Apache Airavata Credential Store
Transcript of Apache Airavata Credential Store
A Credential Store for Multi-Tenant Science Gateways
Thejaka Kanewala, Suresh Marru, Jim Basney, Marlon Pierce
Agenda: Terminology; Problems / Challenges; Solutions proposed
Science Gateways
Computationally expensive experiments are run on resources such as grids and clouds.
Science Gateways hide the complexity of using the underlying cyberinfrastructure resources, provide a domain-specific user interface to scientists, and help scientists build communities.
Create experiments, share experiments, share data, ...
Organization of a Science Gateway
Organization of a Science Gateway (contd ...)
Front end portal: a science-domain-specific Web User Interface (UI).
Middleware: bridges the communication between the front end portal server and the backend computational resources, and implements the other application logic (provenance data management, application execution, storing metadata, processing results from execution, etc.).
Backend resources.
Challenges
1. Resource credential delegation.
2. Management of heterogeneous credentials associated with grids, clouds and local resources.
3. Management of gateway credentials in an isolated manner in a middleware that supports multiple gateways.
4. Maintaining accountability at the resource.
Problem 1. Resource Credential Delegation
Problem 1. Resource Credential Delegation (Community Account)
Resource Credential Delegation (contd ...)
How to solve?
Hand over the resource credentials to the gateway user.
Hard code the resource credentials in the middleware layer. Each time the gateway administrator obtains new credentials, they have to be updated in the middleware.
Hard coding credentials in the file system requires changing configuration files in the middleware, and also needs additional mechanisms to secure the passwords.
Problem 2. Heterogeneous Credentials
The gateway middleware connects to various types of resources: clouds, grids, local clusters.
Different resources use different authentication mechanisms: MyProxy based authentication; SSH password or key based authentication.
Incorporating a new authentication mechanism should not require changes to the middleware.
Problem 3. Multi-Tenancy
Multiple science gateways connect to a single gateway middleware.
Need to make sure the credentials used by one gateway do not interfere with another gateway's.
Proper isolation between gateways is needed when several gateways share one middleware.
Problem 4. Maintain Accountability at the Resource
Maintain comprehensive audit records at the resource. After an incident, the resource should be able to determine which user is responsible from its own records, without consulting the gateway middleware.
The middleware should therefore supply the experiment-invoking user's attributes to the resource.
Credential Store
A secure generic data store to maintain heterogeneous authentication data.
Utilities to perform delegation and key generation.
A pluggable module for the gateway middleware.
Involves 3 main operations: gateway registration; persisting credentials; querying credentials during application invocation.
Credential Store – Gateway Registration
Multiple science gateways need to operate in isolation from each other.
Each gateway portal server establishes trust with the gateway middleware using TLS mutual authentication.
Credential Store – Credential Persistence
Capable of handling different types of credentials. Each credential type is stored as a serialized byte stream in the store.
Credentials are stored in a secure manner, secured at 3 layers:
Each entry is encrypted using a key derived from the gateway id and a token.
The database authentication mechanism restricts access to the database records.
Data files are secured with proper Unix file permissions.
Each action on the credential store is recorded in an audit log.
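The encryption layer above, worked through as an added example (this is not Airavata's code, which is Java; it is written in Go so it runs stand-alone on the standard library). Each row holds only AES-GCM ciphertext under a key derived from the gateway id and token, the gateway id is bound as associated data, and every persist and retrieve is appended to an audit log. The in-memory map stands in for the database table; the store-level master secret mixed into the key derivation, the row layout and the function names are this example's assumptions, not something the slides state. The database authentication and Unix permission layers are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// row is one record of the credential table: ciphertext plus the GCM nonce.
type row struct{ nonce, ciphertext []byte }

// Store stands in for the relational database plus its audit log.
type Store struct {
	masterKey []byte         // store-level secret (assumption, see deriveKey)
	rows      map[string]row // keyed by "<gatewayID>/<token>"
	audit     []string
}

func NewStore(masterKey []byte) *Store {
	return &Store{masterKey: masterKey, rows: map[string]row{}}
}

// deriveKey maps the gateway id and token to a per-entry AES-256 key, as on
// the slides. Mixing in a store-level master secret is this example's
// assumption: a key computable from the two identifiers alone is recoverable
// by anyone who learns them.
func (s *Store) deriveKey(gatewayID, token string) []byte {
	mac := hmac.New(sha256.New, s.masterKey)
	mac.Write([]byte(gatewayID))
	mac.Write([]byte{0}) // separator: "ab"+"c" must not collide with "a"+"bc"
	mac.Write([]byte(token))
	return mac.Sum(nil)
}

func (s *Store) aead(gatewayID, token string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.deriveKey(gatewayID, token))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func (s *Store) record(action, gatewayID, token string) {
	s.audit = append(s.audit, fmt.Sprintf("%s gateway=%s token=%s", action, gatewayID, token))
}

// Persist encrypts any serialized credential under the gateway's key. The
// gateway id is also bound as associated data, so a relabelled row cannot open.
func (s *Store) Persist(gatewayID, token string, serialized []byte) error {
	g, err := s.aead(gatewayID, token)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.rows[gatewayID+"/"+token] = row{nonce, g.Seal(nil, nonce, serialized, []byte(gatewayID))}
	s.record("PERSIST", gatewayID, token)
	return nil
}

// Retrieve is the query made at application invocation time.
func (s *Store) Retrieve(gatewayID, token string) ([]byte, error) {
	r, ok := s.rows[gatewayID+"/"+token]
	if !ok {
		s.record("RETRIEVE-MISS", gatewayID, token)
		return nil, errors.New("no credential for this gateway and token")
	}
	g, err := s.aead(gatewayID, token)
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, r.nonce, r.ciphertext, []byte(gatewayID))
	if err != nil {
		s.record("RETRIEVE-FAIL", gatewayID, token)
		return nil, err
	}
	s.record("RETRIEVE", gatewayID, token)
	return pt, nil
}

// RelabelRow copies a row into another gateway's namespace, ciphertext untouched,
// simulating a misfiled or maliciously re-owned record.
func (s *Store) RelabelRow(fromGateway, toGateway, token string) {
	s.rows[toGateway+"/"+token] = s.rows[fromGateway+"/"+token]
}

func (s *Store) Audit() []string { return s.audit }

func main() {
	s := NewStore([]byte("0123456789abcdef0123456789abcdef")) // constructed master secret
	s.Persist("gateway-a", "tok-1", []byte("constructed serialized credential"))
	pt, err := s.Retrieve("gateway-a", "tok-1")
	fmt.Printf("owner reads: %q err=%v\n", pt, err)
	s.RelabelRow("gateway-a", "gateway-b", "tok-1")
	_, err = s.Retrieve("gateway-b", "tok-1")
	fmt.Println("read as gateway-b:", err, s.Audit())
}
```

The RelabelRow call shows what the per-gateway key buys: a record copied into another gateway's namespace, whether by operator mistake or by someone with write access to the table, fails to decrypt and leaves a RETRIEVE-FAIL audit entry. The encryption layer does nothing to protect the master secret itself; that is what the database authentication and file permission layers are for.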
Credential Store – Credential Persistence (contd ...)
Different mechanisms to persist credentials:
Delegation based credential persistence.
Key generation based credential persistence.
Credential persistence by manually invoking the credential store service API.
Delegation based persistence
Mainly used for MyProxy credentials.
Uses the OAuth protocol to delegate credentials into the Credential Store, via OA4MP (OAuth for MyProxy).
Key Generation Based Persistence
Some resources only support SSH keys.
Most of the time users don't want to persist their SSH keys in a third party store.
Generate the SSH key pair within the Credential Store and hand over only the public key to the user.
One-time manual step: the user needs to install the given public key on the resource.
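The key-generation flow as an added example (not from the Airavata code base; Go rather than Java so it runs stand-alone on the standard library). The store generates an Ed25519 pair, keeps the private half, and renders the public half as the exact ssh-ed25519 line the user pastes into ~/.ssh/authorized_keys on the resource. The challenge and signature model only the public-key step of SSH authentication, not the SSH transport; the key comment format and the function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// StoredKey is what the Credential Store retains after key-generation based
// persistence: the private half never leaves the store.
type StoredKey struct {
	GatewayID string
	Token     string
	Private   ed25519.PrivateKey
}

// sshString is the length-prefixed string of the SSH wire format (RFC 4251).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// AuthorizedKeysLine renders a public key as OpenSSH expects it in
// ~/.ssh/authorized_keys: "ssh-ed25519 <base64 blob> <comment>".
func AuthorizedKeysLine(pub ed25519.PublicKey, comment string) string {
	blob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

// Generate creates the key pair inside the store and returns the stored record
// plus the single line the user must install on the resource (one-time step).
func Generate(gatewayID, token string) (*StoredKey, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	k := &StoredKey{GatewayID: gatewayID, Token: token, Private: priv}
	return k, AuthorizedKeysLine(pub, "airavata-"+gatewayID+"-"+token), nil // comment format is an assumption
}

// Sign is the only operation the middleware performs with the private key:
// answering the resource's challenge during SSH public-key authentication.
func (k *StoredKey) Sign(challenge []byte) []byte {
	return ed25519.Sign(k.Private, challenge)
}

// ParseAuthorizedKeysLine is the resource side: recover the raw public key
// from the installed line so the signature can be verified.
func ParseAuthorizedKeysLine(line string) (ed25519.PublicKey, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[0] != "ssh-ed25519" {
		return nil, errors.New("not an ssh-ed25519 authorized_keys line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return nil, err
	}
	var parts [][]byte
	for len(blob) > 0 {
		if len(blob) < 4 || uint32(len(blob)-4) < binary.BigEndian.Uint32(blob) {
			return nil, errors.New("truncated wire string")
		}
		n := binary.BigEndian.Uint32(blob)
		parts = append(parts, blob[4:4+n])
		blob = blob[4+n:]
	}
	if len(parts) != 2 || string(parts[0]) != "ssh-ed25519" || len(parts[1]) != ed25519.PublicKeySize {
		return nil, errors.New("malformed ssh-ed25519 blob")
	}
	return ed25519.PublicKey(parts[1]), nil
}

// Verify checks a challenge signature against an installed authorized_keys line.
func Verify(line string, challenge, sig []byte) bool {
	pub, err := ParseAuthorizedKeysLine(line)
	return err == nil && ed25519.Verify(pub, challenge, sig)
}

func main() {
	k, line, err := Generate("gateway-a", "tok-7")
	if err != nil {
		panic(err)
	}
	fmt.Println("hand this to the user for ~/.ssh/authorized_keys:")
	fmt.Println(line)
	challenge := []byte("constructed session challenge") // stands in for the SSH exchange hash
	fmt.Println("resource verifies the store's signature:", Verify(line, challenge, k.Sign(challenge)))
}
```

Because the private key is generated inside the store and only ever used to sign, the user never has to hand over an existing key, which is the objection the slide raises; the price is the manual step of installing the public key, and the fact (noted later in the talk) that an SSH key carries no expiry, so removal is its only lifecycle control.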
Raw Credential Persistence
If delegation based credential persistence is not supported, the credential can be deposited directly.
Credential Retrieval
Given the token id, read the credentials from the Credential Store.
Decorates the retrieved credentials (certificates) with the actual user's attributes (MyProxy only).
Credential Renewal
When persisting credentials, the lifetime of each credential is extracted and stored in a separate column.
The Credential Store periodically checks the validity of the stored credentials.
Owners are notified of credentials that are near expiry.
MyProxy: register the gateway middleware as a trusted renewer in the MyProxy server, and use the gateway middleware's own credentials to renew the other credentials.
SSH keys do not expire: instead, a mechanism is provided to remove credentials from the Credential Store.
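Lifetime extraction and the periodic sweep as an added example (Go, not Airavata's Java implementation). The expiry is read from the certificate's NotAfter at persist time and kept in its own column (nil standing in for SQL NULL on SSH keys, which carry no expiry), and the sweep splits entries into near-expiry and already-expired. The self-signed certificate is constructed input standing in for a MyProxy-issued one; the MyProxy renewal call itself needs a live server and is not shown. Type and function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Credential is a row of the store with the lifetime kept in its own column
// (nil models SQL NULL: the credential, e.g. an SSH key, does not expire).
type Credential struct {
	Token   string
	Kind    string // "x509" (MyProxy-issued certificate) or "ssh"
	Expires *time.Time
}

// LifetimeOf runs at persist time: it extracts the expiry from the serialized
// credential so later sweeps need not decrypt and parse every entry.
func LifetimeOf(kind string, serialized []byte) (*time.Time, error) {
	switch kind {
	case "x509":
		block, _ := pem.Decode(serialized)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("no CERTIFICATE PEM block")
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		notAfter := cert.NotAfter
		return &notAfter, nil
	case "ssh":
		return nil, nil // SSH keys carry no expiry; removal is the only lifecycle control
	}
	return nil, fmt.Errorf("unsupported credential kind %q", kind)
}

// CheckExpiry is the periodic sweep: it returns the tokens whose owners should
// be notified (expiring within window) and those that have already expired.
func CheckExpiry(creds []Credential, now time.Time, window time.Duration) (expiring, expired []string) {
	for _, c := range creds {
		if c.Expires == nil {
			continue
		}
		if !c.Expires.After(now) {
			expired = append(expired, c.Token)
		} else if c.Expires.Before(now.Add(window)) {
			expiring = append(expiring, c.Token)
		}
	}
	return expiring, expired
}

// SelfSignedPEM builds a constructed certificate with the given validity, a
// stand-in for what MyProxy would issue (the real store does not mint these).
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().Truncate(time.Second)
	creds := []Credential{{"tok-ssh", "ssh", nil}}
	// Constructed entries: one certificate expiring soon, one already expired.
	for token, notAfter := range map[string]time.Time{"tok-soon": now.Add(6 * time.Hour), "tok-gone": now.Add(-time.Hour)} {
		pemBytes, err := SelfSignedPEM(token, now.Add(-24*time.Hour), notAfter)
		if err != nil {
			panic(err)
		}
		exp, _ := LifetimeOf("x509", pemBytes) // constructed input, parses by construction
		creds = append(creds, Credential{token, "x509", exp})
	}
	expiring, expired := CheckExpiry(creds, now, 24*time.Hour)
	fmt.Println("notify owners:", expiring, "expired:", expired)
}
```

Storing the expiry in its own column is what makes the sweep cheap: it is a single indexed comparison against the clock rather than a decrypt-and-parse of every entry, and the nil column for SSH keys keeps them out of the renewal path entirely.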
Credential Store – High-level Architecture
Implementation
Implemented as a module in the Apache Airavata gateway middleware.
Credentials are stored in a relational database.
Implemented using Java and related security packages.
Available in the Apache Airavata 0.11 release.
Next ...
Incorporate audit log integrity.
Incorporate other delegation mechanisms such as OpenID, etc.
Possible delegation mechanisms for SSH keys.
Thank you !
Q/A