Presentation is loading. Please wait.

Presentation is loading. Please wait.

TeraGrid Plans for Authentication and Authorization Testbed Dane Skow, Argonne National Laboratory Computation Institute Seminar September 28, 2006.

Published byVerity Briggs Modified over 8 years ago

Similar presentations

Presentation on theme: "TeraGrid Plans for Authentication and Authorization Testbed Dane Skow, Argonne National Laboratory Computation Institute Seminar September 28, 2006."— Presentation transcript:

1 TeraGrid Plans for Authentication and Authorization Testbed Dane Skow, Argonne National Laboratory Computation Institute Seminar September 28, 2006

2 Workshop Workshop on TeraGrid Authentication, Authorization, and Account Management - August 30-31, 2006, Argonne National Laboratory –Organizers: Von Welch, Tony Rimovsky, Jim Marsteller, Carolyn Peters, Dane Skow Attendees: 42 persons, representatives from all TeraGrid Resource Provider sites, OSG, Internet2, Globus http://www-fp.mcs.anl.gov/tgmeeting/AAA-Agenda.htm Whitepaper ( Von Welch, Ian Foster, Tom Scavo, Frank Siebenlist, Charlie Catlett) http//gridshib.globus.org/tg-paper.html http//gridshib.globus.org/tg-paper.html

3 Authentication vs Authorization Identifier: A unique name –(username, DN, GUID, SSN, etc.) Authentication: Verifying Identity of users –associating them with a Identifier Authorization: Deciding whether or not a request will be granted –Different authentication methods have different levels of certainty Authorization Policy: The set of rules by which an authorization decision is made Authentication does not imply Authorization –E.g. just because you trust a CA doesn’t mean all the user with certificates from it are authorized

4 Issues with Authentication Status Quo IDs sometimes contain sensitive information (e.g. SSN) ID sources do not typically have direct, ongoing relationship with users Many sources of authentication mean confusion, error and insecurity for all parties Protection of online secrets is difficult and point of attack Scaling beyond ~100 sources of identity call for index and/or hierarchy –100+ in MacOS X default, etc –Currently 90+ CAs in IGTF PMA set –~1500 Institutions in EDUCAUSE

5 Authorization Status Quo Currently solely ID based – A user has only one mapping in the system no capability for roles Single group membership Need prior knowledge of group membership –Maintenance /synchronization problem No differentiation between services for access levels –Allocated users –Authenticated users –TG Community users –Partner/Campus users –Public Scaling –Workload scales by ID not by group –Adds new sources of authority to manage

6 Account Management Status Quo Single Account/authorization doesn’t map to rich set of services Persistent Execution Environments –Pre-provisioning individual environments (accounts) has large overhead and vulnerabilities –Shared environments –Environment configuration for groups must be independently duplicated Traceable actions –Need to preserve connection from actions (and costs) to individual initiating the action for troubleshooting

7 Operational Example Number and Levels of Credentials –Resource specific (login) credentials Direct machine logins TeraGrid webpages TeraGrid forum –Grid service credentials Users internal TeraGrid X509 credentials (from kx509, MyProxy, etc) Gateway/broker credentials User’s external x509 credentials (from DOEGrids, etc) –Gateway community credentials Portal login/password Home institution credentials –Commercial credentials Scale of compromise recovery effort is large –Single general server compromise 1000s of credentials

8 Authentication Process Today User and RP share a secret. –RP authoritative itself Maintains contact information –User RP correction relationship –Individual traceability * CAs issue identify credentials –RP can validate credentials (trusting CA) –CA maintains contact information (maybe) –Typically not available to RP –CA has loose relation to user –User CA RP correction relationship –Individual traceability * * Provided there’s no collusion

9 Future User authenticates to local institution/authority, – authority vouches for user (by constructing appropriate attributes in credential) –RP can validate authority attribute and binding to request (?) –RP may itself be a local institution –Local institution maintains contact information with user –Heirarchies allowed (ala bond brokers) –Individual traceability (maybe pseudynmous)

10 Individual User Environment Resource TGCDB uid project (G)Id Grant Process Use cases: Traditional users, Development O(10) O(1) O(10) O(1000) O(1)

11 Authenticated User Environment Resource TGCDB project (G)Id Grant Process Use cases: Grid-savvy user communities, Production runs, user managed services uid O(10) ? O(10) O(1) O(10) O(1)

12 Gateway Gateway Environment Resource TGCDB project Grant Process Use cases: Large communities of users, novice users, public uid GId ComId O(1) ? O(10) O(1) O(10) O(1) ? O(1)O(100) ? O(1000) O(100) O(1000) O(100) O(100-10 6 ) ? O(1)

13 Community Gateway Accounts Shift authentication and authorization from RP to the Science Gateway Whole community then appears as “one” user to the RP in terms of authorization –One grid-mapfile and /etc/password entry or perhaps (a mapped set of) virtual machine images –Except accounting and troubleshooting. We still need an individual identifier

14 The Proposal Plan for a world where users can be authenticated via their home campus identity management system Enable attribute-based authorization of users by RP site –Allow for user authentication with authorization by community Prototype system in testbed, with involvement of interested parties to work out issues All usage still billed to an allocation –Community or individual

