science gateway - Grid Computing at NCSA


TeraGrid 08
The Third Annual TeraGrid Conference
Las Vegas, NV
June 9–13, 2008
Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
http://gridshib.globus.org/

Tutorial: Science Gateways, Security, and GridShib (TeraGrid 08, June 9, 2008)
Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways (TeraGrid 08, June 11, 2008)
Science Gateways Working Group Session (TeraGrid 08, June 12, 2008)
(Presenters for all three: Tom Scavo, Jim Basney, Terry Fleury, Von Welch, National Center for Supercomputing Applications)

GridShib @ TeraGrid 08
- Tutorial: Science Gateways, Security, and GridShib (Mon, 8:00am–12:00pm)
- Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways (Wed, 5:30–6:30pm)
- Poster Session: A Federated Identity Model for Science Gateways (Wed, 6:30–8:30pm)
- Science Gateways Working Group Session (Thu, 3:00–4:30pm)
Definition of Terms
Shib != GridShib (Shibboleth and GridShib are distinct pieces of software)

Grid Security Infrastructure (GSI)
Grid Authentication
- Traditionally, grid authentication has been via trusted X.509 identity certificates
- GSI relies heavily on X.509 proxy certificates
  - A proxy cert is a short-lived certificate signed by the user's identity certificate
- Multiple GSI authentication mechanisms:
  - GSI Transport (SSL/TLS)
  - GSI Secure Message (WS-Security)
  - GSI Secure Conversation (WS-SecureConversation)

The Classic Grid Use Case
A non-browser user issues a proxy certificate and initiates a grid request on her own behalf.
Issue a Proxy Certificate
(Diagram: grid-proxy-init, or alternatively myproxy-logon, takes the X.509 end entity credential (issuer: Certification Authority; subject: End User) and its key and produces an X.509 proxy credential (issuer: End User; subject: End User+) with its own key.)

Classic GSI
(Diagram: on the GT4 client, the Globus WS Client holds an X.509 proxy credential and key and presents the X.509 proxy certificate to the GT4 server, a Java WS Container running a Globus Web Service that consults a Gridmap.)
Identity-based Access Control
- The distinguished name (DN) in the proxy certificate is used as a basis for coarse-grained access control
- If the subject DN is in an access control list called a gridmap file, access is allowed
- A gridmap file also maps DNs to usernames
  - Associated with each DN are zero or more local usernames
  - GRAM, for example, requires a local account in which to run a job request

Gridmap File
- The gridmap has a flat file format:
  DN → [user_0, user_1, …, user_(n-1)]
  (Diagram: DN1 → username1, DN2 → username2, …)
- The gridmap has dual functions:
  1. Authorization Policy
  2. Username Mapping Policy
- A single gridmap file serves both functions
- Identity-based gridmap files trade off flexibility and scalability for simplicity
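The dual function of the gridmap file, as an added example (not code from the slides or from Globus): a parser for the flat format, plus the authorization lookup and the account mapping it drives. The sample gridmap, its DNs and usernames are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample gridmap (not a real TeraGrid file).  Each line is a quoted
# subject DN followed by zero or more comma-separated local usernames, i.e. the
# flat format the slide describes: DN -> [user_0, ..., user_(n-1)].
SAMPLE_GRIDMAP = '''\
# constructed example gridmap
"/C=US/O=Example Grid/OU=Science/CN=Alice Researcher" alice
"/C=US/O=Example Grid/OU=Science/CN=Bob Builder" bob,bobbuild
"/C=US/O=Example Grid/OU=Gateways/CN=Example Science Gateway" gwcommunity
"/C=US/O=Example Grid/OU=Science/CN=Carol Reader"
'''

_LINE_RE = re.compile(r'^"(?P<dn>[^"]+)"\s*(?P<users>[^#]*)')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {DN: [usernames]}; blank lines and '#' comments are skipped."""
    gridmap: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if match is None:
            raise ValueError(f"gridmap line {lineno}: expected a quoted DN")
        accounts = gridmap.setdefault(match.group("dn"), [])
        # usernames may be separated by commas or whitespace; keep first-seen order
        for user in match.group("users").replace(",", " ").split():
            if user not in accounts:
                accounts.append(user)
    return gridmap


def is_authorized(gridmap: Dict[str, List[str]], identity_dn: str) -> bool:
    """Function 1, authorization policy: access is allowed iff the DN is listed.

    identity_dn is the end-entity DN: GSI strips the proxy certificate's
    appended CN components before this lookup, so a proxy chain signed by
    Alice's certificate is checked under Alice's DN.
    """
    return identity_dn in gridmap


def map_to_account(gridmap: Dict[str, List[str]], identity_dn: str,
                   requested: Optional[str] = None) -> Optional[str]:
    """Function 2, username mapping policy.

    Returns the local account to run under: the first listed one by default,
    or `requested` if the DN is entitled to it.  None means no account is
    available (unlisted DN, or a DN listed with zero usernames), which for
    GRAM means the job cannot run even though the DN passed authorization.
    """
    accounts = gridmap.get(identity_dn, [])
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None
```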
GridShib-enabled GSI

GridShib Project
- The goal of the GridShib Project is to introduce attribute-based authorization to Globus-based grids
- GridShib software allows Globus Toolkit and Shibboleth to interoperate
- Classic GridShib (circa 2004–2005) pulls attributes from a Shibboleth Attribute Service
- The current emphasis is on browser users and attribute push, specifically the TeraGrid Science Gateway Use Case
GridShib Software
- GridShib for GT
  - Consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools. Issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed.
- GridShib for Shibboleth
  - Responds to attribute queries from GridShib for GT.
- GridShib CA
  - Issues short-lived X.509 credentials to browser users.
- GridShib SAML Tools
  - Issues or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates.
GridShib SAML Tools
- The GridShib SAML Tools (GS-ST) are a standalone suite of Java-based client tools
  - Binds a SAML assertion to an X.509 proxy certificate
  - The same X.509-bound SAML token can be transmitted at the transport level or the message level (using the WS-Security X.509 Certificate Token Profile)
- Includes the GridShib Security Framework, a Java API for producing and consuming X.509-bound SAML tokens
- GS-ST is a SAML producer

GS-ST Features
- Easily installed and configured
- Binds arbitrary content (not just SAML) to a non-critical certificate extension
- Multiple output options (SAML, X.509 proxy credential, DER-encoded ASN.1)
- CLI with shell scripts (UNIX and Windows)
- Includes a Java API for portal developers
- Leverages the Globus SAML Library, an enhanced version of OpenSAML 1.1

GS-ST Function
Bind a SAML assertion to a non-critical X.509 v3 certificate extension. We call this an X.509-bound SAML token.
(Diagram: grid-proxy-init takes the X.509 community credential (issuer: TeraGrid CA; subject: Science Gateway) and its key and produces an X.509 proxy credential (issuer: Science Gateway; subject: Science Gateway+) with its key.)

(Diagram: gridshib-saml-issuer takes that X.509 proxy credential and produces an X.509 proxy credential (issuer: Science Gateway; subject: Science Gateway+) with its key, carrying an X509v3 extension under OID 1.3.6.1.4.1.3536.1.1.1.12 whose content is:
<saml:Assertion>
<saml:NameID>trscavo</saml:NameID>
</saml:Assertion>)

X.509-bound SAML Token
- GridShib SAML Tools produces X.509-bound SAML tokens, a new type of security token that enables attribute-based authorization in X.509-based Grids
- The SAML token is bound to a non-critical X.509v3 certificate extension
(Diagram: the X.509 proxy credential above, issuer: Science Gateway, subject: Science Gateway+, with its key and the X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 carrying the <saml:Assertion> with <saml:NameID>trscavo</saml:NameID>.)
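The binding itself, as an added example that is not taken from GS-ST or the Globus code base: a pure-Python DER encoder and decoder for the X509v3 Extension structure that carries the assertion under the OID shown above, together with the consumer-side rule that lets a service which does not understand the extension ignore it. The sample assertion bytes are constructed, and placing the raw XML directly inside the extension's OCTET STRING is this example's assumption about the encoding.

```python
from typing import Optional, Tuple

GRIDSHIB_SAML_OID = "1.3.6.1.4.1.3536.1.1.1.12"   # extension OID from the slides
# Constructed sample assertion; the slides abbreviate it to a NameID.
SAMPLE_ASSERTION = b"<saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>"


def _der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(oid: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs share a byte, base-128 after)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def build_extension(payload: bytes, oid: str = GRIDSHIB_SAML_OID, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.

    Raw assertion bytes inside the OCTET STRING is this example's assumption.
    DER omits a BOOLEAN equal to its DEFAULT, so 'critical' appears only when True.
    """
    body = encode_oid(oid) + (_tlv(0x01, b"\xff") if critical else b"")
    return _tlv(0x30, body + _tlv(0x04, payload))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                      # long form: low bits give the length-of-length
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def parse_extension(der: bytes) -> Tuple[str, bool, bytes]:
    """Return (oid, critical, extnValue) from one DER-encoded Extension."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, content, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    oid, critical = decode_oid(content), False
    tag, content, pos = _read_tlv(seq, pos)
    if tag == 0x01:                       # optional critical flag is present
        critical = content == b"\xff"
        tag, content, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return oid, critical, content


def extract_saml_token(der: bytes) -> Optional[bytes]:
    """Consumer side: the bound assertion if this is the GridShib extension, else None.

    A validator may ignore an unknown extension only when it is non-critical
    (RFC 5280 requires rejecting unknown critical ones), which is why GS-ST
    marks the SAML extension non-critical and a plain GT service can ignore it.
    """
    oid, critical, value = parse_extension(der)
    if oid == GRIDSHIB_SAML_OID:
        return value
    if critical:
        raise ValueError(f"unrecognized critical extension {oid}")
    return None
```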
WS-Security Token Profiles
- OASIS WS-Security Technical Committee
  - WSS X.509 Certificate Token Profile [1]
  - WSS SAML Token Profile
- Globus implements the former
- We define a new token type:
  - X.509-bound SAML Token
- An implementation of [1] automatically handles X.509-bound SAML tokens
- No new wire protocols are needed!

Security Tokens
(Diagram: three SOAP envelopes side by side, each with a SOAP Header and a SOAP Body. X.509 Token: the SOAP Header carries an X.509 certificate. SAML Token: the SOAP Header carries a SAML assertion. X.509-bound SAML Token: the SOAP Header carries an X.509 certificate that itself contains the SAML assertion.)
GridShib-enabled GSI
A non-browser user binds a SAML assertion to a proxy certificate and initiates a grid request on her own behalf.

GridShib for GT
- GridShib for GT (GS4GT) is a plug-in for GT 4.x
- GS4GT is compatible with both GT 4.0 and 4.2
- GS4GT is an implementation of a Grid Service Provider, which is analogous to a Shibboleth Service Provider, but for X.509-based grids
- GS4GT is a SAML consumer
- Used together, GridShib SAML Tools and GridShib for GT enable attribute-based access control in Globus-based grids

GS4GT Features
- Introduces attribute-based authorization into GT
- Exposes a single comprehensive policy decision point called the GridShibPDP
- Implements an attribute push model
- Restricts access based on blacklists of IP addresses and/or name identifiers
- Provides attribute-based account mapping
- Supports optional gridmap short-circuiting
- Defines an attribute-based authorization policy language (in XML)
GridShib-enabled GSI
(Diagram: on the GT4 client, GridShib SAML Tools take the end entity credential and key and produce a SAML proxy credential and key for the Globus WS Client; the client presents the SAML proxy certificate to the GT4 server, a Java WS Container with GridShib for GT, where the GridShib SAML PIP writes Logs and populates a Security Context that the Globus Web Service checks against the Blacklist Policy and the Authz Policy.)
GS4GT Configuration Files
- The SAML Entity Map maps SAML issuers to X.509 issuers
  - A SAML issuer in this file is trusted
  - The SAML Entity Map will be replaced by SAML Metadata (XML)
- A blacklist is a list of identifiers (SAML identifiers or subject DNs)
  - A user whose identifier is on the blacklist will be denied access
  - The flat file blacklist will be replaced by a database table
(Diagram: the GridShib SAML Entity Map, a flat file of lines "entityID1 DN1", "entityID2 DN2", …; the GridShib Blacklist Policy, a flat file of lines "identifier1", "identifier2", ….)

GS4GT Policy Files
(Diagram: the Globus Gridmap file ("DN1 username1", "DN2 username2", …) alongside the GridShib Mapping Policy and the GridShib Authz Policy, both XML.)
- Two separate attribute-based policy files:
  1. Authorization Policy
     [A_0, A_1, …, A_(m-1)]
  2. Username Mapping Policy
     [A_0, A_1, …, A_(m1-1)] → [user_0, user_1, …, user_(n1-1)]
     [A_0, A_1, …, A_(m2-1)] → [user_0, user_1, …, user_(n2-1)]
     …
- A single XML-based policy file may encapsulate both types of policies
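How the GS4GT configuration and policy files combine at decision time, as an added example that is not GS4GT code and does not use its XML policy language: an in-memory stand-in for the blacklist, the gridmap, the authorization policy and the mapping policy, evaluated in the order the slides describe (blacklist, optional gridmap short-circuit, attribute-based authorization, attribute-based account mapping). The policy entries, DNs, IP addresses and the admin group are constructed; the isMemberOf value is the one from the slides.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Attr = Tuple[str, str]   # (attribute name, attribute value)


@dataclass
class SecurityContext:
    """What GridShib for GT populates from the X.509-bound SAML token and the GSI identity."""
    subject_dn: str
    name_id: str
    ip_address: str
    attributes: Set[Attr] = field(default_factory=set)


@dataclass
class Policy:
    """Constructed in-memory stand-in for the GS4GT files (the real policies are XML)."""
    blacklist: Set[str]                                     # name identifiers, subject DNs or IPs
    authz_rules: List[FrozenSet[Attr]]                      # [A_0, ..., A_(m-1)]: any one rule suffices
    mapping_rules: List[Tuple[FrozenSet[Attr], List[str]]]  # [A_0..A_(mi-1)] -> [user_0..user_(ni-1)]
    gridmap: Dict[str, List[str]] = field(default_factory=dict)


def decide(ctx: SecurityContext, policy: Policy,
           gridmap_short_circuit: bool = True) -> Tuple[bool, Optional[str], str]:
    """Return (allowed, local username or None, reason)."""
    # 1. Blacklist: any identifier carried by the request that is listed denies access.
    for ident in (ctx.name_id, ctx.subject_dn, ctx.ip_address):
        if ident in policy.blacklist:
            return False, None, f"blacklisted: {ident}"
    # 2. Optional gridmap short-circuit: an identity-based entry decides outright.
    if gridmap_short_circuit and ctx.subject_dn in policy.gridmap:
        accounts = policy.gridmap[ctx.subject_dn]
        return True, (accounts[0] if accounts else None), "gridmap short-circuit"
    # 3. Authorization policy: the request must carry every attribute of some rule.
    if not any(rule <= ctx.attributes for rule in policy.authz_rules):
        return False, None, "no authorization rule satisfied"
    # 4. Mapping policy: the most specific satisfied rule (largest attribute set) wins.
    satisfied = [(rule, users) for rule, users in policy.mapping_rules if rule <= ctx.attributes]
    if not satisfied:
        return True, None, "authorized but unmapped"   # GRAM still needs a local account
    _, users = max(satisfied, key=lambda ru: len(ru[0]))
    return True, users[0], "attribute mapping"


GISOLVE = ("isMemberOf", "group://gisolve.org/gisolve")   # value from the slides
ADMIN = ("isMemberOf", "group://gisolve.org/admins")      # constructed
SAMPLE_POLICY = Policy(
    blacklist={"mallory@gisolve.org", "192.0.2.10"},       # constructed entries
    authz_rules=[frozenset({GISOLVE})],
    mapping_rules=[(frozenset({GISOLVE}), ["gisolve"]),
                   (frozenset({GISOLVE, ADMIN}), ["gisolve-admin", "gisolve"])],
    gridmap={"/C=US/O=Example/CN=Legacy User": ["legacy"]},  # constructed
)
```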
Summary
- Fine-grained, attribute-based authorization
- Introduces X.509-bound SAML tokens
- Works at both the transport level and the message level
- No modifications to GT clients are required
- If the service is not GridShib-enabled, the X.509-bound SAML token is simply ignored

A Grid Authorization Model for Science Gateways

The Science Gateway Use Case
A browser user authenticates to a grid portal. The portal issues a proxy certificate and initiates a grid request on behalf of the user.
Classic Science Gateway
(Diagram: a Web Browser talks to the Science Gateway's Web Interface (Web Authn, Webapp, WS GRAM Client), which holds the community credential and key and derives a proxy credential and key from it; the WS GRAM Client presents the proxy certificate to the Resource Provider's Java WS Container (WS GRAM Service), which runs the job under the community account.)
1. A science gateway is a convenient intermediary between a browser user and a grid resource provider.
2. Each gateway is issued a community credential that uniquely identifies the gateway.
3. Resource providers associate the community credential with a local community account.
4. To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.
5. The gateway then issues a short-lived proxy credential signed by its community credential.
6. The gateway submits the job on the user's behalf, authenticating as itself to the resource.
7. The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.
8. After the job is executed, the result is returned to the browser user via the gateway web interface.
Community Account Model: The Good
- The Community Account Model
  - simplifies the user experience
  - simplifies gateway implementation and deployment
  - simplifies gridmap file management at the RP
- A community credential is issued to each gateway
- A single community account is created at the RP
- The gateway issues proxy certificates and makes grid requests on behalf of the user

Community Account Model: The Bad
- The community account model has some significant drawbacks, however:
  - End user identity is unknown to the RP
  - Coarse-grained access control at the resource (by design)
  - Awkward approach to auditing and incident response
  - In the event of an emergency, the RP is forced to disable all access to the community account
  - Less than adequate accounting mechanisms
- All this can be traced to a single problem…

Community Account Model: The Ugly
All requests look exactly the same to the resource provider!
If the gateway would only pass the user's name and contact information to the resource provider, all previously mentioned problems would be solved.
Grid Authorization Model
- We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider
  - Extends the Community Account Model
  - Asserts end user identity to the RP
  - Permits fine-grained access control at the RP
  - Provides strong auditing and effective incident response
  - Allows dynamic blacklisting of problem accounts or runaway processes
- A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure
- Complements existing SAML-based middleware infrastructure on today's campuses

Grid Authorization Model
- The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider
- Using GridShib SAML Tools, the gateway
  1. issues a SAML assertion containing the user's authentication context and attributes
  2. binds the SAML assertion to a proxy certificate signed by the community credential
  3. authenticates to the resource by presenting the SAML-laden proxy certificate
http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf
(Diagram: X.509 proxy credential (issuer: Science Gateway; subject: Science Gateway+; key) + <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion> = X.509 proxy credential (issuer: Science Gateway; subject: Science Gateway+; key) with X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 containing that assertion.)

GridShib-enabled Science Gateway
A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.
Grid Authorization Model for Gateways
(Diagram: the Web Browser talks to the Science Gateway's Web Interface (Web Authn, Webapp, WS GRAM Client); the Webapp hands the username and attributes to GridShib SAML Tools, which use the community credential and key to produce a SAML proxy credential and key; the WS GRAM Client presents the SAML proxy certificate to the Resource Provider's Java WS Container (with GridShib for GT), where GridShib for GT writes Logs, populates a Security Context for the WS GRAM Service, and consults the Blacklist Policy and the Authz Policy.)
1. An enhancement to the community account model increases the information flow between the gateway and the resource provider.
2. A software component called GridShib SAML Tools is integrated into the gateway portal environment.
3. Another software component called GridShib for GT is deployed at the resource provider.
4. These two GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.
5. Again the browser user authenticates to the gateway by presenting a username and password.
6. This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token.
7. The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail). (Inset: X.509 proxy credential, issuer: Science Gateway, subject: Science Gateway+, key, with X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 containing <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>.)
8. The gateway authenticates as itself to the resource provider, presenting the proxy certificate with the bound SAML token.
9. GridShib for GT extracts the SAML token from the proxy certificate, parses it, and writes the information to a log file.
10. The security information in the SAML token is also used to populate a SAML security context within the container.
11. The service compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.
12. The service combines the information in the security context with its access control policy, allowing access if and only if policy is satisfied.
13. As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.
GridShib-enabled Science Gateway
- Simple installation and configuration of GridShib SAML Tools at the gateway
  - Includes GridShib Security Framework
  - Exposes both a command-line interface and a Java API
- End user identity and contact information (e.g., e-mail) transmitted to RP
- Pushes much of the responsibility for auditing and incident response back onto the RP
- Big Advantage: No need to shut down the entire gateway in the event of an incident!

User Attributes
- Gateway entityID:
  - https://gridshib.gisolve.org/idp
- Subject name identifier:
  - [email protected]
- Authentication statement
  - authentication method: urn:oasis:names:tc:SAML:1.0:am:password
  - authentication instant: 2007-08-02T12:10:34-0400
  - IP address: 10.81.193.244
- Attribute statement
  - isMemberOf attribute: group://gisolve.org/gisolve
  - mail attribute: [email protected]
Configuring GridShib SAML Tools
- Some information in the SAML token is static
- Each gateway provides a configuration file that customizes the static content of each token
  - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

  IdP.entityID=https://gridshib.gisolve.org/idp
  NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  NameID.Format.template=%PRINCIPAL%@gisolve.org
  Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
  Attribute.isMemberOf.Value=group://gisolve.org/gisolve
JAR Dependencies
- Java developers have the following JAR dependencies
- Copy these JARs to WEB-INF/lib

  cog-jglobus.jar
  commons-codec-1.3.jar
  commons-logging.jar
  globus-opensaml-1.1.jar
  gridshib-common-0_4_2.jar
  jce-jdk13-131.jar
  log4j-1.2.8.jar
  xalan.jar          (Endorse!)
  xercesImpl.jar
  xml-apis.jar
  xmlsec-1.2.1.jar
Creating the X.509-bound SAML Token
- Other content in the SAML token is dynamic
- GridShib SAML Tools provides a Java API that a gateway developer can use to issue SAML tokens with dynamic content
  - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

  // the gateway's community credential signs the proxy
  GlobusCredential issuingCredential = ...;
  // the end user's principal name becomes the SAML subject
  GatewayCredential gc = new GatewayCredential("trscavo");
  gc.setCredential(issuingCredential);
  gc.addEmailAddress("[email protected]");
  // compute authnMethod, authnInstant, and ipAddress...
  gc.setAuthnContext(authnMethod, authnInstant, ipAddress);
  // issue a proxy credential carrying the X.509-bound SAML token
  GlobusCredential proxy = gc.issue();
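The token content built from the static configuration above and the dynamic values of the Java snippet, as an added Python example rather than GS-ST's own Java API: it reads the properties, fills the NameID template, and assembles a SAML 1.1 assertion whose NameIdentifier and attributes an RP can read back. The e-mail address is constructed, and the element layout is this example's reading of SAML 1.1, not necessarily what GS-ST emits byte for byte.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"        # the LDAP 'mail' attribute

# Static configuration, copied from the slide's GS-ST configuration file.
GATEWAY_CONFIG = """\
IdP.entityID=https://gridshib.gisolve.org/idp
NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
NameID.Format.template=%PRINCIPAL%@gisolve.org
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://gisolve.org/gisolve
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties reader: key=value lines, '#' comments, no escapes."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def _q(tag: str) -> str:
    return f"{{{SAML_NS}}}{tag}"


def build_assertion(props: Dict[str, str], principal: str, authn_method: str,
                    authn_instant: str, ip_address: str, email: Optional[str] = None) -> ET.Element:
    """Static content (issuer, NameIdentifier, isMemberOf) from props; the rest is dynamic.

    Layout follows SAML 1.1 (AuthenticationStatement + AttributeStatement); the
    signature and the exact element set GS-ST emits are outside this example.
    """
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(_q("Assertion"), {"MajorVersion": "1", "MinorVersion": "1",
                           "Issuer": props["IdP.entityID"], "IssueInstant": authn_instant})

    def subject() -> ET.Element:
        subj = ET.Element(_q("Subject"))
        nid = ET.SubElement(subj, _q("NameIdentifier"), {"Format": props["NameID.Format"]})
        nid.text = props["NameID.Format.template"].replace("%PRINCIPAL%", principal)
        return subj

    authn = ET.SubElement(assertion, _q("AuthenticationStatement"),
                          {"AuthenticationMethod": authn_method, "AuthenticationInstant": authn_instant})
    authn.append(subject())
    ET.SubElement(authn, _q("SubjectLocality"), {"IPAddress": ip_address})

    attrs = ET.SubElement(assertion, _q("AttributeStatement"))
    attrs.append(subject())
    # Every Attribute.<name>.Name / .Value pair in the config becomes a static attribute.
    names = sorted(k.split(".")[1] for k in props if k.startswith("Attribute.") and k.endswith(".Name"))
    values = [(props[f"Attribute.{n}.Name"], props[f"Attribute.{n}.Value"]) for n in names]
    if email:                      # dynamic, cf. gc.addEmailAddress() on the slide
        values.append((MAIL_OID, email))
    for name, value in values:
        attr = ET.SubElement(attrs, _q("Attribute"), {"AttributeName": name, "AttributeNamespace": SHIB_ATTR_NS})
        ET.SubElement(attr, _q("AttributeValue")).text = value
    return assertion


def to_xml(assertion: ET.Element) -> str:
    return ET.tostring(assertion, encoding="unicode")


def name_id_of(assertion: ET.Element) -> Optional[str]:
    """What the RP reads back first: the subject's NameIdentifier."""
    nid = assertion.find(".//" + _q("NameIdentifier"))
    return None if nid is None else nid.text


def attribute_values(assertion: ET.Element) -> Dict[str, List[str]]:
    """Attribute name -> list of values, as GridShib for GT would log them."""
    out: Dict[str, List[str]] = {}
    for attr in assertion.iter(_q("Attribute")):
        out.setdefault(attr.get("AttributeName", ""), []).extend(
            v.text or "" for v in attr.findall(_q("AttributeValue")))
    return out
```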
GridShib-enabled Resource Provider
- The end user and the end user's contact information (and other attributes) are logged
  - Effective auditing and incident response
- Blacklist an IP address or name identifier on demand
- Exposes a SAML security context
  - Fine-grained, attribute-based access control

Comparison with VOMS
- Virtual Organization Membership Service
  - The most successful grid authorization model today
- VOMS binds X.509 attribute certificates (instead of SAML) to proxy certificates
- VOMS requires the requester to be the subject; VOMS will not issue an AC to a requester acting on behalf of the subject
- Therefore, a gateway cannot call out to a VOMS server to obtain attributes for a user
- Conclusion: VOMS cannot be used as a basis for gateway security
Integration with TeraGrid Central Database
(Diagram: at the Resource Provider, the Java WS Container (with GridShib for GT) hosts the GridShib SAML PIP, which writes Logs and a Security Context for the WS GRAM Service under its Policy; the Security Context is captured in a Security table and job dispositions in a GRAM audit table; an AMIE upload joins the two and pushes the result to the TGCDB.)
1. The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.
2. Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.
3. First, the security context associated with each incoming request is captured in a security table.
4. Likewise the disposition of every job request is captured in an enhanced GRAM audit table.
5. An AMIE process joins these two tables and pushes an information packet to the TeraGrid Central Database.
6. A gateway can query the TGCDB for individual accounting records, permitting fine-grained accounting at the gateway.
7. TeraGrid administrators can query the TGCDB for aggregate accounting data for the purposes of NSF reporting and planning.
Gateway Job Accounting
(Diagram courtesy of Stu Martin: at the TeraGrid Resource Provider (RP), a GT4 Java Container runs Delegation, RFT, Core and GRAM services (MJFS, MEJS, SEG, RM adapter), each with its audit table (Deleg Audit Table, RFT Audit Table, Core Audit Table, GRAM Audit Table); the Client/Gateway creates a job, gets an EPR, controls the job with the EPR and queries using the Grid JID, receiving the accounting record in reply; the Resource Manager runs the user's job(s) and writes the RM log and RM Accounting; OGSA DAI fronts the audit and accounting DBs; local AMIE accounting uploads to the Central TG Accounting DB.)
Annotations on the diagram:
- No changes required to AMIE
- DAI provides virtualization for audit and accounting DBs
- Get unique user ID
- ** Locally convert EPR to Grid JID
Benefits of TGCDB Integration
- The gateway can query the TGCDB (via OGSA-DAI) and implement local, fine-grained accounting mechanisms
- TeraGrid administrators can obtain aggregate accounting data for NSF reporting and planning

TeraGrid Deployment Strategy
1. GridShib SAML Tools at the Gateway
   - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
2. GridShib for GT at the RP
   - Integrate GS4GT into CTSS4
3. Integrate with TeraGrid Central Database
   - Retrofit GRAM 4.0 Audit with end user identity
   - Assist with the design and implementation of GRAM 4.2 Audit (in particular, the security table)

A Federated Identity Model for Science Gateways
Federated Identity
- The long term vision is to introduce federated identity at the science gateway
- Shibboleth, an open-source implementation of the SAML Browser Profiles, provides:
  - Ubiquity
  - Manageability
  - Usability
  - Security
- Since Shibboleth is based on SAML, our model complements existing campus infrastructure
(Diagram: a campus SAML Identity Provider (Web Authn) issues a SAML Assertion to the Web Browser, which presents it to the SAML Service Provider protecting the Science Gateway's Web Interface (Webapp, WS GRAM Client); the Webapp hands the username and attributes to GridShib SAML Tools, which use the community credential and key to produce a SAML+ proxy credential and key; the WS GRAM Client presents the SAML+ proxy certificate to the Resource Provider's Java WS Container (with GridShib for GT), where the GridShib SAML PIP feeds the WS GRAM Service. In the starting picture, before the Identity Provider is introduced, Web Authn sits inside the gateway itself.)
1. It is well-known that password management at the gateway is a significant administrative burden for both the gateway and the end user.
2. To avoid having to manage passwords at the gateway, we propose a federated identity solution on the browser-facing side of the gateway.
3. A third-party Identity Provider on each campus manages user identity and credentials.
4. The gateway, which is protected by a Service Provider, trusts the Identity Provider to authenticate the browser user.
5. Since we're already invested in SAML on the back end, we prefer an implementation of the standard SAML browser profiles (such as Shibboleth).
6. A browser user authenticates to their preferred campus Identity Provider instead of the science gateway.
7. The SAML Identity Provider issues a SAML token that the user transmits to the gateway via the browser.
8. The SAML Service Provider protecting the gateway consumes the SAML token in lieu of a username/password.
9. The gateway issues a combined SAML token containing both campus attributes and local attributes.
10. The gateway authenticates as itself to the resource provider, presenting the combined X.509-bound SAML token.
SAML Identity Provider
SAML
Assertion
Web
Authn
Since the gateway did not
authenticate the end user
directly, the resource provider
must decide if it trusts the
combined SAML token.
Web Browser
SAML
Assertion
SAML Service Provider
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
SAML PIP
WS GRAM
Service
SAML+
proxy
certificate
username
GridShib
SAML Tools
Security
Context
SAML+
proxy
credential
Key
Logs
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
SAML Identity Provider
SAML
Assertion
Web
Authn
In the case of federated identity,
access control policy at the
resource provider is more
complex since a third security
domain is involved.
Web Browser
SAML
Assertion
SAML Service Provider
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
SAML PIP
WS GRAM
Service
SAML+
proxy
certificate
username
GridShib
SAML Tools
Security
Context
SAML+
proxy
credential
Key
Logs
community
credential
Blacklist
Policy
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Authz
Policy
SAML Identity Provider
SAML
Assertion
Web
Authn
SAML Web Browser SSO closes
the loop for complete end-to-end
flow of security information
Web Browser
SAML
Assertion
SAML Service Provider
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
SAML PIP
WS GRAM
Service
SAML+
proxy
certificate
username
GridShib
SAML Tools
Security
Context
SAML+
proxy
credential
Key
Logs
community
credential
Blacklist
Policy
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Authz
Policy
Federated Identity Model for Gateways

[Diagram with labeled steps A through D. Shibboleth Identity Provider: Shibboleth SSO Service and GridShib-enabled Attribute Service, each exchanging a SAML Request and SAML Assertion. TeraGrid Science Gateway: Shib-enabled Grid Portal (receives the SAML Assertion response from the Browser) and GridShib-enabled Grid Client (holds an X.509 SAML proxy credential + Key). GridShib-enabled Grid SP: holds an X.509 end entity credential + Key and receives the X.509 SAML proxy certificate from the Grid Client.]
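The slides above leave the resource provider with one decision to make: whether to trust a combined SAML token that the gateway, not the end user, presented, and how to apply local policy once a third security domain (the campus) is involved. The following is an added example written for this page, not GridShib project code, that models that decision in Python: it parses a constructed SAML 2.0 attribute assertion, checks that the issuer is a trusted gateway and the token is inside its validity window, confirms the campus identity comes from a trusted domain, applies a blacklist keyed on the campus principal, and finally applies a local authorization policy on a gateway-supplied project attribute, logging every outcome for audit. The issuer URL, campus domain, attribute names and project id are all hypothetical; signature and proxy-certificate validation are assumed to have been done earlier by the GSI layer.

```python
"""Resource-provider policy check over a combined SAML attribute assertion.

Added example, not GridShib code. Models the trust and access-control decision a
resource provider makes when a gateway presents a SAML token it issued on behalf
of a browser user authenticated by a campus Identity Provider. Signature and
proxy-certificate checks are assumed to have been done by the GSI layer already.
All issuer, domain, attribute names and project ids are hypothetical.
"""
import logging
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Hypothetical attribute names carried in the combined token.
CAMPUS_PRINCIPAL = "urn:example:campus:eduPersonPrincipalName"   # campus attribute
GATEWAY_PROJECT = "urn:example:gateway:project"                   # local gateway attribute

# Resource-provider policy (constructed values).
TRUSTED_GATEWAYS = {"https://gateway.example.org/sp"}   # gateways allowed to issue tokens
TRUSTED_CAMPUS_DOMAINS = {"campus.example.edu"}          # the third security domain
BLACKLIST = {"mallory@campus.example.edu"}               # incident-response block list
ALLOWED_PROJECTS = {"PROJECT-EXAMPLE"}                   # local authorization policy

# Constructed sample token, as the gateway might issue it after browser SSO.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2008-06-11T17:00:00Z">
  <saml:Issuer>https://gateway.example.org/sp</saml:Issuer>
  <saml:Subject><saml:NameID>gwuser42</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-06-11T17:00:00Z" NotOnOrAfter="2008-06-11T18:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:campus:eduPersonPrincipalName">
      <saml:AttributeValue>alice@campus.example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:gateway:project">
      <saml:AttributeValue>PROJECT-EXAMPLE</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

log = logging.getLogger("rp.audit")


def _ts(value):
    """Parse a SAML UTC timestamp such as 2008-06-11T17:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract issuer, subject, validity window and attributes from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 2.0 Assertion element")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions; refusing to evaluate it")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "attributes": attrs,
    }


def authorize(assertion, now):
    """Return (allowed, reason). Every outcome is logged so the decision is auditable."""
    attrs = assertion["attributes"]
    principal = (attrs.get(CAMPUS_PRINCIPAL) or [None])[0]
    project = (attrs.get(GATEWAY_PROJECT) or [None])[0]

    def decide(allowed, reason):
        log.info("issuer=%s subject=%s principal=%s project=%s allowed=%s reason=%s",
                 assertion["issuer"], assertion["subject"], principal, project, allowed, reason)
        return allowed, reason

    if assertion["issuer"] not in TRUSTED_GATEWAYS:          # trust the issuing gateway?
        return decide(False, "issuer is not a trusted gateway")
    if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
        return decide(False, "assertion outside its validity window")
    if principal is None or "@" not in principal:            # campus identity present?
        return decide(False, "no campus principal in token")
    if principal.rpartition("@")[2] not in TRUSTED_CAMPUS_DOMAINS:
        return decide(False, "campus domain not trusted")
    if principal in BLACKLIST:                               # keyed on campus identity
        return decide(False, "principal is blacklisted")
    if project not in ALLOWED_PROJECTS:                      # local authz policy
        return decide(False, "project not authorized at this resource provider")
    return decide(True, "ok")


def evaluate(xml_text, now_str):
    """Convenience wrapper: parse the token and decide at the given UTC instant."""
    return authorize(parse_assertion(xml_text), _ts(now_str))
```

Calling `evaluate(SAMPLE_ASSERTION, "2008-06-11T17:30:00Z")` returns `(True, "ok")`; the same token evaluated at `18:00:00Z`, or with the principal swapped for the blacklisted one, is refused with the corresponding reason. The blacklist is keyed on the campus principal rather than the gateway's local username on purpose: that is the identity the resource provider can correlate across gateways during incident response, which is the point of carrying the campus attributes through to the back end.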
Birds-of-a-Feather Session
Discussion Topic #1
 Is your gateway infrastructure built on a JEE
portal framework?
 If so, which one?
 If not, what application server do you use?
Discussion Topic #2
 Is your gateway security framework built on the
community credential model?
 If not, describe your security framework.
Discussion Topic #3
 Do you use MyProxy?
 If not, is the community credential stored in the
file system?
Discussion Topic #4
 In your application server environment, how
easy is it to obtain the following information:
 Username
 Authentication instant
 IP address
 E-mail address
 Does your portal framework provide an API to
obtain this information or do you have to query a
database?
Discussion Topic #5
 Does your gateway control its own DNS
domain?
 If not, what is the URL of your gateway?
Summary
 Using GridShib SAML Tools, science gateways
send user attributes to resource providers
 Using GridShib for GT, resource providers use
these attributes to perform auditing, incident
response, and attribute-based access control
 The TeraGrid central database captures
TeraGrid-wide accounting data
Acknowledgments
 GridShib Project PIs
 Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
 GridShib Developers
 Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim
Freeman, Raj Kettimuthu, Tom Scavo
 The GridShib work was funded by the NSF National Middleware
Initiative (NMI awards 0438424 and 0438385). Opinions and
recommendations in this paper are those of the authors and do not
necessarily reflect the views of NSF.
 The Science Gateway integration work is funded by the NSF
TeraGrid Grid Integration Group through a sub-award to NCSA.
Thank You!