A Grid Authorization Model for Science Gateways

Presentation transcript:

Slide 1 of 25. A Grid Authorization Model for Science Gateways. Tom Scavo, Jim Basney, Terry Fleury, Von Welch. National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign. June 11, 2008.

Slide 2 of 25. Classic Science Gateway. A science gateway is a convenient intermediary between a browser user and a grid resource provider. (Diagram: the Science Gateway comprises Web Browser, Web Authn, Web Interface, Webapp and WS GRAM Client; the Resource Provider comprises a Java WS Container hosting the WS GRAM Service, plus a community account. Key: community credential.) http://gridshib.globus.org/

Slide 3 of 25. Classic Science Gateway. Each gateway is issued a community credential that uniquely identifies the gateway. (Diagram: as on slide 2.)

Slide 4 of 25. Classic Science Gateway. Resource providers associate the community credential with a local community account. (Diagram: as on slide 2.)

Slide 5 of 25. Classic Science Gateway. To submit a job, a browser user typically authenticates to the gateway by presenting a username and password. (Diagram: as on slide 2.)

Slide 6 of 25. Classic Science Gateway. The gateway then issues a short-lived proxy credential signed by its community credential. (Diagram: as on slide 2, with a proxy credential added at the gateway.)

Slide 7 of 25. Classic Science Gateway. The gateway submits the job on the user's behalf, authenticating as itself to the resource. (Diagram: as on slide 6, with the proxy certificate now presented by the WS GRAM Client to the WS GRAM Service.)

Slide 8 of 25. Classic Science Gateway. The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate. (Diagram: as on slide 7.)

Slide 9 of 25. Classic Science Gateway. After the job is executed, the result is returned to the browser user via the gateway web interface. (Diagram: as on slide 7.)

Slide 10 of 25. Classic Science Gateway. So what's wrong with this classic science gateway scenario? (Diagram: as on slide 7.)

Slide 11 of 25. Classic Science Gateway. All requests look exactly the same to the resource provider! (Diagram: as on slide 7; browser users jsmith and mjones both arrive at the resource provider as the single community account commacct.)

Slide 12 of 25. Classic Science Gateway. Resource providers need gateway user information for accounting and incident response.

Slide 13 of 25. Grid Authorization Model for Gateways. An enhancement to the community account model increases the information flow between the gateway and the resource provider. (Diagram: as on slide 2, with the gateway Webapp now calling the GridShib SAML Tools, which receive the username and attributes from Web Authn, and the Java WS Container at the resource provider now including GridShib for GT. Key: community credential.)

Slide 14 of 25. Grid Authorization Model for Gateways. Two new GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens. (Diagram: as on slide 13.)

Slide 15 of 25. Grid Authorization Model for Gateways. Again the browser user authenticates to the gateway by presenting a username and password. (Diagram: as on slide 13.)

Slide 16 of 25. Grid Authorization Model for Gateways. This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token. (Diagram: as on slide 13, with a proxy credential carrying a SAML token added at the gateway.)

Slide 17 of 25. Grid Authorization Model for Gateways. The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail). (Diagram: as on slide 16, with the proxy credential expanded as follows.)
X.509 Proxy Credential
Issuer: Science Gateway
Subject: Science Gateway+
X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12:
<saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion>

Slide 18 of 25. Grid Authorization Model for Gateways. The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token. (Diagram: as on slide 16, with the proxy certificate and its SAML token now presented by the WS GRAM Client to the WS GRAM Service.)

Slide 19 of 25. Grid Authorization Model for Gateways. GridShib for GT extracts the SAML token from the proxy certificate and writes the information to a log file. (Diagram: as on slide 18, with Logs and a Security Context added at the resource provider.)

Slide 20 of 25. Grid Authorization Model for Gateways. GridShib for GT compares the information in the security context to the blacklist, denying access if any request info is on the blacklist. (Diagram: as on slide 19, with a Blacklist Policy added at the resource provider.)
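A worked example of the two flows described on slides 2 through 20, added here and not part of the slide deck or of the GridShib software (which is Java): a Go program in which the gateway issues a short-lived proxy certificate signed by its community credential and, in the enhanced model, binds a SAML assertion naming the end user into the X509v3 extension with the OID shown on slide 17; the resource provider then authenticates the gateway by verifying the proxy chain, extracts the end-user name from the extension into its audit record, and denies the request if the gateway identity or the end user is on the blacklist. Assumptions beyond the slides: the community credential is a self-signed ECDSA certificate standing in for one issued by a grid CA, the proxy subject is a plain CN rather than the RFC 3820 form, the assertion is unsigned and carries only a NameID, the Record type and function names are constructed for this example, and the user "mallory" and the blacklist containing it are constructed test data ("trscavo" is the name on slide 17).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var samlExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3536, 1, 1, 1, 12} // extension OID from slide 17
var ErrBlacklisted = errors.New("request denied by blacklist policy")

// samlAssertion mirrors the simplified <saml:Assertion><saml:NameID> shape on slide 17;
// a real SAML 2.0 assertion carries more elements and a signature (not modelled here).
type samlAssertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	NameID  string   `xml:"NameID"`
}

// Record is the constructed shape of the audit entry the resource provider writes per request.
type Record struct {
	Gateway string // identity authenticated from the proxy certificate chain
	EndUser string // NameID from the bound SAML token; empty in the classic model
}

// must keeps the credential setup short: panic on error (never used on the request path).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCommunityCredential: self-signed stand-in for the gateway's community credential (assumption: a real one comes from a grid CA).
func newCommunityCredential() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Science Gateway"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueProxy (gateway side): a short-lived proxy certificate, as DER, signed by the community credential.
// With user == "" it is the classic proxy; otherwise a SAML token naming the end user is bound into it
// through the extension, which is what the GridShib SAML Tools do.
func issueProxy(commCert *x509.Certificate, commKey *ecdsa.PrivateKey, user string) []byte {
	proxyKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{ // RFC 3820 subject naming simplified to a plain CN
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: "Science Gateway proxy"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if user != "" {
		token := must(xml.Marshal(samlAssertion{NameID: user}))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: samlExtOID, Value: token}}
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, commCert, &proxyKey.PublicKey, commKey))
}

// authorize (resource provider side, the GridShib for GT step): authenticate the gateway via the proxy
// chain, extract the SAML token into the audit record, and deny if gateway or end user is blacklisted.
func authorize(proxyDER []byte, trusted *x509.Certificate, blacklist map[string]bool) (Record, error) {
	proxy, err := x509.ParseCertificate(proxyDER)
	if err != nil {
		return Record{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	if _, err := proxy.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return Record{}, fmt.Errorf("gateway authentication failed: %w", err)
	}
	rec := Record{Gateway: proxy.Issuer.CommonName} // the only identity the classic model can key on
	for _, ext := range proxy.Extensions {         // a classic proxy carries no token, so EndUser stays ""
		if ext.Id.Equal(samlExtOID) {
			var a samlAssertion
			if err := xml.Unmarshal(ext.Value, &a); err != nil {
				return Record{}, fmt.Errorf("malformed SAML token: %w", err)
			}
			rec.EndUser = a.NameID
		}
	}
	if blacklist[rec.Gateway] || (rec.EndUser != "" && blacklist[rec.EndUser]) {
		return rec, ErrBlacklisted
	}
	return rec, nil
}

func main() {
	commCert, commKey := newCommunityCredential()
	for _, user := range []string{"", "trscavo", "mallory"} { // classic, enhanced, enhanced but blacklisted (constructed)
		fmt.Println(authorize(issueProxy(commCert, commKey, user), commCert, map[string]bool{"mallory": true}))
	}
}
```

Two classic proxies produce identical records with an empty EndUser, which is the slide 11 point; the enhanced proxies carry the name through to the record, and the blacklisted one is refused even though the gateway itself authenticated correctly. Because authorize only reads the extension after the chain has been verified against the trusted community credential, the end-user name is only ever taken from a certificate the gateway actually signed.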

Slide 21 of 25. Grid Authorization Model for Gateways. As before, after the service executes the job, the result is returned to the browser user via the gateway web interface. (Diagram: as on slide 20. Slide 22 repeats this slide's text and diagram.)

Slide 23 of 25. Integration with TeraGrid Central Database. The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource. Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting. (Diagram: at the Resource Provider, the Java WS Container with GridShib for GT and the WS GRAM Service maintain the Security Context, Logs and Blacklist Policy; a security table and a GRAM audit table feed the TGCDB through an AMIE upload.)

Slide 24 of 25. Summary. Using GridShib SAML Tools, science gateways send user attributes to resource providers. Using GridShib for GT, resource providers use these attributes to perform auditing, incident response, and attribute-based access control. The TeraGrid central database captures TeraGrid-wide accounting data.

Slide 25 of 25. Acknowledgments. GridShib Project PIs: Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist. GridShib Developers: Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim Freeman, Raj Kettimuthu, Tom Scavo. The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF. The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA. Thank You!