Attribute-based Authentication: A Progress Report
TeraGrid Science Gateways Program
TeraGrid Round Table, 26 March 2009
Gateway User Count
• The initial goal of attribute-based authentication is the ability to routinely report the number of end gateway users to NSF (sample usage reports were shown on this and the following slide)
• This is not possible today without a lot of hand labor, since end-user identity is not known to TeraGrid resource providers
Project Description
• Three things need to happen before we can routinely count end gateway users:
  • Gateways must include end-user identity in service requests
  • Resource providers must intercept and persist end-user identity
  • Accounting systems must push end-user identity to the TGCDB
• If every TeraGrid user had their own user account, this problem would already be solved
• However, gateways rely on community accounts, which intentionally hide the identity of end users from the resource provider
• So the basic problem is how to assign an identity to a gateway user and how to propagate that identity throughout the TeraGrid infrastructure (from gateway to TGCDB)
The Gateway
• At the gateway, we assign an identifier to every user (both present and future)
• Identifier format: user@gateway.teragrid.org, where user is the portal login of the end user and gateway is the short name associated with the science gateway
• For example: yanliu@gisolve.teragrid.org
• Now include this end-user identifier along with every gateway request
• We don't want to invent a new protocol, so we carry the identifier as an attribute inside an ordinary proxy certificate
• The identifier is transmitted to the resource provider as a result of ordinary X.509 authentication; hence the name attribute-based authentication
• Note that the identifier is asserted by the gateway: the resource provider can trust it only as far as it trusts the community credential that signed the proxy
The Resource Provider
• The end-user identifier is intercepted and persisted at the resource provider
• The identifier is extracted from the proxy certificate and persisted in the GRAM audit table
• The proxy certificate also contains the user's e-mail address, so the RP admin can contact the end user directly in the event of a runaway process or other incident
• As a bonus, we provide a blacklisting capability, which gives the RP more control over incoming gateway requests
• Support for WS GRAM is provided out of the box; support for Pre-WS GRAM is anticipated (June 2009)
The Accounting System
• Finally, the site accounting process pushes end-user identity to the TGCDB
• First pull the identifiers from the GRAM audit table, then decorate the AMIE packets with attributes
• We will provide a command-line application:
  $ resolve-attributes < in_file > out_file
• The input file is a list of local job ids; the output file is the corresponding list of gateway user identifiers
• The accounting process uses the output to decorate the AMIE packets with attributes
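To make the three hops concrete (the gateway's user@gateway.teragrid.org identifier, the RP persisting it in the GRAM audit table with a blacklist check, and the accounting step that turns a list of local job ids into a list of identifiers as `resolve-attributes` is described), here is an added, stand-alone Python model. It is example code written for this page, not TeraGrid, GridShib or GRAM code: the audit-table columns, the blacklist format, the SQLite backing store and all job ids, identifiers and addresses are constructed assumptions for illustration.

```python
"""Added example (not TeraGrid/GridShib/GRAM code): a stand-alone model of
gateway identifier validation, RP-side persistence into a GRAM-audit-like
table with a blacklist check, and the accounting-side resolve step that maps
local job ids to gateway user identifiers.  Schema, blacklist format and
sample data are assumptions for illustration."""
import re
import sqlite3

# Identifier format from the slides: user@gateway.teragrid.org, where
# "user" is the portal login and "gateway" is the gateway's short name.
GATEWAY_ID_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9._-]+)@(?P<gateway>[a-z0-9-]+)\.teragrid\.org$")


def parse_gateway_id(identifier):
    """Return (user, gateway); raise ValueError for anything not in the
    expected format, so an RP never stores or trusts a malformed value."""
    m = GATEWAY_ID_RE.match(identifier)
    if m is None:
        raise ValueError("malformed gateway user identifier: %r" % identifier)
    return m.group("user"), m.group("gateway")


def open_audit_db():
    """In-memory stand-in for the GRAM audit table (assumed column names)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE gram_audit (
                      job_grid_id  TEXT PRIMARY KEY,
                      local_job_id TEXT UNIQUE NOT NULL,
                      gateway_user TEXT,
                      user_email   TEXT)""")
    return db


def is_blacklisted(identifier, blacklist):
    """Assumed blacklist format: a full identifier blocks one end user;
    '@gateway.teragrid.org' blocks every user of that gateway."""
    _, gateway = parse_gateway_id(identifier)
    return identifier in blacklist or ("@%s.teragrid.org" % gateway) in blacklist


def persist_job(db, job_grid_id, local_job_id, identifier, email,
                blacklist=frozenset()):
    """RP side: what happens once the identifier has been pulled out of the
    proxy certificate.  Returns True when the job is recorded; raises
    PermissionError for blacklisted requests and ValueError for malformed ids."""
    if is_blacklisted(identifier, blacklist):
        raise PermissionError("gateway request from %s refused" % identifier)
    db.execute("INSERT INTO gram_audit VALUES (?, ?, ?, ?)",
               (job_grid_id, local_job_id, identifier, email))
    db.commit()
    return True


def resolve_attributes(db, local_job_ids):
    """Accounting side: one identifier per input job id, in input order.
    Jobs with no recorded identity (non-gateway jobs, or jobs run before the
    RP installed audit support) resolve to None rather than being dropped,
    so the accounting record for that job is still emitted, just undecorated."""
    out = []
    for jid in local_job_ids:
        row = db.execute("SELECT gateway_user FROM gram_audit "
                         "WHERE local_job_id = ?", (jid,)).fetchone()
        out.append(row[0] if row else None)
    return out


def run_demo():
    """Constructed sample data (not real TeraGrid records)."""
    db = open_audit_db()
    blacklist = {"@badgw.teragrid.org", "mallory@gisolve.teragrid.org"}
    results = {}
    results["stored"] = persist_job(
        db, "https://rp.example.org/wsrf/services/ManagedExecutableJobService?1",
        "12345.rp", "yanliu@gisolve.teragrid.org", "yanliu@example.org", blacklist)
    try:  # whole-gateway blacklist entry
        persist_job(db, "https://rp.example.org/wsrf/services/ManagedExecutableJobService?2",
                    "12346.rp", "alice@badgw.teragrid.org", "alice@example.org", blacklist)
        results["blacklist_blocked"] = False
    except PermissionError:
        results["blacklist_blocked"] = True
    try:  # identifier outside the teragrid.org gateway namespace
        persist_job(db, "urn:job:3", "12347.rp", "eve@evil.example.org",
                    "eve@example.org", blacklist)
        results["malformed_rejected"] = False
    except ValueError:
        results["malformed_rejected"] = True
    # The resolve-attributes step: local job ids in, identifiers out, same order.
    results["resolved"] = resolve_attributes(db, ["12345.rp", "12346.rp", "99999.rp"])
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The resolve step deliberately returns a placeholder for unknown jobs instead of skipping them: the accounting process is decorating existing AMIE packets, so a job that lacks an identifier must still be accounted for, just without the attribute.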
Project Status
• The proposed gateway solution was presented at TeraGrid '08 and is well advanced
• Gateways use GridShib SAML Tools to bind the end-user identifier to a proxy certificate
• On March 24, the Software WG announced the availability of a production Science Gateway Support Capability Kit (based on the recently announced Core Integration Kit 4.2.0)
• The Capability Kit includes an enhanced GRAM service that works with GridShib for GT to extract the identifier from the proxy certificate
• Current focus is on the accounting piece, which is actively being developed
• We will provide a command-line tool (due April 2009) that pulls the end-user identifier from the GRAM audit table
Timeline
• By September 2009 all jobs submitted by community accounts will include attributes with unique user identifiers, to be stored in the TGCDB
• Milestones:
  • RP testing through Feb 2009: DONE
  • Capability Kit V2 released Mar 2009: DONE
  • Accounting tools released Apr 2009
  • Production installations of Capability Kit V2 through August 2009
  • 6-month gateway transition, March through August
  • Big party in September!
Next Steps
• Increased gateway integration
  • A few gateways have completed the integration, more in progress
  • Continue the integration process, increasing over the summer
• More RPs needed to install Capability Kit V2
  • TODO: identify a grid node, install Capability Kit V2
  • What's the impact on a site? Admin time is needed to deploy and test GT 4.0.8 + GRAM Audit + GridShib for GT
  • Focus on this between now and August 2009
• Site accounting admins needed to test new tools
  • Looking for volunteers to test the new tools to be released April 2009
• Where do you sign up?
  • Email tscavo@ncsa.uiuc.edu (RPs) or wilkinsn@sdsc.edu (gateways)
  • Help is available!
More Information?
• The BIG Picture: http://www.teragridforum.org/mediawiki/images/4/43/Tg-gateway-job-acct.pdf
• Gateway integration status: http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
• Capability Kit implementation status: http://www.teragridforum.org/mediawiki/index.php?title=CTSS_4_Science_Gateway_Capability_Implementation
• GRAM Audit Attributes in AMIE Packets: http://www.teragridforum.org/mediawiki/images/5/5e/GRAMAuditAttributesAMIEPackets.pdf
[Diagram: GRAM audit and accounting data flow at a TeraGrid Resource Provider (RP)]
• The Client / Gateway creates a job at the GT4 Java container (MJFS / MEJS) and gets back an EPR; the container writes to the Core, Delegation, RFT and GRAM audit tables and submits the user job(s) through the sudo RM adapter to the local Resource Manager (RM), whose log is read by the SEG
• RM accounting produces an accounting record for the job with its EPR; the EPR is locally converted to a Grid job id (job_grid_id)
• The accounting process obtains GRAM attributes either via a direct DB connection (Option #1: query the GRAM audit table job by job) or via an OGSA-DAI service interface (Option #2: batch query of all jobs' attributes by job_grid_id)
• Local AMIE accounting then uploads to the central TG accounting DB
• Notes on the diagram: no changes are required to AMIE; OGSA-DAI provides virtualization for the audit and accounting DBs