Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bringing Federated Identity to Grid Computing Dave Dykstra CISRC16 April 6, 2016.

Published byByron Cross Modified over 7 years ago

Similar presentations

Presentation on theme: "Bringing Federated Identity to Grid Computing Dave Dykstra CISRC16 April 6, 2016."— Presentation transcript:

1 Bringing Federated Identity to Grid Computing Dave Dykstra dwd@fnal.gov CISRC16 April 6, 2016

2 Outline Introduction & motivation Background – Grid security & job management – InCommon, CILogon, and SAML ECP – MyProxy Details of the Federated Identity/Grid integration Status Related Work Security considerations Conclusions 4/6/162

3 Introduction Open Science Grid (OSG) – NSF-funded – Collaboration between over 100 independent sites supplying High Throughput Computing (HTC) OSG does not own the computers, commodity hardware Also about 100 Virtual Organizations (VOs) and separately about 100 individual Principal Investigators (PIs) Continually changing and growing Now expanding to commercial clouds & portion of HPC systems – Grown to over 100 million CPU hours/month end of 2016 Close to ½ the full time of Titan Fermilab is one of the major entry points 4/6/163

4 Introduction Grid security is heavily based on X.509 certificates – Very important for its distributed multiple-owner nature Managing certificates by hand is often an impediment for grid users that are not tech savvy – Especially each year as certificates expire Fermilab has a grid job submission system (Jobsub) that hides certificates from users – The certificate management piece has shortcomings, however 4/6/164

5 Motivations for change The shortcomings are – It only works with Fermilab Kerberos Inconvenient challenge for remote collaborators – It requires running our own Kerberos Certificate Authority (KCA) Expensive to maintain Losing software support later this year Jobsub also supports manually-maintained certs, but we don’t want to lose automation We would like to modernize to Federated Identity and so not require everyone to have local login 4/6/165

6 Background – grid security Grid users tracked in Virtual Organizations (VOs) User certificate Distinguished Names (DNs) registered in Virtual Organization Membership Service (VOMS) servers – Cryptographically adds info to proxy certificate VOMS proxy certs are sent with jobs – usually short-lived to limit their use if stolen and in case user’s VO membership is revoked Grid User Mapping Service (GUMS) servers additionally used to map DNs to access rights 4/6/166

7 Background – grid job management Grid job management typically uses two layers – Pilot Workflow Management System (e.g. GlideinWMS) provides uniform global queue – Grid job submission system (e.g. Jobsub) feeds the global queue End users interact with the job submission system – System responsible for renewing users’ VOMS proxy certificates for long-lived jobs – Jobsub maintains extra “Robot” kerberos credentials for every potential user in order to get new KCA certs to make new VOMS proxies 4/6/167

8 Background - old Jobsub submit flow 4/6/168 Grid Jobsub Client Jobsub Server jobsub_submit submission KCA certificate VOMS 3 VOMS proxy kx509 1 2 Fermilab KCA voms-proxy-init submits jobs 4 Robot KCA certificate FNAL user renews proxy 5

9 Background – InCommon, CILogon, ECP InCommon Federation – Internet2’s identity federation for education & research CILogon – InCommon’s X.509 Certificate Authority (CA) service – The CA we use is CILogon Basic CA InCommon primarily used for web, but CILogon also supports SAML 2.0’s protocol for non-web browser environments – Enhanced Client or Proxy (ECP) – Does not require cookies or javascript – Option in Shibboleth Identity Provider (IdP) 4/6/169

10 Background - MyProxy MyProxy is a secure server for storage of proxy certificates – Software available from NCSA – Has many controls over who can access the proxies 4/6/1610

11 Basic grid/federated identity plan Make use of existing InCommon CILogon Basic CA and existing federated identity service Write new cigetcert command line tool to get certs – Generic tool, not Fermilab-specific – Authenticate with Kerberos or username/password – Get 4 week certificate from CILogon, store 1 week proxy on local disk and 4 week proxy in MyProxy Complies with International Grid Trust Foundation (IGTF) rules Change jobsub_submit to attempt to use cigetcert with Kerberos, and if that fails, tell user to run it to enter “Services” password Change Jobsub server to renew proxies out of MyProxy Automatically register all new user DNs in VOMS (as old ones are) 4/6/1611

