user

Classic Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service Java WS Container Webapp Web Interface Web Browser community credential Key community account A science gateway is a convenient intermediary between a browser user and a grid resource provider.

Classic Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service Java WS Container Webapp Web Interface Web Browser community credential Key community account Each gateway is issued a community credential that uniquely identifies the gateway.

Classic Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service Java WS Container Webapp Web Interface Web Browser community credential Key community account Resource providers associate the community credential with a local community account.

Classic Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service Java WS Container Webapp Web Interface Web Browser community credential Key community account To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.

Classic Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service proxy credential Key Java WS Container Webapp Web Interface Web Browser community credential Key community account The gateway then issues a short-lived proxy credential signed by its community credential.

Classic Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service proxy credential proxy certificate Key Java WS Container Webapp Web Interface Web Browser community credential Key community account The gateway submits the job on the user’s behalf, authenticating as itself to the resource.

Classic Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service proxy credential proxy certificate Key Java WS Container Webapp Web Interface Web Browser community credential Key community account The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.

Classic Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service proxy credential proxy certificate Key Java WS Container Webapp Web Interface Web Browser community credential Key community account After the job is executed, the result is returned to the browser user via the gateway web interface.

Community Account Model: The Good  The Community Account Model  simplifies the user experience  simplifies gateway implementation and deployment  simplifies gridmap file management at the RP  A community credential is issued to each gateway  A single community account is created at the RP  The gateway issues proxy certificates and makes grid requests on behalf of the user

Community Account Model: The Bad  The community account model has some significant drawbacks, however:  End user identity is unknown to the RP  Course-grained access control at the resource (by design)  Awkward approach to auditing and incident response  In the event of an emergency, the RP is forced to disable all access to the community account  Less than adequate accounting mechanisms  All this can be traced to a single problem…

Community Account Model: The Ugly All requests look exactly the same to the resource provider! If the gateway would only pass the user’s name and contact information to the resource provider, all previously mentioned problems would be solved

Grid Authorization Model  We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider  Extends the Community Account Model  Asserts end user identity to the RP  Permits fine-grained access control at the RP  Provides strong auditing and effective incident response  Allows dynamic blacklisting of problem accounts or runaway processes  A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure  Complements existing SAML-based middleware infrastructure on today's campuses

Grid Authorization Model  The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider  Using GridShib SAML Tools, the gateway 1.issues a SAML assertion containing the user's authentication context and attributes 2.binds the SAML assertion to a proxy certificate signed by the community credential 3.authenticates to the resource by presenting the SAML-laden proxy certificate

X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ Key trscavo += X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: : trscavo Key

GridShib-enabled Science Gateway A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username An enhancement to the community account model increases the information flow between the gateway and the resource provider.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username A software component called GridShib SAML Tools is integrated into the gateway portal environment.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username Another software component called GridShib for GT is deployed at the resource provider.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username These two GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username Again the browser user authenticates to the gateway by presenting a username and password.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username proxy credential SAML Key This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username proxy credential SAML Key X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: : trscavo Key The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., ).

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP proxy certificate GridShib SAML Tools community credential Key SAML WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username proxy credential SAML Key The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP proxy certificate GridShib SAML Tools community credential Key SAML WS GRAM Service Logs Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username proxy credential SAML Key The GridShib SAML policy information point (PIP) extracts the SAML token from the proxy certificate, parses it, and writes the information to a log file.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP proxy certificate GridShib SAML Tools community credential Key SAML WS GRAM Service Logs Java WS Container (with GridShib for GT) Security Context Webapp attributes Web Interface Web Browser username proxy credential SAML Key The security information in the SAML token is also used to populate a SAML security context within the container.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP proxy certificate GridShib SAML Tools community credential Key SAML WS GRAM Service Logs Java WS Container (with GridShib for GT) Security Context Webapp attributes Web Interface Web Browser username proxy credential SAML Key Blacklist Policy The service compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP proxy certificate GridShib SAML Tools community credential Key SAML WS GRAM Service Logs Java WS Container (with GridShib for GT) Security Context Webapp attributes Web Interface Web Browser username proxy credential SAML Key Authz Policy Blacklist Policy The service combines the information in the security context with its access control policy, allowing access if and only if policy is satisfied.

Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP proxy certificate GridShib SAML Tools community credential Key SAML WS GRAM Service Logs Java WS Container (with GridShib for GT) Security Context Webapp attributes Web Interface Web Browser username proxy credential SAML Key Authz Policy Blacklist Policy As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.

GridShib-enabled Science Gateway  Simple installation and configuration of GridShib SAML Tools at the gateway  Includes GridShib Security Framework  Exposes both a command-line interface and a Java API  End user identity and contact information (e.g., ) transmitted to RP  Push much of the responsibility for auditing and incident response back onto the RP  Big Advantage: No need to shut down the entire gateway in the event of an incident!

User Attributes  Gateway entityID :   Subject name identifier:   Authentication statement  authentication method: urn:oasis:names:tc:SAML:1.0:am:password  authentication instant: T12:10:  IP address:  Attribute statement  isMemberOf attribute: group://gisolve.org/gisolve  mail attribute:

GridShib-enabled Resource Provider  The end user and the end user’s contact information (and other attributes) are logged  Effective auditing and incident response  Blacklist an IP address or name identifier on demand  Exposes a SAML security context  Fine-grained, attribute-based access control

Acknowledgments  Original Project PIs  Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist  Developers  Rachana Ananthakrishnan, Jim Basney, Tim Freeman, Raj Kettimuthu, Terry Fleury, Tom Scavo  The GridShib work was funded by the NSF National Middleware Initiative (NMI awards and ). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.  The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.

Thank you! GridShib

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.