Attribute-based Authentication for Gateways
Jim Basney, Terry Fleury, Stuart Martin, JP Navarro, Tom Scavo, Jon Siwek, Von Welch, Nancy Wilkins-Diehr


Gateway Objectives for PY4 and 5
TeraGrid integration will be straightforward for new and existing gateway developers
There will be a set of easy to discover general services provided by and for Gateways
The targeted support program will be well-organized
We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users
There will be a funded cross-directorate gateway program at the NSF
Presented December, 2007

We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users
A unique identifier for each end gateway user per community account must exist in TGCDB
Gateways will need to transmit and TGCDB will need to receive this additional identifier through any job submission mechanism
Attribute-based authentication in production and easy to use
Presented December, 2007

How will we meet those goals?
Attribute-based authentication
  –In our case, GridShib for Globus
  –Fantastic documentation and assistance
    Thanks Jim Basney, Tom Scavo, Terry Fleury
  – =Science_Gateway_Credential_with_Attributes
From the April, 2009 TeraGrid review panel
  –“The TG has stated the goal of switching to an attribute-based authentication mechanism for all Gateways by September of The panel recommends that every effort be made to complete this work on schedule.”

How will this be made available at RP sites?
science-gateway CTSS kit, which includes commsh
  –NCSA-developed, PSC-enhanced tool to restrict community accounts
  –http://teragridforum.org/mediawiki/index.php?title=Community_Shell
GridShib for Globus Toolkit
  –NCSA-developed tool to collect, process, store and log attributes
    Future TG-specific efforts will store these in the TGCDB
  – Installation instructions – registration/README.install

Ambitious, but achievable goal
By September, 2009 all jobs submitted by community accounts will include attributes with unique user identifiers to be stored in the TGCDB
Next steps
  –RP testing through Feb 2009
  –Globus Toolkit released Feb 2009
  –Capability Kit V2 released Mar 2009
  –Production installations of Capability Kit V2
  –6-month gateway transition – March through August
    News postings, education process, log analysis to identify who still needs to make the switch, lots of support
  –Big party in September!
Presented January, 2009

What’s happened between January and now?
One word - GRAM5
Two words – party delayed
GRAM5 replacing GRAM2 (aka pre-WS GRAM)
  –AAAA changes incorporated only in GRAM5 since GRAM2 is being retired
  –ssh support only in GRAM5
So, now we must wait for a production version of GRAM5 before we have attribute support for pre-WS GRAM and ssh

GRAM5 timeline
Alpha versions installed
  –QueenBee and Abe, thanks!
Sept 15, 2009 news posted about GRAM5 availability for testing
Steps to TeraGrid availability
  –Globus staff completes GT (December 2009)
  –VDT patching and verification (Alain Roy, 1-2 wks)
  –GIG staff completes TeraGrid packaging (1-2 wks)
  –ADs plan TG-wide deployment
    NOS (and RPs), UFP, software-wg, user services, gateways

Additional info
Also need site-local accounting scripts to send attributes to TGCDB
  –RP accounting staff
Who’s already done?
  –NICS has installed GT4 with attributes
    Thank you Victor and Rick
    Thank you Matthew at NCAR for attribute support in AMP gateway which is running on Kraken
  –Early “attribute-enhanced” GT4 install experiences
    A novice RP should set aside maybe 1 week to do the entire install (being very generous), and an expert GRAM4 admin should be able to do the entire install in 2 days
Side note
  –Jon Siwek replaces Tom Scavo supporting this effort at NCSA
    Thanks for replacing such a key team member promptly

Gateway User Count Quarterly Meeting
[Diagram. Labels: Science Gateway; Resource Provider; Web Browser; Web Interface; Web Authn; Webapp; username; attributes; GridShib SAML Tools; community credential; proxy credential; proxy certificate; SAML; Key; WS GRAM Client; GridShib for GT; WS GRAM Service; Java WS Container (with GridShib for GT); Security Context; Blacklist Policy; Logs]
Science Gateways add user attributes to the community credential and deliver those attributes to the Resource Provider, where they are logged and used for blacklisting.

Gateway User Count Quarterly Meeting
[Diagram. Labels: Resource Provider; GridShib for GT; WS GRAM Service; Java WS Container (with GridShib for GT); Security Context; Blacklist Policy; Logs; Security table; GRAM audit table; AMIE upload; TGCDB]
The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.
Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.
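
An added illustration, not taken from the slides or from GridShib for GT, of what the two diagrams above describe: because each request carries a per-user attribute alongside the community credential, the resource provider can block one end user without disabling the whole community account, and can count distinct end users per account. The record fields, identifiers and the deny-when-attribute-missing policy are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (not real GRAM audit data). Each job request
# names the shared community account plus the per-user attribute that the
# gateway attached to the community credential. Field names are hypothetical.
REQUESTS = [
    {"job": "j1", "community_account": "gateway_a", "gateway_user": "alice@gateway-a.example"},
    {"job": "j2", "community_account": "gateway_a", "gateway_user": "bob@gateway-a.example"},
    {"job": "j3", "community_account": "gateway_a", "gateway_user": "alice@gateway-a.example"},
    {"job": "j4", "community_account": "gateway_b", "gateway_user": "carol@gateway-b.example"},
    {"job": "j5", "community_account": "gateway_a", "gateway_user": None},  # attribute missing
]

# Hypothetical resource-provider blacklist, keyed on the end-user identifier
# rather than on the community account.
BLACKLIST = {"bob@gateway-a.example"}


def authorize(request, blacklist, require_attributes=True):
    """Return (allowed, reason) for one request."""
    user = request.get("gateway_user")
    if not user:
        # Without the attribute the RP sees only the shared account, so the
        # request cannot be tied to an end user. Assumed policy: deny.
        return (not require_attributes, "no end-user attribute")
    if user in blacklist:
        return (False, "end user blacklisted")
    return (True, "ok")


def process(requests, blacklist):
    """Log a decision per request and count distinct end users of allowed jobs."""
    audit_log = []
    users = defaultdict(set)
    for req in requests:
        allowed, reason = authorize(req, blacklist)
        audit_log.append((req["job"], req["community_account"],
                          req["gateway_user"], allowed, reason))
        if allowed:
            users[req["community_account"]].add(req["gateway_user"])
    counts = {account: len(ids) for account, ids in users.items()}
    return audit_log, counts


if __name__ == "__main__":
    log, counts = process(REQUESTS, BLACKLIST)
    for entry in log:
        print(entry)
    print(counts)
```

The blacklisted user's job j2 is refused while j1 and j3, submitted through the same community account, still run.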

Gateway kit installed at 4 sites today
Installed on
  –Abe
  –Lonestar
  –NCSA IA64 (testing)
  –Kraken
  –QueenBee
  –Condor (testing)
  –Steele (testing)
Not installed on
  –Lincoln
  –Cobalt
  –Big Red
  –Ranch
  –Spur
  –Pople
  –BigBen
  –ORNL cluster
  –Frost

Sites to target
Sites available after 3/31/10
  –Lincoln
  –Cobalt
  –Big Red
  –Ranch
  –Spur
  –Pople
  –BigBen
  –ORNL cluster
  –Frost
New systems
  –Track 2 C, D
  –XD vis/data systems at NICS, TACC
  –Others?

Community Account Usage by Site in 2008
Over 2M CPU hours used by community accounts in 2008

Over 8M CPU hours used by community accounts in 2009, 4x that of 2008!
Community Account Usage by Site in 2009
New gold star in 2009 for TACC
69% of all community account usage

2009 TeraGrid staff activities for reference
Apr-Jun 2009 Accomplishments
  –Completed GridShib SAML Tools support for accounting integration
    Obtains gateway user attributes from GRAM Audit DB for inclusion in AMIE packets
  –Demonstrated attribute delivery from GISolve to NCSA GRAM Audit DB
  –Verified attribute integration in RENCI Gateway
  –CTSS Science Gateway Kit deployed in production at LONI and TACC
Jul-Sep 2009 Plans
  –Develop support for SSH-based gateways
  –Assist with testing GRAM2/GRAM5 attribute support
  –Improve test site (http://gstest.ncsa.uiuc.edu/) to support GRAM2/GRAM5 submissions and test GRAM Audit
  –Support gateway delivery of attributes to RPs
  –Support deployment of Science Gateway Kit at RPs
  –Support AMIE integration by RP accounting administrators

Jul-Sep 2009 Accomplishments
  –Developed and documented support for SSH-based gateways
  –Assisted with testing GRAM5 deployment with gateway attribute support on QueenBee
  –Supported AMIE integration of gateway attribute support by RP accounting administrators on account-wg conference call and list
  –Updated test site (http://gstest.ncsa.uiuc.edu/) to support gateway tests using GRAM5 and provide clearer test results to gateway developers
Oct-Dec 2009 Plans
  –Assist with inclusion of GRAM5 and SSH support for gateway attributes in CTSS
  –Support gateway delivery of attributes to RPs (19 of 24 gateways remain)
    Current status at: us
  –Support deployment of Science Gateway Kit at RPs
    Current status at:
  –Support AMIE integration by RP accounting administrators
    NICS in progress; integration at other RPs pending

Next steps
Planning for GT update on TeraGrid
  –Area directors
Continued work on site-local accounting scripts to send attributes to TGCDB
  –RP accounting staff
After GT5 install, continue to work with gateways on attribute incorporation
  –Nancy, Jon
PY6 plans include nifty accounting tools from TACC to allow gateways to monitor per-user usage