Open Grid Forum 19, January 31, 2007, Chapel Hill, NC
Stephen Langella, Ohio State University, [email protected]
Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)
www.cagrid.org
Agenda
• caBIG
• caGrid
• caGrid Security Overview (GAARDS)
  • Dorian
  • Authentication Service
  • Grid Trust Service (GTS)
  • Grid Grouper
  • Authz / Common Security Module (CSM)
• Additional Information
National Cancer Institute 2015 Goal
Relieve suffering and death due to cancer by the year 2015
Cancer Biomedical Informatics Grid (caBIG™)
• Need: Enable investigators and research teams nationwide to combine and leverage their findings and expertise in order to meet the NCI 2015 Goal.
• Strategy: Create a scalable, actively managed organization that will connect members of the NCI-supported cancer enterprise by building a biomedical informatics network.
• National Cancer Institute Initiative
• Over 800 Participants
• Over 80 Organizations
• Over 70 Projects
caBIG Community Organization
caGrid
• Grid Infrastructure for caBIG
• Enterprise Level Grid Components
• caGrid Components
  • Grid Service Graphical Development Toolkit (Introduce)
  • Metadata
  • Advertisement and Discovery
  • Semantic Services
  • Data Service Infrastructure
  • Analytical Service Infrastructure
  • Identifiers
  • Workflow
  • Security
GAARDS Overview
• Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)
• GAARDS provides services and tools for the administration and enforcement of security policy in an enterprise Grid.
• Developed on top of the Globus Toolkit
• Extends the Grid Security Infrastructure (GSI)
• Provides enterprise services and administrative tools for:
  • Grid User Management
  • Identity Federation
  • Trust management
  • Group/VO management
  • Access Control Policy management and enforcement
  • Integration between existing security domains and the grid security domain.
GAARDS Components
• Dorian
  • Grid User Account Management
  • Integration point between external security domains and the grid.
  • Allows accounts managed in external domains to be federated and managed in the grid.
  • Dorian allows users to use their existing credentials (external to the grid) to authenticate to the grid.
• Grid Trust Service (GTS)
  • Creation and management of a federated trust fabric.
  • Supports applications and services in deciding whether or not signers of digital credentials/user attributes can be trusted.
  • Supports the provisioning of trusted certificate authorities and corresponding CRLs.
• Grid Grouper
  • Group management service for the grid
  • Provides a group-based authorization solution for the Grid
  • Enforces authorization policy based on membership in groups
GAARDS Components
• Authentication Service
  • Integrates existing credential providers into the grid.
  • Provides a uniform grid interface for authenticating to existing credential providers.
  • Applications can communicate with any credential provider.
• Authz/Common Security Module (CSM)
  • Provides a centralized approach to managing and enforcing access control policy (authorization).
• Security Metadata
  • Ensures communication interoperability between grid services
GAARDS in Action
GAARDS in Action: Authenticate with Local Credential Provider
User authenticates to the local credential provider using their everyday user credentials and receives a SAML Assertion.
GAARDS in Action: Obtain Grid Credentials
Application obtains grid credentials from Dorian using the SAML Assertion provided by the local provider.
GAARDS in Action: Invoke Secure Grid Services
Application uses the grid credentials to invoke secure grid services.
GAARDS in Action: Authentication
Grid Service authenticates the user by asking the GTS whether or not the signer of the credential should be trusted ("Should I trust the credential signer?").
GAARDS in Action: Authorization
Grid Service asks CSM, or its own access control policy enforcer, whether or not the user can perform action X on resource Y ("Is Authorized?").
GAARDS in Action: Authorization Alternative
Grid Service can enforce local policy based on user membership in groups maintained in Grid Grouper ("Is member of?").
Dorian
Grid Account Management is Difficult
• Users are required to manage a long-term certificate and private key.
  • How are they obtained?
  • Traditionally users generate a key pair and certificate request locally, then contact (email) a CA administrator to get a signed certificate.
• Mobility Issues
  • Users generally work on more than one computer.
  • Certificate and private key need to be available to users on each machine.
  • Traditionally users need to copy the certificate and private key around.
  • Hassle for the users, some of whom don't have the expertise to accomplish this.
  • Security Concerns.
• Difficult to administrate
  • Few tools for administering the provisioning of user accounts.
  • Difficult to revoke accounts.
  • Limited information available to administrators for making decisions.
• Why can't they leverage their existing accounts to access the grid?
Dorian
• Grid User Account Management
  • Administrative interface for account provisioning and management.
  • Built-in Certificate Authority
  • Manages Grid Credentials for each user.
  • Enables users to authenticate and create grid proxies, which they may use to access the grid.
• Identity Management and Federation
  • Integration point between external security domains and the grid.
  • Users may use existing credentials to obtain a grid proxy.
  • Users authenticate to an IdP and obtain a SAML assertion (proof), which is then given to Dorian to facilitate the creation of a grid proxy.
  • Automated Account Creation and Provisioning
• Built-in Identity Provider
• Comprehensive Administrative UI
Dorian
• Proxy Creation
  • Users authenticate to an IdP.
  • Obtain a SAML assertion (proof) from the IdP.
  • Send the SAML Assertion to Dorian in exchange for a grid proxy.
• Proxy Creation (Detailed)
  • User authenticates to local IdP.
  • Local IdP issues a signed SAML Assertion to the user.
  • User authenticates to Dorian with the SAML Assertion.
  • Dorian verifies the signature of the SAML Assertion.
  • The signing IdP must be registered with Dorian as a trusted provider.
  • Dorian locates the user's grid account or creates one if it does not exist.
  • Dorian ensures the user has rights to create a proxy.
  • Client and Dorian negotiate to create a proxy.
Dorian – Proxy Creation
• Proxy Creation Workflow
  • Client authenticates with local IdP.
  • Client creates a public/private key pair to use for the grid proxy.
  • Client requests Dorian to create a grid proxy.
  • Dorian verifies that the SAML assertion provided by the user is signed by a trusted IdP and that the user has a valid account.
  • Dorian locates the user's grid credentials (private key and certificate).
  • Dorian uses the public key provided to create a proxy certificate and signs it with the user's private key.
  • Dorian returns the proxy certificate to the user.
  • The user may now use the proxy to authenticate to grid services.
[Diagram: proxy creation sequence between JohnDoe, the Ohio State University Authentication Service, Dorian and a Grid Service. Labels: Username / Password, SAML Assertion, Public Key, Private Key, JohnDoe's Private Key, JohnDoe's Certificate, JohnDoe's Proxy Certificate (Signed).]
Grid User Account Creation
• A grid account is created the first time a user accesses Dorian with a SAML Assertion signed by a registered Trusted Identity Provider.
• Each grid account has a status associated with it.
  • Active, Pending, Suspended, Expired, …
  • Only users with an Active status will be given access to the grid.
• The initial status of a user account upon creation depends on the user policy configured for their IdP.
• A User Policy is applied to a user's account every time they request that a proxy be created.
• User Policies enable the administration of Dorian to be as hands-on or hands-off as the administrators wish.
Grid User Accounts
• Grid User Accounts are managed through the Grid Service Interface using the Admin UI
• Grid User Account
  • IdP Local User Id: uniquely identifies a user within the context of an IdP
  • First Name
  • Last Name
  • Email
  • User's role with respect to Dorian
  • User Account Status
  • Grid Credentials
    • Private Key
    • Long term Certificate
• Grid Identity: Dorian CA Metadata + Trusted IdP Id + Local User Id, e.g.
  /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost/OU=IdP [1]/CN=jdoe
  (the leading components are the Dorian CA Metadata, OU=IdP [1] is the IdP Id and CN=jdoe is the Local User Id)
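As an added example (not caGrid's own code), the Dorian-side checks from the proxy creation workflow and the account rules above, modelled in Python: the assertion must verify against a registered, Active IdP; the grid identity is built from Dorian CA metadata, IdP Id and local user id; the account is created on first access with the status the IdP's user policy dictates; and only an Active account gets a proxy. An HMAC stands in for the IdP's X.509 signature, and the returned proxy is a dict rather than a real proxy certificate.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model of Dorian's proxy-creation checks. Assumption: an HMAC over the
# assertion body stands in for the IdP's X.509 signature so the example runs offline.
@dataclass
class TrustedIdP:
    idp_id: int           # Dorian-assigned IdP Id
    status: str           # Active / Suspended
    signing_key: bytes    # stand-in for the registered IdP certificate
    user_policy: str      # status a newly created account starts with
@dataclass
class SAMLAssertion:
    idp_id: int
    local_user_id: str
    signature: str

def body(idp_id, local_user_id):
    return f"{idp_id}|{local_user_id}".encode()

def idp_sign(idp, local_user_id):
    """IdP issues a signed assertion after a local username/password login."""
    sig = hmac.new(idp.signing_key, body(idp.idp_id, local_user_id), hashlib.sha256).hexdigest()
    return SAMLAssertion(idp.idp_id, local_user_id, sig)

class Dorian:
    CA_METADATA = "/O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost"
    def __init__(self):
        self.trusted_idps = {}   # idp_id -> TrustedIdP (admin-registered)
        self.accounts = {}       # grid identity DN -> account status
    def register_idp(self, idp):
        self.trusted_idps[idp.idp_id] = idp
    def grid_identity(self, idp_id, local_user_id):
        return f"{self.CA_METADATA}/OU=IdP [{idp_id}]/CN={local_user_id}"
    def create_proxy(self, assertion, client_public_key):
        idp = self.trusted_idps.get(assertion.idp_id)
        if idp is None or idp.status != "Active":
            raise PermissionError("assertion not from a registered, active IdP")
        expected = hmac.new(idp.signing_key, body(idp.idp_id, assertion.local_user_id), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.signature):
            raise PermissionError("assertion signature does not verify")
        dn = self.grid_identity(idp.idp_id, assertion.local_user_id)
        status = self.accounts.setdefault(dn, idp.user_policy)  # create on first access
        if status != "Active":
            raise PermissionError(f"account {dn} is {status}, not Active")
        # Proxy: the client's public key bound to the user's grid identity; in Dorian it is
        # signed with the user's long-term private key, which Dorian holds.
        return {"subject": f"{dn}/CN=proxy", "issuer": dn, "public_key": client_public_key}
```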
Managing Trusted Identity Providers
• Trusted Identity Provider – an Identity Provider which Dorian is configured to trust and for which Dorian manages grid user accounts.
  • Id – Dorian-assigned identifier for the IdP.
  • Name – human-readable name for easy identification.
  • Status – Active / Suspended
  • User Policy – executed when users authenticate; dictates a policy to apply to a user's account.
  • Authentication Method
  • IdP Certificate – certificate whose corresponding private key will be used in signing SAML assertions.
Dorian Identity Provider
• Dorian Identity Provider (Dorian IdP) – enables developers, smaller groups, research labs, unaffiliated users, and other groups without an IdP to use Dorian as their IdP, such that they may leverage Dorian for creating grid credentials.
  • Registration – provides a registration mechanism through the grid service interface.
  • Authentication – username/password authentication over the grid service interface; successful authentication returns a SAML assertion which can later be consumed by Dorian in exchange for a grid proxy.
  • Account Management – provides administrative operations for managing Dorian IdP accounts.
Dorian IdP – Registration / Authentication
• Potential users obtain an account on the Dorian IdP by registering.
• The Grid Service Interface provides a mechanism for registering for a Dorian IdP account.
• The Dorian GUI provides a graphical interface for registering with the Dorian IdP.
• Account creation depends on how the Dorian IdP is configured:
  • Auto Creation
  • Manual Creation
• Once approved, registered users can authenticate (username, password) to the Dorian IdP to obtain a SAML Assertion, which can then be used to create a proxy.
Dorian IdP User Management
• Dorian IdP User Management
  • Manage User Account Information
  • Manage Account Status
  • Grant IdP Admin Rights
• Account management is done through the grid service interface; only users with admin rights may manage accounts.
• Full account management support through the Dorian GUI.
Authentication Service
Authentication Service
• The role of the Authentication Service is to provide a uniform grid interface for authenticating to existing credential providers.
• Leveraged as an integration point between local identity management and Grid identity federation.
• To achieve this goal, we define a framework as a set of interfaces that can be implemented by a credential provider.
• caGrid provides a default implementation that exposes the Common Security Module (CSM) as an IdP.
[Diagram: within an Organization, Dorian talks to the Authentication Service, which fronts local identity management.]
Supported Credential Providers
• LDAP
• RDBMS
Authentication Service – Design
[Diagram: the Authentication Service is a Grid Service created using the Introduce Toolkit, built on an Authentication Provider Framework with three interfaces: AuthenticationProvider, SubjectProvider and SAMLProvider. Credential Providers can be integrated by implementing this interface.]