myVocs and GridShib: Integrated VO Management Jill Gemmill, John-Paul Robinson University of Alabama at Birmingham Tom Scavo, Von Welch National Center for Supercomputing Applications.
Download
Report
Transcript myVocs and GridShib: Integrated VO Management Jill Gemmill, John-Paul Robinson University of Alabama at Birmingham Tom Scavo, Von Welch National Center for Supercomputing Applications.
myVocs and GridShib:
Integrated VO Management
Jill Gemmill, John-Paul Robinson
University of Alabama at Birmingham
Tom Scavo, Von Welch
National Center for Supercomputing Applications
Outline
• Introduction: What are we trying to do,
and why?
• myVocs Overview
• GridShib Overview
• myVocs-GridShib Integration
• Q&A
Acknowledgments
• myVocs and GridShib are funded by the NSF National
Middleware Initiative (NMI awards 0330543, 0438424 and
0438385).
• Opinions and recommendations are those of the authors and do
not necessarily reflect the views of the National Science
Foundation.
• We would also like to thank:
– Serge Aumont, Olivier Salaun (CRU)
–
–
–
–
Nate Klingenstein
Tom Barton
Tim Freeman
Raj Kettimuthu
What’s a Virtual Organization?
• A set of collaborators bound together by a
project of common interest
– very large scale science projects eg: Teragrid
– Half a dozen or so collaborators in a funded
multidisciplinary project
– Physicians at 60 cancer centers wanting to share
clinical data to increase N or focus on special subpopulations
– An Internet2 Working Group; a conference planning
committee.
• In general, VO members are from different
institutions
VO Requirements
• Ideally, VO resource access would use
cross-domain SSO
• What architecture can support this
requirement?
– For myVocs: web-based applications
– For grids: app’s that use grid certificates
What Cross-Domain Security
Architectures Exist?
• GRIDS
– Digital Certificates (X.509 / PKI)
– Cross-domain trust can be managed scalably thru
Bridged CA’s
– Carry only a user identifier (DN)
• FEDERATIONS (SAML, Shibboleth, WSSecurity)
– Digitally signed security assertions
– Carry Identity, AuthN method, other attributes
Don’t Existing Solutions Provide
What Is Needed by VO’s? (No!)
• Single Domain solutions inadequate
• End-user certificate distribution and
management has proven to be troublesome
and non-scalable
• Essential VO (Group) Membership
information not provided consistently by
either one
• Most collaboration tools accessed by web
browser (not client software w. certificate)
What does Shibboleth bring to
the table?
• A large (and growing) installed base
• A standards-based, open source
implementation
• Working SAML 1.1 code
• A standard attribute vocabulary
(eduPerson)
• A well-developed, federated identity
management infrastructure has sprung
up around Shibboleth
Motivation 1
• The size and vast number of VOs
makes it difficult for administrators to
manage the identity of each user in the
VO (and VO members don’t want more
passwords to remember)
– Goal: Leverage existing identity
management infrastructure
• eduPerson/Shibboleth infrastructure
appeared promising for identity
management
Motivation 2
• Identity-based access control
methods are inflexible and do not
scale
– Goal: Use attribute-based access
control
• Shibboleth, an attribute transport
mechanism linked to identity
management, appeared promising
Motivation 3
• The most important attribute for VOs is:
“member of VO-XYZ”
• Who is authoritative for VO attributes?
– The enterprise? (No)
– The VO? (Yes!)
• How are VO attributes created?
• Where are VO attributes stored?
