Transcript Delegation
Enabling Grids for E-sciencE
gLite Delegation
Mehran Ahsant, PDC,
Joni Hahkala, HIP on behalf of JRA3
www.eu-egee.org
INFSO-RI-508833
Why Delegation?
Enabling Grids for E-sciencE
• The Grid is becoming more complex, delegation
becomes vital
• Delegation provides Single-Sign-On (SSO)
– Delegation by means of Proxy certificates allows users to
authenticate themselves just once.
– No need for mutual authentication between remote sides and
end-users.
INFSO-RI-508833
Data Key Management, Athens April 21st, 2005
2
Basic Principle
Enabling Grids for E-sciencE
1. Initiate delegation
2. Generate
Pub & priv keys
3. Return public key
4. Sign public key
5. Return signed certificate
6. Use delegated
credentials
INFSO-RI-508833
Data Key Management, Athens April 21st, 2005
3
Delegation Background (EDG)
Enabling Grids for E-sciencE
• G-HTTP(S) delegation
– Performs delegation by means of X509 Proxy certificates
– G-HTTP(S) proposal extends HTTP by adding
methods/headers to HTTP to allow delegation
– GridSite (grst-proxy.cgi) has a G-HTTP(S) implementation
GET-PROXY-REQ
PUT-PROXY
– Real work for the above done by the functions in libgridsite.
INFSO-RI-508833
Data Key Management, Athens April 21st, 2005
4
Web Service portType v.1
Enabling Grids for E-sciencE
•
•
•
•
First try
Straight transformation of G-HTTPS into a WS
WSDL defined
GridSite and Java libraries for implementing a
standalone service or for integrating into a service
INFSO-RI-508833
Data Key Management, Athens April 21st, 2005
5
Interoperability Considerations
Enabling Grids for E-sciencE
• Client and server sides of both GridSite and Java
delegation, need interoperability for a full mesh
interaction.
• Interoperability between gridSite and Java delegation
– Common naming schema.
HashOf(DER encoded DN) | ’-’ | HashOf(DelegationID)
– Common storing mechanism
Configurable location of proxy cache
– Set of utility functions to locate proxies in cache
INFSO-RI-508833
Data Key Management, Athens April 21st, 2005
6
Harmonizing Delegation
Enabling Grids for E-sciencE
• Other projects are experimenting delegation
–
Globus Alliance, EGEE, GridSite, OSG, …
• Creating a common WSDL definition for Delegation in order
to obtain a single set of syntax and semantics of delegation
INFSO-RI-508833
Data Key Management, Athens April 21st, 2005
7
New Approach for Delegation
Enabling Grids for E-sciencE
• New approach
– Describing delegation as a standalone Web Service portType
WS-Trust specification defines a mechanism for credential issuance and
Delegation. We are trying to make use of WS-Trust as much as possible.
– Providing
Ready-to-use library implementations of this portType which can
be integrated to other services
A standalone delegation service
INFSO-RI-508833
Data Key Management, Athens April 21st, 2005
8
Current Situation of Delegation
Enabling Grids for E-sciencE
• A “task force” group was established.
• A Strawman document produced in order to obtain a
consensus on a common delegation interface.
• The idea presented at GGF13 to solicit comments from
Grid community.
– General interest
INFSO-RI-508833
Data Key Management, Athens April 21st, 2005
9
What is next for Delegation?
Enabling Grids for E-sciencE
• Modeling this new approach based on WS-Trust
specification for X.509 proxy certificate delegation.
(is still ongoing)
• Implementing both standalone (C++/Java) libraries and
delegation service of this portType.
INFSO-RI-508833
Data Key Management, Athens April 21st, 2005
10
Questions
Enabling Grids for E-sciencE
Thanks
Questions ?
INFSO-RI-508833
Data Key Management, Athens April 21st, 2005
11