280 likes | 396 Views
EDINA Geo/Grid - Security. Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland r.sinnott@nesc.gla.ac.uk. ?. 4. Home site authenticates user and pushes attributes to the servic e provider. 3. User selects their home institution.
E N D
EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland r.sinnott@nesc.gla.ac.uk
? 4. Home site authenticates user and pushes attributes totheservice provider 3.User selects their home institution 2. Shibboleth redirects userto W.A.Y.F. service LDAP LDAP 1. User points browser at Grid resource/portal Shibboleth Scenario uid AuthZ Identity Provider Service provider Shib Frontend AuthN What attributes to send? Home Institution 6. Make final AuthZ decision Only see/use what allowed to? Federation Grid Application What sites + attributes to accept (trust)? 5. Pass authentication info and attributestoauthZ function W.A.Y.F. User Grid Portal Log-in once and roam
SPAM-GP Portlets • Will develop four JSR-168 compliant portlets for VO admins: • scoped attributed management portlet (SCAMP) • done • dynamic portal configuration management (CCP) • e.g. configure portal content based on user privileges (security attributes) • attribute release policies (ARP) • e.g. only release my VO specific attributes to VO partners • attribute certificate portlet (ACP) • securely push attributes out to collaborators (builds on DyVOSE project dynamic delegation of authority service)
OMII SPAM-GP project: Scoped Attribute Management Portlet (SCAMP)
OMII SPAM-GP project: ACP Glasgow SoA using Glasgow DIS to issue Edin. roles Edinburgh SoA using Glasgow DIS to issue Edin. roles ACs created for Edin. roles DyVOSE - Dynamic Privilege Management Infrastructure Glasgow Edinburgh LDAP LDAP Glasgow Education VO policies Edinburgh Education VO policies PERMIS based Authorisation checks/decisions Nucleotide + Protein Sequence DB Grid BLAST Service Grid BLAST Data Service data input Implemented by Students Protein/nucleotide data returned based on student team role Grid-data Client
AuthZ 4. Home site authenticates user and pushes attributes totheservice provider 3.User selects their home institution 2. Shibboleth redirects userto W.A.Y.F. service LDAP LDAP VO wide authZ 1. User points browser at Grid resource/portal Centralised Shibboleth Scenario + VPman project Identity Provider Service provider VOMS AuthN Home Institution 6. Make final AuthZ decision Federation Grid Application 5. Pass authentication info and attributestoauthZ function W.A.Y.F. User Grid Portal
VOMS used in push/pull mode with authZ group specs
Existing Demonstration (pushing attributes in SAML)
The Scenario (1) A VOTES diabetes service is deployed on a GT4 infrastructure(2) A user runs “voms-proxy-init” to generate a proxy certificate including VOMS credentials (3) and tries to invoke the protected stored procedure(4) The PEP passes the user information (including proxy certificate) to the VOMS PIP(5) VOMS PIP validates the credentials and passes back the VOMS Fully Qualified Attribute Name (FQAN) within the subject attributes. (6) The PEP calls the PERMIS PDP pushing the request information and credentials(7) The PERMIS PDP according to the policy decides if this user with certain attributes is authorized to access the service. (8) If successful the stored procedure is invoked, the federated query run and returned results joined and returned to the end user
Successful Nurse Interaction Unuccessful Nurse Interaction => java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSNurseClient security-configRichard.xml =>java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSDoctorClient security-configRichard.xml Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client
Successful Nurse Interaction Successful Doctor Interaction => java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSNurseClient security-configRichard.xml =>java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSDoctorClient security-configRichard.xml Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client
The Scenario with Permis (VPMan) (1) The client attempts to invoke the PERMIS protected Geronimo service. The PEP extracts the users DN and identifies that it needs attributes from a VOMS server(2) The PEP, via a Subject PIP, pulls back the relevant attributes from VOMS server (3)and passes them to the PDP(4) The permis PDP makes the decision (5) and if ok, submit job using via GridSAM to appropriate Grid Resource