GridShib SAML Tools - Grid Computing at NCSA
Download
Report
Transcript GridShib SAML Tools - Grid Computing at NCSA
Birds-of-a-Feather Session:
Attribute-based Auditing and
Authorization for Science Gateways
TeraGrid 08
Tom Scavo, Jim Basney , Terry Fleury, Von Welch
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
June 11, 2008
http://gridshib.globus.org/
GridShib @ TeraGrid 08
Tutorial: Science Gateways, Security, and GridShib
Mon, 8:00am–12:00pm
Birds-of-a-Feather Session: Attribute-based Auditing
and Authorization for Science Gateways
Wed, 5:30–6:30pm
Poster Session: A Federated Identity Model for
Science Gateways
Wed, 6:30–8:30pm
Science Gateways Working Group Session
Thu, 3:00–4:30pm
http://gridshib.globus.org/
Definition of Terms
Shib != GridShib
http://gridshib.globus.org/
The Science Gateway Use Case
A browser user authenticates to a grid
portal. The portal issues a proxy
certificate and initiates a grid request
on behalf of the user
http://gridshib.globus.org/
Classic Science Gateway
Web Browser
A science gateway is a
convenient intermediary
between a browser user and a
grid resource provider.
Web Interface
Java WS Container
Web
Authn
Webapp
WS GRAM
Client
WS GRAM Service
community
account
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Classic Science Gateway
Each gateway is issued a
community credential that
uniquely identifies the gateway.
Web Browser
Web
Authn
Web Interface
Webapp
Java WS Container
WS GRAM
Client
WS GRAM Service
community
account
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Classic Science Gateway
Resource providers associate
the community credential with a
local community account.
Web Browser
Web
Authn
Web Interface
Webapp
Java WS Container
WS GRAM
Client
WS GRAM Service
community
account
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Classic Science Gateway
Web Browser
To submit a job, a browser user
typically authenticates to the
gateway by presenting a
username and password.
Web Interface
Java WS Container
Web
Authn
Webapp
WS GRAM
Client
WS GRAM Service
community
account
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Classic Science Gateway
Web Browser
The gateway then issues a
short-lived proxy credential
signed by its community
credential.
Web Interface
Java WS Container
Web
Authn
Webapp
WS GRAM
Client
community
credential
proxy
credential
Key
WS GRAM Service
community
account
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Classic Science Gateway
The gateway submits the job on
the user’s behalf, authenticating
as itself to the resource.
Web Browser
Web
Authn
Web Interface
Webapp
Java WS Container
WS GRAM
Client
WS GRAM Service
proxy
certificate
community
credential
community
account
proxy
credential
Key
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Classic Science Gateway
The resource authenticates the
gateway and maps the request
to the community account based
on the identity in the proxy
certificate.
Web Browser
Web
Authn
Web Interface
Webapp
Java WS Container
WS GRAM
Client
WS GRAM Service
proxy
certificate
community
credential
community
account
proxy
credential
Key
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Classic Science Gateway
Web Browser
After the job is executed, the
result is returned to the browser
user via the gateway web
interface.
Web Interface
Java WS Container
Web
Authn
Webapp
WS GRAM
Client
WS GRAM Service
proxy
certificate
community
credential
community
account
proxy
credential
Key
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Community Account Model: The Good
The Community Account Model
simplifies the user experience
simplifies gateway implementation and deployment
simplifies gridmap file management at the RP
A community credential is issued to each
gateway
A single community account is created at the RP
The gateway issues proxy certificates and
makes grid requests on behalf of the user
http://gridshib.globus.org/
Community Account Model: The Bad
The community account model has some
significant drawbacks, however:
End user identity is unknown to the RP
Course-grained access control at the resource (by
design)
Awkward approach to auditing and incident response
In the event of an emergency, the RP is forced to
disable all access to the community account
Less than adequate accounting mechanisms
All this can be traced to a single problem…
http://gridshib.globus.org/
Community Account Model: The Ugly
All requests look exactly the same
to the resource provider!
