GridShib: Grid-Shibboleth Integration (Identity Federation and Grids), April 11, 2005, Von Welch, [email protected], http://grid.ncsa.uiuc.edu/GridShib/


Page 1: GridShib: Grid-Shibboleth Integration (Identity Federation and Grids)

April 11, 2005

Von Welch

[email protected]

http://grid.ncsa.uiuc.edu/GridShib/

Page 2: What is GridShib?

April 11, 2005, GridShib: UK eScience Security Workshop

• NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under NSF award SCI-0438424
• Goal: GT 4.2 & Shibboleth 1.3
• GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, David Champion, Tim Freeman, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

Page 3: Why? Someone else…

• Leverage Shibboleth code base
  – Someone else is writing and debugging it
• Leverage Shibboleth deployments
  – Someone else is supporting them
• Leverage larger issues going on in the Identity Federation world
  – Someone else is helping to write them
  – Even more someone elses will be writing and deploying them
  – SAML standard, profiles
• Leverage someone else’s attributes?
  – Are campus attributes useful to Grids?

Page 4: Outline

• Low-level technical discussion
  – Shibboleth
  – GridShib
• Higher-level discussion of Identity Federation for Grids
  – How do sites federate to support a VO?

Page 5: Shibboleth Federation Model

[Figure: federation diagram; labels: Attrs, IDs (at each of two sites), SAML]

Page 6: Shibboleth (Simplified)

[Figure: simplified Shibboleth flow; labels: Attrs, IDs, Shibboleth, Handle, Handle, Attributes, SAML]

Page 7: GridShib (Simplified)

[Figure: simplified GridShib flow; labels: Attrs, IDs, Shibboleth, DN, Attributes, DN, DN, SAML, SSL/TLS, WS-Security]

Page 8: GridShib Goals

• Work with others to standardize X.509 profile for Shibboleth/SAML AA
• Change as little as possible on Shibboleth side
  – Limit to installation of new NameMapper plug-in for Shibboleth to recognize and map DNs to local identities
• Privacy
  – In “V2”

Page 9: GridShib Goals (cont)

• Modifications to GT to request, receive and parse SAML attributes from Shib
  – Frank Siebenlist’s earlier talk
• General PDP functionality
  – Grid use cases can be very complicated and varied in terms of authz policy
  – Try to support union of many “simple” cases
  – Allow for deployment of custom PDPs

Page 10: Higher-level Issues

• How does Identity federation apply to Grids?
• Shibboleth model is very good for allowing a single site to federate their users’ attributes
• If the site attributes are all that matter, then this is all you need
  – E.g. a “campus grid” for campus users

Page 11: VO Attributes

• However, most VOs have their own attributes
  – Domain-specific, VO-organization, etc.
• This means multiple attribute authorities for the same set of users
• How do these multiple attributes get served up?

Page 12: VO runs Shibboleth Server

• Requires a large, resourced VO
  – Must have skills, support staff, time
• Requires more complexity in authorization
  – Need to map attributes to authority
• To some extent defeats the purpose

Page 13: Campus runs Shibboleth

• Puts services in the right place
  – Campuses are good at running production services
• Requires campus to somehow outsource administration of attributes
• Two sub-models:
  – One campus handles VO attributes for all VO users
  – Each campus handles VO attributes for its own users

Page 14: Prediction

• Arranging for administration of each VO user’s attributes will be hard at first
  – Significant social issues with campuses
• Initially, we will be finding one campus to serve attributes for each VO
  – That campus outsources administration of a VO attribute space to that VO
  – Allows remote administration by VO
  – They still run services

Page 15: Questions?

• Project website:
  – http://grid.ncsa.uiuc.edu/GridShib/
• Or contact:
  – [email protected]
• For more information on NMI:
  – http://www.nsf-middleware.org/

Page 16: Extra Slides

Page 17: Shibboleth

• http://shibboleth.internet2.edu/
• Internet2 project
• Allows for inter-institutional sharing of web resources (via browsers)
  – Federation of identities and attributes
  – Uses attribute-based authorization
  – Standards-based (SAML)
• Being extended to non-web resources

Page 18: Globus Toolkit

• http://www.globus.org
• Collaborative work from the Globus Alliance
• Toolkit for Grid computing
  – Job submission, data movement, data management, resource management
• Based on Web Services and WSRF
• Security based on X.509 identity and proxy certificates

Page 19: Campus Grid Use Case

• Campus running Grid, Shibboleth service
• Users with campus-issued certificates
  – Maybe a few outside users
• Desires to use campus attributes to authorize use of campus grid
• E.g. USC

Page 20: Grid Deployment Use Case

• Multi-site Grid based around a virtual organization
• Users have certificates from one or more Grid CAs, probably not run by VO
• Grid wishes to establish attributes for their users to do role-based authorization
• Grid is either large enough to establish and run their own Shibboleth AA or someone is willing to do it for them
• E.g. TeraGrid, OSG

Page 21: Hybrid Use Case

• Grid based on virtual organization but wants to make resources available to larger community
  – E.g. Allow all chemists to access some dataset
• Users have certificates from one or more Grid CAs, probably not run by VO
• Want to use campus-asserted attributes, from campus-run Shibboleth services, to authorize access to VO resources
• Currently done by issuing light-weight Grid credentials to users via a portal
• E.g. ESG

Page 22: GridShib Integration Goals

• Use Shibboleth 1.3 out of box
  – With additional NameMapper module to handle mapping X.509 identities to local names
  – Work with Shib identity provider metadata
  – Working with Shib developers to achieve
• Don’t require modification to typical grid client applications for simple use cases
• Most of work going into Grid services

Page 23: Project objectives

• Priority 1: Pull mode operation
  – Globus services contact Shibboleth to obtain attributes about identified user
• Priority 2: Push mode operation
  – User obtains Shib attributes and pushes them to service
  – Allows role selection
• Priority 3: Pseudonymous access with MyProxy/GridLogon
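The pull and push modes above, together with the NameMapper (DN to local identity) and "union of simple cases" PDP from the GridShib Goals slides, as an added toy model in Python. This is not GridShib, Globus or Shibboleth code: the DNs, principals, attribute values, service identifier and release policy are constructed for illustration, eduPersonAffiliation is assumed as an example attribute name, and SAML encoding and assertion signing are left out.

```python
"""Toy model of GridShib pull/push mode (constructed example, not GridShib or Globus code)."""

SERVICE = "https://grid.example.org/jobs"  # assumed Grid service identifier

# Constructed NameMapper table: authenticated X.509 subject DN -> local campus principal.
NAME_MAP = {
    "/C=US/O=Example Campus/OU=Physics/CN=Alice Example": "alice",
    "/C=US/O=Example Campus/OU=Chemistry/CN=Bob Example": "bob",
    "/C=US/O=Example Campus/OU=Physics/CN=Carol Example": "carol",
}
# Constructed campus attribute store (what the Shibboleth AA would serve);
# eduPersonAffiliation is a standard eduPerson attribute, assumed here for illustration.
ATTRIBUTES = {
    "alice": {"eduPersonAffiliation": {"faculty", "member"}, "department": {"physics"}},
    "bob": {"eduPersonAffiliation": {"student", "member"}, "department": {"chemistry"}},
    "carol": {"eduPersonAffiliation": {"student", "member"}, "department": {"physics"}},
}
# Attribute release policy: which attributes the AA releases to which requester.
RELEASE_POLICY = {SERVICE: {"eduPersonAffiliation", "department"}}
# PDP policy as a union of "simple" cases: permit if ANY rule matches, where a rule
# matches when ALL of its required attribute values are present.
RULES = [{"eduPersonAffiliation": {"faculty"}}, {"department": {"chemistry"}}]


def name_mapper(dn):
    """NameMapper plug-in role: map the DN seen at the TLS/WS-Security layer to a local identity."""
    return NAME_MAP.get(dn)


def attribute_query(dn, requester):
    """AA role: answer a SAML-style attribute query about a DN, subject to release policy."""
    local_id = name_mapper(dn)
    if local_id is None:
        return {}  # unknown DN: nothing is released
    allowed = RELEASE_POLICY.get(requester, set())
    return {k: v for k, v in ATTRIBUTES.get(local_id, {}).items() if k in allowed}


def pdp(attrs, rules):
    """Policy decision point: evaluate the union of simple rules over the attribute sets."""
    return any(all(attrs.get(n, set()) >= vals for n, vals in rule.items()) for rule in rules)


def authorize_pull(dn, service=SERVICE, rules=RULES):
    """Pull mode: the Grid service itself queries the AA about the authenticated DN."""
    return pdp(attribute_query(dn, service), rules)


def authorize_push(dn, selected, service=SERVICE, rules=RULES):
    """Push mode: the user fetches their attributes, selects roles to present, pushes them."""
    pushed = {k: v & selected.get(k, set()) for k, v in attribute_query(dn, service).items()}
    return pdp(pushed, rules)
```

In push mode the PDP only sees the roles the user chose to present, so a user holding a permitting attribute can still be denied by leaving it out of the selection; a requester not named in the release policy receives no attributes at all.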