single sign-on to the grid
Post on 31-Dec-2015
Jens G Jensen
CCLRC e-Science
Single Sign-on to the Grid
Federated Access and Integrated Identity Management
The Problem
• Scope: CCLRC
– But extending
• CCLRC facilities
– DLS, ISIS, CLF, SRD
• Access to Grid
– NGS, SCARF
– The SRBs
– Atlas Tapestore
What’s in SSO?
• Identity and User Management
• Credential conversions
– Certificates, AD/K5
– Protection of credentials
• Thin clients vs thick clients
• Passwords and -phrases
– Single password to all resources
Authentication – web based
• If on-site, use federal id
• If off-site, use certificate
– if loaded into browser
• Otherwise username/password
– Same as fed username/password
– Not allowed to store password…
• System must know these are the same
Web (HTTPS) based SSO
• Easier to implement servers
– Apache can do Everything™
– Not trivial to integrate with existing Java portals
– Apache vs Tomcat, StringBeans, uPortal, CHEF, SAKAI,…
• Lots of HTTP tools that understand security
• Future proof, when UK goes to Shibboleth
Client Side – from outside CCLRC
[Diagram (old slide): portal, VOMS, certificate, the Grid, SRB]
Client Side – from within CCLRC
[Diagram (old slide): portal, MyProxy, VOMS, Microsoft Active Directory, the Grid, SRB]
SRB
• SRB provides SSO
– But ∫ with everybody else’s…
• S commands can be used with GSI and with username/password
• inQ doesn’t understand certificates
[Diagram: the Grid, SRB, the beam]
Proposed DIAMOND Infrastructure
[Diagram: detectors with ADSC RAID 2TB, 20TB SRB vaults, ADS resources, 160TB SRB vault, SRB space…]
Slide borrowed from P Berrisford
Proposed DIAMOND Phase 1 Test Infrastructure
[Diagram: ‘20 TB’ vault, SRB ADS cache, SRB ADS tape resource, SRB Storage Server, SRB MCAT Server, SRB ADS Server, MCAT database; Data Management Group, Data Storage Group, DIAMOND]
Slide borrowed from P Berrisford
What’s in a name
• Federal id – jj47@fed.cclrc.ac.uk
• DN – /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens g jensen
• SRB username, fed id or based on CN
• Tapestore username – arbitrary: jj47
– or based on VO (via SRM or SRB)
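The identity-linking problem this slide and the earlier "System must know these are the same" point describe, as an added example (not code from the talk or from CCLRC): a small Python registry that ties one person's federal id, DN, SRB name and tapestore name together, rejects a name that another user office has already handed out, and emits and parses a Globus-style grid-mapfile of the kind the authorisation slides list under LDAP/GridMap. The class and function names and the second user are constructed; only jj47's federal id and DN come from the slide.

```python
import shlex

class IdentityRegistry:
    """One record per person, keyed by federal id, plus a reverse index so a
    DN, SRB username or tapestore username resolves to that same person."""
    def __init__(self):
        self.people = {}   # fed_id -> {"fed": ..., "dn": ..., "srb": ..., "tape": ...}
        self.reverse = {}  # (kind, value) -> fed_id

    def register(self, fed_id, dn, srb=None, tape=None):
        # SRB name defaults to the federal id's local part; tapestore name is arbitrary.
        local = fed_id.split("@")[0]
        record = {"fed": fed_id, "dn": dn, "srb": srb or local, "tape": tape or local}
        for kind, value in record.items():
            owner = self.reverse.get((kind, value))
            if owner is not None:
                # Name already handed out (possibly by another user office): the namespace clash to catch.
                raise ValueError(f"{kind} {value!r} already belongs to {owner}")
        self.people[fed_id] = record
        for kind, value in record.items():
            self.reverse[(kind, value)] = fed_id
        return record

    def resolve(self, kind, value):
        """Federal id behind an identifier of kind fed/dn/srb/tape, or None."""
        return self.reverse.get((kind, value))

    def gridmap(self):
        """Globus grid-mapfile text: one '"<DN>" <local user>' line per person."""
        return "\n".join(f'"{r["dn"]}" {r["tape"]}' for r in self.people.values())

def parse_gridmap(text):
    """Parse grid-mapfile text into {dn: [users]}: DN is double-quoted, users comma-separated."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, users = shlex.split(line)[:2]
        mapping[dn] = users.split(",")
    return mapping

def build_demo_registry():
    """Two constructed users; jj47's federal id and DN are the ones on the slide."""
    reg = IdentityRegistry()
    reg.register("jj47@fed.cclrc.ac.uk", "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens g jensen")
    reg.register("ab12@fed.cclrc.ac.uk",  # constructed second user
                 "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice b example", tape="alice")
    return reg
```

A rejected `register` call leaves the registry untouched, so a clash between two user offices surfaces at registration time rather than as two people sharing an SRB or tapestore account.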
Status – User Office
• Set up identities
• Maintain identities
• Registration Authority for CA
• Needs user office friendly tools
• Challenge: ensure user offices are consistent
– Namespaces, identities
Status – Users
• Need certificates for Grid work
• Once every year, obtain/renew cert
– Usability of CA improved with upgrade
– Will resurrect applets
• Once every week, renew proxy
– Upload tool in Java, another in python
• Once every day
– Log in to Windows (or Linux kinit)
Status – software
• Prototype portal (python)
– Thin clients (web browser)
– Fetches proxy from myproxy
– AD/K5 works with IE and certain Linux browsers
• Components for thick clients
– Fetches proxy locally from MyProxy
Authorisation – VO mgmt
• Agree roles (between facilities)
• Need for tools
– Track project proposal
• Infrastructure
– LDAP/GridMap
– VOMS
– (future things)
User Information
[Diagram: CDR user database feeding the facilities (DLS, SRS, ISIS, SSTD, CLF,…) and the Grid (e.g. NGS, SCARF, Datastore)]
Authorisation
[Diagram: Microsoft Active Directory, CDR, LDAP, VOMS, MyProxy?, gridmap file]
Combining Grid Authorisation
[Diagram: LDAP servers from CCLRC, NGS and LCG feeding Grid AUZ]
Keeping identities
[Diagram: first attempt; second attempt]
The Who
• CCLRC e-Science/GOSC
– D Byard, M Viljoen (code)
• CCLRC e-Science Data Management
– SRB work
• CCLRC e-Science Atlas Tapestore
• CCLRC BITD
– Database
• Facilities – Diamond, ISIS, CLF, SRD
Future work
• VOMS
• Extending collaboration
– Related Shib work with Oxford
• Grid access for non-certificate users
• DLS & IB very interested (+BDWorld?)
• Ponder credential conversions
– And protection
Summary
• Prototype SSO access to Grid
• Existing implementations, added glue
• Loads of other minor things that need doing
• Integrating with other SSO efforts
• Facilities’ user offices maintain ids
• More authorisation work req’d