
Identity Management, PKI and Grids



  1. Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham

  2. Acknowledgments • NSF ANI-0330543 “NMI Enabled Open Source Collaboration Tools for Virtual Organizations” (Jill Gemmill, John-Paul Robinson) • N01-LM-3-3513 Advanced Network Infrastructure for Health & Disaster Management (Orthner, Terndrup, Grimes, Gemmill) • Office of the VPIT and IT Academic Computing • Von Welch, Tom Scavo (NCSA/UIUC) • Internet2 MACE and MLIST Working Group members • Serge Aumont, Olivier Salaun, CRU • Members of MACE-MLIST Working Group

  3. A little background • UAB history in centralized identity management & early interest in PKI but is today LDAP-based username/password • UAB participation in NMI Testbed • Met Shibboleth and Globus Toolkit • What would it take to integrate these tools with applications in a manner useful to research collaborations? (ie, VO’s) • UAB entering High-Performance Computing community via faculty acquisitions: an application focused group and a computing research group.

  4. What’s a Virtual Organization? • A set of collaborators bound together by a project of common interest • very large scale science projects eg: Teragrid • Half a dozen or so collaborators in a funded multidisciplinary project • Physicians at 60 cancer centers wanting to share clinical data to increase N or focus on special sub-populations • An Internet2 Working Group; a conference planning committee. • In general, VO members are from different institutions

  5. About Grid Security Infrastructure (GSI) • Grids (Foster, Kesselman) • Purpose: to support research VO’s • Implementation: NMI GRIDS Globus Toolkit • Keys distributed to each end user; client-server, non-web requirements • PKI based security infrastructure uses X.509 Certificate • Surely global PKI is almost here • Authorization to be dealt with later • KEY INSIGHT: separation of identity from system-specific account.

  6. Grid Authorization • Today, Globus Toolkit provides identity-based authorization mechanisms: • Access control lists (called grid-mapfiles) map DNs to local identity (e.g., Unix logins) • Community Authorization Service (CAS) • PERMIS and VOMS
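The grid-mapfile named above is the identity-based ACL that the rest of the talk argues does not scale. The following is an added example, not code from the Globus Toolkit or from the talk: it parses the classic grid-mapfile layout (a double-quoted subject DN, whitespace, one or more comma-separated local accounts, '#' comments) and resolves an authenticated DN to a local login. The DNs, accounts and file contents are constructed; exact-match DN comparison after trimming is a choice made here, not a statement about how Globus normalizes DNs.

```python
"""Resolve an X.509 subject DN to a local account through a grid-mapfile.

Added example, not code from the Globus Toolkit or from the talk. It assumes
the classic grid-mapfile layout: one entry per line, the subject DN in double
quotes, then whitespace and one or more comma-separated local user names,
with '#' starting a comment. The DNs and accounts below are constructed.
"""
import re

# Matches: "<DN, may contain spaces>"  account1,account2
_ENTRY = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>\S+)\s*$')

SAMPLE_GRIDMAP = """\
# constructed sample grid-mapfile
"/C=US/O=Example Grid/OU=Physics/CN=Alice Researcher" alice
"/C=US/O=Example Grid/OU=Physics/CN=Bob Builder" bob,physics
"/C=US/O=Example Grid/OU=Ops/CN=Alice Researcher" ops-alice
"""


def parse_gridmap(text):
    """Return {dn: [accounts...]}; a DN listed twice accumulates its accounts."""
    gridmap = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            # Refuse to guess: a malformed ACL line is a configuration error,
            # not something to skip silently (skipping could drop a mapping
            # or, worse, let a later sloppy edit widen one).
            raise ValueError(f"grid-mapfile line {lineno}: cannot parse {raw!r}")
        accounts = [a for a in m.group("accounts").split(",") if a]
        gridmap.setdefault(m.group("dn"), []).extend(accounts)
    return gridmap


def map_dn(gridmap, subject_dn, requested=None):
    """Map an authenticated subject DN to a local account, or None if not authorized.

    The whole DN is the key, so two certificates with the same CN but different
    OUs are different principals. Matching is exact after trimming whitespace
    (a choice made for this example). The first listed account is the default;
    a caller may ask for another account only if the mapfile lists it for that DN.
    """
    accounts = gridmap.get(subject_dn.strip())
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    print(map_dn(gm, "/C=US/O=Example Grid/OU=Physics/CN=Bob Builder", "physics"))
```

Every resource that uses this mechanism carries its own copy of the file, so adding one collaborator to a VO means editing the mapfile on every resource the VO uses; that is the maintenance burden slides 10 to 12 refer to.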

  7. Early UAB NMI Testbed work: • Using pubcookie (web-enabled single sign on) for grid authentication – similar to UVa • Components: • Web-based grid portal (OGCE) • Web-based CA (PHPKI) • Secure end-user certificate repository • Details: Robinson, J.-P., Gemmill, J., et al. (2005). Web-Enabled Grid Authentication in a Non-Kerberos Environment. In 6th IEEE/ACM International Workshop on Grid Computing.

  8. Central Challenges: • Authorization based on VO membership requires: • Cross-domain authentication (leverage distributed identity management) • The “member of VO XYZ” attribute is certainly central to access control • The VO is authoritative for its own membership assignment & roles • Should work for both web and non-web applications

  9. What Cross-Domain Security Architectures Exist? • GRIDS • Digital Certificates (X.509 / PKI) • Cross-domain trust can be managed scalably through Bridged CAs • Carry only a user identifier (DN) • FEDERATIONS (SAML, Shibboleth, WS-Security) • Digitally signed security assertions • Carry Identity, AuthN method, other attributes
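The federation side of the slide rests on the service provider checking a signed assertion before believing any attribute in it. The following is an added example, not Shibboleth or SAML code and not from the talk: real assertions are XML signed with XML-DSig under the IdP's X.509 key, whereas this stand-in signs a JSON body with HMAC-SHA256 under a per-IdP secret so that it runs with the standard library alone. The acceptance checks it performs (issuer known from federation metadata, signature over the exact bytes received, validity window, audience restriction) are the ones that matter regardless of the signature mechanism. Entity IDs, the signing key and attribute values are constructed; the AuthN method URN is the SAML 1.x password identifier.

```python
"""Verify a signed security assertion the way a federation SP must.

Added example, not code from Shibboleth or the talk. A JSON body plus
HMAC-SHA256 stands in for SAML XML plus XML-DSig; entity IDs, keys and
attribute values are constructed.
"""
import base64
import hashlib
import hmac
import json

IDP_ENTITY_ID = "https://idp.example.edu/shibboleth"            # constructed
SP_ENTITY_ID = "https://wiki.vo-xyz.example.org/shibboleth"     # constructed
IDP_KEY = b"constructed-demo-signing-key-for-idp.example.edu"  # constructed


class RejectedAssertion(Exception):
    """Raised when an assertion fails any acceptance check."""


def _canonical(body):
    # Deterministic serialization so signer and verifier hash the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(body, key):
    """IdP side: sign the canonical bytes and ship bytes and signature together."""
    payload = _canonical(body)
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return {"payload": base64.b64encode(payload).decode(),
            "signature": base64.b64encode(sig).decode()}


def verify_assertion(signed, trusted_issuers, audience, now):
    """SP side: return the assertion body only if every check passes."""
    payload = base64.b64decode(signed["payload"])
    body = json.loads(payload)
    # 1. The issuer selects the key; an issuer absent from federation metadata is rejected.
    key = trusted_issuers.get(body.get("issuer"))
    if key is None:
        raise RejectedAssertion("issuer not in federation metadata")
    # 2. Verify the signature over the exact bytes received before trusting any field.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(signed["signature"])):
        raise RejectedAssertion("signature does not verify")
    # 3. Validity window: short-lived assertions bound replay.
    if not (body["not_before"] <= now < body["not_on_or_after"]):
        raise RejectedAssertion("assertion outside its validity window")
    # 4. Audience restriction: an assertion issued for another SP is not ours to accept.
    if audience not in body["audience"]:
        raise RejectedAssertion("assertion not addressed to this SP")
    return body


def build_sample(now, issuer=IDP_ENTITY_ID, key=IDP_KEY):
    """Constructed assertion carrying identity, AuthN method and attributes."""
    return sign_assertion({
        "issuer": issuer,
        "subject": "alice@example.edu",
        "authn_method": "urn:oasis:names:tc:SAML:1.0:am:password",
        "audience": [SP_ENTITY_ID],
        "not_before": now - 60,
        "not_on_or_after": now + 300,
        "attributes": {"eduPersonPrincipalName": ["alice@example.edu"],
                       "eduPersonAffiliation": ["member", "faculty"]},
    }, key)


def accepts(signed, trusted, audience, now):
    try:
        verify_assertion(signed, trusted, audience, now)
        return True
    except RejectedAssertion:
        return False


def demo(now=1_700_000_000):
    """Exercise the checks; returns which variants the SP accepts."""
    trusted = {IDP_ENTITY_ID: IDP_KEY}
    good = build_sample(now)
    # Attacker edits the body to claim VO membership without re-signing.
    body = json.loads(base64.b64decode(good["payload"]))
    body["attributes"]["isMemberOf"] = ["VO-XYZ"]
    tampered = {"payload": base64.b64encode(_canonical(body)).decode(),
                "signature": good["signature"]}
    # A self-declared IdP outside the federation signs with its own key.
    rogue = build_sample(now, issuer="https://rogue-idp.example.net/shibboleth",
                         key=b"rogue-key")
    return {
        "valid": accepts(good, trusted, SP_ENTITY_ID, now),
        "tampered_attributes": accepts(tampered, trusted, SP_ENTITY_ID, now),
        "expired": accepts(good, trusted, SP_ENTITY_ID, now + 3600),
        "wrong_audience": accepts(good, trusted, "https://other-sp.example.org/shibboleth", now),
        "untrusted_issuer": accepts(rogue, trusted, SP_ENTITY_ID, now),
    }
```

Only the first variant in `demo()` is accepted. The same window check is what makes the short-term credentials issued by the GridShib CA (slide 38) safe to cache on a desktop: a leaked credential is useful only until `not_on_or_after`.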

  10. Don’t Existing Solutions Provide What Is Needed by VO’s? (No!) • Single Domain solutions inadequate • End-user certificate distribution and management has proven to be troublesome and non-scalable • Essential VO (Group) Membership information not provided consistently by either one • Most collaboration tools accessed by web browser (not client software w. certificate)

  11. Observation 1 • The size and vast number of VOs makes it difficult for administrators to manage the identity of each user in the VO (and VO members don’t want more passwords to remember) • Goal: Leverage existing identity management infrastructure • eduPerson/Shibboleth infrastructure appeared promising for identity management

  12. Observation 2 • Identity-based access control methods are inflexible and do not scale • Goal: Use attribute-based access control • Shibboleth, an attribute transport mechanism linked to identity management, appeared promising

  13. Observation 3 • The most important attribute for VOs is: “member of VO-XYZ” • Who is authoritative for VO attributes? • The enterprise? (No) • The VO? (Yes!) • How are VO attributes created? • Where are VO attributes stored?

  14. myVocs Overview (my Virtual Organization Collaboration System) • myVocs Manages Attributes

  15-19. A Look Inside myVocs (diagram, built up over five slides). Components labelled: the myVocs VO Attribute Authority, holding Users, VOs, VO Members and VO Roles; a VO Space containing the VO IdP and one VO SP per application (MailList, Wiki, CMS, Your App); and a myVocs Shibboleth SP through which users arrive from external IdPs (UAB IdP, U. Chicago IdP, UIUC IdP, openidp.org IdP).

  20. myVocs Membership Management Tool: Sympa • Mailing lists are central to Collaborations • Specify a collection of individuals • Define useful member roles • Generally autonomous • Sympa mailing list software supports Shibboleth • Sympa has an excellent web-based user interface • Sympa developers were active collaborators

  21-34. Shibboleth Drives myVocs (animated diagram, built up over fourteen slides). Components labelled: Client Web Browser; CMS behind a VO SP; VO IdP with WAYF; ID SP (the myVocs Shib SP); an Identity Federation of Shib IdPs plus openidp.org; VO Attribs held by myVocs. The builds step through the browser's redirect chain across these components; later builds label the Identity Attributes returned from the user's home IdP and the VO Attribs that myVocs supplies to the VO IdP before the VO SP admits the browser to the CMS.

  35. myVocs automatically provisions • Application instances (one set per VO) • Accounts, based on VO membership and roles

  36. What is GridShib? • Authentication: GridShib leverages the existing authentication mechanisms in GT (GSI) • Authorization: GridShib adds attribute-based authorization to Globus Toolkit, using attributes obtained via Shibboleth
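Slides 12 and 13 state the two rules that the decision point has to enforce: access is decided on attributes rather than on a DN, and only the VO (not the home enterprise) is authoritative for "member of VO-XYZ". The following is an added example, not code from myVocs, GridShib or the talk, of a decision point (a VO SP, or a grid service doing GridShib-style attribute authorization) that receives attributes from two issuers and trusts each only for the attributes it is authoritative for. Entity IDs, the policy, the sample users and the `voRole` attribute name are constructed; `isMemberOf` is the eduMember attribute.

```python
"""Attribute-based authorization with source-scoped authority.

Added example, not code from myVocs, GridShib or the talk. Entity IDs, the
policy rules, the sample users and the attribute name 'voRole' are constructed.
"""

# Which attribute names each issuer is authoritative for (an assumption of the example):
# the home IdP for identity attributes, the VO attribute authority for membership and roles.
AUTHORITY = {
    "https://idp.example.edu/shibboleth": {"eduPersonPrincipalName", "eduPersonAffiliation"},
    "https://myvocs.example.org/vo-aa": {"isMemberOf", "voRole"},
}

# Policy rules: every listed (attribute, value) pair must be present to match.
POLICY = [
    {"resource": "wiki", "action": "read",
     "require": {"isMemberOf": "VO-XYZ"}},
    {"resource": "wiki", "action": "write",
     "require": {"isMemberOf": "VO-XYZ", "voRole": "VO-XYZ:editor"}},
    {"resource": "cluster", "action": "submit",
     "require": {"isMemberOf": "VO-XYZ", "eduPersonAffiliation": "member"}},
]


def aggregate(attribute_sets):
    """Merge (issuer, {name: [values]}) pairs, keeping only attributes the issuer may assert.

    Returns ({name: set(values)}, [(issuer, name) pairs that were dropped]) so a
    deployment can log what it refused to believe.
    """
    merged, dropped = {}, []
    for issuer, attrs in attribute_sets:
        allowed = AUTHORITY.get(issuer, set())
        for name, values in attrs.items():
            if name in allowed:
                merged.setdefault(name, set()).update(values)
            else:
                dropped.append((issuer, name))
    return merged, dropped


def authorize(attrs, resource, action):
    """True if some policy rule for (resource, action) is satisfied by attrs."""
    for rule in POLICY:
        if rule["resource"] != resource or rule["action"] != action:
            continue
        if all(value in attrs.get(name, set()) for name, value in rule["require"].items()):
            return True
    return False


def decide(attribute_sets, resource, action):
    attrs, _ = aggregate(attribute_sets)
    return authorize(attrs, resource, action)


# Constructed sample inputs: what each issuer asserted about the user.
ALICE = [
    ("https://idp.example.edu/shibboleth",
     {"eduPersonPrincipalName": ["alice@example.edu"],
      "eduPersonAffiliation": ["member", "faculty"]}),
    ("https://myvocs.example.org/vo-aa",
     {"isMemberOf": ["VO-XYZ"], "voRole": ["VO-XYZ:editor"]}),
]

# Bob's campus IdP asserts VO membership on its own; the VO attribute
# authority does not list him, so that claim is dropped and he is denied.
BOB = [
    ("https://idp.example.edu/shibboleth",
     {"eduPersonPrincipalName": ["bob@example.edu"],
      "eduPersonAffiliation": ["member"],
      "isMemberOf": ["VO-XYZ"]}),
]

if __name__ == "__main__":
    print(decide(ALICE, "wiki", "write"), decide(BOB, "wiki", "read"))
```

Compared with a grid-mapfile, adding a collaborator changes one record at the VO attribute authority rather than a file on every resource, and the resource never needs to know the user's DN at all.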

  37. Software Components • GridShib for Globus Toolkit • A plugin for GT 4.0 • GridShib for Shibboleth • A plugin for Shibboleth 1.3 IdP • GridShib CA • A web-based CA for new grid users • Visit the GridShib Downloads page: http://gridshib.globus.org/download.html

  38. GridShib CA • The GridShib Certificate Authority is a web-based CA for new grid users: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority • The GridShib CA is protected by a Shib SP and backed by the MyProxy Online CA • The CA issues short-term credentials suitable for authentication to a Grid SP • Credentials are downloaded to the desktop via Java Web Start

  39. Results of Integration

  40. What we have enabled • Turn-key Grid VO creation through the integration of GridShib and myVocs • myVocs is used to create and manage VOs • GridShib allows myVocs users to create Grid credentials and access Grid resources • Grid resources obtain the user's VO attributes from myVocs and grant access based on them

  41-45. GridShib CA (diagram, built up over four slides) • 42. User registers with myVocs, authenticating at a home identity provider • 43. VO admin adds user to VO • 44. Grid logon: identity authentication yields a Grid Id and Grid credentials • 45. Grid service invocation presents the Grid Id, the Grid credentials and the VO attributes

  46. Remaining Challenges • Name binding on a global scale • Attribute aggregation • Defining VO membership, roles and attributes • Group and role management • UAB is currently working on a Shibbolized, GridShib CA-integrated version of the GridSphere portal (also in Australia)

  47. Questions? For more information: • GridShib: http://gridshib.globus.org/ • myVocs: http://www.myvocs.org/ • Email: jgemmill@uab.edu jpr@uab.edu tscavo@ncsa.uiuc.edu vwelch@ncsa.uiuc.edu
