Apache Airavata Credential Store

Post on 22-Nov-2014


description

Airavata Credential Store paper presentation by Amila Jayasekara at the Cluster Cloud and Grid Computing Conference - CCGrid 2014.

transcript

A Credential Store for Multi-Tenant Science Gateways

Thejaka Kanewala, Suresh Marru, Jim Basney, Marlon Pierce

Agenda

Terminology
Problems / Challenges
Solutions proposed

Science Gateways

Computationally expensive experiments are run on resources such as Grids and Clouds.

Science Gateways …
Hide the complexities of using the underlying cyberinfrastructure resources.
Provide a domain-specific user interface to scientists.
Help scientists build communities: create experiments, share experiments, share data …

Organization of a Science Gateway

Organization of a Science Gateway (contd …)

Front end portal: science domain specific Web User Interface (UI).
Middleware: bridges the communication between the front end portal server and the backend computational resources. Implements other application logic (provenance data management, application execution, storing metadata, processing results from execution, etc …).
Backend resources.

Challenges

1. Resource credential delegation.
2. Management of heterogeneous credentials associated with grids, clouds and local resources.
3. Management of gateway credentials in an isolated manner in a middleware that supports multiple gateways.
4. Maintaining accountability at the resource.

Problem 1. Resource Credential Delegation

Problem 1. Resource Credential Delegation (Community Account)

Resource Credential Delegation (contd …)

How to solve?
Hand over credentials to the gateway user.
Hard code resource credentials at the middleware layer. Each time the gateway administrator retrieves credentials, they need to update them in the middleware. Hard coding credentials in the file system requires changing configuration files in the middleware, and also needs additional mechanisms to secure the passwords.

Problem 2. Heterogeneous Credentials

The gateway middleware connects various types of resources: Clouds, Grids, Local Clusters.
Different resources have different authentication mechanisms: MyProxy based authentication; SSH password or key based authentication.
Incorporating a new authentication mechanism should not require changes to the middleware.

Problem 3. Multi-Tenancy

Multiple science gateways connect to a single gateway middleware.
Need to make sure the credentials used by one gateway do not interfere with another gateway.
Proper isolation between gateways is needed when multiple gateways share the middleware.

Problem 4. Maintain Accountability at the Resource

Maintain comprehensive audit records at the resource. In a disaster, the resource should be able to find out which user is responsible by looking at its own records, without consulting the gateway middleware.
The middleware should supply the experiment-invoking user's attributes to the resource.

Credential Store

A secure, generic data store to maintain heterogeneous authentication data.
Utilities to perform delegation and key generation.
A pluggable module for the gateway middleware.
Involves 3 main operations: gateway registration, persisting credentials, and querying credentials during application invocation.

Credential Store – Gateway Registration

Multiple science gateways need to operate in isolation from each other.
Each gateway portal server establishes trust with the gateway middleware using TLS mutual authentication.

Credential Store – Credential Persistence

Capable of handling different types of credentials. Each credential type is stored as a serialized byte stream in the store.
Credentials are stored in a secure manner, secured at 3 layers:
Each entry is encrypted using a key derived from the gateway id and a token.
The database authentication mechanism is used to restrict access to database records.
Data files are secured with proper Unix file permissions.
Each action on the credential store is recorded in an audit log.

Credential Store – Credential Persistence (contd …)

Credential Store – Credential Persistence (contd …)

Different mechanisms to persist credentials:
Delegation based credential persistence.
Key generation based credential persistence.
Credential persistence by manually invoking the credential store service API.

Delegation Based Persistence

Mainly used for MyProxy credentials.
Uses the OAuth protocol to delegate credentials into the Credential Store, using OA4MP.

Key Generation Based Persistence

Some resources only support SSH keys.
Most of the time users don't want to persist their SSH keys in a third party store.
Generate SSH keys within the Credential Store and hand over the public key to the user.
One time manual step: the user needs to install the given public key on the resource.

Raw Credential Persistence

If there is no support for delegation based credential persistence, direct credential deposit can be used.

Credential Retrieval

Given the token id, read credentials from the Credential Store.
Decorates retrieved credentials (certificates) with the actual user attributes (MyProxy only).

Credential Renewal

When persisting credentials, the lifetime of the credential is extracted and stored in a separate column.
The Credential Store periodically checks the validity of credentials.
Owners are notified of credentials that are near expiry.
MyProxy: register the gateway middleware as a trusted renewer in the MyProxy server, and use the gateway middleware credentials to renew other credentials.
SSH keys do not expire: a mechanism is provided to remove credentials from the Credential Store.
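As an added example, not Airavata's own code, the constructed Python model below ties together the Credential Persistence and Credential Renewal slides: entries keyed per gateway so one tenant cannot read another's, an entry key derived from the gateway id and token, an audit record for every action, and the stored lifetime checked for near-expiry. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, assumed here as a stand-in for a real AEAD such as AES-GCM; an in-memory dict stands in for the relational database, and the lifetime is assumed to be given in seconds.

```python
import hashlib, hmac, os, time

def derive_key(gateway_id: str, token: str, salt: bytes) -> bytes:
    # Entry key derived from gateway id and token (PBKDF2-HMAC-SHA256, per-entry salt).
    return hashlib.pbkdf2_hmac("sha256", f"{gateway_id}:{token}".encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; a stand-in for AES, not a production cipher.
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()   # encrypt-then-MAC
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"tag" + nonce + ct, "sha256").digest(), tag):
        raise ValueError("credential record failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class CredentialStore:
    def __init__(self):
        self.rows = {}    # (gateway_id, token) -> {salt, blob, expires_at}
        self.audit = []   # one record per action on the store

    def persist(self, gateway_id, token, credential: bytes, lifetime_s: float):
        salt = os.urandom(16)
        self.rows[(gateway_id, token)] = {
            "salt": salt,
            "blob": seal(derive_key(gateway_id, token, salt), credential),
            "expires_at": time.time() + lifetime_s}   # lifetime kept in its own column
        self.audit.append(("persist", gateway_id, token))

    def retrieve(self, gateway_id, token) -> bytes:
        row = self.rows.get((gateway_id, token))   # keyed per gateway: no cross-tenant reads
        self.audit.append(("retrieve", gateway_id, token, row is not None))
        if row is None:
            raise KeyError("no such credential for this gateway")
        return open_sealed(derive_key(gateway_id, token, row["salt"]), row["blob"])

    def expiring_within(self, gateway_id, seconds: float):
        # Periodic check: tokens whose credential expires within the window, for notification.
        now = time.time()
        return sorted(t for (g, t), r in self.rows.items()
                      if g == gateway_id and r["expires_at"] - now <= seconds)
```

A tampered record fails the tag check before any plaintext is returned, and a token belonging to another gateway is simply not found.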

Credential Store – High-level Architecture

Implementation

Implemented as a module in the Apache Airavata gateway middleware.
Credentials are stored in a relational database.
Implemented using Java and related security packages.
Available in the Apache Airavata 0.11 release.

Next …

Incorporate audit log integrity.
Incorporate other delegation mechanisms such as OpenID, etc …
Possible delegation mechanisms for SSH keys.

Thank you!

Q/A