Tutorial: Building Science Gateways

1
TutorialBuilding Science Gateways

• TeraGrid 08
• Tom Scavo, Jim Basney , Terry Fleury, Von Welch
• National Center for Supercomputing Applications
• June 9, 2008

2
GridShib _at_ TeraGrid 08

• Tutorial Building Science Gateways
• Mon, 800am1200pm
• Birds-of-a-Feather Session Attribute-based
  Auditing and Authorization for Science Gateways
• Wed, 530630pm
• Poster Session A Federated Identity Model for
  Science Gateways
• Wed, 630830pm
• Science Gateways Working Group Session
• Thu, 300430pm

3
The Science Gateway Use Case

• A browser user authenticates to a grid portal. 
  The portal issues a proxy certificate and
  initiates a grid request on behalf of the user

4
Classic Science Gateway
A science gateway is a convenient intermediary
between a browser user and a grid resource
provider.
Web Browser
WebAuthn
Web Interface
Java WS Container
WS GRAM Client
WS GRAM Service
Webapp
community credential
community account
Key
Resource Provider
Science Gateway
5
Classic Science Gateway
Each gateway is issued a community credential
that uniquely identifies the gateway.
Web Browser
WebAuthn
Web Interface
Java WS Container
WS GRAM Client
WS GRAM Service
Webapp
community credential
community account
Key
Resource Provider
Science Gateway
6
Classic Science Gateway
Resource providers associate the community
credential with a local community account.
Web Browser
WebAuthn
Web Interface
Java WS Container
WS GRAM Client
WS GRAM Service
Webapp
community credential
community account
Key
Resource Provider
Science Gateway
7
Classic Science Gateway
To submit a job, a browser user typically
authenticates to the gateway by presenting a
username and password.
Web Browser
WebAuthn
Web Interface
Java WS Container
WS GRAM Client
WS GRAM Service
Webapp
community credential
community account
Key
Resource Provider
Science Gateway
8
Classic Science Gateway
The gateway then issues a short-lived proxy
credential signed by its community credential.
Web Browser
WebAuthn
Web Interface
Java WS Container
WS GRAM Client
WS GRAM Service
Webapp
proxy credential
community credential
community account
Key
Key
Resource Provider
Science Gateway
9
Classic Science Gateway
The gateway submits the job on the users behalf,
authenticating as itself to the resource.
Web Browser
WebAuthn
Web Interface
Java WS Container
WS GRAM Client
WS GRAM Service
Webapp
proxy certificate
proxy credential
community credential
community account
Key
Key
Resource Provider
Science Gateway
10
Classic Science Gateway
The resource authenticates the gateway and maps
the request to the community account based on the
identity in the proxy certificate.
Web Browser
WebAuthn
Web Interface
Java WS Container
WS GRAM Client
WS GRAM Service
Webapp
proxy certificate
proxy credential
community credential
community account
Key
Key
Resource Provider
Science Gateway
11
Classic Science Gateway
After the job is executed, the result is returned
to the browser user via the gateway web
interface.
Web Browser
WebAuthn
Web Interface
Java WS Container
WS GRAM Client
WS GRAM Service
Webapp
proxy certificate
proxy credential
community credential
community account
Key
Key
Resource Provider
Science Gateway
12
Community Account Model The Good

• The Community Account Model
• simplifies the user experience
• simplifies gateway implementation and deployment
• simplifies gridmap file management at the RP
• A community credential is issued to each gateway
• A single community account is created at the RP
• The gateway issues proxy certificates and makes
  grid requests on behalf of the user

13
Community Account Model The Bad

• The community account model has some significant
  drawbacks, however
• End user identity is unknown to the RP
• Course-grained access control at the resource (by
  design)
• Awkward approach to auditing and incident
  response
• In the event of an emergency, the RP is forced to
  disable all access to the community account
• Less than adequate accounting mechanisms
• All this can be traced to a single problem

14
Community Account Model The Ugly
All requests look exactly the same to the
resource provider!
If the gateway would only pass the users name
and contact information to the resource provider,
all previously mentioned problems would be solved
15
Grid Authorization Model

• We describe a grid authorization model that
  significantly increases the information flow
  between a science gateway and a resource provider
• Extends the Community Account Model
• Asserts end user identity to the RP
• Permits fine-grained access control at the RP
• Provides strong auditing and effective incident
  response
• Allows dynamic blacklisting of problem accounts
  or runaway processes
• A lightweight approach that does not require new
  wire protocols or extensive new middleware
  infrastructure
• Complements existing SAML-based middleware
  infrastructure on today's campuses

16
Grid Authorization Model

• The proposed model incorporates GridShib SAML
  Tools at the gateway and GridShib for GT at the
  resource provider
• Using GridShib SAML Tools, the gateway
• issues a SAML assertion containing the user's
  authentication context and attributes
• binds the SAML assertion to a proxy certificate
  signed by the community credential
• authenticates to the resource by presenting the
  SAML-laden proxy certificate
• http//gridfarm007.ucs.indiana.edu/gce07/images/e/
  e4/Scavo.pdf

17
X.509 Proxy Credential Issuer Science
Gateway Subject Science Gateway
ltsamlAssertiongt ltsamlNameIDgt trscavo
lt/samlNameIDgt lt/samlAssertiongt


Key
X.509 Proxy Credential Issuer Science
Gateway Subject Science Gateway X509v3
extension 1.3.6.1.4.1.3536.1.1.1.12
ltsamlAssertiongt ltsamlNameIDgt trscavo
lt/samlNameIDgt lt/samlAssertiongt
Key
18
GridShib-enabled Science Gateway

• A browser user authenticates to
• a grid portal.  The portal binds a
• self-issued SAML assertion to
• a proxy certificate and initiates a grid request
  on behalf of the user.

