GridShib SAML Tools - Grid Computing at NCSA


Birds-of-a-Feather Session:
Attribute-based Auditing and
Authorization for Science Gateways
TeraGrid 08
Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
June 11, 2008
http://gridshib.globus.org/
GridShib @ TeraGrid 08
- Tutorial: Science Gateways, Security, and GridShib (Mon, 8:00am–12:00pm)
- Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways (Wed, 5:30–6:30pm)
- Poster Session: A Federated Identity Model for Science Gateways (Wed, 6:30–8:30pm)
- Science Gateways Working Group Session (Thu, 3:00–4:30pm)
Definition of Terms
Shib != GridShib
The Science Gateway Use Case
A browser user authenticates to a grid portal. The portal issues a proxy certificate and initiates a grid request on behalf of the user.
Classic Science Gateway
[Diagram, repeated on each of the following slides: Web Browser → Science Gateway (Web Authn; Web Interface Webapp; WS GRAM Client; community credential with key; from step 5 on, a proxy credential with its own key) → Resource Provider (Java WS Container; WS GRAM Service; community account; from step 6 on, the presented proxy certificate)]
1. A science gateway is a convenient intermediary between a browser user and a grid resource provider.
2. Each gateway is issued a community credential that uniquely identifies the gateway.
3. Resource providers associate the community credential with a local community account.
4. To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.
5. The gateway then issues a short-lived proxy credential signed by its community credential.
6. The gateway submits the job on the user's behalf, authenticating as itself to the resource.
7. The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.
8. After the job is executed, the result is returned to the browser user via the gateway web interface.
Community Account Model: The Good
- The Community Account Model
  - simplifies the user experience
  - simplifies gateway implementation and deployment
  - simplifies gridmap file management at the RP
- A community credential is issued to each gateway
- A single community account is created at the RP
- The gateway issues proxy certificates and makes grid requests on behalf of the user
Community Account Model: The Bad
- The community account model has some significant drawbacks, however:
  - End user identity is unknown to the RP
  - Coarse-grained access control at the resource (by design)
  - Awkward approach to auditing and incident response
  - In the event of an emergency, the RP is forced to disable all access to the community account
  - Less than adequate accounting mechanisms
- All this can be traced to a single problem…
Community Account Model: The Ugly
All requests look exactly the same to the resource provider!
If the gateway would only pass the user's name and contact information to the resource provider, all previously mentioned problems would be solved.
Grid Authorization Model
- We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider
  - Extends the Community Account Model
  - Asserts end user identity to the RP
  - Permits fine-grained access control at the RP
  - Provides strong auditing and effective incident response
  - Allows dynamic blacklisting of problem accounts or runaway processes
- A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure
- Complements existing SAML-based middleware infrastructure on today's campuses
Grid Authorization Model
- The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider
- Using GridShib SAML Tools, the gateway
  1. issues a SAML assertion containing the user's authentication context and attributes
  2. binds the SAML assertion to a proxy certificate signed by the community credential
  3. authenticates to the resource by presenting the SAML-laden proxy certificate
- http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf
X.509 Proxy Credential
Proxy credential (Issuer: Science Gateway; Subject: Science Gateway+, i.e. the issuer's name with one additional CN component, as for any RFC 3820 proxy certificate; Key)
+
<saml:Assertion>
  <saml:NameID>trscavo</saml:NameID>
</saml:Assertion>
=
X.509 Proxy Credential
Issuer: Science Gateway
Subject: Science Gateway+
X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12:
  <saml:Assertion>
    <saml:NameID>trscavo</saml:NameID>
  </saml:Assertion>
Key
GridShib-enabled Science Gateway
A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.
Grid Authorization Model for Gateways
[Diagram, repeated on each of the following slides: Web Browser → Science Gateway (Web Authn; Web Interface Webapp passes the username and attributes to GridShib SAML Tools; WS GRAM Client; community credential with key; SAML proxy credential with key) → Resource Provider (Java WS Container with GridShib for GT; WS GRAM Service; presented SAML proxy certificate; Logs; Security Context; Blacklist Policy; Authz Policy)]
1. An enhancement to the community account model increases the information flow between the gateway and the resource provider.
2. A software component called GridShib SAML Tools is integrated into the gateway portal environment.
3. Another software component called GridShib for GT is deployed at the resource provider.
4. These two GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.
5. Again the browser user authenticates to the gateway by presenting a username and password.
6. This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token.
7. The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail). (The slide repeats the X.509 Proxy Credential diagram: Issuer: Science Gateway; Subject: Science Gateway+; X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 carrying <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>.)
8. The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token.
9. GridShib for GT extracts the SAML token from the proxy certificate, parses it, and writes the information to a log file.
10. The security information in the SAML token is also used to populate a SAML security context within the container.
11. The service compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.
12. The service combines the information in the security context with its access control policy, allowing access if and only if policy is satisfied.
13. As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.
GridShib-enabled Science Gateway
- Simple installation and configuration of GridShib SAML Tools at the gateway
  - Includes GridShib Security Framework
  - Exposes both a command-line interface and a Java API
- End user identity and contact information (e.g., e-mail) transmitted to RP
- Pushes much of the responsibility for auditing and incident response back onto the RP
- Big Advantage: No need to shut down the entire gateway in the event of an incident!
User Attributes
- Gateway entityID: https://gridshib.gisolve.org/idp
- Subject name identifier: [email protected]
- Authentication statement
  - authentication method: urn:oasis:names:tc:SAML:1.0:am:password
  - authentication instant: 2007-08-02T12:10:34-0400
  - IP address: 10.81.193.244
- Attribute statement
  - isMemberOf attribute: group://gisolve.org/gisolve
  - mail attribute: [email protected]
Configuring GridShib SAML Tools
- Some information in the SAML token is static
- Each gateway provides a configuration file that customizes the static content of each token
- http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
IdP.entityID=https://gridshib.gisolve.org/idp
NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
NameID.Format.template=%PRINCIPAL%@gisolve.org
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://gisolve.org/gisolve
JAR Dependencies
- Java developers have the following JAR dependencies
- Copy these JARs to WEB-INF/lib
cog-jglobus.jar
commons-codec-1.3.jar
commons-logging.jar
globus-opensaml-1.1.jar
gridshib-common-0_4_2.jar
jce-jdk13-131.jar
log4j-1.2.8.jar
xalan.jar
xercesImpl.jar
xml-apis.jar
xmlsec-1.2.1.jar
Endorse! (slide callout on xalan.jar, xercesImpl.jar and xml-apis.jar: these replace the XML parser and XSLT engine bundled with the JRE and therefore go in the JVM's endorsed standards directory via the Java Endorsed Standards Override Mechanism, not only in WEB-INF/lib)
Creating the X.509-bound SAML Token
- Other content in the SAML token is dynamic
- GridShib SAML Tools provides a Java API that a gateway developer can use to issue SAML tokens with dynamic content
- http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
GlobusCredential issuingCredential = ...;  // the gateway's community credential
GatewayCredential gc = new GatewayCredential("trscavo");  // the user's principal name (%PRINCIPAL% in the config template)
gc.setCredential(issuingCredential);
gc.addEmailAddress("[email protected]");
// compute authnMethod, authnInstant, and ipAddress...
gc.setAuthnContext(authnMethod, authnInstant, ipAddress);
GlobusCredential proxy = gc.issue();  // proxy certificate with the SAML assertion bound, signed by the community credential
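The two preceding slides split the token into static content (the configuration file) and dynamic content (the Java API call). The following added example, in Python rather than the Java of GridShib SAML Tools, shows what a gateway actually has to assemble from those two inputs; it is not GridShib code and does not reproduce GridShib's serialization. The key names come from the configuration slide; everything else (the function names parse_config, static_attributes, build_assertion, to_xml; SAML 1.1 element layout, inferred from the SAML 1.x authentication method URI on the User Attributes slide; the Shibboleth 1.x attribute namespace; the urn:oid name of the mail attribute; the 12-hour validity window) is this example's assumption.

```python
"""Assemble the SAML 1.1 assertion a gateway binds to its proxy certificate:
static content from the gateway's properties file, dynamic content per
request.  Added example in Python (standard library only); it is not
GridShib SAML Tools code and does not reproduce GridShib's serialization.
Assumed: SAML 1.1 (the slide's authentication method URI is SAML 1.x), the
Shibboleth 1.x attribute namespace, and the urn:oid name of 'mail'."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}
ET.register_namespace("saml", SAML1_NS)
ATTRIBUTE_NAMESPACE = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
MAIL_ATTRIBUTE_NAME = "urn:oid:0.9.2342.19200300.100.1.3"  # LDAP 'mail', RFC 4524

# Constructed copy of the configuration file shown on the slide.
SAMPLE_CONFIG = """
IdP.entityID=https://gridshib.gisolve.org/idp
NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
NameID.Format.template=%PRINCIPAL%@gisolve.org
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://gisolve.org/gisolve
"""


def parse_config(text):
    """key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed config line: %r" % raw)
        cfg[key.strip()] = value.strip()
    return cfg


def static_attributes(cfg):
    """(AttributeName, value) pairs from Attribute.<label>.Name / .Value keys."""
    by_label = {}
    for key, value in cfg.items():
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "Attribute":
            by_label.setdefault(parts[1], {})[parts[2]] = value
    pairs = []
    for label, fields in sorted(by_label.items()):
        if "Name" not in fields or "Value" not in fields:
            raise ValueError("attribute %s needs both Name and Value" % label)
        pairs.append((fields["Name"], fields["Value"]))
    return pairs


def _el(parent, tag, text=None, **attrib):
    el = ET.SubElement(parent, "{%s}%s" % (SAML1_NS, tag), attrib)
    el.text = text
    return el


def build_assertion(cfg, principal, authn_method, authn_instant, ip_address,
                    email=None, lifetime=timedelta(hours=12), now=None):
    """Return the assertion as an Element.  principal is the user's login
    name at the gateway (substituted for %PRINCIPAL%); authn_method,
    authn_instant, ip_address and email are the per-session dynamic values."""
    now = now or datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    root = ET.Element("{%s}Assertion" % SAML1_NS, {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_" + uuid.uuid4().hex,
        "Issuer": cfg["IdP.entityID"],
        "IssueInstant": now.strftime(fmt),
    })
    # A short validity window limits how long a leaked proxy stays usable.
    _el(root, "Conditions", NotBefore=now.strftime(fmt),
        NotOnOrAfter=(now + lifetime).strftime(fmt))
    name_id = cfg["NameID.Format.template"].replace("%PRINCIPAL%", principal)

    def add_subject(parent):
        _el(_el(parent, "Subject"), "NameIdentifier", name_id,
            Format=cfg["NameID.Format"])

    authn = _el(root, "AuthenticationStatement",
                AuthenticationMethod=authn_method,
                AuthenticationInstant=authn_instant)
    add_subject(authn)
    _el(authn, "SubjectLocality", IPAddress=ip_address)
    attr_stmt = _el(root, "AttributeStatement")
    add_subject(attr_stmt)
    pairs = static_attributes(cfg)
    if email:
        pairs.append((MAIL_ATTRIBUTE_NAME, email))
    for name, value in pairs:
        attr = _el(attr_stmt, "Attribute", AttributeName=name,
                   AttributeNamespace=ATTRIBUTE_NAMESPACE)
        _el(attr, "AttributeValue", value)
    return root


def to_xml(assertion):
    return ET.tostring(assertion, encoding="unicode")
```

The split mirrors the slides: everything the RP will match policy against by gateway (entityID, name identifier format, group membership) is configuration, and everything that identifies this request (who, when, how, from where) is supplied per session. Binding the result into the proxy certificate extension and signing it with the community credential is the step GridShib SAML Tools performs and is not shown here.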
GridShib-enabled Resource Provider
- The end user and the end user's contact information (and other attributes) are logged
  - Effective auditing and incident response
  - Blacklist an IP address or name identifier on demand
- Exposes a SAML security context
  - Fine-grained, attribute-based access control
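The resource-provider half of the model (steps 9 to 12 of the Grid Authorization Model for Gateways slides and the bullets above) is the part worth seeing as code: the token becomes a security context, an audit record, a blacklist decision and an authorization decision. The following is an added Python example, not GridShib for GT, and it deliberately stops short of the X.509 layer: it assumes the caller has already verified the proxy certificate chain back to the gateway's community credential and extracted the assertion from the 1.3.6.1.4.1.3536.1.1.1.12 extension. The sample assertion and policy are constructed (entityID, IP address and group follow the User Attributes slide; the user name, e-mail and timestamps are made up), and the function names security_context, audit_record, saml_time and authorize are this example's own. One check the slides do not spell out is added on purpose: the assertion's issuer must be the entityID registered for the community credential that presented it, otherwise one gateway could assert identities and attributes for another gateway's users.

```python
"""Resource-provider side: build the security context from the SAML token,
write the audit record, apply the blacklist, then the attribute policy.
Added example in Python (standard library only); not GridShib for GT code.
Assumed: the proxy certificate chain is already verified and the assertion
already extracted from the 1.3.6.1.4.1.3536.1.1.1.12 extension; SAML 1.1."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"  # LDAP 'mail', RFC 4524

# Constructed sample: entityID, IP address and group follow the User
# Attributes slide; user name, e-mail address and timestamps are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 MajorVersion="1" MinorVersion="1" AssertionID="_c0ffee"
 Issuer="https://gridshib.gisolve.org/idp" IssueInstant="2007-08-02T16:10:35Z">
 <saml:Conditions NotBefore="2007-08-02T16:10:35Z" NotOnOrAfter="2007-08-03T04:10:35Z"/>
 <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
  AuthenticationInstant="2007-08-02T12:10:34-0400">
  <saml:Subject><saml:NameIdentifier Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">jdoe@gisolve.org</saml:NameIdentifier></saml:Subject>
  <saml:SubjectLocality IPAddress="10.81.193.244"/>
 </saml:AuthenticationStatement>
 <saml:AttributeStatement>
  <saml:Subject><saml:NameIdentifier Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">jdoe@gisolve.org</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
   <saml:AttributeValue>group://gisolve.org/gisolve</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="urn:oid:0.9.2342.19200300.100.1.3" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
   <saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed RP policy: the gateway entityID registered for this community
# credential, the emergency blacklist, and the positive access rule.
SAMPLE_POLICY = {
    "expected_issuer": "https://gridshib.gisolve.org/idp",
    "blacklist_ips": set(),
    "blacklist_users": set(),
    "required_group": "group://gisolve.org/gisolve",
}


def security_context(xml_text):
    """The fields the slides say GridShib for GT logs and exposes to the service."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1_NS:
        raise ValueError("not a SAML 1.x assertion")
    authn = root.find("saml:AuthenticationStatement", NS)
    name_id = None if authn is None else authn.find("saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no authentication statement with a name identifier")
    loc = authn.find("saml:SubjectLocality", NS)
    cond = root.find("saml:Conditions", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs.setdefault(attr.get("AttributeName"), []).extend(
            v.text for v in attr.findall("saml:AttributeValue", NS))
    return {
        "issuer": root.get("Issuer"),
        "name_id": name_id.text,
        "authn_method": authn.get("AuthenticationMethod"),
        "authn_instant": authn.get("AuthenticationInstant"),
        "ip_address": None if loc is None else loc.get("IPAddress"),
        "not_on_or_after": None if cond is None else cond.get("NotOnOrAfter"),
        "attributes": attrs,
    }


def audit_record(ctx, gateway_dn):
    """One key=value log line per request: the incident-response handle the
    community account model lacks (user, client address, authn event)."""
    fields = [("gateway", gateway_dn), ("issuer", ctx["issuer"]),
              ("user", ctx["name_id"]), ("ip", ctx["ip_address"]),
              ("authn", ctx["authn_instant"]),
              ("mail", ",".join(ctx["attributes"].get(MAIL, [])))]
    return " ".join("%s=%s" % kv for kv in fields)


def saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authorize(ctx, policy, now):
    """Return (allowed, reason).  Issuer binding and freshness first, then the
    blacklist (the emergency control), then the positive attribute policy."""
    if ctx["issuer"] != policy["expected_issuer"]:
        return False, "issuer not registered for this community credential"
    if ctx["not_on_or_after"] is None:
        return False, "assertion has no validity period"
    if now >= saml_time(ctx["not_on_or_after"]):
        return False, "assertion expired"
    if ctx["ip_address"] in policy["blacklist_ips"]:
        return False, "client address blacklisted"
    if ctx["name_id"] in policy["blacklist_users"]:
        return False, "name identifier blacklisted"
    if policy["required_group"] not in ctx["attributes"].get(IS_MEMBER_OF, []):
        return False, "required group membership missing"
    return True, "policy satisfied"
```

Blacklisting a single name identifier or client address is what lets the RP respond to an incident without the all-or-nothing step of disabling the community account. Two production caveats: the assertion arrives from the network, so parse it with a hardened XML parser (for example defusedxml) rather than the stock module used here for brevity, and the only reason the RP may trust the unsigned assertion at all is the proxy signature by the community credential, which is why the issuer check against the registered gateway comes before anything else.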
Discussion Topic #1
- Is your gateway infrastructure built on a JEE portal framework?
  - If so, which one?
  - If not, what application server do you use?
Discussion Topic #2
- Is your gateway security framework built on the community credential model?
  - If not, describe your security framework.
Discussion Topic #3
- Do you use MyProxy?
  - If not, is the community credential stored in the file system?
Discussion Topic #4
- In your application server environment, how easy is it to obtain the following information:
  - Username
  - Authentication instant
  - IP address
  - E-mail address
- Does your portal framework provide an API to obtain this information or do you have to query a database?
Discussion Topic #5
- Does your gateway control its own DNS domain?
  - If not, what is the URL of your gateway?
Summary
- Using GridShib SAML Tools, science gateways send user attributes to resource providers
- Using GridShib for GT, resource providers use these attributes to perform auditing, incident response, and attribute-based access control
- The TeraGrid central database captures TeraGrid-wide accounting data
Acknowledgments
- GridShib Project PIs
  - Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
- GridShib Developers
  - Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim Freeman, Raj Kettimuthu, Tom Scavo
- The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.
- The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.
Thank You!