12 Jobsub infrastructure with CILogon Jobsub client 1-week /tmp/x509up_u* Jobsub server User proxy Worker node Worker node User VOMS proxy VOMS GUMS cigetcert ECP IdP CILogon Basic CA CILogon Basic CA MyProxy Authenticate the user Issue 4-week cert 4-week proxy Retrieve and renew proxy 12 User VOMS proxy 4/6/16

13 Startup 4/6/1613 invokes cigetcert Get cert jobsub_submit SAML Authentication request Jobsub Client 5 3 CILogon IdP 1 Jobsub Server Get opts 2 Get ECP IdP list 4

14 Getting a certificate 4/6/1614 CILogon Not Authorized - Requests Basic Authentication Repeats SAML auth request with user credentials SAML Assertion 4-week certificate for user Prompts user for password IdP 7 6 8 9 10 cigetcert

15 Storing proxies 4/6/1615 MyProxy generates 1-week proxy cigetcert /tmp/x509* stores one-week proxy generates 4-week proxy stores 4-week grid proxy discards 4-week certificate’s key 1-week grid proxy 4-week grid proxy 4-week certificate for user 11 12 13

16 Job submission & renewal 4/6/16 uses proxy retrieves Jobsub Client /tmp/x509* Jobsub Server MyProxy short-lived grid proxy jobsub_submit 14 VOMS proxy voms-proxy-init 15 VOMS submission Grid submits jobs 16 renews proxy 17 16

17 Status cigetcert is feature-complete – Available in Scientific Linux Fermi – Could move into Scientific Linux if needed MyProxy ready in production, Jobsub in pre- production All 16 VOs will be transitioned gradually through September Only Fermilab IdP supported this year – Phase 2 plans to add other institutions’ IdPs – cigetcer t & Jobsub are ready for phase 2 4/6/1617

18 Related work LIGO – Similar tool for getting a certificate with ECP – LIGO-specific, and without Kerberos or MyProxy support LTERN & DataOne – Use ECP, but little other published details ECP clients – https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP 4/6/1618

19 Security considerations Federated trust – Institutions are trusted, and verified by certs – If can’t reach misbehaving user’s institution, they can be cut off at VOMS and/or GUMS Limit number of command line tools that prompt for passwords – Don’t want users to become callous about typing in their password 4/6/1619

20 Conclusions Certificate-free as far as user is concerned Easier on remote users – no need for Kerberos Easier on FNAL – no need for our own CA Easily expandable to other institutions’ IdPs cigetcert available for general use with any institution that has an ECP-enabled IdP 4/6/1620

21 Links cigetcert – https://github.com/fermitools/cigetcert https://github.com/fermitools/cigetcert – man page: https://git.io/vgcZmhttps://git.io/vgcZm ECP – http://www.cilogon.org/ecp http://www.cilogon.org/ecp 4/6/1621

Download ppt "Bringing Federated Identity to Grid Computing Dave Dykstra CISRC16 April 6, 2016."

Similar presentations

GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.

GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
Grid Services at NERSC Shreyas Cholia Open Software and Programming Group, NERSC NERSC User Group Meeting September 17, 2007.

Grid Services at NERSC Shreyas Cholia Open Software and Programming Group, NERSC NERSC User Group Meeting September 17, 2007.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
Riccardo Bruno INFN.CT Sevilla, 10-14 Sep 2007 The GENIUS Grid portal.

Riccardo Bruno INFN.CT Sevilla, Sep 2007 The GENIUS Grid portal.
DIRAC Web User Interface A.Casajus (Universitat de Barcelona) M.Sapunov (CPPM Marseille) On behalf of the LHCb DIRAC Team.

DIRAC Web User Interface A.Casajus (Universitat de Barcelona) M.Sapunov (CPPM Marseille) On behalf of the LHCb DIRAC Team.
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Similar presentations

Ads by Google