Upload
kaiya-lett
View
213
Download
0
Tags:
Embed Size (px)
Citation preview
GridShib:Campus/Grid RBAC
Integration
GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids
October 3th, 2005
Von Welch
Oct 3rd, 2005 2GGF15
What is GridShib• NSF NMI project to allow the use of Shibboleth-issued
attributes for authorization in NMI Grids built on the Globus Toolkit– Funded under NSF award SCI-0438424
• GridShib team: NCSA, U. Chicago, ANL– Tom Barton, David Champion, Tim Freemon, Kate Keahey,
Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team
Oct 3rd, 2005 3GGF15
Motivation• Many Grid VOs are focused on science
or business other than IT support– Don’t have expertise or resources to run
security services
• Allow for leveraging of Shibboleth code and deployments run by campuses
Oct 3rd, 2005 4GGF15
Outline• Overview of Shibboleth
• Overview of Globus/Grid PKI
• Approach
• Status and Future Plans
Oct 3rd, 2005 5GGF15
Campus Infrastructure
Oct 3rd, 2005 6GGF15
Student?
Check out book…
Access student records…
Is student John Smith?
Oct 3rd, 2005 7GGF15
Check out book…
Different protocols
Privacy
Different Schemas
Oct 3rd, 2005 8GGF15
Shibboleth• http://shibboleth.internet2.edu/• Internet2 project• Allows for inter-institutional sharing of web
resources (via browsers)– Provides attributes for authorization between
institutions
• Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’
• Standards-based (SAML)• Being extended to non-web resources
Oct 3rd, 2005 9GGF15
SAMLAuthn/Authz
Uses SAML to expressIdentity and attributes toAllow for interoperability
Uses short-lived identifiersTo protest privacy of users.
Oct 3rd, 2005 10GGF15
Check out book…
PseudonymousIdentifier
Is a studentPseudonymousIdentifier
Oct 3rd, 2005 11GGF15
Shibboleth• Identity Provider composed of single sign-on
(SSO) and attribute authority (AA) services• SSO: authenticates user locally and issues
authentication assertion with Handle– Assertion is short-lived bearer assertion– Handle is also short-lived and non-identifying– Handle is registered with AA
• Attribute Authority responds to queries regarding handle
Oct 3rd, 2005 12GGF15
Shibboleth• Service Provider composed of Assertion
Consumer and Attribute Requestor• Assertion Consumer parses
authentication assertion• Attribute Requestor: request attributes
from AA– Attributes used for authorization
• Where Are You From (WAYF) service determines user’s Identity Provider
Oct 3rd, 2005 13GGF15
Shibboleth (Simplified)
AA
SSO
ShibbolethIdP
Handle
Attributes
SAML
AR
ACS
ShibbolethSP
Handle
LDAP(e.g.)
Oct 3rd, 2005 14GGF15
Globus Toolkit• http://www.globus.org
• Toolkit for Grid computing– Job submission, data movement, data
management, resource management
• Based on Web Services and WSRF
• Security based on X.509 identity- and proxy-certificates– Maybe from conventional or on-line CAs
• Some initial attribute-based authorization
Oct 3rd, 2005 15GGF15
Grid PKI• Large investment in PKI at the
international level for Grids– TAGPMA, GridPMA, APGridPMA– Dozens of CAs, thousands of users
• Really painful to establish
• But its working…– And it’s not going way easily
Oct 3rd, 2005 16GGF15
Integration Approach• Conceptually, replace Shibboleth’s
handle-based authentication with X509– Provides stronger security for non-web
browser apps– Works with existing PKI install base
• To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible
Oct 3rd, 2005 17GGF15
Use Cases• Project leveraging campus attributes
– Simplest case
• Project-operated Shib service– Project operates own service, conceptually
easy, but not ideal
• Campus-operated, project-administered Shib– Ideal mix, but need mechanisms for
provisioning of attribute administration
Oct 3rd, 2005 18GGF15
GridShib (Simplified)
A
SSO
Shibboleth
DN
Attributes
DN
DN
SAML
SSL/TLS, WS-Security
Oct 3rd, 2005 19GGF15
Authorization• Delivering attributes is half the story…
• Currently have a simple authorization mechanisms– List of attributes required to use service or
container
• Developing finer-grain authorization for GRAM
Oct 3rd, 2005 20GGF15
Authorization Plans• Develop authorization framework in Globus
Toolkit– Siebenlist et. al. at Argonne– Pluggable modules for processing authentication,
gathering and processing attributes and rendering decisions
• Work in OGSA-Authz WG to allow for callouts to third-party authorization services– E.G. PERMIS
• Convert Attributes (SAML or X509) into common format for policy evaluation– XACML-based
Oct 3rd, 2005 21GGF15
GridShib Status• Beta release publically available
• Drop-in addition to GT 4.0 and Shibboleth 1.3
• Project website:– http://gridshib.globus.org
• Very interested in feedback
Oct 3rd, 2005 22GGF15
Future Plans• Integration of GridShib with MyProxy
Online CA– Allow for use of Grid Resources by users
without long-term X509 credentials– Collaboration with Jim Basney
• Signet/Grouper integration for distributed attribute administration – See Tom Barton’s talk
Oct 3rd, 2005 23GGF15
Questions?• My email:
• Project website:– http://gridshib.globus.org