myVocs Overview
A brief introduction to the
myVocs system environment
myVocs Manages Attributes
This point is central to myVocs
(and deserves a slide of its own)
Virtual Organization Aspects
• Virtual Organizations are Collections of
Attributes
• Virtual Organizations are Collaborations
Manifest
• Virtual Organizations cross Institutional
Boundaries
• Virtual Organizations are Autonomous
Virtual Organization Realities
• Lighten their load and use trusted
attributes
• Resist complication of inconsistent
policies
• Influence poor so little hope for attribute
sponsors
• They are a lot like real organizations
myVocs Supports VOs
myVocs lets you
create and manage VOs
and
supplies key collaboration tools to the
members of the VO
A Look Inside myVocs
Attributes
Users
VOs
VO
Members
VO
Roles
A Look Inside myVocs
Attributes
Users
App1
App
App2
VOs
VO
Membe
rs
App3
VO
Roles
AppN
A Look Inside myVocs
Attributes
Users
Mail
App
List
Wiki
VOs
VO
Membe
rs
CMS
VO
Roles
Your
App
A Look Inside myVocs
Attributes
Users
VOs
VO
Membe
rs
VO
Roles
Shibboleth IdP
Mail
App
List
Shib SP
Shib SP
Wiki
CMS
Shib SP
Your
App
A Look Inside myVocs
Attributes
Users
Lists
List
Membe
rs
List
Roles
Shibboleth IdP
Mail
App
List
Shib SP
Shib SP
Wiki
CMS
Shib SP
Your
App
Why myVocs Uses Sympa
• Mailing lists are central to Collaborations
• Specify a collection of individuals
• Define useful member roles
• Generally autonomous
• Sympa mailing list software supports
Shibboleth
• Sympa developers were active
collaborators
Why myVocs Uses Sympa
Simply by creating and managing
mailing lists
with a familiar web interface
the end user can manage VOs
their membership
and privileges
A Look Inside myVocs
Sympa
Users
Lists
List
Membe
rs
List
Roles
Shibboleth IdP
Mail
App
List
Shib SP
Shib SP
Wiki
CMS
Shib SP
Your
App
A Look Inside myVocs
Sympa
Users
Lists
List
Membe
rs
List
Roles
Shibboleth IdP
Mail
App
List
Shib SP
Shib SP
Wiki
CMS
Shib SP
Your
App
A Look Inside myVocs
Sympa
Users
Lists
List
Membe
rs
List
Roles
Shibboleth IdP
Shib SP
Mail
App
List
Shib SP
Shib SP
Wiki
CMS
Shib SP
Your
App
A Look Inside myVocs
VO Attribute Authority
Users
Lists
List
Membe
rs
List
Roles
Shibboleth IdP
Shib SP
Mail
App
List
Shib SP
Shib SP
Wiki
CMS
Shib SP
Your
App
A Look Inside myVocs
VO Attribute Authority
Users
VOs
VO
Membe
rs
VO
Roles
Shibboleth IdP
Shib SP
Mail
App
List
Shib SP
Shib SP
Wiki
CMS
Shib SP
Your
App
A Look Inside myVocs
VO Attribute Authority
Users
VOs
VO
Membe
rs
VO
Roles
VO IdP
Shib SP
Mail
App
List
Shib SP
Shib SP
Wiki
CMS
Shib SP
Your
App
A Look Inside myVocs
VO Attribute Authority
Users
VOs
VO
Membe
rs
VO
Roles
VO IdP
VO SP
Mail
App
List
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
A Look Inside myVocs
VO Attribute Authority
VO IdP
VO SP
Mail
App
List
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
A Look Inside myVocs
VO Attribute Authority
VO IdP
VO SP
Mail
App
List
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
A Look Inside myVocs
VO Attribute Authority
VO Space
VO SP
Mail
App
List
VO IdP
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
A Look Inside myVocs
VO Attribute Authority
VO Space
VO SP
Mail
App
List
VO IdP
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
A Look Inside myVocs
Shibboleth SP
VO Attribute Authority
VO Space
VO SP
Mail
App
List
VO IdP
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
This is myVocs
myVocs
Shibboleth SP
VO Attribute Authority
VO Space
VO SP
Mail
App
List
VO IdP
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
This is myVocs
myVocs
Shibboleth SP
VO Attribute Authority
VO Space
VO SP
Mail
App
List
VO IdP
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
A Look Inside myVocs
UAB
IdP
myVocs
Shibboleth SP
VO Attribute Authority
VO Space
VO SP
Mail
App
List
VO IdP
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
A Look Inside myVocs
UAB
IdP
myVocs
U. Chicago
IdP
Shibboleth SP
VO Attribute Authority
VO Space
VO SP
Mail
App
List
VO IdP
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
A Look Inside myVocs
UAB
IdP
myVocs
U. Chicago
IdP
Shibboleth SP
VO Attribute Authority
VO Space
VO SP
Mail
App
List
UIUC
IdP
VO IdP
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
A Look Inside myVocs
UAB
IdP
myVocs
U. Chicago
IdP
openidp.org
IdP
Shibboleth SP
VO Attribute Authority
VO Space
VO SP
Mail
App
List
UIUC
IdP
VO IdP
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
A Look Inside myVocs
UAB
IdP
Identity
Space
myVocs
U. Chicago
IdP
openidp.org
IdP
Shibboleth SP
VO Attribute Authority
VO Space
VO SP
Mail
App
List
UIUC
IdP
VO IdP
VO SP
VO SP
Wiki
CMS
VO SP
Your
App
myVocs Manages Attributes
UAB
IdP
U. Chicago
IdP
Users
Mail
App
List
Wiki
VOs
UIUC
IdP
VO
Membe
rs
CMS
openidp.org
IdP
VO
Roles
Your
App
myVocs Manages Attributes
UAB
IdP
U. Chicago
IdP
Users
Mail
App
List
Wiki
VOs
UIUC
IdP
VO
Membe
rs
CMS
openidp.org
IdP
VO
Roles
Your
App
myVocs Manages Attributes
UAB
IdP
U. Chicago
IdP
Users
Mail
App
List
Wiki
VOs
UIUC
IdP
VO
Membe
rs
CMS
openidp.org
IdP
VO
Roles
Your
App
myVocs Manages Attributes
UAB
IdP
U. Chicago
IdP
Users
Mail
App
List
Wiki
VOs
UIUC
IdP
VO
Membe
rs
CMS
openidp.org
IdP
VO
Roles
Your
App
Shibboleth Drives myVocs
The user accesses a web resource.
