A AAAA Model to Support Science Gateways with Community Accounts GGF-14 Science Gateways Workshop June 28, 2005 Von Welch, James Barlow, James Basney,
Presentation transcript:

Slide 1: A AAAA Model to Support Science Gateways with Community Accounts
GGF-14 Science Gateways Workshop, June 28, 2005
Von Welch, James Barlow, James Basney, Doru Marcusiu

Slide 2 [footer: 6/28/2005 GSI Credential Management AAAA Science Gateway Model]: AAAA Model
- Authentication
- Authorization
- Auditing
- Accounting

Slide 3: Outline
- Motivation
  - Traditional AAAA Computing Model
- Proposed AAAA Model
- Current work and Future Challenges

Slide 4: Traditional AAAA Model
- All users have accounts at each site/resource
  - NxN matrix
- Users access resources through low-level interfaces
  - E.g. Unix shells, FTP sessions
- Resource takes care of all the As

Slide 5: Traditional HPC Usage
[Diagram: user shell sessions (% ls, % foo) against a resource; labels: Authn, OS (Authz), Audit, Accounting]

Slide 6: Traditional HPC Usage
[Diagram: the same shell sessions (% ls, % foo) repeated for each user]

Slide 7: Motivation
- Shell-level access to resources is great for power users, but has a steep learning curve
  - Many SG users just need a domain-specific interface, e.g. they are not developing or deploying application codes
- Each resource/site has to maintain state about every user
  - Scalability problems for large/dynamic user communities
- No abstraction: users must adapt to all changes in resources

Slide 8: Our AAAA Model
- SG acts as an interface between the community and its resources
- Much like a traditional Grid Portal, it provides a domain-specific interface
- However, unlike portals, it exists as a trusted entity in its own right, allowing the resource to outsource AAAA functionality to the SG
- Resource runs all commands in a community account, which constrains what the community can do; the account can be restricted to a few community applications

Slide 9: Conceptual Model
[Diagram: shell sessions (% ls, % foo) repeated for several users]

Slide 10: Goals of Model
- Model is primarily about how one splits the AAAA responsibility between the SG and the resource
- In general, the resource must trust the SG to some degree to provide this functionality, in exchange for offloading the effort

Slide 11: Authentication and Authorization
- Two modes: Simple and Authorization Credential
- Both allow the SG to manage the user community
- The Authorization Credential mode is more complex to deploy, but provides more information to the resource

Slide 12: Simple Auth[nz] Model
[Diagram: shell session (% ls, % foo); label: Authn]
- Authentication becomes the role of the SG
  - Users known only to the SG
- Resource trusts the SG to do authentication
- SG authenticates to the resource with its own credential
- Portal enforces authorization by constraining what actions a user can perform

Slide 13: Authz Credential Model
[Diagram: shell session (% ls, % foo); labels: Authn, Authz Cred]
- Authentication still the role of the SG
  - Users known only to the SG
- SG augments user credentials with authz credentials
  - E.g. CAS, GAMA, Shibboleth, IU LEAD work
- Resource trusts the SG to do authentication and trusts authz credentials from the SG
  - Doesn't know the user, but trusts what the SG says about the user
- Resource knows a user identifier (may not be that useful, more later)

Slide 14: Auditing Model
[Diagram: shell session (% ls, % foo); label: Auditing]
- Site still keeps details of what each job does
- Site may want to contact the user
  - Suspicious activity, job running amok
- SG is the only way to map a particular job to a user
- SG has all the contact information for the user
- Resource may know a user identifier, but the contact information it needs is only in the SG user database

Slide 15: Accounting Model
[Diagram: shell session (% ls, % foo); label: Accounting]
- Site has all the details of what resources each job consumes
  - May know the user who launched them (in authz credential mode)
- SG needs this information
  - For reporting, authorization, catching mistakes
- Need a mechanism to allow the resource to report back to the SG regularly
  - And allow the SG to map the usage of a job back to a user

Slide 16: Outstanding Challenges
- How to identify a job between the SG and the resource?
  - "/bin/foo run at 15:38:13 (my time)" is not very accurate
- Standard template for resource/SG agreement
  - Akin to a certificate policy
- Acceptance of group accounts
  - Convince folks it's OK to outsource
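As an added illustration of the auditing and accounting slides and the job-identification challenge above (example code written for this transcript, not from the talk or any TeraGrid project), the toy model below has the Science Gateway authenticate its own users, run every job under one community account, and issue a job id that both sides key their records on, so the resource's usage report can be mapped back to users and a suspicious job can be traced to a contact address. The account name "gridchem", the allowed application "foo", the users and the CPU figures are constructed for the example.

```python
"""Toy model of the deck's AAAA split: users are known only to the Science Gateway (SG),
the resource runs every job in one community account, and an SG-issued job id is the
handle both sides share for auditing and accounting. Names and figures are constructed."""
import hashlib, os, secrets

COMMUNITY_ACCOUNT = "gridchem"   # constructed community account name
ALLOWED_APPS = {"foo"}           # the few applications the restricted account may run

class Resource:
    """HPC site: sees the community account and job ids, never the SG's users."""
    def __init__(self):
        self.usage = {}          # job id -> CPU seconds consumed
    def run(self, account, job_id, app, cpu_seconds):
        if account != COMMUNITY_ACCOUNT or app not in ALLOWED_APPS:
            raise PermissionError(f"{account} may not run {app}")
        # Accounting is keyed by the SG-issued job id, not by a wall-clock timestamp.
        self.usage[job_id] = self.usage.get(job_id, 0) + cpu_seconds
    def report(self):            # periodic accounting report sent back to the SG
        return dict(self.usage)

class Gateway:
    """SG: authenticates its own users, submits as the community account, keeps job -> user."""
    def __init__(self, resource):
        self.resource, self.users, self.jobs = resource, {}, {}
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def register(self, user, password, email):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt), email)
    def authenticate(self, user, password):
        rec = self.users.get(user)
        return rec is not None and secrets.compare_digest(rec[1], self._hash(password, rec[0]))
    def submit(self, user, password, app, cpu_seconds):
        """Authn at the SG, authz via ALLOWED_APPS, execution under the community account."""
        if not self.authenticate(user, password):
            raise PermissionError("unknown user or bad password")
        job_id = secrets.token_hex(8)      # the job handle both sides will use
        self.jobs[job_id] = user           # the audit mapping only the SG holds
        self.resource.run(COMMUNITY_ACCOUNT, job_id, app, cpu_seconds)
        return job_id
    def contact_for_job(self, job_id):     # auditing: the site asks who ran a job
        return self.users[self.jobs[job_id]][2]
    def usage_by_user(self):               # accounting: fold the per-job report onto users
        totals = {}
        for job_id, secs in self.resource.report().items():
            user = self.jobs.get(job_id, "<unattributed>")
            totals[user] = totals.get(user, 0) + secs
        return totals
```

The resource never sees a user name; the only link from a job back to a person is the SG's job table, which is exactly the dependency the auditing slide describes.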

Slide 17: Outstanding Challenges (cont.)
- Restricted accounts
  - Cookbook to restrict an account to certain applications
- Sandboxing of users from each other
- Community administrators
  - Those who set up the group account

Slide 18: The obligatory last slide…
- NCSA is working on a real-world deployment with the GridChem community
- Acknowledgements to the TeraGrid Science Gateway RAT and all the interviewed Portals
- Complaints to