Transcript Delegation

Enabling Grids for E-sciencE
gLite Delegation
Mehran Ahsant, PDC, and Joni Hahkala, HIP, on behalf of JRA3
www.eu-egee.org
INFSO-RI-508833
Why Delegation?
• As the Grid becomes more complex, delegation becomes vital
• Delegation provides Single Sign-On (SSO)
  – Delegation by means of proxy certificates allows users to authenticate themselves just once.
  – No need for mutual authentication between remote sides and end-users.
Data Key Management, Athens April 21st, 2005
Basic Principle
1. Initiate delegation
2. Generate public and private keys
3. Return public key
4. Sign public key
5. Return signed certificate
6. Use delegated credentials
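The six-step exchange above, as an added example that is not part of the slides and not gLite or GridSite code: both sides are simulated in one Python process with the `cryptography` package (assumed to be installed). The function names, the constructed self-signed user certificate standing in for a CA-issued one, and the delegation id are assumptions; the ProxyCertInfo extension encoding follows RFC 3820. Only a certificate request and the signed proxy cross the wire; neither side's private key leaves it.

```python
"""Added example: the six-step proxy delegation exchange, simulated in one
process with the `cryptography` package (assumed installed; not gLite or
GridSite code)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# RFC 3820 ProxyCertInfo extension with the id-ppl-inheritAll policy language,
# hand-encoded as DER: SEQUENCE { SEQUENCE { OID 1.3.6.1.5.5.7.21.1 } }
PROXY_CERT_INFO_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")
INHERIT_ALL_POLICY_DER = bytes.fromhex("300c300a06082b06010505071501")
DER_SPKI = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_user_credential():
    """Constructed stand-in for the user's long-lived certificate. It is
    self-signed so the example runs offline; a real one is CA-issued."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Grid"),
        x509.NameAttribute(NameOID.COMMON_NAME, "Alice"),
    ])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def remote_generate_request(delegation_id):
    """Steps 2 and 3 (remote service): generate a fresh key pair and hand
    back only the public half, wrapped in a PEM certificate request."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, delegation_id)]))
        .sign(key, hashes.SHA256())
    )
    return key, csr.public_bytes(serialization.Encoding.PEM)


def user_sign_proxy(user_key, user_cert, csr_pem, lifetime_hours=12):
    """Step 4 (user side): check the request proves possession of its key,
    then issue a short-lived proxy whose subject is the user's DN plus one
    extra CN, signed with the user's own key (RFC 3820)."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("request is not signed by the key it carries")
    serial = x509.random_serial_number()
    subject = x509.Name(list(user_cert.subject)
                        + [x509.NameAttribute(NameOID.COMMON_NAME, str(serial))])
    proxy = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(user_cert.subject)
        .public_key(csr.public_key())
        .serial_number(serial)
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        # A real issuer also caps this at its own certificate's expiry.
        .not_valid_after(_now() + datetime.timedelta(hours=lifetime_hours))
        .add_extension(x509.UnrecognizedExtension(PROXY_CERT_INFO_OID, INHERIT_ALL_POLICY_DER),
                       critical=True)
        .sign(user_key, hashes.SHA256())
    )
    return proxy.public_bytes(serialization.Encoding.PEM)


def remote_accept_proxy(remote_key, proxy_pem, user_cert):
    """Steps 5 and 6 (remote service): before using the delegated credential,
    check that the proxy carries our key, was really signed by the user, and
    is marked as a proxy certificate."""
    proxy = x509.load_pem_x509_certificate(proxy_pem)
    if proxy.public_key().public_bytes(*DER_SPKI) != remote_key.public_key().public_bytes(*DER_SPKI):
        raise ValueError("proxy does not match our key pair")
    user_cert.public_key().verify(proxy.signature, proxy.tbs_certificate_bytes,
                                  padding.PKCS1v15(), proxy.signature_hash_algorithm)
    ext = proxy.extensions.get_extension_for_oid(PROXY_CERT_INFO_OID)
    if not ext.critical or ext.value.value != INHERIT_ALL_POLICY_DER:
        raise ValueError("missing or unexpected ProxyCertInfo extension")
    return proxy


def run_delegation(delegation_id="job-42"):
    """Step 1 onwards: the whole exchange, in slide order."""
    user_key, user_cert = make_user_credential()
    remote_key, csr_pem = remote_generate_request(delegation_id)
    proxy_pem = user_sign_proxy(user_key, user_cert, csr_pem)
    proxy = remote_accept_proxy(remote_key, proxy_pem, user_cert)
    return user_cert, proxy, remote_key


if __name__ == "__main__":
    user_cert, proxy, _ = run_delegation()
    print("proxy subject:", proxy.subject.rfc4514_string())
    print("issued by    :", proxy.issuer.rfc4514_string())
```

Two checks carry the security weight: the user side refuses to sign a request whose self-signature does not verify, so it never certifies a key the remote side cannot prove it holds, and the remote side refuses a returned proxy that does not match its own key pair or is not signed by the expected user, so a substituted certificate cannot be used in the user's name.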
Delegation Background (EDG)
• G-HTTP(S) delegation
  – Performs delegation by means of X.509 proxy certificates
  – The G-HTTP(S) proposal extends HTTP by adding methods/headers that allow delegation
  – GridSite (grst-proxy.cgi) has a G-HTTP(S) implementation
    ▪ GET-PROXY-REQ
    ▪ PUT-PROXY
  – The real work for the above is done by the functions in libgridsite.
Web Service portType v.1
• First try
• Straight transformation of G-HTTPS into a WS
• WSDL defined
• GridSite and Java libraries for implementing a standalone service or for integrating into a service
Interoperability Considerations
• The client and server sides of both GridSite and Java delegation need to interoperate for a full-mesh interaction.
• Interoperability between GridSite and Java delegation
  – Common naming schema
    ▪ HashOf(DER encoded DN) | '-' | HashOf(DelegationID)
  – Common storing mechanism
    ▪ Configurable location of proxy cache
  – Set of utility functions to locate proxies in cache
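The common naming schema, configurable cache location and locate utilities from the interoperability slide, as an added example that is not GridSite or gLite code, using only the Python standard library. The slides do not say which hash function the two implementations share, so hex SHA-1 digests are an assumption, as are the function names, the constructed DER encoding of the DN "CN=Alice", and the placeholder file content.

```python
"""Added example (not GridSite or gLite code): the shared proxy-cache naming
scheme  HashOf(DER encoded DN) | '-' | HashOf(DelegationID)  implemented with
hex SHA-1 digests (assumed; the slides do not name the hash), plus the utility
functions a service needs to store and locate proxies in a configurable cache."""
import hashlib
import os
import pathlib
import tempfile

# Constructed DER encoding of the distinguished name "CN=Alice":
#   SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String "Alice" } } }
ALICE_DN_DER = bytes.fromhex("3010310e300c06035504030c05416c696365")
# Constructed placeholder content; a real entry holds the proxy certificate
# chain and its private key in PEM.
FAKE_PROXY_PEM = b"-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n"


def hash_hex(data):
    """Assumed hash for both halves of the name: SHA-1 as lowercase hex."""
    return hashlib.sha1(data).hexdigest()


def cache_name(dn_der, delegation_id):
    """Entry name shared by every implementation. Hashing the DER form of the
    DN sidesteps the string-representation differences between libraries."""
    return f"{hash_hex(dn_der)}-{hash_hex(delegation_id.encode('utf-8'))}"


def store_proxy(cache_dir, dn_der, delegation_id, proxy_pem):
    """Write an entry readable by the owner only: the file holds a private key."""
    path = pathlib.Path(cache_dir) / cache_name(dn_der, delegation_id)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(proxy_pem)
    return path


def locate_proxy(cache_dir, dn_der, delegation_id):
    """Return the entry path, or None when nothing was delegated under this id."""
    path = pathlib.Path(cache_dir) / cache_name(dn_der, delegation_id)
    return path if path.is_file() else None


def delegation_ids_for(cache_dir, dn_der):
    """Hashed delegation ids (the part after '-') cached for one DN."""
    prefix = hash_hex(dn_der) + "-"
    return sorted(p.name[len(prefix):] for p in pathlib.Path(cache_dir).iterdir()
                  if p.name.startswith(prefix))


def demo():
    """Store two delegations for Alice in a temporary cache and look them up."""
    with tempfile.TemporaryDirectory() as cache_dir:
        first = store_proxy(cache_dir, ALICE_DN_DER, "job-1", FAKE_PROXY_PEM)
        store_proxy(cache_dir, ALICE_DN_DER, "job-2", FAKE_PROXY_PEM)
        return {
            "name": first.name,
            "mode": oct(first.stat().st_mode & 0o777),
            "found": locate_proxy(cache_dir, ALICE_DN_DER, "job-1") == first,
            "missing": locate_proxy(cache_dir, ALICE_DN_DER, "job-3"),
            "ids": delegation_ids_for(cache_dir, ALICE_DN_DER),
        }


if __name__ == "__main__":
    print(demo())
```

Because the DN half of the name is fixed for a given user, every delegation that user has made to this service shares one prefix, which is what lets a GridSite-side and a Java-side service find each other's entries in the same cache directory.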
Harmonizing Delegation
• Other projects are experimenting with delegation
  – Globus Alliance, EGEE, GridSite, OSG, …
• Creating a common WSDL definition for delegation in order to obtain a single set of syntax and semantics for delegation
New Approach for Delegation
• New approach
  – Describing delegation as a standalone Web Service portType
    ▪ The WS-Trust specification defines a mechanism for credential issuance and delegation. We are trying to make use of WS-Trust as much as possible.
  – Providing
    ▪ Ready-to-use library implementations of this portType which can be integrated into other services
    ▪ A standalone delegation service
Current Situation of Delegation
• A "task force" group was established.
• A strawman document was produced in order to obtain consensus on a common delegation interface.
• The idea was presented at GGF13 to solicit comments from the Grid community.
  – General interest
What is next for Delegation?
• Modeling this new approach on the WS-Trust specification for X.509 proxy certificate delegation (still ongoing).
• Implementing both standalone (C++/Java) libraries and a delegation service for this portType.
Questions
Thanks
Questions?