1 / 31

Tools for Grid/Campus Integration: GridShib and MyProxy Internet2 Advanced Camp July 1, 2005

Tools for Grid/Campus Integration: GridShib and MyProxy Internet2 Advanced Camp July 1, 2005. Von Welch vwelch@ncsa.uiuc.edu. Outline. GridShib Overview of Shibboleth and Globus Our Motivation and Use Cases Integration Approach Status MyProxy Overview Local Authn Support. Shibboleth.

gelsey
Download Presentation

Tools for Grid/Campus Integration: GridShib and MyProxy Internet2 Advanced Camp July 1, 2005

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tools for Grid/Campus Integration:GridShib and MyProxyInternet2 Advanced CampJuly 1, 2005 Von Welch vwelch@ncsa.uiuc.edu

  2. Outline • GridShib • Overview of Shibboleth and Globus • Our Motivation and Use Cases • Integration Approach • Status • MyProxy • Overview • Local Authn Support I2 Advanced CAMP

  3. Shibboleth • http://shibboleth.internet2.edu/ • Internet2 project • Allows for inter-institutional sharing of web resources (via browsers) • Provides attributes for authorization between institutions • Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’ • Standards-based (SAML) • Being extended to non-web resources I2 Advanced CAMP

  4. Shibboleth • Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services • SSO: authenticates user locally and issues authentication assertion with Handle • Assertion is short-lived bearer assertion • Handle is also short-lived and non-identifying • Handle is registered with AA • Attribute Authority responds to queries regarding handle I2 Advanced CAMP

  5. Shibboleth • Service Provider composed of Assertion Consumer and Attribute Requestor • Assertion Consumer parses authentication assertion • Attribute Requestor: request attributes from AA • Attributes used for authorization • Where Are You From (WAYF) service determines user’s Identity Provider I2 Advanced CAMP

  6. Shibboleth (Simplified) SAML Shibboleth IdP Shibboleth SP LDAP (e.g.) AA AR Attributes Handle SSO ACS WWW Handle I2 Advanced CAMP

  7. Globus Toolkit • http://www.globus.org • Toolkit for Grid computing • Job submission, data movement, data management, resource management • Based on Web Services and WSRF • Security based on X.509 identity- and proxy-certificates • Maybe from conventional or on-line CAs • Some initial attribute-based authorization I2 Advanced CAMP

  8. Motivation • Many Grid VOs are focused on science or business other than IT support • Don’t have expertise or resources to run security services • Allow for leveraging of Shibboleth code and deployments run by campuses I2 Advanced CAMP

  9. Use Cases • Project leveraging campus attributes • Simplest case • Project-operated Shib service • Project operates own service, conceptually easy, but not ideal • Campus-operated, project-administered Shib • Ideal mix, but need mechanisms for provisioning of attribute administration I2 Advanced CAMP

  10. Integration Approach • Conceptually, replace Shibboleth’s handle-based authentication with X509 • Provides stronger security for non-web browser apps • Works with existing PKI install base • To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible I2 Advanced CAMP

  11. GridShib (Simplified) SAML Shibboleth A Attributes DN Grid SSO DN SSL/TLS, WS-Security DN I2 Advanced CAMP

  12. Integration Areas • Assertion Transmission • Attribute Authority Discovery • Distribute Attribute Administration • User Registration • Pseudonymous Interaction • Authorization I2 Advanced CAMP

  13. Assertion Transmission • How to get SAML assertions from AA into Globus? • Initially: Pull mode with Globus acting as a Shibboleth Attribute Requestor • Will explore Pull modes to help with privacy and role combination • Implement Grid Name Mapper to map X509 DNs to local identities used to obtain attributes I2 Advanced CAMP

  14. Attribute Authority Discovery • No interactive WAYF service in the Grid • Place identifier of Identity Provider in cert • Either in long-term EEC or short-term Proxy Cert • Will explore pushing attributes • Avoids the problem • Might also address combined attributes from multiple AAs I2 Advanced CAMP

  15. Distributed Attribute Administration • Campus is ideal for running services, but may not know all attributes of users • How does a campus issue attributes for which it is not authoritative? • E.g. IEEE Membership of staff • In Grid case, Project Membership • This may be the largest hurdle due to social, political and/or legal issues • Need accepted cookbook for process • Plan on exploring signet • http://middleware.internet2.edu/signet/ I2 Advanced CAMP

