NSF Middleware Initiative: GridShib
Tom Barton, University of Chicago
NSF Middleware Initiative (NMI) Grant: Policy Controlled Attribute Framework
What: shibbolize NMI Grids. We call it "GridShib".
Participants:
- Von Welch, UIUC/NCSA (PI)
- Kate Keahey, UChicago/Argonne (PI)
- Frank Siebenlist, Argonne
- Tom Barton, UChicago
Duration: 2 years starting December 1, 2004
Coordination already established with the related JISC-funded project at Oxford.
I2MM Fall 2004
Critical mass of impending need
Two types of grid use cases:
- Large grid with far-flung participants and several types of roles among them. Examples: NEESgrid, Earth System Grid, TeraGrid, Grid3 (GriPhyN, iVDGL, and PPDG). The grid-mapfile approach (a per-resource file mapping each certificate DN to a local account) doesn't scale.
- Centralized access to campus grid resources for research computing. Examples: UChicago, USC, UAB.
Enterprise middleware value proposition fits VOs too
- Leverage Identity Provider operations at participants' home organizations rather than duplicate Identity Provider activities within each Virtual Organization.
- Participants use familiar home-issued credentials.
- Ease the resource provider's burden by removing the need to act as an Identity Provider too.
- Overall security and auditability are improved by locating these support functions with IT staff tasked specifically for such purposes.
Time is finally right
- Others are now trying non-browser-based shibbolization approaches roughly analogous to what we envision.
- Shibboleth and SAML have shown how to authorize the anonymous user.
- NMI Grid componentry provides sufficiently abstracted security-related interfaces and services.
- Plug: all code elements in the prospective solution are NMI components. We're building on the work of many people over 3+ years.
Grid-Shib integration essentials
Design principles:
- No modification to typical grid client applications.
- No change to Shibboleth's model of administrative and end-user maintenance of attribute release policies.
- Leverage high-quality campus Identity Provider operations.
Accommodations for Grid shibbolization:
- Identity Provider discovery (pull models): the grid resource must learn which Attribute Authority to query for the user who presented a credential.
- Basic sequence of events (push models): the client obtains its attributes before contacting the resource and presents them together with its credential.
- Use of an identifier in the X.509 certificate as a subject handle for use by the Attribute Authority.
Project activities
- Gather use cases and requirements.
- Extend and test Globus Toolkit, GridLogon, and the Shibboleth Attribute Authority to enable 4 modes of operation:
  - User identified, attributes pulled
  - User identified, attributes pushed
  - User pseudonymous, attributes pulled
  - User pseudonymous, attributes pushed
Highlighted elements of potential solution
- Globus Toolkit 4.0's support of WSRF (Web Services Resource Framework): transportable End Point References, used to identify the Attribute Authority and the grid resource to each other.
- GridLogon extensions (GridLogon is itself an extension of MyProxy): integrate with the local authentication service; cryptographically bind identified and anonymous X.509 certificate pairs.
User pseudonymous, attributes pulled (sequence diagram; figure not reproduced here)
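The following is an added illustration of the four modes of operation listed under "Project activities" and of the pseudonymous-pull sequence sketched in the slide above; it is example code written for this page, not GridShib, Globus or Shibboleth code. It assumes a toy model in which the identifier extracted from the X.509 subject DN (or an opaque pseudonym that only the Attribute Authority can map back to a user) is the subject handle, the AA applies the per-relying-party attribute release policy before answering, and the grid resource either pulls an assertion from the AA or accepts one the client pushed. All DNs, handles, attribute values and the HMAC key are constructed for the example; the HMAC over a canonical JSON payload stands in for the XML signature on a SAML assertion, and network calls to the AA are plain function calls.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data for this example; none of it comes from the GridShib project.
# A shared HMAC key stands in for the AA signing certificate that a resource would trust.
AA_KEY = b"example-attribute-authority-key"
ASSERTION_LIFETIME = 300  # seconds

# Identity Provider records, keyed by the identifier the campus CA places in the subject DN.
IDP_USERS = {
    "/DC=org/DC=example/OU=People/CN=Alice Example 12345": {
        "eduPersonPrincipalName": "alice@example.org",
        "eduPersonAffiliation": ["member", "staff"],
        "eduPersonEntitlement": ["urn:mace:example.org:grid:neesgrid"],
    },
}

# Opaque handles for the pseudonymous modes; only the AA can map one back to a user.
PSEUDONYM_TABLE = {"_7c2f0e91": "/DC=org/DC=example/OU=People/CN=Alice Example 12345"}

# Attribute release policy per relying party (the Shibboleth model GridShib leaves unchanged).
RELEASE_POLICY = {
    "grid.example.edu": {"eduPersonAffiliation", "eduPersonEntitlement"},
    "*": {"eduPersonAffiliation"},  # any other requester is told affiliation only
}

REQUIRED_ENTITLEMENT = "urn:mace:example.org:grid:neesgrid"


def _sign(payload):
    """HMAC over canonical JSON; stands in for the assertion's XML signature."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(hmac.new(AA_KEY, data, hashlib.sha256).digest()).decode()


def resolve_handle(handle):
    """Map a subject handle (full DN or pseudonym) to an IdP user record, or None."""
    return IDP_USERS.get(PSEUDONYM_TABLE.get(handle, handle))


def aa_attribute_query(handle, requester, now=None):
    """Attribute Authority side: answer an attribute query and sign the result.

    The release policy is applied here, so a resource never sees attributes that
    the user or IdP administrator did not release to it.  Unknown handle -> None.
    """
    user = resolve_handle(handle)
    if user is None:
        return None
    allowed = RELEASE_POLICY.get(requester, RELEASE_POLICY["*"])
    issued = int(now if now is not None else time.time())
    payload = {
        "subject": handle,  # the AA asserts about the handle it was asked about
        "audience": requester,
        "issued": issued,
        "expires": issued + ASSERTION_LIFETIME,
        "attributes": {k: v for k, v in user.items() if k in allowed},
    }
    return {"payload": payload, "signature": _sign(payload)}


def verify_assertion(assertion, handle, requester, now=None):
    """Resource side: check signature, subject binding, audience and validity window."""
    if assertion is None:
        return False
    payload = assertion.get("payload", {})
    if not hmac.compare_digest(_sign(payload), assertion.get("signature", "")):
        return False  # tampered, or not issued by the AA this resource trusts
    now = now if now is not None else time.time()
    return (
        payload.get("subject") == handle  # about the credential actually presented
        and payload.get("audience") == requester  # not replayed from another resource
        and payload.get("issued", 0) <= now < payload.get("expires", 0)
    )


def resource_authorize(handle, requester, pushed_assertion=None, now=None):
    """Grid resource: authorize the subject of an X.509 credential in any of the four modes.

    `handle` is the identifier taken from the certificate (DN or pseudonym).  A pushed
    assertion is used if the client supplied one; otherwise one is pulled from the AA.
    Both paths go through the same verification and entitlement check.
    """
    assertion = pushed_assertion
    if assertion is None:
        assertion = aa_attribute_query(handle, requester, now=now)  # pull model
    if not verify_assertion(assertion, handle, requester, now=now):
        return False, "no valid attribute assertion for subject"
    attrs = assertion["payload"]["attributes"]
    if REQUIRED_ENTITLEMENT in attrs.get("eduPersonEntitlement", []):
        return True, "entitlement present"
    return False, "required entitlement not released or not held"


if __name__ == "__main__":
    dn = "/DC=org/DC=example/OU=People/CN=Alice Example 12345"
    print("identified, pulled:   ", resource_authorize(dn, "grid.example.edu"))
    print("pseudonymous, pulled: ", resource_authorize("_7c2f0e91", "grid.example.edu"))
    pushed = aa_attribute_query("_7c2f0e91", "grid.example.edu")
    print("pseudonymous, pushed: ", resource_authorize("_7c2f0e91", "grid.example.edu", pushed))
    print("policy withholds:     ", resource_authorize(dn, "other.example.edu"))
```

Two details carry the security weight. The resource checks that the assertion's subject equals the handle taken from the credential it actually received, which is what ties the attributes to the certificate holder in the push modes; and the audience check stops an assertion released to one resource from being replayed to another whose release policy would have withheld the entitlement. In the pseudonymous modes the resource only ever sees the opaque handle, so linking a session back to a person requires the AA's cooperation.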
Timeline
- December 1, 2004: formal start
- Year 1, basic integration: code supporting the pull model with the user identified
- Year 2, advanced integration: code supporting push and user pseudonymity
Bigger picture proposition
The middleware value proposition applies to common infrastructure enabling run-time VO security services:
- Identity management systems
- Authentication services and certificate authorities
- Attribute services like the Shibboleth Attribute Authority
... and potentially to common infrastructure for managing VO privileges and groups:
- VOMS
- CAS
- Permis
- Signet
- Grouper