15 Testbed

16 Testbed Components Enhanced CTSSv3 stack –Existing GT component extensions to enable attribute-based authorization Identify testbed resources –UChicago/ANL, NCSA Mercury, ORNL –Use OSG/TG VOMS test server Handful of user communities –Science Gateway, Educational, OSG, others TBD. Use of Shibboleth and related software –myVocs, GridShib –Leverage InQueue/TestShib, UT Fed

17 Must keep this tied to users Has potential to suffer from “copper plumbing” syndrome - better infrastructure without obvious user benefit Identify a small number of target communities to participate in testbed –Need right combination of Shibboleth deployment and TeraGrid interest

18 Testbed Use Cases 1.Individual New User 2.Individual Existing User Access 3.Shibboleth authentication to Gateway 4.Gateway attribute authorization to RP Use Case 5.OSG/VOMS access 6.Educational Access 7.Incident Response

19 Individual New TG User Registration process here… –Campus id gets into TGCDB as part of process –Utilize Shibboleth tooling for Registration process User authenticate with campus credentials –Gets short-lived X509 credential with DN based on Shibboleth-provided Id –With campus attributes –No TG attributes (maybe project in future?) User access via gsi-ssh, GRAM, gridftp –X509 cred w/attributes presented to RP –DN+attribute registration matched to local UID through gxmap (mod) RP does authorization based on DN –Provisioning may use attribute common set (TBD) –TP logs other attributes

20 Individual New TG User

21 Testbed Slide courtesy Von Welch, NCSA

22 Individual Existing User Access (Start with user having allocation and TG account) User authenticate with campus credentials –Gets short-lived X509 credential with DN based on Shibboleth-provided Id –With campus attributes –No TG attributes (maybe project in future?) User registers DN with TeraGrid (one-time process) and bind to TG TGCDB row for that user –Can’t be automated - DN comes from Campus Id –Through user portal - Shibboleth and kerberos authenticated binder User access via gsi-ssh, GRAM, gridftp Includes both UT Federation Users, as well as InQueue/TestShib users –X509 cred w/attributes presented to RP RP does authz based on DN/grid-mapfile –TP logs other attributes

23 Shib-Enabled Gateway Use Case Gateway is shib-protected (standard shib) –Gateway must Shibboleth SP software User needs to provide campus id to gateway User authenticates to Gateway using campus id Gateway authorizes user based on campus id –Logs other attributes

24 Gateway Attribute-based authZ Use case This case could follow previous or use another authentication method Gateway registers attribute-signing key with RPs RP maps Gateway attribute to local UID/GID Gateway gets short-lived X509 cred –Gets EEC from MyProxy –Creates signed attribute and inserts into proxy, bound to user DN –With community attribute + campus attributes (if available) Gateway access vis gsi-ssh, GRAM, gridftp –Presentation of X509 cred w/attributes to end resource RP maps to community account based on community attribute –Verified and validates attribute from gateway TP logs other attributes

25 Gateway Attribute-based authorization to RP Gateway generates X.509 credential –Or requests one from MyProxy Includes local gateway attribute with their identity for user –Policy to ensure uniqueness Gateway access vis gsi-ssh, GRAM, gridftp –Presentation of X509 cred w/attributes to end resource RP maps to community account based on community attribute –RP logs other attributes

26 CMS/VOMS access User authenticates in standard OSG manner –Obtains VOMS credential User access via gsi-ssh, GRAM, gridftp –Presentation of X509 cred w/VOMS attributes to end resource RP maps to community account based on community attribute –TP logs other attributes

27 Educational Access Use Case Based on current training account model –Create N accounts and hand out N usernames/passwords PI given class allocation –Process issue TBD PI creates accounts –Number, duration –TGCDB handles expiration? –PI gets list of usernames and passwords for accounts RPs create accounts PI hands out username & password to each student Students does one-time registration with provided password to bind Shib-derived DN to training account Students authenticate with campus credentials to GridShib-CA –Looks like normal individual user at this point…

28 Identifying Key Communities Large enough to suffer scaling problems –So there’s a payoff for the work Feasibly represented by Shibboleth or VOMS in the next 2 years Or represented by a persistent attribute authority (e.g. a Gateway) –So that it’s not yet another security system Some subset of community represented now –So that there’s someone to work with in evaluating the use cases

29 Technical and Policy Issues to be Resolved (a subset) What identifiers and attributes are needed by TeraGrid from campuses? How will other attributes be sourced? E.g. Gateway communities. Policy distribution mechanisms –Consistent TG-wide policy vs Site autonomy Agreement between TeraGrid and campuses providing attributes Identify issues related to forensics/incident response and accounting Scaling issues with key services

30 Issues which will remain challenges Numerous, small, dynamic VOs will remain difficult to support –This is key to capturing the ultimate vision of grid as infrastructure Policy rules (expression and interpretation) remain terra incognita –There are grammars and engines, but little operating experience Scaling growth in number of authorities needs improvement –Lessons to be learned from DNS

31 Phased Deployment 1.Enable logging of attributes through the system –Improves traceability and prepares for attribute handling 2.Enable group membership decisions based on attributes –Provides for community based authorization 3.Enable attribute based authorization/provisioning decisions –Enables user mapping to different environments –Enables specialized provisioning by attribute set

Download ppt "TeraGrid Plans for Authentication and Authorization Testbed Dane Skow, Argonne National Laboratory Computation Institute Seminar September 28, 2006."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006 www.opensciencegrid.org.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.

Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

Similar presentations

Ads by Google