A AAAA Model to Support Science Gateways with Community Accounts GGF-14 Science Gateways Workshop June 28, 2005 Von Welch, James Barlow, James Basney, Doru Marcusiu
A AAAA Model to Support Science Gateways with Community Accounts

GGF-14 Science Gateways Workshop
June 28, 2005

Von Welch, James Barlow, James Basney, Doru Marcusiu

6/28/2005 2GSI Credential Management AAAA Science Gateway Model

AAAA Model

• Authentication
• Authorization
• Auditing
• Accounting

Outline

• Motivation
  – Traditional AAAA Computing Model
• Proposed AAAA Model
• Current work and Future Challenges

Traditional AAAA Model

• All users have accounts at each site/resource
  – NxN matrix
• Users access resources through low-level interfaces
  – E.g. Unix shells, FTP sessions
• Resource takes care of all the A’s

Traditional HPC Usage

[Diagram: a shell-session panel ("% ls", "% foo") with the labels AuthN, OS (Authz), Audit and Accounting]

Traditional HPC Usage

[Diagram: five shell-session panels ("% ls", "% foo")]

Motivation

• Shell-level access to resources is great for power users, but has a steep learning curve
  – Many Science Gateway (SG) users just need a domain-specific interface, e.g. they are not developing or deploying application codes
• Each resource/site has to maintain state about every user
  – Scalability problems for large/dynamic user communities
• No abstraction - users must adapt to all changes in resources

Our AAAA Model

• SG acts as an interface between the community and its resources
• Much like a traditional ‘Grid Portal’, it provides a domain-specific interface
• However, unlike portals, it exists as a trusted entity in its own right, allowing the resource to “outsource” AAAA functionality to the SG
• Resource runs all commands in a community account, which constrains what the community can do - the account can be constrained to a few community applications

Conceptual Model

[Diagram: three shell-session panels ("% ls", "% foo")]

Goals of Model

• Model is primarily about how one splits the AAAA responsibility between the SG and the resource
• In general, resource must trust the SG to some degree to provide this functionality in exchange for offload of effort

Authentication and Authorization

• Two Modes: Simple and Authorization Credential
• Both allow SG to manage user community
• The Authorization Credential mode is more complex to deploy, but provides more information to resource

Simple Auth[nz] Model

[Diagram: a shell-session panel ("% ls", "% foo") with the label Authn]

• Authentication becomes the role of the SG
  – Users known only to the SG
• Resource trusts SG to do authentication
• SG authenticates to resource with its own credential
• Portal enforces authorization by constraining what actions user can perform

Authz Credential Model

[Diagram: a shell-session panel ("% ls", "% foo") with the labels Authn and Authz Cred]

• Authentication still role of the SG
  – Users known only to the SG
• SG augments user credentials with authz credentials
  – E.g. CAS, GAMA, Shibboleth, IU LEAD work
• Resource trusts SG to do authentication and trusts authz credentials from SG
  – Doesn’t know user, but trusts what SG says about user
• Resource knows user “identifier” (may not be that useful, more later)
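
An added sketch of the resource-side check in this mode (not from the original slides): the gateway issues a credential stating what an authenticated user may run, and the resource verifies it without knowing the user. The HMAC shared key, the JSON claim names, the application paths and both function names are assumptions; systems such as CAS or Shibboleth use public-key signed assertions instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the SG and the resource share this key. HMAC stands in for the
# signed assertions of real authz credential systems to stay stdlib-only.
SG_KEY = b"constructed-demo-key"
# Applications the community account is restricted to (constructed paths).
COMMUNITY_APPS = {"/opt/community/bin/chem_sim",
                  "/opt/community/bin/chem_post"}


def issue_authz_credential(user_id, apps, lifetime_s, now=None):
    """Gateway side: assert what an already-authenticated user may run."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": user_id, "apps": sorted(apps),
                       "exp": now + lifetime_s}, sort_keys=True).encode()
    tag = hmac.new(SG_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


def resource_authorize(credential, requested_app, now=None):
    """Resource side: returns (allowed, user_identifier, reason)."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = credential.split(".")
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:
        return (False, None, "malformed credential")
    expected = hmac.new(SG_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return (False, None, "not issued by the gateway")
    claims = json.loads(body)
    user = claims["sub"]  # opaque identifier, recorded for audit and accounting
    if now >= claims["exp"]:
        return (False, user, "credential expired")
    if requested_app not in COMMUNITY_APPS:
        return (False, user, "outside community account restrictions")
    if requested_app not in claims["apps"]:
        return (False, user, "gateway did not grant this application")
    return (True, user, "ok")
```

The resource applies its own community-account restriction before the gateway's grant, so a gateway mistake cannot widen what the account may run.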

Auditing Model

[Diagram: a shell-session panel ("% ls", "% foo") with the label Auditing]

• Site still keeps details of what each job does
• Site may want to contact user
  – Suspicious activity, job running amuck
• SG is only way to map a particular job to a user
• SG has all the contact information for the user
• Resource may know user identifier, but needs contact information that is only in SG user database

Accounting Model

[Diagram: a shell-session panel ("% ls", "% foo") with the label Accounting]

• Site has all the details of what resources each job consumes
  – May know user who launched them (in authz cred mode)
• SG needs this information
  – For reporting, authorization, catching mistakes
• Need a mechanism to allow resource to report back to SG regularly
  – And allow SG to map usage back to a job and back to a user

Outstanding Challenges

• How to identify a job between SG and resource?
  – “/bin/foo run at 15:38:13 (my time)” not very accurate
• Standard template for resource/SG agreement
  – Akin to certificate policy
• Acceptance of group accounts
  – Convince folks it’s ok to outsource
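
An added example (not part of the original slides) for the auditing and accounting slides and the job-identification challenge above: the gateway tags every submission with a unique identifier so that resource usage reports and site audit queries map back to a user, and it shows why matching on command and time is ambiguous. The GatewayLedger class, the record fields and the user names are hypothetical.

```python
import uuid
from collections import defaultdict


class GatewayLedger:
    """Gateway-side record tying each submitted job to the user behind it."""

    def __init__(self):
        self.jobs = {}  # job_tag -> submission record

    def submit(self, user, command, sg_time):
        tag = "sg-" + uuid.uuid4().hex  # unique tag passed along with the job
        self.jobs[tag] = {"user": user, "command": command, "sg_time": sg_time}
        return tag

    def match_by_time(self, command, resource_time, skew_s=5):
        """The fallback the slide calls inaccurate: command plus rough time."""
        return sorted({j["user"] for j in self.jobs.values()
                       if j["command"] == command
                       and abs(j["sg_time"] - resource_time) <= skew_s})

    def who_ran(self, job_tag):
        """Auditing: the site asks the gateway who is behind a job."""
        job = self.jobs.get(job_tag)
        return job["user"] if job else None

    def attribute_usage(self, usage_records):
        """Accounting: fold resource-reported usage back onto gateway users."""
        per_user, unmatched = defaultdict(float), []
        for rec in usage_records:
            job = self.jobs.get(rec.get("job_tag"))
            if job is None:
                unmatched.append(rec)  # ran in the community account, unknown to SG
            else:
                per_user[job["user"]] += rec["cpu_hours"]
        return dict(per_user), unmatched


def demo():
    ledger = GatewayLedger()
    t1 = ledger.submit("alice", "/bin/foo", sg_time=56293)  # 15:38:13 gateway clock
    t2 = ledger.submit("bob", "/bin/foo", sg_time=56295)
    report = [  # constructed usage records, as a resource might report them
        {"job_tag": t1, "cpu_hours": 2.5}, {"job_tag": t2, "cpu_hours": 1.0},
        {"job_tag": t1, "cpu_hours": 0.5}, {"job_tag": None, "cpu_hours": 9.0},
    ]
    usage, unmatched = ledger.attribute_usage(report)
    return ledger.match_by_time("/bin/foo", 56294), usage, unmatched, ledger.who_ran(t2)
```

Usage that arrives without a known tag is kept in the unmatched list rather than dropped, since it is activity in the community account that the gateway cannot attribute to anyone.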

Outstanding Challenges (cont)

• Restricted accounts
  – Cookbook to restrict account to certain applications
• Sandboxing of users from each other
• Community administrators
  – Those who set up group account

The obligatory last slide…

• NCSA is working on real-world deployment with GridChem community
• Acknowledgements to the TeraGrid Science Gateway RAT and all the interviewed Portals
• Complaints to [email protected]