webfts as a first wlcg/hep fim pilot andrea manzi andrey kiryanov 2 8 th fim4r meeting
TRANSCRIPT
What is WebFTS?• https://webfts.cern.ch• Web based tool to transfer files between
grid/cloud storages• Modular protocol support
• gsiftp, http(s), xrootd and srm• Cloud extensions: dropbox, CERNBox
• Initial development funded by
04/02/2015WebFTS as a first WLCG/HEP FIM pilot 3
Based on FTS3 FTS3 is the service responsible for distributing the
majority of LHC data across the WLCG infrastructure
Low level data movement service, responsible for moving sets of files from one site to another while allowing participating sites to control the network resource usage
Used by LHC VOs + many others VOs part of EGI ~20PB monthly transfer volume / ~2.2M files per
day (WLCG) http://dashb-fts-transfers.cern.ch/ui/
04/02/2015WebFTS as a first WLCG/HEP FIM pilot 4
“X509 free” access• X509 delegation is needed to let WebFTS
access the grid on users behalf• Users make private key available to browser
• Not available via browser API
• We are trying to replace user certificate delegation with transparent access via Identity Federation (pilot project for WLCG)
• The same technology may be used for other types of services, e.g. job submission.
WebFTS as a first WLCG/HEP FIM pilot 04/02/2015 5
Architecture
WebFTSWebFTS
CERN SSO
CERN SSOIdPIdP
Cre
den
tials
Attr
ibu
tes
Web
Red
irect
WA
YF SA
ML
VOMSVOMSIdPIdPIdPIdPIdPIdP
GridStorageElement
GridStorageElement
X.509VOMS
STSSTS
IOTACA
IOTACA
SA
ML
X.5
09V
OM
S
Slide adapted from Romain Wartel, GDB Sept 2014
7
eduGAIN
WebFTS as a first WLCG/HEP FIM pilot
Built on existing federations and infrastructures
CERN participates in eduGAIN via SWITCHaai Many NRENs participate in eduGAIN too
04/02/2015 8
What happens when you log-in to SSO?
04/02/2015WebFTS as a first WLCG/HEP FIM pilot 10
SSO
Auth request (redirect)
SAML Assertion
Apache
SSO plug-in
SAML = Security Assertion Markup LanguageSAML Assertion is essentially a signed list of attributes (name, email,
etc.)
Aut
h.
SA
ML
Web browser
HTTP session
STS
04/02/2015WebFTS as a first WLCG/HEP FIM pilot 11
• Security Token Service (STS) consumes SAML2 assertions and produces X.509 credentials in return.• STS is an implementation of WS-Trust OASIS standard and
it speaks SOAP.• This functionality is based on so-called IOTA CA
(Identifier-Only Trust Assurance Certification Authority) that issues short-living (days) X.509 certificates.• At CERN we can get such certificates from “CERN CA”
(which is NOT “CERN Grid CA”) – the same that signs EduRoam certificates.
SAML2 Assertio
n
What’s in all this for WebFTS?
04/02/2015WebFTS as a first WLCG/HEP FIM pilot 12
Auth request (redirect)
SAML2 Assertion
Apache
SSO plug-in
STS
Auth request
Web browserSAML2 Assertion
X.509 certificate FTS3RESTAPI(JavaScript context)
Aut
h.
SA
ML2
IOTA CA
SSO
Next steps
04/02/2015WebFTS as a first WLCG/HEP FIM pilot 13
• The way STS issues certificates has to change. Basically STS has more than one mode of operation:• It can generate a key pair, sign it with a CA, and send
both certificate and private key back to us. This is what is used right now, but this is wrong because private key is transmitted over the network.
• It can generate a proxy certificate (with or without VOMS extensions) based on a public key provided from our side. This is more secure but this requires changes in the delegation code on WebFTS side ( ongoing )
• VOMS integration is implemented by FTS now. Waiting for STS VOMS integration.
Open Issues
04/02/2015WebFTS as a first WLCG/HEP FIM pilot 14
• Above all we have to convince sites to trust IOTA-profile CAs.• It has to be discussed at the level of
Infrastructures: EGI, WLCG, ..• How we associate different identities of the same
user (e.g. normal X.509 certificate and IdF) ?• Now we manually map the X509 user credentials
with IOTA CA DN on the VOMS ( as alias)• But how to guarantee this DN to be unique?
Open Issues[ii]
04/02/2015WebFTS as a first WLCG/HEP FIM pilot 15
• STS RA for the IOTA CA should use an eduGAIN persistent identifier attribute to ask for a unique DN• Which attributes can be consider persistent and unique
in eduGAIN?• Looks like the eduPersonPrincipalName can be
reassigned according to local policy..• Can we use SAML2 Persistent Identifier ? And are all
eduGAIN IdPs providing it?• What about a combination of attributes?
What we have achieved so far?
• IdF-enabled WebFTS is a working prototype available at https://webfts-dev.cern.ch/• only few testing Storage Elements have IOTA
CA configured
• This is an important step towards “X.509-free” access to Grid resources.
• As said the same technology may be used for other types of services
WebFTS as a first WLCG/HEP FIM pilot 04/02/2015 16