1 / 28

EDINA Geo/Grid - Security

EDINA Geo/Grid - Security. Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland r.sinnott@nesc.gla.ac.uk. ?. 4. Home site authenticates user and pushes attributes to the servic e provider. 3. User selects their home institution.

robbin
Download Presentation

EDINA Geo/Grid - Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland r.sinnott@nesc.gla.ac.uk

  2. ? 4. Home site authenticates user and pushes attributes totheservice provider 3.User selects their home institution 2. Shibboleth redirects userto W.A.Y.F. service LDAP LDAP 1. User points browser at Grid resource/portal Shibboleth Scenario uid AuthZ Identity Provider Service provider Shib Frontend AuthN What attributes to send? Home Institution 6. Make final AuthZ decision Only see/use what allowed to? Federation Grid Application What sites + attributes to accept (trust)? 5. Pass authentication info and attributestoauthZ function W.A.Y.F. User Grid Portal Log-in once and roam

  3. SPAM-GP Portlets • Will develop four JSR-168 compliant portlets for VO admins: • scoped attributed management portlet (SCAMP) • done • dynamic portal configuration management (CCP) • e.g. configure portal content based on user privileges (security attributes) • attribute release policies (ARP) • e.g. only release my VO specific attributes to VO partners • attribute certificate portlet (ACP) • securely push attributes out to collaborators (builds on DyVOSE project dynamic delegation of authority service)

  4. non-scoped

  5. OMII SPAM-GP project: Scoped Attribute Management Portlet (SCAMP)

  6. scoped attributes

  7. OMII SPAM-GP project: ACP Glasgow SoA using Glasgow DIS to issue Edin. roles Edinburgh SoA using Glasgow DIS to issue Edin. roles ACs created for Edin. roles DyVOSE - Dynamic Privilege Management Infrastructure Glasgow Edinburgh LDAP LDAP Glasgow Education VO policies Edinburgh Education VO policies PERMIS based Authorisation checks/decisions Nucleotide + Protein Sequence DB Grid BLAST Service Grid BLAST Data Service data input Implemented by Students Protein/nucleotide data returned based on student team role Grid-data Client

  8. AuthZ 4. Home site authenticates user and pushes attributes totheservice provider 3.User selects their home institution 2. Shibboleth redirects userto W.A.Y.F. service LDAP LDAP VO wide authZ 1. User points browser at Grid resource/portal Centralised Shibboleth Scenario + VPman project Identity Provider Service provider VOMS AuthN Home Institution 6. Make final AuthZ decision Federation Grid Application 5. Pass authentication info and attributestoauthZ function W.A.Y.F. User Grid Portal

  9. VOMS

  10. VOMS used in push/pull mode with authZ group specs

  11. Existing Demonstration (pushing attributes in SAML)

  12. Joining on CHI

  13. VOMS’ing

  14. The Scenario (1) A VOTES diabetes service is deployed on a GT4 infrastructure(2) A user runs “voms-proxy-init” to generate a proxy certificate including VOMS credentials (3) and tries to invoke the protected stored procedure(4) The PEP passes the user information (including proxy certificate) to the VOMS PIP(5) VOMS PIP validates the credentials and passes back the VOMS Fully Qualified Attribute Name (FQAN) within the subject attributes. (6) The PEP calls the PERMIS PDP pushing the request information and credentials(7) The PERMIS PDP according to the policy decides if this user with certain attributes is authorized to access the service. (8) If successful the stored procedure is invoked, the federated query run and returned results joined and returned to the end user

  15. Successful Nurse Interaction Unuccessful Nurse Interaction => java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSNurseClient security-configRichard.xml =>java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSDoctorClient security-configRichard.xml Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client

  16. Successful Nurse Interaction Successful Doctor Interaction => java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSNurseClient security-configRichard.xml =>java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSDoctorClient security-configRichard.xml Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client

  17. The Scenario with Permis (VPMan) (1) The client attempts to invoke the PERMIS protected Geronimo service. The PEP extracts the users DN and identifies that it needs attributes from a VOMS server(2) The PEP, via a Subject PIP, pulls back the relevant attributes from VOMS server (3)and passes them to the PDP(4) The permis PDP makes the decision (5) and if ok, submit job using via GridSAM to appropriate Grid Resource

More Related