The browser is guided
through any required steps
by standard Shibboleth mechanisms.
The system components
remain invisible.
Shibboleth Drives myVocs
CMS
VO SP
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
CMS
VO SP
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
Identity
Attributes
VO IdP
ID SP
WAYF
Client Web Browser
openidp
.org
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
Shibboleth Drives myVocs
myVocs Shib
CMS
VO SP
Identity Federation Shib
VO
Attribs
VO IdP
ID SP
openidp
.org
WAYF
Client Web Browser
myVocs Visual Experience
User Selects
VO Resource
myVocs Visual Experience
User Selects
Identity Provider
myVocs Visual Experience
User Validates
Identity
myVocs Visual Experience
User Accesses
VO Resource
myVocs User Experience
myVocs User Experience
myVocs User Experience
myVocs User Experience
Last Year's Wish
Today's Reality
Make it possible for a VO to add it's own
grid resources
A good example:
Enable registering a group of desktops owned
by film animation students working on different
campuses so they can render their animation
on their own grid resources
Keep up with what GridShib is doing
GridShib Overview
What is GridShib?
• GridShib enables secure attribute
sharing among Grid virtual
organizations and higher-educational
institutions
• The goal of GridShib is to integrate
the Globus Toolkit® with Shibboleth®
• GridShib adds attribute-based
authorization to Globus Toolkit
Some Background
• Large scientific projects have spawned
Virtual Organizations (VOs)
• The cyberinfrastructure and software
systems to support VOs are called grids
• Globus Toolkit is the de facto standard
software solution for grids
• Grid Security Infrastructure (GSI) provides
basic security services for grids
Grid Authentication
• Globus Toolkit provides authentication
services via X.509 credentials
• When requesting a service, the user
presents an X.509 certificate, usually a
proxy certificate
• GridShib leverages the existing
authentication mechanisms in GT
Grid Authorization
• Today, Globus Toolkit provides identitybased authorization mechanisms:
– Access control lists (called grid-mapfiles)
map DNs to local identity (e.g., Unix logins)
– Community Authorization Service (CAS)
• PERMIS and VOMS
• GridShib provides attribute-based
authorization based on Shibboleth
GridShib Project Motivation
• VOs are difficult to manage
– Goal: Leverage existing identity
management infrastructure
• Identity-based access control methods
are inflexible and do not scale
– Goal: Use attribute-based access control
• Solution: Integrate GT and
Shibboleth!
Tale of Two Technologies
Existing GSI based
on X.509…
Grid Security Infrastructure
Grid
Client
Globus
Toolkit
X.509
Tale of Two Technologies
Shibboleth Federation
Graft Shib/SAML
onto GSI/X.509
Shibboleth
SAML
Grid Security Infrastructure
Grid
Client
Globus
Toolkit
X.509
Why Shibboleth?
• What does Shibboleth bring to the table?
– A large (and growing) installed base on
campuses around the world
– A standards-based, open source implementation
– A standard attribute vocabulary (eduPerson)
• A well-developed, federated identity
management infrastructure has sprung up
around Shibboleth!
GridShib Use Cases
•
Three use cases under consideration:
1. Established grid user (non-browser)
2. New grid user (non-browser)
3. Portal grid user (browser)
•
•
Initial efforts concentrated on the
established grid user
Current efforts are focused on the new
grid user
Established Grid User
• User possesses an X.509 end entity
certificate
• User may or may not use MyProxy Server to
manage X.509 credentials
• User authenticates to Grid SP with proxy
certificate obtained from MyProxy
• The current GridShib implementation
addresses this use case
New Grid User
• User does not possess an X.509 end entity
certificate
• User relies on GridShib CA to issue shortlived X.509 certificates
• User authenticates to Grid SP using shortlived X.509 credential
• The myVocs-GridShib integration addresses
this use case
Software Components
• GridShib for Globus Toolkit
– A plugin for GT 4.0
• GridShib for Shibboleth
– A plugin for Shibboleth 1.3 IdP
• GridShib CA
– A web-based CA for new grid users
• Visit the GridShib Downloads page:
http://gridshib.globus.org/download.html
GridShib for Globus Toolkit
• GridShib for Globus Toolkit is a plugin
for GT4
• Features:
– Standalone attribute requester
– SAML attribute consumption
– Attribute-based access control
– Attribute-based local account mapping
– SAML metadata consumption
Standalone Attribute Requester
• A standalone attribute requester will
query a Shib AA for attributes
– By “standalone” we mean a query separate
from a Shib browser profile
• The attribute query is based on
– The Subject DN of the proxy cert or
– A SAML authn assertion embedded in an
end-entity cert
GridShib for Shibboleth
• GridShib for Shibboleth is a plugin for a
Shibboleth IdP v1.3 (or later)
• Features:
– Name Mapper
– SAML name identifier implementations
• X509SubjectName, emailAddress, etc.
