
TeraGrid 08
The Third Annual TeraGrid Conference

Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications
June 9–13, 2008

http://gridshib.globus.org/

Tutorial: Building Science Gateways
TeraGrid 08, June 9, 2008

Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways
TeraGrid 08, June 11, 2008

Science Gateways Working Group Session
TeraGrid 08, June 12, 2008

GridShib @ TeraGrid 08

- Tutorial: Building Science Gateways
  Mon, 8:00am–12:00pm
- Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways
  Wed, 5:30–6:30pm
- Poster Session: A Federated Identity Model for Science Gateways
  Wed, 6:30–8:30pm
- Science Gateways Working Group Session
  Thu, 3:00–4:30pm
Grid Security Infrastructure (GSI)
Grid Authentication

- Traditionally, grid authentication has been via trusted X.509 identity certificates
- GSI relies heavily on X.509 proxy certificates
  - A proxy cert is a short-lived certificate signed by the user's identity certificate
- Multiple GSI authentication mechanisms:
  - GSI Transport (SSL/TLS)
  - GSI Secure Message (WS-Security)
  - GSI Secure Conversation (WS-SecureConversation)
The Classic Grid Use Case

A non-browser user issues a proxy certificate and initiates a grid request on her own behalf.
Issue a Proxy Certificate

Figure (grid-proxy-init / myproxy-logon): an X.509 End Entity Credential (Issuer: Certification Authority; Subject: End User) and its private key are used to issue an X.509 Proxy Credential (Issuer: End User; Subject: End User+) with its own private key.
Classic GSI

Figure: a GT4 Client (Globus WS Client holding an X.509 proxy credential and its key) presents the X.509 proxy certificate to a GT4 Server (Java WS Container running a Globus Web Service), which consults a Gridmap.
Identity-based Access Control

- The distinguished name (DN) in the proxy certificate is used as a basis for coarse-grained access control
- If the subject DN is in an access control list called a gridmap file, access is allowed
- A gridmap file also maps DNs to usernames
  - Associated with each DN are zero or more local usernames
  - GRAM, for example, requires a local account in which to run a job request
Gridmap File

- The gridmap has a flat file format:
  DN → [user0, user1, …, user(n-1)]
- The gridmap has dual functions:
  1. Authorization Policy
  2. Username Mapping Policy
- A single gridmap file serves both functions
- Identity-based gridmap files trade off flexibility and scalability for simplicity

Figure: a gridmap file listing DN1 username1, DN2 username2, … one entry per line.
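An added Go example, not from the slides or from the Globus code base, of both gridmap functions (authorization policy and username mapping policy) over the flat file format just described. The sample gridmap lines are constructed, and treating '#' lines as comments is an assumption of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Gridmap is the parsed identity-based policy: each DN maps to zero or more
// local usernames in file order (Globus treats the first as the default).
type Gridmap map[string][]string

// ParseGridmap reads the flat gridmap format, one entry per line:
//
//	"/C=US/O=Example/CN=Jane Doe" jdoe,jane
//
// The DN is double-quoted because it normally contains spaces; usernames
// follow, comma-separated. Skipping blank and '#' lines is an assumption of
// this example. A malformed line is an error rather than silently dropped:
// a typo in an access control list must not widen or narrow access unnoticed.
func ParseGridmap(text string) (Gridmap, error) {
	gm := Gridmap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: DN must be double-quoted", n)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated DN", n)
		}
		dn := line[1 : end+1]
		if dn == "" {
			return nil, fmt.Errorf("line %d: empty DN", n)
		}
		users := gm[dn] // a DN listed twice accumulates its usernames
		for _, u := range strings.Split(line[end+2:], ",") {
			if u = strings.TrimSpace(u); u != "" {
				users = append(users, u)
			}
		}
		gm[dn] = users // zero usernames is legal: listed, but unmappable
	}
	return gm, sc.Err()
}

// Authorized is the first gridmap function: access is allowed exactly when
// the DN of the authenticated identity is listed.
func (gm Gridmap) Authorized(dn string) bool {
	_, listed := gm[dn]
	return listed
}

// MapUser is the second function. An empty requested name selects the default
// (first) mapping; otherwise the request must name one of the DN's accounts.
// ok is false when no usable local account exists, which is what stops GRAM
// from running the job.
func (gm Gridmap) MapUser(dn, requested string) (user string, ok bool) {
	users := gm[dn]
	if len(users) == 0 {
		return "", false
	}
	if requested == "" {
		return users[0], true
	}
	for _, u := range users {
		if u == requested {
			return u, true
		}
	}
	return "", false
}

// SampleGridmap is constructed for this example; the DNs are not real.
const SampleGridmap = `# constructed sample gridmap
"/C=US/O=Example/CN=Alice Researcher" alice
"/C=US/O=Example/OU=People/CN=Jane Doe" jdoe,jane
"/C=US/O=Example/CN=Service Monitor"
`

func main() {
	gm, err := ParseGridmap(SampleGridmap)
	if err != nil {
		panic(err)
	}
	for _, dn := range []string{
		"/C=US/O=Example/OU=People/CN=Jane Doe",
		"/C=US/O=Example/CN=Service Monitor",
		"/C=US/O=Example/CN=Nobody",
	} {
		user, ok := gm.MapUser(dn, "")
		fmt.Printf("%-40s authorized=%-5t mapped=%-5t user=%q\n", dn, gm.Authorized(dn), ok, user)
	}
}
```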
GridShib-enabled GSI
GridShib Project

- The goal of the GridShib Project is to introduce attribute-based authorization to Globus-based grids
- GridShib software allows Globus Toolkit and Shibboleth to interoperate
- Classic GridShib (circa 2004–2005) pulls attributes from a Shibboleth Attribute Service
- The current emphasis is on browser users and attribute push, specifically the TeraGrid Science Gateway Use Case
GridShib Software

- GridShib for GT
  - Consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools. Issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed.
- GridShib for Shibboleth
  - Responds to attribute queries from GridShib for GT.
- GridShib CA
  - Issues short-lived X.509 credentials to browser users.
- GridShib SAML Tools
  - Issues or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates.
GridShib SAML Tools

- The GridShib SAML Tools (GS-ST) are a standalone suite of Java-based client tools
  - Binds a SAML assertion to an X.509 proxy certificate
  - The same X.509-bound SAML token can be transmitted at the transport level or the message level (using the WS-Security X.509 Certificate Token Profile)
- Includes the GridShib Security Framework, a Java API for producing and consuming X.509-bound SAML tokens
- GS-ST is a SAML producer
GS-ST Features

- Easily installed and configured
- Binds arbitrary content (not just SAML) to a non-critical certificate extension
- Multiple output options (SAML, X.509 proxy credential, DER-encoded ASN.1)
- CLI with shell scripts (UNIX and Windows)
- Includes a Java API for portal developers
- Leverages the Globus SAML Library, an enhanced version of OpenSAML 1.1
GS-ST Function

Bind a SAML assertion to a non-critical X.509 v3 certificate extension. We call this an X.509-bound SAML token.
Figure (grid-proxy-init): an X.509 Community Credential (Issuer: TeraGrid CA; Subject: Science Gateway) and its private key are used to issue an X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway+) with its own private key.

Figure (gridshib-saml-issuer): the same proxy credential is issued with a SAML assertion bound into a certificate extension:

    X.509 Proxy Credential
    Issuer: Science Gateway
    Subject: Science Gateway+
    X509v3 extension:
      1.3.6.1.4.1.3536.1.1.1.12:
        <saml:Assertion>
          <saml:NameID>
            trscavo
          </saml:NameID>
        </saml:Assertion>
X.509-bound SAML Token

- GridShib SAML Tools produces X.509-bound SAML tokens, a new type of security token that enables attribute-based authorization in X.509-based Grids
- The SAML token is bound to a noncritical X.509v3 certificate extension

Figure: the X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway+) and its private key, with the X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 carrying <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>.
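Both halves of an X.509-bound SAML token as an added Go example that is not GridShib code: the producer step (a proxy signed by a stand-in community credential, self-signed here for brevity, with a minimal assertion bound into the 1.3.6.1.4.1.3536.1.1.1.12 extension shown above) and the consumer step that GridShib for GT performs on the resource side, covered later in these slides. The SAML 2.0 namespace and the raw-XML encoding of the extension value are assumptions, as is the "proxy" CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

var gridShibSAMLOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3536, 1, 1, 1, 12}

// assertion models only the fragment the slides show (SAML 2.0 namespace assumed).
type assertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	NameID  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CommunityCredential stands in for the TeraGrid-CA-issued gateway credential (self-signed for brevity).
func CommunityCredential() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"TeraGrid"}, CommonName: "Science Gateway"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueBoundProxy is the gateway-side step (gridshib-saml-issuer on the slides).
func IssueBoundProxy(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, nameID string) (*x509.Certificate, error) {
	samlXML, err := xml.Marshal(assertion{NameID: nameID})
	if err != nil {
		return nil, err
	}
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{ExtraNames: append([]pkix.AttributeTypeAndValue{}, issuer.Subject.Names...)} // RFC 3820: issuer subject + one CN
	subject.ExtraNames = append(subject.ExtraNames, pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "proxy"})
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(12 * time.Hour), // short-lived, like grid-proxy-init
		// Non-critical, so unaware services ignore it; raw XML as the value is an assumption about GS-ST.
		ExtraExtensions: []pkix.Extension{{Id: gridShibSAMLOID, Critical: false, Value: samlXML}},
	}
	return sign(tmpl, issuer, &proxyKey.PublicKey, issuerKey)
}

// ExtractBoundNameID is the resource-side step GridShib for GT performs. Go's chain
// verifier has no RFC 3820 support, so the proxy signature is checked directly.
func ExtractBoundNameID(proxy, issuer *x509.Certificate) (string, error) {
	if err := issuer.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return "", fmt.Errorf("proxy not signed by community credential: %w", err)
	}
	for _, ext := range proxy.Extensions {
		if !ext.Id.Equal(gridShibSAMLOID) {
			continue
		}
		var a assertion
		if err := xml.Unmarshal(ext.Value, &a); err != nil || a.NameID == "" {
			return "", fmt.Errorf("bound assertion unusable (err=%v, NameID=%q)", err, a.NameID)
		}
		return a.NameID, nil
	}
	return "", fmt.Errorf("no X.509-bound SAML token in proxy certificate")
}

func main() {
	community, key, err := CommunityCredential()
	if err != nil {
		panic(err)
	}
	proxy, err := IssueBoundProxy(community, key, "trscavo")
	if err != nil {
		panic(err)
	}
	fmt.Println(ExtractBoundNameID(proxy, community))
}
```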
WS-Security Token Profiles

- OASIS WS-Security Technical Committee
  - WSS X.509 Certificate Token Profile [1]
  - WSS SAML Token Profile
- Globus implements the former
- We define a new token type:
  - X.509-bound SAML Token
- An implementation of [1] automatically handles X.509-bound SAML tokens
- No new wire protocols are needed!
Security Tokens

Figure: three SOAP envelopes side by side. X.509 Token: the SOAP Header carries an X.509 certificate. SAML Token: the SOAP Header carries a SAML assertion. X.509-bound SAML Token: the SOAP Header carries an X.509 certificate with the SAML assertion inside it. Each envelope then carries the SOAP Body.
GridShib-enabled GSI

A non-browser user binds a SAML assertion to a proxy certificate and initiates a grid request on her own behalf.
GridShib for GT

- GridShib for GT (GS4GT) is a plug-in for GT 4.x
  - GS4GT is compatible with both GT 4.0 and 4.2
- GS4GT is an implementation of a Grid Service Provider, which is analogous to a Shibboleth Service Provider, but for X.509-based grids
- GS4GT is a SAML consumer
- Used together, GridShib SAML Tools and GridShib for GT enable attribute-based access control in Globus-based grids
GS4GT Features

- Introduces attribute-based authorization into GT
- Exposes a single comprehensive policy decision point called the GridShibPDP
- Implements an attribute push model
- Restricts access based on blacklists of IP addresses and/or name identifiers
- Provides attribute-based account mapping
- Supports optional gridmap short-circuiting
- Defines an attribute-based authorization policy language (in XML)
GridShib-enabled GSI

Figure: on the GT4 Client, GridShib SAML Tools uses the end entity credential (and its key) to produce a SAML proxy credential; the Globus WS Client presents the SAML proxy certificate to the GT4 Server (Java WS Container with GridShib for GT), where the GridShib SAML PIP populates the Security Context for the Globus Web Service, writing Logs and consulting the Blacklist Policy and the Authz Policy.
GS4GT Configuration Files

- The SAML Entity Map maps SAML issuers to X.509 issuers
- A SAML issuer in this file is trusted
- The SAML Entity Map will be replaced by SAML Metadata (XML)
- A blacklist is a list of identifiers (SAML identifiers or subject DNs)
- A user whose identifier is on the blacklist will be denied access
- The flat file blacklist will be replaced by a database table

Figure: the GridShib SAML Entity Map (entityID1 DN1, entityID2 DN2, …) and the GridShib Blacklist Policy (identifier1, identifier2, …), both flat files.
GS4GT Policy Files

Figure: three policy files: the Globus Gridmap file (DN1 username1, DN2 username2, …), the GridShib Mapping Policy (XML) and the GridShib Authz Policy (XML).
GS4GT Policy Files

- Two separate attribute-based policy files:
  1. Authorization Policy
     [A0, A1, …, A(m-1)]
  2. Username Mapping Policy
     [A0, A1, …, A(m1-1)] → [user0, user1, …, user(n1-1)]
     [A0, A1, …, A(m2-1)] → [user0, user1, …, user(n2-1)]
     …
- A single XML-based policy file may encapsulate both types of policies
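An added Go example, not GS4GT's own code or its XML policy language, of the GridShibPDP decision order the GS4GT slides imply: blacklist, optional gridmap short-circuit, attribute-based authorization policy, then attribute-based username mapping policy. In-memory structs stand in for the XML policy files, and every policy value, DN and account name is constructed.

```go
package main

import "fmt"

// Attr is one SAML attribute name/value pair pushed by the gateway.
type Attr struct{ Name, Value string }

// Request is what the GridShib SAML PIP hands to the GridShibPDP.
type Request struct {
	SubjectDN string // subject of the proxy certificate (the community credential)
	NameID    string // <saml:NameID> from the bound SAML assertion
	Attrs     []Attr // attributes from the bound SAML assertion
}

// MapRule is one line of the username mapping policy: [A0 .. Am-1] -> [user0 .. usern-1].
type MapRule struct {
	Require []Attr
	Users   []string
}

// PDP bundles the policy inputs named on the GS4GT slides.
type PDP struct {
	Blacklist    map[string]bool     // SAML identifiers or subject DNs to deny
	Gridmap      map[string][]string // classic DN -> usernames file
	ShortCircuit bool                // honour a gridmap hit without consulting attributes
	Authz        [][]Attr            // rule i = [A0 .. Am-1]; any satisfied rule grants access
	Mapping      []MapRule           // first satisfied rule chooses the local account
}

// satisfies is true when every attribute of the rule is present (an empty Value matches
// any value). An empty rule never matches, so a blank policy line cannot mean "allow all".
func (r Request) satisfies(rule []Attr) bool {
	if len(rule) == 0 {
		return false
	}
	for _, a := range rule {
		found := false
		for _, x := range r.Attrs {
			found = found || (x.Name == a.Name && (a.Value == "" || x.Value == a.Value))
		}
		if !found {
			return false
		}
	}
	return true
}

// Decide returns the local username the request may run as, or an error naming the
// denial reason for the audit log: blacklist, then gridmap short-circuit, then attributes.
func (p PDP) Decide(r Request) (string, error) {
	if p.Blacklist[r.NameID] || p.Blacklist[r.SubjectDN] {
		return "", fmt.Errorf("deny: identifier is blacklisted")
	}
	if users, listed := p.Gridmap[r.SubjectDN]; listed && p.ShortCircuit && len(users) > 0 {
		return users[0], nil
	}
	authorized := false
	for _, rule := range p.Authz {
		authorized = authorized || r.satisfies(rule)
	}
	if !authorized {
		return "", fmt.Errorf("deny: no authorization rule satisfied by the pushed attributes")
	}
	for _, m := range p.Mapping {
		if r.satisfies(m.Require) && len(m.Users) > 0 {
			return m.Users[0], nil
		}
	}
	return "", fmt.Errorf("deny: authorized, but no mapping rule yields a local account")
}

// SamplePDP is a constructed policy: eduPerson attribute names, made-up URN, DNs and accounts.
func SamplePDP() PDP {
	alloc := Attr{"eduPersonEntitlement", "urn:example:gateway:allocation"}
	return PDP{
		Blacklist:    map[string]bool{"mallory": true},
		Gridmap:      map[string][]string{"/C=US/O=TeraGrid/CN=Legacy Gateway": {"community"}},
		ShortCircuit: true,
		Authz: [][]Attr{
			{{"eduPersonAffiliation", "faculty"}},
			{{"eduPersonAffiliation", "student"}, alloc},
		},
		Mapping: []MapRule{
			{Require: []Attr{alloc}, Users: []string{"alloc01"}},
			{Require: []Attr{{"eduPersonAffiliation", ""}}, Users: []string{"community"}},
		},
	}
}

func main() {
	pdp, gateway := SamplePDP(), "/C=US/O=TeraGrid/CN=Science Gateway"
	for _, r := range []Request{
		{gateway, "alice", []Attr{{"eduPersonAffiliation", "faculty"}}},
		{gateway, "mallory", []Attr{{"eduPersonAffiliation", "faculty"}}},
	} {
		user, err := pdp.Decide(r)
		fmt.Printf("%-8s user=%q err=%v\n", r.NameID, user, err)
	}
}
```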
Summary

- Fine-grained, attribute-based authorization
- Introduces X.509-bound SAML tokens
  - Works at both the transport level and the message level
- No modifications to GT clients are required
- If the service is not GridShib-enabled, the X.509-bound SAML token is simply ignored
A Grid Authorization Model for Science Gateways
The Science Gateway Use Case

A browser user authenticates to a grid portal. The portal issues a proxy certificate and initiates a grid request on behalf of the user.
Classic Science Gateway

Figure: the Science Gateway (Web Browser → Web Authn → Web Interface / Webapp → WS GRAM Client, holding the community credential and, once issued, the proxy credential, each with its key) presents the proxy certificate to the Resource Provider (Java WS Container running the WS GRAM Service, which owns the community account). The slides build the figure up step by step:

1. A science gateway is a convenient intermediary between a browser user and a grid resource provider.
2. Each gateway is issued a community credential that uniquely identifies the gateway.
3. Resource providers associate the community credential with a local community account.
4. To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.
5. The gateway then issues a short-lived proxy credential signed by its community credential.
6. The gateway submits the job on the user's behalf, authenticating as itself to the resource.
7. The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.
8. After the job is executed, the result is returned to the browser user via the gateway web interface.
Community Account Model: The Good

- The Community Account Model
  - simplifies the user experience
  - simplifies gateway implementation and deployment
  - simplifies gridmap file management at the RP
- A community credential is issued to each gateway
- A single community account is created at the RP
- The gateway issues proxy certificates and makes grid requests on behalf of the user
Community Account Model: The Bad

- The community account model has some significant drawbacks, however:
  - End user identity is unknown to the RP
  - Coarse-grained access control at the resource (by design)
  - Awkward approach to auditing and incident response
  - In the event of an emergency, the RP is forced to disable all access to the community account
  - Less than adequate accounting mechanisms
- All this can be traced to a single problem…
Community Account Model: The Ugly

All requests look exactly the same to the resource provider!

If the gateway would only pass the user's name and contact information to the resource provider, all previously mentioned problems would be solved.
Grid Authorization Model

- We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider
  - Extends the Community Account Model
  - Asserts end user identity to the RP
  - Permits fine-grained access control at the RP
  - Provides strong auditing and effective incident response
  - Allows dynamic blacklisting of problem accounts or runaway processes
  - A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure
  - Complements existing SAML-based middleware infrastructure on today's campuses
Grid Authorization Model

- The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider
- Using GridShib SAML Tools, the gateway
  1. issues a SAML assertion containing the user's authentication context and attributes
  2. binds the SAML assertion to a proxy certificate signed by the community credential
  3. authenticates to the resource by presenting the SAML-laden proxy certificate

http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf
Figure: X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway+) with its key + <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion> = X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway+) with its key and the X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 carrying that assertion.
GridShib-enabled Science Gateway

A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.
         Grid Authorization Model for Gateways
                                                                              An enhancement to the
                                                                             community account model
                                                                           increases the information flow
                      Web Browser                                          between the gateway and the
             Web
                                                                                 resource provider.
             Authn

                      Web Interface                                            Java WS Container
                                                                              (with GridShib for GT)

attributes
                     Webapp              WS GRAM                           GridShib           WS GRAM
                                          Client                           SAML PIP            Service

                            username

                  GridShib
                 SAML Tools



                     community
                      credential
                                   Key



             Science Gateway                                                  Resource Provider


                                             http://gridshib.globus.org/
Grid Authorization Model for Gateways

A software component called GridShib SAML Tools is integrated into the gateway portal environment.

[Diagram: Science Gateway with Web Browser, Web Authn, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools and the community credential/key; Resource Provider with a Java WS Container (with GridShib for GT) hosting the GridShib SAML PIP and the WS GRAM Service.]
Grid Authorization Model for Gateways

Another software component called GridShib for GT is deployed at the resource provider.

[Diagram: Science Gateway with Web Browser, Web Authn, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools and the community credential/key; Resource Provider with a Java WS Container (with GridShib for GT) hosting the GridShib SAML PIP and the WS GRAM Service.]
Grid Authorization Model for Gateways

These two GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.

[Diagram: Science Gateway with Web Browser, Web Authn, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools and the community credential/key; Resource Provider with a Java WS Container (with GridShib for GT) hosting the GridShib SAML PIP and the WS GRAM Service.]
Grid Authorization Model for Gateways

Again the browser user authenticates to the gateway by presenting a username and password.

[Diagram: Science Gateway with Web Browser, Web Authn, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools and the community credential/key; Resource Provider with a Java WS Container (with GridShib for GT) hosting the GridShib SAML PIP and the WS GRAM Service.]
Grid Authorization Model for Gateways

This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token.

[Diagram: as in the preceding slides, with a "SAML proxy credential" and key now produced by the GridShib SAML Tools next to the community credential at the Science Gateway.]
Grid Authorization Model for Gateways

The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail).

[Diagram: the gateway's SAML proxy credential is expanded as follows.]

   X.509 Proxy Credential
   Issuer: Science Gateway
   Subject: Science Gateway+
   X509v3 extension:
     1.3.6.1.4.1.3536.1.1.1.12:
       <saml:Assertion>
         <saml:NameID>
           trscavo
         </saml:NameID>
       </saml:Assertion>
Grid Authorization Model for Gateways

The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token.

[Diagram: the WS GRAM Client at the Science Gateway sends the "SAML proxy certificate" to the Java WS Container (with GridShib for GT) at the Resource Provider, which hosts the GridShib SAML PIP and the WS GRAM Service.]
Grid Authorization Model for Gateways

The GridShib SAML policy information point (PIP) extracts the SAML token from the proxy certificate, parses it, and writes the information to a log file.

[Diagram: as before; a "Logs" store is added at the Resource Provider below the GridShib SAML PIP.]
Grid Authorization Model for Gateways

The security information in the SAML token is also used to populate a SAML security context within the container.

[Diagram: as before; a "Security Context" is added inside the Java WS Container between the GridShib SAML PIP and the WS GRAM Service, alongside the Logs.]
Grid Authorization Model for Gateways

The service compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.

[Diagram: as before; a "Blacklist Policy" is added at the Resource Provider next to the Logs.]
Grid Authorization Model for Gateways

The service combines the information in the security context with its access control policy, allowing access if and only if policy is satisfied.

[Diagram: as before; an "Authz Policy" is added at the Resource Provider next to the Blacklist Policy and the Logs.]
Grid Authorization Model for Gateways

As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.

[Diagram: Science Gateway (Web Browser, Web Authn, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools, SAML proxy credential, community credential) and Resource Provider (Java WS Container with GridShib for GT: GridShib SAML PIP, Security Context, WS GRAM Service; Logs, Blacklist Policy, Authz Policy).]
GridShib-enabled Science Gateway

• Simple installation and configuration of GridShib SAML Tools at the gateway
• Includes GridShib Security Framework
   - Exposes both a command-line interface and a Java API
• End user identity and contact information (e.g., e-mail) transmitted to RP
• Push much of the responsibility for auditing and incident response back onto the RP
• Big Advantage: No need to shut down the entire gateway in the event of an incident!
User Attributes

• Gateway entityID:
   - https://gridshib.gisolve.org/idp
• Subject name identifier:
   - trscavo@gisolve.org
• Authentication statement
   - authentication method: urn:oasis:names:tc:SAML:1.0:am:password
   - authentication instant: 2007-08-02T12:10:34-0400
   - IP address: 10.81.193.244
• Attribute statement
   - isMemberOf attribute: group://gisolve.org/gisolve
   - mail attribute: trscavo@gmail.com
GridShib-enabled Resource Provider

• The end user and the end user's contact information (and other attributes) are logged
• Effective auditing and incident response
• Blacklist an IP address or name identifier on demand
• Exposes a SAML security context
• Fine-grained, attribute-based access control
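The PIP, blacklist and policy steps walked through on the "Grid Authorization Model for Gateways" slides, applied to the token fields listed under User Attributes, as an added Python model that is not GridShib's code. It assumes a SAML 2.0-style assertion layout, represents the proxy certificate's X509v3 extensions as an OID-to-bytes mapping (a stand-in for real X.509 parsing and chain validation), and uses a single isMemberOf check as the RP's access control policy.

```python
import ipaddress
import logging
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
SAML_EXT_OID = "1.3.6.1.4.1.3536.1.1.1.12"  # extension OID shown on the slide
log = logging.getLogger("gridshib-saml-pip")

# Constructed sample token carrying the values from the "User Attributes" slide.
# The element layout is an assumption, not GridShib's exact serialization.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_c0ffee">
  <saml:Issuer>https://gridshib.gisolve.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>trscavo@gisolve.org</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2007-08-02T12:10:34-0400">
    <saml:SubjectLocality Address="10.81.193.244"/>
    <saml:AuthnContext>
      <saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:1.0:am:password</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="isMemberOf"><saml:AttributeValue>group://gisolve.org/gisolve</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>trscavo@gmail.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""".encode()

@dataclass
class SecurityContext:  # what the PIP populates in the container from one token
    issuer: str
    name_id: str
    authn_method: str
    authn_instant: str
    client_ip: str
    attributes: Dict[str, List[str]]

def extract_saml_token(extensions: Dict[str, bytes]) -> bytes:
    """Step 1: pull the token out of the proxy certificate's X509v3 extensions.
    `extensions` (OID -> value) stands in, by assumption, for a chain-validated proxy."""
    if SAML_EXT_OID not in extensions:
        raise ValueError("proxy certificate carries no SAML token")
    return extensions[SAML_EXT_OID]

def parse_assertion(token: bytes) -> SecurityContext:
    """Step 2: parse the token into the fields the RP logs and polices."""
    root = ET.fromstring(token)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("extension does not hold a saml:Assertion")
    def required(path: str) -> str:  # fail closed on any missing field
        el = root.find(path, NS)
        if el is None or not (el.text or "").strip():
            raise ValueError(f"assertion lacks {path}")
        return el.text.strip()
    method = required("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextDeclRef")
    authn = root.find("saml:AuthnStatement", NS)  # exists: required() found its child
    locality = authn.find("saml:SubjectLocality", NS)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs.setdefault(attr.get("Name", ""), []).extend(
            v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return SecurityContext(
        issuer=required("saml:Issuer"), name_id=required("saml:Subject/saml:NameID"),
        authn_method=method, authn_instant=authn.get("AuthnInstant", ""),
        client_ip=locality.get("Address", "") if locality is not None else "",
        attributes=attrs)

@dataclass
class Blacklist:  # maintained on demand at the RP: name identifiers and IP ranges
    name_ids: set
    cidrs: List[str]

    def match(self, ctx: SecurityContext) -> Optional[str]:
        if ctx.name_id in self.name_ids:
            return f"name identifier {ctx.name_id}"
        try:
            ip = ipaddress.ip_address(ctx.client_ip)
        except ValueError:  # no locality in the token is fine; garbage fails closed
            return None if not ctx.client_ip else f"unparseable IP address {ctx.client_ip!r}"
        return next((f"IP address {ip} in {c}" for c in self.cidrs
                     if ip in ipaddress.ip_network(c, strict=False)), None)

def authorize(extensions: Dict[str, bytes], blacklist: Blacklist,
              required_group: str) -> Tuple[bool, str, Optional[SecurityContext]]:
    """Steps 3-5: log the context, apply the blacklist, then the access policy
    (one isMemberOf check stands in for the RP's attribute-based policy)."""
    try:
        ctx = parse_assertion(extract_saml_token(extensions))
    except (ValueError, ET.ParseError) as exc:
        return False, f"no usable SAML token: {exc}", None
    log.info("issuer=%s user=%s ip=%s method=%s at=%s mail=%s", ctx.issuer, ctx.name_id,
             ctx.client_ip, ctx.authn_method, ctx.authn_instant,
             ",".join(ctx.attributes.get("mail", [])))  # Step 3: the RP's own audit trail
    hit = blacklist.match(ctx)  # Step 4: the blacklist is consulted before any policy
    if hit:
        return False, f"blacklisted: {hit}", ctx
    if required_group not in ctx.attributes.get("isMemberOf", []):  # Step 5
        return False, f"policy not satisfied: {ctx.name_id} not in {required_group}", ctx
    return True, "allowed", ctx
```

A request that carries only the plain community credential (no extension) is refused with no end user to log, which is the situation the blacklist-by-name-identifier step cannot cover.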
Comparison with VOMS

• Virtual Organization Membership Service
   - The most successful grid authorization model today
• VOMS binds X.509 attribute certificates (instead of SAML) to proxy certificates
• VOMS requires the requester to be the subject; VOMS will not issue an AC to a requester acting on behalf of the subject
• Therefore, a gateway cannot call out to a VOMS server to obtain attributes for a user
• Conclusion: VOMS cannot be used as a basis for gateway security
Integration with TeraGrid Central Database

The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.

[Diagram: Resource Provider with a Java WS Container (with GridShib for GT) hosting the GridShib SAML PIP, the WS GRAM Service and the Security Context, alongside Logs and Policy; a Security table and a GRAM audit table feed an AMIE upload into the TGCDB.]
Integration with TeraGrid Central Database

Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.

[Diagram: Resource Provider with a Java WS Container (with GridShib for GT) hosting the GridShib SAML PIP, the WS GRAM Service and the Security Context, alongside Logs and Policy; a Security table and a GRAM audit table feed an AMIE upload into the TGCDB.]
Integration with TeraGrid Central Database

First, the security context associated with each incoming request is captured in a security table.

[Diagram: as before; the Security Context in the container is written to the Security table.]
Integration with TeraGrid Central Database

Likewise the disposition of every job request is captured in an enhanced GRAM audit table.

[Diagram: as before; the WS GRAM Service writes to the GRAM audit table.]
Integration with TeraGrid Central Database

An AMIE process joins these two tables and pushes an information packet to the TeraGrid Central Database.

[Diagram: as before; the Security table and the GRAM audit table feed the AMIE upload into the TGCDB.]
Integration with TeraGrid Central Database

A gateway can query the TGCDB for individual accounting records, permitting fine-grained accounting at the gateway.

[Diagram: Resource Provider with a Java WS Container (with GridShib for GT) hosting the GridShib SAML PIP, the WS GRAM Service and the Security Context, alongside Logs and Policy; a Security table and a GRAM audit table feed an AMIE upload into the TGCDB.]
Integration with TeraGrid Central Database

TeraGrid administrators can query the TGCDB for aggregate accounting data for the purposes of NSF reporting and planning.

[Diagram: Resource Provider with a Java WS Container (with GridShib for GT) hosting the GridShib SAML PIP, the WS GRAM Service and the Security Context, alongside Logs and Policy; a Security table and a GRAM audit table feed an AMIE upload into the TGCDB.]
Gateway Job Accounting

[Diagram courtesy of Stu Martin: a TeraGrid Resource Provider (RP) running a GT4 Java Container whose Core, Delegation, RFT, MJFS and MEJS components each write to an audit table (Core Audit Table, Deleg Audit Table, RFT Audit Table, GRAM Audit Table), fronted by OGSA DAI. The Client / Gateway creates a job, gets an EPR, and controls the job with the EPR; ** marks where the EPR is locally converted to a Grid JID, which the gateway then uses to query and receive a reply with the accounting record. Jobs reach the Resource Manager through a sudo RM adapter; the SEG reads the RM log; RM Accounting ("GET UNIQUE USER ID +") feeds Local AMIE Accounting, which AMIE uploads to the Central TG Accounting DB; User Job(s) run on the resource. Notes: no changes required to AMIE; DAI provides virtualization for audit and accounting DBs.]
        Benefits of TGCDB Integration

 The gateway can query the TGCDB (via OGSA-DAI) and
  implement local, fine-grained accounting mechanisms
 TeraGrid administrators can obtain aggregate
  accounting data for NSF reporting and planning



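The "local, fine-grained accounting" the slide mentions is easiest to see in code. The following is an added example, not GridShib or TeraGrid code: an in-memory SQLite database stands in for the TeraGrid Central Database, the gateway converts a job EPR to a Grid JID locally, looks up the GRAM audit row (retrofitted with the end-user identity) joined with the job's accounting record, and rolls charges up per end user so that it can enforce a per-user quota. The table names, columns, EPR layout, Grid JID derivation and every sample row are constructed for this example; the real conversion and the OGSA-DAI query interface are not reproduced.

```python
"""Gateway-side fine-grained accounting over GRAM audit data (added example).

An in-memory SQLite database stands in for the TeraGrid Central Database.
Table names, columns, the EPR layout, the Grid JID derivation and all sample
rows are constructed; none of this is GridShib or TeraGrid code.
"""
import sqlite3
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"
JOB = "urn:example:gram:job"  # hypothetical namespace for the job service's reference parameter
GATEWAY_DN = "/C=US/O=Example Gateway/CN=gateway.example.org"  # constructed community credential DN


def sample_epr(resource_id):
    """Constructed EPR of the shape a WS GRAM client holds after Create Job / Get EPR."""
    return (
        f'<wsa:EndpointReference xmlns:wsa="{WSA}" xmlns:job="{JOB}">'
        "<wsa:Address>https://rp.example.org:8443/wsrf/services/ManagedExecutableJobService</wsa:Address>"
        f"<wsa:ReferenceParameters><job:ResourceID>{resource_id}</job:ResourceID></wsa:ReferenceParameters>"
        "</wsa:EndpointReference>"
    )


def epr_to_grid_jid(epr_xml):
    """Assumed local conversion: Grid JID = job service host + ResourceID taken from the EPR."""
    root = ET.fromstring(epr_xml)
    address = root.findtext(f"{{{WSA}}}Address")
    resource_id = root.findtext(f"{{{WSA}}}ReferenceParameters/{{{JOB}}}ResourceID")
    if not address or not resource_id:
        raise ValueError("EPR lacks an Address or a ResourceID")
    host = address.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return f"{host}/{resource_id}"


SCHEMA = """
CREATE TABLE gram_audit (
    job_grid_id  TEXT PRIMARY KEY,
    gateway_dn   TEXT NOT NULL,  -- DN of the community credential that submitted the job
    end_user     TEXT NOT NULL,  -- end-user identity carried in the gateway's SAML token
    local_job_id TEXT NOT NULL   -- id assigned by the resource manager
);
CREATE TABLE accounting (
    job_grid_id TEXT PRIMARY KEY REFERENCES gram_audit(job_grid_id),
    charge_su   REAL NOT NULL    -- service units charged by the resource manager
);
"""

# Constructed rows; the Grid JIDs match what epr_to_grid_jid() derives from sample_epr().
SAMPLE_AUDIT = [
    ("rp.example.org/job-0001", GATEWAY_DN, "alice@campus.example.edu", "12345"),
    ("rp.example.org/job-0002", GATEWAY_DN, "bob@campus.example.edu", "12346"),
    ("rp.example.org/job-0003", GATEWAY_DN, "alice@campus.example.edu", "12350"),
    ("rp.example.org/job-0004", "/C=US/O=Other Gateway/CN=other.example.org",
     "carol@campus.example.edu", "12351"),
]
SAMPLE_ACCOUNTING = [
    ("rp.example.org/job-0001", 12.5),
    ("rp.example.org/job-0002", 3.0),
    ("rp.example.org/job-0003", 7.5),
    ("rp.example.org/job-0004", 100.0),
]


def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO gram_audit VALUES (?, ?, ?, ?)", SAMPLE_AUDIT)
    con.executemany("INSERT INTO accounting VALUES (?, ?)", SAMPLE_ACCOUNTING)
    return con


def accounting_record(con, epr_xml):
    """Query using the Grid JID; reply with the accounting record for that job (or None)."""
    grid_jid = epr_to_grid_jid(epr_xml)
    row = con.execute(
        "SELECT a.end_user, a.gateway_dn, a.local_job_id, c.charge_su "
        "FROM gram_audit a JOIN accounting c USING (job_grid_id) "
        "WHERE a.job_grid_id = ?",
        (grid_jid,),
    ).fetchone()
    if row is None:
        return None
    return {"grid_jid": grid_jid, "end_user": row[0], "gateway_dn": row[1],
            "local_job_id": row[2], "charge_su": row[3]}


def charges_per_end_user(con, gateway_dn=GATEWAY_DN):
    """Local, fine-grained accounting: total SUs per end user submitted through one gateway."""
    rows = con.execute(
        "SELECT a.end_user, SUM(c.charge_su) FROM gram_audit a "
        "JOIN accounting c USING (job_grid_id) "
        "WHERE a.gateway_dn = ? GROUP BY a.end_user",
        (gateway_dn,),
    )
    return {user: total for user, total in rows}


def within_user_quota(con, end_user, quota_su, gateway_dn=GATEWAY_DN):
    """Gateway-side check before submitting another job under a local per-user quota."""
    return charges_per_end_user(con, gateway_dn).get(end_user, 0.0) < quota_su


if __name__ == "__main__":
    db = build_sample_db()
    print(accounting_record(db, sample_epr("job-0001")))
    print(charges_per_end_user(db))
```

The join is restricted to the gateway's own DN so that one gateway cannot see charges incurred through another gateway's community credential; the end-user column is the piece the deployment strategy below calls "retrofit GRAM 4.0 Audit with end user identity", and without it the accounting data can only be aggregated per gateway.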
         TeraGrid Deployment Strategy

1. GridShib SAML Tools at the Gateway
  •   http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
2. GridShib for GT at the RP
  •   Integrate GS4GT into CTSS4
3. Integrate with TeraGrid Central Database
  •   Retrofit GRAM 4.0 Audit with end user identity
  •   Assist with the design and implementation of GRAM
      4.2 Audit (in particular, the security table)



A Federated Identity Model for Science Gateways



                 Federated Identity

 The long-term vision is to introduce federated
  identity at the science gateway
 Shibboleth, an open-source implementation of
  the SAML Browser Profiles, provides:
     Ubiquity
     Manageability
     Usability
     Security
 Since Shibboleth is based on SAML, our model
  complements existing campus infrastructure

[Diagram, built up over the following slides. Science Gateway side: a Web Browser, Web Authn, the gateway's Web Interface, a Webapp that hands the username to the GridShib SAML Tools, the community credential with its Key, and a WS GRAM Client that receives attributes. Resource Provider side: a Java WS Container (with GridShib for GT) hosting the GridShib SAML PIP and the WS GRAM Service.]

It is well-known that password management at the gateway is a significant administrative burden for both the gateway and the end user.

To avoid having to manage passwords at the gateway, we propose a federated identity solution on the browser-facing side of the gateway. [Diagram adds a SAML Identity Provider above the Web Browser, with Web Authn now between them, and a SAML Service Provider in front of the gateway's Web Interface.]

A third-party Identity Provider on each campus manages user identity and credentials.

The gateway, which is protected by a Service Provider, trusts the Identity Provider to authenticate the browser user.

Since we’re already invested in SAML on the back end, we prefer an implementation of the standard SAML browser profiles (such as Shibboleth).

A browser user authenticates to their preferred campus Identity Provider instead of the science gateway.

The SAML Identity Provider issues a SAML token that the user transmits to the gateway via the browser. [Diagram adds a SAML Assertion between the SAML Identity Provider and the Web Browser.]

The SAML Service Provider protecting the gateway consumes the SAML token in lieu of a username/password. [Diagram adds a SAML Assertion between the Web Browser and the SAML Service Provider.]

The gateway issues a combined SAML token containing both campus attributes and local attributes. [Diagram: the GridShib SAML Tools derive a SAML+proxy credential, with its Key, from the community credential.]

The gateway authenticates as itself to the resource provider, presenting the combined X.509-bound SAML token. [Diagram: the WS GRAM Client sends the SAML+proxy certificate to the resource provider.]

Since the gateway did not authenticate the end user directly, the resource provider must decide if it trusts the combined SAML token. [Diagram: the GridShib SAML PIP populates a Security Context and writes Logs.]

In the case of federated identity, access control policy at the resource provider is more complex since a third security domain is involved. [Diagram adds a Blacklist Policy and an Authz Policy next to the Logs.]

SAML Web Browser SSO closes the loop for complete end-to-end flow of security information.

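The trust decision on the last few slides (is the gateway trusted to assert end-user identity, is the token bound to the presenting gateway and still valid, does the end user pass the blacklist policy and the attribute-based authz policy, and what gets logged) is shown below as an added example in Python. It is not GridShib code: the proxy certificate is a plain dict stand-in with GSI assumed to have validated the certificate chain already, XML signature checking is omitted, and the assertion layout, DNs, attribute names (eduPersonScopedAffiliation as the campus attribute, gatewayRole as the gateway-local one) and the two policies are constructed for the example.

```python
"""Resource-provider trust decision on a gateway-issued SAML token (added example).

Models the GridShib SAML PIP's decision: trust the issuing gateway, check the
combined token is bound to that gateway and within its validity window, build
a security context, apply a blacklist policy and an attribute-based authz
policy, and log the gateway identity next to the end-user identity. The proxy
certificate is a dict stand-in (chain validation assumed done by GSI); the
assertion, DNs, attribute names and policies are constructed, not GridShib's.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
GATEWAY_DN = "/C=US/O=Example Gateway/CN=gateway.example.org"  # constructed

# Resource-provider policy (constructed). Blacklist and authz policy are keyed on the
# end-user identity and campus attributes, not on the gateway's DN.
TRUSTED_GATEWAYS = {GATEWAY_DN}
BLACKLIST = {"mallory@campus.example.edu"}
AUTHZ_POLICY = {"eduPersonScopedAffiliation": {"member@campus.example.edu",
                                               "faculty@campus.example.edu"}}


def make_assertion(subject, affiliation, issuer=GATEWAY_DN,
                   not_before="2008-06-11T17:00:00Z", not_on_or_after="2008-06-11T18:00:00Z"):
    """Constructed combined token: one campus attribute plus one gateway-local attribute."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_example" IssueInstant="{not_before}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  <saml:AuthnStatement AuthnInstant="{not_before}"><saml:SubjectLocality Address="192.0.2.10"/></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonScopedAffiliation"><saml:AttributeValue>{affiliation}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="gatewayRole"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_token(assertion_xml, now):
    """Build the security context from the assertion; raise ValueError if it is unusable."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML assertion")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("token outside its validity window")
    authn = root.find(f"{{{SAML}}}AuthnStatement")
    locality = authn.find(f"{{{SAML}}}SubjectLocality") if authn is not None else None
    attributes = {
        a.get("Name"): [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
        for a in root.iterfind(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute")
    }
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "end_user": root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"),
        "authn_instant": authn.get("AuthnInstant") if authn is not None else None,
        "ip": locality.get("Address") if locality is not None else None,
        "attributes": attributes,
    }


def evaluate(proxy, now, log):
    """Return (decision, reason, context). proxy = {"issuer_dn": gateway DN, "saml": assertion}."""
    gateway = proxy["issuer_dn"]
    context = None
    if gateway not in TRUSTED_GATEWAYS:
        decision, reason = "deny", "gateway not trusted to assert end-user identity"
    else:
        try:
            context = parse_token(proxy["saml"], now)
        except ValueError as exc:
            decision, reason = "deny", str(exc)
        else:
            # Every attribute named in the authz policy must carry at least one allowed value.
            authz_ok = all(set(context["attributes"].get(name, [])) & allowed
                           for name, allowed in AUTHZ_POLICY.items())
            if context["issuer"] != gateway:
                decision, reason = "deny", "assertion issuer differs from proxy issuer"
            elif context["end_user"] in BLACKLIST:
                decision, reason = "deny", "end user is blacklisted"
            elif not authz_ok:
                decision, reason = "deny", "authz policy not satisfied"
            else:
                decision, reason = "allow", "ok"
    # Audit record: gateway identity and end-user identity side by side, plus the
    # authentication instant and client IP the gateway relayed from the campus login.
    log.append(f"gateway={gateway} end_user={context['end_user'] if context else '?'} "
               f"authn_instant={context['authn_instant'] if context else '?'} "
               f"ip={context['ip'] if context else '?'} decision={decision} reason={reason}")
    return decision, reason, context
```

The order of checks matters for the "third security domain" point on the slide: the gateway's DN decides only whether its assertions are considered at all, while the blacklist and authz policy are evaluated against the campus identity and attributes inside the token, so a single misbehaving end user can be blocked without revoking the whole gateway's community credential. The log line records both identities for every decision, including denials, which is what makes later per-user attribution possible.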
Federated Identity Model for Gateways

[Diagram: four labelled exchanges between a Browser, a Shibboleth Identity Provider (Shibboleth SSO Service and GridShib-enabled Attribute Service), a TeraGrid Science Gateway (Shib-enabled Grid Portal and GridShib-enabled Grid Client, which holds an X.509 end entity credential and Key) and a GridShib-enabled Grid SP.
 A: the Browser and the Shibboleth SSO Service exchange a SAML Request and a SAML Assertion.
 B: the Browser delivers the SAML Assertion (response) to the Shib-enabled Grid Portal.
 C: the GridShib-enabled Grid Client turns the X.509 SAML proxy credential (with its Key) into an X.509 SAML proxy certificate presented to the GridShib-enabled Grid SP.
 D: the Grid SP, over X.509, sends a SAML Request to the GridShib-enabled Attribute Service and receives a SAML Assertion in response.]

Birds-of-a-Feather Session




 Is your gateway infrastructure built on a JEE
  portal framework?
 If so, which one?
 If not, what application server do you use?




 Is your gateway security framework built on the
  community credential model?
 If not, describe your security framework.




 Do you use MyProxy?
 If not, is the community credential stored in the
  file system?




 In your application server environment, how
  easy is it to obtain the following information:
      Username
      Authentication instant
      IP address
      E-mail address
 Does your portal framework provide an API to
  obtain this information or do you have to query a
  database?


 Does your gateway control its own DNS
  domain?
 If not, what is the URL of your gateway?
 [relate this to "scope"]




                     Acknowledgments

 Original Project PIs
    Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
 Developers
    Rachana Ananthakrishnan, Jim Basney, Tim Freeman,
     Raj Kettimuthu, Terry Fleury, Tom Scavo

 The GridShib work was funded by the NSF National Middleware
  Initiative (NMI awards 0438424 and 0438385). Opinions and
  recommendations in this paper are those of the authors and do not
  necessarily reflect the views of NSF.
 The Science Gateway integration work is funded by the NSF
  TeraGrid Grid Integration Group through a sub-award to NCSA.


  Thank you!



          GridShib
http://gridshib.globus.org/