Attribute-based Authentication for Gateways
Jim Basney, Terry Fleury, Stuart Martin, JP Navarro, Tom Scavo, Nancy Wilkins-Diehr
Gateway Objectives for PY4 and 5
•TeraGrid integration will be straightforward for new and existing gateway developers
•There will be a set of easy to discover general services provided by and for Gateways
•The targeted support program will be well-organized
•We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users
•There will be a funded cross-directorate gateway program at the NSF
Presented December, 2007
We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users
•A unique identifier for each end gateway user per community account must exist in TGCDB
•Gateways will need to transmit and TGCDB will need to receive this additional identifier through any job submission mechanism
•Attribute-based authentication in production and easy to use
How will we meet those goals?
• Attribute-based authentication
  – In our case, GridShib for Globus
  – Fantastic documentation and assistance
    Thanks Jim Basney, Tom Scavo, Terry Fleury
  – http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
How have we been moving toward those goals in 2008?
• Q108
  – GridShib SAML Tools released for gateways with documentation
  – Successfully tested VOMS/SAML for OSG/TG interop
  – GridShib for Globus Toolkit released for RPs
• Q208
  – TeraGrid 08
    • Tutorial, poster, BoF, demo for gateways at working group meeting
  – GridShib SAML integrated into SimpleGrid
• Q308
  – Provided a testing mechanism for Science Gateways to verify they are including attributes correctly (http://gstest.ncsa.uiuc.edu/)
  – Provided documentation for CTSS Gateway Capability Kit to GIG Packaging Team
  – Published GridShib configuration file for TG RPs
• Q408
  – Rollout CTSS Gateway Capability Kit for preliminary testing at TG RPs
  – Engage with additional Science Gateways to incorporate attributes into their job submissions
  – Update GT GRAM Audit capabilities to support recording of gateway job attributes
How will this be made available at RP sites?
science-gateway CTSS kit, which includes
• commsh
  – NCSA-developed, PSC-enhanced tool to restrict community accounts
  – http://security.ncsa.uiuc.edu/research/commaccts/docs/howto.php
• GridShib for Globus Toolkit
  – NCSA-developed tool to collect, process, store and log attributes
    • Future TG-specific efforts will store these in the TGCDB
  – http://gridshib.globus.org/
• Kit name for information services lookup at http://info.teragrid.org
  – science-gateway.teragrid.org
• Installation instructions
  – http://software.teragrid.org/pacman/ctss4/ctss-science-gateway-registration/README.install
Who’s expressed interest in deploying the gateway kit in PY4?
Resource          SGW Support
IU BigRed         X
IU Quarry
LONI QueenBee     X
NCAR Frost
NCSA Abe          X
NCSA Cobalt       X
NCSA Mercury      X
NICS Kraken
ORNL NSTG         X
PSC BigBen        X
PSC Pople         X
Purdue Condor     X
Purdue Steele     X
SDSC DTF          X
TACC LoneStar     X
TACC Maverick     X
TACC Ranger       X
UC/ANL DTF        X
UC/ANL Vis        X
Results of survey conducted by Lee Liming and team, sent to tg-leads 8/13/08
Who’s expressed interest in testing the gateway kit in PY4?
Resource          SGW Support
TACC LoneStar     X
NCSA Mercury      X
This talk is to remind the TeraGrid team of the higher-level goals and the importance of the work, and to generate interest in testing so we can meet our goals!
Ambitious, but achievable goal
•By September, 2009 all jobs submitted by community accounts will include attributes with unique user identifiers to be stored in the TGCDB
• Next steps
  – RP testing through Feb 2009
  – Globus Toolkit 4.0.9 released Feb 2009
  – Capability Kit V2 released Mar 2009
  – Production installations of Capability Kit V2
  – 6-month gateway transition – March through August
    • News postings, education process, log analysis to identify who still needs to make the switch, lots of support
  – Big party in September!
What would we like to happen next?
• More RPs for testing
  – What does testing mean? (identify a node, install Capability Kit V1, work one-on-one with NCSA to test)
  – What’s the impact on a site? (admin needed to install and test GT 4.0.8 + GridShib for GT)
  – What’s the impact on Globus performance? (negligible)
  – Real focus on this through February
• More gateways for testing
  – GISolve, nanoHUB and SimpleGrid have done some tests already
    • Nancy, Stu can identify gateways
  – Real focus on this, increasing over the summer
• Where do you sign up?
  – Email [email protected] (RPs) or [email protected] (gateways)
  – Help is available!
Community Account Usage by Site in 2008
Over 2M CPU hours used by community accounts in 2008