Presentation is loading. Please wait.

Presentation is loading. Please wait.

TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch

Published byFranklin Hilary Bruce Modified over 5 years ago

Similar presentations

Presentation on theme: "TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch"— Presentation transcript:

1 Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch National Center for Supercomputing Applications University of Illinois at Urbana-Champaign June 11, 2008

2 Tutorial: Science Gateways, Security, and GridShib
TeraGrid 08 Tutorial: Science Gateways, Security, and GridShib Mon, 8:00am–12:00pm Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways Wed, 5:30–6:30pm Poster Session: A Federated Identity Model for Science Gateways Wed, 6:30–8:30pm Science Gateways Working Group Session Thu, 3:00–4:30pm

3 Definition of Terms Shib != GridShib

4 The Science Gateway Use Case
A browser user authenticates to a grid portal.  The portal issues a proxy certificate and initiates a grid request on behalf of the user

5 Classic Science Gateway
A science gateway is a convenient intermediary between a browser user and a grid resource provider. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service community credential community account Key Science Gateway Resource Provider

6 Classic Science Gateway
Each gateway is issued a community credential that uniquely identifies the gateway. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service community credential community account Key Science Gateway Resource Provider

7 Classic Science Gateway
Resource providers associate the community credential with a local community account. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service community credential community account Key Science Gateway Resource Provider

8 Classic Science Gateway
To submit a job, a browser user typically authenticates to the gateway by presenting a username and password. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service community credential community account Key Science Gateway Resource Provider

9 Classic Science Gateway
The gateway then issues a short-lived proxy credential signed by its community credential. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service community credential proxy credential community account Key Key Science Gateway Resource Provider

10 Classic Science Gateway
The gateway submits the job on the user’s behalf, authenticating as itself to the resource. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service proxy certificate community credential proxy credential community account Key Key Science Gateway Resource Provider

11 Classic Science Gateway
The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service proxy certificate community credential proxy credential community account Key Key Science Gateway Resource Provider

12 Classic Science Gateway
After the job is executed, the result is returned to the browser user via the gateway web interface. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service proxy certificate community credential proxy credential community account Key Key Science Gateway Resource Provider

13 Community Account Model: The Good
The Community Account Model simplifies the user experience simplifies gateway implementation and deployment simplifies gridmap file management at the RP A community credential is issued to each gateway A single community account is created at the RP The gateway issues proxy certificates and makes grid requests on behalf of the user

14 Community Account Model: The Bad
The community account model has some significant drawbacks, however: End user identity is unknown to the RP Course-grained access control at the resource (by design) Awkward approach to auditing and incident response In the event of an emergency, the RP is forced to disable all access to the community account Less than adequate accounting mechanisms All this can be traced to a single problem…

15 Community Account Model: The Ugly
All requests look exactly the same to the resource provider! If the gateway would only pass the user’s name and contact information to the resource provider, all previously mentioned problems would be solved

16 Grid Authorization Model
We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider Extends the Community Account Model Asserts end user identity to the RP Permits fine-grained access control at the RP Provides strong auditing and effective incident response Allows dynamic blacklisting of problem accounts or runaway processes A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure Complements existing SAML-based middleware infrastructure on today's campuses

17 Grid Authorization Model
The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider Using GridShib SAML Tools, the gateway issues a SAML assertion containing the user's authentication context and attributes binds the SAML assertion to a proxy certificate signed by the community credential authenticates to the resource by presenting the SAML-laden proxy certificate

18 + = <saml:Assertion> <saml:NameID> trscavo
X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> + = Key X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: : <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> Key

19 GridShib-enabled Science Gateway
A browser user authenticates to a grid portal.  The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.

20 Grid Authorization Model for Gateways
An enhancement to the community account model increases the information flow between the gateway and the resource provider. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

21 Grid Authorization Model for Gateways
A software component called GridShib SAML Tools is integrated into the gateway portal environment. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

22 Grid Authorization Model for Gateways
Another software component called GridShib for GT is deployed at the resource provider. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

23 Grid Authorization Model for Gateways
These two GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

24 Grid Authorization Model for Gateways
Again the browser user authenticates to the gateway by presenting a username and password. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

25 Grid Authorization Model for Gateways
This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service username GridShib SAML Tools proxy credential SAML Key community credential Key Science Gateway Resource Provider

26 Grid Authorization Model for Gateways
The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., ). Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: : username GridShib SAML Tools proxy credential SAML Key community credential Key <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> Science Gateway Resource Provider Key

27 Grid Authorization Model for Gateways
The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential SAML Key community credential Key Science Gateway Resource Provider

28 Grid Authorization Model for Gateways
The GridShib for GT extracts the SAML token from the proxy certificate, parses it, and writes the information to a log file. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential SAML Key community credential Logs Key Science Gateway Resource Provider

