A Grid Authorization Model for Science Gateways. Tom Scavo, Jim Basney, Terry Fleury, Von Welch. National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign. June 11, 2008


Page 1: A Grid Authorization Model for Science Gateways

A Grid Authorization Model for Science Gateways

Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
June 11, 2008

Page 2: A Grid Authorization Model for Science Gateways

http://gridshib.globus.org/ Slide 2 of 25

Classic Science Gateway

[Diagram: Web Browser (web authn) -> Science Gateway (Web Interface, Webapp, WS GRAM Client) -> Resource Provider (Java WS Container, WS GRAM Service). Key: community credential, community account]

A science gateway is a convenient intermediary between a browser user and a grid resource provider.

Page 3: A Grid Authorization Model for Science Gateways

Classic Science Gateway

[Diagram: classic science gateway, as on slide 2]

Each gateway is issued a community credential that uniquely identifies the gateway.

Page 4: A Grid Authorization Model for Science Gateways

Classic Science Gateway

[Diagram: classic science gateway, as on slide 2]

Resource providers associate the community credential with a local community account.

Page 5: A Grid Authorization Model for Science Gateways

Classic Science Gateway

[Diagram: classic science gateway, as on slide 2]

To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.

Page 6: A Grid Authorization Model for Science Gateways

Classic Science Gateway

[Diagram: as on slide 2, with a new proxy credential at the gateway]

The gateway then issues a short-lived proxy credential signed by its community credential.

Page 7: A Grid Authorization Model for Science Gateways

Classic Science Gateway

[Diagram: as on slide 2, with the proxy credential at the gateway and the proxy certificate presented to the resource provider]

The gateway submits the job on the user’s behalf, authenticating as itself to the resource.

Page 8: A Grid Authorization Model for Science Gateways

Classic Science Gateway

[Diagram: as on slide 2, with the proxy credential at the gateway and the proxy certificate presented to the resource provider]

The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.

Page 9: A Grid Authorization Model for Science Gateways

Classic Science Gateway

[Diagram: as on slide 2, with the proxy credential at the gateway and the proxy certificate presented to the resource provider]

After the job is executed, the result is returned to the browser user via the gateway web interface.

Page 10: A Grid Authorization Model for Science Gateways

Classic Science Gateway

[Diagram: as on slide 2, with the proxy credential at the gateway and the proxy certificate presented to the resource provider]

So what’s wrong with this classic science gateway scenario?

Page 11: A Grid Authorization Model for Science Gateways

Classic Science Gateway

[Diagram: as on slide 2, with two browser users, jsmith and mjones, whose requests both arrive at the resource provider mapped to the same community account, commacct]

All requests look exactly the same to the resource provider!

Page 12: A Grid Authorization Model for Science Gateways

Classic Science Gateway

Resource providers need gateway user information for accounting and incident response.

Page 13: A Grid Authorization Model for Science Gateways

Grid Authorization Model for Gateways

[Diagram: Web Browser (web authn) -> Science Gateway (Web Interface, Webapp, GridShib SAML Tools, WS GRAM Client) -> Resource Provider (Java WS Container with GridShib for GT, WS GRAM Service). Key: community credential; the username and user attributes flow from the webapp to the GridShib SAML Tools]

An enhancement to the community account model increases the information flow between the gateway and the resource provider.

Page 14: A Grid Authorization Model for Science Gateways

Grid Authorization Model for Gateways

[Diagram: GridShib-enhanced gateway, as on slide 13]

Two new GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.

Page 15: A Grid Authorization Model for Science Gateways

Grid Authorization Model for Gateways

[Diagram: GridShib-enhanced gateway, as on slide 13]

Again the browser user authenticates to the gateway by presenting a username and password.

Page 16: A Grid Authorization Model for Science Gateways

Grid Authorization Model for Gateways

[Diagram: as on slide 13, with a proxy credential carrying a SAML token at the gateway]

This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token.

Page 17: A Grid Authorization Model for Science Gateways

Grid Authorization Model for Gateways

[Diagram: as on slide 13, with a proxy credential carrying a SAML token at the gateway, shown in detail below]

X.509 Proxy Credential
  Issuer: Science Gateway
  Subject: Science Gateway+
  X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12:
    <saml:Assertion>
      <saml:NameID>trscavo</saml:NameID>
    </saml:Assertion>

The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail).

Page 18: A Grid Authorization Model for Science Gateways

Grid Authorization Model for Gateways

[Diagram: as on slide 13, with the proxy certificate and its bound SAML token presented to the resource provider]

The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token.

Page 19: A Grid Authorization Model for Science Gateways

Grid Authorization Model for Gateways

[Diagram: as on slide 13, with the proxy certificate and its bound SAML token presented to the resource provider, plus Logs and a Security Context inside GridShib for GT]

GridShib for GT extracts the SAML token from the proxy certificate and writes the information to a log file.

Page 20: A Grid Authorization Model for Science Gateways

Grid Authorization Model for Gateways

[Diagram: as on slide 13, with the proxy certificate and its bound SAML token presented to the resource provider, plus Logs, a Security Context and a Blacklist Policy inside GridShib for GT]

GridShib for GT compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.
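As an added example (not GridShib project code), the following Go program sketches slides 16 through 20 with only the standard library: the gateway signs a short-lived proxy certificate that carries a SAML assertion in the extension OID shown on slide 17, and the resource side extracts the NameID into a security context, logs it, and checks it against a blacklist before mapping the request to the community account. Assumptions not on the slides: the gateway's community credential is self-signed here, the extension value is the raw assertion XML, the assertion contains only the NameID shown on the slide, and the blacklisted user name mallory is constructed (trscavo and commacct are from slides 17 and 11).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/xml"
	"errors"
	"log"
	"math/big"
	"time"
)

// OID of the X.509v3 extension carrying the SAML token (taken from slide 17).
var samlExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3536, 1, 1, 1, 12}

// Assertion mirrors the slide's simplified <saml:Assertion><saml:NameID> (real ones carry more).
type Assertion struct {
	XMLName xml.Name `xml:"Assertion"`
	NameID  string   `xml:"NameID"`
}

type SecurityContext struct{ GatewayDN, User string } // what the resource learns per request

// newCommunityCredential: self-signed stand-in for the gateway's community credential (constructed; real ones are CA-issued).
func newCommunityCredential() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Science Gateway"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueProxy (gateway side) signs a short-lived proxy certificate with the community
// credential: subject = gateway DN plus one extra CN (the slide's "Science Gateway+"),
// SAML assertion naming the end user in the GridShib extension (raw XML is an assumption).
func issueProxy(gw *x509.Certificate, gwKey *ecdsa.PrivateKey, user string) ([]byte, error) {
	proxyKey, errKey := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	saml, errXML := xml.Marshal(Assertion{NameID: user})
	rawSubject, errDN := asn1.Marshal(append(gw.Subject.ToRDNSequence(),
		pkix.RelativeDistinguishedNameSET{{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "proxy"}}))
	if err := errors.Join(errKey, errXML, errDN); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(time.Now().UnixNano()),
		RawSubject:      rawSubject,
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(12 * time.Hour), // short-lived
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: samlExtOID, Value: saml}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, gw, &proxyKey.PublicKey, gwKey)
}

// extractContext (resource side, the job of GridShib for GT) pulls the SAML
// token out of the presented proxy certificate into the security context.
func extractContext(proxyDER []byte) (SecurityContext, error) {
	cert, err := x509.ParseCertificate(proxyDER)
	if err != nil {
		return SecurityContext{}, err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(samlExtOID) {
			var a Assertion
			if err := xml.Unmarshal(ext.Value, &a); err != nil || a.NameID == "" {
				return SecurityContext{}, errors.New("malformed SAML token in proxy certificate")
			}
			return SecurityContext{GatewayDN: cert.Issuer.String(), User: a.NameID}, nil
		}
	}
	return SecurityContext{}, errors.New("no SAML token bound to proxy certificate")
}

// authorize still maps the request to the community account, but only after
// the end user passes the blacklist, and it logs the user with every decision.
func authorize(ctx SecurityContext, communityAccount string, blacklist map[string]bool) (string, error) {
	if blacklist[ctx.User] {
		log.Printf("DENY gateway=%q user=%q reason=blacklist", ctx.GatewayDN, ctx.User)
		return "", errors.New("user on blacklist: " + ctx.User)
	}
	log.Printf("ALLOW gateway=%q user=%q account=%s", ctx.GatewayDN, ctx.User, communityAccount)
	return communityAccount, nil
}
```

Run it from a caller or test: create the credential with newCommunityCredential, call issueProxy with the user name, then feed the DER bytes to extractContext and the resulting context to authorize. The resource still authenticates only the gateway (the proxy's issuer), but every log line and every deny now names the end user, which is exactly the information slide 12 says resource providers lack in the classic model. No chain validation is done here; a deployment would also verify the proxy chain and the assertion's signature before trusting the NameID.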

Page 21: A Grid Authorization Model for Science Gateways

Grid Authorization Model for Gateways

[Diagram: as on slide 13, with the proxy certificate and its bound SAML token presented to the resource provider, plus Logs, a Security Context and a Blacklist Policy inside GridShib for GT]

As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.

Page 22: A Grid Authorization Model for Science Gateways

Grid Authorization Model for Gateways

[Diagram: the complete GridShib-enhanced picture, as on slide 21: Web Browser -> Science Gateway (Web Interface, Webapp, GridShib SAML Tools, WS GRAM Client, community credential, proxy certificate with bound SAML token) -> Resource Provider (Java WS Container with GridShib for GT, WS GRAM Service, Logs, Security Context, Blacklist Policy)]

Page 23: A Grid Authorization Model for Science Gateways

Integration with TeraGrid Central Database

[Diagram: Resource Provider (GridShib for GT, WS GRAM Service, Logs, Security Context, Blacklist Policy) -> AMIE upload -> TGCDB (Security table, GRAM audit table)]

The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.

Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.

Page 24: A Grid Authorization Model for Science Gateways


Summary

Using GridShib SAML Tools, science gateways send user attributes to resource providers

Using GridShib for GT, resource providers use these attributes to perform auditing, incident response, and attribute-based access control

The TeraGrid central database captures TeraGrid-wide accounting data

Page 25: A Grid Authorization Model for Science Gateways

Acknowledgments

GridShib Project PIs: Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist

GridShib Developers: Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim Freeman, Raj Kettimuthu, Tom Scavo

The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.

The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.

Thank You!