350 likes | 498 Views
The VOMS Attribute Authority and its relation with Shibboleth. Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007. What is VOMS. VOMS is… An Attribute Authority. A VO Management System. A source of trust for authorization. VOMS is not… A policy system.
E N D
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8th TF-EMC2 Meeting Firenze, March 2007
What is VOMS • VOMS is… • An Attribute Authority. • A VO Management System. • A source of trust for authorization. • VOMS is not… • A policy system. • An AuthN/AuthZ framework.
VOMS: The problem • In a grid environment, VOs tend to be extremely large and change frequently. • Hundreds or even thousands of users. • Sites need to know the users because of the need to prepare local accounts and eventually apply authorization policies. • It is not scalable to manage them by hand
VOMS: The solution • Organize users into groups and grant them roles. • Allows for full RBAC authorization. • Also, adds other general-purpose attributes.
Who uses VOMS? • Egee • 10 VOs, 2 servers • InfnGrid • 15 VOs, 2 servers • OSG • 29 VOs, ? servers
VOMS Architecture VOMS DB Secure VOMS-ADMIN Secure
What is VOMS-Admin? • A web application that manages the contents of the VOMS database • Used by VO Administrators mainly to • add/remove users to the VO, • put them in VOMS groups, • assign VOMS roles to them • Provides a WSDL interface to its functions • Has a command line client • Has a web-based user interface
What is VOMSd • VOMSd is the component which listens for user requests and creates Attribute Certificates. • All communication is secured and mutually authenticated. • Allows high customization of ACs. • Which roles to present, validity length, targeting, etc…
VOMSd Architecture VOMSd D B B A C K E N D I / O I N T E R F A C E Internal Logic D B I N T E R F A C E
VOMS data format • Attributes (groups, roles, general purpose) returned by VOMS are inserted into an RFC-3281 compliant Attribute Certificate. • The exact profile is described here: • https://forge.gridforum.org/sf/go/doc13797?nav=1 • ACs are the natural choice in a X.509 world. • The grid is a X.509 world. • The provided clients insert the AC in a non-critical extension of the user proxy. • Immediate compatibility with non-VOMS aware software.
What is a proxy? • A proxy is a short-lived certificate that has as issuer a user certificate. • Standardized in RFC 3820. • Commonly used throughout the grid for authentication and authorization purposes.
VOMS clients • The clients provided are command-line based. • But APIs are available in C,C++ and JAVA. • You could write your own client.
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s Subject
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s issuer
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Certificate’s subject
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Type of proxy
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s key strength
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s Location
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s validity
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 VO Name
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Owner’s Data
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Owner’s Group membership
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 General-Purpose attributes
Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 AC validity
Shibboleth Structure WAYF IdP SP
Shibboleth: Protocol Description User Service Provider Wayf Identity Provider
A common misconception: VOMS Shibboleth Shibboleth IdP =
Similarities • VOMS and a Shibboleth IdP both… • Maintain lists of user identities. • Add attributes to user identities. • Offer a way to distribute such attributes.
Shibboleth and Grids: The problem • “The Shibboleth System is NOT usable in non-Browser scenarios (without a lot of hard thinking)” • “Introduction to Shibboleth – Phases of Deployment” Steve Carmody, 2006 Shibboleth Camp • Unfortunately, grid access and usage relies heavily on non-browser access. • Implies that some translation mechanism is necessary for shib users to access a grid.
An example submission Execution Job Job Broker Job Job Data Storage Data
Shibboleth and Grids: The Solution • Insert Shib attributes directly in a VOMS proxy and use said proxy for grid access. • Implemented by VASH • Collaboration by SWITCH and INFN within EGEE. • Details in my colleague’s presentation.
The VOMS team • Vincenzo Ciaschini • vincenzo.ciaschini@cnaf.infn.it • Valerio Venturi • valerio.venturi@cnaf.infn.it • Andrea Ceccanti • andrea.ceccanti@cnaf.infn.it