GridShib: Campus/Grid RBAC Integration. GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids. October 3rd, 2005. Von Welch, vwelch@ncsa.uiuc.edu


Page 1: Title slide (GridShib: Campus/Grid RBAC Integration; GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids; October 3rd, 2005; Von Welch, vwelch@ncsa.uiuc.edu)

Page 2: What is GridShib

• NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under NSF award SCI-0438424
• GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

Page 3: Motivation

• Many Grid VOs are focused on science or business other than IT support
  – Don’t have expertise or resources to run security services
• Allow for leveraging of Shibboleth code and deployments run by campuses

Page 4: Outline

• Overview of Shibboleth
• Overview of Globus/Grid PKI
• Approach
• Status and Future Plans

Page 5: Campus Infrastructure

Page 6: Campus Infrastructure (diagram)

Diagram labels: “Student?”, “Check out book…”, “Access student records…”, “Is student John Smith?”. Campus services (library checkout, student records) ask the campus identity infrastructure questions about the user before granting access.

Page 7: Campus Infrastructure across institutions (diagram)

Diagram labels: “Check out book…”, “Different protocols”, “Privacy”, “Different Schemas”. The same request made across institutions runs into differing protocols and attribute schemas and raises privacy concerns.

Page 8: Shibboleth

• http://shibboleth.internet2.edu/
• Internet2 project
• Allows for inter-institutional sharing of web resources (via browsers)
  – Provides attributes for authorization between institutions
• Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’
• Standards-based (SAML)
• Being extended to non-web resources

Page 9: SAML Authn/Authz (diagram)

• Uses SAML to express identity and attributes, to allow for interoperability
• Uses short-lived identifiers to protect the privacy of users

Page 10: Shibboleth flow (diagram)

Diagram labels: “Check out book…”, “Pseudonymous Identifier”, “Is a student” (about the Pseudonymous Identifier). The service sees only a pseudonymous identifier and the attribute it needs (is a student), not who the user is.

Page 11: Shibboleth

• Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services
• SSO: authenticates user locally and issues authentication assertion with Handle
  – Assertion is short-lived bearer assertion
  – Handle is also short-lived and non-identifying
  – Handle is registered with AA
• Attribute Authority responds to queries regarding handle

Page 12: Shibboleth

• Service Provider composed of Assertion Consumer and Attribute Requestor
• Assertion Consumer parses authentication assertion
• Attribute Requestor: requests attributes from AA
  – Attributes used for authorization
• Where Are You From (WAYF) service determines user’s Identity Provider

Page 13: Shibboleth (Simplified) (diagram)

Diagram labels: Shibboleth IdP containing SSO and AA, backed by a directory (LDAP, e.g.); Shibboleth SP containing ACS and AR. The Handle passes from the IdP’s SSO to the SP’s ACS; the SP’s AR presents the Handle to the AA and receives Attributes, all carried over SAML.
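The handle-based exchange on slides 11 to 13 as a runnable toy model (added here; not Shibboleth or GridShib code). The class and method names, the directory contents and the 300-second handle lifetime are assumptions; the point is that the SP only ever sees a random, expiring handle, and the AA answers only for handles the SSO registered.

```python
# Added example (not Shibboleth/GridShib project code): toy model of the
# Shibboleth IdP (SSO + AA) and SP (ACS + AR) exchange. Names and the
# HANDLE_LIFETIME value are assumptions.
import secrets
import time

HANDLE_LIFETIME = 300  # seconds; assumed value, handles are short-lived

# Constructed stand-in for the campus directory (the "LDAP (e.g.)" box).
DIRECTORY = {"jsmith": {"eduPersonAffiliation": "student"}}


class IdentityProvider:
    """SSO and Attribute Authority; the handle registry links the two."""
    def __init__(self, directory, clock=time.time):
        self.directory, self.clock, self.handles = directory, clock, {}

    def sso_login(self, username):
        # SSO authenticates locally and issues a random, non-identifying handle.
        handle = secrets.token_hex(16)
        expires = self.clock() + HANDLE_LIFETIME
        self.handles[handle] = (username, expires)   # handle registered with AA
        return {"handle": handle, "expires": expires}  # short-lived bearer assertion

    def aa_query(self, handle):
        # AA answers queries about a handle, never about a username.
        entry = self.handles.get(handle)
        if entry is None or self.clock() > entry[1]:
            return None                               # unknown or expired handle
        username, _ = entry
        return dict(self.directory[username])


class ServiceProvider:
    """Assertion Consumer (ACS) and Attribute Requestor (AR)."""
    def __init__(self, idp, clock=time.time):
        self.idp, self.clock = idp, clock

    def consume_assertion(self, assertion):
        # ACS rejects an assertion past its lifetime before using the handle.
        if self.clock() > assertion["expires"]:
            raise ValueError("expired assertion")
        return assertion["handle"]

    def request_attributes(self, handle):
        # AR asks the AA about the handle; the returned attributes drive authorization.
        return self.idp.aa_query(handle)
```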

Page 14: Globus Toolkit

• http://www.globus.org
• Toolkit for Grid computing
  – Job submission, data movement, data management, resource management
• Based on Web Services and WSRF
• Security based on X.509 identity and proxy certificates
  – Maybe from conventional or on-line CAs
• Some initial attribute-based authorization

Page 15: Grid PKI

• Large investment in PKI at the international level for Grids
  – TAGPMA, GridPMA, APGridPMA
  – Dozens of CAs, thousands of users
• Really painful to establish
• But it’s working…
  – And it’s not going away easily

Page 16: Integration Approach

• Conceptually, replace Shibboleth’s handle-based authentication with X.509
  – Provides stronger security for non-web-browser apps
  – Works with existing PKI install base
• To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible

Page 17: Use Cases

• Project leveraging campus attributes
  – Simplest case
• Project-operated Shib service
  – Project operates own service; conceptually easy, but not ideal
• Campus-operated, project-administered Shib
  – Ideal mix, but need mechanisms for provisioning of attribute administration

Page 18: GridShib (Simplified) (diagram)

Diagram labels: Shibboleth SSO and AA, DN (three times), Attributes, SAML, SSL/TLS, WS-Security. In place of the Handle, the user’s X.509 DN identifies the user to the Grid service (via SSL/TLS or WS-Security) and to the AA, which returns Attributes over SAML.

Page 19: Authorization

• Delivering attributes is half the story…
• Currently have a simple authorization mechanism
  – List of attributes required to use service or container
• Developing finer-grain authorization for GRAM
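The “list of attributes required to use service or container” mechanism from this slide, combined with the DN-keyed attribute lookup from the Integration Approach slide, as an added example (not GridShib’s own code). The DNs, attribute names, policy layout and the fail-closed handling of unknown targets are assumptions; what it shows is that the container policy is checked before the service policy and that a denial names exactly which required attribute values the caller lacks.

```python
# Added example (not GridShib project code): required-attribute authorization
# over attributes fetched by X.509 DN. DNs, attribute names and POLICY
# layout are constructed assumptions.

# Constructed AA contents: attributes released per DN; values are multi-valued.
ATTRIBUTE_AUTHORITY = {
    "/C=US/O=NCSA/CN=Jane Smith": {
        "eduPersonAffiliation": {"member", "staff"},
        "isMemberOf": {"cn=gridshib-testers"},
    },
    "/C=US/O=NCSA/CN=Bob Jones": {"eduPersonAffiliation": {"member"}},
    "/C=US/O=NCSA/CN=Guest User": {"eduPersonAffiliation": {"affiliate"}},
}

# Constructed policy: each target lists the attribute values it requires.
# A caller is allowed only if it holds every listed value.
POLICY = {
    "container": {"eduPersonAffiliation": {"member"}},
    "service:GRAM": {"eduPersonAffiliation": {"member"},
                     "isMemberOf": {"cn=gridshib-testers"}},
}


def query_aa(dn):
    """Attribute Requestor step: look up attributes by DN instead of by handle."""
    return ATTRIBUTE_AUTHORITY.get(dn, {})


def missing_attributes(attrs, required):
    """Return {attribute: values the caller lacks}; an empty dict means satisfied."""
    missing = {}
    for name, needed in required.items():
        lacking = needed - attrs.get(name, set())
        if lacking:
            missing[name] = lacking
    return missing


def authorize(dn, target):
    """Deny unless the DN satisfies the container policy and then the target's own."""
    if target not in POLICY:
        return False, {"policy": "none"}          # unknown target: fail closed
    attrs = query_aa(dn)
    scopes = ["container"] if target == "container" else ["container", target]
    for scope in scopes:
        missing = missing_attributes(attrs, POLICY[scope])
        if missing:
            return False, {scope: missing}        # first failing scope is reported
    return True, {}
```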

Page 20: Authorization Plans

• Develop authorization framework in Globus Toolkit
  – Siebenlist et al. at Argonne
  – Pluggable modules for processing authentication, gathering and processing attributes, and rendering decisions
• Work in OGSA-Authz WG to allow for callouts to third-party authorization services
  – e.g. PERMIS
• Convert attributes (SAML or X.509) into a common format for policy evaluation
  – XACML-based

Page 21: GridShib Status

• Beta release publicly available
• Drop-in addition to GT 4.0 and Shibboleth 1.3
• Project website:
  – http://gridshib.globus.org
• Very interested in feedback

Page 22: Future Plans

• Integration of GridShib with MyProxy Online CA
  – Allow for use of Grid resources by users without long-term X.509 credentials
  – Collaboration with Jim Basney
• Signet/Grouper integration for distributed attribute administration
  – See Tom Barton’s talk

Page 23: Questions?

• My email: vwelch@ncsa.uiuc.edu
• Project website:
  – http://gridshib.globus.org