Tools for Grid/Campus Integration:
GridShib and MyProxy
Internet2 Advanced Camp, July 1, 2005
Von Welch
July 1, 2005, I2 Advanced CAMP
Outline
• GridShib
  – Overview of Shibboleth and Globus
  – Our Motivation and Use Cases
  – Integration Approach
  – Status
• MyProxy
  – Overview
  – Local Authn Support
Shibboleth
• http://shibboleth.internet2.edu/
• Internet2 project
• Allows for inter-institutional sharing of web resources (via browsers)
  – Provides attributes for authorization between institutions
• Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’
• Standards-based (SAML)
• Being extended to non-web resources
Shibboleth
• Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services
• SSO: authenticates user locally and issues authentication assertion with Handle
  – Assertion is a short-lived bearer assertion
  – Handle is also short-lived and non-identifying
  – Handle is registered with AA
• Attribute Authority responds to queries regarding the handle
Shibboleth
• Service Provider composed of Assertion Consumer and Attribute Requestor
• Assertion Consumer parses authentication assertion
• Attribute Requestor: requests attributes from AA
  – Attributes used for authorization
• Where Are You From (WAYF) service determines user’s Identity Provider
Shibboleth (Simplified)
(Diagram: the Shibboleth IdP, made up of the SSO and the AA backed by a local directory such as LDAP, issues a Handle to the browser; the Shibboleth SP, made up of the Assertion Consumer Service (ACS) and the Attribute Requestor (AR), presents the Handle to the AA over SAML and receives Attributes in return.)
Globus Toolkit
• http://www.globus.org
• Toolkit for Grid computing
  – Job submission, data movement, data management, resource management
• Based on Web Services and WSRF
• Security based on X.509 identity and proxy certificates
  – May be from conventional or on-line CAs
• Some initial attribute-based authorization
Motivation
• Many Grid VOs are focused on science or business other than IT support
  – Don’t have expertise or resources to run security services
• Allow for leveraging of Shibboleth code and deployments run by campuses
Use Cases
• Project leveraging campus attributes
  – Simplest case
• Project-operated Shib service
  – Project operates its own service; conceptually easy, but not ideal
• Campus-operated, project-administered Shib
  – Ideal mix, but needs mechanisms for provisioning of attribute administration
Integration Approach
• Conceptually, replace Shibboleth’s handle-based authentication with X.509
  – Provides stronger security for non-web-browser apps
  – Works with existing PKI install base
• To allow leveraging of the Shibboleth install base, require as few changes to the Shibboleth AA as possible
GridShib (Simplified)
(Diagram: the Shibboleth IdP keeps its SSO and AA; the Grid client authenticates to the Globus service with its X.509 DN over SSL/TLS or WS-Security, the Globus service queries the AA about that DN over SAML, and the AA returns Attributes for the DN.)
Integration Areas
• Assertion Transmission
• Attribute Authority Discovery
• Distributed Attribute Administration
• User Registration
• Pseudonymous Interaction
• Authorization
Assertion Transmission
• How to get SAML assertions from the AA into Globus?
• Initially: Pull mode, with Globus acting as a Shibboleth Attribute Requestor
• Will explore Push modes to help with privacy and role combination
• Implement Grid Name Mapper to map X.509 DNs to the local identities used to obtain attributes
Attribute Authority Discovery
• No interactive WAYF service in the Grid
• Place identifier of Identity Provider in cert
  – Either in long-term EEC or short-term Proxy Cert
• Will explore pushing attributes
  – Avoids the problem
  – Might also address combined attributes from multiple AAs
Distributed Attribute Administration
• Campus is ideal for running services, but may not know all attributes of users
• How does a campus issue attributes for which it is not authoritative?
  – E.g. IEEE membership of staff
  – In the Grid case, project membership
• This may be the largest hurdle due to social, political and/or legal issues
  – Need accepted cookbook for process
• Plan on exploring Signet
  – http://middleware.internet2.edu/signet/
Getting Attributes into a Site’s Attribute Authority using Shibboleth
(Diagram: core business systems (SIS, HR) feed loaders into a Person Registry; on-site authorities maintain a Group Registry through the Grouper UI and off-site authorities a Privilege Registry through the Signet UI; the registries populate LDAP entries (uid: jdoe, eduPersonAffiliation, isMemberOf, eduPersonEntitlement) that the Attribute Authority serves to Shib/GridShib.)
User Registration
• How does the mapping from the user’s X.509 DN to the local campus identity get made in the NameMapper configuration?
• In the initial version, this will be a manual process
• Yes, far from ideal
• We envision
  – Something akin to a registration service that authenticates the user’s X.509 and local credentials and puts the mapping in automatically
  – Or a portal that hides all the X.509 from the user and also handles this mapping
    • E.g. PURSE, GAMA
Pseudonymous Interaction
• How to maintain Shibboleth pseudonymous functionality with X.509?
• Will develop an online CA that issues certificates with non-identifying DNs
  – Register the DN with the AA, just as the SSO registers a Handle
  – Basically holder-of-key assertions
Authorization
• Develop authorization framework in Globus Toolkit
• Pluggable modules for processing authentication, gathering and processing attributes, and rendering decisions
• XACML used for expressing gathered identity, attribute and policy information
  – Convert attributes into a common format for policy evaluation
  – Allows for common evaluation of attributes expressed in SAML and X.509 (and others…)
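The pull-mode exchange from the Assertion Transmission slide, the Grid Name Mapper, and the "convert attributes into a common format, then evaluate policy" step of this slide, as one added Go example. This is not GridShib's own code (GridShib is Java, and its Globus side uses XACML): it models both ends of the exchange. Globus, acting as Attribute Requestor, sends a SAML 1.1 AttributeQuery whose NameIdentifier carries the X.509 DN it authenticated (format X509SubjectName); the campus AA runs the name mapper, fed here from grid-mapfile syntax, to turn the DN into the local principal and releases that principal's attributes; the requester flattens the AttributeStatement into a name-to-values map and evaluates a policy over it. Simplifications: no samlp:Request/Response envelope, no signatures or TLS, the AA is called in-process, the directory is an in-memory map, and the policy is a plain map rather than XACML. The DNs, local principals, attribute values, IdP identifier and policy are constructed sample data.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

const (
	fmtX509         = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	attrAffiliation = "urn:mace:dir:attribute-def:eduPersonAffiliation"
	attrMemberOf    = "urn:mace:dir:attribute-def:isMemberOf"
)

// SAML 1.1 elements this exchange needs; samlp:Request/Response envelopes, Conditions and signatures are left out.
type NameIdentifier struct { Format string `xml:"Format,attr"`; Value string `xml:",chardata"` }
type Subject struct { NameIdentifier NameIdentifier `xml:"urn:oasis:names:tc:SAML:1.0:assertion NameIdentifier"` }
type AttributeQuery struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:1.0:protocol AttributeQuery"`
	Resource string   `xml:"Resource,attr"`
	Subject  Subject  `xml:"urn:oasis:names:tc:SAML:1.0:assertion Subject"`
}
type Attribute struct { Name string `xml:"AttributeName,attr"`; Namespace string `xml:"AttributeNamespace,attr"`; Values []string `xml:"urn:oasis:names:tc:SAML:1.0:assertion AttributeValue"` }
type AttributeStatement struct { Subject Subject `xml:"urn:oasis:names:tc:SAML:1.0:assertion Subject"`; Attributes []Attribute `xml:"urn:oasis:names:tc:SAML:1.0:assertion Attribute"` }
type Assertion struct {
	XMLName   xml.Name           `xml:"urn:oasis:names:tc:SAML:1.0:assertion Assertion"`
	Issuer    string             `xml:"Issuer,attr"`
	Statement AttributeStatement `xml:"urn:oasis:names:tc:SAML:1.0:assertion AttributeStatement"`
}

// NameMapper is the slides' Grid Name Mapper: X.509 subject DN -> local principal. It is fed
// here from grid-mapfile syntax: a quoted DN, then the local name; '#' starts a comment.
type NameMapper map[string]string

func ParseGridMapfile(text string) NameMapper {
	m := NameMapper{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		end := strings.LastIndex(line, `"`)
		if !strings.HasPrefix(line, `"`) || end < 1 { continue } // blank, comment or malformed line
		m[line[1:end]] = strings.Split(strings.TrimSpace(line[end+1:]), ",")[0]
	}
	return m
}

// AttributeAuthority is the campus AA with the name mapper in front of it; Dir stands in for its LDAP
// (local principal -> attribute name -> values).
type AttributeAuthority struct { Issuer string; Names NameMapper; Dir map[string]map[string][]string }

// Handle answers one query. An unmapped DN gets an empty statement rather than an error, so a
// requester cannot use the AA to discover which DNs are registered.
func (aa AttributeAuthority) Handle(queryXML []byte) ([]byte, error) {
	var q AttributeQuery
	if err := xml.Unmarshal(queryXML, &q); err != nil { return nil, err }
	if f := q.Subject.NameIdentifier.Format; f != fmtX509 { return nil, fmt.Errorf("unsupported NameIdentifier format %q", f) }
	st := AttributeStatement{Subject: q.Subject}
	for name, values := range aa.Dir[aa.Names[q.Subject.NameIdentifier.Value]] {
		st.Attributes = append(st.Attributes, Attribute{name, "urn:mace:shibboleth:1.0:attributeNamespace:uri", values})
	}
	return xml.Marshal(Assertion{Issuer: aa.Issuer, Statement: st})
}

// PullAttributes is Globus acting as Shibboleth Attribute Requestor: ask the AA about the DN it just
// authenticated, check the assertion is about that DN, and flatten it to attribute name -> values.
func PullAttributes(aa AttributeAuthority, dn, resource string) (map[string][]string, error) {
	req, err := xml.Marshal(AttributeQuery{Resource: resource, Subject: Subject{NameIdentifier{fmtX509, dn}}})
	if err != nil { return nil, err }
	resp, err := aa.Handle(req) // in a deployment this is a SAML SOAP call to the IdP's AA
	if err != nil { return nil, err }
	var a Assertion
	if err = xml.Unmarshal(resp, &a); err != nil { return nil, err }
	if got := a.Statement.Subject.NameIdentifier.Value; got != dn { return nil, fmt.Errorf("assertion is about %q, not %q", got, dn) }
	attrs := map[string][]string{}
	for _, at := range a.Statement.Attributes { attrs[at.Name] = append(attrs[at.Name], at.Values...) }
	return attrs, nil
}

// Policy is the authorization step over the normalized map: each listed attribute must carry at least
// one accepted value. Attributes from other sources (the X.509 DN, a VO service) merge into the same map.
type Policy map[string][]string

func Authorize(p Policy, attrs map[string][]string) bool {
	for name, accepted := range p {
		hit := false
		for _, have := range attrs[name] { for _, want := range accepted { hit = hit || have == want } }
		if !hit { return false }
	}
	return true
}

// Constructed sample deployment: two registered users and one policy protecting a job service.
const gridMapfile = `# "<subject DN>" <local principal>
"/C=US/O=Example Grid/CN=Jane Doe" jdoe
"/C=US/O=Example Grid/CN=Sam Roe" sroe`

var SamplePolicy = Policy{attrMemberOf: {"cn=tg-users,ou=Groups,dc=example,dc=edu"}}

func SampleAA() AttributeAuthority {
	return AttributeAuthority{Issuer: "urn:mace:example.edu:idp", Names: ParseGridMapfile(gridMapfile),
		Dir: map[string]map[string][]string{
			"jdoe": {attrAffiliation: {"faculty"}, attrMemberOf: {"cn=tg-users,ou=Groups,dc=example,dc=edu"}},
			"sroe": {attrAffiliation: {"student"}},
		}}
}
```

Two checks in the requester matter beyond the happy path: it refuses an assertion whose Subject is not the DN it asked about, and a DN the campus has never registered yields an empty attribute map, which the policy then denies. Pushing attributes (the alternative the slides want to explore) would replace PullAttributes with an assertion the client carries in the request, but the normalization and Authorize steps stay the same.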
GridShib Status
• Testing initial version internal to project
• Will be a drop-in addition to GT 4.0 and Shibboleth 1.3
• Plan on releasing Beta version 2-3 weeks after Shibboleth 1.3 is released
• Looking for interested testers
• Project website:
  – http://grid.ncsa.uiuc.edu/GridShib/
Acknowledgements and Details
• NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under NSF award SCI-0438424
• GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team
MyProxy Enhancements for Local Integration
Bill Baker, Jim Basney and Von Welch
NCSA
What is MyProxy?
• Independent Globus Toolkit add-on since 2000
  – To be included in Globus Toolkit 4.0
• A service for securing private keys
  – Keys stored encrypted with user-chosen password
  – Keys never leave the MyProxy server
• A service for retrieving proxy credentials
• A commonly-used service for grid portal security
  – Integrated with OGCE, GridSphere, GridPort, PURSE, GAMA
Proxy Credentials
• RFC 3820: Proxy Certificate Profile
• Associate a new private key and certificate with existing credentials
• Short-lived, unencrypted credentials for multiple authentications in a session
  – Restricted lifetime in certificate limits vulnerability of unencrypted key
• Credential delegation (forwarding) without transferring private keys
(Diagram: CA signs User, User signs ProxyA, ProxyA signs ProxyB.)
Proxy Delegation
(Diagram with Delegator and Delegatee columns and four numbered steps:)
1. Delegatee generates a new key pair
2. Delegatee sends a proxy certificate request to the delegator
3. Delegator signs the new proxy certificate
4. Delegator returns the proxy to the delegatee
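The RFC 3820 chain of the previous slide (CA signs User, User signs ProxyA, ProxyA signs ProxyB) and the four-step delegation above, as an added Go example; this is not Globus Toolkit or MyProxy code. The delegatee generates the key pair and sends a certificate request, the delegator checks the request's self-signature (proof of possession) and signs a proxy certificate with its own non-CA key, so no private key ever crosses between the two. The verifier does what an ordinary X.509 path validator cannot: it validates the end-entity certificate (EEC) normally and then applies the RFC 3820 rules to each proxy. Assumptions: the names, the P-256 curve, the lifetimes (24 h EEC, 12 h and 1 h proxies) and the hand-encoded DER of the ProxyCertInfo extension, which carries only the inherit-all policy language; a verifier that meets other policy languages or a path-length constraint would have to decode the extension rather than compare bytes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidProxyCertInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14} // RFC 3820 ProxyCertInfo
	oidCommonName    = asn1.ObjectIdentifier{2, 5, 4, 3}
	// DER of ProxyCertInfo ::= SEQUENCE { proxyPolicy SEQUENCE { policyLanguage OID } } carrying id-ppl-inheritAll
	// (1.3.6.1.5.5.7.21.1): the proxy may do everything its issuer may. The OPTIONAL pCPathLenConstraint and policy are omitted.
	inheritAllPCI = []byte{0x30, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x15, 0x01}
	serial        = big.NewInt(0)
)

// Credential pairs a certificate with the key that signs beneath it; Chain is EEC first, then each proxy.
type Credential struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }
type Chain []*x509.Certificate
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func nextSerial() *big.Int { serial = new(big.Int).Add(serial, big.NewInt(1)); return serial }
func sign(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// issue makes a conventional RFC 5280 certificate: a self-signed CA if isCA, else an EEC signed by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) Credential {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(), Subject: pkix.Name{Organization: []string{"Example Grid"}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage, parent, signer = x509.KeyUsageCertSign, tmpl, key }
	return Credential{sign(tmpl, parent, &key.PublicKey, signer), key}
}

// NewProxyRequest is the delegatee's step 1: a fresh key pair plus a signed request for it; the private key never leaves the delegatee.
func NewProxyRequest() (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return key, must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key))
}

// IssueProxy is the delegator's steps 2-4: check the request, sign a proxy certificate for the
// new key with its own (non-CA) key, and hand the certificate back.
func IssueProxy(delegator Credential, csrDER []byte, lifetime time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err = csr.CheckSignature(); err != nil { return nil, err } // proof of possession of the new key
	var rdns pkix.RDNSequence // RFC 3820 subject: the issuer's subject plus exactly one CN RDN
	if _, err = asn1.Unmarshal(delegator.Cert.RawSubject, &rdns); err != nil { return nil, err }
	sn := nextSerial()
	rdns = append(rdns, pkix.RelativeDistinguishedNameSET{{Type: oidCommonName, Value: sn.String()}})
	tmpl := &x509.Certificate{
		SerialNumber: sn, RawSubject: must(asn1.Marshal(rdns)), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime), // deliberately short-lived
		ExtraExtensions: []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: inheritAllPCI}},
	}
	return sign(tmpl, delegator.Cert, csr.PublicKey, delegator.Key), nil
}

// BuildChain: a toy CA, a user EEC, and two delegation hops user -> ProxyA -> ProxyB.
func BuildChain() (Chain, *x509.CertPool) {
	ca := issue("Example Grid CA", true, nil, nil)
	user := issue("Jane Doe", false, ca.Cert, ca.Key)
	keyA, csrA := NewProxyRequest()
	certA := must(IssueProxy(user, csrA, 12*time.Hour))
	_, csrB := NewProxyRequest()
	certB := must(IssueProxy(Credential{certA, keyA}, csrB, time.Hour))
	roots := x509.NewCertPool(); roots.AddCert(ca.Cert)
	return Chain{user.Cert, certA, certB}, roots
}

// VerifyProxyChain runs RFC 5280 path validation on the EEC only, then the RFC 3820 rules standard
// validation does not know: each proxy is signed by the previous certificate's (non-CA) key, names it
// as issuer, adds one CN RDN, carries a critical ProxyCertInfo we understand, and is inside its own validity period.
func VerifyProxyChain(chain Chain, roots *x509.CertPool) error {
	if len(chain) == 0 { return fmt.Errorf("empty chain") }
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := chain[0].Verify(opts); err != nil { return fmt.Errorf("EEC: %w", err) }
	for i := 1; i < len(chain); i++ {
		parent, proxy := chain[i-1], chain[i]
		// CheckSignatureFrom would refuse a non-CA parent, so verify the raw signature instead.
		if err := parent.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil { return fmt.Errorf("proxy %d: %w", i, err) }
		var subj, iss pkix.RDNSequence; asn1.Unmarshal(proxy.RawSubject, &subj); asn1.Unmarshal(parent.RawSubject, &iss)
		if !bytes.Equal(proxy.RawIssuer, parent.RawSubject) || len(subj) != len(iss)+1 || subj[:len(iss)].String() != iss.String() ||
			len(subj[len(iss)]) != 1 || !subj[len(iss)][0].Type.Equal(oidCommonName) {
			return fmt.Errorf("proxy %d: subject is not the issuer's name plus one CN", i)
		}
		policyOK := false
		for _, e := range proxy.Extensions { policyOK = policyOK || e.Id.Equal(oidProxyCertInfo) && e.Critical && bytes.Equal(e.Value, inheritAllPCI) }
		if !policyOK { return fmt.Errorf("proxy %d: missing or unsupported critical ProxyCertInfo", i) }
		if now := time.Now(); now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) { return fmt.Errorf("proxy %d: outside its validity period", i) }
	}
	return nil
}
```

The signature step is the one a stock library gets wrong for proxies: Go's CheckSignatureFrom, like most RFC 5280 validators, refuses a signer that is not a CA, so the verifier checks the raw signature and enforces the proxy-specific name and extension rules itself. Swapping ProxyA and ProxyB in the chain, or presenting a proxy where the EEC should be, both fail, and a proxy is only accepted while its own short validity window is open.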
MyProxy System Architecture
(Diagram: a MyProxy client stores a proxy into, and retrieves a proxy from, the MyProxy server’s credential repository; both operations are proxy delegations over a private TLS channel.)
MyProxy: Credential Mobility
(Diagram: from tg-login.ncsa.teragrid.org the user obtains a certificate from ca.ncsa.uiuc.edu and stores a proxy on myproxy.teragrid.org; the other TeraGrid login hosts, tg-login.uc.teragrid.org, tg-login.caltech.teragrid.org and tg-login.sdsc.teragrid.org, retrieve proxies from it.)
MyProxy and Grid Portals
(Diagram: the user logs in to the Portal, the Portal fetches a proxy from the MyProxy server, and then accesses data on a GridFTP server on the user’s behalf.)
MyProxy and PAM
• MyProxy now has the ability to use PAM for authentication
  – As a replacement for the locally-stored password
• Users can use their existing authentication mechanism to access Grid credentials
• Has been tested with PAM modules for LDAP, Kerberos, OTP (CryptoCard) via RADIUS
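What the PAM path looks like in configuration, as an added example rather than a fragment from the MyProxy distribution. The `pam` and `pam_id` options are MyProxy's own myproxy-server.config settings; the /etc/pam.d service file, with pam_ldap as the backend, is an assumed choice standing in for whichever of the modules listed above a site uses.

```text
# /etc/myproxy-server.config (excerpt)
pam "required"      # passphrase checks must be accepted by PAM
pam_id "myproxy"    # PAM service name, i.e. which /etc/pam.d/<name> file applies

# /etc/pam.d/myproxy  (assumed pam_ldap backend; a Kerberos or RADIUS/OTP
# module from the slide above drops in the same way)
auth     required   pam_ldap.so
account  required   pam_ldap.so
```

With this in place the passphrase a user presents to myproxy-logon is checked against the campus directory instead of a password stored alongside the credential, which is the point of the LTER deployment on the next slide: one campus password for the portal, the directory and the Grid credential.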
LTER Grid Example
(Diagram: the user presents an LDAP username and password to the LTER Portal; the portal passes them to the MyProxy server, which checks them through PAM against the LTER LDAP and returns a proxy from the stored credentials; the portal then uses the proxy for job submission and GridFTP.)
Status
• PAM support in MyProxy v2.0, which is released
• Available at http://myproxy.ncsa.uiuc.edu
• PAM-specific documentation:
  – http://grid.ncsa.uiuc.edu/myproxy/pam.html
• PAM enhancements funded by the NMI Grids Center