1 / 14

Security Model Proposal

Security Model Proposal. Outline. Approach & Use case What does ESG have today Portal Solution Multiple Portals (SSO Test) Proposed extension to ESG current architecture. Problem and Use Case. Approaching Security from the perspective of adding two grids together

prescott-adams
Download Presentation

Security Model Proposal

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Model Proposal

  2. Outline • Approach & Use case • What does ESG have today • Portal Solution • Multiple Portals (SSO Test) • Proposed extension to ESG current architecture.

  3. Problem and Use Case • Approaching Security from the perspective of adding two grids together • What happens when two grids decide to work together? • How do users access each others resources? • Main use case: • SSO within NCAR for multiple web servers. • Users authenticated at ORNL want to use ESG resources via a gateway (a – through a portal; b – directly via a client) w/o re-authenticating. • Same but user access is controlled through a portal.

  4. What do we have now? • Two cases • ESG Portal assumes the user identity • ESG Portal operates on behalf of the user

  5. Current Implementation I Database (username/pass, attributes, access policy) 2. Authenticate ESG Portal (AuthZ) (AuthN ACEGI) 3. AuthZ 1. Contact with Username/pass 4. Get user proxy, using username/pass MyProxy 5. Access grid service impersonating user Client Browser Grid Resource

  6. Current Implementation II 2. Authenticate Database (username/pass, attributes, access policy) ESG Portal (AuthZ) (AuthN ACEGI) 3. AuthZ MyProxy 1. Contact with Username/pass 5. Insecure access for user 4. Access grid service for user as portal Client Browser OpenDAP Server Grid Resource

  7. ESG Architecture Diagram • Compare the attached architecture diagram from Luca.

  8. Current Implementation Notes • OpenDAP Access • OpenDAP has no way to limit its access • Only done thro’ firewall protections and obscurity

  9. SSO Test Case • Two Portals inside NCAR Firewall • Use ACEGI for AuthN • Yale CAS for AuthN/redirection • Shib-sso could do the same thing • Compatible w/TeraGrid • Identity management server could make integration easier

  10. Proposed Solution • Single identity management service • Single authorization service • Above access centralized database with attributes • MyProxy for credentials

  11. Identity Management Service CAS 1. SSO with thin client ESG Portal 3. Authenticate Database (username/pass, attributes, access policy) 6. AuthZ Policy Access MyProxy AuthZ Service 2. Redirect. Client provides username/pass OpenDAP Server 5. Authorize 8. Insecure access for user 4. Authenticated session CDP Portal 7. Access for user as portal Client Browser 1. Contact CDP Portal Grid Resource

  12. Identity Management Service CAS 2. SSO with fat client Database (username/pass, attributes, access policy) 2. Username pass 5. Access policy AuthZ Service MyProxy 1. Get credential 4. Authorize 3. Authenticate 6. Do task Fat Client Grid Resource 3. Access resource using credential OpenDAP Server

  13. Identity Management Server CAS/Shib-sso SSO Implementation Centralized Identity Management Server Browser CAS/Shib-sso ESGPortal 1 Database (username/pass) 3 4 2 2 • Client contacts portal • Redirected to Identity Mgmt Service • Authenticate • Authenticated Session Redirected to portal 4 CAS/Shib-sso CDP Portal 1

  14. Possible Next Steps • Reach agreement at the conceptual / diagram level • Face-to-face meeting to design a detailed architecture & workplan.

More Related