SC06 – Powerful Beyond Imagination, Tampa, FL, Nov 14, 2006
Scaling TeraGrid Access: A Roadmap (Testbed) for Federated Identity Management for a Large Cyberinfrastructure
Von Welch
NCSA
Manager, Security Research and Development
Acknowledgments
This represents thinking by myself and a number of others: Ian Foster, Tom Scavo, Frank Siebenlist, Charlie Catlett, Jill Gemmill, Dane Skow
Whitepaper: http://gridshib.globus.org/tg-paper.html
Workshop on TeraGrid Authentication, Authorization, and Account Management, August 30-31, 2006, Argonne National Laboratory
Organizers: Von Welch, Tony Rimovsky, Jim Marsteller, Carolyn Peters, Dane Skow
Attendees: 42 persons, representatives from all TeraGrid Resource Provider sites, OSG, Internet2, Globus
http://www-fp.mcs.anl.gov/tgmeeting/AAA-Agenda.htm
A vision for the TeraGrid Federated Identity
Plan for a world where users can be authenticated via their home campus identity management system
Outsource authentication and avoid the identity management burden
Allow communities to assert user attributes
Enable attribute-based authorization of users by the RP site
Allow for user authentication with authorization by community
Prototype the system in a testbed, with involvement of interested parties to work out issues
All usage still billed to an allocation (community or individual)
The Vision (diagram): Campuses supply Identity; Communities (…nanoHUB, NVO, LEAD) supply Attributes
Testbed Use Cases
1. Individual New User
2. Individual Existing User Access
3. Shibboleth authentication to Gateway
4. Gateway attribute authorization to RP
5. OSG/VOMS access
6. Educational Access
7. Incident Response
Challenges
Auditing/logging: for incident response, tracking communities
Account management: community accounts, dynamic workspaces
Policy and configuration: creation, distribution, management; balance with site autonomy
Testbed Timeline
Complete testbed definition by end of 2006
Start testbed deployment January 1, 2007
Ok, maybe January 2nd, 2007
Expect three to six months of evaluation
Then generate plan for production deployment
Seeking participation from admins, users, communities, resources
Testbed Software Components
Enhanced CTSSv3 stack:
Grid authentication (GSI/PKI/X.509 certificates)
Existing GT component extensions to enable attribute-based authorization (GridShib, Virtual Workspace for VOMS)
Installed on TeraGrid resources, on alternate ports or head nodes
VOMS test server
Shibboleth and related software: myVocs, GridShib
Leverage InQueue/TestShib, InCommon, UTexas Federation, OpenIdp
Grid Authentication
Globus Toolkit provides authentication services via X.509 credentials
When requesting a service, the user presents an X.509 certificate: either an RFC 3820 proxy certificate or a standard end entity certificate
GridShib leverages the existing authentication mechanisms in GT
Grid Authorization
Today, Globus Toolkit provides identity-based authorization mechanisms:
Access control lists (called grid-mapfiles) map DNs to local identity (e.g., Unix logins)
Community Authorization Service (CAS)
Some attribute-based authorization has appeared and is proving useful, e.g., VOMS, caBIG
Extensions to GT exist from GridShib and the Virtual Workspace project
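The two slides above describe the GT model that GridShib builds on: the identity that gets authorized is the end entity certificate (EEC) behind an RFC 3820 proxy chain, and a grid-mapfile maps that DN to one or more local accounts. The following Python is an added illustration and is not Globus Toolkit or GridShib code. It models the chain as a list of OpenSSL-style one-line subject DNs (signature verification is assumed to have been done already by GSI/TLS), and every DN, account name and the grid-mapfile text are constructed for the example.

```python
"""Identity-based grid authorization: recover the end entity identity behind an
RFC 3820 proxy chain, then map that DN to a local account via a grid-mapfile.

Added illustration, not Globus Toolkit or GridShib code.  The chain is modelled
as a list of OpenSSL one-line subject DNs, EEC first; signature verification is
assumed to have already been done by GSI/TLS.  All DNs, accounts and the
grid-mapfile text are constructed for the example.
"""
import re
import shlex

# Constructed grid-mapfile.  Real files have the same shape:
#   "<quoted DN>" account[,account...]     plus '#' comment lines
GRID_MAPFILE = """
# grid-mapfile for a TeraGrid resource provider (constructed sample)
"/C=US/O=NCSA/CN=Von Welch" vwelch
"/C=US/O=NCSA/CN=Jane Doe" jdoe,tg-nano
"/C=US/O=Globus/CN=Community Gateway" tg-nano
"""


def parse_gridmap(text):
    """Return {dn: [accounts]} from grid-mapfile text; malformed lines raise."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # keeps the quoted DN as one field
        if len(fields) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected DN and account list")
        dn, accounts = fields
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


# RFC 3820 section 3.4: a proxy's subject is its issuer's subject with exactly
# one CN component appended.  The greedy group peels off only the last /CN=.
_PROXY_SUBJECT = re.compile(r"^(?P<issuer>.+)/CN=(?P<cn>[^/]+)$")


def end_entity_identity(chain_subjects):
    """Walk EEC -> proxy -> ... -> leaf and return the EEC DN, or None if any
    link breaks the RFC 3820 naming rule.  The rule is what lets a relying
    party tie a proxy subject back to the EEC it was issued from, so a
    proxy that names some other DN is rejected rather than trusted."""
    if not chain_subjects:
        return None
    for issuer, proxy in zip(chain_subjects, chain_subjects[1:]):
        m = _PROXY_SUBJECT.match(proxy)
        if m is None or m.group("issuer") != issuer:
            return None
    return chain_subjects[0]


def authorize(chain_subjects, gridmap, requested_account=None):
    """Identity-based decision: (True, account) or (False, reason)."""
    identity = end_entity_identity(chain_subjects)
    if identity is None:
        return False, "proxy chain violates RFC 3820 naming"
    accounts = gridmap.get(identity)
    if not accounts:
        return False, f"{identity} not in grid-mapfile"
    if requested_account is None:
        return True, accounts[0]            # default: first listed account
    if requested_account not in accounts:
        return False, f"{identity} may not use account {requested_account}"
    return True, requested_account


if __name__ == "__main__":
    gm = parse_gridmap(GRID_MAPFILE)
    eec = "/C=US/O=NCSA/CN=Von Welch"
    print(authorize([eec, eec + "/CN=1425983"], gm))
    print(authorize([eec, "/C=US/O=NCSA/CN=Jane Doe/CN=1"], gm))
```

The second call in the demo presents a chain whose leaf claims Jane Doe's DN but hangs off Von Welch's EEC; the naming check rejects it before the grid-mapfile is consulted. A site that instead derived identity by stripping "/CN=..." from the leaf subject would map it to jdoe.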
VOMS
Attribute system developed by the EU DataGrid project
Uses X.509 attribute certificates (RFC 3281)
In use by EGEE, OSG
Shibboleth
System developed by Internet2 to allow for federated identity management
Allows for inter-organization access to web resources
Not an identity management system: exposes campus identity and attributes in a standard format
Based on SAML as defined by OASIS
Policies for attribute release and transient handles to allow privacy
Why Shibboleth?
A large (and growing) installed base on campuses around the world
Professional development and support team at Internet2
Additional tools from GridShib, UAB, MAMS (Australia), SWITCH, UK
Some commercial support now as well
A standards-based, open source implementation
A standard attribute vocabulary (eduPerson)
GridShib
Provides for interoperability between Shibboleth and Grids (Globus Toolkit 4.0)
GridShib for Globus Toolkit: a plugin for GT 4.0
GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
GridShib SAML Tools: tools for adding SAML to Grid credentials
GridShib CA: converting Shibboleth authentication to Grid credentials
myVocs
myVocs developed at UAB (Gemmill and Robinson), NMI funded, http://www.myvocs.org
myVocs allows for VOs based on Shibboleth identities
Users register via Shibboleth and can be added to myVocs-maintained groups
myVocs acts as a Shibboleth proxy to add group information to the user's normal Shibboleth information
myVocs-GridShib integration
GridShib authorizes use of Grid Services based on Shibboleth identities
Integration allows for the creation and management of Grid VOs based on Shibboleth
Demoed at I2 in April (and can do so anytime for interested parties)
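The VOMS, Shibboleth, GridShib and myVocs slides above all feed one RP-side decision: authorize on attributes a community asserts (a VOMS FQAN in an attribute certificate, or a SAML attribute such as a myVocs group or an eduPersonEntitlement) rather than on the user's DN, bill the usage to that community's allocation, and record which community vouched for the user so incident response can trace it. The following Python is an added illustration and is not VOMS, GridShib or myVocs code. The trusted-issuer lists, policy rules, attribute values and account names are constructed for the example; only the FQAN syntax (/vo/group/Role=r/Capability=c) and the attribute names eduPersonEntitlement and isMemberOf are taken from the real schemas.

```python
"""Attribute-based authorization at a resource provider: decide from attributes
asserted by a trusted community (VOMS FQANs, or SAML attributes from a campus
IdP or myVocs), return the community account the usage is billed to, and keep
an audit record naming the community for incident response.

Added illustration, not VOMS, GridShib or myVocs code.  Issuers, policy rules,
attribute values and accounts are constructed; the FQAN grammar and the
eduPersonEntitlement / isMemberOf attribute names are the real ones.
"""
import re

# Attribute authorities this RP trusts (constructed).  Attributes from any
# other issuer are discarded before policy runs: an attribute is only worth
# as much as the authority that signed it.
TRUSTED_VOMS_SERVERS = {"/DC=org/DC=doegrids/OU=Services/CN=voms.example.org"}
TRUSTED_IDPS = {"https://idp.example.edu/shibboleth",
                "https://myvocs.example.org/idp"}

# RP policy (constructed).  First match wins, so the most specific rule is
# listed first.  Each rule names the community allocation account to bill.
POLICY = [
    {"type": "fqan", "group": "/osg/ligo", "role": "production", "account": "tg-ligo-prod"},
    {"type": "fqan", "group": "/osg/ligo", "role": None,         "account": "tg-ligo"},
    {"type": "saml", "name": "isMemberOf", "value": "nanohub:users",
     "account": "tg-nanohub"},
    {"type": "saml", "name": "eduPersonEntitlement",
     "value": "urn:mace:teragrid.org:education", "account": "tg-edu"},
]

# VOMS FQAN: /vo[/subgroup...][/Role=<role>][/Capability=<cap>]
_FQAN = re.compile(r"^(?P<group>/[^/=]+(?:/[^/=]+)*)"
                   r"(?:/Role=(?P<role>[^/=]+))?(?:/Capability=(?P<cap>[^/=]+))?$")


def parse_fqan(fqan):
    """Return (group, role); VOMS writes an absent role as Role=NULL."""
    m = _FQAN.match(fqan)
    if m is None:
        raise ValueError(f"malformed FQAN {fqan!r}")
    role = m.group("role")
    return m.group("group"), (None if role in (None, "NULL") else role)


def authorize(assertion, policy=POLICY):
    """assertion = {"voms": {"issuer": dn, "fqans": [...]},
                    "saml": {"issuer": entityID, "attributes": {name: [values]}}}
    Returns (account, audit) on success or (None, audit) carrying the reason."""
    fqans, voms_issuer = [], None
    voms = assertion.get("voms")
    if voms and voms["issuer"] in TRUSTED_VOMS_SERVERS:
        voms_issuer = voms["issuer"]
        fqans = [parse_fqan(f) for f in voms["fqans"]]
    attrs, idp = {}, None
    saml = assertion.get("saml")
    if saml and saml["issuer"] in TRUSTED_IDPS:
        idp = saml["issuer"]
        attrs = saml["attributes"]

    for rule in policy:
        if rule["type"] == "fqan":
            # Exact group match; a VOMS AC lists parent groups as their own FQANs.
            for group, role in fqans:
                if group == rule["group"] and rule["role"] in (None, role):
                    return rule["account"], {"community": voms_issuer,
                                             "matched": f"{group}/Role={role or 'NULL'}"}
        elif rule["value"] in attrs.get(rule["name"], ()):
            return rule["account"], {"community": idp,
                                     "matched": f"{rule['name']}={rule['value']}"}
    return None, {"reason": "no trusted attribute matched policy",
                  "voms_trusted": voms_issuer is not None,
                  "idp_trusted": idp is not None}


if __name__ == "__main__":
    print(authorize({"voms": {"issuer": "/DC=org/DC=doegrids/OU=Services/CN=voms.example.org",
                              "fqans": ["/osg/ligo/Role=production/Capability=NULL", "/osg/ligo"]}}))
    print(authorize({"saml": {"issuer": "https://myvocs.example.org/idp",
                              "attributes": {"isMemberOf": ["nanohub:users"]}}}))
    print(authorize({"voms": {"issuer": "/CN=rogue", "fqans": ["/osg/ligo/Role=production"]}}))
```

The audit dictionary returned alongside the account is the piece the "Challenges" slide asks for: the RP's log can name the community (VOMS server or IdP entityID) that vouched for the user even when, as with a Shibboleth transient handle, it never learns a campus identity.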
OpenIdp
A Shibboleth identity provider for those who don't have one at their campus yet
Also from UAB: www.openidp.org
Email-based registration
Helps to crack the egg
Commercial equivalent: protectnetwork.com