Middleware Support for Virtual Organizations

Internet2 Fall 2006 Member Meeting, Chicago, Illinois

Stephen Langella, langella@bmi.osu.edu
Department of Biomedical Informatics, Ohio State University


National Cancer Institute's 2015 Goal

"Relieve suffering and death due to cancer by the year 2015"

Need: enable investigators to leverage their joint expertise in order to meet the NCI 2015 goal.

Strategy: create a scalable, actively managed organization connecting members of the NCI-supported cancer enterprise by building a Biomedical Informatics Grid.


Cancer Biomedical Informatics Grid (caBIG™)

The cancer Biomedical Informatics Grid (caBIG™) is a voluntary network or grid connecting individuals and institutions to enable the sharing of data and tools, creating a World Wide Web of cancer research. The goal is to speed the delivery of innovative approaches for the prevention and treatment of cancer. The infrastructure and tools created by caBIG™ also have broad utility outside the cancer community.

- National Cancer Institute initiative
- Over 800 participants
- Over 80 organizations
- Over 70 projects


VO Related Security Issues

Identity / user provisioning
- Hundreds of organizations, tens of thousands of users.
- Varying levels of identity management from institution to institution.
- How do we assign identity to users, and how do we provision user accounts?
- Who should assert the identity for a given user?

Trust: how do we decide who to trust?
- Credential providers
- Certificate authorities
- Attribute authorities
- Group authorities
- Other digital signers


VO Related Security Issues (continued)

Authorization
- How do we create, manage, and provision groups of users/services at the grid level, such that we can build access control policy based on group membership?
- How can we share access control policy across the grid?
- How can we leverage institution-maintained attributes?


caGrid

- Grid infrastructure for caBIG
- Focuses on providing middleware for enabling interoperability between caBIG applications
- Open source
- Reusable components

caGrid components:
- Grid service graphical development toolkit (Introduce)
- Metadata / semantic services
- Advertisement and discovery
- Data service infrastructure
- Analytical service infrastructure
- Identifiers
- Workflow
- Security


Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)

GAARDS is the security infrastructure for the Cancer Biomedical Informatics Grid (caBIG™). The GAARDS Security Infrastructure provides services and tools for the administration and enforcement of security policy in an enterprise Grid.

- Developed on top of the Globus Toolkit
- Extends the Grid Security Infrastructure (GSI)
- Provides enterprise services and administrative tools for:
  - Grid user management
  - Identity federation
  - Trust management
  - Group/VO management
  - Access control policy management and enforcement
  - Integration between existing security domains and the grid security domain


GAARDS Services

Dorian: grid user account management
- Integration point between external security domains and the grid.
- Allows accounts managed in external domains to be federated and managed in the grid.
- Allows users to use their existing credentials (external to the grid) to authenticate to the grid.

Grid Trust Service (GTS)
- Creation and management of a federated trust fabric.
- Supports applications and services in deciding whether or not signers of digital credentials/user attributes can be trusted.
- Supports the provisioning of trusted certificate authorities and the corresponding CRLs.

Grid Grouper
- Group management service for the grid.
- Provides a group-based authorization solution for the grid.
- Enforces authorization policy based on membership in groups.

[Figure: GAARDS Security Infrastructure. Authentication: registered trusted identity providers (OSU, Duke, NCI, ...) each front a Dorian instance; a user authenticates locally and obtains grid credentials from Dorian. Grid trust fabric: federated Grid Trust Service (GTS) instances, to which certificate authorities publish certificates and CRLs; grid services consult them to validate credentials and authenticate callers. Authorization: Grid Grouper services (membership lookup) and access control policy in the Common Security Module (CSM), consulted when a grid service is invoked.]


Dorian – Grid User Management

Grid user account management
- Administrative interface for account provisioning and management.
- Built-in certificate authority manages grid credentials for each user.
- Enables users to authenticate and create grid proxies, which they may use to access the grid.

Identity management and federation
- Integration point between external security domains and the grid.
- Users may use existing credentials to obtain a grid proxy: the user authenticates to an IdP, obtains a SAML assertion (proof of authentication), and presents it to Dorian, which then creates a grid proxy.
- Automated account creation and provisioning.

Complete WSRF-compliant grid service
- Can be accessed and administered over the grid.
- Complete administrative UI to manage all aspects of Dorian.

Addresses identity management and user provisioning issues.

[Figure: Dorian federation flow for four users. An OSU user authenticates to the Ohio State University authentication service with a certificate issued by the OSU certificate authority; a Georgetown user uses basic (username/password) authentication; a Duke user uses fingerprint authentication; an unaffiliated user uses the Dorian IdP. In each case: (1) the user presents local credentials to the authentication service, (2) receives a SAML assertion, (3) presents the assertion to Dorian, which holds a trust relationship with that IdP, (4) receives a proxy certificate, and (5) presents the proxy certificate to grid services.]
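The five-step exchange in the figure, written out as an added example in Python; this is not code from the Dorian code base. It assumes HMAC-SHA256 tags in place of SAML signatures and X.509 proxy certificates, an illustrative grid DN layout, and constructed users and passwords; Dorian's built-in IdP for unaffiliated users is not modelled. The point it adds to the slide is what Dorian must refuse: an assertion from an IdP it has no trust relationship with, a tampered assertion, a stale assertion, and a valid assertion for a suspended grid account.

```python
"""Dorian-style identity federation, written as an added example. Assumed
(not from the slides): SAML signatures and the proxy certificate are modelled
as HMAC-SHA256 tags over canonical JSON; the grid DN layout is illustrative."""
import hashlib
import hmac
import json
import time


def sign(key: bytes, payload: dict) -> str:
    """Stand-in for XML-DSig / CA signing: tag a canonical encoding."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, tag: str) -> bool:
    return hmac.compare_digest(sign(key, payload), tag)


class IdentityProvider:
    """Local authentication service that issues SAML-like assertions."""

    def __init__(self, name: str, users: dict):
        self.name = name
        self._users = users                      # constructed: username -> password
        self.key = hashlib.sha256(f"idp-key-{name}".encode()).digest()

    def authenticate(self, username: str, password: str, ttl: int = 300):
        """Steps 1 and 2 of the figure: local login, then a signed assertion."""
        if self._users.get(username) != password:
            raise PermissionError("local authentication failed")
        now = int(time.time())
        assertion = {"issuer": self.name, "subject": username,
                     "not_before": now, "not_on_or_after": now + ttl}
        return assertion, sign(self.key, assertion)


class Dorian:
    """Grid user management: trusted IdPs, account provisioning, proxies."""

    def __init__(self):
        self._idps = {}                          # issuer name -> verification key
        self._accounts = {}                      # grid DN -> account status
        self._ca_key = hashlib.sha256(b"dorian-builtin-ca").digest()

    def register_idp(self, idp: IdentityProvider) -> None:
        """Administrative act that establishes the trust relationship."""
        self._idps[idp.name] = idp.key

    def suspend(self, grid_dn: str) -> None:
        self._accounts[grid_dn] = "suspended"

    def request_proxy(self, assertion: dict, tag: str, lifetime: int = 12 * 3600):
        """Steps 3 and 4: check the assertion, provision if new, issue a proxy."""
        key = self._idps.get(assertion.get("issuer"))
        if key is None:
            raise PermissionError("assertion from an unregistered IdP")
        if not verify(key, assertion, tag):
            raise PermissionError("assertion signature does not verify")
        now = int(time.time())
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            raise PermissionError("assertion outside its validity window")
        # Illustrative DN layout, not Dorian's real naming scheme.
        grid_dn = f"/O=caBIG/OU=Dorian/OU={assertion['issuer']}/CN={assertion['subject']}"
        status = self._accounts.setdefault(grid_dn, "active")   # automated provisioning
        if status != "active":
            raise PermissionError(f"grid account {status}")
        proxy = {"subject": grid_dn, "not_after": now + lifetime}
        return proxy, sign(self._ca_key, proxy)

    def validate_proxy(self, proxy: dict, tag: str) -> bool:
        # Step 5, as seen by a grid service: Dorian's tag and the expiry.
        return verify(self._ca_key, proxy, tag) and time.time() < proxy["not_after"]


def run_flows() -> dict:
    """Happy path plus the requests Dorian must reject; returns the outcomes."""
    osu = IdentityProvider("OSU", {"alice": "correct horse"})
    duke = IdentityProvider("Duke", {"bob": "battery staple"})
    dorian = Dorian()
    dorian.register_idp(osu)                     # Duke is deliberately NOT registered
    assertion, tag = osu.authenticate("alice", "correct horse")
    proxy, ptag = dorian.request_proxy(assertion, tag)
    out = {"osu": dorian.validate_proxy(proxy, ptag), "osu_dn": proxy["subject"]}
    dorian.suspend(proxy["subject"])
    attempts = {
        "suspended": (assertion, tag),
        "unregistered_idp": duke.authenticate("bob", "battery staple"),
        "tampered": (dict(assertion, subject="mallory"), tag),
        "expired": osu.authenticate("alice", "correct horse", ttl=0),
    }
    for label, (a, t) in attempts.items():
        try:
            dorian.request_proxy(a, t)
            out[label] = "issued"
        except PermissionError as exc:
            out[label] = str(exc)
    return out
```

The order of checks in `request_proxy` matters: the issuer is resolved to a registered key before anything is verified, so an assertion from an unknown IdP is refused without ever being trusted for its own claims, and the account status is consulted on every issuance so that suspending a grid account takes effect even while the user's home IdP still vouches for them.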


Grid Trust Service (GTS)

The Grid Trust Service (GTS) is a federated grid infrastructure enabling the provisioning and management of a grid trust fabric.

GTS features
- Provisioning of trust roots: CA certificates and CRLs.
- Administration of trust levels: CAs may be grouped and discovered by the level of trust that is acceptable to the consumer.
- Facilitates the curation of numerous independent trust overlays across the same physical grid.
- Validation service, which allows for the centralized enforcement of certificate verification and validation policies.
- Administrative UI for administering the trust fabric.

[Figure: four trust groups (A, B, C and D) laid over one physical grid as independent trust overlays.]

Addresses Trust Related Issues
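The GTS features listed above, modelled as an added Python example (not the GTS code base): trust roots with CRLs, administrator-assigned trust levels, discovery of the CAs acceptable at a given level, federation by pulling another node's roots and CRLs, and a single validation routine that applies the whole policy. It assumes a certificate is a dict carrying its issuer's fingerprint, serial and expiry, that CAs are keyed by a fingerprint string, and that the level names are "Low", "Medium" and "High"; no X.509 parsing or signature checking is done.

```python
"""Grid Trust Service (GTS) behaviour, written as an added example.

Assumptions (not from the slides): a certificate is a dict carrying its
issuer's fingerprint, serial number and expiry; CAs are keyed by a
fingerprint string; trust levels are an ordered set of labels. No X.509
parsing or signature checking is done here.
"""
import time

TRUST_LEVELS = {"Low": 1, "Medium": 2, "High": 3}   # assumed level names


class GridTrustService:
    """One GTS node: trust roots, their CRLs and their assigned trust levels."""

    def __init__(self):
        self._cas = {}          # fingerprint -> {name, level, not_after, crl}

    def add_trusted_ca(self, fingerprint, name, level, not_after):
        if level not in TRUST_LEVELS:
            raise ValueError(f"unknown trust level {level!r}")
        self._cas[fingerprint] = {"name": name, "level": level,
                                  "not_after": not_after, "crl": set()}

    def publish_crl(self, fingerprint, revoked_serials):
        """CRL provisioning: a CA publishes the serials it has revoked."""
        self._cas[fingerprint]["crl"] = set(revoked_serials)

    def trusted_cas(self, min_level):
        """Discovery: the CAs a consumer requiring min_level may accept."""
        floor = TRUST_LEVELS[min_level]
        return sorted(fp for fp, ca in self._cas.items()
                      if TRUST_LEVELS[ca["level"]] >= floor)

    def sync_from(self, other):
        """Federation: pull another GTS's trust roots and CRLs into this one."""
        for fp, ca in other._cas.items():
            mine = self._cas.setdefault(fp, {**ca, "crl": set()})
            mine["crl"] |= ca["crl"]

    def validate(self, cert, min_level="Medium", now=None):
        """Validation service: one place that applies the whole policy."""
        now = time.time() if now is None else now
        ca = self._cas.get(cert["issuer_fp"])
        if ca is None:
            return False, "issuer is not in the trust fabric"
        if TRUST_LEVELS[ca["level"]] < TRUST_LEVELS[min_level]:
            return False, f"{ca['name']} is trusted at {ca['level']}, {min_level} required"
        if now >= ca["not_after"]:
            return False, "issuing CA certificate has expired"
        if now >= cert["not_after"]:
            return False, "certificate has expired"
        if cert["serial"] in ca["crl"]:
            return False, "certificate serial is on the CA's CRL"
        return True, "valid"


DAY = 86400


def demo(now=1_160_000_000):      # constructed timestamp (October 2006)
    """Two federated GTS nodes; one fabric queried under two trust policies."""
    osu_gts, nci_gts = GridTrustService(), GridTrustService()
    osu_gts.add_trusted_ca("fp-osu-ca", "OSU CA", "Medium", now + 365 * DAY)
    nci_gts.add_trusted_ca("fp-dorian-ca", "Dorian CA", "High", now + 365 * DAY)
    nci_gts.add_trusted_ca("fp-test-ca", "caGrid Test CA", "Low", now + 30 * DAY)
    nci_gts.publish_crl("fp-dorian-ca", {"0x1f"})
    osu_gts.sync_from(nci_gts)                 # OSU now sees NCI's roots and CRLs

    certs = {                                  # constructed sample end-entity certs
        "researcher": {"issuer_fp": "fp-osu-ca", "serial": "0x10", "not_after": now + DAY},
        "revoked": {"issuer_fp": "fp-dorian-ca", "serial": "0x1f", "not_after": now + DAY},
        "test_only": {"issuer_fp": "fp-test-ca", "serial": "0x01", "not_after": now + DAY},
        "unknown_ca": {"issuer_fp": "fp-rogue", "serial": "0x01", "not_after": now + DAY},
        "stale": {"issuer_fp": "fp-osu-ca", "serial": "0x11", "not_after": now - 1},
    }
    results = {name: osu_gts.validate(c, "Medium", now) for name, c in certs.items()}
    results["test_only_lenient"] = osu_gts.validate(certs["test_only"], "Low", now)
    results["high_only"] = osu_gts.trusted_cas("High")
    return results
```

The same fabric yields different answers for the two consumers: a production data service that requires "Medium" rejects the test CA's certificate, while a sandbox service that accepts "Low" admits it. That is the "independent trust overlays across the same physical grid" bullet in code form, and the revoked serial published at NCI is honoured at OSU only because the CRL travelled with the synchronisation.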


Grid Grouper

Grid Grouper provides a group-based authorization solution for the grid.
- Groups are defined and managed at the grid level.
- Grid services/applications enforce authorization policy based on membership in groups.

[Figure: Grid Grouper architecture. The Grid Grouper web/grid service interface fronts the Grouper object model and its Hibernate database of stems and groups; grid applications/services and the Grid Grouper Admin UI reach it through the Grid Grouper object model.]

- Built on top of Grouper, an Internet2 initiative.
- Grid-enables Grouper as a WSRF-compliant web service.
- Grid Grouper object model: a Java API for accessing and managing groups over the grid, similar to Grouper's object model.
- Grid Grouper Admin UI.

Addresses Authorization Related Issues
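How a grid service enforces policy from grid-level groups, as an added Python example (not the Grid Grouper code base, whose API is Java). It assumes Grouper's colon-separated naming (stem:subStem:group) and its rule that a group may itself be a member of another group, both modelled in memory, and uses constructed grid DNs. What it adds to the slide is the part that makes this a VO solution rather than a per-service ACL: a grid-wide group can be composed from institution-managed groups, so a change at the institution propagates to every service that references the grid-wide group, and the nesting must be guarded against cycles.

```python
"""Group-based authorization in the Grid Grouper style, as an added example.
Assumed (not from the slides): Grouper's colon-separated names (stem:sub:group)
and group-of-group membership are modelled in memory; DNs are samples."""


class GridGrouper:
    def __init__(self):
        self._stems = set()
        self._groups = {}       # full name -> {"subjects": set(), "groups": set()}

    def create_stem(self, name):
        parent = name.rpartition(":")[0]
        if parent and parent not in self._stems:
            raise KeyError(f"parent stem {parent!r} does not exist")
        self._stems.add(name)

    def create_group(self, stem, extension):
        if stem not in self._stems:
            raise KeyError(f"stem {stem!r} does not exist")
        full = f"{stem}:{extension}"
        self._groups[full] = {"subjects": set(), "groups": set()}
        return full

    def add_member(self, group, subject_dn):
        self._groups[group]["subjects"].add(subject_dn)

    def remove_member(self, group, subject_dn):
        self._groups[group]["subjects"].discard(subject_dn)

    def _nested_groups(self, group):
        # Every group reachable through group-of-group membership; cycle-safe.
        seen, stack = set(), [group]
        while stack:
            for sub in self._groups[stack.pop()]["groups"]:
                if sub not in seen:
                    seen.add(sub)
                    stack.append(sub)
        return seen

    def add_group_member(self, group, member_group):
        if member_group == group or group in self._nested_groups(member_group):
            raise ValueError("membership would create a cycle")
        self._groups[group]["groups"].add(member_group)

    def effective_members(self, group):
        # Direct subjects plus the subjects of every nested member group.
        members = set(self._groups[group]["subjects"])
        for sub in self._nested_groups(group):
            members |= self._groups[sub]["subjects"]
        return members


class DataService:
    """A grid service whose policy maps each operation to a required group."""

    def __init__(self, grouper, policy):
        self.grouper, self.policy = grouper, policy

    def invoke(self, caller_dn, operation):
        required = self.policy.get(operation)     # membership lookup at call time
        if required is None or caller_dn not in self.grouper.effective_members(required):
            raise PermissionError(f"{caller_dn} may not {operation}")
        return f"{operation}: ok"


ALICE, BOB = "/O=caBIG/OU=OSU/CN=alice", "/O=caBIG/OU=Duke/CN=bob"
CAROL = "/O=caBIG/OU=Duke/CN=carol"          # constructed DNs; carol is in no group


def demo():
    g = GridGrouper()
    for stem in ("caBIG", "caBIG:OSU", "caBIG:Duke", "caBIG:caGrid"):
        g.create_stem(stem)
    osu = g.create_group("caBIG:OSU", "researchers")
    duke = g.create_group("caBIG:Duke", "researchers")
    readers = g.create_group("caBIG:caGrid", "imageReaders")
    admins = g.create_group("caBIG:caGrid", "imageAdmins")
    g.add_member(osu, ALICE)
    g.add_member(duke, BOB)
    g.add_member(admins, ALICE)
    g.add_group_member(readers, osu)        # every OSU researcher may read,
    g.add_group_member(readers, duke)       # and so may every Duke researcher
    svc = DataService(g, {"query": readers, "delete": admins})
    out = {"readers": sorted(g.effective_members(readers))}
    for label, dn, op in [("alice_query", ALICE, "query"), ("bob_query", BOB, "query"),
                          ("bob_delete", BOB, "delete"), ("carol_query", CAROL, "query")]:
        try:
            out[label] = svc.invoke(dn, op)
        except PermissionError:
            out[label] = "denied"
    g.remove_member(osu, ALICE)             # an institution-level change ...
    out["alice_after_removal"] = ALICE in g.effective_members(readers)   # ... propagates
    try:
        g.add_group_member(osu, readers)    # readers already contains osu
        out["cycle"] = "allowed"
    except ValueError:
        out["cycle"] = "rejected"
    return out
```

Alice keeps her `delete` right through direct membership in the admins group but loses `query` the moment OSU drops her from its own researchers group, without any service being reconfigured; that is the property the slide's "groups are defined and managed at the grid level" bullet is after.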


caGrid / GAARDS Status

Release schedule
- Beta release was Summer 2006
- Official release December 15, 2006

Focus on quality
- Automated continuous and nightly builds, and unit, system, and integration testing
- "Quality at a glance" dashboards and an archive of all build and test results

Giving back to the community
- GAARDS is a Globus Incubator project

More information
- caBIG: https://cabig.nci.nih.gov/
- caGrid: http://gforge.nci.nih.gov/projects/cagrid-1-0/
- GAARDS Globus project (information to be posted shortly after release): http://dev.globus.org/wiki/Incubator/GAARDS


GAARDS Team

Ohio State University: Stephen Langella, Shannon Hastings, Scott Oster, David Ervin, Tahsin Kurc, Joel Saltz

NCICB: Avinash Shanbhag

Argonne National Laboratory: Frank Siebenlist

SemanticBits: Joshua Phillips, Vinay Kumar

Booz Allen Hamilton: Arumani Manisundaram


Special Thanks

- caBIG™
- Internet2 Grouper Team
- Tom Barton, University of Chicago
- Frank Manion, Fox Chase


Questions?