Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham

Page 1

Identity Management, PKI and Grids

Jill Gemmill, PhD

University of Alabama at Birmingham

Page 2

Acknowledgments

NSF ANI-0330543 “NMI Enabled Open Source Collaboration Tools for Virtual Organizations” (Jill Gemmill, John-Paul Robinson)

N01-LM-3-3513 Advanced Network Infrastructure for Health & Disaster Management (Orthner, Terndrup, Grimes, Gemmill)

Office of the VPIT and IT Academic Computing

Von Welch, Tom Scavo (NCSA/UIUC); Internet2 MACE and MLIST Working Group members; Serge Aumont, Olivier Salaun (CRU); members of the MACE-MLIST Working Group

Page 3

A little background

UAB has a history of centralized identity management and an early interest in PKI, but today its infrastructure is LDAP-based username/password.

UAB participated in the NMI Testbed, where it met Shibboleth and the Globus Toolkit. What would it take to integrate these tools with applications in a manner useful to research collaborations (i.e., VOs)?

UAB is entering the High-Performance Computing community via faculty acquisitions: an application-focused group and a computing research group.

Page 4

What’s a Virtual Organization?

A set of collaborators bound together by a project of common interest:
• very large-scale science projects, e.g. TeraGrid
• half a dozen or so collaborators in a funded multidisciplinary project
• physicians at 60 cancer centers wanting to share clinical data to increase N or to focus on special sub-populations
• an Internet2 Working Group; a conference planning committee

In general, VO members are from different institutions.

Page 5

About Grid Security Infrastructure (GSI)

Grids (Foster, Kesselman)
Purpose: to support research VOs
Implementation: NMI GRIDS Globus Toolkit

PKI-based security infrastructure using X.509 certificates
• Keys distributed to each end user; client-server, non-web requirements
• Surely global PKI is almost here
• Authorization to be dealt with later

KEY INSIGHT: separation of identity from system-specific account.

Page 6

Grid Authorization

Today, the Globus Toolkit provides identity-based authorization mechanisms:
• Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
• Community Authorization Service (CAS)
• PERMIS and VOMS
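As an added illustration of the grid-mapfile mechanism (example code, not from the deck or from the Globus Toolkit): a small parser for the grid-mapfile format and the DN-to-account lookup a resource performs on it; the file contents, DNs and account names are constructed.

```python
"""Parse a Globus grid-mapfile and resolve a certificate DN to a local account.

Format, one mapping per line: a double-quoted DN, whitespace, then one or more
local user names separated by commas; the first name is the default account.
Lines starting with '#' are comments. The file content below is constructed.
"""
import re

SAMPLE_GRIDMAP = """\
# constructed example grid-mapfile
"/C=US/O=Example Grid/OU=UAB/CN=Jane Researcher" jresearch
"/C=US/O=Example Grid/OU=UIUC/CN=Bob Builder" bbuilder,griduser
"/C=US/O=Example Grid/OU=UAB/CN=Shared Account" griduser
"""

GRIDMAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')

def parse_gridmap(text):
    """Return {dn: [local accounts]}. Malformed lines and DNs listed twice are
    rejected outright rather than silently mapped (a choice made for this example)."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed grid-mapfile entry")
        dn, logins = m.group(1), m.group(2).split(",")
        if dn in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for {dn}")
        mapping[dn] = logins
    return mapping

def map_dn(mapping, dn, requested=None):
    """Resolve an authenticated DN to a local account. With no requested account
    the first (default) login is used; a requested account must be in the list."""
    logins = mapping.get(dn)
    if logins is None:
        return None            # DN authenticated, but no local mapping: access denied
    if requested is None:
        return logins[0]
    return requested if requested in logins else None

# Every grid resource keeps its own copy of this file, so each new collaborator
# means an edit on every resource: the identity-based approach does not scale.
```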

Page 7

Early UAB NMI Testbed work: using pubcookie (web-enabled single sign-on) for grid authentication, similar to UVa.

Components:
• Web-based grid portal (OGCE)
• Web-based CA (PHPKI)
• Secure end-user certificate repository

Details: Robinson, J.-P., Gemmill, J., et al. (2005). Web-Enabled Grid Authentication in a Non-Kerberos Environment. In 6th IEEE/ACM International Workshop on Grid Computing.

Page 8

Central Challenges

Authorization based on VO membership requires:
• Cross-domain authentication (leveraging distributed identity management)
• A “member of VO XYZ” attribute, which is central for access control
• The VO being authoritative for its own membership assignment and roles
• Working for both web and non-web applications

Page 9

What Cross-Domain Security Architectures Exist?

GRIDS: digital certificates (X.509 / PKI)
• Cross-domain trust can be managed scalably through bridged CAs
• Carry only a user identifier (DN)

FEDERATIONS (SAML, Shibboleth, WS-Security)
• Digitally signed security assertions
• Carry identity, AuthN method, and other attributes

Page 10

Don’t Existing Solutions Provide What Is Needed by VOs? (No!)
• Single-domain solutions are inadequate
• End-user certificate distribution and management has proven to be troublesome and non-scalable
• Essential VO (group) membership information is not provided consistently by either one
• Most collaboration tools are accessed by web browser (not client software with a certificate)

Page 11

Observation 1

The size and vast number of VOs make it difficult for administrators to manage the identity of each user in the VO (and VO members don’t want more passwords to remember).

Goal: leverage existing identity management infrastructure. The eduPerson/Shibboleth infrastructure appeared promising for identity management.

Page 12

Observation 2

Identity-based access control methods are inflexible and do not scale.

Goal: use attribute-based access control. Shibboleth, an attribute transport mechanism linked to identity management, appeared promising.

Page 13

Observation 3

The most important attribute for VOs is: “member of VO-XYZ”

Who is authoritative for VO attributes? The enterprise? (No) The VO? (Yes!)

How are VO attributes created? Where are VO attributes stored?
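An added example, not part of the original slides or of GridShib/myVocs, of the attribute-based check that Observations 2 and 3 argue for: the resource decides on “member of VO-XYZ” and a VO role, and only the VO’s own attribute authority is trusted to assert them; the home IdP may claim the same attribute and is ignored for that purpose. The entityIDs, the DN and the attribute names isMemberOf/voRole are constructed for the example.

```python
"""Attribute-based authorization for a grid resource, with the VO as the only
authority for its own membership. All names and values are constructed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class AttributeAssertion:
    issuer: str        # entityID of the asserting authority
    subject: str       # grid DN the attributes are bound to
    attributes: dict = field(default_factory=dict)   # attribute name -> set of values

@dataclass(frozen=True)
class VoPolicy:
    vo: str                               # VO whose membership grants access
    vo_authority: str                     # the only issuer trusted for this VO's attributes
    required_role: Optional[str] = None   # optional role within that VO

def authorize(subject_dn, assertions, policy):
    """Return (allowed, reason). Only assertions issued by the VO's own attribute
    authority count towards membership in that VO; a campus IdP may assert
    affiliation, but it is not authoritative for VO membership or roles."""
    for a in assertions:
        if a.subject != subject_dn or a.issuer != policy.vo_authority:
            continue
        if policy.vo not in a.attributes.get("isMemberOf", set()):
            continue
        if policy.required_role is None:
            return True, f"{a.issuer} asserts membership of {policy.vo}"
        if f"{policy.vo}/{policy.required_role}" in a.attributes.get("voRole", set()):
            return True, f"{a.issuer} asserts role {policy.required_role} in {policy.vo}"
        return False, f"member of {policy.vo} but lacks role {policy.required_role}"
    return False, f"no trusted assertion of membership in {policy.vo}"

# Constructed sample: a home-campus IdP and the VO attribute authority (myVocs role).
HOME_IDP = "https://idp.campus.example.edu/shibboleth"
VO_AA = "https://myvocs.example.org/vo-idp"
DN = "/C=US/O=Example Grid/OU=Campus/CN=Jane Researcher"

SAMPLE_ASSERTIONS = [
    # The campus IdP also claims VO membership, but it is not the authority for it.
    AttributeAssertion(HOME_IDP, DN, {"eduPersonAffiliation": {"faculty"},
                                      "isMemberOf": {"VO-XYZ"}}),
    AttributeAssertion(VO_AA, DN, {"isMemberOf": {"VO-XYZ"},
                                   "voRole": {"VO-XYZ/researcher"}}),
]

if __name__ == "__main__":
    print(authorize(DN, SAMPLE_ASSERTIONS, VoPolicy("VO-XYZ", VO_AA)))
    print(authorize(DN, SAMPLE_ASSERTIONS, VoPolicy("VO-XYZ", VO_AA, "admin")))
    print(authorize(DN, SAMPLE_ASSERTIONS[:1], VoPolicy("VO-XYZ", VO_AA)))
```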

Page 14

myVocs Overview (my Virtual Organization Collaboration System)

myVocs Manages Attributes

Page 15–19

A look inside myVocs (diagram, built up over five slides)

Data model: Users, VOs, VO Members, VO Roles, Attributes.

Components added in turn: a VO Attribute Authority holding Users, VOs, VO Members and VO Roles; VO applications (Mail list, CMS, Wiki, your app), each behind its own VO SP; a VO IdP; all within the “VO Space”; a Shibboleth SP; and external identity providers feeding myVocs: UAB IdP, UIUC IdP, openidp.org IdP, U. Chicago IdP.

Page 20

myVocs Membership Management Tool: Sympa

Mailing lists are central to collaborations:
• Specify a collection of individuals
• Define useful member roles
• Generally autonomous

Sympa mailing list software supports Shibboleth.
Sympa has an excellent web-based user interface.
Sympa developers were active collaborators.

Page 21–34

Shibboleth Drives myVocs (animated diagram, built up over fourteen slides)

Diagram elements: Client Web Browser; CMS (the VO application); Some IdP (shown as openidp.org in later builds); VO Attribs; WAYF; VO SP; VO IdP; ID SP. The builds then group the ID SP, VO IdP and VO Attribs as “myVocs Shib” and the home IdP and WAYF as “Identity Federation Shib”, and finally add “Identity Attributes” (arriving from the home IdP) and “VO Attribs” (supplied by myVocs) to the flow.

Page 35

myVocs automatically provisions:
• Application instances (one set per VO)
• Accounts, based on VO membership and roles

Page 36

What is GridShib?

Authentication: GridShib leverages the existing authentication mechanisms in GT.

GridShib provides attribute-based authorization based on Shibboleth.

GridShib adds attribute-based authorization to the Globus Toolkit.

Page 37

Software Components

GridShib for Globus Toolkit: a plugin for GT 4.0
GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
GridShib CA: a web-based CA for new grid users

Visit the GridShib Downloads page: http://gridshib.globus.org/download.html

Page 38

GridShib CA

The GridShib Certificate Authority is a web-based CA for new grid users: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority

The GridShib CA is protected by a Shib SP and backended by the MyProxy Online CA.

The CA issues short-term credentials suitable for authentication to a Grid SP.

Credentials are downloaded to the desktop via Java Web Start.

Page 39

Results of Integration

Page 40

What we have enabled

Turn-key Grid VO creation through the integration of GridShib and myVocs:
• myVocs is used to create and manage VOs
• GridShib allows myVocs users to create Grid credentials and access Grid resources
• Grid resources obtain attributes from myVocs and allow access based on them

Page 41–45

Integration walk-through (diagram sequence; page 41 has no extractable content)

Page 42: User registers with myVocs (Identity, Auth)

Page 43: VO admin adds user to VO

Page 44: Grid logon (Identity, Auth; Identity, Grid Creds., Grid Id)

Page 45: Grid service invocation (VO Attributes, Grid Creds., Grid Id)

Page 46

Remaining Challenges
• Name binding on a global scale
• Attribute aggregation
• Defining VO membership, roles and attributes
• Group and role management

UAB is currently working on a Shibbolized, GridShib CA-integrated version of the GridSphere Portal (also in Australia).

Page 47

Questions?

For more information:
GridShib: http://gridshib.globus.org/
myVocs: http://www.myvocs.org/
Email: [email protected], [email protected], [email protected], [email protected]