A Grid Authorization Model for Science Gateways
Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign
June 11, 2008
Classic Science Gateway (slides 2-12)

[Figure, repeated on slides 2-11: Web Browser; Science Gateway (WebAuthn, Web Interface, Java WS Container, Webapp, WS GRAM Client, community credential); Resource Provider (WS GRAM Service, community account). From slide 6 a proxy credential appears at the gateway, and from slide 7 the proxy certificate is shown travelling to the resource provider.]

A science gateway is a convenient intermediary between a browser user and a grid resource provider.

Each gateway is issued a community credential that uniquely identifies the gateway.

Resource providers associate the community credential with a local community account.

To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.

The gateway then issues a short-lived proxy credential signed by its community credential.

The gateway submits the job on the user's behalf, authenticating as itself to the resource.

The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.

After the job is executed, the result is returned to the browser user via the gateway web interface.

So what's wrong with this classic science gateway scenario?

All requests look exactly the same to the resource provider! [Figure on slide 11: two gateway users, jsmith and mjones, both map to the single community account commacct.]

Resource providers need gateway user information for accounting and incident response.

http://gridshib.globus.org/
Grid Authorization Model for Gateways (slides 13-22)

[Figure, repeated on slides 13-22: Web Browser; Science Gateway (WebAuthn, Web Interface, Java WS Container with GridShib for GT, Webapp, WS GRAM Client, GridShib SAML Tools, community credential; the username and attributes flow from WebAuthn to the SAML Tools); Resource Provider (WS GRAM Service, GridShib for GT, Security Context, Blacklist Policy, Logs). From slide 16 the proxy credential carries a SAML token, and from slide 18 the proxy certificate with bound SAML token is shown travelling to the resource provider.]

An enhancement to the community account model increases the information flow between the gateway and the resource provider.

Two new GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.

Again the browser user authenticates to the gateway by presenting a username and password.

This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token.

The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail). Slide 17 shows the proxy credential as:

  X.509 Proxy Credential
  Issuer: Science Gateway
  Subject: Science Gateway+
  X509v3 extension: 1.3.6.1.4.1.3536.1.1.1.12:
    <saml:Assertion>
      <saml:NameID>trscavo</saml:NameID>
    </saml:Assertion>

The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token.

GridShib for GT extracts the SAML token from the proxy certificate and writes the information to a log file.

GridShib for GT compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.

As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.
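As an added illustration of slides 19 and 20 (example code, not the GridShib project's own), the following Python sketches the resource-provider side: pulling the bound SAML token out of the proxy certificate's extension, building the security context, applying the blacklist policy and producing a per-user audit line. The user name trscavo and the extension OID are from slide 17; the assertion issuer, the e-mail attribute and the dict standing in for a parsed certificate are constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the SAML assertion that slide 17 shows bound to the proxy
# certificate; NameID and extension OID are from the slides, the rest is made up.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_EXTENSION_OID = "1.3.6.1.4.1.3536.1.1.1.12"

ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2008-06-11T12:00:00Z">
  <saml:Issuer>https://gateway.example.org/</saml:Issuer>
  <saml:Subject><saml:NameID>trscavo</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>trscavo@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Stand-in for an already-parsed proxy certificate: subject plus X509v3 extensions by OID.
PROXY_CERT = {"subject": "Science Gateway",
              "extensions": {SAML_EXTENSION_OID: ASSERTION_XML}}


def build_security_context(proxy_cert):
    """Slide 19: extract the bound SAML token into a security context dict."""
    token = proxy_cert["extensions"].get(SAML_EXTENSION_OID)
    if token is None:
        raise ValueError("proxy certificate carries no bound SAML token")
    root = ET.fromstring(token)
    user = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not user:
        raise ValueError("SAML token has no NameID")
    ctx = {"gateway": proxy_cert["subject"], "user": user}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        ctx[name] = [v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return ctx


def authorize(ctx, blacklist):
    """Slide 20: deny if any value in the security context is on the blacklist."""
    for key, value in ctx.items():
        for v in (value if isinstance(value, list) else [value]):
            if v in blacklist:
                return False, f"denied: {key}={v} is blacklisted"
    return True, "allowed"


def audit_record(ctx, allowed):
    """One log line per request, attributable to the end user, not just the community account."""
    fields = " ".join(f"{k}={','.join(v) if isinstance(v, list) else v}" for k, v in ctx.items())
    return f"{fields} decision={'ALLOW' if allowed else 'DENY'}"
```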
Integration with TeraGrid Central Database (slide 23)

[Figure: Resource Provider (Java WS Container with GridShib for GT, WS GRAM Service, Security Context, Blacklist Policy, Logs) feeding the TeraGrid Central Database (TGCDB) via AMIE upload into a security table and a GRAM audit table.]

The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource. Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.
Summary
• Using GridShib SAML Tools, science gateways send user attributes to resource providers
• Using GridShib for GT, resource providers use these attributes to perform auditing, incident response, and attribute-based access control
• The TeraGrid central database captures TeraGrid-wide accounting data
Acknowledgments
• GridShib Project PIs: Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
• GridShib Developers: Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim Freeman, Raj Kettimuthu, Tom Scavo
• The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.
• The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.
Thank You!