EGEE-II INFSO-RI-031688
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE and gLite are registered trademarks
Interoperability AAI and Grids
Christoph Witzig, SWITCH
NORDUnet Conference, April 9, 2008
NORDUnet, Helsinki, April 9, 2008
Content
• Introduction to AAIs
  – Why interoperability AAI - Grids
  – Authentication and authorization (AA) in Grids and Shibboleth
• Interoperability Shibboleth - Grid within EGEE
  – Short-lived credential service (SLCS)
  – Attribute exchange to VOMS
  – Future developments within EGEE
• Other activities in interoperability Shibboleth - Grids
• Summary
Security Models
• AAIs solve the old problem of access control to resources
• There are various technologies in use; their usefulness depends on the underlying infrastructure
1. Crusader Castle
2. League of Nations
3. Federations
Crusader Castle
Appropriate for few, non-mobile users
Crusader Castle
Diagram: University A, Library B and University C each run their own resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals); user administration (authorization) and resource credentials (authentication) are handled separately at every resource.
• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected due to difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access
League of Nations
Diagram: University A and University C with the resources Student Admin, Web Mail, e-Learning and Research DB; a Passport Issuer (CA) issues X.509 credentials, while authorization (user administration) and authentication (resource credentials) stay at each resource.
• User registration process with CA
• User has one credential to present to resources
• authN and authZ at resource
• User has to manage credential
• Standard use in grids (IGTF)
• Delegation mechanism
• Standardized Credentials (International Conference on Passports 1920)
Federated Identity Management
Diagram: University A, Library B and University C and their resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals) under federated identity management; the figure labels Authorization/User Administration and Authentication/Resource Credentials.
• No user registration and user data maintenance at resource needed
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for resources
• Efficient implementation of inter-institutional access
Shibboleth
• open source
• Internet2
• SAML
• Web-based Single Sign-on
• authN at Identity Provider
• authZ at Service Provider based on user’s attributes as provided by IdP
• Privacy
Example of an AAI: SWITCHaai
Why Interoperability AAI - Grid?
For AAI Federations:
• Add grid resources to federation
For Grids:
• Add huge user base (campus network)
For e-Science:
• Unified user base
• Bring stakeholders together (NRENs - Grids)
For Users:
• Simpler management of credentials
• Easy access to grids
Interoperability Challenges
• authN at grid resource
• Attribute-based authZ
• Federation attributes vs VO attributes
• Delegation
• Renewal of credentials
Interoperability Shibboleth - Grid within EGEE
Overview Phase 1 and 2
SLCS = Short lived credential service
VASH = VOMS attributes from Shibboleth
Design Decisions
• SLCS CA and “VOMS SP” independent of each other
  – Separate Service Providers
  – Deployed independently
• SLCS CA independent of the Grid middleware
• VOMS SP only dependent on VOMS
Short Lived Credential Service (SLCS)
SLCS Profile
• SLCS = Short Lived Credential Service
• International Grid Trust Federation (IGTF) Profile
• Minimum requirements (SLCS vs. classic X.509 certificate):
                         SLCS                                    X.509 Certificate
  Identity vetting       Certificate is generated based on       “traditional” Registration
                         Identity Management system              Authority (e.g. passport)
  Lifetime               < 1 mio sec                             < 1 year + 1 month
  Revocation handling    optional                                mandatory
SLCS Design
• Private key is never transferred
• Use commercial CA and only standard protocols
• Modular design such that other people can use their own components
• Shibboleth attributes determine DN
SLCS Operation
• For the user:
  – Command line: slcs-init --idp <providerId>
  – Part of gLite User Interface (gLite-UI 3.1) (can also be installed independently)
• For the RA, from web-based admin tool:
  – Can enable or disable individual users (only for his institution)
  – Requirements formulated in CP/CPS
  – Can obtain log information (audit)
• SWITCH:
  – Operates the service for the SWITCHaai federation
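The profile limits and the design points above (DN derived from Shibboleth attributes, private key never transferred, RA scoped to his own institution) can be modelled as the checks an SLCS-style online CA applies before signing. This is an added example, not the SWITCH SLCS code; the attribute names, the DN layout and the CA prefix are assumptions, since the slides only say that Shibboleth attributes determine the DN.

```python
from datetime import datetime, timedelta

# IGTF profile limits as given on the SLCS Profile slide.
SLCS_MAX_LIFETIME = timedelta(seconds=1_000_000)    # SLCS: < 1 mio sec
CLASSIC_MAX_LIFETIME = timedelta(days=365 + 31)      # classic: < 1 year + 1 month

# Hypothetical attribute-to-DN mapping: the page only says Shibboleth
# attributes determine the DN, not which ones or in what layout.
REQUIRED_ATTRIBUTES = ("homeOrganization", "eduPersonPrincipalName", "displayName")
CA_PREFIX = "/O=EXAMPLE-SLCS-CA"                     # placeholder, not the SWITCH DN

def dn_from_attributes(attrs: dict) -> str:
    """Derive the subject only from IdP-asserted attributes; the client never
    picks its own subject, and a missing attribute blocks issuance."""
    missing = [a for a in REQUIRED_ATTRIBUTES if not attrs.get(a)]
    if missing:
        raise ValueError(f"IdP did not release required attribute(s): {missing}")
    for value in attrs.values():
        if any(c in value for c in "/=,"):           # keep DN components unambiguous
            raise ValueError(f"attribute value not usable in a DN: {value!r}")
    return (f"{CA_PREFIX}/O={attrs['homeOrganization']}"
            f"/CN={attrs['displayName']} {attrs['eduPersonPrincipalName']}")

def lifetime_ok(not_before: str, not_after: str, profile: str = "slcs") -> bool:
    """Check an ISO-8601 validity window against the profile maximum."""
    limit = SLCS_MAX_LIFETIME if profile == "slcs" else CLASSIC_MAX_LIFETIME
    span = datetime.fromisoformat(not_after) - datetime.fromisoformat(not_before)
    return timedelta(0) < span < limit

def ra_may_manage(ra_org: str, attrs: dict) -> bool:
    """An RA may enable or disable only users of his own institution."""
    return attrs.get("homeOrganization") == ra_org

def issue(csr_subject: str, attrs: dict, not_before: str, not_after: str) -> dict:
    """Sign only when the CSR subject equals the attribute-derived DN and the
    lifetime fits the SLCS profile. Only the CSR (public key and subject)
    leaves the client; the private key never reaches this function."""
    dn = dn_from_attributes(attrs)
    if csr_subject != dn:
        raise PermissionError("CSR subject does not match the attribute-derived DN")
    if not lifetime_ok(not_before, not_after):
        raise ValueError("requested lifetime exceeds the SLCS profile maximum")
    return {"subject": dn, "notBefore": not_before, "notAfter": not_after}
```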
Status SLCS
• Software development finished in 2006
• SWITCH SLCS Root CA accredited by EuGridPMA in February 2007
• SWITCH SLCS in production since April 2007
• http://www.switch.ch/grid/slcs
Attribute exchange to VOMS: VOMS attributes from Shibboleth (VASH)
Problem
• SLCS ties:
  – AAI authentication to issuance of X.509 certificate
  – AAI attributes are used to construct the DN
• SLCS intends to make AAI attributes available to grid resources for authorization decisions
  – Which AAI attributes are of interest to grid resource?
  – How does resource obtain attributes? (pull vs push)
  – Relation to VO attributes
  – Deployment issues
VASH Design (1)
• VASH: VOMS Attributes from Shibboleth
• Shibboleth SP
  – Browser-based
  – Specific for Federation VO
• “lightweight” SP
  – No administrator duties
  – No management of attributes
  – Simply transfers attributes upon user request
VASH Design (2)
• X.509 and proxy X.509 with VOMS AC unchanged
• No change in VOMS
  – Requires VOMS version 1.7.10 or higher
• VO registration not changed
• Administrative domain between Shibboleth federation and VOMS fully decoupled
• User manages mapping between DN in VOMS and Shibboleth user id (for classic X.509 and SLCS X.509)
Deployment Options
• Option 1: As an add-on to an existing VOMS-based VO
• Option 2: As a registration tool which allows the member of a Shibboleth IdP to become a member of a VOMS-based VO
  – Suitable for production VOs as well as temporary VOs (e.g. summer schools, grid classes)
Status VASH
• Software implementation done
• MJRA1.5 document: https://edms.cern.ch/document/807849/1
• Plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource available
  – Access to VOMS AC
  – LCAS/LCMAPS plugin
• http://www.switch.ch/grid/vash
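The VASH path described on the preceding slides (user-managed DN mapping, attributes transferred into VOMS on request, evaluated at the resource from the VOMS AC by an LCAS-style plugin) as an added, constructed model; it is not the VASH or LCAS/LCMAPS code. The VO name, attribute names, policy shape and the dict form of the AC are assumptions.

```python
# Constructed VOMS membership store keyed by certificate DN (VO registration is
# unchanged: only DNs that are already VO members appear here).
VOMS_MEMBERS = {
    "/O=EXAMPLE-SLCS-CA/O=uni-a.example/CN=Alice Example alice@uni-a.example":
        {"fqans": ["/demo-vo/Role=NULL/Capability=NULL"]},
    "/O=EXAMPLE-CLASSIC-CA/CN=Bob Example":
        {"fqans": ["/demo-vo/Role=NULL/Capability=NULL"]},
}
# User-managed mapping Shibboleth user id -> DN in VOMS (SLCS or classic DN).
DN_MAPPINGS = {"alice@uni-a.example": list(VOMS_MEMBERS)[0]}

def vash_transfer(voms: dict, mappings: dict, shib_user: str, released: dict) -> dict:
    """Copy the attributes the IdP released in this session to the VOMS entry the
    user mapped. VASH keeps no attribute state of its own and refuses without a mapping."""
    dn = mappings.get(shib_user)
    if dn is None:
        raise LookupError(f"{shib_user} has not mapped a DN in VOMS")
    if dn not in voms:
        raise LookupError(f"{dn} is not a registered member of the VO")
    voms[dn]["generic_attributes"] = dict(released)   # replaces, never merges
    return voms[dn]

def issue_ac(voms: dict, holder_dn: str) -> dict:
    """Model of the VOMS AC: FQANs plus generic attributes, bound to the holder DN."""
    entry = voms[holder_dn]
    return {"holder": holder_dn, "fqans": list(entry["fqans"]),
            "attributes": dict(entry.get("generic_attributes", {}))}

def lcas_decision(ac: dict, policy: dict) -> bool:
    """Resource-side decision: deny by default; an allowed FQAN is required and
    every attribute named in the policy must be present with an allowed value."""
    if not any(f in policy["allowed_fqans"] for f in ac["fqans"]):
        return False
    for name, allowed in policy["required_attributes"].items():
        if ac["attributes"].get(name) not in allowed:
            return False
    return True

# Constructed site policy: VO members who are staff or faculty at home.
SITE_POLICY = {"allowed_fqans": {"/demo-vo/Role=NULL/Capability=NULL"},
               "required_attributes": {"eduPersonAffiliation": {"staff", "faculty"}}}
```

A member without a mapping (Bob, with a classic certificate) still gets FQANs in his AC but no Shibboleth attributes, so the attribute-based policy denies him.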
Future developments within EGEE: SAML Support in Grids
SAML Support
• Goal: Extend use of SAML in grids beyond what is already provided by EGEE-II (SLCS, VASH)
• Benefits:
  – (Average) user has no certificates anymore
  – Introduce SAML gently beyond phase 1 and 2, gain experience
  – Compatible with Shibboleth roadmap (2.0, 2.1) and WS-Trust STS implementation
  – Options open for future
• Requires: a means for a service to transform a security token it has into the security token it needs
NORDUnet, Helsinki April 9, 2008 27
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
Security Token Service
• WS-Trust defines mechanisms for brokering trust to an authority called Security Token Service (STS)
• The Security Token Service has a trust relationship with both the client and the service.
NORDUnet, Helsinki April 9, 2008 28
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
Use Cases
• Grid:
  – Shibboleth user wants to access a Grid resource (e.g. WMS, File Catalogue, Storage Element…)
  – He needs to obtain a security token that the Grid services understand (X.509)
• Non-browser based Shibboleth applications:
  – User agent contacts Shibboleth IdP with credential (e.g. username, password)
  – User agent receives SAML assertion to be sent to a Shibboleth SP
NORDUnet, Helsinki April 9, 2008 29
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
Content
• Introduction to AAIs– Why interoperability AAI - Grids– Authentication and authorization (AA) in Grids and Shibboleth
• Interoperability Shibboleth - Grid within EGEE– Short-lived credential service (SLCS)– Attribute exchange to VOMS– Future developments within EGEE
• Other activities in interoperability Shibboleth - Grids
• Summary
NORDUnet, Helsinki April 9, 2008 30
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
Other Activities
• GridShib
  – Globus
  – Community Access to TeraGrid through gateways
• Activities in UK
  – Shebangs and ShibGrid
  – Shintau: attribute aggregation from multiple IdPs
• OMII-Europe:
  – SAML assertions from VOMS
NORDUnet, Helsinki April 9, 2008 31
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
GridShib Software Components
• GridShib for Globus Toolkit
  – A plugin for GT 4.0
• GridShib for Shibboleth
  – A plugin for Shibboleth 1.3 IdP
• GridShib CA
  – A web-based CA for new grid users
• GridShib SAML Tools
  – Tools for portals and users to embed attributes into X.509 credentials
• All at: http://gridshib.globus.org/
Slide: Courtesy of Von Welch, NCSA
NORDUnet, Helsinki April 9, 2008 32
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
GridShibSAML Tools
Attributes
Web Portal
Authenticate
Grid Requests
Community Access via Science Gateway
GridShibfor GT
LocalAttributes(may bedynamic)
GridShibfor Shib
GridShibfor Shib
Slide: Courtesy of Von Welch, NCSA
NORDUnet, Helsinki April 9, 2008 33
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
Summary
• Interoperability AAI - Grids makes the Grid accessible for a large user community
• Interoperability Grid - Shibboleth in EGEE:
  – SLCS service: Online CA issuing X.509 certificates based upon authN at Shibboleth IdP
  – VASH service: Transfers Shibboleth attributes into VOMS; Shib attributes are available to grid resources as part of VOMS AC
  – SLCS and VASH can be used independent of gLite
  – SAML support in Grids through Security Token Service (STS)
• Other Interoperability Efforts
  – GridShib
  – UK e-Science: ShibGrid, Shintau
NORDUnet, Helsinki April 9, 2008 34
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
Q & A
NORDUnet, Helsinki April 9, 2008 35
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
SWITCH SLCS Setup
• 3 separate servers in an increasingly secure environment (network and physical access)
• Front End
  – Shibboleth SP
• SLCS Server
  – Tomcat web app
• Online CA
  – Microsoft Certificate Server
  – Hardware Security Module (HSM)
• Offline CA
  – Signs the Online CA
  – Stored in a bank safe
NORDUnet, Helsinki April 9, 2008 36
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
Web Interface VASH Service
NORDUnet, Helsinki April 9, 2008 37
Enabling Grids for E-sciencE
EGEE-II INFSO-RI-031688
Multiple Security Domains
• A client may need to communicate with services that operate across trust boundaries (i.e. Shibboleth SAML vs Grid X.509)
• Multiple STS can be used in a trust chain across security domains (delegated trust)
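The STS brokering described on the Security Token Service slide and the trust chain across security domains described here, as an added model that is not EGEE's STS implementation: each STS accepts tokens only from issuers it trusts and issues tokens under its own key, so the grid service needs a trust relationship with the grid STS alone. Keys, token formats and the issuer names are constructed; real tokens would be signed SAML assertions and X.509 proxies, and the HMAC signatures stand in for those.

```python
import hmac, hashlib, json

def sign_token(key: bytes, claims: dict) -> str:
    """Constructed token: canonical JSON body plus an HMAC in place of a real signature."""
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_token(key: bytes, token: str) -> dict:
    """Accept the token only if it was issued under a key the verifier trusts."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("token not issued by a trusted issuer")
    return json.loads(body)

class STS:
    """Brokers trust: verifies tokens from issuers it trusts and issues tokens under
    its own key, which the next party in the chain trusts."""
    def __init__(self, name: str, own_key: bytes, trusted_issuers: dict):
        self.name, self.key, self.trusted = name, own_key, dict(trusted_issuers)

    def exchange(self, token: str, issuer: str, target_type: str) -> str:
        if issuer not in self.trusted:
            raise PermissionError(f"{self.name} has no trust relationship with {issuer}")
        claims = verify_token(self.trusted[issuer], token)
        return sign_token(self.key, {"type": target_type, "subject": claims["subject"],
                                     "issuer": self.name, "via": claims["issuer"]})

# Constructed keys for three domains: Shibboleth IdP, federation STS, grid STS.
IDP_KEY, FED_STS_KEY, GRID_STS_KEY = b"idp-secret", b"fed-sts-secret", b"grid-sts-secret"
FED_STS = STS("fed-sts", FED_STS_KEY, {"idp.example": IDP_KEY})
GRID_STS = STS("grid-sts", GRID_STS_KEY, {"fed-sts": FED_STS_KEY})  # trusts fed-sts, not the IdP

def idp_assertion(subject: str) -> str:
    """What a non-browser user agent would obtain from the IdP (SAML stand-in)."""
    return sign_token(IDP_KEY, {"type": "saml", "subject": subject, "issuer": "idp.example"})

def obtain_grid_token(subject: str) -> dict:
    """Delegated trust chain: IdP SAML -> federation STS -> grid STS -> grid service,
    which verifies against the grid STS key only."""
    saml = idp_assertion(subject)
    fed_token = FED_STS.exchange(saml, "idp.example", "saml")
    grid_token = GRID_STS.exchange(fed_token, "fed-sts", "x509-proxy")
    return verify_token(GRID_STS_KEY, grid_token)
```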