1 / 23

Von Welch vwelch@ncsa.uiuc

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005. Von Welch vwelch@ncsa.uiuc.edu. What is GridShib.

aspen
Download Presentation

Von Welch vwelch@ncsa.uiuc

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. GridShib:Campus/Grid RBAC IntegrationGGF15 Workshop: Leveraging Site Infrastructure for Multi-Site GridsOctober 3th, 2005 Von Welch vwelch@ncsa.uiuc.edu

  2. What is GridShib • NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit • Funded under NSF award SCI-0438424 • GridShib team: NCSA, U. Chicago, ANL • Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch • Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team GGF15

  3. Motivation • Many Grid VOs are focused on science or business other than IT support • Don’t have expertise or resources to run security services • Allow for leveraging of Shibboleth code and deployments run by campuses GGF15

  4. Outline • Overview of Shibboleth • Overview of Globus/Grid PKI • Approach • Status and Future Plans GGF15

  5. Campus Infrastructure Attributes Example U. Identities GGF15

  6. Example U. Student? Check out book… Access student records… Is student John Smith? GGF15

  7. Ersatz State Example U. Privacy Check out book… Different protocols Different Schemas GGF15

  8. Shibboleth • http://shibboleth.internet2.edu/ • Internet2 project • Allows for inter-institutional sharing of web resources (via browsers) • Provides attributes for authorization between institutions • Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’ • Standards-based (SAML) • Being extended to non-web resources GGF15

  9. Uses SAML to express Identity and attributes to Allow for interoperability Ersatz State SAML Authn/Authz Shibboleth Uses short-lived identifiers To protest privacy of users. GGF15

  10. Example U. Ersatz State Pseudonymous Identifier Is a student Shibboleth Check out book… Pseudonymous Identifier GGF15

  11. Shibboleth • Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services • SSO: authenticates user locally and issues authentication assertion with Handle • Assertion is short-lived bearer assertion • Handle is also short-lived and non-identifying • Handle is registered with AA • Attribute Authority responds to queries regarding handle GGF15

  12. Shibboleth • Service Provider composed of Assertion Consumer and Attribute Requestor • Assertion Consumer parses authentication assertion • Attribute Requestor: request attributes from AA • Attributes used for authorization • Where Are You From (WAYF) service determines user’s Identity Provider GGF15

  13. Shibboleth (Simplified) SAML Shibboleth IdP Shibboleth SP LDAP (e.g.) AA AR Attributes Handle SSO ACS WWW Handle GGF15

  14. Globus Toolkit • http://www.globus.org • Toolkit for Grid computing • Job submission, data movement, data management, resource management • Based on Web Services and WSRF • Security based on X.509 identity- and proxy-certificates • Maybe from conventional or on-line CAs • Some initial attribute-based authorization GGF15

  15. Grid PKI • Large investment in PKI at the international level for Grids • TAGPMA, GridPMA, APGridPMA • Dozens of CAs, thousands of users • Really painful to establish • But its working… • And it’s not going way easily GGF15

  16. Integration Approach • Conceptually, replace Shibboleth’s handle-based authentication with X509 • Provides stronger security for non-web browser apps • Works with existing PKI install base • To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible GGF15

  17. Use Cases • Project leveraging campus attributes • Simplest case • Project-operated Shib service • Project operates own service, conceptually easy, but not ideal • Campus-operated, project-administered Shib • Ideal mix, but need mechanisms for provisioning of attribute administration GGF15

  18. GridShib (Simplified) SAML Shibboleth A Attributes DN Grid SSO DN SSL/TLS, WS-Security DN GGF15

  19. Authorization • Delivering attributes is half the story… • Currently have a simple authorization mechanisms • List of attributes required to use service or container • Developing finer-grain authorization for GRAM GGF15

  20. Authorization Plans • Develop authorization framework in Globus Toolkit • Siebenlist et. al. at Argonne • Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions • Work in OGSA-Authz WG to allow for callouts to third-party authorization services • E.G. PERMIS • Convert Attributes (SAML or X509) into common format for policy evaluation • XACML-based GGF15

  21. GridShib Status • Beta release publically available • Drop-in addition to GT 4.0 and Shibboleth 1.3 • Project website: • http://gridshib.globus.org • Very interested in feedback GGF15

  22. Future Plans • Integration of GridShib with MyProxy Online CA • Allow for use of Grid Resources by users without long-term X509 credentials • Collaboration with Jim Basney • Signet/Grouper integration for distributed attribute administration • See Tom Barton’s talk GGF15

  23. Questions? • My email: • vwelch@ncsa.uiuc.edu • Project website: • http://gridshib.globus.org GGF15

More Related