29 Grid Authorization Model for Gateways
The security information in the SAML token is also used to populate a SAML security context within the container. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential Security Context SAML Key community credential Logs Key Science Gateway Resource Provider

30 Grid Authorization Model for Gateways
The service compares the information in the security context to the blacklist, denying access if any request info is on the blacklist. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential Security Context SAML Key community credential Logs Blacklist Policy Key Science Gateway Resource Provider

31 Grid Authorization Model for Gateways
The service combines the information in the security context with its access control policy, allowing access if and only if policy is satisfied. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential Security Context SAML Key community credential Logs Blacklist Policy Authz Policy Key Science Gateway Resource Provider

32 Grid Authorization Model for Gateways
As before, after the service executes the job, the result is returned to the browser user via the gateway web interface. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib for GT WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential Security Context SAML Key community credential Logs Blacklist Policy Authz Policy Key Science Gateway Resource Provider

33 GridShib-enabled Science Gateway
Simple installation and configuration of GridShib SAML Tools at the gateway Includes GridShib Security Framework Exposes both a command-line interface and a Java API End user identity and contact information (e.g., ) transmitted to RP Push much of the responsibility for auditing and incident response back onto the RP Big Advantage: No need to shut down the entire gateway in the event of an incident!

34 Subject name identifier: Authentication statement
User Attributes Gateway entityID: Subject name identifier: Authentication statement authentication method: urn:oasis:names:tc:SAML:1.0:am:password authentication instant: T12:10: IP address: Attribute statement isMemberOf attribute: group://gisolve.org/gisolve mail attribute:

35 Configuring GridShib SAML Tools
Some information in the SAML token is static Each gateway provides a configuration file that customizes the static content of each token IdP.entityID= NameID.Format=urn:oid: Attribute.isMemberOf.Name=urn:oid: Attribute.isMemberOf.Value=group://gisolve.org/gisolve

36 Java developers have the following JAR dependencies
Copy these JARs to WEB-INF/lib cog-jglobus.jar commons-codec-1.3.jar commons-logging.jar globus-opensaml-1.1.jar gridshib-common-0_4_2.jar jce-jdk jar log4j jar xalan.jar xercesImpl.jar xml-apis.jar xmlsec jar Endorse!

37 Creating the X.509-bound SAML Token
Other content in the SAML token is dynamic GridShib SAML Tools provides a Java API that a gateway developer can use to issue SAML tokens with dynamic content GlobusCredential issuingCredential = ...; GatewayCredential gc = new GatewayCredential("trscavo"); gc.setCredential(issuingCredential); // compute authnMethod, authnInstant, and ipAddress... gc.setAuthnContext(authnMethod, authnInstant, ipAddress); GlobusCredential proxy = gc.issue();

38 GridShib-enabled Resource Provider
The end user and the end user’s contact information (and other attributes) are logged Effective auditing and incident response Blacklist an IP address or name identifier on demand Exposes a SAML security context Fine-grained, attribute-based access control

39 Is your gateway infrastructure built on a JEE portal framework?
Discussion Topic #1 Is your gateway infrastructure built on a JEE portal framework? If so, which one? If not, what application server do you use?

40 If not, describe your security framework.
Discussion Topic #2 Is your gateway security framework built on the community credential model? If not, describe your security framework.

41 If not, is the community credential stored in the file system?
Discussion Topic #3 Do you use MyProxy? If not, is the community credential stored in the file system?

42 Discussion Topic #4 In your application server environment, how easy is it to obtain the following information: Username Authentication instant IP address address Does your portal framework provide an API to obtain this information or do you have to query a database?

43 Does your gateway control its own DNS domain?
Discussion Topic #5 Does your gateway control its own DNS domain? If not, what is the URL of your gateway?

44 The TeraGrid central database captures TeraGrid-wide accounting data
Summary Using GridShib SAML Tools, science gateways send user attributes to resource providers Using GridShib for GT, resource providers use these attributes to perform auditing, incident response, and attribute-based access control The TeraGrid central database captures TeraGrid-wide accounting data

45 GridShib Project PIs GridShib Developers Acknowledgments Thank You!
Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GridShib Developers Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim Freeman, Raj Kettimuthu, Tom Scavo The GridShib work was funded by the NSF National Middleware Initiative (NMI awards and ). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF. The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA. Thank You!

Download ppt "TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch"

Similar presentations

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.
Attribute-based Authentication for Gateways Jim Basney Terry Fleury Stuart Martin JP Navarro Tom Scavo Jon Siwek Von Welch Nancy Wilkins-Diehr.

Attribute-based Authentication for Gateways Jim Basney Terry Fleury Stuart Martin JP Navarro Tom Scavo Jon Siwek Von Welch Nancy Wilkins-Diehr.
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.

GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Similar presentations

Ads by Google