
Airavata Credential Store paper presentation by Amila Jayasekara at the Cluster Cloud and Grid Computing Conference - CCGrid 2014.


Page 1: Apache Airavata Credential Store

A Credential Store for Multi-Tenant Science Gateways
Thejaka Kanewala, Suresh Marru, Jim Basney, Marlon Pierce

Agenda
- Terminology
- Problems / Challenges
- Solutions proposed

Page 2

Science Gateways

Computationally expensive experiments are run on resources such as Grids and Clouds.

Science Gateways ...
- Hide the complexities of using the underlying cyberinfrastructure resources.
- Provide a domain-specific user interface to scientists.
- Help scientists build communities: create experiments, share experiments, share data ...

Page 3

Organization of a Science Gateway

Page 4

Organization of a Science Gateway (contd ...)

Front end portal
- Science domain specific Web User Interface (UI).

Middleware
- Bridges the communication between the front end portal server and the backend computational resources.
- Implements other application logic (provenance data management, application execution, storing metadata, processing results from execution, etc.).

Backend resources

Page 5

Challenges

1. Resource Credential Delegation.
2. Management of heterogeneous credentials associated with grids, clouds and local resources.
3. Management of gateway credentials in an isolated manner in a middleware that supports multiple gateways.
4. Maintain accountability at the resource.

Page 6

Problem 1. Resource Credential Delegation

Page 7

Problem 1. Resource Credential Delegation (Community Account)

Page 8

Resource Credential Delegation (contd ...)

How to solve?
- Hand over credentials to the gateway user.
- Hard code resource credentials at the middleware layer.
  - Each time the gateway administrator retrieves credentials, they need to be updated in the middleware.
  - Hard coding credentials in the file system requires changing configuration files in the middleware, and also needs additional mechanisms to secure passwords.

Page 9

Problem 2. Heterogeneous Credentials

The gateway middleware connects various types of resources: Clouds, Grids, Local Clusters.

Different resources have different authentication mechanisms:
- MyProxy based authentication.
- SSH/Password/Key based authentication.

Incorporating a new authentication mechanism should not require changes to the middleware.

Page 10

Problem 3. Multi-Tenancy

Multiple science gateways connect to a single gateway middleware.

Need to make sure the credentials used by one gateway do not interfere with another gateway.

Proper isolation of gateways is needed when multiple gateways share the middleware.

Page 11

Problem 4. Maintain Accountability at the Resource

Maintain comprehensive audit records at the resource. In a disaster, the resource should be able to find out which user is responsible by looking at its own records, without consulting the gateway middleware.

The middleware should supply the experiment-invoking user's attributes to the resource.

Page 12

Credential Store

A secure generic data store to maintain heterogeneous authentication data.

Utilities to perform delegation and key generation.

A pluggable module to the gateway middleware.

Involves 3 main operations:
- Gateway registration
- Persisting credentials
- Querying credentials during application invocation

Page 13

Credential Store – Gateway Registration

Multiple science gateways need to operate in isolation from each other.

Each gateway portal server establishes trust with the gateway middleware using TLS mutual authentication.

Page 14

Credential Store – Credential Persistence

Capable of handling different types of credentials. Each credential type is stored as a serialized byte stream in the store.

Credentials are stored in a secure manner, secured at 3 layers:
- Each entry is encrypted using a key derived from the gateway id and a token.
- Use the database authentication mechanism to restrict access to database records.
- Data files are secured with proper Unix file security.

Each action on the credential store is recorded in an audit log.
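Pages 10 and 14 together describe the first of the three layers: each stored entry is encrypted under a key derived from the gateway id and a per-credential token, so one tenant's records are unreadable to another tenant even when both sit in the same database. The Go program below is an added illustration of that idea, not Airavata's own Java implementation; HMAC-SHA256 under a store-wide master secret as the key derivation, AES-GCM as the cipher, and all function names and sample values are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveKey: per-entry AES-256 key from gateway id + token, using HMAC-SHA256 under a
// store-wide master secret as the KDF (an illustrative choice, not Airavata's scheme).
func deriveKey(master []byte, gatewayID, token string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(gatewayID))
	mac.Write([]byte{0}) // separator: "ab"+"c" must not collide with "a"+"bc"
	mac.Write([]byte(token))
	return mac.Sum(nil)
}

func newGCM(master []byte, gatewayID, token string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(master, gatewayID, token))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealCredential stores nonce || ciphertext || tag; gatewayID is also bound as AEAD additional data.
func sealCredential(master []byte, gatewayID, token string, serialized []byte) ([]byte, error) {
	gcm, err := newGCM(master, gatewayID, token)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, serialized, []byte(gatewayID)), nil
}

// openCredential fails (no plaintext) for a wrong gateway id, a wrong token, or a truncated record.
func openCredential(master []byte, gatewayID, token string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(master, gatewayID, token)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, fmt.Errorf("sealed record too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(gatewayID))
}

func main() {
	master := []byte("constructed-master-secret") // constructed sample, not a real key
	sealed, _ := sealCredential(master, "gateway-A", "tok-1", []byte("constructed serialized credential"))
	_, err := openCredential(master, "gateway-B", "tok-1", sealed)
	fmt.Println("gateway-B can open gateway-A's entry:", err == nil) // prints false
}
```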

Page 15

Credential Store – Credential Persistence (contd …)

Page 16

Credential Store – Credential Persistence (contd ...)

Different mechanisms to persist credentials:
- Delegation based credential persistence.
- Key generation based credential persistence.
- Credential persistence by manually invoking the credential store service API.

Page 17

Delegation Based Persistence
- Mainly used for MyProxy credentials.
- Uses the OAuth protocol to delegate credentials into the Credential Store, and uses OA4MP.

Page 18

Key Generation Based Persistence
- Some resources only support SSH keys.
- Most of the time users don't want to persist their SSH keys in a third party store.
- Generate SSH keys within the Credential Store and hand over the public key to the user.
- One time manual step: the user needs to store the given public key in the resource.

Page 19

Raw Credential Persistence

If there is no support for delegation based credential persistence, we can use direct credential deposit.

Page 20

Credential Retrieval
- Given the token id, read credentials from the Credential Store.
- Decorates retrieved credentials (certificates) with actual user attributes (for MyProxy only).

Page 21

Credential Renewal

When persisting credentials, the lifetime of the credential is extracted and stored in a separate column.

The Credential Store periodically checks the validity of credentials.

Owners are notified of credentials that are near expiry.

MyProxy: register the gateway middleware as a trusted renewer in the MyProxy server, and use the gateway middleware credentials to renew other credentials.

SSH keys do not expire: a mechanism is provided to remove credentials from the Credential Store.

Page 22

Credential Store – High-level Architecture

Page 23

Implementation
- Implemented as a module in the Apache Airavata Gateway Middleware.
- Credentials are stored in a relational database.
- Implemented using Java and related security packages.
- Available in the Apache Airavata 0.11 release.

Page 24

Next ...
- Incorporate audit log integrity.
- Incorporate other delegation mechanisms such as OpenId, etc.
- Possible delegation mechanisms for SSH keys.

Page 25

Thank you!

Q/A