GridShib: Campus/Grid RBAC Integration Penn State Grid Computing Workshop August 5th, 2005 Von Welch [email protected]


TRANSCRIPT

Page 1: GridShib: Campus/Grid RBAC Integration Penn State Grid Computing Workshop August 5th, 2005

GridShib: Campus/Grid RBAC Integration

Penn State Grid Computing Workshop, August 5th, 2005

Von Welch
[email protected]

Page 2: Outline

• Overview of Shibboleth and Globus
• Our Motivation and Use Cases
• Integration Approach
• Status

Page 3: Shibboleth

• http://shibboleth.internet2.edu/
• Internet2 project
• Allows for inter-institutional sharing of web resources (via browsers)
  – Provides attributes for authorization between institutions
• Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’
• Standards-based (SAML)
• Being extended to non-web resources

Page 4: Acknowledgements

• NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under NSF award SCI-0438424
• GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

Page 5: Shibboleth

• Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services
• SSO: authenticates user locally and issues authentication assertion with Handle
  – Assertion is a short-lived bearer assertion
  – Handle is also short-lived and non-identifying
  – Handle is registered with AA
• Attribute Authority responds to queries regarding the handle

Page 6: Shibboleth

• Service Provider composed of Assertion Consumer and Attribute Requestor
• Assertion Consumer parses authentication assertion
• Attribute Requestor: requests attributes from AA
  – Attributes used for authorization
• Where Are You From (WAYF) service determines user’s Identity Provider

Page 7: Shibboleth (Simplified)

[Figure: Shibboleth IdP (SSO, AA, backed by e.g. LDAP) and Shibboleth SP (ACS, AR); labels: Handle, Attributes, SAML]

Page 8: Globus Toolkit

• http://www.globus.org
• Toolkit for Grid computing
  – Job submission, data movement, data management, resource management
• Based on Web Services and WSRF
• Security based on X.509 identity and proxy certificates
  – May be from conventional or on-line CAs
• Some initial attribute-based authorization

Page 9: Motivation

• Many Grid VOs are focused on science or business other than IT support
  – Don’t have expertise or resources to run security services
• Allow for leveraging of Shibboleth code and deployments run by campuses

Page 10: Use Cases

• Project leveraging campus attributes
  – Simplest case
• Project-operated Shib service
  – Project operates its own service; conceptually easy, but not ideal
• Campus-operated, project-administered Shib
  – Ideal mix, but need mechanisms for provisioning of attribute administration

Page 11: Integration Approach

• Conceptually, replace Shibboleth’s handle-based authentication with X509
  – Provides stronger security for non-web-browser apps
  – Works with existing PKI install base
• To allow leveraging of the Shibboleth install base, require as few changes to the Shibboleth AA as possible

Page 12: GridShib (Simplified)

[Figure: Shibboleth (SSO, AA) and Grid service; labels: DN, Attributes, SAML, SSL/TLS, WS-Security]

Page 13: Integration Areas

• Assertion Transmission
• Attribute Authority Discovery
• Distributed Attribute Administration
• User Registration
• Pseudonymous Interaction
• Authorization

Page 14: Assertion Transmission

• How to get SAML assertions from the AA into Globus?
• Initially: Pull mode, with Globus acting as a Shibboleth Attribute Requestor
• Will explore Push modes to help with privacy and role combination
• Implement Grid Name Mapper to map X509 DNs to the local identities used to obtain attributes

Page 15: Attribute Authority Discovery

• No interactive WAYF service in the Grid
• Place identifier of Identity Provider in cert
  – Either in long-term EEC or short-term Proxy Cert
• Will explore pushing attributes
  – Avoids the problem
  – Might also address combined attributes from multiple AAs

Page 16: Distributed Attribute Administration

• Campus is ideal for running services, but may not know all attributes of users
• How does a campus issue attributes for which it is not authoritative?
  – E.g. IEEE membership of staff
  – In the Grid case, project membership
• This may be the largest hurdle due to social, political and/or legal issues
  – Need accepted cookbook for process
• Plan on exploring Signet
  – http://middleware.internet2.edu/signet/

Page 17: Getting Attributes into a Site’s Attribute Authority using Shibboleth

[Figure: Core Business Systems (SIS, HR), Loaders, PersonRegistry, GroupRegistry (GrouperUI), PrivilegeRegistry (SignetUI), On-site Authorities, Off-site Authorities, Attribute Authority (LDAP), Shib/GridShib. Example LDAP entry: uid: jdoe; eduPersonAffiliation: …; isMemberOf: …; eduPersonEntitlement: …]

Page 18: User Registration

• How does the mapping from the user’s X509 DN to the local campus identity get made in the NameMapper configuration?
• In the initial version, this will be a manual process
• Yes, far from ideal
• We envision
  – Something akin to a registration service that authenticates the user’s X509 and local credentials and puts the mapping in automatically
  – Or a portal that hides all the X509 from the user and also handles this mapping
• E.g. PURSE, GAMA

Page 19: Pseudonymous Interaction

• How to maintain Shibboleth pseudonymous functionality with X509?
• Will develop an online CA that issues certificates with non-identifying DNs
  – Register with AA just as SSO does
  – Basically holder-of-key assertions

Page 20: Authorization

• Develop authorization framework in Globus Toolkit
• Pluggable modules for processing authentication, gathering and processing attributes, and rendering decisions
• XACML used for expressing gathered identity, attribute and policy information
  – Convert attributes into a common format for policy evaluation
  – Allows for common evaluation of attributes expressed in SAML and X509 (and others…)
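The pull flow from Pages 14, 18 and 20 (X509 DN, then Grid Name Mapper, then attribute query as Attribute Requestor, then a decision over the normalised attributes), sketched as an added Python example that is not GridShib or Globus Toolkit code. NAME_MAP, ATTRIBUTE_STORE, POLICY, the DNs and every function name are constructed for the example; the real toolkit used XACML and Java, and this sketch only shows the shape of the check.

```python
"""GridShib-style pull flow, sketched for illustration (not project code).
Steps: authenticated X.509 DN -> Grid Name Mapper -> local campus identity ->
attribute query against the campus AA -> policy decision over the attributes.
All tables and names below are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed name-mapper configuration: X.509 subject DN -> local campus uid.
NAME_MAP: Dict[str, str] = {"/C=US/O=Example Campus/CN=Jane Doe": "jdoe"}

# Constructed attribute store standing in for the LDAP behind the campus AA.
ATTRIBUTE_STORE: Dict[str, Dict[str, Set[str]]] = {
    "jdoe": {"eduPersonAffiliation": {"staff", "member"},
             "isMemberOf": {"grid-project-alpha"}},
}

# Constructed policy: each listed attribute must carry at least one listed value.
POLICY: Dict[str, Set[str]] = {"isMemberOf": {"grid-project-alpha"},
                               "eduPersonAffiliation": {"staff", "faculty"}}

@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str

def map_dn(dn: str) -> Optional[str]:
    """Grid Name Mapper: an unregistered DN maps to nothing, so callers fail closed."""
    return NAME_MAP.get(dn)

def query_attributes(local_id: str, requested: Set[str]) -> Dict[str, Set[str]]:
    """Attribute Requestor: pull only the attributes the policy needs (minimal release)."""
    held = ATTRIBUTE_STORE.get(local_id, {})
    return {name: set(vals) for name, vals in held.items() if name in requested}

def authorize(dn: str, policy: Dict[str, Set[str]]) -> Decision:
    """Render a decision for the authenticated DN against the attribute policy."""
    local_id = map_dn(dn)
    if local_id is None:
        return Decision(False, "DN not registered in name mapper")
    attrs = query_attributes(local_id, set(policy))
    for name, accepted in policy.items():
        if not attrs.get(name, set()) & accepted:
            return Decision(False, "no acceptable value for " + name)
    return Decision(True, local_id + " satisfies policy")
```

An unregistered DN is denied before any attribute query is made, which is the fail-closed behaviour the manual NameMapper configuration on Page 18 relies on.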

Page 21: GridShib Status

• Testing initial version internal to project
• Will be a drop-in addition to GT 4.0 and Shibboleth 1.3
• Currently adapting to last-minute Shibboleth 1.3 changes and doing internal testing
• Plan on beta release in 2-3 weeks
• Looking for interested beta testers

Page 22: Questions?

• Project website:
  – http://grid.ncsa.uiuc.edu/GridShib/
• My email:
  – [email protected]