Attribute-based Authentication for Gateways
Jim Basney, Terry Fleury, Stuart Martin, JP Navarro, Tom Scavo, Jon Siwek, Von Welch, Nancy Wilkins-Diehr
Gateway Objectives for PY4 and 5
• TeraGrid integration will be straightforward for new and existing gateway developers
• There will be a set of easy-to-discover general services provided by and for Gateways
• The targeted support program will be well-organized
• We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users
• There will be a funded cross-directorate gateway program at the NSF
Presented December, 2007
We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users
• A unique identifier for each end gateway user per community account must exist in TGCDB
• Gateways will need to transmit, and TGCDB will need to receive, this additional identifier through any job submission mechanism
• Attribute-based authentication in production and easy to use
How will we meet those goals?
• Attribute-based authentication
  • In our case, GridShib for Globus
  • Fantastic documentation and assistance. Thanks Jim Basney, Tom Scavo, Terry Fleury
  • http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
• From the April, 2009 TeraGrid review panel
  • “The TG has stated the goal of switching to an attribute-based authentication mechanism for all Gateways by September of 2009. The panel recommends that every effort be made to complete this work on schedule.”
How will this be made available at RP sites?
science-gateway CTSS kit, which includes
• commsh
  • NCSA-developed, PSC-enhanced tool to restrict community accounts
  • http://teragridforum.org/mediawiki/index.php?title=Community_Shell
• GridShib for Globus Toolkit
  • NCSA-developed tool to collect, process, store and log attributes
  • Future TG-specific efforts will store these in the TGCDB
  • http://gridshib.globus.org/
• Installation instructions
  • http://software.teragrid.org/pacman/ctss4/ctss-science-gateway-registration/README.install
Ambitious, but achievable goal
• By September, 2009 all jobs submitted by community accounts will include attributes with unique user identifiers to be stored in the TGCDB
• Next steps
  • RP testing through Feb 2009
  • Globus Toolkit 4.0.9 released Feb 2009
  • Capability Kit V2 released Mar 2009
  • Production installations of Capability Kit V2
  • 6-month gateway transition – March through August
    • News postings, education process, log analysis to identify who still needs to make the switch, lots of support
  • Big party in September!
Presented January, 2009
What’s happened between January and now?
• One word - GRAM5
  • http://dev.globus.org/wiki/GRAM/GRAM5
• Two words – party delayed
• GRAM5 replacing GRAM2 (aka pre-WS GRAM)
  • AAAA changes incorporated only in GRAM5 since GRAM2 is being retired
  • ssh support only in GRAM5
  • So, now we must wait for a production version of GRAM5 before we have attribute support for pre-WS GRAM and ssh
GRAM5 timeline
• Alpha versions installed
  • QueenBee and Abe, thanks!
• Sept 15, 2009 news posted about GRAM5 availability for testing
  • http://news.teragrid.org/view-item.php?item=4266
• Steps to TeraGrid availability
  • Globus staff completes GT 5.0.0 (December 2009)
  • VDT patching and verification (Alain Roy, 1-2 wks)
  • GIG staff completes TeraGrid packaging (1-2 wks)
  • ADs plan TG-wide deployment
    • NOS (and RPs), UFP, software-wg, user services, gateways
Additional info
• Also need site-local accounting scripts to send attributes to TGCDB
  • RP accounting staff
• Who’s already done?
  • NICS has installed GT4 with attributes
    • Thank you Victor and Rick
  • Thank you Matthew at NCAR for attribute support in the AMP gateway, which is running on Kraken
• Early “attribute-enhanced” GT4 install experiences
  • A novice RP should set aside maybe 1 week to do the entire install (being very generous), and an expert GRAM4 admin should be able to do the entire install in 2 days
• Side note
  • Jon Siwek replaces Tom Scavo supporting this effort at NCSA
  • Thanks for replacing such a key team member promptly
Gateway User Count
Science Gateways add user attributes to the community credential and deliver those attributes to the Resource Provider, where they are logged and used for blacklisting.
[Diagram: Science Gateway side – Web Browser, Web Interface (WebAuthn), Webapp, GridShib SAML Tools, WS GRAM Client, community credential, proxy credential, SAML, username, Key. Resource Provider side – Java WS Container (with GridShib for GT), WS GRAM Service, Security Context, proxy certificate, attributes, Blacklist, Policy, Logs, Key.]
Quarterly Meeting
Gateway User Count
The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.
Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.
[Diagram: Resource Provider – Java WS Container (with GridShib for GT), WS GRAM Service, Security Context, Blacklist, Policy, Logs, GRAM audit table, Security table; AMIE upload to TGCDB.]
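To make the resource-provider side of the two diagrams above concrete, here is an added example (not code from the slides or from GridShib) that models what an RP does once each community-account job carries a gateway user attribute: admit or refuse a request against a per-user blacklist, count unique end users per community account for TGCDB, total CPU hours per user, and flag community accounts still submitting without the attribute (the log analysis the transition plan calls for). The record layout, field names and all sample values are constructed for this example and are not the real GRAM audit table schema.

```python
from collections import defaultdict

# Constructed sample of per-job records as an RP might log them after GridShib
# for GT has extracted the gateway user attribute from the community credential.
# Field names are an assumption for this example, not the GRAM audit schema.
# gateway_user is None when a gateway has not yet switched to attribute-based
# submission.
AUDIT_RECORDS = [
    {"community_account": "gisolve", "gateway_user": "alice", "cpu_hours": 12.0},
    {"community_account": "gisolve", "gateway_user": "bob",   "cpu_hours": 3.5},
    {"community_account": "gisolve", "gateway_user": "alice", "cpu_hours": 8.0},
    {"community_account": "renci",   "gateway_user": "carol", "cpu_hours": 40.0},
    {"community_account": "renci",   "gateway_user": None,    "cpu_hours": 5.0},
]

# Hypothetical blacklist policy: (community account, gateway user) pairs an RP
# has blocked during incident response without disabling the whole account.
BLACKLIST = {("gisolve", "mallory")}

def admit(community_account, gateway_user, blacklist=BLACKLIST):
    """RP-side admission decision for one job request; returns (admitted, reason).

    A request with no gateway user attribute is refused because it cannot be
    attributed to an end user, and therefore cannot be counted or blacklisted.
    """
    if not gateway_user:
        return False, "missing gateway user attribute"
    if (community_account, gateway_user) in blacklist:
        return False, "blacklisted"
    return True, "ok"

def gateway_user_count(records):
    """Unique end users per community account, the figure TGCDB needs."""
    users = defaultdict(set)
    for rec in records:
        if rec["gateway_user"]:
            users[rec["community_account"]].add(rec["gateway_user"])
    return {acct: len(names) for acct, names in users.items()}

def usage_by_user(records):
    """CPU hours per (community account, gateway user). Unattributed jobs are
    bucketed under None so their share of a community account stays visible."""
    totals = defaultdict(float)
    for rec in records:
        totals[(rec["community_account"], rec["gateway_user"])] += rec["cpu_hours"]
    return dict(totals)

def unattributed_accounts(records):
    """Community accounts that still submit jobs without a user attribute."""
    return sorted({r["community_account"] for r in records if not r["gateway_user"]})
```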
Gateway kit installed at 4 sites today
http://www.teragrid.org/userinfo/software/ctss_results.php
• Installed on
  • Abe
  • Lonestar
  • NCSA IA64 (testing)
  • Kraken
  • QueenBee
  • Condor (testing)
  • Steele (testing)
• Not installed on
  • Lincoln
  • Cobalt
  • Big Red
  • Ranch
  • Spur
  • Pople
  • BigBen
  • ORNL cluster
  • Frost
Sites to target
• Sites available after 3/31/10
  • Lincoln
  • Cobalt
  • Big Red
  • Ranch
  • Spur
  • Pople
  • BigBen
  • ORNL cluster
  • Frost
• New systems
  • Track 2 C, D
  • XD vis/data systems at NICS, TACC
  • Others?
Community Account Usage by Site in 2008
Over 2M CPU hours used by community accounts in 2008
Community Account Usage by Site in 2009
New gold star in 2009 for TACC: 69% of all community account usage
Over 8M CPU hours used by community accounts in 2009, 4x that of 2008!
2009 TeraGrid staff activities for reference
• Apr-Jun 2009 Accomplishments
  • Completed GridShib SAML Tools support for accounting integration
    • Obtains gateway user attributes from GRAM Audit DB for inclusion in AMIE packets
  • Demonstrated attribute delivery from GISolve to NCSA GRAM Audit DB
  • Verified attribute integration in RENCI Gateway
  • CTSS Science Gateway Kit deployed in production at LONI and TACC
• Jul-Sep 2009 Plans
  • Develop support for SSH-based gateways
  • Assist with testing GRAM2/GRAM5 attribute support
  • Improve test site (http://gstest.ncsa.uiuc.edu/) to support GRAM2/GRAM5 submissions and test GRAM Audit
  • Support gateway delivery of attributes to RPs
  • Support deployment of Science Gateway Kit at RPs
  • Support AMIE integration by RP accounting administrators
Jul-Sep 2009 Accomplishments
• Developed and documented support for SSH-based gateways
  • http://teragridforum.org/mediawiki/index.php?title=Gateway-Submit-Attributes
• Assisted with testing GRAM5 deployment with gateway attribute support on QueenBee
• Supported AMIE integration of gateway attribute support by RP accounting administrators on account-wg conference call and email list
• Updated test site (http://gstest.ncsa.uiuc.edu/) to support gateway tests using GRAM5 and provide clearer test results to gateway developers
Oct-Dec 2009 Plans
• Assist with inclusion of GRAM5 and SSH support for gateway attributes in CTSS
• Support gateway delivery of attributes to RPs (19 of 24 gateways remain)
  • Current status at: http://teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
• Support deployment of Science Gateway Kit at RPs
  • Current status at: http://info.teragrid.org/web-apps/html/kit-reg-v1/science-gateway.teragrid.org-4.2.0/
• Support AMIE integration by RP accounting administrators
  • NICS in progress; integration at other RPs pending
Next steps
• Planning for GT 5.0.0 update on TeraGrid
  • Area directors
• Continued work on site-local accounting scripts to send attributes to TGCDB
  • RP accounting staff
• After GT5 install, continue to work with gateways on attribute incorporation
  • Nancy, Jon
• PY6 plans include nifty accounting tools from TACC to allow gateways to monitor per-user usage