MyProxy and NVO or Web SSO for Grid Portals
GlobusWorld 2006, Washington, DC, USA, September 12, 2006
Mike Freemon, National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign, IL, USA
Acknowledgements
GRIDS Center
NCSA, U. Wisconsin, USC, U. Chicago, SDSC
NSF Middleware Initiative (NMI) Mission: assist science projects to be successful in the use of grid technologies for doing science
Services: software distributions, build & test, training, technical support, consulting
NVO: National Virtual Observatory
NVO's objective is to enable new science by greatly enhancing access to data and computing resources. NVO makes it easy to locate, retrieve, and analyze data from archives and catalogs worldwide.
Ray Plante: radio astronomer at NCSA; local PI for the NVO project
Related astronomy projects: DES (Dark Energy Survey), LSST (Large Synoptic Survey Telescope), IVOA (International Virtual Observatory Alliance)
Organizational Landscape
Each major regional VO will run a User Authentication Server (UAS); UASs are CAs; ~6 UASs worldwide; examples include NVO, EUR, China, S. America
Ten or more portal sites: NVO, NCSA, NOAO, NRAO, STSCI, DES, LSST, etc.
Forty or more resource providers: Web Services, GridFTP, GRAM
Authentication Requirements
Browser-based access: use GSI, but hide the details, X.509 credentials, etc.
Support multiple portal servers: Single Sign-On (SSO) across the portal servers; portal servers in different domains
Limit trust of portal servers: allow only short-term secrets/credentials to pass through the portal server
Differentiate between two different types of credentials: support "weak accounts/certificates", requiring only verification to create; support "strong accounts/certificates", requiring personal review by a security administrator before issuing
Preserve the ability for power users to retrieve GSI credentials for client-side applications
Authentication is handled by the UASs; authorization is the responsibility of the Resource Providers
Individual portal applications need to access resources from multiple administrative domains (resource providers).
Introducing the Players
MyProxy, Pubcookie, PURSe
What is MyProxy?
An online Certificate Authority: issues short-lived X.509 End Entity Certificates; avoids the need for long-lived user keys
An online credential repository: issues short-lived X.509 Proxy Certificates; long-lived private keys never leave the server
Supports multiple authentication methods: passphrase, certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
Open source software: included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits; C, Java, Python, and Perl clients available; contributions from EDG, UVA, LBL, and others
What is Pubcookie?
Open-source software for intra-institutional* single sign-on web authentication (University of Washington); part of the National Science Foundation Middleware Initiative (NMI) EDIT software release
Limits the exposure of end-user passwords by ensuring they're only sent to a trusted login service
* Can be inter-(DNS)domain: implemented using HTTP cookies (intra-domain) and HTTP "redirects" (inter-domain)
Maintaining State Across DNS Domains
Pubcookie uses an HTML form that immediately POSTs to the target, passing the "cookie data" as request parameters.
<html>
<body onLoad="document.relay.submit()">
<form method=post action="
<input type=hidden name=pubcookie_g_req value="b25lPXNreTIuZmdpdC5vcmcmdHdvPS8mdWU9MSZmb3VyPWE1JmZpdmU9R0VUJnNpeD1za3kyLmZnaXQub3JnJnNldmVuPS90ZXN0YXBwJmVpZXh0PSZob3N0bmFtZT1za3kyLmZnaXQub3JnJm5pbmU9MSZmaWxlPSZyZWZlcmVyPShudWxsKSZzZXNzX3JlPTAmcHJlX3Nlc3NfdG9rPTIwNjM3MjQ2OTAmZmxhZz0w">
<input type=hidden name=post_stuff value="">
<input type=hidden name=relay_url value="
</form>
</html>
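As an added example (not code from the slides or from the Pubcookie project), the relay form above parsed and its pubcookie_g_req field decoded in Python, plus the check an auditor of a portal's relay page would run: the form must post over HTTPS and only to the expected login server. The action and relay_url URLs are example.org placeholders because the slide truncates them, the form is given the name=relay that its onLoad handler refers to, and the pubcookie_g_req value is the one printed on the slide.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse
# Constructed sample of the relay form on the slide; the slide truncates the action and
# relay_url attributes, so example.org placeholders stand in. G_REQ is the slide's value.
G_REQ = ("b25lPXNreTIuZmdpdC5vcmcmdHdvPS8mdWU9MSZmb3VyPWE1JmZpdm"
         "U9R0VUJnNpeD1za3kyLmZnaXQub3JnJnNldmVuPS90ZXN0YXBwJmVp"
         "ZXh0PSZob3N0bmFtZT1za3kyLmZnaXQub3JnJm5pbmU9MSZmaWxlPS"
         "ZyZWZlcmVyPShudWxsKSZzZXNzX3JlPTAmcHJlX3Nlc3NfdG9rPTIw"
         "NjM3MjQ2OTAmZmxhZz0w")
RELAY_HTML = f"""<html><body onLoad="document.relay.submit()">
<form method=post name=relay action="https://login.example.org/">
<input type=hidden name=pubcookie_g_req value="{G_REQ}">
<input type=hidden name=post_stuff value="">
<input type=hidden name=relay_url value="https://portal.example.org/relay">
</form></body></html>"""

class RelayForm(HTMLParser):
    # Collects the form action and the hidden inputs of an auto-submitting relay page.
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value") or ""

def parse_relay(html):
    p = RelayForm()
    p.feed(html)
    return p.action, p.fields

def decode_granting_request(b64):
    # base64 is an encoding, not encryption: anyone who sees the relay page can read this.
    qs = base64.b64decode(b64).decode("ascii")
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}

def check_relay(html, login_host):
    # Problems an auditor would flag in a relay page; an empty list means it is clean.
    action, fields = parse_relay(html)
    problems = []
    for name, url in (("action", action), ("relay_url", fields.get("relay_url"))):
        if urlparse(url or "").scheme != "https":
            problems.append(f"{name} is not https: {url!r}")
    if urlparse(action or "").hostname != login_host:
        problems.append(f"form posts to {action!r}, not the login server {login_host!r}")
    return problems
```

Decoding the slide's value shows the relayed state is a plain query string naming the target host and URI (hostname=sky2.fgit.org, seven=/testapp), which is why the relay must only ever travel over TLS to the trusted login server.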
What is PURSe? Portal-based User Registration System
Part of the NMI GRIDS Center software release
PURSe is a web-based system for registering and managing user registries for applications that use the Grid Security Infrastructure (GSI)
By leveraging the MyProxy certificate repository, PURSe shields web application users from the complexities of X.509 certificate management
Let's Start with Standard Pubcookie…
[Diagram: Browser, Portal #1, Portal #2, Pubcookie Login Server (login page), Authn Server; "redirect" arrows between the browser, the portals and the login server]
Add Portal Access to GSI Credentials (as described in the Martin, Basney, Humphrey 2005 paper; see references)
[Diagram: as before, plus a MyProxy Server; the pubcookie granting cookie is passed to Portal #1, which obtains credentials from the MyProxy Server]
Let's Simplify Things for the Portal Application Developer
Apache module mod_myproxy: intercepts the HTTP request in Apache and automatically retrieves the GSI delegation for the authenticated user
Perl script, executed via mod_perl
Why Not Use MyProxy for Pubcookie Authentication?
[Diagram: Browser, Portal #1, Portal #2, Pubcookie Login Server (login page), MyProxy Server; the login server performs authn against MyProxy, the pubcookie granting cookie goes to Portal #1, "redirect" arrows between the browser, the portals and the login server]
How is MyProxy initially populated?
[Diagram: Browser, Portal #1, Portal #2, PURSe WebApp, User DB, MyProxy Server, Pubcookie Login Server (login page, authn); labelled arrows: user registration request, inserts (incl. pswd), creates credentials, get delegation, redirect]
Opportunities for Improvement, or "Wouldn't it be nice…"
…to have the user password in only one location? No need to keep passwords/passphrases "in sync", or to create administrative or support processes to reset passwords, etc.
…to make it easier to deal with "volatile" data in the X.509 certificate (such as SAML assertions)? Simply have the user log off and log on again.
…to not require a myproxy-init?
…to simplify PURSe? PURSe is not responsible for creating any certificates; therefore it does not need SimpleCA and does not invoke any MyProxy client functionality.
Deviations from a "Vanilla" Pubcookie/MyProxy/PURSe Implementation
Use the Online CA functionality of MyProxy
MyProxy authenticates users using the PURSe database (RDBMS via PAM)
Remove SimpleCA and MyProxy processing from PURSe
The Design
[Diagram: Browser, Portal #1, Portal #2, PURSe WebApp, User DB, MyProxy Server, Pubcookie Login Server (login page, authn); labelled arrows: registration request, inserts, selects, get delegation, "redirect"; callouts: Limited Trust of Portals, Web SSO Across Grid Portals]
Roadmap
Prototyping by VO projects under way
NOAO Science Archive (NSA), National Optical Astronomy Observatory: working system with NSA demo portal (Portal Server, Login Server); CalTech has a portal server hooked in to this login server
Winter 2006 and beyond: settle on the main components of the standard; user attributes via SAML in the X.509 certificate; coexistence and interoperability with Shibboleth
Related Work
Apache 2.2 module (C code) that allows clients to authenticate against a MyProxy server
The client's MyProxy username and passphrase are sent to the web server using HTTP basic authentication
The Apache module will retrieve the delegation and store it locally on the web server
CGI scripts and other web applications can make use of this delegation to perform operations on the client's behalf
References
These Slides
Project Documentation
MyProxy/Pubcookie Integration Documentation
J. Martin, J. Basney, and M. Humphrey. "Extending Existing Campus Trust Relationships to the Grid through the Integration of Pubcookie and MyProxy." International Conference on Computational Science (ICCS 2005), Emory University, Atlanta, GA, May 22-25, 2005.
Questions?
Mike Freemon, National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign, IL, USA