MyProxy and NVO or Web SSO for Grid Portals



MyProxy and NVO, or Web SSO for Grid Portals
GlobusWorld 2006, Washington, DC, USA, September 12, 2006
Mike Freemon, National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign, IL, USA

Acknowledgements

GRIDS Center
- NSF Middleware Initiative (NMI)
- NCSA, U. Wisconsin, USC, U. Chicago, SDSC
- Mission: assist science projects to be successful in the use of grid technologies for doing science
- Services: software distributions, build & test, training, technical support, consulting

NVO: National Virtual Observatory
- NVO's objective is to enable new science by greatly enhancing access to data and computing resources. NVO makes it easy to locate, retrieve, and analyze data from archives and catalogs worldwide.
- Ray Plante: radio astronomer at NCSA, local PI for the NVO project
- Related astronomy projects: DES (Dark Energy Survey), LSST (Large Synoptic Survey Telescope), IVOA (International Virtual Observatory Alliance)

Organizational Landscape
- Each major regional VO will run a User Authentication Server (UAS); UASs are CAs
- ~6 UASs worldwide; examples include NVO, EUR, China, S. America
- Ten or more portal sites: NVO, NCSA, NOAO, NRAO, STSCI, DES, LSST, etc.
- Forty or more resource providers: Web Services, GridFTP, GRAM

Authentication Requirements
- Browser-based access: use GSI, but hide the details, X.509 credentials, etc.
- Support multiple portal servers: Single Sign-On (SSO) across the portal servers, with portal servers in different domains
- Limit trust of portal servers: allow only short-term secrets/credentials to pass through the portal server
- Differentiate between two different types of credentials: support "weak accounts/certificates", requiring only email verification to create, and "strong accounts/certificates", requiring personal review by a security administrator before issuing
- Preserve the ability for power users to retrieve GSI credentials for client-side applications
- Authentication is handled by the UASs; authorization is the responsibility of the Resource Providers
- Individual portal applications need to access resources from multiple administrative domains (resource providers).

Introducing the Players: MyProxy, Pubcookie, PURSe

What is MyProxy?
- An Online Certificate Authority: issues short-lived X.509 End Entity Certificates, avoiding the need for long-lived user keys
- An Online Credential Repository: issues short-lived X.509 Proxy Certificates; long-lived private keys never leave the server
- Supports multiple authentication methods: passphrase, certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open source software: included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits; C, Java, Python, and Perl clients available; contributions from EDG, UVA, LBL, and others

What is Pubcookie?
- Open-source software for intra-institutional* single sign-on web authentication (University of Washington)
- Part of the National Science Foundation Middleware Initiative (NMI) EDIT software release
- Limits the exposure of end-user passwords by ensuring they're only sent to a trusted login service
- * Can be inter-(DNS)domain: implemented using HTTP cookies (intra-domain) and HTTP "redirects" (inter-domain)

Maintaining State Across DNS Domains
Pubcookie uses an HTML form that immediately POSTs to the target, passing the "cookie data" as request parameters.

    <html>
    <body onLoad="document.relay.submit()">
    <form method=post action="" name=relay>
    <input type=hidden name=pubcookie_g_req value="b25lPXNreTIuZmdpdC5vcmcmdHdvPS8mdWU9MSZmb3VyPWE1JmZpdmU9R0VUJnNpeD1za3kyLmZnaXQub3JnJnNldmVuPS90ZXN0YXBwJmVpZXh0PSZob3N0bmFtZT1za3kyLmZnaXQub3JnJm5pbmU9MSZmaWxlPSZyZWZlcmVyPShudWxsKSZzZXNzX3JlPTAmcHJlX3Nlc3NfdG9rPTIwNjM3MjQ2OTAmZmxhZz0w">
    <input type=hidden name=post_stuff value="">
    <input type=hidden name=relay_url value="">
    </form>
    </body>
    </html>
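As an added example, not code from the slides or from Pubcookie itself, the following Python builds and parses a relay form of the same shape: the granting request is a URL-encoded query string wrapped in base64, which is also what the slide's pubcookie_g_req value decodes to. The field names, sample values, and the hostname-binding check on the receiving side are assumptions for illustration; real Pubcookie uses its own field names and its own protection of the granting request.

```python
import base64
import binascii
import html
from urllib.parse import parse_qs, urlencode

# Field names below are illustrative assumptions, not Pubcookie's real ones.
# Constructed sample granting request bound to one portal host.
SAMPLE_REQUEST = {
    "hostname": "portal1.example.org",   # portal the request is bound to
    "file": "/testapp",                  # resource the browser asked for
    "method": "GET",
    "referer": "(null)",
}


def build_granting_request(fields):
    """Encode fields the way the relay form on the slide carries them: a
    URL-encoded query string, base64-wrapped into one hidden input value."""
    return base64.b64encode(urlencode(fields).encode("ascii")).decode("ascii")


def build_relay_form(action_url, g_req, relay_url=""):
    """Render the self-submitting form that carries the value across the
    DNS-domain boundary; values are HTML-escaped before being embedded."""
    esc = html.escape
    return (
        '<html><body onLoad="document.relay.submit()">\n'
        f'<form method="post" action="{esc(action_url)}" name="relay">\n'
        f'<input type="hidden" name="pubcookie_g_req" value="{esc(g_req)}">\n'
        '<input type="hidden" name="post_stuff" value="">\n'
        f'<input type="hidden" name="relay_url" value="{esc(relay_url)}">\n'
        '</form></body></html>'
    )


def parse_granting_request(g_req, expected_host):
    """Receiver side: decode the relayed value and accept it only if it is
    well-formed base64 and bound to this portal's hostname (an illustrative
    stand-in for the checks a real deployment applies before trusting it)."""
    try:
        raw = base64.b64decode(g_req, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed granting request") from exc
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if fields.get("hostname") != expected_host:
        raise ValueError("granting request not bound to this host")
    return fields


if __name__ == "__main__":
    g_req = build_granting_request(SAMPLE_REQUEST)
    print(build_relay_form("https://portal1.example.org/relay", g_req))
    print(parse_granting_request(g_req, "portal1.example.org"))
```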

What is PURSe?
- Portal-based User Registration System
- Part of the NMI GRIDS Center software release
- PURSe is a web-based system for registering and managing user registries for applications that use the Grid Security Infrastructure (GSI)
- By leveraging the MyProxy certificate repository, PURSe shields web application users from the complexities of X.509 certificate management

Let's Start with Standard Pubcookie…
(Diagram labels: Browser; Portal #1; Portal #2; "redirect"; Pubcookie Login Server; login page; Authn Server.)

Add Portal Access to GSI Credentials (as described in the Martin, Basney, Humphrey 2005 paper – see references)
(Diagram labels: Browser; Portal #1; Portal #2; "redirect"; Pubcookie Login Server; login page; Authn Server; pubcookie granting cookie; MyProxy Server.)

Let's Simplify Things for the Portal Application Developer
- Apache module mod_myproxy: intercepts the HTTP request in Apache and automatically retrieves the GSI delegation for the authenticated user
- Perl script, executed via mod_perl


Why Not Use MyProxy for Pubcookie Authentication?
(Diagram labels: Browser; Portal #1; Portal #2; "redirect"; Pubcookie Login Server; login page; authn; pubcookie granting cookie; MyProxy Server.)

How is MyProxy initially populated?
(Diagram labels: Browser; user registration request; PURSe WebApp; inserts (incl. pswd); User DB; creates credentials; MyProxy Server; Portal #1; get delegation; Portal #2; redirect; Pubcookie Login Server; login page; authn.)

Opportunities for Improvement - or - "Wouldn't it be nice…"
- …to have the user password in only one location? No need to keep passwords/passphrases "in sync", or to create administrative or support processes to reset passwords, etc.
- …to make it easier to deal with "volatile" data in the X.509 certificate (such as SAML assertions)? Simply have the user log off and log on again
- …to not require a myproxy-init?
- …to simplify PURSe? PURSe is not responsible for creating any certificates, therefore it does not need SimpleCA and does not invoke any MyProxy client functionality

Deviations from a "Vanilla" Pubcookie/MyProxy/PURSe Implementation
- Use the Online CA functionality of MyProxy
- MyProxy authenticates users using the PURSe database (RDBMS via PAM)
- Remove SimpleCA and MyProxy processing from PURSe

The Design
(Diagram labels: Browser; registration request; PURSe WebApp; inserts; User DB; selects; MyProxy Server; Portal #1; get delegation; Portal #2; "redirect"; Pubcookie Login Server; login page; authn. Callouts: Limited Trust of Portals; Web SSO Across Grid Portals.)

Roadmap
- Prototyping by VO projects under way
- NOAO Science Archive (NSA), National Optical Astronomy Observatory: working system with NSA demo portal – Portal Server – Login Server
- CalTech has a portal server hooked in to this login server
- Winter 2006 and beyond: settle on main components of the standard; user attributes via SAML in X.509 certificate; coexistence and interoperability with Shibboleth

Related Work
- Apache 2.2 module (C code) that allows clients to authenticate against a MyProxy server
- The client's MyProxy username and passphrase are sent to the web server using HTTP basic authentication
- The Apache module will retrieve the delegation and store it locally on the web server
- CGI scripts and other web applications can make use of this delegation to perform operations on the client's behalf

References
- These Slides
- Project Documentation
- MyProxy/Pubcookie Integration Documentation
- J. Martin, J. Basney, and M. Humphrey. Extending Existing Campus Trust Relationships to the Grid through the Integration of Pubcookie and MyProxy. 2005 International Conference on Computational Science (ICCS 2005), Emory University, Atlanta, GA, May 22-25, 2005.

Questions?
Mike Freemon, National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign, IL, USA