Globus Security
in the Real World
GridWorld/GlobusWORLD 2006
Sep 11-14, Washington, DC
Frank Siebenlist - ANL/UofChicago (franks@mcs.anl.gov)
Von Welch - NCSA (vwelch@ncsa.uiuc.edu)
http://www.globus.org/
Outline
Part One: Von Welch, NCSA
Grid Security Overview
Grid Authentication
Identity Management
The Move to Federation
Part Two: Frank Siebenlist, ANL
Big Picture and Futures
Qs?
GlobusWORLD 2006 Globus Security in the Real World 2
The Grid Security Goal
Allow for the creation and operation of
virtual organizations
Composed of non-trivial resources
From multiple institutions
And users
From multiple institutions
Acting in a coordinated manner
[Figure: a Virtual Organization spanning Org 1, Org 2 and Org 3 under a shared Policy]
Grid Security must address…
Trust between resources without organization support
Bridging differences between mechanisms
Authentication, assertions, policy…
Allow for controlled sharing of resources
Delegation from site to VO
Allow for coordination of shared resources
Delegation from VO to users, users to resources
...all with dynamic, distributed user communities and
least privilege.
Why Grid Security is Hard
Resources being used may be valuable & the problems
being solved sensitive
Both users and resources need to be careful
Dynamic formation and management of virtual
organizations (VOs)
Large, dynamic, unpredictable…
VO Resources and users are often located in distinct
administrative domains
Can’t assume cross-organizational trust agreements
Different mechanisms & credentials
X.509 vs Kerberos, SSL vs GSSAPI,
X.509 vs. X.509 (different domains),
X.509 attribute certs vs SAML assertions
Why Grid Security is Hard…
Interactions are not just client/server,
but service-to-service on behalf of the user
Requires delegation of rights by user to service
Services may be dynamically instantiated
Standardization of interfaces to allow for discovery,
negotiation and use
Implementation must be broadly available & applicable
Standard, well-tested, well-understood protocols;
integrated with wide variety of tools
Policies from sites, VOs and users need to be combined
Varying formats
Want to hide as much as possible from applications!
Grid IdM vs Web IdM
How does Grid security compare to developments in
Web identity management (e.g. SAML)?
E.g. Liberty, user-centric identity
Many of the same issues on establishing user
identity
Grid can leverage this space
Grid has (so far) had less emphasis on privacy
Grid adds challenges of resource coordination
through delegation
User-driven trust between service providers
Security Layers (top to bottom)
Authorization: Grid-Mapfile / SAML / X.509 ACS
Delegation: X.509 Proxy Certificates
Authentication: X.509 ID Certificates
Message Protection: WS-Security / WS-SecureConversation
Message Format: SOAP
Grid Security Infrastructure (GSI)
Use GSI as a standard mechanism for
bridging disparate security mechanisms
Basic support for delegation, policy
distribution
Translate from other mechanisms to/from
GSI as needed
Convert from GSI identity to local identity
for authorization
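The identity-to-local-account step above, as an added example (not Globus code): a small parser for the grid-mapfile format and the lookup a service performs after authenticating the caller; the file contents, DNs and account names are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample grid-mapfile (not from the slides). One mapping per line: the
# X.509 subject DN (quoted when it contains spaces) followed by whitespace and a
# comma-separated list of local accounts; '#' starts a comment.
GRIDMAP_TEXT = """
# grid-mapfile for a hypothetical site
"/C=US/O=Example Org/CN=Alice Grid"   alice
"/C=US/O=Example VO/CN=Bob Pipeline"  bob,vo_batch
/C=US/O=Example/CN=nospace            svc1
"""

_ENTRY = re.compile(r'^(?:"(?P<qdn>[^"]+)"|(?P<dn>\S+))\s+(?P<users>[\w.,-]+)\s*$')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {subject DN: [local users]}; the first user is the default mapping."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            # Fail closed: a malformed line is a configuration error, not a silent skip.
            raise ValueError(f"grid-mapfile line {lineno} is malformed: {raw!r}")
        dn = m.group("qdn") or m.group("dn")
        users = [u for u in m.group("users").split(",") if u]
        if not users:
            raise ValueError(f"grid-mapfile line {lineno} has no local user")
        mapping[dn] = users
    return mapping


def map_identity(mapping: Dict[str, List[str]], identity_dn: str,
                 requested_user: Optional[str] = None) -> Optional[str]:
    """Map a GSI identity DN to a local account.

    identity_dn is assumed to be the end-entity identity already extracted from
    the validated proxy chain (a proxy's own subject carries extra CN components
    and must never match). Returns None when the DN is unmapped or the requested
    account is not among the allowed ones, so the caller denies access.
    """
    allowed = mapping.get(identity_dn)
    if not allowed:
        return None
    if requested_user is None:
        return allowed[0]
    return requested_user if requested_user in allowed else None


MAPPING = parse_gridmap(GRIDMAP_TEXT)
```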
Grid Security Infrastructure (GSI)
Based on standard PKI technologies
CAs allow one-way, light-weight trust
relationships (not just site-to-site)
SSL protocol or WS-Security for
authentication, message protection
X.509 Certificates for asserting identity
for users, services, hosts, etc.
Proxy Certificates
GSI extension to X.509 certificates for
delegation, single sign-on
X.509 for Global Authentication
Initially Grids were smaller, no institutional
support
Didn’t want to rely on institutional
support for Grid authentication
PKI was chosen for its ability to certify
large number of dispersed users
Globus Project ran the initial “Globus CA”
Issued O(1k) certificates
The Grid PKI
Large “Grid CAs” and PKIs started
appearing
NASA IPG, DOE Grids, EU Data Grid, NCSA
Alliance, etc.
GGF CAOps Working group standardized
operations
The Global Grid PKI emerged:
International Grid Trust Federation
Proxy Certificates:
Single Sign-on and Delegation
Extension to X.509 certificates
Standardized in RFC 3820
Coordination of multiple resources requires single sign-on
Manual authentication for each operation is unfriendly (to say
the least)
Allows authenticating once and acting many times
And delegation
Allow services to act on user’s behalf
E.g. coordination of services
Alternate CA's:
Adding Federation to the Mix
As Grids started to grow, institutions
started getting involved
Institutions with Grid users already in their
local identity management (IdM) systems
These institutions started providing their
users with credentials based on their
existing authentication systems
E.g. KCA, MyProxy On-line CA, GridShib
And federation started emerging in the
Grid space
MyProxy: Easy Security by
Leveraging Local Authentication
[Figure: the user authenticates to the MyProxy On-line CA through PAM/SASL, backed by Kerberos, LDAP, OTP, SQL, …; MyProxy returns credentials plus trust config, e.g. CA certs and CRLs]
See Jim Basney’s Talk for more details
GridShib:
Grid-Shibboleth Interoperability
Shibboleth developed by Internet2 for
inter-organizational web authorization
Based on SAML
Moving to SAML2
GridShib allows translation of Shibboleth
Identities (identifiers and attributes) to
X.509 for use in Grid
See my Thursday talk for more details
PURSE:
Community-based Authentication
Portal extensions (CGI scripts) that automate user registration
requests.
Solicits basic data from user.
Generates cert for user
Use MyProxy as backend
Gives user ID/password for MyProxy.
Benefits
Users never have to deal with certificates.
Portal can get user cert from MyProxy when needed.
Database is populated with user data.
What about authorization?
Grid started out with identity-based authorization
Grid identity mapped to local identity
Scaling has forced move to attribute-based
authorization
Virtual Organization Management Service (VOMS)
Developed by EU Data Grid
GridShib and SAML-based attributes
Community Authorization Service
Fine-grained privileges
Outline
Part Two: Frank Siebenlist, ANL
GT’s Authorization Processing Framework
Configuration, Metadata, etc.
Resources, EPRs, Identifiers & Security
Futures and Conclusion
GT4’s New AuthZ Framework
GT4’s New AuthZ Framework
“server-pull”: Shib/SAML Attr Svc; authZ SAML/XACML (Permis, CAS)
“client-push”: authZ SAML (CAS); X509 AC (VOMS); carried in SOAP header or proxycert
Processing in the framework:
Attribute validation and normalization
Attribute-based authZ processing
Dynamic PDP-instance creation
Delegation of rights resolution
Decision-chains rooted at rsrc owner
GT’s AuthZ Processing Framework
Assertion Processing
Client-push
SOAP Header (SAML) + Proxy-certificate embedding (VOMS&SAML)
Server-pull
Shib/SAML Attribute Query
GGF-SAML1 & XACML2-SAML2 AuthZ Query
Assertion Validation, Normalization & Collection
Attribute Assertions
X509 Attribute Certs & SAML Attr/AuthN Assertions, custom&pluggable PIPs
AuthZ Assertions
Proxy-certs, SAML AuthZ, XACML, custom&pluggable PDPs
Crypto & certificate validation + Normalized attribute format
Attributes collected under same entity/actor
Consistent, generic Attribute-based AuthZ Processing
Dynamic creation of AuthZ-language specific PDP-instances
Passes all collected attributes to PDPs
Automatically resolves delegation of right statements/decisions
All decision-chains rooted at resource-owner
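The last two bullets, delegation-of-rights resolution with every decision chain rooted at the resource owner, as an added example (not GT4 code): a minimal resolver over already crypto-validated grant assertions. The Grant model, principal names and sample grants are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Grant:
    issuer: str            # signer of the assertion; assumed already crypto-validated
    subject: str           # principal receiving the right
    resource: str
    rights: FrozenSet[str]
    delegable: bool        # may the subject pass this right on to others?


OWNER = "site-admin"       # constructed: the resource owner, root of every valid chain
GRANTS = [                 # constructed sample assertions
    Grant("site-admin", "vo-admin", "/data/run42", frozenset({"read", "write"}), True),
    Grant("vo-admin", "alice", "/data/run42", frozenset({"read"}), False),
    Grant("alice", "bob", "/data/run42", frozenset({"read"}), False),            # alice may not delegate
    Grant("mallory", "mallory", "/data/run42", frozenset({"read", "write"}), True),  # self-issued
    Grant("carol", "dave", "/data/run42", frozenset({"read"}), True),            # cycle with no root
    Grant("dave", "carol", "/data/run42", frozenset({"read"}), True),
]


def resolve(grants: List[Grant], owner: str, requester: str, resource: str,
            right: str, max_depth: int = 8) -> Optional[List[str]]:
    """Return the principal chain owner -> ... -> requester that authorizes `right`
    on `resource`, or None when no chain rooted at `owner` exists."""
    def chain_to(holder: str, must_delegate: bool, depth: int, seen: frozenset):
        if holder == owner:
            return [owner]                     # reached the root of trust
        if depth == 0 or holder in seen:
            return None                        # depth bound and cycle guard
        for g in grants:
            # Skip grants that do not give this holder this right on this resource,
            # self-issued grants, and non-delegable grants used as an intermediate hop.
            if (g.subject != holder or g.resource != resource or right not in g.rights
                    or g.issuer == holder or (must_delegate and not g.delegable)):
                continue
            upstream = chain_to(g.issuer, True, depth - 1, seen | {holder})
            if upstream is not None:
                return upstream + [holder]
        return None
    return chain_to(requester, False, max_depth, frozenset())


def decide(grants: List[Grant], owner: str, requester: str, resource: str, right: str) -> bool:
    """Deny unless a chain rooted at the owner is found."""
    return resolve(grants, owner, requester, resource, right) is not None


if __name__ == "__main__":
    for who in ("alice", "bob", "mallory", "dave"):
        print(who, resolve(GRANTS, OWNER, who, "/data/run42", "read"))
```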
Policy Assertions from Everywhere
Policy Assertions from Everywhere (2)
[Figure: policy and attribute sources feeding the framework: PERMIS, Shib, XACML, LDAP, CAS, VOMS, SAML, Handle, Gridmap, XACML, and others (???)]
MyProxy/GridLogon
No long-lived secrets on the user’s workstation
=> move secrets to a secure MyProxy-server
Issue derived short-lived proxy-certificates
=> issue short-lived identity certificates
On-line Certificate Authority (CA)
Need for bootstrap authentication…
Passwords
One-Time-Passwords
Need for “true” secure password protocol
“Generic” Policy Engine
CAS++
[Figure: CAS++ built from multiple cooperating CAS instances]
Real-time Resource Creation
and Policy Management
CAS++ Development
(or iCAS/eCAS/CAS# ;-) )
“Simple”, generic policy language
With group membership attribute support
Dynamic/real-time object, policy & group creation
Client-push & Server-pull
Co-located, local-PDP config option
Zero-config (Derby-db option)
Java&WS admin interfaces
SAML&XACML AuthZ Query Interface
Shib/SAML Attribute Query Interface
Gridmap-compliant Java interface
…not all finished yet, but… we’re getting there…
PhD-research project for James Moore (ISI)
(pet-project for Carl Kesselman, Rachana Ananthakrishnan, Laura
Pearlman, Ian Foster, Frank Siebenlist)
AuthN & Trust-Root Provisioning
Bootstrap User’s Trust-Root Config from Secure OTP Authentication
[Figure: the user workstation (initially not configured) performs secure mutual OTP authentication and key exchange with an enhanced MyProxy/GridLogon service backed by an OTP AuthN server and the user’s security config; the service returns a short-lived cert plus provisioning of CAs and AuthZ/Attr authorities]
Dynamic and Centrally Managed
Trustroot and Config Provisioning
Perl scripts to push/pull config data
Not very elegant or scalable… but it works
MyProxy logon option
Bootstrap trust-roots and CRLs provisioning through
MyProxy logon
caGRID’s Grid Trust Service (GTS), MetaData
Infrastructure, Introduce tool
Together they dynamically provision, publish and
discover through code generation, provisioning
services and standardized metadata
Credential and Assertion
Validation Services
X509 Certificate Validation
CRLs
Distribution through Perl-script push, MyProxy, caGRID’s CTS
OCSP
GT4 Integration by Universitat Politècnica de Catalunya
(OGRO - The Open GRid Ocsp Java client API)
XKMS
First implementations emerging…
Attribute Assertion Validation
Simple “crypto-validation”
Config of Naming Authority
David Chadwick’s Certificate Validation Service
(ogsa-authZ-wg)
EPR Security Issues?
No way to compare EPRs…
How to associate policy/audit with them
How to “know” whether two EPRs refer to
same resource
Where does the EPR point to tomorrow?
Today it refers to your bank account…
Tomorrow it may refer to yours…
(one of us will be unhappy…)
W3C WS-Addressing’s
Endpoint References (EPR)
“A Web service endpoint is a (referenceable) entity,
processor, or resource to which Web service messages
can be addressed.”
“Endpoint references convey the information needed to
address a Web service endpoint.”
“Endpoint Reference Comparison. This specification
provides no concept of endpoint identity and therefore
does not provide any mechanism to determine equality
or inequality of EPRs and does not specify the
consequences of their equality or inequality. However,
note that it is possible for other specifications to provide
a comparison function that is applicable within a limited
scope.”
Resource Identifier Use Case
Resource Mobility.
Assertion Target.
Resource Attributes
Resource Reference Consistency
Resource Metadata Caching
Audit Label
EPR Minter & Endpoint Identifiers
EPR & Identifier Consumer
EPR, EPI and Message
Resource Identifier requirements
required
1. Consistency with current tooling
2. Unambiguous referencing
3. Client side resource-equality testing
4. A resource identifier in every message.
5. EPR resolution
desirable
6. Works with current/existing tooling
7. Consistency with W3C architecture
8. Unique address
GGF WS-Naming
Specifications:
Web Service Endpoint Identification and
Resolution: Use Cases and Requirements
Unambiguous Web Service Endpoint Profile
Web Service Endpoint Address Identifier Profile
Web Service Endpoint Name Specification
Endpoint Reference Resolution Specification
EPR Resolution Svcs (from EPI)
EPR Conclusion
Current WS-Addressing not good enough!
Need for profiles to require unambiguous
use of EPRs
Need to standardize identifier usage for
policy/audit !!!
Need identifier services framework to
provide the trust fabric for the bindings
caBIG
Cancer Grid project by NCI/NIH
The cancer Biomedical Informatics Grid, or caBIG™, is a voluntary
network or grid connecting individuals and institutions to enable the
sharing of data and tools, creating a World Wide Web of cancer
research. The goal is to speed the delivery of innovative
approaches for the prevention and treatment of cancer. The
infrastructure and tools created by caBIG™ also have broad utility
outside the cancer community. caBIG™ is being developed under
the leadership of the National Cancer Institute's Center for
Bioinformatics.
BIG project: Over 800 people from more than 80 organizations
are working collaboratively on over 70 projects in a three-year pilot
project.
https://cabig.nci.nih.gov/
caBIG/caGrid’s Identifier Services Framework
Identifier
“Naming” of individual Data-Objects
>100 Million Data-Object&IDs
Globally Unique Name for each Data-Object
URI/IRI syntax (opaque to consumer)
Services
Create/modify/delete name-object bindings
Simple Java API
Globally resolve name to data-object
WS-Naming, WS-Transfer & Handle System
Framework
Provide for Trust Fabric => Binding Integrity
Integrated with WS & Handle System admin and security
Policy-driven Administration => Curator Model
Clear accountability
Fully Integrated with caBIG’s Data-Model and Architecture
Use CQL/SQL/XPATH Query Tools
caBIG’s Identifier & Data-Service
caBIG’s Identifier & Data-Service
Data Model fully incorporates Identifiers
>100 Million Object+IDs (re-)generated
Integration through simple Java API
Works with existing CQL/SQL/XPATH Query Tools
WS-Naming Resolution
WS-Transfer GET
Global Naming&Resolution through Handle System
Big Picture & Futures
Major Push to Federate and Leverage existing IDM
Systems
Ease of deployment and hiding X509 from end-users
Configuration major deployment Issue
Code Generation, Provisioning and Metadata Svcs
Attr & AuthZ work… now next step…
Emphasis again on config and simplification
Identifiers to raise abstraction level (policy/audit)
Big push in OGSA and caBIG
Portals keep growing as a user interface
Audit will see a big push
Sign of maturity
Meet the Developers Session at
the Globus Alliance Booth (152A-P7)
Tuesday, September 12
8:00am - 9:00am "Java WS Core and Security (C, Java)" -- Olle Mulmo, Jarek
Gawor, Rachana Anantakrishnan
11:30am -12:30pm "RLS" -- Rob Schuler, Ann Chervenak
12:30pm -1:30pm "MDS" -- Mike D'arcy, Laura Pearlman
3:00pm - 4:00pm "GRAM" – Stu Martin, Peter Lane
6:00pm - 7:00pm "C WS Core" -- Joe Bester
7:00pm - 8:00pm "Python WS Core" -- Joshua Boverhof
Wednesday, September 13
8:00am - 9:00am "GridShib" -- Von Welch, Ton Scavo, Tim Freeman
11:30am - 12:30pm "GT Installation and Administration" -- Charles Bacon
12:30pm - 1:30pm "MyProxy" -- Jim Basney
3:00pm - 4:00pm "GridFTP, XIO, RFT" -- John Bresnahan, Ravi Madduri
Question: Do you see a Fun & Exciting
Career in my future?
Magic 8 Ball: All Signs Point to YES
Say YES to Great Career Opportunities
SOFTWARE ENGINEER/ARCHITECT
Mathematics and Computer Science Division, Argonne National Laboratory
The Grid is one of today's hottest technologies, and our team in the Distributed
Systems Laboratory (www.mcs.anl.gov/dsl) is at the heart of it. Send us a resume
through the Argonne site (www.anl.gov/Careers/), requisition number MCS-310886.
SOFTWARE DEVELOPERS
Computation Institute, University of Chicago
Join a world-class team developing pioneering eScience technologies and
applications. Apply using the University's online employment application
(http://jobs.uchicago.edu/, click "Job Opportunities" and search for requisition
numbers 072817 and 072442).
See our Posting on the GlobusWorld Job Board or Talk to Any of our Globus Folks
Extras…
EPR Resolution Svcs (all)
Identifier Consumer First Step