If the gateway would only pass
the user’s name and contact information
to the resource provider,
all previously mentioned problems would be solved
http://gridshib.globus.org/
Grid Authorization Model
We describe a grid authorization model that significantly
increases the information flow between a science
gateway and a resource provider
Extends the Community Account Model
Asserts end user identity to the RP
Permits fine-grained access control at the RP
Provides strong auditing and effective incident response
Allows dynamic blacklisting of problem accounts or runaway
processes
A lightweight approach that does not require new wire protocols
or extensive new middleware infrastructure
Complements existing SAML-based middleware infrastructure
on today's campuses
http://gridshib.globus.org/
Grid Authorization Model
The proposed model incorporates GridShib
SAML Tools at the gateway and GridShib for
GT at the resource provider
Using GridShib SAML Tools, the gateway
1. issues a SAML assertion containing the user's
authentication context and attributes
2. binds the SAML assertion to a proxy certificate
signed by the community credential
3. authenticates to the resource by presenting the
SAML-laden proxy certificate
http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf
http://gridshib.globus.org/
X.509 Proxy Credential
Issuer: Science Gateway
Subject: Science Gateway+
+
<saml:Assertion>
<saml:NameID>
trscavo
</saml:NameID>
</saml:Assertion>
Key
X.509 Proxy Credential
Issuer: Science Gateway
Subject: Science Gateway+
X509v3 extension:
1.3.6.1.4.1.3536.1.1.1.12:
<saml:Assertion>
<saml:NameID>
trscavo
</saml:NameID>
</saml:Assertion>
Key
http://gridshib.globus.org/
=
GridShib-enabled Science Gateway
A browser user authenticates to
a grid portal. The portal binds a
self-issued SAML assertion to
a proxy certificate and initiates a grid
request on behalf of the user.
http://gridshib.globus.org/
Grid Authorization Model for Gateways
An enhancement to the
community account model
increases the information flow
between the gateway and the
resource provider.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
username
GridShib
SAML Tools
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Grid Authorization Model for Gateways
A software component called
GridShib SAML Tools is
integrated into the gateway
portal environment.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
username
GridShib
SAML Tools
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Grid Authorization Model for Gateways
Another software component
called GridShib for GT is
deployed at the resource
provider.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
username
GridShib
SAML Tools
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Grid Authorization Model for Gateways
These two GridShib software
components produce and
consume Security Assertion
Markup Language (SAML)
tokens.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
username
GridShib
SAML Tools
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Grid Authorization Model for Gateways
Again the browser user
authenticates to the gateway by
presenting a username and
password.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
username
GridShib
SAML Tools
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Grid Authorization Model for Gateways
This time the gateway uses the
GridShib SAML Tools to issue an
X.509-bound SAML token.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
username
GridShib
SAML Tools
SAML
proxy
credential
Key
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Grid Authorization Model for Gateways
The SAML token bound to the
proxy certificate contains the
name of the end user and other
user attributes (e.g., e-mail).
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
username
GridShib
SAML Tools
X.509SAML
Proxy Credential
Issuer:
proxy Science Gateway
Key
Subject:
Gateway+
credential Science
X509v3 extension:
1.3.6.1.4.1.3536.1.1.1.12:
community
credential
Key
Science Gateway
<saml:Assertion>
<saml:NameID>
trscavo
</saml:NameID>
</saml:Assertion>
Key
http://gridshib.globus.org/
Resource Provider
Grid Authorization Model for Gateways
The gateway authenticates as
itself to the resource provider,
presenting the proxy certificate
with bound SAML token.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
SAML
proxy
certificate
username
GridShib
SAML Tools
SAML
proxy
credential
Key
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Grid Authorization Model for Gateways
The GridShib for GT extracts the
SAML token from the proxy
certificate, parses it, and writes
the information to a log file.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
SAML
proxy
certificate
username
GridShib
SAML Tools
SAML
proxy
credential
Key
Logs
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Grid Authorization Model for Gateways
The security information in the
SAML token is also used to
populate a SAML security
context within the container.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
SAML
proxy
certificate
username
GridShib
SAML Tools
Security
Context
SAML
proxy
credential
Key
Logs
community
credential
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Grid Authorization Model for Gateways
The service compares the
information in the security
context to the blacklist, denying
access if any request info is on
the blacklist.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
SAML
proxy
certificate
username
GridShib
SAML Tools
Security
Context
SAML
proxy
credential
Key
Logs
community
credential
Blacklist
Policy
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Grid Authorization Model for Gateways
The service combines the
information in the security
context with its access control
policy, allowing access if and
only if policy is satisfied.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
SAML
proxy
certificate
username
GridShib
SAML Tools
Security
Context
SAML
proxy
credential
Key
Logs
community
credential
Blacklist
Policy
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Authz
Policy
Grid Authorization Model for Gateways
As before, after the service
executes the job, the result is
returned to the browser user via
the gateway web interface.
