Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways

TeraGrid 08
Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
June 11, 2008

http://gridshib.globus.org/
GridShib @ TeraGrid 08

- Tutorial: Science Gateways, Security, and GridShib (Mon, 8:00am–12:00pm)
- Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways (Wed, 5:30–6:30pm)
- Poster Session: A Federated Identity Model for Science Gateways (Wed, 6:30–8:30pm)
- Science Gateways Working Group Session (Thu, 3:00–4:30pm)
Definition of Terms

Shib != GridShib
The Science Gateway Use Case

A browser user authenticates to a grid portal. The portal issues a proxy certificate and initiates a grid request on behalf of the user.
Classic Science Gateway

[Diagram: Web Browser --(Web Authn)--> Science Gateway [Web Interface, Webapp, WS GRAM Client, community credential (key)] --> Resource Provider [Java WS Container, WS GRAM Service, community account]. Later frames add a proxy credential (key) at the gateway and a proxy certificate sent to the resource provider.]

The slides walk through the diagram one frame at a time:

1. A science gateway is a convenient intermediary between a browser user and a grid resource provider.
2. Each gateway is issued a community credential that uniquely identifies the gateway.
3. Resource providers associate the community credential with a local community account.
4. To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.
5. The gateway then issues a short-lived proxy credential signed by its community credential.
6. The gateway submits the job on the user's behalf, authenticating as itself to the resource.
7. The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.
8. After the job is executed, the result is returned to the browser user via the gateway web interface.
Community Account Model: The Good

- The Community Account Model
  - simplifies the user experience
  - simplifies gateway implementation and deployment
  - simplifies gridmap file management at the RP
- A community credential is issued to each gateway
- A single community account is created at the RP
- The gateway issues proxy certificates and makes grid requests on behalf of the user
Community Account Model: The Bad

- The community account model has some significant drawbacks, however:
  - End user identity is unknown to the RP
  - Coarse-grained access control at the resource (by design)
  - Awkward approach to auditing and incident response
  - In the event of an emergency, the RP is forced to disable all access to the community account
  - Less than adequate accounting mechanisms
- All this can be traced to a single problem…
Community Account Model: The Ugly

All requests look exactly the same to the resource provider!

If the gateway would only pass the user's name and contact information to the resource provider, all previously mentioned problems would be solved.
Grid Authorization Model

- We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider
  - Extends the Community Account Model
  - Asserts end user identity to the RP
  - Permits fine-grained access control at the RP
  - Provides strong auditing and effective incident response
  - Allows dynamic blacklisting of problem accounts or runaway processes
  - A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure
  - Complements existing SAML-based middleware infrastructure on today's campuses
Grid Authorization Model

- The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider
- Using GridShib SAML Tools, the gateway
  1. issues a SAML assertion containing the user's authentication context and attributes
  2. binds the SAML assertion to a proxy certificate signed by the community credential
  3. authenticates to the resource by presenting the SAML-laden proxy certificate

http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf
Binding a SAML assertion to a proxy credential:

  X.509 Proxy Credential          <saml:Assertion>
  Issuer: Science Gateway     +     <saml:NameID>        =
  Subject: Science Gateway+           trscavo
                                    </saml:NameID>
                                  </saml:Assertion>

  X.509 Proxy Credential
  Issuer: Science Gateway
  Subject: Science Gateway+
  X509v3 extension:
    1.3.6.1.4.1.3536.1.1.1.12:
      <saml:Assertion>
        <saml:NameID>
          trscavo
        </saml:NameID>
      </saml:Assertion>
GridShib-enabled Science Gateway

A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.
         Grid Authorization Model for Gateways
                                                                              An enhancement to the
                                                                             community account model
                                                                           increases the information flow
                      Web Browser                                          between the gateway and the
             Web
                                                                                 resource provider.
             Authn

                      Web Interface                                            Java WS Container
                                                                              (with GridShib for GT)

attributes
                     Webapp              WS GRAM                           GridShib           WS GRAM
                                          Client                            for GT             Service

                            username

                  GridShib
                 SAML Tools



                     community
                      credential
                                   Key



             Science Gateway                                                  Resource Provider



                                             http://gridshib.globus.org/
         Grid Authorization Model for Gateways
                                                                            A software component called
                                                                              GridShib SAML Tools is
                                                                             integrated into the gateway
                      Web Browser                                                portal environment.
             Web
             Authn

                      Web Interface                                            Java WS Container
                                                                              (with GridShib for GT)

attributes
                     Webapp              WS GRAM                           GridShib           WS GRAM
                                          Client                            for GT             Service

                            username

                  GridShib
                 SAML Tools



                     community
                      credential
                                   Key



             Science Gateway                                                  Resource Provider



                                             http://gridshib.globus.org/
         Grid Authorization Model for Gateways
                                                                            Another software component
                                                                             called GridShib for GT is
                                                                             deployed at the resource
                      Web Browser                                                    provider.
             Web
             Authn

                      Web Interface                                            Java WS Container
                                                                              (with GridShib for GT)

attributes
                     Webapp              WS GRAM                           GridShib           WS GRAM
                                          Client                            for GT             Service

                            username

                  GridShib
                 SAML Tools



                     community
                      credential
                                   Key



             Science Gateway                                                  Resource Provider



                                             http://gridshib.globus.org/
         Grid Authorization Model for Gateways
                                                                           These two GridShib software
                                                                            components produce and
                                                                           consume Security Assertion
                      Web Browser                                           Markup Language (SAML)
             Web
                                                                                     tokens.
             Authn

                      Web Interface                                            Java WS Container
                                                                              (with GridShib for GT)

attributes
                     Webapp              WS GRAM                           GridShib           WS GRAM
                                          Client                            for GT             Service

                            username

                  GridShib
                 SAML Tools



                     community
                      credential
                                   Key



             Science Gateway                                                  Resource Provider



                                             http://gridshib.globus.org/
         Grid Authorization Model for Gateways
                                                                               Again the browser user
                                                                           authenticates to the gateway by
                                                                             presenting a username and
                      Web Browser                                                    password.
              Web
             Authn

                      Web Interface                                             Java WS Container
                                                                               (with GridShib for GT)

attributes
                     Webapp              WS GRAM                           GridShib            WS GRAM
                                          Client                            for GT              Service

                            username

                  GridShib
                 SAML Tools



                     community
                      credential
                                   Key



             Science Gateway                                                  Resource Provider



                                             http://gridshib.globus.org/
         Grid Authorization Model for Gateways
                                                                               This time the gateway uses the
                                                                               GridShib SAML Tools to issue an
                                                                                 X.509-bound SAML token.
                      Web Browser

             Web
             Authn

                      Web Interface                                                 Java WS Container
                                                                                   (with GridShib for GT)

attributes
                     Webapp              WS GRAM                               GridShib            WS GRAM
                                          Client                                for GT              Service

                            username

                  GridShib
                                               SAML
                 SAML Tools
                                         proxy
                                         credential   Key




                     community
                      credential
                                   Key



             Science Gateway                                                      Resource Provider



                                                 http://gridshib.globus.org/
         Grid Authorization Model for Gateways
                                                                               The SAML token bound to the
                                                                               proxy certificate contains the
                                                                              name of the end user and other
                      Web Browser                                               user attributes (e.g., e-mail).
             Web
             Authn

                      Web Interface                                                Java WS Container
                                                                                  (with GridShib for GT)

attributes
                     Webapp              WS GRAM                              GridShib            WS GRAM
                                          Client                               for GT              Service

                            username

                  GridShib               X.509 Proxy Credential
                                             SAML
                 SAML Tools              Issuer: Science Gateway
                                         proxy
                                         Subject: Science Gateway+
                                         credential Key

                                         X509v3 extension:
                     community
                      credential          1.3.6.1.4.1.3536.1.1.1.12:
                                   Key
                                         <saml:Assertion>
                                          <saml:NameID>
             Science Gateway               trscavo                               Resource Provider
                                          </saml:NameID>
                                         </saml:Assertion>
                                                http://gridshib.globus.org/
                                                                     Key
         Grid Authorization Model for Gateways
                                                                               The gateway authenticates as
                                                                               itself to the resource provider,
                                                                               presenting the proxy certificate
                      Web Browser                                                 with bound SAML token.
             Web
             Authn

                      Web Interface                                                Java WS Container
                                                                                  (with GridShib for GT)

attributes
                     Webapp              WS GRAM                               GridShib           WS GRAM
                                          Client                                for GT             Service
                                                                   SAML
                            username                        proxy
                                                            certificate
                  GridShib
                                               SAML
                 SAML Tools
                                         proxy
                                         credential   Key




                     community
                      credential
                                   Key



             Science Gateway                                                      Resource Provider



                                                 http://gridshib.globus.org/
         Grid Authorization Model for Gateways
                                                                               The GridShib for GT extracts the
                                                                                  SAML token from the proxy
                                                                                certificate, parses it, and writes
                      Web Browser                                                 the information to a log file.
             Web
             Authn

                      Web Interface                                                    Java WS Container
                                                                                      (with GridShib for GT)

attributes
                     Webapp              WS GRAM                               GridShib               WS GRAM
                                          Client                                for GT                 Service
                                                                   SAML
                            username                        proxy
                                                            certificate
                  GridShib
                                               SAML
                 SAML Tools
                                         proxy
                                         credential   Key




                     community                                                 Logs
                      credential
                                   Key



             Science Gateway                                                       Resource Provider



                                                 http://gridshib.globus.org/
         Grid Authorization Model for Gateways
                                                                               The security information in the
                                                                                 SAML token is also used to
                                                                                 populate a SAML security
                      Web Browser                                               context within the container.
             Web
             Authn

                      Web Interface                                                    Java WS Container
                                                                                      (with GridShib for GT)

attributes
                     Webapp              WS GRAM                               GridShib                  WS GRAM
                                          Client                                for GT                    Service
                                                                   SAML
                            username                        proxy
                                                            certificate
                  GridShib                                                                    Security
                                               SAML                                           Context
                 SAML Tools
                                         proxy
                                         credential   Key




                     community                                                 Logs
                      credential
                                   Key



             Science Gateway                                                      Resource Provider



                                                 http://gridshib.globus.org/
         Grid Authorization Model for Gateways
                                                                                  The service compares the
                                                                                  information in the security
                                                                               context to the blacklist, denying
                      Web Browser                                               access if any request info is on
             Web
                                                                                          the blacklist.
             Authn

                      Web Interface                                                    Java WS Container
                                                                                      (with GridShib for GT)

attributes
                     Webapp              WS GRAM                               GridShib                  WS GRAM
                                          Client                                for GT                    Service
                                                                   SAML
                            username                        proxy
                                                            certificate
                  GridShib                                                                    Security
                                               SAML                                           Context
                 SAML Tools
                                         proxy
                                         credential   Key



                                                                               Logs                 Blacklist
                     community
                                                                                                     Policy
                      credential
                                   Key



             Science Gateway                                                      Resource Provider



                                                 http://gridshib.globus.org/
         Grid Authorization Model for Gateways

[Diagram: a Science Gateway (Web Browser, Web Authn, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools, community credential and key, username, attributes, proxy credential carrying SAML) sending a request to a Resource Provider (Java WS Container with GridShib for GT, WS GRAM Service, Security Context, Logs, Blacklist Policy, Authz Policy)]

  The service combines the information in the security context with its access control policy, allowing access if and only if policy is satisfied.

         Grid Authorization Model for Gateways

[Diagram: a Science Gateway (Web Browser, Web Authn, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools, community credential and key, username, attributes, proxy credential carrying SAML) sending a request to a Resource Provider (Java WS Container with GridShib for GT, WS GRAM Service, Security Context, Logs, Blacklist Policy, Authz Policy)]

  As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.

      GridShib-enabled Science Gateway

 • Simple installation and configuration of GridShib SAML Tools at the gateway
 • Includes GridShib Security Framework
    – Exposes both a command-line interface and a Java API
 • End user identity and contact information (e.g., e-mail) transmitted to RP
 • Pushes much of the responsibility for auditing and incident response back onto the RP
 • Big Advantage: No need to shut down the entire gateway in the event of an incident!

                     User Attributes

 • Gateway entityID: https://gridshib.gisolve.org/idp
 • Subject name identifier: trscavo@gisolve.org
 • Authentication statement
    – authentication method: urn:oasis:names:tc:SAML:1.0:am:password
    – authentication instant: 2007-08-02T12:10:34-0400
    – IP address: 10.81.193.244
 • Attribute statement
    – isMemberOf attribute: group://gisolve.org/gisolve
    – mail attribute: trscavo@gmail.com

         Configuring GridShib SAML Tools

 • Some information in the SAML token is static
 • Each gateway provides a configuration file that customizes the static content of each token
 • http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

IdP.entityID=https://gridshib.gisolve.org/idp
NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
NameID.Format.template=%PRINCIPAL%@gisolve.org
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://gisolve.org/gisolve




                JAR Dependencies

 • Java developers have the following JAR dependencies
    – Copy these JARs to WEB-INF/lib
              cog-jglobus.jar
              commons-codec-1.3.jar
              commons-logging.jar
              globus-opensaml-1.1.jar
              gridshib-common-0_4_2.jar
              jce-jdk13-131.jar
              log4j-1.2.8.jar
              xalan.jar
              xercesImpl.jar          Endorse!
              xml-apis.jar
              xmlsec-1.2.1.jar


      Creating the X.509-bound SAML Token

 • Other content in the SAML token is dynamic
 • GridShib SAML Tools provides a Java API that a gateway developer can use to issue SAML tokens with dynamic content
 • http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

// Credential that signs the token and the proxy (the diagrams show the
// gateway's community credential in this role)
GlobusCredential issuingCredential = ...;
// Static content comes from the gateway configuration file; the principal
// name is the first piece of dynamic content
GatewayCredential gc = new GatewayCredential("trscavo");
gc.setCredential(issuingCredential);
// Dynamic content: the user's contact information and authentication context
gc.addEmailAddress("trscavo@gmail.com");
// compute authnMethod, authnInstant, and ipAddress...
gc.setAuthnContext(authnMethod, authnInstant, ipAddress);
// Issue a proxy certificate with the SAML token bound to it
GlobusCredential proxy = gc.issue();


      GridShib-enabled Resource Provider

 • The end user and the end user's contact information (and other attributes) are logged
 • Effective auditing and incident response
 • Blacklist an IP address or name identifier on demand
 • Exposes a SAML security context
 • Fine-grained, attribute-based access control



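The token-issuing step from the "Configuring GridShib SAML Tools" and "Creating the X.509-bound SAML Token" slides and the logging, blacklist and access-control steps from the resource-provider slide, carried through as one added Python example. This is not GridShib code: it is written in Python rather than against the GridShib Java API so that the token's contents and the RP-side checks are visible end to end. It assumes a SAML 1.1 assertion layout with Shibboleth's URI attribute namespace, the standard LDAP OID for the mail attribute (the slides do not name it), and a blacklist and access-control policy constructed here; binding the assertion to the X.509 proxy certificate is left out.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"  # Shibboleth 1.x attribute namespace
ISMEMBEROF_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"             # as in the slide's config file
MAIL_ATTR = "urn:oid:0.9.2342.19200300.100.1.3"                  # LDAP 'mail' OID; assumed, not on the slides
ET.register_namespace("saml", SAML1)
# Static per-gateway content, copied from the "Configuring GridShib SAML Tools" slide.
GATEWAY_CONFIG = """
IdP.entityID=https://gridshib.gisolve.org/idp
NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
NameID.Format.template=%PRINCIPAL%@gisolve.org
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://gisolve.org/gisolve
"""

def q(tag):
    return "{%s}%s" % (SAML1, tag)  # Clark notation for a SAML 1.1 element

def parse_config(text):
    """key=value lines; blank lines and '#' comments are ignored."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def issue_assertion(cfg, principal, authn_method, authn_instant, ip_address, email):
    """Gateway side: merge the static config with per-request values into a SAML 1.1 assertion (as text)."""
    name_id = cfg["NameID.Format.template"].replace("%PRINCIPAL%", principal)
    root = ET.Element(q("Assertion"), {"MajorVersion": "1", "MinorVersion": "1",
                                       "Issuer": cfg["IdP.entityID"], "IssueInstant": authn_instant})
    def add_subject(parent):
        subj = ET.SubElement(parent, q("Subject"))
        ET.SubElement(subj, q("NameIdentifier"), {"Format": cfg["NameID.Format"]}).text = name_id
    authn = ET.SubElement(root, q("AuthenticationStatement"),
                          {"AuthenticationMethod": authn_method, "AuthenticationInstant": authn_instant})
    add_subject(authn)
    ET.SubElement(authn, q("SubjectLocality"), {"IPAddress": ip_address})
    stmt = ET.SubElement(root, q("AttributeStatement"))
    add_subject(stmt)
    for name, value in ((cfg["Attribute.isMemberOf.Name"], cfg["Attribute.isMemberOf.Value"]), (MAIL_ATTR, email)):
        attr = ET.SubElement(stmt, q("Attribute"), {"AttributeName": name, "AttributeNamespace": SHIB_ATTR_NS})
        ET.SubElement(attr, q("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")

@dataclass
class SecurityContext:
    """What the RP exposes to the service: who authenticated, how, from where, and with which attributes."""
    issuer: str
    name_id: str
    authn_method: str
    authn_instant: str
    ip_address: str
    attributes: dict = field(default_factory=dict)

def build_security_context(assertion_xml):
    """RP side: pull the audit-relevant fields and the attributes out of the token."""
    root = ET.fromstring(assertion_xml)
    authn = root.find(q("AuthenticationStatement"))
    locality = authn.find(q("SubjectLocality"))
    ctx = SecurityContext(root.get("Issuer"), authn.find(q("Subject") + "/" + q("NameIdentifier")).text,
                          authn.get("AuthenticationMethod"), authn.get("AuthenticationInstant"),
                          locality.get("IPAddress") if locality is not None else "")
    for attr in root.iter(q("Attribute")):
        values = [v.text for v in attr.findall(q("AttributeValue"))]
        ctx.attributes.setdefault(attr.get("AttributeName"), []).extend(values)
    return ctx

def audit_record(ctx):
    """One log line per request with the fields the RP needs for incident response."""
    return "issuer=%s subject=%s mail=%s ip=%s authn_method=%s authn_instant=%s" % (
        ctx.issuer, ctx.name_id, ",".join(ctx.attributes.get(MAIL_ATTR, [])),
        ctx.ip_address, ctx.authn_method, ctx.authn_instant)

def is_blacklisted(ctx, blacklist):
    """Blacklist policy: name identifiers plus IP addresses or CIDR blocks, matched against the context."""
    if ctx.name_id in blacklist.get("name_ids", ()):
        return True
    try:
        ip = ipaddress.ip_address(ctx.ip_address)
    except ValueError:
        return False  # no usable SubjectLocality to match; the attribute policy still decides
    return any(ip in ipaddress.ip_network(net, strict=False) for net in blacklist.get("networks", ()))

def authorize(ctx, blacklist, authz_policy):
    """RP decision: blacklist first, then attribute-based access control; deny by default."""
    if is_blacklisted(ctx, blacklist):
        return False
    allowed = set(authz_policy.get("allowed_groups", ()))
    return any(g in allowed for g in ctx.attributes.get(ISMEMBEROF_ATTR, ()))

def demo():
    """Round trip with the 'User Attributes' slide values; the blacklist and policy are constructed here."""
    cfg = parse_config(GATEWAY_CONFIG)
    token = issue_assertion(cfg, "trscavo", "urn:oasis:names:tc:SAML:1.0:am:password",
                            "2007-08-02T12:10:34-0400", "10.81.193.244", "trscavo@gmail.com")
    ctx = build_security_context(token)
    decision = authorize(ctx, {"name_ids": set(), "networks": ["10.81.200.0/24"]},
                         {"allowed_groups": {"group://gisolve.org/gisolve"}})
    return ctx, audit_record(ctx), decision
```

The two policy inputs are what make the slide's "no need to shut down the entire gateway" point concrete: because the token carries the end user's name identifier and client IP address, the RP can add either one to its blacklist and reject that user's requests while the gateway's community credential keeps serving everyone else.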
             Discussion Topic #1

 • Is your gateway infrastructure built on a JEE portal framework?
 • If so, which one?
 • If not, what application server do you use?




             Discussion Topic #2

 • Is your gateway security framework built on the community credential model?
 • If not, describe your security framework.




             Discussion Topic #3

 • Do you use MyProxy?
 • If not, is the community credential stored in the file system?




             Discussion Topic #4

 • In your application server environment, how easy is it to obtain the following information:
    – Username
    – Authentication instant
    – IP address
    – E-mail address
 • Does your portal framework provide an API to obtain this information, or do you have to query a database?


             Discussion Topic #5

 • Does your gateway control its own DNS domain?
 • If not, what is the URL of your gateway?




                    Summary

 • Using GridShib SAML Tools, science gateways send user attributes to resource providers
 • Using GridShib for GT, resource providers use these attributes to perform auditing, incident response, and attribute-based access control
 • The TeraGrid central database captures TeraGrid-wide accounting data




                      Acknowledgments

 • GridShib Project PIs
    – Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
 • GridShib Developers
    – Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim Freeman, Raj Kettimuthu, Tom Scavo
 • The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.
 • The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.

                          Thank You!
                          http://gridshib.globus.org/