1.05k likes | 1.18k Views
TeraGrid 08 The Third Annual TeraGrid Conference Las Vegas, NV June 9–13, 2008. Tom Scavo, Jim Basney , Terry Fleury, Von Welch National Center for Supercomputing Applications University of Illinois at Urbana-Champaign. Tutorial: Science Gateways, Security, and GridShib. TeraGrid 08
E N D
TeraGrid 08The Third Annual TeraGrid ConferenceLas Vegas, NVJune 9–13, 2008 Tom Scavo, Jim Basney , Terry Fleury, Von Welch National Center for Supercomputing Applications University of Illinois at Urbana-Champaign http://gridshib.globus.org/
Tutorial:Science Gateways, Security, and GridShib TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch National Center for Supercomputing Applications University of Illinois at Urbana-Champaign June 9, 2008 http://gridshib.globus.org/
Birds-of-a-Feather Session:Attribute-based Auditing and Authorization for Science Gateways TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch National Center for Supercomputing Applications University of Illinois at Urbana-Champaign June 11, 2008 http://gridshib.globus.org/
Science GatewaysWorking Group Session TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch National Center for Supercomputing Applications June 12, 2008 http://gridshib.globus.org/
GridShib @ TeraGrid 08 • Tutorial: Science Gateways, Security, and GridShib • Mon, 8:00am–12:00pm • Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways • Wed, 5:30–6:30pm • Poster Session: A Federated Identity Model for Science Gateways • Wed, 6:30–8:30pm • Science Gateways Working Group Session • Thu, 3:00–4:30pm http://gridshib.globus.org/
Definition of Terms Shib != GridShib http://gridshib.globus.org/
Grid Security Infrastructure(GSI) http://gridshib.globus.org/
Grid Authentication • Traditionally, grid authentication has been via trusted X.509 identity certificates • GSI relies heavily on X.509 proxy certificates • A proxy cert is a short-lived certificate signed by the user’s identity certificate • Multiple GSI authentication mechanisms: • GSI Transport (SSL/TLS) • GSI Secure Message (WS-Security) • GSI Secure Conversation (WS-SecureConversation) http://gridshib.globus.org/
The Classic Grid Use Case A non-browser user issues a proxy certificate and initiates a grid request on her own behalf. http://gridshib.globus.org/
Issue a Proxy Certificate grid-proxy-init X.509 Proxy Credential Issuer: End User Subject: End User+ X.509 End Entity Cred Issuer: Certification Authority Subject: End User Key Key myproxy-logon http://gridshib.globus.org/
Classic GSI GT4 Client GT4 Server Java WS Container Globus WS Client Globus Web Service X.509 proxy certificate X.509 proxy credential Gridmap Key http://gridshib.globus.org/
Identity-based Access Control • The distinguished name (DN) in the proxy certificate is used as a basis for coarse-grained access control • If the subject DN is in an access control list called a gridmap file, access is allowed • A gridmap file also maps DNs to usernames • Associated with each DN are zero or more local usernames • GRAM, for example, requires a local account in which to run a job request http://gridshib.globus.org/
Gridmap File • The gridmap has a flat file format:DN → [user0, user1, …, usern-1] • The gridmap has dual functions: • Authorization Policy • Username Mapping Policy • A single gridmap file serves both functions • Identity-based gridmap files trade off flexibility and scalability for simplicity DN1 username1 DN2 username2 … http://gridshib.globus.org/
GridShib-enabled GSI http://gridshib.globus.org/
GridShib Project • The goal of the GridShib Project is to introduce attribute-based authorization to Globus-based grids • GridShib software allows Globus Toolkit and Shibboleth to interoperate • Classic GridShib (circa 2004–2005) pulls attributes from a Shibboleth Attribute Service • The current emphasis is on browser users and attribute push, specifically, the TeraGrid Science Gateway Use Case http://gridshib.globus.org/
GridShib Software • GridShib for GT • Consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools. Issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed. • GridShib for Shibboleth • Responds to attribute queries from GridShib for GT. • GridShib CA • Issues short-lived X.509 credentials to browser users. • GridShib SAML Tools • Issue or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates. http://gridshib.globus.org/
GridShib Software • GridShib for GT • Consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools. Issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed. • GridShib for Shibboleth • Responds to attribute queries from GridShib for GT. • GridShib CA • Issues short-lived X.509 credentials to browser users. • GridShib SAML Tools • Issue or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates. http://gridshib.globus.org/
GridShib SAML Tools • The GridShib SAML Tools (GS-ST) are a standalone suite of Java-based client tools • Binds a SAML assertion to an X.509 proxy certificate • The same X.509-bound SAML token can be transmitted at the transport level or the message level (using WS-Security X.509 Certificate Token Profile) • Includes the GridShib Security Framework, a Java API for producing and consuming X.509-bound SAML tokens • GS-ST is a SAML producer http://gridshib.globus.org/