19
Grid Authorization Model for Gateways
An enhancement to the community account model
increases the information flow between the
gateway and the resource provider.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
username
GridShib SAML Tools
community credential
Key
Resource Provider
Science Gateway
20
Grid Authorization Model for Gateways
A software component called GridShib SAML Tools
is integrated into the gateway portal environment.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
username
GridShib SAML Tools
community credential
Key
Resource Provider
Science Gateway
21
Grid Authorization Model for Gateways
Another software component called GridShib for GT
is deployed at the resource provider.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
username
GridShib SAML Tools
community credential
Key
Resource Provider
Science Gateway
22
Grid Authorization Model for Gateways
These two GridShib software components produce
and consume Security Assertion Markup Language
(SAML) tokens.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
username
GridShib SAML Tools
community credential
Key
Resource Provider
Science Gateway
23
Grid Authorization Model for Gateways
Again the browser user authenticates to the
gateway by presenting a username and password.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
username
GridShib SAML Tools
community credential
Key
Resource Provider
Science Gateway
24
Grid Authorization Model for Gateways
This time the gateway uses the GridShib SAML
Tools to issue an X.509-bound SAML token.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
username
GridShib SAML Tools
proxy credential
SAML
Key
community credential
Key
Resource Provider
Science Gateway
25
Grid Authorization Model for Gateways
The SAML token bound to the proxy certificate
contains the name of the end user and other user
attributes (e.g., e-mail).
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
X.509 Proxy Credential Issuer Science
Gateway Subject Science Gateway X509v3
extension 1.3.6.1.4.1.3536.1.1.1.12
username
GridShib SAML Tools
proxy credential
SAML
Key
community credential
ltsamlAssertiongt ltsamlNameIDgt trscavo
lt/samlNameIDgt lt/samlAssertiongt
Key
Resource Provider
Science Gateway
Key
26
Grid Authorization Model for Gateways
The gateway authenticates as itself to the
resource provider, presenting the proxy
certificate with bound SAML token.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
proxy certificate
SAML
username
GridShib SAML Tools
proxy credential
SAML
Key
community credential
Key
Resource Provider
Science Gateway
27
Grid Authorization Model for Gateways
The GridShib SAML policy information point (PIP)
extracts the SAML token from the proxy
certificate, parses it, and writes the
information to a log file.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
proxy certificate
SAML
username
GridShib SAML Tools
proxy credential
SAML
Key
community credential
Logs
Key
Resource Provider
Science Gateway
28
Grid Authorization Model for Gateways
The security information in the SAML token is
also used to populate a SAML security context
within the container.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
proxy certificate
SAML
username
GridShib SAML Tools
Security Context
proxy credential
SAML
Key
community credential
Logs
Key
Resource Provider
Science Gateway
29
Grid Authorization Model for Gateways
The service compares the information in the
security context to the blacklist, denying access
if any request info is on the blacklist.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
proxy certificate
SAML
username
GridShib SAML Tools
Security Context
proxy credential
SAML
Key
Blacklist Policy
community credential
Logs
Key
Resource Provider
Science Gateway
30
Grid Authorization Model for Gateways
The service combines the information in the
security context with its access control policy,
allowing access if and only if policy is
satisfied.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
proxy certificate
SAML
username
GridShib SAML Tools
Security Context
proxy credential
SAML
Key
Authz Policy
Blacklist Policy
community credential
Logs
Key
Resource Provider
Science Gateway
31
Grid Authorization Model for Gateways
As before, after the service executes the job,
the result is returned to the browser user via
the gateway web interface.
Web Browser
WebAuthn
Web Interface
Java WS Container (with GridShib for GT)
WS GRAM Client
GridShibSAML PIP
WS GRAM Service
Webapp
attributes
proxy certificate
SAML
username
GridShib SAML Tools
Security Context
proxy credential
SAML
Key
Authz Policy
Blacklist Policy
community credential
Logs
Key
Resource Provider
Science Gateway
32
GridShib-enabled Science Gateway

• Simple installation and configuration of GridShib
  SAML Tools at the gateway
• Includes GridShib Security Framework
• Exposes both a command-line interface and a Java
  API
• End user identity and contact information (e.g.,
  e-mail) transmitted to RP
• Push much of the responsibility for auditing and
  incident response back onto the RP
• Big Advantage No need to shut down the entire
  gateway in the event of an incident!

33
User Attributes

• Gateway entityID
• https//gridshib.gisolve.org/idp
• Subject name identifier
• trscavo_at_gisolve.org
• Authentication statement
• authentication method urnoasisnamestcSAML1.0
  ampassword
• authentication instant 2007-08-02T121034-0400
• IP address 10.81.193.244
• Attribute statement
• isMemberOf attribute group//gisolve.org/gisolve
• mail attribute trscavo_at_gmail.com

34
GridShib-enabled Resource Provider

• The end user and the end users contact
  information (and other attributes) are logged
• Effective auditing and incident response
• Blacklist an IP address or name identifier on
  demand
• Exposes a SAML security context
• Fine-grained, attribute-based access control

35
Acknowledgments

• Original Project PIs
• Von Welch, Tom Barton, Kate Keahey, Frank
  Siebenlist
• Developers
• Rachana Ananthakrishnan, Jim Basney, Tim Freeman,
  Raj Kettimuthu, Terry Fleury, Tom Scavo
• The GridShib work was funded by the NSF National
  Middleware Initiative (NMI awards 0438424 and
  0438385). Opinions and recommendations in this
  paper are those of the authors and do not
  necessarily reflect the views of NSF.
• The Science Gateway integration work is funded by
  the NSF TeraGrid Grid Integration Group through a
  sub-award to NCSA.

36
Thank you!

• GridShib
• http//gridshib.globus.org/