Advances in Middleware Security
- a Globus perspective
International Grid Trust Federation
PKIs for Grids have now reached world-spanning size.
http://www.gridpma.org
X509 Delegation and Single Sign-on Standardized
RFC 3820 defines format and path validation for Proxy Certificates
Allows for single sign-on and delegation across domains
(Diagram labels: ECC; Single Sign-on; Proxy Delegation; Domain A; Proxy; Service; Domain B)
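As an added illustration (not Globus or RFC 3820 reference code), the following Python models the naming and path-length rules that RFC 3820 path validation applies to a delegation chain; certificates are represented as constructed dicts rather than real X.509 objects, and signatures and validity dates are assumed to have been checked already.

```python
# Added example, not Globus code: a toy model of the RFC 3820 rules that let a
# verifier check a proxy-certificate delegation chain. Certs are plain dicts,
# not real X.509; signatures and validity dates are assumed already checked.
# Fields: subject/issuer = list of (attr, value) RDNs; is_ca = basicConstraints
# cA flag; proxy_info = None for an end-entity cert, else {"path_len": N|None}
# where path_len is pCPathLenConstraint (further proxies allowed below it).

def issue_proxy(issuer_cert, serial, path_len=None):
    """Delegate from issuer_cert: subject is the issuer's subject + one CN."""
    return {"subject": issuer_cert["subject"] + [("CN", str(serial))],
            "issuer": issuer_cert["subject"], "is_ca": False,
            "proxy_info": {"path_len": path_len}}

def check_proxy_chain(chain):
    """Validate [EE cert, proxy_1, ..., proxy_n]; returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    if chain[0]["is_ca"] or chain[0]["proxy_info"] is not None:
        return False, "chain must start with a non-proxy end-entity certificate"
    remaining = None  # proxies still permitted below this cert (None = unlimited)
    for depth in range(1, len(chain)):
        cert, issuer = chain[depth], chain[depth - 1]
        if cert["proxy_info"] is None:
            return False, f"cert {depth}: missing ProxyCertInfo extension"
        if cert["is_ca"]:
            return False, f"cert {depth}: a proxy certificate must not assert cA"
        if cert["issuer"] != issuer["subject"]:
            return False, f"cert {depth}: issuer does not match previous subject"
        # RFC 3820: subject MUST be the issuer name with exactly one CN appended.
        subj = cert["subject"]
        if len(subj) != len(issuer["subject"]) + 1 or subj[:-1] != issuer["subject"] \
                or subj[-1][0] != "CN":
            return False, f"cert {depth}: subject is not issuer name + one CN"
        if remaining is not None and remaining <= 0:
            return False, f"cert {depth}: exceeds an ancestor's pCPathLenConstraint"
        if remaining is not None:
            remaining -= 1
        own = cert["proxy_info"]["path_len"]
        if own is not None and (remaining is None or own < remaining):
            remaining = own
    return True, "ok"

# Constructed sample: alice's EE cert, a proxy for use in Domain A, a sub-proxy
# delegated to a service in Domain B, and one delegation step too many.
ALICE = {"subject": [("O", "Grid"), ("CN", "alice")], "is_ca": False,
         "issuer": [("O", "Grid"), ("CN", "Grid CA")], "proxy_info": None}
PROXY_A = issue_proxy(ALICE, 1001, path_len=1)
PROXY_B = issue_proxy(PROXY_A, 1002)
PROXY_C = issue_proxy(PROXY_B, 1003)
```

The first proxy's pCPathLenConstraint of 1 permits PROXY_B but rejects PROXY_C, which is how a delegator bounds how far a credential may be re-delegated.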
Web Services Security Standards are slowly evolving (Jan ‘04)
(Diagram: WS-* stack on the SOAP foundation: WS-SecureConversation, WS-Federation, WS-Authorization, WS-Policy, WS-Trust, WS-Privacy, WS-Security; legend: in progress, proposed, promised)
Web Services Security Standards are slowly evolving (today)
(Diagram: the same stack with XACML and SAML added: WS-Policy, WS-SecureConversation, WS-Federation, WS-Authorization, XACML, WS-Trust, WS-Privacy, SAML, WS-Security on the SOAP foundation; legend: evolving, in progress, proposed, promised)
Pluggable Authorization
Strong success in developing and deploying interfaces for pluggable authorization.
Designed in collaboration (GGF or “back room”).
Image from Micha Bayer
National Fusion Collaboratory
Image from M. Thompson
Image from OSG
Operational experiences
Security the #1 support errand
Incorrect configuration
Multiple CAs to install
Multiple software layers and distributed systems make error reporting difficult
CRL handling awkward
Periodic pull requests cause high peak loads
Failed updates cause stalled systems
Users, Trojans, and Attacks
15 months ago: SSH attacks
Attack targeted ~/.ssh/
Password and key sniffing software on users’ home PCs
By stealing user keys at one site, they got immediate access to other sites as well
Weak or no password protection
Many people keep their grid keys in ~/.globus/
We learned a lot from this
Incident response
Incident reporting across organizations
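An added defensive check, not from the original talk, that audits the credential files this incident involved for the two weaknesses named above: keys readable by other users and keys stored without passphrase protection. It runs against a constructed temporary home directory laid out like ~/.globus and ~/.ssh.

```python
# Added example, not Globus code: an audit of the user credential files the
# incident above concerned. It flags a private key that is readable by others
# or stored without passphrase encryption. The directory it scans is a
# constructed temporary one laid out like ~/.globus and ~/.ssh.
import os
import stat
import tempfile

def audit_private_key(path):
    """Return a list of findings for one PEM private key (empty list = clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is accessible to group/others")
    with open(path, "rb") as f:
        head = f.read(2048)
    # Legacy PEM keys carry "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use an
    # "ENCRYPTED PRIVATE KEY" header. Anything else is an unprotected key.
    if b"Proc-Type: 4,ENCRYPTED" not in head and b"ENCRYPTED PRIVATE KEY" not in head:
        findings.append(f"{path}: private key is not passphrase protected")
    return findings

def audit_credential_dir(directory, key_names=("userkey.pem", "id_rsa", "id_dsa")):
    """Audit every conventionally named private-key file under directory."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name in key_names:
                findings.extend(audit_private_key(os.path.join(root, name)))
    return findings

def build_sample_home():
    """Constructed sample home: a protected grid key and a world-readable plain
    SSH key. Returns (home, good_key_path, bad_key_path)."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, ".globus"))
    os.makedirs(os.path.join(home, ".ssh"))
    good = os.path.join(home, ".globus", "userkey.pem")
    with open(good, "wb") as f:
        f.write(b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                b"(constructed, encrypted key body)\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(good, 0o600)
    bad = os.path.join(home, ".ssh", "id_rsa")
    with open(bad, "wb") as f:
        f.write(b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"(constructed, unencrypted key body)\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(bad, 0o644)
    return home, good, bad

if __name__ == "__main__":
    home, _good, _bad = build_sample_home()
    for finding in audit_credential_dir(home):
        print(finding)
```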
“This Grid stuff is all too much for me…”
The power of portals
Low learning curve
Can be made domain specific
Can hide “all the X509 stuff” from user
Toolkits for Grid Portals
PURSE, OGCE, GAMA, GridSphere, GridSite, etc.
But, we must also understand the limitations of portals
An 80/20 solution
Power-users easily get annoyed
Difficult for “tinkering-centric” research
Grid Portal Gateways
The Portal accessed through a browser or desktop tools
The Required Support Services
Searchable Metadata catalogs
Information Space Management.
Workflow managers
Resource brokers
Application deployment services
Authorization services.
Technical Approach
Build standard portals to meet the domain requirements of the biology communities
Develop federated databases to be replicated and shared across TeraGrid
Builds on NSF & DOE software
Use NMI Portal Framework, GridPort
NMI Grid Tools: Condor, Globus, etc.
OSG, HEP tools: Clarens, MonaLisa
(Diagram labels: Workflow Composer; Grid Resources)
Slide Credit: Nancy Wilkins-Diehr
OGCE
(Diagram: OGCE Portlets with Container Service API on Apache Jetspeed; Internal Services; Grid Service Stubs; Local Portal Services; Remote Content Services; Java CoG Kit)
Provides Grid authentication and access to services
Provide direct access to TeraGrid hosted applications as services
OGCE Science Portal
(Diagram labels: Grid Protocols; Grid Services; Open Source Tools; HTTP; Remote Content Servers)
MyProxy and LTER Grid
(Diagram labels: LTER Portal; LDAP Username & Password; MyProxy server; Proxy; PAM; LTER LDAP; Grid Services (e.g. Job submission); GridFTP; Creds)
Kerberos-CA: Site Authentication Integration
KCA/Kx509 deployment at FNAL has shown X509 integration with site authentication works well
Alternate to traditional user-managed credentials
(Diagram labels: Kerberos Logon; Kerberos; KCA; X509)
MyProxy 3.0
GridShib (Simplified)
(Diagram labels: SAML; Shibboleth; Attributes; IdP; IDs; DN; callout; SSL/TLS, WS-Security)
GridShib: current status
Beta release since early Sept 2005
Information Provider plugin to Shib 1.3b
Authorization callout to GT4.0.1
Attributes-only for now
GridShib and MyProxy Integration
(Diagram labels: SAML; Shibboleth; Attributes; IdP; IDs; DN; callout; MyProxy w/ online CA; SSL/TLS, WS-Security)
It’s not SAML vs PKI …
Legacy deployments
SAML == Web Browser authentication today
Very short-lived bearer credentials
Lots of redirection in protocol - assumes web browser
SAML seems to be good source of attributes
Used for GGF OGSA-Authz Authorization Interface
GT4’s Use of Security Standards
(Table comparing GT4’s security mechanisms; surviving labels: Supported, but slow; Supported, but insecure; Fastest, so default)
GT-XACML Integration
eXtensible Access Control Markup Language
OASIS standard, open source implementations
XACML: sophisticated policy language
Globus Toolkit ships with XACML runtime
Included in every client and server built on GT
Turned on through configuration
… that can be called transparently from runtime and/or explicitly from application …
… and we use the XACML “model” for our Authz Processing Framework
GT Authorization Framework
(Diagram: attribute sources (VOMS, Shibboleth, LDAP, PERMIS, …) are queried by PIPs; the collected attributes go to the PDP, which produces the authorization decision; GT4 Client; GT4 Server)
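As an added example that is not Globus Toolkit code, this Python sketch models the XACML-style PIP/PDP chain shown in the diagram: constructed VOMS and LDAP stand-ins act as PIPs, and a PDP evaluates a constructed deny-overrides policy over the gathered attributes.

```python
# Added example, not Globus Toolkit code: a toy of the XACML-style processing
# model the GT Authorization Framework is described as following. Several PIPs
# (Policy Information Points) each contribute attributes for the caller; a PDP
# (Policy Decision Point) then evaluates a policy over the merged attributes.
# The attribute sources and the policy are constructed sample data.

def voms_pip(request, attrs):
    """Constructed stand-in for a VOMS callout: VO membership and roles by DN."""
    vo_db = {"/O=Grid/CN=alice": {"vo": "fusion", "roles": {"analyst"}}}
    entry = vo_db.get(request["subject_dn"])
    if entry:
        attrs["vo"] = entry["vo"]
        attrs["roles"].update(entry["roles"])

def ldap_pip(request, attrs):
    """Constructed stand-in for a site LDAP lookup: DN to local account."""
    accounts = {"/O=Grid/CN=alice": "fusion001", "/O=Grid/CN=bob": "guest"}
    if request["subject_dn"] in accounts:
        attrs["local_account"] = accounts[request["subject_dn"]]

def collect_attributes(request, pips):
    """Run every PIP in turn; each adds whatever it knows about the subject."""
    attrs = {"roles": set()}
    for pip in pips:
        pip(request, attrs)
    return attrs

# Policy rules: (effect, predicate). Deny-overrides combining: any matching
# deny rule wins; otherwise a matching permit wins; no match means deny.
POLICY = [
    ("deny",   lambda req, a: "local_account" not in a),
    ("deny",   lambda req, a: req["action"] == "submit" and a.get("vo") != "fusion"),
    ("permit", lambda req, a: req["action"] == "submit" and "analyst" in a["roles"]),
    ("permit", lambda req, a: req["action"] == "query"),
]

def pdp_decide(request, attrs, policy=POLICY):
    """Policy Decision Point: return 'permit' or 'deny' for the request."""
    matched = [effect for effect, pred in policy if pred(request, attrs)]
    if "deny" in matched:
        return "deny"
    return "permit" if "permit" in matched else "deny"

def authorize(request, pips=(voms_pip, ldap_pip)):
    """The server-side chain in miniature: PIPs gather attributes, the PDP decides."""
    return pdp_decide(request, collect_attributes(request, pips))
```

Dropping a PIP from the chain (for example, running without the VOMS stand-in) removes the attributes it would have supplied, so the same request can flip from permit to deny; that is the failure mode to watch for when a callout is misconfigured.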
GT4 WS GRAM
2nd-generation WS implementation optimized for performance, flexibility, stability, scalability
Streamlined critical path
Use only what you need
Leverage SUDO for critical code
Flexible credential management
Credential cache & delegation service
GridFTP & RFT used for data operations
Data staging & streaming output
Eliminates redundant GASS code
GT4 WS GRAM Architecture
(Diagram: service host(s) and compute element(s). The Client delegates to the Delegation service and sends a transfer request to RFT File Transfer; GRAM services in the GT4 Java Container drive the GRAM adapter via sudo for local job control on the compute element; the SEG reports job events; the local scheduler runs the user job; GridFTP carries FTP control and FTP data to and from remote storage element(s))
More user requirements
Installation of special software
Prestaging of datasets
… and updates thereof
Operating additional services
… and updates thereof
… and debugging when they fall over
There is a need for “VO services”
VO services need to be managed
Ensure they don’t consume more resources than allocated
Provide persistency and management functions (start, stop, suspend, resume)
Adhere to site security, auditing, and accounting policies
All that could be done by site admins but it would be favorable to have infrastructure services taking care of that
Example: current gLite CE
Enabling Grids for E-sciencE
(Diagram labels: Infrastructure Services; VO admin; VO Services; Submit job; Grid; GT GRAM; LCAS; LCMAPS; CEMon; WSS; Notifications; Launch; Condor-C; Blahpd; LSF; CE; Condor-C; PBS/Torque; Should evolve into a VO scheduler; Condor; Local batch system)
INFSO-RI-508833
Workspace Service: The Hosted Activity
(Diagram: a Client negotiates access, then initiates, monitors and controls an Activity through the Environment Interface offered by the Resource provider, subject to Policy)
Activities Can Be Nested
(Diagram: Clients nested within Clients, each with its own Policy and Environment Interface, down to the Resource provider)
For Example …
Deploy service
Deploy container
Deploy virtual machine
Deploy hypervisor/OS
Procure hardware
(Diagram: JVMs inside VMs on a Hypervisor/OS on a Physical machine)
Provisioning, management, and monitoring at all levels
The Future
We now have a solid and extremely powerful Web services base
Next, we will build an expanded open source Grid infrastructure
Virtualization
New services for provisioning, data management, security, VO management
End-user tools for application development
Etc., etc.
And of course responding to user requests for other short-term needs
Short-Term Priorities:
Security
Improve GSI error reporting & diagnostics
Trust root provisioning, GridLogon/MyProxy
Identity/attribute assertions in GT auth. callouts (e.g., Shib, PERMIS, VOMS, SAML)
Extend CAS admin & policy support
Security logging with management control for audit purposes
MyProxy integration with Shibboleth
Integration of all the pieces
We’re close…
And for Portals too…
Thank you
Questions?
Von Welch ([email protected])