GS-ST Features • Easily installed and configured • Binds arbitrary content (not just SAML) to a non-critical certificate extension • Multiple output options (SAML, X.509 proxy credential, DER-encoded ASN.1) • CLI with shell scripts (UNIX and Windows) • Includes a Java API for portal developers • Leverages the Globus SAML Library, an enhanced version of OpenSAML 1.1 http://gridshib.globus.org/
GS-ST Function Bind a SAML assertion to a non-critical X.509 v3 certificate extension We call this an X.509-bound SAML token http://gridshib.globus.org/
X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ grid-proxy-init X.509 Community Cred Issuer: TeraGrid CA Subject: Science Gateway Key Key http://gridshib.globus.org/
X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ grid-proxy-init X.509 Community Cred Issuer: TeraGrid CA Subject: Science Gateway Key X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: 1.3.6.1.4.1.3536.1.1.1.12: Key <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> gridshib-saml-issuer Key http://gridshib.globus.org/
GridShib SAML Tools produces X.509-bound SAML tokens, a new type of security token that enables attributed-based authorization in X.509-based Grids The SAML token is bound to a noncritical X.509v3 certificate extension X.509-bound SAML Token X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: 1.3.6.1.4.1.3536.1.1.1.12: <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> Key http://gridshib.globus.org/
WS-Security Token Profiles • OASIS WS-Security Technical Committee • WSS X.509 Certificate Token Profile [1] • WSS SAML Token Profile • Globus implements the former • We define a new token type: • X.509-bound SAML Token • An implementation of [1] automatically handles X.509-bound SAML tokens • No new wire protocols are needed! http://gridshib.globus.org/
Security Tokens X.509 Token SAML Token SOAP Envelope SOAP Envelope SOAP Header SOAP Header X.509 certificate SAMLassertion SOAP Body SOAP Body http://gridshib.globus.org/
Security Tokens X.509-boundSAML Token X.509 Token SAML Token SOAP Envelope SOAP Envelope SOAP Envelope SOAP Header SOAP Header SOAP Header X.509 certificate X.509 certificate SAMLassertion SAMLassertion SOAP Body SOAP Body SOAP Body http://gridshib.globus.org/
GridShib-enabled GSI A non-browser user binds a SAML assertion to a proxy certificate and initiates a grid request on her own behalf http://gridshib.globus.org/
GridShib for GT • GridShib for GT (GS4GT) is a plug-in for GT 4.x • GS4GT is compatible with both GT 4.0 and 4.2 • GS4GT is an implementation of a Grid Service Provider, which is analogous to a Shibboleth Service Provider, but for X.509-based grids • GS4GT is a SAML consumer • Used together, GridShib SAML Tools and GridShib for GT enable attribute-based access control in Globus-based grids http://gridshib.globus.org/
GS4GT Features • Introduces attribute-based authorization into GT • Exposes a single comprehensive policy decision point called the GridShibPDP • Implements an attribute push model • Restricts access based on blacklists of IP addresses and/or name identifiers • Provides attribute-based account mapping • Supports optional gridmap short-circuiting • Defines an attribute-based authorization policy language (in XML) http://gridshib.globus.org/
GridShib-enabled GSI GT4 Client GT4 Server Java WS Container (with GridShib for GT) Globus WS Client GridShibSAML PIP Globus Web Service proxy certificate SAML GridShib SAML Tools proxy credential Security Context SAML Key Blacklist Policy Authz Policy end entity credential Logs Key http://gridshib.globus.org/
The SAML Entity Map maps SAML issuers to X.509 issuers A SAML issuer in this file is trusted The SAML Entity Map will be replaced by SAML Metadata (XML) A blacklist is a list of identifiers (SAML identifiers or subject DNs) A user whose identifier is on the blacklist will be denied access The flat file blacklist will be replaced by a database table GS4GT Configuration Files GridShibSAML Entity Map entityID1 DN1 entityID2 DN2 … GridShibBlacklist Policy identifier1 identifier2 … http://gridshib.globus.org/
<XML> <XML> GS4GT Policy Files DN1 username1 DN2 username2 … GlobusGridmap file GridShibMapping Policy GridShibAuthz Policy http://gridshib.globus.org/
GS4GT Policy Files • Two separate attribute-based policy files: • Authorization Policy[A0, A1, …, Am-1] • Username Mapping Policy[A0, A1, …, Am1-1] → [user0, user1, …, usern1-1][A0, A1, …, Am2-1] → [user0, user1, …, usern2-1] … • A single XML-based policy file may encapsulate both types of policies http://gridshib.globus.org/
Summary • Fine-grained, attribute-based authorization • Introduces X.509-bound SAML tokens • Works at both the transport level or the message level • No modifications to GT clients are required • If the service is not GridShib-enabled, the X.509-bound SAML token is simply ignored http://gridshib.globus.org/
A Grid Authorization Model for Science Gateways http://gridshib.globus.org/
