Attribute-based Authentication for Gateways
Jim Basney, Terry Fleury, Stuart Martin, JP Navarro, Tom Scavo, Jon Siwek, Von Welch, Nancy Wilkins-Diehr
Gateway Objectives for PY4 and 5
• TeraGrid integration will be straightforward for new and existing gateway developers
• There will be a set of easy to discover general services provided by and for Gateways
• The targeted support program will be well-organized
• We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users
• There will be a funded cross-directorate gateway program at the NSF
Presented December, 2007
We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users
• A unique identifier for each end gateway user per community account must exist in TGCDB
• Gateways will need to transmit and TGCDB will need to receive this additional identifier through any job submission mechanism
• Attribute-based authentication in production and easy to use
How will we meet those goals?
• Attribute-based authentication
– In our case, GridShib for Globus
– Fantastic documentation and assistance. Thanks Jim Basney, Tom Scavo, Terry Fleury
– http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
• From the April, 2009 TeraGrid review panel
– “The TG has stated the goal of switching to an attribute-based authentication mechanism for all Gateways by September of 2009. The panel recommends that every effort be made to complete this work on schedule.”
How will this be made available at RP sites?
science-gateway CTSS kit, which includes
• commsh
– NCSA-developed, PSC-enhanced tool to restrict community accounts
– http://teragridforum.org/mediawiki/index.php?title=Community_Shell
• GridShib for Globus Toolkit
– NCSA-developed tool to collect, process, store and log attributes
• Future TG-specific efforts will store these in the TGCDB
– http://gridshib.globus.org/
• Installation instructions
– http://software.teragrid.org/pacman/ctss4/ctss-science-gateway-registration/README.install
Ambitious, but achievable goal
• By September, 2009 all jobs submitted by community accounts will include attributes with unique user identifiers to be stored in the TGCDB
• Next steps
– RP testing through Feb 2009
– Globus Toolkit 4.0.9 released Feb 2009
– Capability Kit V2 released Mar 2009
– Production installations of Capability Kit V2
– 6-month gateway transition, March through August
• News postings, education process, log analysis to identify who still needs to make the switch, lots of support
– Big party in September!
Presented January, 2009
What’s happened between January and now?
• One word - GRAM5
– http://dev.globus.org/wiki/GRAM/GRAM5
• Two words - party delayed
• GRAM5 replacing GRAM2 (aka pre-WS GRAM)
– AAAA changes incorporated only in GRAM5 since GRAM2 is being retired
– ssh support only in GRAM5
• So, now we must wait for a production version of GRAM5 before we have attribute support for pre-WS GRAM and ssh
GRAM5 timeline
• Alpha versions installed
– QueenBee and Abe, thanks!
• Sept 15, 2009 news posted about GRAM5 availability for testing
– http://news.teragrid.org/view-item.php?item=4266
• Steps to TeraGrid availability
– Globus staff completes GT 5.0.0 (December 2009)
– VDT patching and verification (Alain Roy, 1-2 wks)
– GIG staff completes TeraGrid packaging (1-2 wks)
– ADs plan TG-wide deployment
• NOS (and RPs), UFP, software-wg, user services, gateways
Additional info
• Also need site-local accounting scripts to send attributes to TGCDB
– RP accounting staff
• Who’s already done?
– NICS has installed GT4 with attributes
• Thank you Victor and Rick
• Thank you Matthew at NCAR for attribute support in the AMP gateway, which is running on Kraken
– Early “attribute-enhanced” GT4 install experiences
• A novice RP should set aside maybe 1 week to do the entire install (being very generous), and an expert GRAM4 admin should be able to do the entire install in 2 days
• Side note
– Jon Siwek replaces Tom Scavo supporting this effort at NCSA
• Thanks for replacing such a key team member promptly
Gateway User Count
Quarterly Meeting
Diagram: Science Gateway side: Web Browser, Web Interface, Webapp (username, attributes), WebAuthn, GridShib SAML Tools, community credential, proxy certificate (SAML, Key), WS GRAM Client. Resource Provider side: WS GRAM Service in Java WS Container (with GridShib for GT), Security Context, Blacklist Policy, Logs.
Science Gateways add user attributes to the community credential and deliver those attributes to the Resource
Provider, where they are logged and used for blacklisting.
Diagram: Resource Provider: WS GRAM Service in Java WS Container (with GridShib for GT), Security Context, Blacklist Policy, Logs.
The GridShib-enhanced community account model permits fine-grained access
control and effective incident response at the resource.
Diagram: Security table and GRAM audit table at the Resource Provider, uploaded via AMIE to the TGCDB.
Since each request is now associated with a unique end
user, we push job info to TeraGrid Central for improved
auditing and accounting.
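An added illustration of the resource-provider side of the model in the three captions above (example code written for this page, not GridShib's own): the end-user attribute statement delivered with the community credential is parsed, checked against a blacklist policy, and turned into a per-user audit record of the kind pushed to TeraGrid Central. Element names follow the SAML 2.0 assertion schema, but the attribute name gateway-user-id, the sample assertion, the blacklist entry and the authorize_job function are assumptions, and the assertion is assumed to have already been authenticated through the proxy credential it rides in.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
USER_ID_ATTR = "gateway-user-id"  # hypothetical attribute name, not a GridShib constant

# Constructed sample (not a real gateway capture): the attribute statement a
# gateway binds to the community credential's proxy certificate for one job.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_NS}">
  <Issuer>https://gateway.example.org</Issuer>
  <AttributeStatement>
    <Attribute Name="{USER_ID_ATTR}">
      <AttributeValue>alice@gateway.example.org</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Blacklist policy held at the resource provider: one misbehaving end user is
# blocked without disabling the whole community account (constructed entry).
BLACKLIST = {"mallory@gateway.example.org"}

@dataclass
class AuditRecord:
    # Per-job log entry; gateway_user is the field that lets TeraGrid Central
    # count and account for individual end users behind a community account.
    community_account: str
    gateway_user: str
    job_id: str
    decision: str

def parse_attributes(assertion_xml):
    """Return {name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        attrs[attr.get("Name")] = [v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return attrs

def authorize_job(community_account, assertion_xml, job_id, blacklist=BLACKLIST):
    """Apply the blacklist and build the audit record; returns (allowed, record).
    Fails closed when no single end-user identifier is present: a job that
    cannot be attributed to an end user can be neither counted nor blacklisted.
    """
    users = parse_attributes(assertion_xml).get(USER_ID_ATTR, [])
    if len(users) != 1:
        return False, None
    user = users[0]
    decision = "denied" if user in blacklist else "allowed"
    return decision == "allowed", AuditRecord(community_account, user, job_id, decision)
```

Denied requests still produce an audit record, so a blacklisted user's attempts remain visible for incident response.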
Gateway kit installed at 4 sites today
http://www.teragrid.org/userinfo/software/ctss_results.php
• Installed on
– Abe
– Lonestar
– NCSA IA64 (testing)
– Kraken
– QueenBee
– Condor (testing)
– Steele (testing)
• Not installed on
– Lincoln
– Cobalt
– Big Red
– Ranch
– Spur
– Pople
– BigBen
– ORNL cluster
– Frost
Sites to target
• Sites available after 3/31/10
– Lincoln
– Cobalt
– Big Red
– Ranch
– Spur
– Pople
– BigBen
– ORNL cluster
– Frost
• New systems
– Track 2 C, D
– XD vis/data systems at NICS, TACC
– Others?
Community Account Usage by Site in 2008
Over 2M CPU hours used by community accounts in 2008
Over 8M CPU hours used by community accounts in 2009, 4x that of 2008!
Community Account Usage by Site in 2009
New gold star in 2009 for TACC: 69% of all community account usage
2009 TeraGrid staff activities for reference
• Apr-Jun 2009 Accomplishments
– Completed GridShib SAML Tools support for accounting integration
• Obtains gateway user attributes from GRAM Audit DB for inclusion in AMIE packets
– Demonstrated attribute delivery from GISolve to NCSA GRAM Audit DB
– Verified attribute integration in RENCI Gateway
– CTSS Science Gateway Kit deployed in production at LONI and TACC
• Jul-Sep 2009 Plans
– Develop support for SSH-based gateways
– Assist with testing GRAM2/GRAM5 attribute support
– Improve test site (http://gstest.ncsa.uiuc.edu/) to support GRAM2/GRAM5 submissions and test GRAM Audit
– Support gateway delivery of attributes to RPs
– Support deployment of Science Gateway Kit at RPs
– Support AMIE integration by RP accounting administrators
• Jul-Sep 2009 Accomplishments
– Developed and documented support for SSH-based gateways
• http://teragridforum.org/mediawiki/index.php?title=Gateway-Submit-Attributes
– Assisted with testing GRAM5 deployment with gateway attribute support on QueenBee
– Supported AMIE integration of gateway attribute support by RP accounting administrators on account-wg conference call and email list
– Updated test site (http://gstest.ncsa.uiuc.edu/) to support gateway tests using GRAM5 and provide clearer test results to gateway developers
• Oct-Dec 2009 Plans
– Assist with inclusion of GRAM5 and SSH support for gateway attributes in CTSS
– Support gateway delivery of attributes to RPs (19 of 24 gateways remain)
• Current status at: http://teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
– Support deployment of Science Gateway Kit at RPs
• Current status at: http://info.teragrid.org/web-apps/html/kit-reg-v1/science-gateway.teragrid.org-4.2.0/
– Support AMIE integration by RP accounting administrators
• NICS in progress; integration at other RPs pending
Next steps
• Planning for GT 5.0.0 update on TeraGrid
– Area directors
• Continued work on site-local accounting scripts to send attributes to TGCDB
– RP accounting staff
• After GT5 install, continue to work with gateways on attribute incorporation
– Nancy, Jon
• PY6 plans include nifty accounting tools from TACC to allow gateways to monitor per-user usage