1 / 17

WebFTS as a first WLCG/HEP FIM pilot

WebFTS is a modular protocol-based tool to transfer files between grid/cloud storages, supported by FTS3 service distributing LHC data. It enables "X509-free" access and utilizes Identity Federation for transparent access. WebFTS architecture integrates IOTA CA, STS, SSO, VOMS, and supports eduGAIN for federated access. The solution requires STS certificate issuance improvement and addresses open issues such as identity association and attribute uniqueness within eduGAIN. Explore the progress achieved with IdF-enabled WebFTS prototype.

hwatts
Download Presentation

WebFTS as a first WLCG/HEP FIM pilot

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WebFTS as a first WLCG/HEP FIM pilot Andrea Manzi Andrey Kiryanov 8th FIM4R meeting

  2. What is WebFTS? • https://webfts.cern.ch • Web based tool to transfer files between grid/cloud storages • Modular protocol support • gsiftp, http(s), xrootd and srm • Cloud extensions: dropbox, CERNBox • Initial development funded by WebFTS as a first WLCG/HEP FIM pilot

  3. Based on FTS3 • FTS3 is the service responsible for distributing the majority of LHC data across the WLCG infrastructure • Low level data movement service, responsible for moving sets of files from one site to another while allowing participating sites to control the network resource usage • Used by LHC VOs + many others VOs part of EGI • ~20PB monthly transfer volume / ~2.2M files per day (WLCG) http://dashb-fts-transfers.cern.ch/ui/ WebFTS as a first WLCG/HEP FIM pilot

  4. “X509 free” access • X509 delegation is needed to let WebFTS access the grid on users behalf • Users make private key available to browser • Not available via browser API • We are trying to replace user certificate delegation with transparent access via Identity Federation (pilot project for WLCG) • The same technology may be used for other types of services, e.g. job submission. WebFTS as a first WLCG/HEP FIM pilot

  5. WebFTS pilot WebFTS as a first WLCG/HEP FIM pilot

  6. Architecture IOTA CA STS IdP IdP IdP IdP CERN SSO VOMS X.509 VOMS SAML SAML Redirect WAYF Credentials Attributes Grid Storage Element WebFTS X.509 VOMS Web Slide adapted from Romain Wartel, GDB Sept 2014

  7. eduGAIN • Built on existing federations and infrastructures • CERN participates in eduGAIN via SWITCHaai • Many NRENs participate in eduGAIN too WebFTS as a first WLCG/HEP FIM pilot 8

  8. IdF and CERN SSO • CERN SSO service is based on Microsoft’s ADFS (Active Directory Federation Services) • In order to benefit from SSO our web server (Apache) needs a special plug-in: • Shibboleth –supported by CERN, widespread solution, supports all possible standards, but not easy to configure. • Mellon – pure SAML2 SP. First integration done via some development versions. Since last week a specific package has been distributed by CERN for SL5/6, so it’s also officially supported. WebFTS as a first WLCG/HEP FIM pilot

  9. What happens when you log-in to SSO? Web browser HTTP session SSO Apache Auth request (redirect) Auth. SAML SSO plug-in SAML Assertion SAML = Security Assertion Markup Language SAML Assertion is essentially a signed list of attributes (name, email, etc.) WebFTS as a first WLCG/HEP FIM pilot

  10. STS • Security Token Service (STS) consumes SAML2 assertions and produces X.509 credentials in return. • STS is an implementation of WS-Trust OASIS standard and it speaks SOAP. • This functionality is based on so-called IOTA CA (Identifier-Only Trust Assurance Certification Authority) that issues short-living (days) X.509 certificates. • At CERN we can get such certificates from “CERN CA” (which is NOT “CERN Grid CA”) – the same that signs EduRoam certificates. WebFTS as a first WLCG/HEP FIM pilot

  11. What’s in all this for WebFTS? STS FTS3 REST API Web browser X.509 certificate SAML2 Assertion (JavaScript context) IOTA CA SAML2 Assertion Auth request SSO Apache Auth request (redirect) SAML2 Auth. SAML2 Assertion SSO plug-in WebFTS as a first WLCG/HEP FIM pilot

  12. Next steps • The way STS issues certificates has to change. Basically STS has more than one mode of operation: • It can generate a key pair, sign it with a CA, and send both certificate and private key back to us. This is what is used right now, but this is wrong because private key is transmitted over the network. • It can generate a proxy certificate (with or without VOMS extensions) based on a public key provided from our side. This is more secure but this requires changes in the delegation code on WebFTS side ( ongoing ) • VOMS integration is implemented by FTS now. Waiting for STS VOMS integration. WebFTS as a first WLCG/HEP FIM pilot

  13. Open Issues • Above all we have to convince sites to trust IOTA-profile CAs. • It has to be discussed at the level of Infrastructures: EGI, WLCG, .. • How we associate different identities of the same user (e.g. normal X.509 certificate and IdF)? • Now we manually map the X509 user credentials with IOTA CA DN on the VOMS ( as alias) • But how to guarantee this DN to be unique? WebFTS as a first WLCG/HEP FIM pilot

  14. Open Issues[ii] • STS RA for the IOTA CA should use an eduGAIN persistent identifier attribute to ask for a unique DN • Which attributes can be consider persistent and unique in eduGAIN? • Looks like the eduPersonPrincipalNamecan be reassigned according to local policy.. • Can we use SAML2 Persistent Identifier ? And are all eduGAINIdPs providing it? • What about a combination of attributes? WebFTS as a first WLCG/HEP FIM pilot

  15. What we have achieved so far? • IdF-enabled WebFTS is a working prototype available at https://webfts-dev.cern.ch/ • only few testing Storage Elements have IOTA CA configured • This is an important step towards “X.509-free” access to Grid resources. • As said the same technology may be used for other types of services WebFTS as a first WLCG/HEP FIM pilot

  16. https://github.com/cern-it-sdc-id/webfts Questions? WebFTS as a first WLCG/HEP FIM pilot

More Related