A Grid Authorization Model for Science Gateways
Slide 1 of 25
Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign
June 11, 2008
http://gridshib.globus.org/ Slide 2 of 25
Classic Science Gateway
[Diagram: Web Browser -> Science Gateway (Web Interface, Web Authn, Webapp, WS GRAM Client, community credential with key) -> Resource Provider (Java WS Container, WS GRAM Service, community account)]
A science gateway is a convenient intermediary between a browser user and a grid resource provider.
Slide 3 of 25
Classic Science Gateway
[Diagram: same components as slide 2]
Each gateway is issued a community credential that uniquely identifies the gateway.
Slide 4 of 25
Classic Science Gateway
[Diagram: same components as slide 2]
Resource providers associate the community credential with a local community account.
Slide 5 of 25
Classic Science Gateway
[Diagram: same components as slide 2]
To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.
Slide 6 of 25
Classic Science Gateway
[Diagram: as slide 2, with a proxy credential and key added at the gateway]
The gateway then issues a short-lived proxy credential signed by its community credential.
Slide 7 of 25
Classic Science Gateway
[Diagram: as slide 6, with the proxy certificate now shown at the resource provider]
The gateway submits the job on the user's behalf, authenticating as itself to the resource.
Slide 8 of 25
Classic Science Gateway
[Diagram: same as slide 7]
The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.
Slide 9 of 25
Classic Science Gateway
[Diagram: same as slide 7]
After the job is executed, the result is returned to the browser user via the gateway web interface.
Slide 10 of 25
Classic Science Gateway
[Diagram: same as slide 7]
So what's wrong with this classic science gateway scenario?
Slide 11 of 25
Classic Science Gateway
[Diagram: as slide 7; gateway users jsmith and mjones both map to the single community account commacct]
All requests look exactly the same to the resource provider!
Slide 12 of 25
Classic Science Gateway
Resource providers need gateway user information for accounting and incident response.
Slide 13 of 25
Grid Authorization Model for Gateways
[Diagram: Web Browser -> Science Gateway (Web Interface, Web Authn, Webapp, GridShib SAML Tools, WS GRAM Client, community credential with key; the webapp passes the username and attributes to the GridShib SAML Tools) -> Resource Provider (Java WS Container with GridShib for GT, WS GRAM Service)]
An enhancement to the community account model increases the information flow between the gateway and the resource provider.
Slide 14 of 25
Grid Authorization Model for Gateways
[Diagram: same components as slide 13]
Two new GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.
Slide 15 of 25
Grid Authorization Model for Gateways
[Diagram: same components as slide 13]
Again the browser user authenticates to the gateway by presenting a username and password.
Slide 16 of 25
Grid Authorization Model for Gateways
[Diagram: as slide 13, with a proxy credential, SAML token and key added at the gateway]
This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token.
Slide 17 of 25
Grid Authorization Model for Gateways
[Diagram: as slide 16, with the proxy credential expanded as follows]
X.509 Proxy Credential
  Issuer: Science Gateway
  Subject: Science Gateway+
  X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12:
    <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion>
The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail).
Slide 18 of 25
Grid Authorization Model for Gateways
[Diagram: as slide 16, with the proxy certificate and its SAML token now shown at the resource provider]
The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token.
Slide 19 of 25
Grid Authorization Model for Gateways
[Diagram: as slide 18, with Logs and a Security Context added inside the resource provider's Java WS Container]
GridShib for GT extracts the SAML token from the proxy certificate and writes the information to a log file.
Slide 20 of 25
Grid Authorization Model for Gateways
[Diagram: as slide 19, with a Blacklist Policy added at the resource provider]
GridShib for GT compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.
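The resource-provider side of slides 17 through 20 (extract the SAML token from the proxy certificate's extension, build a security context, log it, and check it against a blacklist), written here as an added Python example; it is not GridShib's own code. It assumes the proxy certificate has already been chain-validated by the GSI layer and stands in for it with a small dataclass; the DNs, the gridmap, the `mail` attribute and the blacklist entries are all constructed. The same code also shows the slide 11 problem: a classic proxy with no token yields a context that names no user, so the blacklist has nothing to match and the audit line can only record the gateway.

```python
"""Resource-provider handling of a SAML token bound to an X.509 proxy
certificate, modelled on the GridShib-for-GT flow (slides 17-20).
Added example, not GridShib code.  ProxyCert is a constructed stand-in;
a real service takes issuer, subject and extensions from the certificate
GSI has already chain-validated, so the token's integrity rests on the
gateway's signature over the proxy."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Extension OID carrying the assertion, as shown on slide 17.
SAML_EXTENSION_OID = "1.3.6.1.4.1.3536.1.1.1.12"

# Constructed community credential DN and gridmap entry (slide 4 mapping).
GATEWAY_DN = "/DC=org/DC=example/CN=Science Gateway"
GRIDMAP = {GATEWAY_DN: "commacct"}

# Constructed blacklist policy: sets keyed by what they match against.
BLACKLIST = {"gateways": set(), "users": {"mjones"}, "mail": {"abuser@example.org"}}


@dataclass
class ProxyCert:
    issuer: str                                     # DN of the signing credential
    subject: str                                    # issuer DN plus a proxy CN
    extensions: dict = field(default_factory=dict)  # OID -> extension value


@dataclass
class SecurityContext:
    gateway_dn: str
    community_account: str
    user: Optional[str] = None                      # end user from the SAML token
    attributes: dict = field(default_factory=dict)


def saml_token(user, mail):
    """Constructed assertion of the shape the gateway embeds for one user."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0">'
            f"<saml:Issuer>{escape(GATEWAY_DN)}</saml:Issuer>"
            f"<saml:Subject><saml:NameID>{escape(user)}</saml:NameID></saml:Subject>"
            f'<saml:AttributeStatement><saml:Attribute Name="mail">'
            f"<saml:AttributeValue>{escape(mail)}</saml:AttributeValue>"
            f"</saml:Attribute></saml:AttributeStatement></saml:Assertion>")


def gateway_identity(cert, gridmap=GRIDMAP):
    """Strip proxy CN components until the subject matches a gridmap entry."""
    dn = cert.subject
    while dn not in gridmap:
        if "/CN=" not in dn:
            return None
        dn = dn.rsplit("/CN=", 1)[0]
    return dn


def parse_saml_token(xml_text):
    """Return (end user, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("extension does not carry a SAML 2.0 Assertion")
    name_id = root.find(".//saml:NameID", NS)
    user = (name_id.text or "").strip() if name_id is not None else ""
    if not user:
        raise ValueError("assertion names no end user")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    return user, attrs


def build_security_context(cert):
    """Map the gateway to its community account, then add the token contents."""
    gw = gateway_identity(cert)
    if gw is None:
        raise PermissionError("proxy not issued by a known community credential")
    ctx = SecurityContext(gateway_dn=gw, community_account=GRIDMAP[gw])
    token = cert.extensions.get(SAML_EXTENSION_OID)
    if token is not None:                           # classic proxies carry none
        ctx.user, ctx.attributes = parse_saml_token(token)
    return ctx


def audit_line(ctx, job_id):
    """Log record per request; without a token it can only name the gateway."""
    attrs = " ".join(f"{k}={','.join(v)}" for k, v in sorted(ctx.attributes.items()))
    line = (f"job={job_id} gateway={ctx.gateway_dn} "
            f"account={ctx.community_account} user={ctx.user or '-'}")
    return line + (" " + attrs if attrs else "")


def authorize(ctx, blacklist=BLACKLIST):
    """Deny if the gateway, the end user, or any attribute value is blacklisted."""
    if ctx.gateway_dn in blacklist["gateways"]:
        return False, "gateway blacklisted"
    if ctx.user in blacklist["users"]:
        return False, f"user {ctx.user} blacklisted"
    for name, values in ctx.attributes.items():
        for value in values:
            if value in blacklist.get(name, ()):
                return False, f"{name}={value} blacklisted"
    return True, "ok"


ENHANCED_CERT = ProxyCert(GATEWAY_DN, GATEWAY_DN + "/CN=1234567",
                          {SAML_EXTENSION_OID: saml_token("trscavo", "trscavo@example.org")})
CLASSIC_CERT = ProxyCert(GATEWAY_DN, GATEWAY_DN + "/CN=7654321")

if __name__ == "__main__":
    for cert in (ENHANCED_CERT, CLASSIC_CERT):
        ctx = build_security_context(cert)
        print(audit_line(ctx, "job-1"), authorize(ctx))
```

Running the block prints one audit line per certificate: the enhanced proxy yields `user=trscavo mail=trscavo@example.org`, the classic proxy yields `user=-`, and both pass the constructed blacklist because `mjones` only appears in a token that neither certificate carries. Note that the blacklist check never fails closed on a missing token; a deployment that wants to reject classic proxies outright would add that rule in `build_security_context`.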
Slide 21 of 25
Grid Authorization Model for Gateways
[Diagram: same as slide 20]
As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.
Slide 22 of 25
Grid Authorization Model for Gateways
[Diagram and caption identical to slide 21]
Slide 23 of 25
Integration with TeraGrid Central Database
[Diagram: Resource Provider (Java WS Container with GridShib for GT, WS GRAM Service, Logs, Security Context, Blacklist Policy) writing to a Security table and a GRAM audit table, uploaded via AMIE to the TeraGrid Central Database (TGCDB)]
The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.
Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.
Slide 24 of 25
Summary
Using GridShib SAML Tools, science gateways send user attributes to resource providers.
Using GridShib for GT, resource providers use these attributes to perform auditing, incident response, and attribute-based access control.
The TeraGrid Central Database captures TeraGrid-wide accounting data.
Slide 25 of 25
Acknowledgments
GridShib Project PIs: Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
GridShib Developers: Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim Freeman, Raj Kettimuthu, Tom Scavo
The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.
The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.
Thank You!