  16. Getting Attributes into a Site’s Attribute Authority SIS Person Registry Loaders Attribute Authority HR Shib/ GridShib Core Business Systems Group Registry LDAP Grouper UI On-site Authorities uid: jdoe eduPersonAffiliation: … isMemberOf: … eduPersonEntitlement: … Privilege Registry Signet UI using Shibboleth Off-site Authorities I2 Advanced CAMP

  17. User Registration • How does the mapping from the User’s X509 DN to local Campus identity get made in NameMapper configuration? • In initial version, this will be manual process • Yes, far from ideal • We envision • Something akin to a registration service that authenticates user’s X509 and local credentials and puts mapping in automatically • Or a portal that hides all the X509 from the user and also handles this mapping • E.g. PURSE, GAMA I2 Advanced CAMP

  18. Pseudonymous Interaction • How to maintain Shibboleth pseudonymous functionality with X509? • Will develop online CA that issues certificates with non-identifying DNs • Register with AA just as SSO • Basically holder-of-key assertions I2 Advanced CAMP

  19. Authorization • Develop authorization framework in Globus Toolkit • Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions • XACML used for expressing gathered identity, attribute and policy information • Convert Attributes into common format for policy evaluation • Allows for common evaluation of attributes expressed in SAML and X509 (and others…) I2 Advanced CAMP

  20. GridShib Status • Testing initial version internal to project • Will be a drop-in addition to GT 4.0 and Shibboleth 1.3 • Plan on releasing Beta version 2-3 weeks after Shibboleth 1.3 is released • Looking for interested testers • Project website: • http://grid.ncsa.uiuc.edu/GridShib/ I2 Advanced CAMP

  21. Acknowledgements and Details • NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit • Funded under NSF award SCI-0438424 • GridShib team: NCSA, U. Chicago, ANL • Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch • Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team I2 Advanced CAMP

  22. MyProxy Enhancements for Local Integration Bill Baker, Jim Basney and Von Welch NCSA

  23. What is MyProxy? • Independent Globus Toolkit add-on since 2000 • To be included in Globus Toolkit 4.0 • A service for securing private keys • Keys stored encrypted with user-chosen password • Keys never leave the MyProxy server • A service for retrieving proxy credentials • A commonly-used service for grid portal security • Integrated with OGCE, GridSphere, and GridPort, PURSE, GAMA I2 Advanced CAMP

  24. CA User Proxy Credentials • RFC 3820: Proxy Certificate Profile • Associate a new private key and certificate with existing credentials • Short-lived, unencrypted credentials for multiple authentications in a session • Restricted lifetime in certificate limits vulnerability of unencrypted key • Credential delegation (forwarding) without transferring private keys signs signs Proxy A signs Proxy B I2 Advanced CAMP

  25. Proxy Delegation Delegator Delegatee 1 2 Generate new key pair Proxy certificate request 3 Sign new proxy certificate 4 Proxy Proxy Proxy I2 Advanced CAMP

  26. MyProxy System Architecture MyProxy client Store proxy MyProxy server Retrieve proxy Proxy delegation over private TLS channel Credentialrepository I2 Advanced CAMP

  27. MyProxy: Credential Mobility Obtain certificate tg-login.ncsa.teragrid.org ca.ncsa.uiuc.edu Store proxy myproxy.teragrid.org tg-login.caltech.teragrid.org Retrieve proxy tg-login.sdsc.teragrid.org tg-login.uc.teragrid.org I2 Advanced CAMP

  28. MyProxy and Grid Portals MyProxy server Portal Fetch proxy Login GridFTP server Access data I2 Advanced CAMP

  29. MyProxy and PAM • MyProxy now has ability to use PAM for authentication • As a replacement for locally-stored password • Users can use existing authentication mechanism to access Grid Credentials • Has been tested with PAM modules for LDAP, Kerberos, OTP (CryptoCard) via RADIUS I2 Advanced CAMP

  30. LTER Grid Example LTER Portal LDAP Username & Password MyProxy server Creds Proxy PAM LTER LDAP Job Submission GridFTP I2 Advanced CAMP

  31. Status • PAM Support in MyProxy v2.0 which is released • Available at http://myproxy.ncsa.uiuc.edu • Pam-specific documentation: • http://grid.ncsa.uiuc.edu/myproxy/pam.html • PAM enhancements funded by NMI Grids Center I2 Advanced CAMP

More Related