Identity Management, PKI and Grids - PowerPoint PPT Presentation

Learn more at: https://net.educause.edu
Transcript and Presenter's Notes

1
Identity Management, PKI and Grids
  • Jill Gemmill, PhD
  • University of Alabama at Birmingham

2
Acknowledgments
  • NSF ANI-0330543 NMI Enabled Open Source
    Collaboration Tools for Virtual Organizations
    (Jill Gemmill, John-Paul Robinson)
  • N01-LM-3-3513 Advanced Network Infrastructure for
    Health Disaster Management (Orthner, Terndrup,
    Grimes, Gemmill)
  • Office of the VPIT and IT Academic Computing
  • Von Welch, Tom Scavo- NCSA/UIUC
  • Internet2 MACE and MLIST Working Group members
  • Serge Aumont, Olivier Salaun, CRU
  • Members of MACE-MLIST Working Group

3
A little background
  • UAB history in centralized identity management:
    early interest in PKI, but today LDAP-based
    username/password
  • UAB participation in the NMI Testbed
  • Met Shibboleth and the Globus Toolkit
  • What would it take to integrate these tools with
    applications in a manner useful to research
    collaborations (i.e., VOs)?
  • UAB entering the High-Performance Computing community
    via faculty acquisitions: an application-focused
    group and a computing research group.

4
What's a Virtual Organization?
  • A set of collaborators bound together by a
    project of common interest
  • Very large-scale science projects, e.g., TeraGrid
  • Half a dozen or so collaborators in a funded
    multidisciplinary project
  • Physicians at 60 cancer centers wanting to share
    clinical data to increase N or focus on special
    sub-populations
  • An Internet2 working group; a conference planning
    committee
  • In general, VO members are from different
    institutions

5
About Grid Security Infrastructure (GSI)
  • Grids (Foster, Kesselman)
  • Purpose: to support research VOs
  • Implementation: NMI GRIDS / Globus Toolkit
  • Keys distributed to each end user; client-server,
    non-web requirements
  • PKI-based security infrastructure using X.509
    certificates
  • Surely global PKI is almost here
  • Authorization to be dealt with later
  • KEY INSIGHT: separation of identity from the
    system-specific account.

6
Grid Authorization
  • Today, Globus Toolkit provides identity-based
    authorization mechanisms
  • Access control lists (called grid-mapfiles) map
    DNs to local identities (e.g., Unix logins)
  • Community Authorization Service (CAS)
  • PERMIS and VOMS
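
The grid-mapfile on the previous bullet is the identity-based mechanism the rest of the talk argues against, so it is worth seeing exactly what it does. The following is an added example, not code from the presentation or from the Globus Toolkit: it parses the grid-mapfile format as Globus uses it (a quoted subject DN followed by one or more comma-separated local account names, `#` comments) and resolves a certificate subject to a local login. The mapfile contents are constructed sample data; the entity names in it are invented.

```python
"""Parse a Globus-style grid-mapfile and map an X.509 subject DN to a local login.

Constructed example (not code from the presentation or from the Globus Toolkit):
the mapfile text below is invented sample data.
"""
import shlex

# Constructed sample grid-mapfile. Format, as used by Globus: one entry per line,
# the quoted DN (OpenSSL one-line form) followed by one or more comma-separated
# local account names. '#' lines are comments.
SAMPLE_GRIDMAP = """\
# constructed example grid-mapfile
"/C=US/O=Example Grid/OU=UAB/CN=Jane Researcher" jres
"/C=US/O=Example Grid/OU=NCSA/CN=Grid Operator" gridops,ops2
"/C=US/O=Example Grid/OU=UAB/CN=Jane Researcher" duplicate_ignored
"""


def parse_gridmap(text):
    """Return {dn: [local accounts...]}. The first entry for a DN wins (Globus
    semantics). A line that is not exactly 'DN account[,account]' is rejected
    rather than silently skipped: a malformed ACL line is a policy error, not noise."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the quoted DN, splits on whitespace
        if len(fields) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected 'DN account[,account]'")
        dn, accounts = fields
        names = [a for a in accounts.split(",") if a]
        if not names:
            raise ValueError(f"grid-mapfile line {lineno}: no local account")
        mapping.setdefault(dn, names)
    return mapping


def accounts_for(gridmap, dn):
    """All local accounts the DN may use, [] if the DN is not authorized.
    Comparison is an exact string match: any difference in attribute order,
    case or encoding between the certificate subject and the mapfile entry
    means no access, which is the intended fail-closed behaviour."""
    return list(gridmap.get(dn, []))


def map_dn(gridmap, dn):
    """Default local login for a DN (the first listed account), or None."""
    accounts = accounts_for(gridmap, dn)
    return accounts[0] if accounts else None


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    for subject in ("/C=US/O=Example Grid/OU=UAB/CN=Jane Researcher",
                    "/C=US/O=Example Grid/OU=UAB/CN=jane researcher"):
        print(subject, "->", map_dn(gm, subject))
```

Note what the lookup key is: the whole DN string. Every new VO member means a new line in every resource's mapfile, and every resource has to be told when that person leaves, which is the scaling problem the following slides describe.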

7
Early UAB NMI Testbed work
  • Using pubcookie (web-enabled single sign-on) for
    grid authentication, similar to UVa
  • Components
  • Web-based grid portal (OGCE)
  • Web-based CA (PHPKI)
  • Secure end-user certificate repository
  • Details: Robinson, J.-P., Gemmill, J., et al.
    (2005). Web-Enabled Grid Authentication in a
    Non-Kerberos Environment. In 6th IEEE/ACM
    International Workshop on Grid Computing.

8
Central Challenges
  • Authorization based on VO membership requires:
  • Cross-domain authentication (leverage distributed
    identity management)
  • A "member of VO XYZ" attribute, central for
    access control
  • The VO is authoritative for its own membership and
    role assignments
  • Should work for both web and non-web applications

9
What Cross-Domain Security Architectures Exist?
  • GRIDS
  • Digital Certificates (X.509 / PKI)
  • Cross-domain trust can be managed scalably through
    bridged CAs
  • Carry only a user identifier (DN)
  • FEDERATIONS (SAML, Shibboleth, WS-Security)
  • Digitally signed security assertions
  • Carry Identity, AuthN method, other attributes

10
Don't Existing Solutions Provide What Is Needed
by VOs? (No!)
  • Single Domain solutions inadequate
  • End-user certificate distribution and management
    has proven to be troublesome and non-scalable
  • Essential VO (Group) Membership information not
    provided consistently by either one
  • Most collaboration tools are accessed by web browser
    (not client software with a certificate)

11
Observation 1
  • The size and vast number of VOs make it
    difficult for administrators to manage the
    identity of each user in the VO (and VO members
    don't want more passwords to remember)
  • Goal: leverage existing identity management
    infrastructure
  • eduPerson/Shibboleth infrastructure appeared
    promising for identity management

12
Observation 2
  • Identity-based access control methods are
    inflexible and do not scale
  • Goal: use attribute-based access control
  • Shibboleth, an attribute transport mechanism
    linked to identity management, appeared promising

13
Observation 3
  • The most important attribute for VOs is "member
    of VO-XYZ"
  • Who is authoritative for VO attributes?
  • The enterprise? (No)
  • The VO? (Yes!)
  • How are VO attributes created?
  • Where are VO attributes stored?
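
Observations 2 and 3 together say two things: access decisions should be driven by attributes, and the VO, not the enterprise, is the source of truth for the "member of VO-XYZ" attribute. The example below is added here and is not code from myVocs, Shibboleth or the presentation. It models what an SP's attribute filter has to enforce: each attribute is accepted only from its authoritative issuer (identity attributes from the home IdP, VO membership and role from the VO attribute authority), so a home IdP asserting VO membership is ignored. The entity IDs, attribute names beyond the standard eduPerson ones, and the session data are invented for illustration; this also covers the "attribute aggregation" challenge listed near the end of the talk.

```python
"""Attribute-based access control where each attribute is trusted only from its
authoritative issuer: identity attributes from the member's home IdP, VO
membership and role attributes from the VO's own attribute authority.

Constructed example, not code from myVocs, Shibboleth or the presentation; the
entity IDs, the voRole attribute name and the policy below are invented.
"""

# Constructed trust table: which issuer is authoritative for which attribute.
# In a Shibboleth deployment this role is played by the SP's attribute-filter
# policy; the entity IDs here are made up.
HOME_IDP = "https://idp.example-university.edu/idp"
VO_AA = "https://myvocs.example.org/aa"          # the VO attribute authority
AUTHORITATIVE = {
    "eduPersonPrincipalName": {HOME_IDP},
    "eduPersonAffiliation": {HOME_IDP},
    "isMemberOf": {VO_AA},
    "voRole": {VO_AA},
}


def aggregate(assertions):
    """Merge attribute assertions from several issuers, keeping only attribute
    values whose issuer is authoritative for that attribute. Everything else is
    dropped, so a home IdP (or a compromised one) cannot claim VO membership.
    Returns (merged attributes, list of (issuer, attribute) that were rejected)."""
    merged = {}
    rejected = []
    for issuer, attrs in assertions:
        for name, values in attrs.items():
            if issuer in AUTHORITATIVE.get(name, set()):
                merged.setdefault(name, set()).update(values)
            else:
                rejected.append((issuer, name))
    return merged, rejected


def authorize(attrs, vo, roles=()):
    """Policy: the subject must be a member of `vo` and, if `roles` is given,
    hold at least one of them. Identity alone (a known ePPN) is never sufficient."""
    if vo not in attrs.get("isMemberOf", set()):
        return False
    if roles and not set(roles) & attrs.get("voRole", set()):
        return False
    return True


# Constructed assertions for one browser session: identity from the home IdP,
# VO attributes from the VO attribute authority, plus a bogus membership claim
# that the home IdP has no authority to make.
SESSION = [
    (HOME_IDP, {"eduPersonPrincipalName": ["jres@example-university.edu"],
                "eduPersonAffiliation": ["faculty"],
                "isMemberOf": ["VO-OtherProject"]}),
    (VO_AA, {"isMemberOf": ["VO-XYZ"], "voRole": ["data-curator"]}),
]

if __name__ == "__main__":
    attrs, rejected = aggregate(SESSION)
    print("accepted:", attrs)
    print("rejected:", rejected)
    print("VO-XYZ wiki:", authorize(attrs, "VO-XYZ"))
    print("VO-XYZ admin console:", authorize(attrs, "VO-XYZ", roles=("vo-admin",)))
    print("VO-OtherProject:", authorize(attrs, "VO-OtherProject"))
```

The point of the trust table is that adding a member to VO-XYZ changes nothing at the application: the VO attribute authority starts asserting `isMemberOf`, and the policy already accepts it. Without the issuer check, any IdP in the federation could mint VO membership for its own users.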

14
myVocs Overview (my Virtual Organization
Collaboration System)
  • myVocs Manages Attributes

15-19
A Look Inside myVocs (diagram, built up over five slides)
  • VO Attribute Authority holding Users, VOs, VO
    Members and VO Roles; together with the VO IdP this
    forms the "VO Space"
  • myVocs is fronted by a Shibboleth SP that accepts
    logins from federation IdPs (UAB IdP, UIUC IdP,
    openidp.org IdP, U. Chicago IdP)
  • Each VO application (MailList, CMS, Wiki, Your App)
    is protected by its own VO SP
20
myVocs Membership Management Tool: Sympa
  • Mailing lists are central to Collaborations
  • Specify a collection of individuals
  • Define useful member roles
  • Generally autonomous
  • Sympa mailing list software supports Shibboleth
  • Sympa has an excellent web-based user interface
  • Sympa developers were active collaborators

21-34
Shibboleth Drives myVocs (animated diagram, built up
over fourteen slides)
  • Components shown: Client Web Browser, WAYF, ID SP
    (Identity Federation Shib), the user's home IdP
    ("Some IdP", shown as openidp.org), myVocs Shib
    (VO IdP plus VO Attribs), VO SP, and a CMS as the
    protected application
  • Two attribute flows are labelled: Identity
    Attributes from the home IdP into myVocs, and VO
    Attribs released to the VO SP
35
myVocs automatically provisions
  • Application instances
  • (one set per VO)
  • Accounts
  • Based on VO membership and roles
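
Provisioning accounts from VO membership is only safe if deprovisioning is part of the same loop: an account that outlives the membership keeps granting access on an attribute the VO no longer asserts. The example below is added here and is not code from myVocs or the presentation. It reconciles the accounts in one VO's application instance against the VO's membership and roles, producing the creates, role changes and removals needed; the VO data, role names and account records are constructed.

```python
"""Reconcile per-VO application accounts against VO membership and roles:
compute which accounts to create, re-role or remove so that the app's account
list does not drift from what the VO asserts.

Constructed example, not code from myVocs or the presentation; the VO data,
role names and account records are invented.
"""

# Constructed: what the VO attribute authority says (membership + role per user).
VO_MEMBERSHIP = {
    "VO-XYZ": {
        "jres@example-university.edu": "editor",
        "ops@example-lab.org": "admin",
        "newbie@example-college.edu": "member",
    }
}

# Constructed: accounts currently present in the wiki instance provisioned for
# VO-XYZ. 'former@...' is no longer a VO member; 'ops@...' was promoted since
# the last sync.
WIKI_ACCOUNTS = {
    "VO-XYZ": {
        "jres@example-university.edu": "editor",
        "ops@example-lab.org": "editor",
        "former@example-university.edu": "admin",
    }
}


def reconcile(vo, desired, current):
    """Return the provisioning actions for one VO's application instance.

    Removals are computed as well as creations: a user whose VO membership was
    revoked must lose the account, otherwise the app keeps granting access on
    the basis of an attribute the VO no longer asserts."""
    want = desired.get(vo, {})
    have = current.get(vo, {})
    create = sorted((u, r) for u, r in want.items() if u not in have)
    update = sorted((u, have[u], r) for u, r in want.items()
                    if u in have and have[u] != r)
    remove = sorted(u for u in have if u not in want)
    return {"create": create, "update": update, "remove": remove}


def apply_actions(vo, actions, current):
    """Apply the actions to the account table and return the new account state."""
    accounts = dict(current.get(vo, {}))
    for user, role in actions["create"]:
        accounts[user] = role
    for user, _old, new in actions["update"]:
        accounts[user] = new
    for user in actions["remove"]:
        del accounts[user]
    return accounts


if __name__ == "__main__":
    plan = reconcile("VO-XYZ", VO_MEMBERSHIP, WIKI_ACCOUNTS)
    for kind in ("create", "update", "remove"):
        print(kind, plan[kind])
    print("after sync:", apply_actions("VO-XYZ", plan, WIKI_ACCOUNTS))
```

Running the reconcile a second time against the synced state yields no actions, which is the property to check in a deployment: the sync must be idempotent, and the removal list must be non-empty whenever the VO drops a member.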

36
What is GridShib?
  • Authentication: GridShib leverages the existing
    authentication mechanisms in GT
  • Authorization: GridShib adds attribute-based
    authorization, based on Shibboleth, to the Globus
    Toolkit

37
Software Components
  • GridShib for Globus Toolkit
  • A plugin for GT 4.0
  • GridShib for Shibboleth
  • A plugin for Shibboleth 1.3 IdP
  • GridShib CA
  • A web-based CA for new grid users
  • Visit the GridShib Downloads page:
    http://gridshib.globus.org/download.html

38
GridShib CA
  • The GridShib Certificate Authority is a web-based
    CA for new grid users:
    https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority
  • The GridShib CA is protected by a Shib SP and
    backed by the MyProxy Online CA
  • The CA issues short-term credentials suitable for
    authentication to a Grid SP
  • Credentials are downloaded to the desktop via
    Java Web Start

39
Results of Integration
40
What we have enabled
  • Turn-key Grid VO creation through the integration
    of GridShib and myVocs
  • myVocs used to create and manage VOs
  • GridShib allows myVocs users to create Grid
    credentials and access Grid resources
  • Grid resources obtain attributes from myVocs and
    grant access based on them

42
User Registers with myVocs (diagram: Identity, Auth)
43
VO Admin Adds User to VO
44
Grid Logon (diagram: Identity, Auth, Grid Id, Grid
Creds.)
45
Grid Service Invocation (diagram: VO Attributes, Grid
Id, Grid Creds.)
46
Remaining Challenges
  • Name binding on global scale
  • Attribute Aggregation
  • Defining VO membership, roles and attributes
  • Group and role management
  • UAB is currently working on a Shibbolized,
    GridShib-CA-integrated version of the GridSphere
    portal (also in Australia)

47
Questions?
  • For more information
  • GridShib: http://gridshib.globus.org/
  • myVocs: http://www.myvocs.org/
  • Email:

jgemmill@uab.edu
jpr@uab.edu
tscavo@ncsa.uiuc.edu
vwelch@ncsa.uiuc.edu