– Certificate Registry
GridShib Name Mapper
• The Name Mapper is
a container for name
mappings
• Multiple name
mappings are
supported:
– File-based name
mappings
– DB-based name
mappings
NameMapper
NameMapFile
NameMapTable
GridShib Certificate Registry
• A Certificate Registry is integrated into
GridShib for Shibboleth:
https://authdev.it.ohiostate.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry
• An established grid user authenticates and
registers an X.509 end-entity cert
• The Registry binds the cert to the principal
name and persists the binding in a database
• On the backend, GridShib maps the DN in a
query to a principal name in the DB
GridShib CA
• The GridShib Certificate Authority is a web-based CA
for new grid users:
https://authdev.it.ohiostate.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority
• The GridShib CA is protected by a Shib SP and
backended by the MyProxy Online CA
• The CA issues short-term credentials suitable for
authentication to a Grid SP
• Credentials are downloaded to the desktop via Java
Web Start
GridShib Attribute Pull Profile
• In the “Classic GridShib” profile, a
Grid SP “pulls” attributes from a
Shib IdP
• The Client is assumed to have an
account (i.e., local principal
name) at the IdP
• The Grid SP and the IdP have
been assigned a unique identifier
(providerId)
IdP
C
L
I
E
N
T
2
3
1
Grid SP
4
GridShib Attribute Pull Step 1
• The Grid Client requests a
service at the Grid SP
• The Client presents a X.509
certificate to the Grid SP
• The Client also provides a
pointer to its preferred IdP
– This is the so-called IdP
Discovery problem
IdP
C
L
I
E
N
T
1
Grid SP
GridShib Attribute Pull Step 2
• The Grid SP authenticates
the Client and extracts the
DN from the proxy cert
• The Grid SP queries the
Attribute Authority (AA) at
the IdP using the DN as a
SAML name identifier
IdP
C
L
I
E
N
T
2
1
Grid SP
GridShib Attribute Pull Step 3
• The AA authenticates the
requester and maps the DN
to a local principal name
• The AA returns an attribute
assertion to the Grid SP
– The assertion is subject to
Attribute Release Policy
(ARP) at the IdP
IdP
C
L
I
E
N
T
2
3
1
Grid SP
GridShib Attribute Pull Step 4
• The Grid SP parses the
attribute assertion and
performs the requested
service
• The attributes are cached
as necessary
• A response is returned to
the Grid Client
IdP
C
L
I
E
N
T
2
3
1
Grid SP
4
Future Work
• Solve IdP discovery problem for grids
• Provide name mapping maintenance
tools (for administrators)
• Implement a profile for attribute push
• Produce SAML metadata
• Design metadata repositories and tools
Results of Integration
Motivation Review
• myVocs allows for VOs based on
Shibboleth identities
• GridShib authorizes use of Grid
Services based on Shibboleth identities
• Goal of Integration:
Creation and Management of Grid VOs
based on Shibboleth Identities
What we have enabled
• Turn-key Grid VO creation through the
integration of GridShib and myVocs
• myVocs used to create and manage VOs
• GridShib allows myVocs users to create Grid
credentials and access Grid resources
• Grid resources obtains, and allows access,
based on attributes from myVocs
Key Components
• myVocs
– VO creation and management
• GridShib CA
• creates Grid credentials from Shibboleth identities
• GridShib Certificate Registry and IdP Plugin
• maps Grid identities to Shibboleth identities
• GridShib GT plugin
• issues SAML attributes queries from GT to
myVocs/Shibboleth
System Walk-through
• A quick tour of the integrated system
• Architecture view on these slides
• User view on the other projector
User Registers with myVocs
Identity
Auth
VO Admin Adds User to VO
Grid Logon
Identity
Identity
Grid Id
Auth
Grid Creds.
Grid Service Invocation
VO
Attributes
Grid Creds.
Grid Id
Remaining Challenges
• Name binding on global scale
• Attribute Aggregation
• Defining VO membership, roles and
attributes
• Group and role management
Questions?
For more information:
• GridShib: http://gridshib.globus.org/
• myVocs: http://www.myvocs.org/
• Email:
[email protected]
[email protected]
[email protected]
[email protected]