The Science Gateway Use Case A browser user authenticates to a grid portal. The portal issues a proxy certificate and initiates a grid request on behalf of the user http://gridshib.globus.org/
Classic Science Gateway A science gateway is a convenient intermediary between a browser user and a grid resource provider. Web Browser WebAuthn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service communitycredential community account Key Science Gateway Resource Provider http://gridshib.globus.org/
Classic Science Gateway Each gateway is issued a community credential that uniquely identifies the gateway. Web Browser WebAuthn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service communitycredential community account Key Science Gateway Resource Provider http://gridshib.globus.org/
Classic Science Gateway Resource providers associate the community credential with a local community account. Web Browser WebAuthn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service communitycredential community account Key Science Gateway Resource Provider http://gridshib.globus.org/
Classic Science Gateway To submit a job, a browser user typically authenticates to the gateway by presenting a username and password. Web Browser WebAuthn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service communitycredential community account Key Science Gateway Resource Provider http://gridshib.globus.org/
Classic Science Gateway The gateway then issues a short-lived proxy credential signed by its community credential. Web Browser WebAuthn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service communitycredential proxy credential community account Key Key Science Gateway Resource Provider http://gridshib.globus.org/
Classic Science Gateway The gateway submits the job on the user’s behalf, authenticating as itself to the resource. Web Browser WebAuthn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service proxy certificate communitycredential proxy credential community account Key Key Science Gateway Resource Provider http://gridshib.globus.org/
Classic Science Gateway The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate. Web Browser WebAuthn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service proxy certificate communitycredential proxy credential community account Key Key Science Gateway Resource Provider http://gridshib.globus.org/
Classic Science Gateway After the job is executed, the result is returned to the browser user via the gateway web interface. Web Browser WebAuthn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service proxy certificate communitycredential proxy credential community account Key Key Science Gateway Resource Provider http://gridshib.globus.org/
Community Account Model: The Good • The Community Account Model • simplifies the user experience • simplifies gateway implementation and deployment • simplifies gridmap file management at the RP • A community credential is issued to each gateway • A single community account is created at the RP • The gateway issues proxy certificates and makes grid requests on behalf of the user http://gridshib.globus.org/
Community Account Model: The Bad • The community account model has some significant drawbacks, however: • End user identity is unknown to the RP • Course-grained access control at the resource (by design) • Awkward approach to auditing and incident response • In the event of an emergency, the RP is forced to disable all access to the community account • Less than adequate accounting mechanisms • All this can be traced to a single problem… http://gridshib.globus.org/
Community Account Model: The Ugly All requests look exactly the same to the resource provider! If the gateway would only pass the user’s name and contact information to the resource provider, all previously mentioned problems would be solved http://gridshib.globus.org/
Grid Authorization Model • We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider • Extends the Community Account Model • Asserts end user identity to the RP • Permits fine-grained access control at the RP • Provides strong auditing and effective incident response • Allows dynamic blacklisting of problem accounts or runaway processes • A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure • Complements existing SAML-based middleware infrastructure on today's campuses http://gridshib.globus.org/
Grid Authorization Model • The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider • Using GridShib SAML Tools, the gateway • issues a SAML assertion containing the user's authentication context and attributes • binds the SAML assertion to a proxy certificate signed by the community credential • authenticates to the resource by presenting the SAML-laden proxy certificate http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf http://gridshib.globus.org/
X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> + = Key X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: 1.3.6.1.4.1.3536.1.1.1.12: <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> Key http://gridshib.globus.org/