myVocs and GridShib: Integrated VO Management Jill Gemmill, John-Paul Robinson University of Alabama at Birmingham Tom Scavo, Von Welch National Center for Supercomputing Applications.
Outline
• Introduction: What are we trying to do, and why?
• myVocs Overview
• GridShib Overview
• myVocs-GridShib Integration
• Q&A

Acknowledgments
• myVocs and GridShib are funded by the NSF National Middleware Initiative (NMI awards 0330543, 0438424 and 0438385).
• Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
• We would also like to thank:
– Serge Aumont, Olivier Salaun (CRU)
– Nate Klingenstein
– Tom Barton
– Tim Freeman
– Raj Kettimuthu

What's a Virtual Organization?
• A set of collaborators bound together by a project of common interest
– very large scale science projects, e.g. TeraGrid
– half a dozen or so collaborators in a funded multidisciplinary project
– physicians at 60 cancer centers wanting to share clinical data to increase N or to focus on special subpopulations
– an Internet2 Working Group; a conference planning committee
• In general, VO members are from different institutions

VO Requirements
• Ideally, VO resource access would use cross-domain SSO
• What architecture can support this requirement?
– For myVocs: web-based applications
– For grids: applications that use grid certificates

What Cross-Domain Security Architectures Exist?
• GRIDS
– Digital certificates (X.509 / PKI)
– Cross-domain trust can be managed scalably through bridged CAs
– Carry only a user identifier (DN)
• FEDERATIONS (SAML, Shibboleth, WS-Security)
– Digitally signed security assertions
– Carry identity, authentication method, other attributes

Don't Existing Solutions Provide What Is Needed by VOs? (No!)
• Single-domain solutions are inadequate
• End-user certificate distribution and management has proven troublesome and non-scalable
• Essential VO (group) membership information is not provided consistently by either one
• Most collaboration tools are accessed by web browser (not by client software with a certificate)

What does Shibboleth bring to the table?
• A large (and growing) installed base
• A standards-based, open source implementation
• Working SAML 1.1 code
• A standard attribute vocabulary (eduPerson)
• A well-developed, federated identity management infrastructure has sprung up around Shibboleth

Motivation 1
• The size and vast number of VOs make it difficult for administrators to manage the identity of each user in the VO (and VO members don't want more passwords to remember)
– Goal: leverage existing identity management infrastructure
• The eduPerson/Shibboleth infrastructure appeared promising for identity management

Motivation 2
• Identity-based access control methods are inflexible and do not scale
– Goal: use attribute-based access control
• Shibboleth, an attribute transport mechanism linked to identity management, appeared promising

Motivation 3
• The most important attribute for VOs is: "member of VO-XYZ"
• Who is authoritative for VO attributes?
– The enterprise? (No)
– The VO? (Yes!)
• How are VO attributes created?
• Where are VO attributes stored?
myVocs Overview
A brief introduction to the myVocs system environment

myVocs Manages Attributes
This point is central to myVocs (and deserves a slide of its own)

Virtual Organization Aspects
• Virtual Organizations are collections of attributes
• Virtual Organizations are collaborations made manifest
• Virtual Organizations cross institutional boundaries
• Virtual Organizations are autonomous

Virtual Organization Realities
• Lighten their load and use trusted attributes
• Resist the complication of inconsistent policies
• Their influence is poor, so there is little hope for attribute sponsors
• They are a lot like real organizations

myVocs Supports VOs
myVocs lets you create and manage VOs and supplies key collaboration tools to the members of the VO

A Look Inside myVocs
[Diagram, built up over several slides: an attribute store (Users, VOs, VO Members, VO Roles) serves a set of applications (App1 … AppN, shown concretely as Mail, List, Wiki, CMS and "Your App"). A Shibboleth IdP sits in front of the attribute store, and each application is protected by a Shib SP. The store is then shown as it is actually implemented: Users, Lists, List Members and List Roles.]

Why myVocs Uses Sympa
• Mailing lists are central to collaborations
– They specify a collection of individuals
– They define useful member roles
– They are generally autonomous
• Sympa mailing list software supports Shibboleth
• Sympa developers were active collaborators

Why myVocs Uses Sympa
Simply by creating and managing mailing lists with a familiar web interface, the end user can manage VOs, their membership and their privileges

A Look Inside myVocs
[Diagram: Sympa supplies the Users, Lists, List Members and List Roles behind the Shibboleth IdP; the Mail, List, Wiki, CMS and "Your App" services each sit behind a Shib SP.]
[Diagram, continued: a Shib SP is placed in front of the myVocs IdP; the Sympa-backed store is relabelled "VO Attribute Authority" and exposes Users, VOs, VO Members and VO Roles; the IdP becomes the "VO IdP" and the application SPs become "VO SPs" (Mail, List, Wiki, CMS, Your App), which together form the "VO Space". The Shibboleth SP, VO Attribute Authority, VO IdP and VO Space together are myVocs ("This is myVocs"). Outside myVocs lies the "Identity Space": the UAB IdP, U. Chicago IdP, UIUC IdP and openidp.org IdP.]

myVocs Manages Attributes
[Diagram: identity providers (UAB, U. Chicago, UIUC, openidp.org) supply identities; myVocs holds Users, VOs, VO Members and VO Roles; the Mail, List, Wiki, CMS and "Your App" services consume the VO attributes.]

Shibboleth Drives myVocs
The user accesses a web resource. The browser is guided through any required steps by standard Shibboleth mechanisms. The system components remain invisible.
Shibboleth Drives myVocs
[Diagram, built up over several slides: Client Web Browser → CMS (a VO SP in the myVocs Shib domain) → VO IdP, backed by VO Attribs → ID SP → WAYF in the Identity Federation Shib domain → openidp.org IdP. Identity attributes flow back from the identity provider through the ID SP to the VO IdP, which adds VO attributes before the browser reaches the CMS.]

myVocs Visual Experience
[Screenshots: User Selects VO Resource; User Selects Identity Provider; User Validates Identity; User Accesses VO Resource]

myVocs User Experience
[Four screenshot slides]

Last Year's Wish / Today's Reality
• Make it possible for a VO to add its own grid resources
– A good example: enable registering a group of desktops owned by film animation students working on different campuses so they can render their animation on their own grid resources
• Keep up with what GridShib is doing

GridShib Overview

What is GridShib?
• GridShib enables secure attribute sharing among Grid virtual organizations and higher-education institutions
• The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth®
• GridShib adds attribute-based authorization to Globus Toolkit

Some Background
• Large scientific projects have spawned Virtual Organizations (VOs)
• The cyberinfrastructure and software systems that support VOs are called grids
• Globus Toolkit is the de facto standard software solution for grids
• Grid Security Infrastructure (GSI) provides basic security services for grids

Grid Authentication
• Globus Toolkit provides authentication services via X.509 credentials
• When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
• GridShib leverages the existing authentication mechanisms in GT

Grid Authorization
• Today, Globus Toolkit provides identity-based authorization mechanisms:
– Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
– Community Authorization Service (CAS)
• PERMIS and VOMS
• GridShib provides attribute-based authorization based on Shibboleth

GridShib Project Motivation
• VOs are difficult to manage
– Goal: leverage existing identity management infrastructure
• Identity-based access control methods are inflexible and do not scale
– Goal: use attribute-based access control
• Solution: integrate GT and Shibboleth!
Tale of Two Technologies
[Diagram: the existing GSI, based on X.509: Grid Client ↔ Globus Toolkit over the Grid Security Infrastructure (X.509). Then Shib/SAML is grafted onto GSI/X.509: a Shibboleth Federation (SAML) attached to the same Grid Client / Globus Toolkit / GSI stack.]

Why Shibboleth?
• What does Shibboleth bring to the table?
– A large (and growing) installed base on campuses around the world
– A standards-based, open source implementation
– A standard attribute vocabulary (eduPerson)
• A well-developed, federated identity management infrastructure has sprung up around Shibboleth!

GridShib Use Cases
• Three use cases under consideration:
1. Established grid user (non-browser)
2. New grid user (non-browser)
3. Portal grid user (browser)
• Initial efforts concentrated on the established grid user
• Current efforts are focused on the new grid user

Established Grid User
• User possesses an X.509 end entity certificate
• User may or may not use a MyProxy Server to manage X.509 credentials
• User authenticates to the Grid SP with a proxy certificate obtained from MyProxy
• The current GridShib implementation addresses this use case

New Grid User
• User does not possess an X.509 end entity certificate
• User relies on the GridShib CA to issue short-lived X.509 certificates
• User authenticates to the Grid SP using the short-lived X.509 credential
• The myVocs-GridShib integration addresses this use case

Software Components
• GridShib for Globus Toolkit
– A plugin for GT 4.0
• GridShib for Shibboleth
– A plugin for the Shibboleth 1.3 IdP
• GridShib CA
– A web-based CA for new grid users
• Visit the GridShib Downloads page: http://gridshib.globus.org/download.html

GridShib for Globus Toolkit
• GridShib for Globus Toolkit is a plugin for GT4
• Features:
– Standalone attribute requester
– SAML attribute consumption
– Attribute-based access control
– Attribute-based local account mapping
– SAML metadata consumption

Standalone Attribute Requester
• A standalone attribute requester will query a Shib AA for attributes
– By "standalone" we mean a query separate from a Shib browser profile
• The attribute query is based on
– the Subject DN of the proxy cert, or
– a SAML authn assertion embedded in an end-entity cert

GridShib for Shibboleth
• GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)
• Features:
– Name Mapper
– SAML name identifier implementations (X509SubjectName, emailAddress, etc.)
– Certificate Registry

GridShib Name Mapper
• The Name Mapper is a container for name mappings
• Multiple name mappings are supported:
– File-based name mappings
– DB-based name mappings
[Diagram: NameMapper → NameMapFile, NameMapTable]

GridShib Certificate Registry
• A Certificate Registry is integrated into GridShib for Shibboleth: https://authdev.it.ohiostate.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry
• An established grid user authenticates and registers an X.509 end-entity cert
• The Registry binds the cert to the principal name and persists the binding in a database
• On the backend, GridShib maps the DN in a query to a principal name in the DB

GridShib CA
• The GridShib Certificate Authority is a web-based CA for new grid users: https://authdev.it.ohiostate.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority
• The GridShib CA is protected by a Shib SP and backended by the MyProxy Online CA
• The CA issues short-term credentials suitable for authentication to a Grid SP
• Credentials are downloaded to the desktop via Java Web Start

GridShib Attribute Pull Profile
• In the "Classic GridShib" profile, a Grid SP "pulls" attributes from a Shib IdP
• The Client is assumed to have an account (i.e., a local principal name) at the IdP
• The Grid SP and the IdP have each been assigned a unique identifier (providerId)
[Diagram: Client → (1) Grid SP → (2) IdP → (3) Grid SP → (4) Client]

GridShib Attribute Pull Step 1
• The Grid Client requests a service at the Grid SP
• The Client presents an X.509 certificate to the Grid SP
• The Client also provides a pointer to its preferred IdP
– This is the so-called IdP Discovery problem

GridShib Attribute Pull Step 2
• The Grid SP authenticates the Client and extracts the DN from the proxy cert
• The Grid SP queries the Attribute Authority (AA) at the IdP using the DN as a SAML name identifier

GridShib Attribute Pull Step 3
• The AA authenticates the requester and maps the DN to a local principal name
• The AA returns an attribute assertion to the Grid SP
– The assertion is subject to the Attribute Release Policy (ARP) at the IdP

GridShib Attribute Pull Step 4
• The Grid SP parses the attribute assertion and performs the requested service
• The attributes are cached as necessary
• A response is returned to the Grid Client

Future Work
• Solve the IdP discovery problem for grids
• Provide name mapping maintenance tools (for administrators)
• Implement a profile for attribute push
• Produce SAML metadata
• Design metadata repositories and tools

Results of Integration

Motivation Review
• myVocs allows for VOs based on Shibboleth identities
• GridShib authorizes use of Grid services based on Shibboleth identities
• Goal of integration: creation and management of Grid VOs based on Shibboleth identities

What we have enabled
• Turn-key Grid VO creation through the integration of GridShib and myVocs
• myVocs is used to create and manage VOs
• GridShib allows myVocs users to create Grid credentials and access Grid resources
• Grid resources obtain attributes from myVocs and allow access based on them

Key Components
• myVocs
– VO creation and management
• GridShib CA
– creates Grid credentials from Shibboleth identities
• GridShib Certificate Registry and IdP Plugin
– maps Grid identities to Shibboleth identities
• GridShib GT plugin
– issues SAML attribute queries from GT to myVocs/Shibboleth

System Walk-through
• A quick tour of the integrated system
• Architecture view on these slides
• User view on the other projector
[Walk-through diagram, built up over several slides: (1) User registers with myVocs, authenticating at a campus identity provider (Identity Auth); (2) VO Admin adds the user to a VO; (3) Grid Logon: the user's identity is presented to the GridShib CA, which issues Grid Creds and binds the Grid Id to the identity (Grid Id Auth); (4) Grid Service Invocation: the Grid Creds are presented, the Grid Id is mapped back to the identity, and VO Attributes are pulled from myVocs.]

Remaining Challenges
• Name binding on a global scale
• Attribute aggregation
• Defining VO membership, roles and attributes
• Group and role management

Questions?
For more information:
• GridShib: http://gridshib.globus.org/
• myVocs: http://www.myvocs.org/
• Email: [email protected] [email protected] [email protected] [email protected]
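The two mechanisms the deck describes only in prose, myVocs deriving VO attributes from Sympa list membership and list roles, and the GridShib attribute pull profile (DN extracted from the proxy certificate, mapped to a principal by the Name Mapper, attributes released under the IdP's ARP, then used by the Grid SP for access control and local account mapping), as one added Python model of the integrated walk-through. This is example code written for this page, not code from myVocs, GridShib or Globus: the list data, DNs, providerIds, ARP, grid-mapfile entries and the attribute names isMemberOf and voRole are constructed assumptions, and stripping proxy CN components with a regular expression is a simplification of what GSI does.

```python
import re

# myVocs side. VO membership lives in Sympa lists (constructed sample data).
# Sympa's role names are owner/subscriber; the VO attribute names are assumed.
SYMPA_LISTS = {
    "vo-animation": {
        "owner": {"alice@uab.edu"},
        "subscriber": {"alice@uab.edu", "bob@uchicago.edu"},
    },
    "vo-cancer": {
        "owner": {"carol@uiuc.edu"},
        "subscriber": {"carol@uiuc.edu", "bob@uchicago.edu"},
    },
}


def vo_attributes(principal):
    """VO Attribute Authority: list membership and list roles become VO attributes."""
    attrs = {"isMemberOf": set(), "voRole": set()}
    for vo, roles in SYMPA_LISTS.items():
        for role, members in roles.items():
            if principal in members:
                attrs["isMemberOf"].add(vo)
                attrs["voRole"].add(f"{vo}:{role}")
    return attrs


class NameMapper:
    """GridShib for Shibboleth: DN -> principal bindings, as persisted by the
    Certificate Registry or created when the GridShib CA issues a certificate."""

    def __init__(self):
        self._bindings = {}

    def register(self, dn, principal):
        self._bindings[dn] = principal

    def lookup(self, dn):
        return self._bindings.get(dn)


# Simplification: a GSI proxy appends CN=proxy / CN=limited proxy (legacy) or a
# numeric CN (RFC 3820) to the end-entity subject; strip those to recover the DN.
_PROXY_CN = re.compile(r"(/CN=(proxy|limited proxy|\d+))+$")


def end_entity_dn(proxy_dn):
    return _PROXY_CN.sub("", proxy_dn)


# Attribute Release Policy at the IdP, keyed by the requester's providerId (assumed).
ARP = {
    "https://grid.example.org/sp": {"isMemberOf", "voRole"},
    "https://portal.example.org/sp": {"isMemberOf"},
}


def attribute_query(name_mapper, requester_id, subject_dn):
    """Step 3 at the AA: authenticate the requester (here: known providerId),
    map the DN to a principal, build the assertion, apply the ARP."""
    if requester_id not in ARP:
        return None                      # unknown requester: refuse
    principal = name_mapper.lookup(subject_dn)
    if principal is None:
        return None                      # DN not bound to any principal
    released = {k: v for k, v in vo_attributes(principal).items()
                if k in ARP[requester_id]}
    return {"subject": subject_dn, "attributes": released}


# Grid SP side (GridShib for Globus Toolkit). Constructed mappings: an
# identity-based grid-mapfile entry and an attribute-based account mapping.
GRIDMAP = {"/DC=org/DC=example/CN=Alice": "alice"}
VO_ACCOUNT_MAP = {"vo-animation": "render"}


def authorize(name_mapper, sp_id, proxy_dn, required_vo):
    """Steps 2-4 at the Grid SP: pull attributes by DN, require membership in
    required_vo, map to a local account (individual entry first, else VO pool)."""
    dn = end_entity_dn(proxy_dn)
    assertion = attribute_query(name_mapper, sp_id, dn)
    if assertion is None:
        return None
    if required_vo not in assertion["attributes"].get("isMemberOf", set()):
        return None
    account = GRIDMAP.get(dn, VO_ACCOUNT_MAP.get(required_vo))
    if account is None:
        return None                      # member, but nowhere to run as
    return {"principal": name_mapper.lookup(dn), "account": account,
            **assertion["attributes"]}


def demo():
    nm = NameMapper()
    nm.register("/DC=org/DC=example/CN=Alice", "alice@uab.edu")
    nm.register("/DC=org/DC=example/CN=Bob", "bob@uchicago.edu")
    sp, portal = "https://grid.example.org/sp", "https://portal.example.org/sp"
    return {
        "alice": authorize(nm, sp, "/DC=org/DC=example/CN=Alice/CN=proxy", "vo-animation"),
        "bob": authorize(nm, sp, "/DC=org/DC=example/CN=Bob/CN=12345", "vo-animation"),
        "bob_cancer_portal": authorize(nm, portal, "/DC=org/DC=example/CN=Bob/CN=12345", "vo-cancer"),
        "unbound": authorize(nm, sp, "/DC=org/DC=example/CN=Mallory/CN=proxy", "vo-animation"),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, result)
```

Alice is mapped through her grid-mapfile entry, Bob through the VO's pool account, the portal requester only ever sees isMemberOf because of the ARP, and a DN with no registry binding gets no assertion and therefore no access; this last case is the practical reason the Certificate Registry and GridShib CA have to bind every DN to a principal before the attribute pull can work.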