Web Browser
Web
Authn
Web Interface
attributes
Webapp
Java WS Container
(with GridShib for GT)
WS GRAM
Client
GridShib
for GT
WS GRAM
Service
SAML
proxy
certificate
username
GridShib
SAML Tools
Security
Context
SAML
proxy
credential
Key
Logs
community
credential
Blacklist
Policy
Key
Science Gateway
Resource Provider
http://gridshib.globus.org/
Authz
Policy
GridShib-enabled Science Gateway
Simple installation and configuration of GridShib
SAML Tools at the gateway
Includes GridShib Security Framework
Exposes both a command-line interface and a Java
API
End user identity and contact information (e.g.,
e-mail) transmitted to RP
Push much of the responsibility for auditing and
incident response back onto the RP
Big Advantage: No need to shut down the
entire gateway in the event of an incident!
http://gridshib.globus.org/
User Attributes
Gateway entityID:
https://gridshib.gisolve.org/idp
Subject name identifier:
[email protected]
Authentication statement
authentication method:
urn:oasis:names:tc:SAML:1.0:am:password
authentication instant: 2007-08-02T12:10:34-0400
IP address: 10.81.193.244
Attribute statement
isMemberOf attribute: group://gisolve.org/gisolve
mail attribute: [email protected]
http://gridshib.globus.org/
Configuring GridShib SAML Tools
Some information in the SAML token is static
Each gateway provides a configuration file that
customizes the static content of each token
http://www.teragridforum.org/mediawiki/index.php?title=S
cience_Gateway_Credential_with_Attributes
IdP.entityID=https://gridshib.gisolve.org/idp
NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
NameID.Format.template=%PRINCIPAL%@gisolve.org
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://gisolve.org/gisolve
http://gridshib.globus.org/
JAR Dependencies
Java developers have the following JAR
dependencies
Copy these JARs to WEB-INF/lib
cog-jglobus.jar
commons-codec-1.3.jar
commons-logging.jar
globus-opensaml-1.1.jar
gridshib-common-0_4_2.jar
jce-jdk13-131.jar
log4j-1.2.8.jar
xalan.jar
Endorse!
xercesImpl.jar
xml-apis.jar
xmlsec-1.2.1.jar
http://gridshib.globus.org/
Creating the X.509-bound SAML Token
Other content in the SAML token is dynamic
GridShib SAML Tools provides a Java API that a
gateway developer can use to issue SAML
tokens with dynamic content
http://www.teragridforum.org/mediawiki/index.php?title=S
cience_Gateway_Credential_with_Attributes
GlobusCredential issuingCredential = ...;
GatewayCredential gc = new GatewayCredential("trscavo");
gc.setCredential(issuingCredential);
gc.addEmailAddress("[email protected]");
// compute authnMethod, authnInstant, and ipAddress...
gc.setAuthnContext(authnMethod, authnInstant, ipAddress);
GlobusCredential proxy = gc.issue();
http://gridshib.globus.org/
GridShib-enabled Resource Provider
The end user and the end user’s contact
information (and other attributes) are logged
Effective auditing and incident response
Blacklist an IP address or name identifier on
demand
Exposes a SAML security context
Fine-grained, attribute-based access control
http://gridshib.globus.org/
Discussion Topic #1
Is your gateway infrastructure built on a JEE
portal framework?
If so, which one?
If not, what application server do you use?
http://gridshib.globus.org/
Discussion Topic #2
Is your gateway security framework built on the
community credential model?
If not, describe your security framework.
http://gridshib.globus.org/
Discussion Topic #3
Do you use MyProxy?
If not, is the community credential stored in the
file system?
http://gridshib.globus.org/
Discussion Topic #4
In your application server environment, how
easy is it to obtain the following information:
Username
Authentication instant
IP address
E-mail address
Does your portal framework provide an API to
obtain this information or do you have to query a
database?
http://gridshib.globus.org/
Discussion Topic #5
Does your gateway control its own DNS
domain?
If not, what is the URL of your gateway?
http://gridshib.globus.org/
Summary
Using GridShib SAML Tools, science gateways
send user attributes to resource providers
Using GridShib for GT, resource providers use
these attributes to perform auditing, incident
response, and attribute-based access control
The TeraGrid central database captures
TeraGrid-wide accounting data
http://gridshib.globus.org/
Acknowledgments
GridShib Project PIs
Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
GridShib Developers
Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim
Freeman, Raj Kettimuthu, Tom Scavo
The GridShib work was funded by the NSF National Middleware
Initiative (NMI awards 0438424 and 0438385). Opinions and
recommendations in this paper are those of the authors and do not
necessarily reflect the views of NSF.
The Science Gateway integration work is funded by the NSF
TeraGrid Grid Integration Group through a sub-award to NCSA.
Thank You!
http://gridshib.globus.org/