Jens G Jensen
CCLRC e-Science
Single Sign-on to the Grid
Federated Access and
Integrated Identity Management
The Problem
• Integrated Access (Authentication)
• Identity management
• Implemented locally…
• …integrate with future national efforts…
• …and international
What’s in SSO?
• Identity mgmt, User mgmt
• Credential conversions
– Certificates, AD/K5
– Protection of credentials
• Thin clients vs thick clients
• Passwords and -phrases
– Single password to all resources
What’s in SSO?
(diagram: Portals, MyProxy, VOMS, Java gsissh terminal, SDSC SRB, SRM, Tapestore, Active Directory / Kerberos)
Challenge: get distinct components to talk together
Authentication – web based
• If on-site, use federal id (Active Directory/Kerberos)
• If off-site, use certificate
– if loaded into browser
• Otherwise username/password
– Same as fed username/password
– Not allowed to store password…
• System must know these are the same
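The decision order on this slide (on-site: federal id via AD/Kerberos; off-site: certificate if loaded into the browser; otherwise username/password, which must be recognised as the same person) as an added worked example, not code from the original deck. The site network range, the principal/DN links and the password verifier are constructed stand-ins for the real AD/K5 backend.

```python
"""Resolve one federal identity from the three web-based authentication paths."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample data (assumptions, not the site's real configuration).
SITE_NETWORK = ip_network("192.0.2.0/24")            # assumed on-site address range
# The identity links are what lets the system "know these are the same".
PRINCIPAL_TO_USER = {"jgj@EXAMPLE.AC.UK": "jgj"}      # Kerberos principal -> federal id
DN_TO_USER = {"/C=UK/O=eScience/OU=Example/CN=j jensen": "jgj"}  # cert DN -> federal id
_SITE_PASSWORDS = {"jgj": "correct horse"}            # stands in for the AD/K5 check


def site_verify(username: str, password: str) -> bool:
    """Yes/no call-out to site authentication; the portal never keeps the password."""
    return _SITE_PASSWORDS.get(username) == password


@dataclass
class Request:
    client_ip: str
    krb_principal: Optional[str] = None   # set when the browser completed AD/Kerberos auth
    cert_dn: Optional[str] = None         # set when a certificate is loaded into the browser
    username: Optional[str] = None
    password: Optional[str] = None


def resolve_identity(req: Request) -> Tuple[Optional[str], str]:
    """Return (federal_username, method) on success or (None, reason) on failure."""
    on_site = ip_address(req.client_ip) in SITE_NETWORK
    if on_site and req.krb_principal:
        user = PRINCIPAL_TO_USER.get(req.krb_principal)
        return (user, "kerberos") if user else (None, "unknown principal")
    if not on_site and req.cert_dn:
        user = DN_TO_USER.get(req.cert_dn)
        return (user, "certificate") if user else (None, "unknown DN")
    if req.username and req.password:
        ok = site_verify(req.username, req.password)
        req.password = None               # not allowed to store it: discard right away
        return (req.username, "password") if ok else (None, "bad password")
    return (None, "no credentials")
```

Whichever path is taken, the caller receives the same federal username, so a session or proxy fetched afterwards is tied to one identity rather than three.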
Web (HTTPS) based SSO
• Easier to implement servers
– Apache can do Everything™
– Not trivial to integrate with existing Java portals
– Apache vs Tomcat, StringBeans, uPortal, CHEF, SAKAI,…
• Lots of HTTP tools that understand security
• Future proof, when UK goes to Shibboleth
Client Side – from outside CCLRC
(diagram, old slide: Portal, Certificate, VOMS, SRB, The Grid)
Client Side – from within CCLRC
(diagram, old slide: Portal, MyProxy, VOMS, Microsoft Active Directory, SRB, The Grid)
SRB
• SRB provides SSO
• But ∫ with everybody else’s…
• S commands can be used with GSI and with username/password
• inQ doesn’t understand certificates
(diagram: The Grid, SRB, The Beam)
MyProxy
• MyProxy essential to SSO to Grid
– Because Grid requires X.509 certs
• Call out to site authentication
– For username/password maintenance
• Investigating new MyProxy+PAM
Status – Users
• Need certificates for Grid work
• Once every year, obtain/renew cert
– Usability of CA improved with upgrade
– Will resurrect applets
• Once every week, renew proxy
– Upload tool in Java, another in python
• Once every day
– Log in to Windows (or Linux kinit)
Status – software
• Prototype portal (python)
– Thin clients (web browser)
– Fetches proxy from myproxy
– AD/K5 works with IE and certain Linux browsers
• Components for thick clients
– Fetches proxy locally from MyProxy
Authorisation
(diagram: Microsoft Active Directory, Corporate Data Repository, LDAP, VOMS, MyProxy, Gridmapfile)
Combining Grid Authorisation
(diagram: three LDAP directories, CCLRC, NGS, LCG, GridAUZ)
Future work
• VOMS
• Extending collaboration
– Related Shib work with Oxford
• Grid access for non-certificate users
• DLS & IB very interested (+BDWorld?)
• Ponder credential conversions/protection
– Work on-going between CAs in IGTF
Summary
• Prototype SSO access to Grid
• Existing implementations, added glue
• Loads of other minor things that need doing
• Integrating with other SSO efforts
• Facilities’ user offices maintain ids
• More authorisation work req’d