
Attribute-based Authentication for Gateways Jim Basney Terry Fleury Stuart Martin JP Navarro Tom Scavo Jon Siwek Von Welch Nancy Wilkins-Diehr

Upload: dominick-davis

Post on 11-Jan-2016


Page 1

Attribute-based Authentication for Gateways

Jim Basney, Terry Fleury, Stuart Martin, JP Navarro, Tom Scavo, Jon Siwek, Von Welch, Nancy Wilkins-Diehr

Page 2

Gateway Objectives for PY4 and 5

• TeraGrid integration will be straightforward for new and existing gateway developers

• There will be a set of easy-to-discover general services provided by and for Gateways

• The targeted support program will be well-organized

• We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users

• There will be a funded cross-directorate gateway program at the NSF

Presented December 2007

Page 3

We will be able to routinely count end gateway users, who will total 25% of total TeraGrid users

• A unique identifier for each end gateway user per community account must exist in TGCDB

• Gateways will need to transmit, and TGCDB will need to receive, this additional identifier through any job submission mechanism

• Attribute-based authentication in production and easy to use

Presented December 2007

Page 4

How will we meet those goals?

• Attribute-based authentication
  – In our case, GridShib for Globus
  – Fantastic documentation and assistance. Thanks Jim Basney, Tom Scavo, Terry Fleury
  – http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

• From the April, 2009 TeraGrid review panel
  – “The TG has stated the goal of switching to an attribute-based authentication mechanism for all Gateways by September of 2009. The panel recommends that every effort be made to complete this work on schedule.”

Page 5

How will this be made available at RP sites?

science-gateway CTSS kit, which includes

• commsh
  – NCSA-developed, PSC-enhanced tool to restrict community accounts
  – http://teragridforum.org/mediawiki/index.php?title=Community_Shell

• GridShib for Globus Toolkit
  – NCSA-developed tool to collect, process, store and log attributes
    • Future TG-specific efforts will store these in the TGCDB
  – http://gridshib.globus.org/

• Installation instructions
  – http://software.teragrid.org/pacman/ctss4/ctss-science-gateway-registration/README.install

Page 6

Ambitious, but achievable goal

• By September, 2009 all jobs submitted by community accounts will include attributes with unique user identifiers to be stored in the TGCDB

• Next steps
  – RP testing through Feb 2009
  – Globus Toolkit 4.0.9 released Feb 2009
  – Capability Kit V2 released Mar 2009
  – Production installations of Capability Kit V2
  – 6-month gateway transition – March through August
    • News postings, education process, log analysis to identify who still needs to make the switch, lots of support
  – Big party in September!

Presented January 2009

Page 7

What’s happened between January and now?

• One word - GRAM5
  – http://dev.globus.org/wiki/GRAM/GRAM5

• Two words – party delayed

• GRAM5 replacing GRAM2 (aka pre-WS GRAM)
  – AAAA changes incorporated only in GRAM5 since GRAM2 is being retired
  – ssh support only in GRAM5

• So, now we must wait for a production version of GRAM5 before we have attribute support for pre-WS GRAM and ssh

Page 8

GRAM5 timeline

• Alpha versions installed
  – QueenBee and Abe, thanks!

• Sept 15, 2009 news posted about GRAM5 availability for testing
  – http://news.teragrid.org/view-item.php?item=4266

• Steps to TeraGrid availability
  – Globus staff completes GT 5.0.0 (December 2009)
  – VDT patching and verification (Alain Roy, 1-2 wks)
  – GIG staff completes TeraGrid packaging (1-2 wks)
  – ADs plan TG-wide deployment
    • NOS (and RPs), UFP, software-wg, user services, gateways

Page 9

Additional info

• Also need site-local accounting scripts to send attributes to TGCDB
  – RP accounting staff

• Who’s already done?
  – NICS has installed GT4 with attributes
    • Thank you Victor and Rick
    • Thank you Matthew at NCAR for attribute support in AMP gateway, which is running on Kraken
  – Early “attribute-enhanced” GT4 install experiences
    • A novice RP should set aside maybe 1 week to do the entire install (being very generous), and an expert GRAM4 admin should be able to do the entire install in 2 days

• Side note
  – Jon Siwek replaces Tom Scavo supporting this effort at NCSA
    • Thanks for replacing such a key team member promptly

Page 10

Gateway User Count

[Architecture diagram. Science Gateway side: Web Browser → Web Interface / Webapp (username, web auth) → GridShib SAML Tools add SAML attributes to the community credential, producing a proxy certificate with an embedded key and SAML → WS GRAM Client. Resource Provider side: WS GRAM Service in a Java WS Container (with GridShib for GT) → Security Context → Logs and Blacklist Policy.]

Science Gateways add user attributes to the community credential and deliver those attributes to the Resource Provider, where they are logged and used for blacklisting.

Page 11

Gateway User Count

[Architecture diagram, Resource Provider side: WS GRAM Service in a Java WS Container (with GridShib for GT) → Security Context → Logs and Blacklist Policy; the Security table and GRAM audit table feed an AMIE upload to the TGCDB.]

The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.

Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.
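The two diagrams above describe a flow rather than code: the gateway attaches the end user's identity to the community credential, and the resource provider logs it, applies a per-user blacklist, and forwards per-job records for accounting. The following is an added, constructed Python model of that flow, not GridShib, Globus or TeraGrid code. The community DN, the `gateway-user` attribute name, the `ResourceProvider` class and the scenario data are all assumptions made for the example; real deployments carry the attributes as SAML inside the proxy certificate and store them in the GRAM audit table.

```python
"""Constructed model of the attribute-enhanced community account flow.

Shows why per-user attributes matter: a resource provider can block one
end user, or meter one end user's CPU hours, without touching the shared
community account that every gateway user submits through.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed community-account subject; a real gateway uses its own DN.
COMMUNITY_DN = "/C=US/O=Example/CN=gateway-community"
ATTR_USER = "gateway-user"   # assumed attribute name, not the real one


@dataclass
class JobRequest:
    community_dn: str          # subject of the proxy certificate used to authenticate
    attributes: Dict[str, str] # attributes embedded by the gateway (empty if not yet switched)
    cpu_hours: float           # resources the job will consume


@dataclass
class AuditRecord:
    community_dn: str
    gateway_user: Optional[str]
    decision: str
    cpu_hours: float


def gateway_submit(gateway_user: str, cpu_hours: float, attach_attributes: bool = True) -> JobRequest:
    """Gateway side: every job is signed with the community credential; a gateway
    that has made the switch also embeds the end user's identifier."""
    attrs = {ATTR_USER: gateway_user} if attach_attributes else {}
    return JobRequest(COMMUNITY_DN, attrs, cpu_hours)


@dataclass
class ResourceProvider:
    authorized_communities: Set[str]
    require_attributes: bool = True
    blacklist: Set[Tuple[str, str]] = field(default_factory=set)   # (community_dn, gateway_user)
    audit_table: List[AuditRecord] = field(default_factory=list)   # stand-in for the GRAM audit table

    def handle(self, req: JobRequest) -> str:
        """RP side: authenticate the community credential, then authorize the end user."""
        user = req.attributes.get(ATTR_USER)
        if req.community_dn not in self.authorized_communities:
            decision = "deny:unknown-community"
        elif user is None:
            # Transition period: log unattributed jobs so log analysis can find
            # gateways that still need to switch; strict mode rejects them.
            decision = "deny:no-attributes" if self.require_attributes else "allow:unattributed"
        elif (req.community_dn, user) in self.blacklist:
            decision = "deny:blacklisted-user"
        else:
            decision = "allow"
        charged = req.cpu_hours if decision.startswith("allow") else 0.0
        self.audit_table.append(AuditRecord(req.community_dn, user, decision, charged))
        return decision

    def blacklist_user(self, community_dn: str, gateway_user: str) -> None:
        """Incident response at the resource: block one end user, leave the community account up."""
        self.blacklist.add((community_dn, gateway_user))

    def unattributed_jobs(self) -> List[AuditRecord]:
        """Which submissions still arrive without attributes (gateway has not switched)."""
        return [r for r in self.audit_table if r.gateway_user is None]

    def per_user_usage(self) -> Dict[Tuple[str, Optional[str]], float]:
        """Accounting view to push upstream: CPU hours per end user, not per community account."""
        usage: Dict[Tuple[str, Optional[str]], float] = defaultdict(float)
        for r in self.audit_table:
            if r.decision.startswith("allow"):
                usage[(r.community_dn, r.gateway_user)] += r.cpu_hours
        return dict(usage)


def run_scenario() -> dict:
    """Constructed scenario: two attributed users, one unattributed job, one incident."""
    rp = ResourceProvider({COMMUNITY_DN}, require_attributes=False)
    decisions = [
        rp.handle(gateway_submit("alice", 10.0)),
        rp.handle(gateway_submit("bob", 5.0)),
        rp.handle(gateway_submit("carol", 2.0, attach_attributes=False)),
    ]
    rp.blacklist_user(COMMUNITY_DN, "bob")          # incident traced to bob only
    decisions.append(rp.handle(gateway_submit("bob", 5.0)))     # bob is now denied
    decisions.append(rp.handle(gateway_submit("alice", 3.0)))   # alice is unaffected
    decisions.append(rp.handle(JobRequest("/C=US/O=Example/CN=someone-else", {ATTR_USER: "mallory"}, 1.0)))
    return {"decisions": decisions, "usage": rp.per_user_usage(), "unattributed": len(rp.unattributed_jobs())}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The point the scenario makes is the one the slide states: once each request carries a unique end-user identifier, the blacklist and the accounting both key on `(community_dn, gateway_user)` instead of on the community account alone, so the unattributed job is still visible in the audit table as work that cannot be attributed to anyone.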

Page 12

Gateway kit installed at 4 sites today
http://www.teragrid.org/userinfo/software/ctss_results.php

• Installed on
  – Abe
  – Lonestar
  – NCSA IA64 (testing)
  – Kraken
  – QueenBee
  – Condor (testing)
  – Steele (testing)

• Not installed on
  – Lincoln
  – Cobalt
  – Big Red
  – Ranch
  – Spur
  – Pople
  – BigBen
  – ORNL cluster
  – Frost

Page 13

Sites to target

• Sites available after 3/31/10
  – Lincoln
  – Cobalt
  – Big Red
  – Ranch
  – Spur
  – Pople
  – BigBen
  – ORNL cluster
  – Frost

• New systems
  – Track 2 C, D
  – XD vis/data systems at NICS, TACC
  – Others?

Page 14

Community Account Usage by Site in 2008

Over 2M CPU hours used by community accounts in 2008

Page 15

Community Account Usage by Site in 2009

Over 8M CPU hours used by community accounts in 2009, 4x that of 2008!

New gold star in 2009 for TACC: 69% of all community account usage

Page 16

2009 TeraGrid staff activities for reference

• Apr-Jun 2009 Accomplishments
  – Completed GridShib SAML Tools support for accounting integration
    • Obtains gateway user attributes from GRAM Audit DB for inclusion in AMIE packets
  – Demonstrated attribute delivery from GISolve to NCSA GRAM Audit DB
  – Verified attribute integration in RENCI Gateway
  – CTSS Science Gateway Kit deployed in production at LONI and TACC

• Jul-Sep 2009 Plans
  – Develop support for SSH-based gateways
  – Assist with testing GRAM2/GRAM5 attribute support
  – Improve test site (http://gstest.ncsa.uiuc.edu/) to support GRAM2/GRAM5 submissions and test GRAM Audit
  – Support gateway delivery of attributes to RPs
  – Support deployment of Science Gateway Kit at RPs
  – Support AMIE integration by RP accounting administrators

Page 17

• Jul-Sep 2009 Accomplishments
  – Developed and documented support for SSH-based gateways
    • http://teragridforum.org/mediawiki/index.php?title=Gateway-Submit-Attributes
  – Assisted with testing GRAM5 deployment with gateway attribute support on QueenBee
  – Supported AMIE integration of gateway attribute support by RP accounting administrators on account-wg conference call and email list
  – Updated test site (http://gstest.ncsa.uiuc.edu/) to support gateway tests using GRAM5 and provide clearer test results to gateway developers

• Oct-Dec 2009 Plans
  – Assist with inclusion of GRAM5 and SSH support for gateway attributes in CTSS
  – Support gateway delivery of attributes to RPs (19 of 24 gateways remain)
    • Current status at: http://teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
  – Support deployment of Science Gateway Kit at RPs
    • Current status at: http://info.teragrid.org/web-apps/html/kit-reg-v1/science-gateway.teragrid.org-4.2.0/
  – Support AMIE integration by RP accounting administrators
    • NICS in progress; integration at other RPs pending

Page 18

Next steps

• Planning for GT 5.0.0 update on TeraGrid
  – Area directors

• Continued work on site-local accounting scripts to send attributes to TGCDB
  – RP accounting staff

• After GT5 install, continue to work with gateways on attribute incorporation
  – Nancy, Jon

• PY6 plans include nifty accounting tools from TACC to allow gateways to monitor per-user usage