Globus Security: Features and Roadmap & Building Secure VOs using Globus Toolkit Frank Siebenlist Rachana Ananthakrishnan Computation Institute, University.

Presentation transcript:

Globus Security: Features and Roadmap & Building Secure VOs using Globus Toolkit Frank Siebenlist Rachana Ananthakrishnan Computation Institute, University of Chicago & Argonne National Laboratory GlobusWorld 2008 May 13-15, Oakland, California, U.S.A.

2 Content
GT4.2 Security Features & Roadmap >Rachana Ananthakrishnan
Building Secure Virtual Organizations
–ESG: Easy PKI & OpenID; OSG & EGEE: Authorization Interoperability >Frank Siebenlist
–caBIG: GAARDS - Grid Authentication and Authorization with Reliably Distributed Services >Kunal Modi
–TeraGrid: Attribute-based Authorization for Science Gateways Using GridShib >Tom Scavo
–Break… !! GridShib-CA Demo !!
GW08: May 13-15, 2008

3 What is new? GT4.2 Security Features

4 Incubator Projects (diagram: Globus Software at dev.globus.org, laid out by area: Security, Execution Mgmt, Info Services, Common Runtime, Data Mgmt, Other, and Incubator Mgmt; named components include GridFTP, Reliable File Transfer, OGSA-DAI, Data Rep, Replica Location, GRAM, MPICH-G2, GridWay, MDS4, CAS, Delegation, GT4 C Sec, GSI-OpenSSH, MyProxy, Java Runtime, C Runtime, Python Runtime, GT4 Docs, Cog WF, LRMA, GAARDS, OGRO, GDTE, UGP, HOC-SA, PURSE, GridShib, Introduce, Dyn Acct, WEEP, Gavia JSC, Gavia MS, DDM, Virt WkSp, SGGC, Metrics, ServMark, MEDICUS)

5 Authentication
RFC 3820 compliant proxy
–Support added in 4.2
–Interoperable with other compliant implementations
Signing policy in Java security
–Required in GT 4.2 and optional in GT
–Ensures presented credentials are compliant with CA policy
–Policy configured with trusted certificates
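The signing-policy check on this slide is the step that stops a trusted CA from vouching for names outside its own namespace: a certificate is only accepted if the issuer is the CA the policy names and the subject matches one of the CA's permitted subject patterns. The following is an added example, not code from the Globus Toolkit; it parses a constructed policy written in the Globus signing_policy file layout (access_id_CA, pos_rights, cond_subjects lines) and applies that check, treating "*" as the only wildcard.

```python
import re
import shlex

# Constructed sample policy in the Globus signing_policy file layout.
# The CA name and subject namespaces are illustrative, not a real CA.
SAMPLE_SIGNING_POLICY = """\
# Constructed example: which subject namespaces this CA may sign
access_id_CA      X509         '/C=US/O=Example Grid/CN=Example Grid CA'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/C=US/O=Example Grid/OU=People/*"  "/C=US/O=Example Grid/OU=Services/*"'
"""


def parse_signing_policy(text):
    """Return (ca_dn, [permitted subject patterns]) from signing_policy text."""
    ca_dn = None
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # single-quoted fields become one token
        if len(parts) < 3:
            continue
        key, value = parts[0], " ".join(parts[2:])
        if key == "access_id_CA":
            ca_dn = value
        elif key == "cond_subjects":
            # each permitted namespace is double-quoted inside the field
            patterns.extend(re.findall(r'"([^"]*)"', value))
    if ca_dn is None or not patterns:
        raise ValueError("incomplete signing policy")
    return ca_dn, patterns


def _dn_pattern_to_regex(pattern):
    # Only '*' is treated as a wildcard (assumption for this example);
    # every other character of the DN pattern is matched literally.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def is_subject_permitted(policy_text, issuer_dn, subject_dn):
    """Accept a certificate only if its issuer is the CA named in the policy
    and its subject lies in one of that CA's permitted namespaces."""
    ca_dn, patterns = parse_signing_policy(policy_text)
    if issuer_dn != ca_dn:
        return False
    return any(_dn_pattern_to_regex(p).match(subject_dn) for p in patterns)


if __name__ == "__main__":
    ca = "/C=US/O=Example Grid/CN=Example Grid CA"
    print(is_subject_permitted(SAMPLE_SIGNING_POLICY, ca, "/C=US/O=Example Grid/OU=People/CN=Alice Example"))
    print(is_subject_permitted(SAMPLE_SIGNING_POLICY, ca, "/C=US/O=Other Org/CN=Alice Example"))
```

The second call returns False even though the issuer is fully trusted: that is exactly the case the slide's "compliant with CA policy" bullet is about, a CA certifying a name outside its namespace, and it is why GT 4.2 makes the check mandatory rather than optional.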

6 Transport Security
HTTPS connection caching
–Support in GT 4.2
–Improves performance
–Connections with the same parameters are cached
External OpenSSL support
–Required in GT 4.2 and optional in GT
–Leverages the OpenSSL installed on the local machine

7 GT 4.2 Java Authorization Framework
WS-independent system
Pluggable PIPs, PDPs and combining algorithm
Default Permit Override mechanism
All GT 4.0.x PDPs supported
Additional interceptors:
–Parameter PIP, Operation parameter
–Resource Property PDP

8 GT 4.2 Authorization Framework (diagram: the Policy Enforcement Point passes request attributes to the Authorization Engine; bootstrap PIPs bPIP1 [owner1] … bPIPn [ownerN] and PIPs PIP1 [owner1] … PIPn [ownerN] perform attribute processing; the collected attributes go to PDP1 [owner1] … PDPn [ownerN], each answering canAdmin / canAccess; a PDP combining algorithm produces the decision)
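Slides 7 and 8 describe the pipeline shape (PIPs gather attributes, PDPs each give a verdict, a combining algorithm merges them) and name Permit Override as the default. The following added example is not Globus Toolkit code; it models that pipeline in plain Python with constructed gridmap and VO-role data, and places a deny-override combiner next to permit-override to show what the default implies: with permit-override, a single permissive PDP (here a gridmap-style one) grants access even when another PDP denies. All names and the sample policy are assumptions for the illustration.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not-applicable"


@dataclass
class AuthzRequest:
    subject_dn: str            # authenticated caller (from GSI authentication)
    resource: str
    operation: str
    attributes: dict = field(default_factory=dict)   # filled in by PIPs


# ----- PIPs: collect attributes before any decision is made (constructed data) -----
GRIDMAP = {"/C=US/O=Example/CN=Alice": "alice"}               # constructed
VO_ROLES = {"/C=US/O=Example/CN=Alice": {"climate:member"}}   # constructed


def gridmap_pip(req):
    """Gridmap-style PIP: attach the local account if the DN is mapped."""
    if req.subject_dn in GRIDMAP:
        req.attributes["local-user"] = GRIDMAP[req.subject_dn]


def vo_role_pip(req):
    """VO-attribute PIP, standing in for what a VOMS/CAS/Shibboleth source supplies."""
    req.attributes["roles"] = VO_ROLES.get(req.subject_dn, set())


# ----- PDPs: each returns PERMIT, DENY or NOT_APPLICABLE -----
def local_user_pdp(req):
    """Gridmap-style PDP: anyone with a mapped local account may access."""
    return PERMIT if "local-user" in req.attributes else NOT_APPLICABLE


REQUIRED_ROLE = {"read": "climate:member", "delete": "climate:admin"}   # constructed policy


def role_pdp(req):
    """Role PDP: the operation must be covered by a VO role the caller holds."""
    role = REQUIRED_ROLE.get(req.operation)
    if role is None:
        return NOT_APPLICABLE
    return PERMIT if role in req.attributes.get("roles", set()) else DENY


# ----- combining algorithms -----
def permit_override(decisions):
    """Permit-override as used here: one PERMIT wins, regardless of any DENY."""
    return PERMIT if PERMIT in decisions else DENY


def deny_override(decisions):
    """Stricter alternative: any DENY wins; PERMIT only if nobody denies."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else DENY


def authorize(req, pips, pdps, combine):
    """Authorization engine: run all PIPs, then all PDPs, then combine."""
    for pip in pips:
        pip(req)
    return combine([pdp(req) for pdp in pdps])


PIPS = (gridmap_pip, vo_role_pip)
PDPS = (local_user_pdp, role_pdp)


def decide(subject_dn, operation, combine=permit_override):
    """Hypothetical entry point: decide one operation on a constructed resource."""
    req = AuthzRequest(subject_dn, "urn:example:dataset", operation)
    return authorize(req, PIPS, PDPS, combine)


if __name__ == "__main__":
    alice = "/C=US/O=Example/CN=Alice"
    print(decide(alice, "delete"))                 # permit: gridmap PDP overrides the role DENY
    print(decide(alice, "delete", deny_override))  # deny
```

The "delete" case is the one to keep in mind when choosing which PDPs to deploy under the default combiner: a PDP that permits broadly (a gridmap lookup, say) makes every other PDP's DENY irrelevant unless the combining algorithm is changed or that PDP is narrowed.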

9 Policy Assertions from Everywhere

10 Policy Assertions from Everywhere (diagram: assertion and policy sources feeding the framework: CAS, Shib, LDAP, Handle, GUMS, Grouper, VOMS, PERMIS, XACML, SAML, SAZ, Gridmap, and further sources marked ???)

11 Community Authorization Service
Derby database support
–Ease of install and configuration
WS Policy support
–Used for fine-grained authorization of WS calls
Local PDP
–Embedded with container for performance
PDPs/PIPs
–PIP for assertion in proxy
–PIP for assertion from SOAP message
–PDP for enforcing assertion and trusted CAS server
–PDP to call out to CAS (also in GT 4.0.x)

12 Security Configuration
Security descriptors for service configuration
–Container configuration (admin)
–Service/resource configuration
Compliant to schema
–Validation at deployment
–Stand-alone tools to validate

Building Secure Virtual Organizations
ESG: Easy PKI & OpenID
OSG & EGEE: Authorization Interoperability

14 Earth System Grid (ESG) Single Sign On Solutions
PKI SSO
–Single Sign On for non-browser applications
–MyProxy Online CA
–Auto-provisioning of trust configuration
Web SSO
–Single sign on for http/https applications
–OpenID

15 Integrated WebSSO & PKI-SSO (diagram: one AuthN DB of uname/password backs two services: an Online-CA AuthN Svc that turns u/p into X509 creds for the PKI Client, and a WebSSO AuthN Svc that turns u/p into a cookie for the Browser Client via http-redirect + cookie; the PKI App Svc trusts the CA and does X509 PK-authN, and the Web Svc trusts the authN Svc)

16 Zero-Config GSI Deployment
Bootstrap from username/password
–Without preconfiguration
No long-lived secrets on the user’s workstation => move secrets to a secure MyProxy server
–Issue derived short-lived proxy certificates => issue short-lived identity certificates
–On-line Certificate Authority (CA)
Provision Trust-Root Info
–Trusted CAs, CRLs, OCSP responders
Need for bootstrap authentication…
–Passwords
–One-Time-Passwords

17 Bootstrap User’s Trust-Root Config from Secure OTP Authentication (diagram: an initially unconfigured user workstation performs secure mutual OTP authentication and key exchange with an OTP-enhanced MyProxy/GridLogon Svc, which is backed by an OTP AuthN Server holding the user’s security config; the service returns a short-lived cert plus provisioning of CAs and AuthZ/Attr Authorities)

18 XACML-2/SAML-2 AuthZ Query Interface
Attribute-based AuthZ Query Interface
–Enhancement to SAML-1.1 interface
Standardized in OASIS
Requires XACML-2 GT4-PDP for AuthZ framework
Requires further profiling for interoperability

19 EGEE/OSG/Globus AuthZ Interop (diagram: the XACML-2 Interface linking LCMAPS, GUMS, DynWS, VOMS, LCAS, SAZ, PRIMA, gpBox, Gridmap, and XACML-enabled LCMAPS/LCAS)

20 OSG/EGEE/Fermi/Globus/OpenSAML Development Effort
Standardize AuthZ Query Interface for OGF’s PRIMA/GUMS/SAZ
–Migration of obligation-extended SAML-1.1 to XACML-2
–Use XACML-2 AuthZ Query for SAZ banning check
Standardize AuthZ Query Interface for next-gen LCMAPS/LCAS service implementation
–XACML-2 Query Interface
Standardize Profile for use of Attributes and Obligations
Goal is to make PRIMA/GUMS/SAZ and LCMAPS/LCAS plug-compatible on the service interface level
Standardize AuthZ ticket for GAAA-AuthZ Toolkit
–XACML-2 AuthZ Query Result as (possible) ticket/token
–Allows for sophisticated authZ result caching
Source code and details –
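Slides 18 to 20 describe moving the authorization query from obligation-extended SAML-1.1 to an XACML-2 request/response, with a banning check (SAZ-style) and an account-mapping obligation (GUMS/LCMAPS-style) riding on the answer. The following added example, which is not code from Globus, OSG or EGEE, shows both sides of that exchange in Python's standard-library XML tools: the PEP builds an XACML-2 context Request, a constructed toy PDP answers with a Response carrying a Decision and an Obligation, and the PEP enforces the rule that matters for interoperability, namely that a Permit counts only if every obligation is understood. The obligation and attribute identifiers beginning with urn:example are hypothetical; the SAML-2 protocol wrapper (XACMLAuthzDecisionQuery) around the Request is omitted.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
# Hypothetical identifiers for this example only (not from any profile).
OBL_MAP_ACCOUNT = "urn:example:obligation:map-to-local-account"
ATTR_LOCAL_USER = "urn:example:attribute:local-username"


def _attr(parent, attr_id, value):
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value


def build_request(subject_dn, resource, action):
    """PEP side: serialise one XACML-2 context Request."""
    req = ET.Element(f"{{{CTX}}}Request")
    _attr(ET.SubElement(req, f"{{{CTX}}}Subject"), SUBJECT_ID, subject_dn)
    _attr(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, resource)
    _attr(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, action)
    ET.SubElement(req, f"{{{CTX}}}Environment")
    return ET.tostring(req, encoding="unicode")


BANNED = {"/C=US/O=Example/CN=Mallory"}                                   # constructed ban list
ACCOUNT_MAP = {"/C=US/O=Example/CN=Alice": "alice",                       # constructed mapping
               "/C=US/O=Example/CN=Mallory": "mallory"}


def toy_pdp(request_xml):
    """Service side: banning check, then account mapping, answered in XACML-2."""
    req = ET.fromstring(request_xml)

    def value_of(section, attr_id):
        for a in req.find(f"{{{CTX}}}{section}").findall(f"{{{CTX}}}Attribute"):
            if a.get("AttributeId") == attr_id:
                return a.find(f"{{{CTX}}}AttributeValue").text
        return None

    subject = value_of("Subject", SUBJECT_ID)
    resource = value_of("Resource", RESOURCE_ID)
    decision = "Permit" if subject not in BANNED and subject in ACCOUNT_MAP else "Deny"

    resp = ET.Element(f"{{{CTX}}}Response")
    result = ET.SubElement(resp, f"{{{CTX}}}Result", ResourceId=resource)
    ET.SubElement(result, f"{{{CTX}}}Decision").text = decision
    ET.SubElement(ET.SubElement(result, f"{{{CTX}}}Status"), f"{{{CTX}}}StatusCode", Value=STATUS_OK)
    if decision == "Permit":
        # Obligations live in the policy namespace inside a context Result.
        obls = ET.SubElement(result, f"{{{POL}}}Obligations")
        obl = ET.SubElement(obls, f"{{{POL}}}Obligation", ObligationId=OBL_MAP_ACCOUNT, FulfillOn="Permit")
        ET.SubElement(obl, f"{{{POL}}}AttributeAssignment",
                      AttributeId=ATTR_LOCAL_USER, DataType=XS_STRING).text = ACCOUNT_MAP[subject]
    return ET.tostring(resp, encoding="unicode")


def enforce(response_xml, understood_obligations=(OBL_MAP_ACCOUNT,)):
    """PEP side: grant only on Permit, and only if every obligation can be
    discharged; an obligation the PEP does not understand turns the Permit
    into a refusal, as XACML requires. Returns (granted, fulfilled assignments)."""
    result = ET.fromstring(response_xml).find(f"{{{CTX}}}Result")
    if result.find(f"{{{CTX}}}Decision").text != "Permit":
        return False, {}
    fulfilled = {}
    for obl in result.iter(f"{{{POL}}}Obligation"):
        if obl.get("ObligationId") not in understood_obligations:
            return False, {}
        for asg in obl.findall(f"{{{POL}}}AttributeAssignment"):
            fulfilled[asg.get("AttributeId")] = asg.text
    return True, fulfilled


if __name__ == "__main__":
    rq = build_request("/C=US/O=Example/CN=Alice", "gsiftp://storage.example/data", "read")
    print(enforce(toy_pdp(rq)))   # (True, {'urn:example:attribute:local-username': 'alice'})
```

The third behaviour, a Permit refused because of an unknown obligation, is the interoperability point behind "Standardize Profile for use of Attributes and Obligations": two services that agree on the XACML-2 wire format but not on the obligation vocabulary will still fail closed at the PEP.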

Building Secure Virtual Organizations
caBIG: GAARDS - Grid Authentication and Authorization with Reliably Distributed Services
Kunal Modi

Building Secure Virtual Organizations
TeraGrid: Attribute-based Authorization for Science Gateways Using GridShib
Tom Scavo