GridShib: Campus/Grid RBAC Integration. GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids, October 3rd, 2005. Von Welch (NCSA). Presentation transcript.

GridShib: Campus/Grid RBAC Integration
GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids
October 3rd, 2005
Von Welch
Oct 3rd, 2005 2GGF15

What is GridShib
• NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under NSF award SCI-0438424
• GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

Motivation
• Many Grid VOs are focused on science or business other than IT support
  – Don’t have the expertise or resources to run security services
• Allow for leveraging of Shibboleth code and deployments run by campuses

Outline
• Overview of Shibboleth
• Overview of Globus/Grid PKI
• Approach
• Status and Future Plans

Campus Infrastructure
[Figure: campus scenario; labels: Student? / Check out book… / Access student records… / Is student John Smith?]
[Figure: the same scenario, annotated with the problems: Check out book… / Different protocols / Privacy / Different Schemas]

Shibboleth
• http://shibboleth.internet2.edu/
• Internet2 project
• Allows for inter-institutional sharing of web resources (via browsers)
  – Provides attributes for authorization between institutions
• Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’
• Standards-based (SAML)
• Being extended to non-web resources

SAML Authn/Authz
Uses SAML to express identity and attributes, to allow for interoperability.
Uses short-lived identifiers to protect the privacy of users.
[Figure: the scenario with a Pseudonymous Identifier; labels: Check out book… / Pseudonymous Identifier / Is a student / Pseudonymous Identifier]

Shibboleth
• Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services
• SSO: authenticates user locally and issues authentication assertion with Handle
  – Assertion is a short-lived bearer assertion
  – Handle is also short-lived and non-identifying
  – Handle is registered with AA
• Attribute Authority responds to queries regarding the handle

Shibboleth
• Service Provider composed of Assertion Consumer and Attribute Requestor
• Assertion Consumer parses authentication assertion
• Attribute Requestor: requests attributes from AA
  – Attributes used for authorization
• Where Are You From (WAYF) service determines user’s Identity Provider
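The IdP/SP flow of the last two slides as a toy model; this is an added example, not Shibboleth or GridShib code. The SSO authenticates locally, mints a random short-lived Handle, registers it with the AA, and the SP's Attribute Requestor later hands that Handle to the AA; the directory contents, password store, eduPerson attribute names and the 300-second lifetime are all constructed assumptions.

```python
import secrets
import time

# Lifetime of a Handle; the value is an assumption, the slides give none.
HANDLE_LIFETIME = 300

# Constructed directory and password store standing in for the IdP's
# LDAP (e.g.) backend; attribute names follow eduPerson by assumption.
DIRECTORY = {
    "jsmith": {"eduPersonAffiliation": "student"},
    "adoe": {"eduPersonAffiliation": "staff"},
}
PASSWORDS = {"jsmith": "correct horse", "adoe": "battery staple"}


class AttributeAuthority:
    """Holds the Handle -> local user mapping; never reveals it to the SP."""

    def __init__(self, directory):
        self._directory = directory
        self._handles = {}  # handle -> (local user id, expiry time)

    def register(self, handle, user, expiry):
        self._handles[handle] = (user, expiry)

    def query(self, handle, now=None):
        """Attributes for a live Handle, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._handles.get(handle)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._handles[handle]  # an expired Handle is forgotten entirely
            return None
        return dict(self._directory[user])


def sso_login(aa, user, password, now=None):
    """SSO: authenticate locally, mint a random Handle, register it with the AA
    and return the (toy) authentication assertion the browser would carry."""
    now = time.time() if now is None else now
    stored = PASSWORDS.get(user)
    if stored is None or not secrets.compare_digest(stored, password):
        return None
    handle = secrets.token_urlsafe(16)  # random: reveals nothing about the user
    expiry = now + HANDLE_LIFETIME
    aa.register(handle, user, expiry)
    return {"handle": handle, "issued": now, "expires": expiry}
```

The SP only ever sees the Handle; the AA answers `query()` while the Handle is live and returns None once it has expired, which is the pseudonymity property the slides describe.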

Shibboleth (Simplified)
[Figure: Shibboleth IdP (SSO, AA, with LDAP (e.g.) behind it) and Shibboleth SP (ACS, AR), exchanging Handle and Attributes via SAML]

Globus Toolkit
• http://www.globus.org
• Toolkit for Grid computing
  – Job submission, data movement, data management, resource management
• Based on Web Services and WSRF
• Security based on X.509 identity- and proxy-certificates
  – Maybe from conventional or on-line CAs
• Some initial attribute-based authorization

Grid PKI
• Large investment in PKI at the international level for Grids
  – TAGPMA, GridPMA, APGridPMA
  – Dozens of CAs, thousands of users
• Really painful to establish
• But it’s working…
  – And it’s not going away easily

Integration Approach
• Conceptually, replace Shibboleth’s handle-based authentication with X509
  – Provides stronger security for non-web-browser apps
  – Works with existing PKI install base
• To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible

Use Cases
• Project leveraging campus attributes
  – Simplest case
• Project-operated Shib service
  – Project operates own service; conceptually easy, but not ideal
• Campus-operated, project-administered Shib
  – Ideal mix, but need mechanisms for provisioning of attribute administration

GridShib (Simplified)
[Figure: GridShib flow with the user’s X.509 DN in place of the Handle; labels: SSO, AA, Shibboleth, DN, Attributes, SAML, SSL/TLS, WS-Security]

Authorization
• Delivering attributes is half the story…
• Currently have a simple authorization mechanism
  – List of attributes required to use service or container
• Developing finer-grain authorization for GRAM
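The GridShib side of the Integration Approach and Authorization slides as an added example (not the project's own code): the Grid service already knows the caller's X.509 DN from the authenticated connection, so the AA is queried by DN rather than by Handle, and the service then applies the slides' simple policy of a list of attributes required to use it. The DN-to-user mapping, directory contents, attribute names and the GRAM policy are constructed; the proxy-DN stripping assumes the Globus convention that each delegation appends a `/CN=proxy` or numeric `/CN=` RDN.

```python
# Constructed directory and DN mapping standing in for LDAP and the AA's
# DN -> local user configuration (attribute names assumed, eduPerson-style).
DIRECTORY = {
    "jsmith": {"eduPersonAffiliation": ["student"], "isMemberOf": ["grid-users"]},
    "adoe": {"eduPersonAffiliation": ["staff"], "isMemberOf": []},
}
DN_TO_USER = {
    "/C=US/O=Example Grid/OU=Campus/CN=John Smith": "jsmith",
    "/C=US/O=Example Grid/OU=Campus/CN=Ann Doe": "adoe",
}

# Hypothetical policy for a GRAM container: attributes required to use it.
GRAM_POLICY = [("eduPersonAffiliation", "student"), ("isMemberOf", "grid-users")]


def strip_proxy(dn):
    """Reduce a proxy-certificate DN to the identity certificate's DN.

    Assumes the Globus proxy naming convention (each delegation appends
    '/CN=proxy' or '/CN=<number>'); the AA must be keyed by the identity
    DN, or the same user would look different on every delegation."""
    parts = dn.split("/")
    while len(parts) > 1 and parts[-1].startswith("CN=") and (
        parts[-1] == "CN=proxy" or parts[-1][3:].isdigit()
    ):
        parts.pop()
    return "/".join(parts)


def aa_query_by_dn(dn, dn_map=DN_TO_USER, directory=DIRECTORY):
    """AA lookup keyed by DN; an unknown DN yields no attributes, not an error."""
    user = dn_map.get(dn)
    if user is None:
        return {}
    return {name: set(values) for name, values in directory[user].items()}


def authorize(dn, required, aa=aa_query_by_dn):
    """Grant only if every (attribute, value) in `required` is asserted for
    the caller; returns (decision, list of missing requirements) so that a
    denial can be logged with the reason."""
    attrs = aa(strip_proxy(dn))
    missing = [(name, value) for name, value in required
               if value not in attrs.get(name, ())]
    return (not missing, missing)
```

`authorize()` is deliberately fail-closed: a DN the AA has never seen gets an empty attribute set and therefore fails every requirement in the list.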

Authorization Plans
• Develop authorization framework in Globus Toolkit
  – Siebenlist et al. at Argonne
  – Pluggable modules for processing authentication, gathering and processing attributes, and rendering decisions
• Work in OGSA-Authz WG to allow for callouts to third-party authorization services
  – e.g. PERMIS
• Convert attributes (SAML or X509) into a common format for policy evaluation
  – XACML-based

GridShib Status
• Beta release publicly available
• Drop-in addition to GT 4.0 and Shibboleth 1.3
• Project website:
  – http://gridshib.globus.org
• Very interested in feedback

Future Plans
• Integration of GridShib with MyProxy Online CA
  – Allow for use of Grid Resources by users without long-term X509 credentials
  – Collaboration with Jim Basney
• Signet/Grouper integration for distributed attribute administration
  – See Tom Barton’s talk

Questions?
• My email:
• Project website:
  – http://gridshib.globus.org