Slide 1: TeraGrid 08, The Third Annual TeraGrid Conference, Las Vegas, NV, June 9–13, 2008
http://gridshib.globus.org/
Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign

Slide 2: Tutorial: Science Gateways, Security, and GridShib (June 9, 2008)

Slide 3: Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways (June 11, 2008)

Slide 4: Science Gateways Working Group Session (June 12, 2008)

Slide 5: GridShib @ TeraGrid 08
- Tutorial: Science Gateways, Security, and GridShib (Mon, 8:00am–12:00pm)
- Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways (Wed, 5:30–6:30pm)
- Poster Session: A Federated Identity Model for Science Gateways (Wed, 6:30–8:30pm)
- Science Gateways Working Group Session (Thu, 3:00–4:30pm)

Slide 6: Definition of Terms
Shib != GridShib. Shibboleth is a SAML-based web single sign-on system; GridShib is the separate software, described below, that lets the Globus Toolkit and Shibboleth interoperate.

Slide 7: Grid Security Infrastructure (GSI)

Slide 8: Grid Authentication
- Traditionally, grid authentication has been via trusted X.509 identity certificates
- GSI relies heavily on X.509 proxy certificates
- A proxy certificate is a short-lived certificate signed with the private key of the user's identity (end-entity) certificate, so its trust chain runs through that certificate up to the CA
- Multiple GSI authentication mechanisms:
  - GSI Transport (SSL/TLS)
  - GSI Secure Message (WS-Security)
  - GSI Secure Conversation (WS-SecureConversation)

Slide 9: The Classic Grid Use Case
A non-browser user issues a proxy certificate and initiates a grid request on her own behalf.

Slide 10: Issue a Proxy Certificate
(Diagram.) The X.509 end-entity credential (Issuer: Certification Authority; Subject: End User; plus private key) is used by grid-proxy-init or myproxy-logon to issue an X.509 proxy credential (Issuer: End User; Subject: End User+, i.e. the user's DN with an extra CN component appended; plus a fresh private key).

Slide 11: Classic GSI
(Diagram.) The GT4 client (a Globus WS client) holds the X.509 proxy credential and presents the proxy certificate to the GT4 server (a Globus web service in the Java WS container), which checks it against its gridmap.

Slide 12: Identity-based Access Control
- The distinguished name (DN) in the proxy certificate is used as the basis for coarse-grained access control
- If the subject DN is in an access control list called a gridmap file, access is allowed
- A gridmap file also maps DNs to usernames
- Associated with each DN are zero or more local usernames
- GRAM, for example, requires a local account in which to run a job request

Slide 13: Gridmap File
- The gridmap has a flat file format, one entry per line: DN → [user_0, user_1, …, user_{n-1}]
- The gridmap has dual functions:
  1. Authorization Policy
  2. Username Mapping Policy
- A single gridmap file serves both functions
- Identity-based gridmap files trade off flexibility and scalability for simplicity

    DN_1  username_1
    DN_2  username_2
    …
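The two functions of the gridmap described above, worked through in code. This is an added example, not Globus or GridShib code: the gridmap contents, the DNs and the proxy subjects are constructed for the example, and the helper that strips proxy CN components (the "End User+" subject on slide 10) back to the identity DN follows the legacy "proxy"/"limited proxy" and RFC 3820 numeric-CN conventions.

```python
"""Parse a Globus gridmap file and exercise its two functions from slide 13:
authorization (is this DN allowed?) and username mapping (which local
accounts may it run as?). Added example, not Globus or GridShib code.
The sample gridmap, DNs and proxy subjects are constructed for this example."""
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample in gridmap syntax: a double-quoted subject DN, whitespace,
# then a comma-separated list of local usernames (the first is the default).
SAMPLE_GRIDMAP = '''
# comment lines and blank lines are ignored
"/C=US/O=Example Grid/OU=People/CN=Alice Example" alice
"/C=US/O=Example Grid/OU=People/CN=Bob Example" bob,bobtest
"/C=US/O=Example Grid/OU=Services/CN=Science Gateway" sgw_community
'''

# A proxy subject is the end-entity DN plus trailing CN components:
# "proxy"/"limited proxy" for legacy GSI proxies, a numeric CN for RFC 3820
# proxies. Strip them to recover the identity DN the gridmap is keyed on.
_PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def identity_from_proxy_subject(subject: str) -> str:
    """Return the end-entity DN for a (possibly multi-level) proxy subject."""
    while True:
        stripped = _PROXY_CN.sub("", subject)
        if stripped == subject:
            return subject
        subject = stripped


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {DN: [username, ...]}, preserving username order per DN."""
    gridmap: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # honours the quotes around the DN
        if len(fields) != 2:
            raise ValueError(f"gridmap line {lineno}: expected '\"DN\" users', got {raw!r}")
        dn, users = fields
        usernames = [u for u in users.split(",") if u]
        if not usernames:                   # a DN with no account is simply absent
            raise ValueError(f"gridmap line {lineno}: no usernames for {dn}")
        entry = gridmap.setdefault(dn, [])
        for u in usernames:                 # a DN may appear on several lines
            if u not in entry:
                entry.append(u)
    return gridmap


def is_authorized(gridmap: Dict[str, List[str]], proxy_subject: str) -> bool:
    """Function 1 (authorization policy): the gridmap acts as an ACL of DNs."""
    return identity_from_proxy_subject(proxy_subject) in gridmap


def map_username(gridmap: Dict[str, List[str]], proxy_subject: str,
                 requested: Optional[str] = None) -> Optional[str]:
    """Function 2 (username mapping policy). With no requested account the
    first listed username is used; a requested account is honoured only if
    it is listed for that DN. None means 'deny'."""
    users = gridmap.get(identity_from_proxy_subject(proxy_subject))
    if not users:
        return None
    if requested is None:
        return users[0]
    return requested if requested in users else None


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    bob_proxy = "/C=US/O=Example Grid/OU=People/CN=Bob Example/CN=proxy/CN=1234"
    print(is_authorized(gm, bob_proxy), map_username(gm, bob_proxy, "bobtest"))
```

Note that a DN absent from the file fails both functions at once: there is no way to say "known but not allowed", which is part of the simplicity the slide trades flexibility for.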

Slide 14: GridShib-enabled GSI

Slide 15: GridShib Project
- The goal of the GridShib Project is to introduce attribute-based authorization to Globus-based grids
- GridShib software allows the Globus Toolkit and Shibboleth to interoperate
- Classic GridShib (circa 2004–2005) pulls attributes from a Shibboleth Attribute Service
- The current emphasis is on browser users and attribute push, specifically the TeraGrid Science Gateway Use Case

Slide 16: GridShib Software
- GridShib for GT: consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools; issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed
- GridShib for Shibboleth: responds to attribute queries from GridShib for GT
- GridShib CA: issues short-lived X.509 credentials to browser users
- GridShib SAML Tools: issues or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates
(Slide 17 repeats slide 16.)

Slide 18: GridShib SAML Tools
- The GridShib SAML Tools (GS-ST) are a standalone suite of Java-based client tools
- Binds a SAML assertion to an X.509 proxy certificate
- The same X.509-bound SAML token can be transmitted at the transport level or the message level (using the WS-Security X.509 Certificate Token Profile)
- Includes the GridShib Security Framework, a Java API for producing and consuming X.509-bound SAML tokens
- GS-ST is a SAML producer

Slide 19: GS-ST Features
- Easily installed and configured
- Binds arbitrary content (not just SAML) to a non-critical certificate extension
- Multiple output options (SAML, X.509 proxy credential, DER-encoded ASN.1)
- CLI with shell scripts (UNIX and Windows)
- Includes a Java API for portal developers
- Leverages the Globus SAML Library, an enhanced version of OpenSAML 1.1

Slide 20: GS-ST Function
Bind a SAML assertion to a non-critical X.509 v3 certificate extension. We call this an X.509-bound SAML token.

Slide 21 (diagram): The X.509 community credential (Issuer: TeraGrid CA; Subject: Science Gateway; plus private key) is used by grid-proxy-init to issue an X.509 proxy credential (Issuer: Science Gateway; Subject: Science Gateway+; plus private key).

Slide 22 (diagram): As on slide 21, but gridshib-saml-issuer replaces grid-proxy-init: the resulting X.509 proxy credential (Issuer: Science Gateway; Subject: Science Gateway+) additionally carries the X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 holding a SAML assertion about the end user (here, trscavo).

Slide 23: X.509-bound SAML Token
- GridShib SAML Tools produces X.509-bound SAML tokens, a new type of security token that enables attribute-based authorization in X.509-based grids
- The SAML token is bound to a noncritical X.509v3 certificate extension
(Diagram: X.509 Proxy Credential; Issuer: Science Gateway; Subject: Science Gateway+; X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12: trscavo; plus private key.)
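What "bound to a noncritical X.509v3 extension" means at the byte level, as an added example that is not GridShib code. It encodes and decodes only the RFC 5280 Extension structure (SEQUENCE of extnID, optional critical BOOLEAN, extnValue OCTET STRING) under the OID shown on the slide; a real issuer would place this in a proxy certificate and sign it. The choice to wrap the assertion as a UTF8String inside extnValue, and the minimal unsigned SAML payload, are assumptions made for the example.

```python
"""Build and read the X.509v3 extension that carries an X.509-bound SAML
token. Added example, not GridShib code: it encodes/decodes the RFC 5280
Extension structure only (SEQUENCE { extnID OID, critical BOOLEAN DEFAULT
FALSE, extnValue OCTET STRING }). Wrapping the assertion as a UTF8String
inside extnValue is an assumption; the OID is the one on the slide."""
from typing import Tuple

GRIDSHIB_SAML_OID = "1.3.6.1.4.1.3536.1.1.1.12"   # from slides 22 and 23

# Constructed, minimal (unsigned) SAML 1.1 assertion used as the payload.
SAMPLE_SAML = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
               'MajorVersion="1" MinorVersion="1" Issuer="https://gateway.example.org/idp">'
               '<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>trscavo'
               '</saml:NameIdentifier></saml:Subject></saml:AttributeStatement>'
               '</saml:Assertion>')

TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_UTF8STRING, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x0C, 0x30


def _length(n: int) -> bytes:
    """DER length: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                           # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def bind_saml_extension(saml_xml: str, critical: bool = False) -> bytes:
    """Encode the extension. DER forbids encoding a DEFAULT value, so the
    BOOLEAN is present only when critical=True (GridShib uses non-critical)."""
    inner = _tlv(TAG_UTF8STRING, saml_xml.encode("utf-8"))   # assumed inner type
    fields = encode_oid(GRIDSHIB_SAML_OID)
    if critical:
        fields += _tlv(TAG_BOOLEAN, b"\xff")
    fields += _tlv(TAG_OCTET_STRING, inner)
    return _tlv(TAG_SEQUENCE, fields)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def extract_saml_extension(der: bytes) -> Tuple[str, bool, str]:
    """Return (oid, critical, saml_xml). A consumer must ignore an unknown
    non-critical extension and reject an unknown critical one; only the
    GridShib OID is parsed here."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, oid_bytes, pos = _read_tlv(seq, 0)
    if tag != TAG_OID:
        raise ValueError("extnID missing")
    oid = decode_oid(oid_bytes)
    critical = False
    tag, content, pos = _read_tlv(seq, pos)
    if tag == TAG_BOOLEAN:
        critical = content == b"\xff"
        tag, content, pos = _read_tlv(seq, pos)
    if tag != TAG_OCTET_STRING or pos != len(seq):
        raise ValueError("extnValue missing or trailing data")
    if oid != GRIDSHIB_SAML_OID:
        if critical:
            raise ValueError(f"unknown critical extension {oid}")
        return oid, critical, ""            # unknown non-critical: ignored
    tag, xml, pos = _read_tlv(content, 0)
    if tag != TAG_UTF8STRING or pos != len(content):
        raise ValueError("extnValue is not a single UTF8String")
    return oid, critical, xml.decode("utf-8")


if __name__ == "__main__":
    ext = bind_saml_extension(SAMPLE_SAML)
    print(ext.hex())
    print(extract_saml_extension(ext))
```

The non-critical flag is what lets a plain GSI service keep accepting the certificate: a path validator skips extensions it does not recognise unless they are marked critical, so the same proxy works both at a GridShib-enabled service and at an unmodified one.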

Slide 24: WS-Security Token Profiles
- OASIS WS-Security Technical Committee:
  - WSS X.509 Certificate Token Profile [1]
  - WSS SAML Token Profile
- Globus implements the former
- We define a new token type: the X.509-bound SAML Token
- An implementation of [1] automatically handles X.509-bound SAML tokens, because the token is an ordinary X.509 certificate whose extension happens to carry a SAML assertion
- No new wire protocols are needed!

Slides 25–26: Security Tokens
(Diagram.) Three SOAP envelopes, each with a SOAP Header and a SOAP Body:
- X.509 Token: the SOAP Header carries an X.509 certificate
- SAML Token: the SOAP Header carries a SAML assertion
- X.509-bound SAML Token: the SOAP Header carries an X.509 certificate, and the SAML assertion rides inside that certificate (as a certificate extension) rather than as a separate header element

Slide 27: GridShib-enabled GSI
A non-browser user binds a SAML assertion to a proxy certificate and initiates a grid request on her own behalf.

Slide 28: GridShib for GT
- GridShib for GT (GS4GT) is a plug-in for GT 4.x
- GS4GT is compatible with both GT 4.0 and 4.2
- GS4GT is an implementation of a Grid Service Provider, which is analogous to a Shibboleth Service Provider, but for X.509-based grids
- GS4GT is a SAML consumer
- Used together, GridShib SAML Tools and GridShib for GT enable attribute-based access control in Globus-based grids

Slide 29: GS4GT Features
- Introduces attribute-based authorization into GT
- Exposes a single comprehensive policy decision point called the GridShibPDP
- Implements an attribute push model
- Restricts access based on blacklists of IP addresses and/or name identifiers
- Provides attribute-based account mapping
- Supports optional gridmap short-circuiting
- Defines an attribute-based authorization policy language (in XML)

Slide 30: GridShib-enabled GSI
(Diagram.) On the GT4 client, the GridShib SAML Tools take the end-entity credential and issue a proxy credential with a bound SAML assertion; the Globus WS client presents that proxy certificate (with SAML) to the GT4 server. In the Java WS container (with GridShib for GT), the GridShib SAML PIP (policy information point) extracts the SAML, writes it to the logs and populates the security context; the Globus web service then evaluates the blacklist policy and the authorization policy against that context.

Slide 31: GS4GT Configuration Files
- The SAML Entity Map maps SAML issuers to X.509 issuers (entityID_1 → DN_1, entityID_2 → DN_2, …)
- A SAML issuer in this file is trusted
- The SAML Entity Map will be replaced by SAML Metadata (XML)
- The GridShib Blacklist Policy is a list of identifiers (SAML identifiers or subject DNs), one per line
- A user whose identifier is on the blacklist will be denied access
- The flat file blacklist will be replaced by a database table

Slide 32: GS4GT Policy Files
(Diagram.) The Globus gridmap file (DN_1 username_1, DN_2 username_2, …) sits alongside two GridShib files: the GridShib Authz Policy and the GridShib Mapping Policy.

Slide 33: GS4GT Policy Files
- Two separate attribute-based policy files:
  1. Authorization Policy: [A_0, A_1, …, A_{m-1}]
  2. Username Mapping Policy:
     [A_0, A_1, …, A_{m_1-1}] → [user_0, user_1, …, user_{n_1-1}]
     [A_0, A_1, …, A_{m_2-1}] → [user_0, user_1, …, user_{n_2-1}]
     …
- A single XML-based policy file may encapsulate both types of policies
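The decision sequence that slides 29, 31 and 33 describe (blacklist, optional gridmap short-circuit, attribute-based authorization, attribute-based username mapping), as an added example that is not GridShib for GT code and does not reproduce its XML policy language. The reading of "[A_0, …, A_{m-1}]" as a set of required attribute values, with access allowed when any rule is fully satisfied, and the semantics of the gridmap short-circuit (a DN present in the gridmap is accepted and mapped without consulting attributes) are assumptions; the policy, blacklist and security context values are constructed.

```python
"""Evaluate a GS4GT-style request: blacklist first, then (optionally) the
gridmap short-circuit, then the attribute-based authorization and username
mapping policies. Added example, not GridShib code; the rule shapes and the
short-circuit semantics are assumptions, and all data is constructed."""
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Attr = Tuple[str, str]   # (attribute name, one value)


@dataclass
class SecurityContext:
    """What the GridShib SAML PIP would populate from the bound SAML token."""
    issuer_dn: str                   # DN of the proxy's issuer (the community credential)
    name_id: str                     # SAML subject name identifier
    ip_address: str                  # SubjectLocality from the authentication statement
    attributes: Set[Attr] = field(default_factory=set)


@dataclass
class Policy:
    blacklist: Set[str]                                      # name identifiers, IPs or DNs
    authz_rules: List[FrozenSet[Attr]]                       # allow if ANY rule is fully satisfied
    mapping_rules: List[Tuple[FrozenSet[Attr], List[str]]]   # first satisfied rule wins
    gridmap: Dict[str, List[str]] = field(default_factory=dict)
    gridmap_short_circuit: bool = False


def decide(ctx: SecurityContext, policy: Policy,
           requested_user: Optional[str] = None) -> Tuple[bool, Optional[str], str]:
    """Return (allowed, local_username, reason)."""
    # 1. The blacklist applies to every identifier in the context, before any other policy.
    for ident in (ctx.name_id, ctx.ip_address, ctx.issuer_dn):
        if ident in policy.blacklist:
            return False, None, f"blacklisted: {ident}"
    # 2. Optional gridmap short-circuit (assumed semantics): a DN in the gridmap is
    #    accepted and mapped by the gridmap without consulting attribute policy.
    if policy.gridmap_short_circuit and ctx.issuer_dn in policy.gridmap:
        users = policy.gridmap[ctx.issuer_dn]
        user = users[0] if requested_user is None else (requested_user if requested_user in users else None)
        return (user is not None), user, "gridmap short-circuit"
    # 3. Attribute-based authorization: some rule's required attributes must all be present.
    if not any(rule <= ctx.attributes for rule in policy.authz_rules):
        return False, None, "no authorization rule satisfied"
    # 4. Attribute-based username mapping: the first satisfied rule supplies the accounts.
    for required, users in policy.mapping_rules:
        if required <= ctx.attributes:
            if requested_user is None:
                return True, users[0], "mapped by attribute rule"
            if requested_user in users:
                return True, requested_user, "mapped by attribute rule"
            return False, None, f"requested account {requested_user!r} not permitted"
    return False, None, "authorized but no mapping rule matched"


# Constructed sample policy and contexts (values modelled on slide 66).
GATEWAY_DN = "/C=US/O=TeraGrid/OU=Gateways/CN=GISolve Gateway"
MEMBER: Attr = ("isMemberOf", "group://gisolve.org/gisolve")
POLICY = Policy(
    blacklist={"mallory@gisolve.org", "10.81.193.250"},
    authz_rules=[frozenset({MEMBER})],
    mapping_rules=[(frozenset({MEMBER}), ["gisolve", "gisolve_dev"])],
    gridmap={GATEWAY_DN: ["sgw_community"]},
)
# Same RP with gridmap short-circuiting switched on (classic community-account behaviour).
POLICY_LEGACY = replace(POLICY, gridmap_short_circuit=True)


def sample_context(name_id: str = "trscavo@gisolve.org", ip: str = "10.81.193.244",
                   member: bool = True) -> SecurityContext:
    attrs: Set[Attr] = {("mail", "trscavo@gmail.com")}
    if member:
        attrs.add(MEMBER)
    return SecurityContext(GATEWAY_DN, name_id, ip, attrs)


if __name__ == "__main__":
    print(decide(sample_context(), POLICY))
    print(decide(sample_context(name_id="mallory@gisolve.org"), POLICY))
    print(decide(sample_context(member=False), POLICY_LEGACY))
```

The ordering matters for incident response: because the blacklist is consulted before the gridmap short-circuit, an operator can cut off one user or one IP behind a gateway even at an RP that otherwise still maps the gateway to a community account.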

Slide 34: Summary
- Fine-grained, attribute-based authorization
- Introduces X.509-bound SAML tokens
- Works at both the transport level and the message level
- No modifications to GT clients are required
- If the service is not GridShib-enabled, the X.509-bound SAML token is simply ignored (the extension is non-critical, so a standard X.509 path validator skips it)

Slide 35: A Grid Authorization Model for Science Gateways

Slide 36: The Science Gateway Use Case
A browser user authenticates to a grid portal. The portal issues a proxy certificate and initiates a grid request on behalf of the user.

Slides 37–44: Classic Science Gateway
(Diagram: Web Browser → Web Interface (Webapp) at the Science Gateway, authenticating via Web Authn; the gateway's WS GRAM Client holds the community credential and key; the Resource Provider runs the WS GRAM Service in a Java WS Container with a community account.)
1. A science gateway is a convenient intermediary between a browser user and a grid resource provider.
2. Each gateway is issued a community credential that uniquely identifies the gateway.
3. Resource providers associate the community credential with a local community account.
4. To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.
5. The gateway then issues a short-lived proxy credential signed by its community credential.
6. The gateway submits the job on the user's behalf, authenticating as itself to the resource.
7. The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.
8. After the job is executed, the result is returned to the browser user via the gateway web interface.

Slide 45: Community Account Model: The Good
- The Community Account Model:
  - simplifies the user experience
  - simplifies gateway implementation and deployment
  - simplifies gridmap file management at the RP
- A community credential is issued to each gateway
- A single community account is created at the RP
- The gateway issues proxy certificates and makes grid requests on behalf of the user

Slide 46: Community Account Model: The Bad
- The community account model has some significant drawbacks, however:
  - End user identity is unknown to the RP
  - Coarse-grained access control at the resource (by design)
  - Awkward approach to auditing and incident response
  - In the event of an emergency, the RP is forced to disable all access to the community account
  - Less than adequate accounting mechanisms
- All this can be traced to a single problem…

Slide 47: Community Account Model: The Ugly
All requests look exactly the same to the resource provider! If the gateway would only pass the user's name and contact information to the resource provider, all of the previously mentioned problems would be solved.

Slide 48: Grid Authorization Model
- We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider
- Extends the Community Account Model
- Asserts end user identity to the RP
- Permits fine-grained access control at the RP
- Provides strong auditing and effective incident response
- Allows dynamic blacklisting of problem accounts or runaway processes
- A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure
- Complements existing SAML-based middleware infrastructure on today's campuses

Slide 49: Grid Authorization Model
- The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider
- Using GridShib SAML Tools, the gateway
  1. issues a SAML assertion containing the user's authentication context and attributes
  2. binds the SAML assertion to a proxy certificate signed by the community credential
  3. authenticates to the resource by presenting the SAML-laden proxy certificate
- http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf

Slide 50 (diagram): X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway+; plus key) + SAML assertion about trscavo = X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway+; X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12: trscavo; plus key).

Slide 51: GridShib-enabled Science Gateway
A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.

Slides 52–64: Grid Authorization Model for Gateways
(Diagram: Web Browser → Web Interface (Webapp) at the Science Gateway via Web Authn; the gateway's username and attributes feed the GridShib SAML Tools, which hold the community credential and key; the WS GRAM Client presents a proxy credential with bound SAML to the Resource Provider; at the RP, the WS GRAM Service runs in a Java WS Container with GridShib for GT, which writes Logs, fills a Security Context, and consults the Blacklist Policy and the Authz Policy.)
1. An enhancement to the community account model increases the information flow between the gateway and the resource provider.
2. A software component called GridShib SAML Tools is integrated into the gateway portal environment.
3. Another software component called GridShib for GT is deployed at the resource provider.
4. These two GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.
5. Again the browser user authenticates to the gateway by presenting a username and password.
6. This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token.
7. The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail). (X.509 Proxy Credential; Issuer: Science Gateway; Subject: Science Gateway+; X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12: trscavo.)
8. The gateway authenticates as itself to the resource provider, presenting the proxy certificate with the bound SAML token.
9. GridShib for GT extracts the SAML token from the proxy certificate, parses it, and writes the information to a log file.
10. The security information in the SAML token is also used to populate a SAML security context within the container.
11. The service compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.
12. The service combines the information in the security context with its access control policy, allowing access if and only if the policy is satisfied.
13. As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.

Slide 65: GridShib-enabled Science Gateway
- Simple installation and configuration of GridShib SAML Tools at the gateway
  - Includes the GridShib Security Framework
  - Exposes both a command-line interface and a Java API
- End user identity and contact information (e.g., e-mail) transmitted to the RP
- Pushes much of the responsibility for auditing and incident response back onto the RP
- Big Advantage: no need to shut down the entire gateway in the event of an incident!

Slide 66: User Attributes
- Gateway entityID: https://gridshib.gisolve.org/idp
- Subject name identifier: trscavo@gisolve.org
- Authentication statement:
  - authentication method: urn:oasis:names:tc:SAML:1.0:am:password
  - authentication instant: 2007-08-02T12:10:34-0400
  - IP address: 10.81.193.244
- Attribute statement:
  - isMemberOf attribute: group://gisolve.org/gisolve
  - mail attribute: trscavo@gmail.com

Slide 67: Configuring GridShib SAML Tools
- Some information in the SAML token is static
- Each gateway provides a configuration file that customizes the static content of each token
- http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

    IdP.entityID=https://gridshib.gisolve.org/idp
    NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
    NameID.Format.template=%PRINCIPAL%@gisolve.org
    Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
    Attribute.isMemberOf.Value=group://gisolve.org/gisolve

Slide 68: JAR Dependencies
- Java developers have the following JAR dependencies
- Copy these JARs to WEB-INF/lib
- Endorse! (i.e., the XML JARs, xalan.jar, xercesImpl.jar and xml-apis.jar, are meant to go in the JVM's or container's endorsed directory so that they override the JDK's bundled versions)

    cog-jglobus.jar
    commons-codec-1.3.jar
    commons-logging.jar
    globus-opensaml-1.1.jar
    gridshib-common-0_4_2.jar
    jce-jdk13-131.jar
    log4j-1.2.8.jar
    xalan.jar
    xercesImpl.jar
    xml-apis.jar
    xmlsec-1.2.1.jar

Slide 69: Creating the X.509-bound SAML Token
- Other content in the SAML token is dynamic
- GridShib SAML Tools provides a Java API that a gateway developer can use to issue SAML tokens with dynamic content
- http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

    // Java snippet from the slide; import statements were not shown on the slide.
    // GlobusCredential is the jglobus class org.globus.gsi.GlobusCredential.
    GlobusCredential issuingCredential = ...;   // the gateway's community credential (key + chain)

    // The authenticated browser user's principal name becomes the SAML subject
    GatewayCredential gc = new GatewayCredential("trscavo");
    gc.setCredential(issuingCredential);          // the proxy is signed by the community credential
    gc.addEmailAddress("trscavo@gmail.com");      // contact attribute pushed to the RP

    // compute authnMethod, authnInstant, and ipAddress from the web login...
    gc.setAuthnContext(authnMethod, authnInstant, ipAddress);

    // Issue the proxy certificate with the SAML assertion bound to it
    GlobusCredential proxy = gc.issue();

Slide 70: GridShib-enabled Resource Provider
- The end user and the end user's contact information (and other attributes) are logged
- Effective auditing and incident response
- Blacklist an IP address or name identifier on demand
- Exposes a SAML security context
- Fine-grained, attribute-based access control

Slide 71: Comparison with VOMS
- Virtual Organization Membership Service
- The most successful grid authorization model today
- VOMS binds X.509 attribute certificates (instead of SAML) to proxy certificates
- VOMS requires the requester to be the subject; VOMS will not issue an AC to a requester acting on behalf of the subject
- Therefore, a gateway cannot call out to a VOMS server to obtain attributes for a user
- Conclusion: VOMS cannot be used as a basis for gateway security

Slides 72–78: Integration with TeraGrid Central Database
(Diagram: at the Resource Provider, the GridShib SAML PIP and the WS GRAM Service in the Java WS Container (with GridShib for GT) write to Logs, a Security Context, a Security table and a GRAM audit table; an AMIE upload pushes the joined records to the TGCDB.)
1. The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.
2. Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.
3. First, the security context associated with each incoming request is captured in a security table.
4. Likewise the disposition of every job request is captured in an enhanced GRAM audit table.
5. An AMIE process joins these two tables and pushes an information packet to the TeraGrid Central Database.
6. A gateway can query the TGCDB for individual accounting records, permitting fine-grained accounting at the gateway.
7. TeraGrid administrators can query the TGCDB for aggregate accounting data for the purposes of NSF reporting and planning.

Slide 79: Gateway Job Accounting (diagram courtesy of Stu Martin)
(Diagram: a GT4 Java Container with Delegation, MEJS, MJFS, RFT and SEG; a Resource Manager (RM) with RM adapter, RM log and RM accounting, invoked via sudo to run the user's job(s); Core, RFT, Delegation and GRAM audit tables at the TeraGrid Resource Provider feed local AMIE accounting, which uploads to the central TG accounting DB; OGSA-DAI fronts the audit and accounting DBs.) Flow: the client/gateway creates a job, gets an EPR and controls the job with the EPR; the RP locally converts the EPR to a Grid JID; the gateway queries using the Grid JID and receives the accounting record, keyed by the unique user ID. No changes are required to AMIE; DAI provides virtualization for the audit and accounting DBs.

Slide 80: Benefits of TGCDB Integration
- The gateway can query the TGCDB (via OGSA-DAI) and implement local, fine-grained accounting mechanisms
- TeraGrid administrators can obtain aggregate accounting data for NSF reporting and planning

Slide 81: TeraGrid Deployment Strategy
1. GridShib SAML Tools at the Gateway
   http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
2. GridShib for GT at the RP: integrate GS4GT into CTSS4
3. Integrate with TeraGrid Central Database: retrofit GRAM 4.0 Audit with end user identity; assist with the design and implementation of GRAM 4.2 Audit (in particular, the security table)

Slide 82: A Federated Identity Model for Science Gateways

Slide 83: Federated Identity
- The long term vision is to introduce federated identity at the science gateway
- Shibboleth, an open-source implementation of the SAML Browser Profiles, provides:
  - Ubiquity
  - Manageability
  - Usability
  - Security
- Since Shibboleth is based on SAML, our model complements existing campus infrastructure

Slides 84–92 (diagram sequence)
(Diagram: as on slides 52–64, with a SAML Identity Provider and a SAML Service Provider added in front of the gateway's Web Interface.)
1. It is well known that password management at the gateway is a significant administrative burden for both the gateway and the end user.
2. To avoid having to manage passwords at the gateway, we propose a federated identity solution on the browser-facing side of the gateway.
3. A third-party Identity Provider on each campus manages user identity and credentials.
4. The gateway, which is protected by a Service Provider, trusts the Identity Provider to authenticate the browser user.
5. Since we're already invested in SAML on the back end, we prefer an implementation of the standard SAML browser profiles (such as Shibboleth).
6. A browser user authenticates to their preferred campus Identity Provider instead of the science gateway.
7. The SAML Identity Provider issues a SAML token that the user transmits to the gateway via the browser.
8. The SAML Service Provider protecting the gateway consumes the SAML token in lieu of a username/password.
9. The gateway issues a combined SAML token (shown as "SAML+" in the proxy credential) containing both campus attributes and local attributes.

92 http://gridshib.globus.org/ Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes username proxy credential SAML+ Key SAML Service Provider SAML Identity Provider Web Interface Web Browser SAML Assertion The gateway issues a combined SAML token containing both campus attributes and local attributes.

93 http://gridshib.globus.org/ Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP proxy certificate GridShib SAML Tools community credential Key SAML+ WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes username proxy credential SAML+ Key SAML Service Provider SAML Identity Provider Web Interface Web Browser SAML Assertion The gateway authenticates as itself to the resource provider, presenting the combined X.509- bound SAML token.

94 http://gridshib.globus.org/ Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP proxy certificate GridShib SAML Tools community credential Key SAML+ WS GRAM Service Logs Java WS Container (with GridShib for GT) Security Context Webapp attributes username proxy credential SAML+ Key SAML Service Provider SAML Identity Provider Web Interface Web Browser SAML Assertion Since the gateway did not authenticate the end user directly, the resource provider must decide if it trusts the combined SAML token.

95 http://gridshib.globus.org/ Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP proxy certificate GridShib SAML Tools community credential Key SAML+ WS GRAM Service Logs Java WS Container (with GridShib for GT) Security Context Webapp attributes username proxy credential SAML+ Key Authz Policy Blacklist Policy SAML Service Provider SAML Identity Provider Web Interface Web Browser SAML Assertion In the case of federated identity, access control policy at the resource provider is more complex since a third security domain is involved.

96 http://gridshib.globus.org/ Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib SAML PIP proxy certificate GridShib SAML Tools community credential Key SAML+ WS GRAM Service Logs Java WS Container (with GridShib for GT) Security Context Webapp attributes username proxy credential SAML+ Key Authz Policy Blacklist Policy SAML Service Provider SAML Identity Provider Web Interface Web Browser SAML Assertion SAML Web Browser SSO closes the loop for complete end-to-end flow of security information

97 http://gridshib.globus.org/ Federated Identity Model for Gateways Shib-enabled Grid Portal GridShib-enabled Grid Client Shibboleth SSO Service GridShib-enabled Attribute Service GridShib- enabled Grid SP Browser X.509 proxy certificate SAML response C D A B X.509 proxy credential SAML Key X.509 end entity credential Key Shibboleth Identity Provider TeraGrid Science Gateway SAML Assertion SAML Request X.509 SAML Request
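As an added example (not GridShib code or the authors' implementation), the following Python sketches the resource-provider decision described on slides 93 through 96: accept the gateway-issued combined token only from a trusted gateway, apply a blacklist policy to the campus identity, apply an attribute-based authorization policy, and emit an audit record. The issuer, the urn:example:gateway:* attribute names and the assertion contents are constructed, and the token's signature and X.509 binding are assumed to have been verified already by the WS container.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # eduPersonPrincipalName, the campus attribute
GW_USER = "urn:example:gateway:username"    # hypothetical names for the gateway-local attributes
GW_IP = "urn:example:gateway:client-ip"
# Constructed sample of the combined token: one campus attribute plus two gateway-local ones.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c1" IssueInstant="2008-06-11T17:00:00Z">
  <saml:Issuer>https://gateway.example.org/saml</saml:Issuer>
  <saml:Subject><saml:NameID>community-user</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-06-11T17:00:00Z" NotOnOrAfter="2008-06-11T21:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>alice@campus.example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:example:gateway:username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:example:gateway:client-ip"><saml:AttributeValue>192.0.2.10</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    """Return (issuer, Conditions attributes, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    return (root.findtext("saml:Issuer", namespaces=NS),
            dict(cond.attrib) if cond is not None else {}, attrs)

def decide(xml_text, now_iso, trusted_gateways, blacklist, allowed_scopes):
    """Gateway trust, then blacklist, then attribute authz; signature/X.509 binding assumed checked."""
    issuer, cond, attrs = parse_assertion(xml_text)
    if issuer not in trusted_gateways:                     # is this gateway trusted at all?
        return "deny", f"untrusted gateway issuer {issuer}"
    if "NotOnOrAfter" in cond and _ts(now_iso) >= _ts(cond["NotOnOrAfter"]):
        return "deny", "token expired"
    eppn = (attrs.get(EPPN) or [None])[0]
    if eppn is None:
        return "deny", "no campus identity in token"
    if eppn in blacklist:                                  # incident-response blacklist policy
        return "deny", f"blacklisted user {eppn}"
    scope = eppn.rsplit("@", 1)[-1]
    if scope not in allowed_scopes:                        # attribute-based access control policy
        return "deny", f"campus {scope} not authorized"
    # Audit record tying the three domains together: campus identity, gateway user, client IP.
    return "permit", (f"audit gateway={issuer} eppn={eppn} gateway_user="
                      f"{(attrs.get(GW_USER) or ['?'])[0]} ip={(attrs.get(GW_IP) or ['?'])[0]}")
```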

98 Birds-of-a-Feather Session

99 Discussion Topic #1
• Is your gateway infrastructure built on a JEE portal framework?
• If so, which one?
• If not, what application server do you use?

100 Discussion Topic #2
• Is your gateway security framework built on the community credential model?
• If not, describe your security framework.

101 Discussion Topic #3
• Do you use MyProxy?
• If not, is the community credential stored in the file system?

102 Discussion Topic #4
• In your application server environment, how easy is it to obtain the following information:
  • Username
  • Authentication instant
  • IP address
  • E-mail address
• Does your portal framework provide an API to obtain this information or do you have to query a database?

103 Discussion Topic #5
• Does your gateway control its own DNS domain?
• If not, what is the URL of your gateway?

104 Summary
• Using GridShib SAML Tools, science gateways send user attributes to resource providers
• Using GridShib for GT, resource providers use these attributes to perform auditing, incident response, and attribute-based access control
• The TeraGrid central database captures TeraGrid-wide accounting data

105 Acknowledgments
• GridShib Project PIs
  • Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
• GridShib Developers
  • Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim Freeman, Raj Kettimuthu, Tom Scavo
• The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.
• The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.
Thank You!
