This document discusses the implementation of single sign-on (SSO) at RAL and DLS, focusing on authentication and integrated identity management. It covers topics such as site authentication, grid authentication, authorization, and terminal access.
Single Sign-on at RAL (and DLS too)
Authentication and Integrated Identity Management
hepsysman, Cambridge, 23 Oct 2006
Contents (approximately)
• Goals
• Current status
• Site authentication
• Grid authentication
• Authorisation
• Terminal access
The Problem
• Integrated Access (Authentication)
• Identity management
• Implemented locally…
• …integrate with future national efforts…
• …and international
What is SSO?
• Central password management
  • Don’t reuse the same password
  • Stored securely in one location
• Central account management
  • ISIS, DLS, CLF – 14500 users
  • Keep up to date
  • User office can add new ones
What is SSO?
• Use account with all resources
  • cf. Grid – certificate used with all grids (well, sort of)
  • Shibboleth, with web resources
• Generally requires consistent attribute management (resp., VOM(S), AAs)
Authentication – web based
• If on-site, use federal id (Active Directory/Kerberos)
• If off-site, use certificate
  • if loaded into browser
  • Otherwise username/password
    • Same as fed username/password
    • Not allowed to store password…
    • System must know these are the same
Account Management
• DLS: Vintela for account management
  • Commercial
  • Accounts and password managed across Windows & Linux
  • PAM module for Linux
  • Allows users to reset passwords &c
Site Authentication
• Microsoft Active Directory (2000/2003)
  • Compatible with Kerberos 5
  • As long as server is MS
• Publishing data
  • “Corporate Data Repository”
  • RFC2307
Grids
• GridPP
  • More complex middleware stack
  • Plain ol’ ssh login
  • Uses VOMS for authorisation
• NGS & SCARF
  • Basic Globus 2.4 toolkit (VDT dist)
  • gsissh login (more later)
  • Basic (Unix group) or no VO mgmt
“Data Grids”
• i.e., SRB (new one will be different?)
• Can use X.509 or username/password
  • Password stored in file in ~
• Not integrated:
  • inQ uses username/password only
  • X.509 must be compiled in
• Integrate with everything else?
  • Separate db column for SRB ids?
Shibboleth
• Site password to common web resources
• Web-resources
  • Depends on http proto (eg redirects)
• SWITCH in EGEE
  • Work on Shibifying middleware, starting with gatekeeper
• Shib2 will be less web-specific
Shibboleth deployment
• SDSS
  • JISC funded, under core middleware programme
  • Early deployment of UK Federation
• UK Federation will encompass all HEI and FEI
• SDSS will become UK Federation
Shibboleth Deployment
• CCLRC has IdP in SDSS
  • Doesn’t cover all site, only ShibGrid project
• ShibGrid? Shibboleth access to Grid
  • Collab ’tween Oxford & CCLRC
• IdP?
  • SSO (password) and AA (attributes)
Shibboleth Deployment
• Shibboleth Service Provider:
  • Portals (for NGS) to access Grid
  • “ShibGrid” project
• MyProxy
  • Used for credential conversion
Java SSH Term
• Written in Java (no, really)
• Standalone – untar and run
• Applet
• xterm
  • Understands (most) ANSI control seqs
Java SSH Term
• Took open source terminal (in sf.net)
• And GSISSH plugin contrib’d from Canada
• Authenticate:
  • With site AD/K5 magic biscuit (see later)
  • Via MyProxy (username/password)
  • Via certificate (private key passphrase)
Java SSH Term
• Picks up magic AD/K5 biscuit
  • Integrated with site Active Directory
  • Callout, no naughty storing passwords
• Works!
  • But only with Java 1.6 for this
• Available in beta
Java SSH Term (architecture diagram): User Interface, MyProxy, ID database, VOMS, SRB, SRM and worker nodes (WN); the terminal window shows “> echo hello world” returning “hello world”.
Java SSH Term – User view
• Use “proper” Grid (X.509) cert
  • Upload a proxy to myproxy once a week
  • Terminal gets proxies where you need them
• Or use a proxy from the built-in CA
  • No need for PKCS#12 PEM conv
  • Or even no need for understanding certs
Java SSH Term – Admin view
• Can shut down vanilla ssh
• Key mgmt is Somebody Else’s Problem™
• Decreased support load… (potentially)
• Must trust a MyProxy CA
  • UK: Tie into CA hierarchy
  • Separate hierarchy for NGS
(planned) UK hierarchy (diagram): Trusted CA (explicit trust) / e-Science ROOT; Accredited CA / e-Science CA; Credential conversion top level; NGS Training and Monitoring; Institutional CC CA (three shown)
Java SSH Term
• Try it!
  • http://www.grid-support.ac.uk/
• Public link may be for the non-AD/K5 one
  • Secret link for the Java 1.6 version
  • Until Java 1.6 is out
  • Email me
User Management
• DLS and ISIS have 14-15000 users
• Already ~6-7000 unique users in DB
• How to establish – and maintain – uniqueness?
• Users get accounts locally
  • Accounts set up by User Office
• Give them Unix UID?
  • RFIO and NFS use 16 bit UID…
Vintela
• Used by Diamond Light Source (synchrotron) – not all of CCLRC/RAL
• Commercial
• Manage user accounts across Linux and Windows
• Uses RFC2307-with-extensions
  • “Make more scalable”
  • Caching daemon makes system scalable
Vintela
• “Active Roles”
  • Users can unlock their own accounts
  • Questions
• Scriptable user creation
• NSS module for NIS
• PAM module calls out to Active Directory
• Support for RH, SuSe, Solaris, HPUX, AIX
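As an added illustration (not from the talk and not Vintela's code), the check an administrator would run over an RFC2307 export before handing out Unix UIDs: it enforces the uniqueness asked for on the User Management slide and the 16-bit limit RFIO and NFS impose. The LDIF records and the `parse_ldif`/`check_posix_accounts` names are constructed for the example.

```python
"""Check RFC2307 posixAccount entries for unique uidNumbers that also fit
in 16 bits, the limit RFIO and NFS impose on the site. Added example; the
LDIF below is constructed (bob collides with alice, carol overflows)."""
UID16_MAX = 0xFFFF  # largest UID RFIO/NFS can represent
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=ac,dc=uk
objectClass: posixAccount
uid: alice
uidNumber: 10001

dn: uid=bob,ou=People,dc=example,dc=ac,dc=uk
objectClass: posixAccount
uid: bob
uidNumber: 10001

dn: uid=carol,ou=People,dc=example,dc=ac,dc=uk
objectClass: posixAccount
uid: carol
uidNumber: 70000
"""
def parse_ldif(text):
    """Blank-line separated LDIF entries -> list of {attr: [values]}.
    Folded and base64 (::) attribute lines are not handled."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
    return entries

def check_posix_accounts(entries):
    """Return {uid: [problem, ...]} for accounts RFIO/NFS could not serve."""
    seen, problems = {}, {}
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        name, errs = e["uid"][0], []
        n = int(e.get("uidNumber", ["-1"])[0])  # missing -> -1, reported below
        if not 0 <= n <= UID16_MAX:
            errs.append(f"uidNumber {n} does not fit in 16 bits (RFIO/NFS)")
        if n in seen:
            errs.append(f"uidNumber {n} already used by {seen[n]}")
        seen.setdefault(n, name)
        if errs:
            problems[name] = errs
    return problems
```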
Future work
• Better database integration (eduPerson)
• Identity management (next slide)
  • Users may have different ids in different contexts?
• Authorisation needed
  • VOMS integration
  • Site attributes, maybe? VO attributes!
  • Combined?
Identity Management – TODO
• Tie together all the identities in central DB
  • Grid certificates
  • Low assurance (credential conversion) certificates
  • SRB identities
  • Tapestore ids
  • Unix user ids
• How to populate with initial data…
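Added example, not code from the talk, of the central identity store this slide asks for, which also gives the web authentication slide its "system must know these are the same" property: any identifier a user presents resolves to one record, and no password is ever stored. The `IdentityRegistry` class, the assurance labels and every principal, DN and uid value are assumptions made for the example.

```python
"""Central identity registry: ties a person's separate identifiers (AD/Kerberos
principal, e-Science X.509 DN, low-assurance credential-conversion DN, SRB id,
tapestore id, Unix uid) to one record, so an on-site Kerberos login and an
off-site certificate login resolve to the same user. Stores identifiers only,
never passwords. Added example; all names are constructed."""
# Identifier kinds and the assurance level each carries; the slides single
# out credential-conversion certificates as low assurance.
KINDS = {"krb5": "site", "x509": "high", "cc-x509": "low",
         "srb": "site", "tapestore": "site", "uid": "site"}

class IdentityRegistry:
    def __init__(self):
        self._users = {}   # canonical user -> {kind: identifier}
        self._index = {}   # (kind, identifier) -> canonical user

    def register(self, user, kind, identifier):
        """Bind an identifier to a user. One (kind, identifier) may never
        resolve to two different people, e.g. a reused Unix uid."""
        if kind not in KINDS:
            raise ValueError(f"unknown identifier kind {kind!r}")
        owner = self._index.get((kind, identifier))
        if owner is not None and owner != user:
            raise ValueError(f"{kind} {identifier!r} already bound to {owner}")
        self._index[(kind, identifier)] = user
        self._users.setdefault(user, {})[kind] = identifier

    def resolve(self, kind, identifier):
        """Map a presented identifier to (canonical user, assurance), or
        None if the site has never seen it."""
        user = self._index.get((kind, identifier))
        return None if user is None else (user, KINDS[kind])

    def same_person(self, a, b):
        """True when two (kind, identifier) pairs belong to one record."""
        ra, rb = self.resolve(*a), self.resolve(*b)
        return ra is not None and rb is not None and ra[0] == rb[0]

    def identifiers(self, user):
        """All identifiers bound to a user (the central DB this slide wants)."""
        return dict(self._users.get(user, {}))

def build_sample_registry():
    """Constructed sample: alice seen four ways, bob only via Kerberos."""
    reg = IdentityRegistry()
    reg.register("alice", "krb5", "alice@FED.EXAMPLE.AC.UK")
    reg.register("alice", "x509", "/C=UK/O=eScience/OU=Example/CN=alice example")
    reg.register("alice", "cc-x509", "/C=UK/O=eScience/OU=CC/CN=alice")
    reg.register("alice", "uid", 10001)
    reg.register("bob", "krb5", "bob@FED.EXAMPLE.AC.UK")
    return reg
```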
Summary
• Terminal access to Grid
  • In production
  • Non-certificate access via myproxy
  • To integrate with CA rollover
  • Handles all grid-proxy-init
• Much of account mgmt solved
• Integrating with future SSO efforts