
GridShib: Campus/Grid RBAC Integration

GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids

October 3rd, 2005

Von Welch

vwelch@ncsa.uiuc.edu

Oct 3rd, 2005, GGF15 (slide 2)

What is GridShib
• NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under NSF award SCI-0438424
• GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team


Motivation
• Many Grid VOs are focused on science or business other than IT support
  – Don't have expertise or resources to run security services
• Allow for leveraging of Shibboleth code and deployments run by campuses


Outline
• Overview of Shibboleth
• Overview of Globus/Grid PKI
• Approach
• Status and Future Plans


Campus Infrastructure
(Diagram: a campus user asks to "Check out book…" and to "Access student records…"; the campus services ask "Student?" and "Is student John Smith?")

(Diagram: the same "Check out book…" request, annotated with the obstacles it meets: different protocols, privacy, different schemas)


Shibboleth
• http://shibboleth.internet2.edu/
• Internet2 project
• Allows for inter-institutional sharing of web resources (via browsers)
  – Provides attributes for authorization between institutions
• Allows for pseudonymity via temporary, meaningless identifiers called 'Handles'
• Standards-based (SAML)
• Being extended to non-web resources


SAML Authn/Authz
(Diagram: uses SAML to express identity and attributes, to allow for interoperability; uses short-lived identifiers to protect the privacy of users.)


(Diagram: the "Check out book…" request with Shibboleth: the user is known to the service only by a pseudonymous identifier, and the attribute "Is a student" is tied to that pseudonymous identifier.)


Shibboleth
• Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services
• SSO: authenticates user locally and issues authentication assertion with Handle
  – Assertion is short-lived bearer assertion
  – Handle is also short-lived and non-identifying
  – Handle is registered with AA
• Attribute Authority responds to queries regarding handle


Shibboleth
• Service Provider composed of Assertion Consumer and Attribute Requestor
• Assertion Consumer parses authentication assertion
• Attribute Requestor: requests attributes from AA
  – Attributes used for authorization
• Where Are You From (WAYF) service determines user's Identity Provider


Shibboleth (Simplified)
(Diagram: the Shibboleth IdP contains the SSO and the AA, the AA backed by an attribute store such as LDAP; the Shibboleth SP contains the ACS and the AR. The Handle issued by the SSO reaches the SP's ACS, the SP's AR presents the Handle to the AA, and the AA returns Attributes; the exchanges are carried in SAML.)


Globus Toolkit
• http://www.globus.org
• Toolkit for Grid computing
  – Job submission, data movement, data management, resource management
• Based on Web Services and WSRF
• Security based on X.509 identity- and proxy-certificates
  – May be from conventional or on-line CAs
• Some initial attribute-based authorization


Grid PKI
• Large investment in PKI at the international level for Grids
  – TAGPMA, GridPMA, APGridPMA
  – Dozens of CAs, thousands of users
• Really painful to establish
• But it's working…
  – And it's not going away easily


Integration Approach
• Conceptually, replace Shibboleth's handle-based authentication with X509
  – Provides stronger security for non-web-browser apps
  – Works with existing PKI install base
• To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible


Use Cases
• Project leveraging campus attributes
  – Simplest case
• Project-operated Shib service
  – Project operates own service, conceptually easy, but not ideal
• Campus-operated, project-administered Shib
  – Ideal mix, but need mechanisms for provisioning of attribute administration


GridShib (Simplified)
(Diagram: the Shibboleth IdP with its SSO and AA as before, but the user's X.509 DN takes the place of the Handle: the DN is presented to the Grid service over SSL/TLS or WS-Security, the service queries the AA by DN, and the AA returns Attributes in SAML.)


Authorization
• Delivering attributes is half the story…
• Currently have a simple authorization mechanism
  – List of attributes required to use service or container
• Developing finer-grain authorization for GRAM
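As an added example, not code from the GridShib project: a Grid service's view of the DN-keyed flow from the Integration Approach slide and the "list of attributes required to use a service" check from this slide. It assumes a constructed SAML 1.1 attribute assertion whose subject is the X.509 DN the service already authenticated, and checks the assertion's validity window and subject before applying a constructed per-service policy (signature verification is left out).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
NS = {"saml": SAML}
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"

# Constructed sample AA reply keyed by the user's X.509 DN (not from the project).
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" AssertionID="constructed-1"
    Issuer="idp.example.edu" IssueInstant="2005-10-03T10:00:00Z">
  <saml:Conditions NotBefore="2005-10-03T10:00:00Z" NotOnOrAfter="2005-10-03T10:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="{X509_FORMAT}">/C=US/O=Example Campus/CN=Jane Doe</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="{AFFILIATION}"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_attributes(xml_text, authenticated_dn, now):
    # Reject the assertion unless it is inside its (short) validity window and its
    # subject is the DN already authenticated over SSL/TLS or WS-Security.
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    stmt = root.find("saml:AttributeStatement", NS)
    nid = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if nid.get("Format") != X509_FORMAT or nid.text.strip() != authenticated_dn:
        raise ValueError("assertion subject does not match the authenticated DN")
    attrs = {}
    for a in stmt.findall("saml:Attribute", NS):
        attrs.setdefault(a.get("AttributeName"), set()).update(
            v.text.strip() for v in a.findall("saml:AttributeValue", NS))
    return attrs

# Constructed policy in the style of the "list of attributes required to use a
# service" mechanism: every (name, value) pair listed must be present.
SERVICE_POLICY = {"job-service": [(AFFILIATION, "student")]}

def authorized(service, attrs):
    required = SERVICE_POLICY.get(service)
    if required is None:
        return False  # no policy for this service: default deny
    return all(value in attrs.get(name, set()) for name, value in required)
```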


Authorization Plans
• Develop authorization framework in Globus Toolkit
  – Siebenlist et al. at Argonne
  – Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions
• Work in OGSA-Authz WG to allow for callouts to third-party authorization services
  – e.g. PERMIS
• Convert Attributes (SAML or X509) into common format for policy evaluation
  – XACML-based


GridShib Status
• Beta release publicly available
• Drop-in addition to GT 4.0 and Shibboleth 1.3
• Project website:
  – http://gridshib.globus.org
• Very interested in feedback


Future Plans
• Integration of GridShib with MyProxy Online CA
  – Allow for use of Grid Resources by users without long-term X509 credentials
  – Collaboration with Jim Basney
• Signet/Grouper integration for distributed attribute administration
  – See Tom Barton's talk


Questions?
• My email:
  – vwelch@ncsa.uiuc.edu
• Project website:
  – http://gridshib.globus.org