Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011
Identity federation
Goal: to allow users in one organisation to access resources in another, using their home credentials
Requires additional infrastructure, trust and policy; this is often known as a “federation”.
Significant benefits for users, identity providers and service providers
– Makes it easier for identity providers to adhere to data protection legislation.
– SSO reduces the helpdesk burden for identity and service providers.
– Simpler credential management (which also poses new problems)
Several identity federations exist nowadays
Project Moonshot
Using federated identity in a broad range of non-web environments
Authentication and attribute management are done on the IdP
Targets commonly deployed services
– Mail, file stores, remote access, instant messaging, …
– Also focuses on clouds, grids, HPC, …
Built on tested and proven components
– EAP, RADIUS, SAML, GSS-API
– Strong focus on standardization
Moonshot Architecture
Moonshot project
Started in Spring 2010, led by JANET (UK)
Co-funded by GÉANT and JANET
Basic cornerstone(s) delivered recently
Basic developer/deployer docs available
Several applications moonshot’ed
– Jabber server/client, OpenLDAP, OpenSSH
– Apache, Firefox
– MyProxy
– With no or minimal changes to the code base
IETF Standardization
Application Bridging for Federated Access Beyond web (ABFAB) WG
“… a federated mechanism for use by other Internet protocols not based on HTML/HTTP …”
Several IETF drafts under development
– Use cases, architecture, missing technology
Standards to be delivered by Dec 2011
Moonshot opportunities for Grids
Easier access to the infrastructure for users
– No need to obtain PKI credentials in advance (transparent conversions)
– Using “friendly” credentials (native federated authN)
Simpler VO establishment and management
– Based (at least partly) on users’ “home” attributes
– Attractive for small (starting) VOs
(Pseudo)anonymity
Moonshoting MyProxy
Matter of configuration and tiny code changes
– Not Moonshot-specific, hopefully fixed in mainstream
Both CA and repository mode supported
– Attributes can be added to X.509
Grid credentials can be obtained using federated identity:
myproxy-logon -l -s server -n
Future moonshoting: L&B
L&B is a job monitoring service collecting information about jobs
Security layer written using GSS-API
– Easy transition to other security mechanisms
No PKI needed to access a moonshot-enabled L&B
User mapping needed (not done)
Identity Federation
[Diagram: Federated Access. Users of Org 1 and Org 2 are allowed access to the resources of Org 1 and Org 2 (CE, SE, …): SSH, NFSv4, L&B, WMS, CREAM. Users hold “home” credentials (e.g., passwords); MyProxy issues “grid” credentials (X.509).]
Users’ passwords are NOT exposed to the services
Users don’t need new credentials
Authorization rules can utilize users’ “home” attributes
Information about users is up to date
Users do not need to register in advance
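The trust split the diagram describes (the service relays the EAP exchange to the user's home IdP, never handles the password, and authorizes on the attributes the IdP releases), as an added Python simulation that is not part of the slides or of the Moonshot project. It assumes EAP-MD5 (RFC 3748) as the EAP method, replaces the RADIUS transport and SAML attribute statement with direct calls, and uses constructed sample users.

```python
import hashlib
import hmac
import os

# Constructed sample data: Org1's home identity store (password + attributes).
HOME_USERS = {"alice@org1.example": ("correct horse", {"group": "vo-bio", "affiliation": "staff"})}

def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 response (RFC 3748 section 5.4): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()

class HomeIdP:
    """Org1's identity provider: the only party that ever handles the password."""

    def __init__(self, users):
        self.users, self.pending = users, {}

    def challenge(self, identifier, user):
        c = os.urandom(16)
        self.pending[identifier] = (user, c)
        return c

    def verify(self, identifier, response):
        user, c = self.pending.pop(identifier)
        rec = self.users.get(user)
        if rec and hmac.compare_digest(eap_md5_response(identifier, rec[0], c), response):
            return dict(rec[1])  # attributes released to the service (SAML in Moonshot)
        return None

class Service:
    """Moonshot-enabled service in Org2: relays opaque EAP messages to the home IdP
    (over RADIUS in the real architecture) and authorizes on the returned attributes."""

    def __init__(self, idp, allowed_groups):
        self.idp, self.allowed, self.wire = idp, set(allowed_groups), []

    def login(self, user, client_answer):
        identifier = 1
        c = self.idp.challenge(identifier, user)
        r = client_answer(identifier, c)  # computed on the user's machine, not here
        self.wire += [c, r]  # everything the service ever observes
        attrs = self.idp.verify(identifier, r)
        return attrs is not None and attrs.get("group") in self.allowed

def run(password="correct horse"):
    """Return (access granted?, password bytes observed on the service side?)."""
    svc = Service(HomeIdP(HOME_USERS), {"vo-bio"})
    granted = svc.login("alice@org1.example", lambda i, c: eap_md5_response(i, password, c))
    return granted, any(password.encode() in m for m in svc.wire)
```

With the right password the service grants access purely on the released "group" attribute; with a wrong one it refuses, and in neither case does the password appear in anything the service saw.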