Globus Toolkit: Authentication and Credential Translation · 2009-01-29
Post on 13-Apr-2020
Globus Toolkit: Authentication and Credential Translation
JET Workshop, April 14, 2004
Frank Siebenlist
franks@mcs.anl.gov
http://www.globus.org/
Copyright (c) 2002 University of Chicago and The University of Southern California. All Rights Reserved. This presentation is licensed for use under the terms of the Globus Toolkit Public License.
See http://www.globus.org/toolkit/download/license.html for the full text of this license.
JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 2
Outline
Globus Alliance & Globus Toolkit
The Grid “problem”
Globus Security Infrastructure (GSI)
Public Key Credentials + Proxy-Certificates
SSL, GSSAPI/GSI and Delegation
Kx509: Kerberos => PK
Pkinit: PK => Kerberos
GridLogon: username/password/OTP => PK
Futures and Conclusion
The Globus™ Alliance: Making Grid computing a reality
Argonne, UC, USC/ISI, EPCC, PDC, NCSA
Close collaboration with many scientific and commercial Grid application and infrastructure projects
Development and promotion of standard Grid protocols to enable interoperability and shared infrastructure
Development and promotion of standard Grid software APIs and SDKs to enable portability and code sharing
The Globus Toolkit® software: Open source software base for building Grid infrastructure and applications
LHC Data Distribution (diagram; labels recovered from the slide)
Tiers: Tier 0 (CERN Computer Centre: Online System, Offline Processor Farm ~20 TIPS), Tier 1 (regional centres: FermiLab ~4 TIPS, France, Italy, Germany), Tier 2 (Tier2 Centres ~1 TIPS each, Caltech ~1 TIPS), Tier 4 (Institutes ~0.25 TIPS, physicist workstations, physics data cache)
Links: ~PBytes/sec, ~100 MBytes/sec, ~622 Mbits/sec or Air Freight (deprecated), ~1 MBytes/sec
There is a “bunch crossing” every 25 nsecs. There are 100 “triggers” per second. Each triggered event is ~1 MByte in size.
Physicists work on analysis “channels”. Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server.
1 TIPS is approximately 25,000 SpecInt95 equivalents
Multiple Security Domains (diagram; labels recovered from the slide: Requester, Scheduling Svc, Bandwidth Svc (two), Data Source / Data Src Svc, Compute Facility / Svc (two), Post-Processing Facility, Svc X; data flows Raw Data, Input Data, Output Data, Result Data)
• Each Organization is “independent”
• Each Organization has its own AuthN mechanisms
• Each Organization enforces its own access policy
• User needs to delegate rights to broker which may need to delegate to services
• QoS/QoP Negotiation and multi-level delegation
Grid Security Infrastructure (GSI)
Based on standard PKI technologies
SSL protocol for authentication, message protection + GSSAPI-mechanism
CAs allow one-way, light-weight trust relationships (not just site-to-site)
X.509 Certificates for asserting identity for users, services, hosts, etc.
Proxy Certificates: GSI extension to X.509 certificates for delegation, single sign-on
Grid Security Infrastructure (GSI)
Use GSI as a standard mechanism for bridging disparate security mechanisms
Doesn’t solve trust problem, but now things talk same protocol and understand each other’s identity credentials
Basic support for delegation, policy distribution
Translate from other mechanisms to/from GSI as needed
Convert from GSI identity to local identity for authorization
Grid Identity, Local Policy (diagram: one Grid Identity is mapped to a local name at each site, and each site applies its own Local Policy)
• In current model, all Grid entities are assigned a PKI identity.
• User is mapped to local identities to determine local policy.
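The "map to local name" step above is what a grid-mapfile lookup does: the authenticated certificate DN is the key, the value is the local account the site is willing to run the request as, and an unmapped DN is denied. The example below is added here and is not Globus code; the mapfile text and the DNs are constructed for illustration, and the rule for stripping proxy RDNs before the lookup is an assumption covering the two proxy naming styles (legacy `CN=proxy` / `CN=limited proxy`, and RFC 3820 style numeric CNs).

```python
"""Map a GSI identity (certificate DN) to a local account via a grid-mapfile lookup.

Added example, standard library only; the mapfile text and the DNs are constructed
for illustration and this is not Globus code.  The proxy-RDN stripping rule is an
assumption that covers the two proxy naming styles seen in practice.
"""
import shlex

# Constructed grid-mapfile: quoted DN, then one or more comma-separated local
# account names; '#' starts a comment.  The first listed account is the default.
GRID_MAPFILE = """\
# distinguished name -> local account(s)
"/C=US/O=Globus/OU=Argonne/CN=Jane Doe" jdoe,physics
"/C=US/O=Globus/OU=Argonne/CN=John Smith" jsmith
"/C=US/O=Globus/OU=Argonne/CN=Service/Host=data.example.org" datasvc
"""

# Assumed proxy markers: legacy GSI proxies append CN=proxy or CN=limited proxy,
# RFC 3820 style proxies append a CN holding a decimal number.
LEGACY_PROXY_CNS = ("proxy", "limited proxy")


def parse_gridmap(text):
    """Return {DN: [local accounts]}; malformed lines raise rather than being skipped."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps the quoted DN (which contains spaces) together
        if len(parts) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected DN and local account list")
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def end_entity_dn(subject_dn):
    """Strip trailing proxy RDNs so the lookup key is the user's certificate DN.
    DNs are in OpenSSL 'oneline' form, '/' separated; an RDN value containing
    '/' would need escaping that this toy parser does not handle."""
    rdns = subject_dn.split("/")[1:]
    while rdns and rdns[-1].startswith("CN="):
        value = rdns[-1][3:]
        if value.lower() not in LEGACY_PROXY_CNS and not value.isdigit():
            break
        rdns.pop()
    return "/" + "/".join(rdns)


def is_limited_proxy(subject_dn):
    """A limited proxy anywhere in the name restricts what the holder may start."""
    return any(rdn == "CN=limited proxy" for rdn in subject_dn.split("/")[1:])


def map_to_local(mapping, subject_dn, requested=None):
    """Resolve the local account for an authenticated subject; None means deny.
    A requested account is honoured only if the mapfile lists it for that DN."""
    accounts = mapping.get(end_entity_dn(subject_dn), [])
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None
```

Two points the lookup has to get right: the key must be the end-entity DN, not the proxy's subject (otherwise every fresh proxy, with its new CN, would miss the mapfile), and a caller-supplied target account is only a hint to be checked against the mapfile, never trusted on its own. Note also that this compares DN strings byte-for-byte, so both sides must render names the same way.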
Use Delegation to Establish Dynamic Distributed System (diagram; labels: Virtual Organization, Rights, Service, Compute Center (two))
X.509 Proxy Certificates
GSI Extension to X.509 Identity Certificates
On RFC track
Enables single sign-on
Allow user to dynamically assign identity and rights to service
Can name services created on the fly and give them rights (i.e. set policy)
What is effectively happening is the user is creating their own trust domain of services
Services trust each other with user acting as the trust root
Proxy Certificates (diagram): from the X.509 identity certificate CN=Jane Doe the user creates an X.509 proxy certificate CN=Jane Doe/9874 carrying Rights: can access file F1, Service S1, …; by X.509 proxy delegation a Service receives the proxy and uses the delegated rights to access the resources S1 and F1.
Goal is to do this with arbitrary mechanisms (diagram; the same delegation picture as the previous slide, with credential labels Kerberos/WS-Security, X.509/SSL, SAML Attribute and X.509 AC between the Virtual Organization, the Service and the Compute Centers)
Kerberos to GSI Gateway
To use Kerberos, a Kerberos-to-GSI gateway translates Kerberos credentials to GSI credentials to allow local Kerberos users to authenticate on the Grid.
Kx509/KCA is an implementation of one such gateway.
Sslk5 and pkinit provide the opposite direction: they gateway incoming Grid credentials into local Kerberos credentials.
Local Identity, Grid Identity, Local Policy (diagram; labels: Kerberos Site, KCA, Grid Identity, SSLK5, KRB5 Resources, Map to local name, Local Policy)
GridLogon: Credential Wallet/Converter
GridLogon (MyProxy) allows users to store GSI credentials and retrieve them
With username/password or other credential
Integration with One-Time-Password (OTP) Systems
Can act as a credential translator from username/password to GSI
Used by services that can only handle username and pass phrases to authenticate to Grid
Services limited by client implementations, e.g. web portals
Also handles credential renewal for long-running tasks
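Both the proxy-certificate slides earlier and the GridLogon slide describe the same operation: a holder of a credential (the user, a previous proxy, or the wallet keeping the user's key) signs a short-lived proxy certificate for a key pair that the delegatee generated, so the long-term private key never moves. The block below is an added example written with pyca/cryptography and is neither Globus/GSI nor MyProxy code; the toy CA, the names "Jane Doe" and "Mallory", the lifetimes and the hand-encoded ProxyCertInfo extension are all constructed here. It builds the chain CA → user → proxy → proxy and then checks it the way a relying party must: every link signed by the cert above it, each proxy named as its issuer plus one CN, the proxyCertInfo extension present and critical, the path-length constraint honoured, and each proxy's validity inside its issuer's.

```python
"""X.509 proxy-certificate delegation, built and checked with pyca/cryptography.
Added example: toy CA, names, lifetimes and the DER for ProxyCertInfo are constructed
here; this is not Globus/GSI or MyProxy code.  Chain checks follow the RFC 3820 rules."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID, ObjectIdentifier

PROXY_CERT_INFO = ObjectIdentifier("1.3.6.1.5.5.7.1.14")  # id-pe-proxyCertInfo
INHERIT_ALL = bytes.fromhex("2b06010505071501")            # DER body of OID id-ppl-inheritAll
TWELVE_HOURS, TWO_DAYS = datetime.timedelta(hours=12), datetime.timedelta(days=2)

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def proxy_cert_info_der(path_len=None):
    """ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL,
    proxyPolicy SEQUENCE { policyLanguage OID } }, policy = inherit all rights."""
    body = b"" if path_len is None else b"\x02\x01" + bytes([path_len])
    body += b"\x30\x0a\x06\x08" + INHERIT_ALL
    return b"\x30" + bytes([len(body)]) + body

def path_len_from_der(der):
    """Read the single-byte pCPathLenConstraint back, or None when absent."""
    return der[4] if der[2] == 0x02 else None

def _sign(subject, issuer, issuer_key, pubkey, lifetime, exts):
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5)).not_valid_after(now + lifetime))
    for ext, critical in exts:
        b = b.add_extension(ext, critical=critical)
    return b.sign(issuer_key, hashes.SHA256())

def make_identity(cn, ca=None):
    """Self-signed toy CA when ca is None, else a user certificate issued by ca=(key, cert)."""
    key = new_key()
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Grid"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer, signer = (name, key) if ca is None else (ca[1].subject, ca[0])
    bc = x509.BasicConstraints(ca=ca is None, path_length=None)
    return key, _sign(name, issuer, signer, key.public_key(), datetime.timedelta(days=365), [(bc, True)])

def delegate(issuer_cert, issuer_key, delegatee_pub, lifetime, path_len=None):
    """Issue a proxy for delegatee_pub: subject = issuer subject + one fresh CN RDN."""
    cn = x509.RelativeDistinguishedName(
        [x509.NameAttribute(NameOID.COMMON_NAME, str(x509.random_serial_number()))])
    pci = x509.UnrecognizedExtension(PROXY_CERT_INFO, proxy_cert_info_der(path_len))
    return _sign(x509.Name(issuer_cert.subject.rdns + [cn]), issuer_cert.subject,
                 issuer_key, delegatee_pub, lifetime, [(pci, True)])

def _signed_by(cert, issuer):
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == issuer.subject

def _is_ca(cert):
    return any(isinstance(e.value, x509.BasicConstraints) and e.value.ca for e in cert.extensions)

def _validity(cert):
    utc = datetime.timezone.utc  # cryptography < 42 returns naive UTC datetimes
    return tuple(getattr(cert, a + "_utc", None) or getattr(cert, a).replace(tzinfo=utc)
                 for a in ("not_valid_before", "not_valid_after"))

def verify_proxy_chain(chain, trust_anchor):
    """chain = [innermost proxy, ..., end-entity certificate]; returns (ok, reason)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    if not _signed_by(chain[-1], trust_anchor):
        return False, "end-entity certificate not issued by the trust anchor"
    if _is_ca(chain[-1]):
        return False, "a CA certificate cannot delegate"
    for depth, (proxy, issuer) in enumerate(zip(chain[:-1], chain[1:])):
        if not _signed_by(proxy, issuer) or _is_ca(proxy):
            return False, "proxy not signed by its issuer (or marked as a CA)"
        rdns, last = proxy.subject.rdns, list(proxy.subject.rdns[-1])
        if rdns[:-1] != issuer.subject.rdns or len(last) != 1 or last[0].oid != NameOID.COMMON_NAME:
            return False, "proxy subject must be issuer subject plus exactly one CN"
        pci = next((e for e in proxy.extensions if e.oid == PROXY_CERT_INFO), None)
        if pci is None or not pci.critical:
            return False, "proxyCertInfo extension missing or not critical"
        limit = path_len_from_der(pci.value.value)
        if limit is not None and depth > limit:  # depth = proxies already issued below this one
            return False, "delegation deeper than pCPathLenConstraint allows"
        (nb, na), (inb, ina) = _validity(proxy), _validity(issuer)
        if nb < inb or na > ina or not nb <= now <= na:
            return False, "proxy validity outside issuer validity or expired"
    return True, "ok"

def build_demo_chain():
    """Toy CA -> Jane Doe -> p1 (one more hop allowed) -> p2 -> p3 (one hop too many)."""
    ca_key, ca = make_identity("Toy Grid CA")
    jane_key, jane = make_identity("Jane Doe", ca=(ca_key, ca))
    k1, k2, k3 = new_key(), new_key(), new_key()   # each delegatee keeps its own key
    p1 = delegate(jane, jane_key, k1.public_key(), TWELVE_HOURS, path_len=1)
    p2 = delegate(p1, k1, k2.public_key(), TWELVE_HOURS)
    p3 = delegate(p2, k2, k3.public_key(), TWELVE_HOURS)
    return dict(ca=ca, ca_key=ca_key, jane=jane, jane_key=jane_key, k1=k1, p1=p1, p2=p2, p3=p3)
```

`verify_proxy_chain([p2, p1, jane], ca)` returns `(True, "ok")`; adding `p3` on top fails on `p1`'s path-length constraint of 1, a proxy signed with somebody else's key fails the signature check even though its names look right, and a proxy whose lifetime outlasts its issuer is rejected. In a GridLogon/MyProxy deployment the `delegate` call runs on the wallet server with the user's stored key after the passphrase or OTP check; the portal only ever holds the delegatee key and the returned proxy.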
GridLogon: Passphrase-X.509 Federation Service (diagram; a Requestor's Web Browser request reaches a Web Portal/Server in the Username/password Domain; the portal presents username & pass phrase to GridLogon, which returns a GSI delegation; the portal then uses GSI delegation to reach the Grid Resource in the GSI Realm)
One Time Passwords and Restricted Delegation (diagram; labels: User, OTP, GridLogon, Grid Identity, Restricted Delegation (three hops), pkinit, KRB5 Resources, Map to local name, Local Policy)
GSI Implementation (diagram; labels: Virtual Organization with Users and Services (running on user's behalf), Rights / Rights' / Rights'', Access to Compute Centers; mechanisms: CAS or VOMS issuing SAML or X.509 ACs, SSL/WS-Security with Proxy Certificates, Authz Callout with Local Policy on VO identity or attribute authority, KCA, GridLogon)
Grid Evolution: Open Grid Services Architecture Goals
Refactor Globus protocol suite to enable common base and expose key capabilities
Service orientation to virtualize resources and unify resources/services/information
Embrace key Web services technologies for standard IDL, leverage commercial efforts
Result = standard interfaces & behaviors for distributed system management built on Web services
Standardization within Global Grid Forum and OASIS
Open source & commercial implementations
OGSA Security Services (diagram; a Requestor Application and a Service Provider Application communicate through WS-Stubs over a Secure Conversation; the Requestor's Domain, the Service Provider's Domain and the VO Domain host Credential Validation, Authorization, Attribute and Trust Services, with Audit/Secure-Logging and Privacy Services and a Bridge/Translation Service also shown)
Conclusion
The Globus Toolkit is sophisticated, secure middleware
De-facto standard for Grid applications
Multiple AuthN-mechanism support
Plus “translation” services
Secure Delegation of Rights support
through use of proxy-certificate
Next generation GT based on Web Services
Standardized in Global Grid Forum & OASIS
Globus Toolkit provides a working, evolving implementation for “secure” Grid protocols
Downloaded 100k+ times already (www.globus.org)