Grid Security Infrastructure
Globus Toolkit™ Developer Tutorial
The Globus Project™Argonne National Laboratory
USC Information Sciences Institute
http://www.globus.org/
Copyright (c) 2002 University of Chicago and The University of Southern California. All Rights Reserved. This presentation is licensed for use under the terms of the Globus Toolkit Public License. See http://www.globus.org/toolkit/download/license.html for the full text of this license.
April 18, 2023 29Globus Toolkit™ Developer Tutorial: Security
Example: Secure Remote Startup
[Figure: the client (key, cert) talks to the gatekeeper (key, cert) on the remote host; the gatekeeper consults the grid-mapfile (map) and its services table, then starts the jobmanager, which runs with its own delegated key and cert]
1. Exchange certificates, authenticate, delegate
2. Check gridmap file
3. Lookup service
4. Run service program (e.g. jobmanager)
Simple job submission
globus-job-run provides a simple RSH-compatible interface:
    % grid-proxy-init
    Enter PEM pass phrase: *****
    % globus-job-run host program [args]
Job submission will be covered in more detail later
Delegation
Delegation = remote creation of a (second-level) proxy credential
– New key pair generated remotely on the server
– Unsigned proxy cert and its public key sent to the client
– Client signs the proxy cert with its own proxy key and returns it
– Server (usually) puts the proxy in /tmp
Allows a remote process to authenticate on behalf of the user
– Remote process “impersonates” the user
Limited Proxy
During delegation, the client can elect to delegate only a “limited proxy”, rather than a “full” proxy
– GRAM (job submission) client does this
Each service decides whether it will allow authentication with a limited proxy
– Job manager service requires a full proxy
– GridFTP server allows either full or limited proxy to be used
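The checks a GSI service makes when it receives a delegated credential, covering the delegation, limited-proxy and grid-mapfile slides above, as an added example that is not code from the Globus Toolkit. It models the GT2 proxy naming rule (a proxy's subject is its issuer's subject plus "/CN=proxy" or "/CN=limited proxy"), the rule that a limited proxy anywhere in the chain makes the whole credential limited, the nesting of validity periods, and the grid-mapfile lookup. The DNs, CA name, times and the `ALLOWS_LIMITED` table are assumptions for the example; signatures are assumed already verified so it runs offline (a real implementation checks every one).

```python
"""Added example, not Globus Toolkit code: the proxy-chain and grid-mapfile checks a
GSI service makes before running a job (steps 1-2 of the gatekeeper slide), modelled
on the GT2 proxy naming rule that a proxy's subject is its issuer's subject plus
"/CN=proxy" or "/CN=limited proxy". Signatures are assumed already verified (a real
implementation checks every one) so the example runs offline."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import shlex


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


# From the tutorial: the job manager requires a full proxy, GridFTP accepts either.
ALLOWS_LIMITED = {"jobmanager": False, "gridftp": True}
PROXY_CNS = ("/CN=proxy", "/CN=limited proxy")


def validate_chain(chain, now):
    """chain[0] is the user's certificate, chain[-1] the proxy presented.
    Returns (user_dn, limited); raises ValueError on a malformed chain."""
    user = chain[0]
    if user.subject.endswith(PROXY_CNS):
        raise ValueError("chain must start at the user certificate, not a proxy")
    limited, parent = False, user
    for cert in chain:
        if not cert.not_before <= now <= cert.not_after:
            raise ValueError(f"{cert.subject} is not valid at {now.isoformat()}")
        if cert is user:
            continue
        if cert.issuer != parent.subject or not cert.subject.startswith(parent.subject):
            raise ValueError(f"{cert.subject} was not issued by {parent.subject}")
        tail = cert.subject[len(parent.subject):]
        if tail == "/CN=limited proxy":
            limited = True  # sticky: everything delegated below a limited proxy is limited
        elif tail != "/CN=proxy":
            raise ValueError(f"bad proxy subject {cert.subject!r}")
        if cert.not_before < parent.not_before or cert.not_after > parent.not_after:
            raise ValueError(f"{cert.subject} outlives its issuer")
        parent = cert
    return user.subject, limited


def parse_gridmap(text):
    """grid-mapfile format: one '"<DN>" user1,user2' entry per line, '#' comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            dn, users = shlex.split(line)
            mapping[dn] = users.split(",")
    return mapping


def authorize(chain, gridmap, service, now):
    """Gatekeeper steps 1-2: validate the proxy chain, apply the service's limited-proxy
    policy, then map the user DN to a local account. Returns the account name."""
    user_dn, limited = validate_chain(chain, now)
    if limited and not ALLOWS_LIMITED[service]:
        raise PermissionError(f"{service} requires a full proxy")
    if user_dn not in gridmap:
        raise PermissionError(f"no grid-mapfile entry for {user_dn}")
    return gridmap[user_dn][0]


# Constructed sample data: hypothetical DNs, CA and times.
NOW = datetime(2002, 4, 18, 12, 0, tzinfo=timezone.utc)
USER_DN = "/O=Grid/O=Globus/OU=isi.edu/CN=Jane Doe"
GRIDMAP = parse_gridmap(f'# constructed grid-mapfile\n"{USER_DN}" jdoe,jane\n')


def make_chain(delegate_limited):
    """User cert -> proxy from grid-proxy-init -> proxy delegated to the server.
    A GRAM client delegates a limited proxy; a full delegation is the other case."""
    user = Cert(USER_DN, "/O=Grid/O=Globus/CN=Globus CA",
                NOW - timedelta(days=100), NOW + timedelta(days=265))
    proxy = Cert(user.subject + "/CN=proxy", user.subject,
                 NOW - timedelta(minutes=5), NOW + timedelta(hours=12))
    cn = "/CN=limited proxy" if delegate_limited else "/CN=proxy"
    delegated = Cert(proxy.subject + cn, proxy.subject, NOW, NOW + timedelta(hours=11))
    return [user, proxy, delegated]
```

`authorize(make_chain(True), GRIDMAP, "jobmanager", NOW)` raises, because the GRAM client's limited delegation cannot start a job manager, while the same chain is accepted for `"gridftp"`; a delegated proxy whose `not_after` exceeds its issuer's is rejected before the grid-mapfile is consulted.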
Restricted Proxies
A generalization of the simple limited proxies
– Desirable to have fine-grained restrictions
– Reduces exposure from compromised proxies
Embed restriction policy in proxy cert
– Policy is evaluated by resource upon proxy use
– Reduces rights available to the proxy to a subset of those held by the user
> A proxy no longer grants full impersonation rights
– Extensible to support any policy language
Will be in future version > GT 2.0
Exercise: Sign-On & Remote Process Creation
Use grid-cert-info to examine your cert:
    % grid-cert-info -all
Use grid-proxy-init to create a proxy certificate:
    % grid-proxy-init
    Enter PEM pass phrase:
    ......................................+++++.....+++++
Use grid-proxy-info to query proxy:
    % grid-proxy-info -subject
Use globus-job-run to start remote programs:
    % globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp
Generic Security Service API
The GSS-API is the IETF standard (RFC 2743) for adding authentication, delegation, message integrity, and message confidentiality to apps
– For secure communication between two parties over a reliable channel (e.g. TCP)
GSS-API separates security from communication, which allows security to be easily added to existing communication code.
– Filters on each end of the communications link
GSS-API extensions defined in GGF draft
Globus Toolkit components all use GSS-API
gss_acquire_cred()
Loads security credentials into the program
– User proxy certificate and private key are loaded at this point
gss_release_cred()
Removes security credentials from the program
– User proxy certificate and private key remain on disk for later use
gss_inquire_cred()
Extract information (e.g. the subject name) from a credential
gss_inquire_cred_by_oid()
Extract information associated with an OID from a credential (e.g. information in certificate extensions)
Will be in future version > GT 2.0
gss_export_cred()
Export a credential either to an opaque buffer or to a file
New in GT 2.0
gss_import_cred()
Import a credential in either one of the formats used by gss_export_cred
New in GT 2.0
gss_init_sec_context() / gss_accept_sec_context()
Establish a security context between two processes
– Tokens are fed into and out of these routines
– Application can pass tokens between processes in any way desired
– One side calls init, the other accept

Initiator:
    while (!done) {
        gss_init_sec_context(in_t, &out_t, &done);
        if (out_t) send(out_t);
        if (!done) receive(&in_t);
    }

Acceptor:
    while (!done) {
        receive(&in_t);
        gss_accept_sec_context(in_t, &out_t, &done);
        if (out_t) send(out_t);
    }
gss_delete_sec_context()
Discard a security context
gss_context_time()
Determine how long a context will remain valid
gss_inquire_context()
Extract information (e.g. the target subject name) from a security context
gss_inquire_sec_context_by_oid()
Extract information associated with an OID from a security context (e.g. information in certificate extensions)
Will be in future version > GT 2.0
gss_export_context()
Export a security context to an opaque buffer
gss_import_context()
Import an opaque buffer containing a security context exported by gss_export_context
gss_set_sec_context_option()
Set options on a security context prior to establishing it
Will be in future version > GT 2.0
gss_wrap_size_limit()
Given a maximum output token size, returns the largest input message gss_wrap() can protect without exceeding it
gss_wrap() / gss_unwrap()
gss_wrap()
– consumes a user input buffer
– performs cryptographic checksum and/or encryption on it
– produces a token, which the application sends
gss_unwrap()
– consumes a token produced by gss_wrap()
– decrypts and/or verifies the checksum
– produces a user output buffer
gss_get_mic() / gss_verify_mic()
gss_get_mic()
– Produces a cryptographic checksum on a user input buffer
gss_verify_mic()
– Verifies a cryptographic checksum on a user buffer
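The calling pattern from the gss_init_sec_context()/gss_accept_sec_context() slide, together with the wrap/unwrap and get_mic/verify_mic slides, driven end to end, as an added example that is not code from the Globus Toolkit or the GSS-API. The two loops are the slide's loops, with the "send/receive" calls replaced by a pair of in-memory queues; the security mechanism behind them is a hypothetical pre-shared-key challenge-response built on HMAC-SHA256 (an assumption made so the example runs offline), standing in for GSI's certificate exchange. The token format, the `PskContext` class and the `establish()` driver are assumptions of the example, not GSS-API names.

```python
"""Added example, not Globus Toolkit code: the GSS-API context-establishment loop
from the gss_init_sec_context/gss_accept_sec_context slide plus wrap/unwrap and
get_mic/verify_mic, run over an in-memory channel. The mechanism is a hypothetical
pre-shared-key challenge-response (HMAC-SHA256) standing in for GSI's certificate exchange."""
import hashlib
import hmac
import os
import queue
import struct
import threading

COMPLETE, CONTINUE_NEEDED = True, False  # stand-ins for GSS_S_COMPLETE / GSS_S_CONTINUE_NEEDED
NONCE, MAC = 16, 32


def _mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class PskContext:
    # One side of a context: each *_sec_context call consumes one token and may emit one.
    def __init__(self, psk, initiator):
        self.psk, self.initiator = psk, initiator
        self.nonce_c = self.nonce_s = self.session_key = None
        self.send_seq = self.recv_seq = 0

    def init_sec_context(self, in_token):
        if self.nonce_c is None:  # first call: no input token yet
            self.nonce_c = os.urandom(NONCE)
            return CONTINUE_NEEDED, b"C" + self.nonce_c
        self.nonce_s, proof = in_token[1:1 + NONCE], in_token[1 + NONCE:]
        if in_token[:1] != b"S" or not hmac.compare_digest(
                proof, _mac(self.psk, b"srv", self.nonce_c, self.nonce_s)):
            raise PermissionError("acceptor failed to authenticate")
        self.session_key = _mac(self.psk, b"session", self.nonce_c, self.nonce_s)
        # Our proof is the last token: done is True, so the loop sends it and receives nothing.
        return COMPLETE, b"P" + _mac(self.psk, b"cli", self.nonce_c, self.nonce_s)

    def accept_sec_context(self, in_token):
        if in_token[:1] == b"C" and self.nonce_c is None:
            self.nonce_c, self.nonce_s = in_token[1:], os.urandom(NONCE)
            return CONTINUE_NEEDED, b"S" + self.nonce_s + _mac(self.psk, b"srv", self.nonce_c, self.nonce_s)
        if in_token[:1] == b"P" and self.nonce_s is not None:
            if not hmac.compare_digest(in_token[1:], _mac(self.psk, b"cli", self.nonce_c, self.nonce_s)):
                raise PermissionError("initiator failed to authenticate")
            self.session_key = _mac(self.psk, b"session", self.nonce_c, self.nonce_s)
            return COMPLETE, None  # done, and nothing left to send
        raise ValueError("unexpected token")

    # Per-message protection, usable once session_key exists. The direction tag stops a
    # token captured in one direction from being replayed in the other.
    def _dir(self, sending):
        return b"I" if self.initiator == sending else b"A"

    def get_mic(self, msg):
        return _mac(self.session_key, b"mic", self._dir(True), msg)

    def verify_mic(self, msg, mic):
        return hmac.compare_digest(mic, _mac(self.session_key, b"mic", self._dir(False), msg))

    def wrap(self, msg):
        """Integrity-only wrap (conf_req == 0): sequence number + MAC, no encryption."""
        seq, self.send_seq = struct.pack(">Q", self.send_seq), self.send_seq + 1
        return seq + msg + _mac(self.session_key, b"wrap", self._dir(True), seq, msg)

    def unwrap(self, token):
        seq, msg, mac = token[:8], token[8:-MAC], token[-MAC:]
        if not hmac.compare_digest(mac, _mac(self.session_key, b"wrap", self._dir(False), seq, msg)):
            raise PermissionError("wrap token failed integrity check")
        if struct.unpack(">Q", seq)[0] != self.recv_seq:
            raise PermissionError("replayed or out-of-order token")
        self.recv_seq += 1
        return msg


# The two loops from the slide, one per side; the "channel" is a pair of queues.
def initiator_loop(ctx, inbox, outbox):
    in_t, done = None, False
    while not done:
        done, out_t = ctx.init_sec_context(in_t)
        if out_t:
            outbox.put(out_t)
        if not done:
            in_t = inbox.get()


def acceptor_loop(ctx, inbox, outbox):
    done = False
    while not done:
        in_t = inbox.get()
        done, out_t = ctx.accept_sec_context(in_t)
        if out_t:
            outbox.put(out_t)


def establish(psk):
    """Run both sides to completion; returns the (initiator, acceptor) contexts."""
    to_acceptor, to_initiator = queue.Queue(), queue.Queue()
    client, server = PskContext(psk, True), PskContext(psk, False)
    t = threading.Thread(target=acceptor_loop, args=(server, to_acceptor, to_initiator), daemon=True)
    t.start()
    initiator_loop(client, to_initiator, to_acceptor)
    t.join()
    return client, server
```

After `client, server = establish(key)` the client can `wrap()` a request that the server `unwrap()`s, and the server can `get_mic()` a reply that the client `verify_mic()`s. Two details the slide's loop leaves implicit are visible here: the initiator's final call returns done together with an output token, so the token is still sent but nothing is received, while the acceptor's final call returns done with no token; and `unwrap()` enforces a per-direction sequence number, so a wrap token replayed to the same side, or reflected back to its producer, is rejected rather than silently accepted.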
gss_import_name()
Import a subject name into GSS
gss_export_name()
Export a GSS name into a buffer
gss_display_name()
Convert GSS name to text
gss_compare_name()
Compare two GSS names
gss_release_name()
Discard a GSS name
gss_add_oid_set_member()
Add an OID to an OID set
gss_test_oid_set_member()
Checks whether an OID is in an OID set
gss_create_empty_oid_set()
Creates an empty OID set
gss_release_oid_set()
Discard an OID set
gss_indicate_mech()
Determine available underlying security mechanisms
gss_release_buffer()
Discard a GSS buffer
gss_release_buffer_set()
Discard a GSS buffer set
Will be in future version > GT 2.0
gss_init_delegation() / gss_accept_delegation()
Delegate a credential and optionally add restrictions to the delegated credential
– One side calls init, the other accept
> Can be in either direction, relative to gss_{init,accept}_sec_context()
– Tokens are fed into and come out of these routines
> Similar use to gss_{init,accept}_sec_context()
– It is up to the application to pass the tokens from one function to the other
– Will be in future version > GT 2.0
GSSAPI exercises
Go to the “gssapi” subdirectory
Documentation
– http://www.globus.org/security
Follow instructions in the file README
What’s Wrong with GSS-API
The GSS-API works, but it is not pretty!
– GSS-API accomplishes its goal of providing an API that is independent of any specific security implementation, or communication mechanism
– Same application can use either Globus Toolkit GSS-API or Kerberos 5 GSS-API with almost no change
– It has rich feature support
– But it is not easy to use
globus_gss_assist
The globus_gss_assist module is a Globus Toolkit specific wrapper around GSS-API which makes it easier to use
– Hides some of the gross details of GSS-API
– Conforms to Globus Toolkit conventions
– Still maintains separation from communication method
globus_io and security
For even easier security integration with socket code, use the globus_io module
– Simple to add authentication and authorization to TCP socket code
– But loses the separation of security from communication method
Will be discussed more later...
Authorization
GSI handles authentication, but authorization is a separate issue
Authorization issues:
– Management of authorization on a multi-organization grid is still an interesting problem.
– The grid-mapfile doesn’t scale well, and works only at the resource level, not the collective level.
– Large communities that share resources exacerbate authorization issues, which has led us to CAS…
Security Summary
Programs for credential management
– grid-cert-info, grid-proxy-init, grid-proxy-destroy, grid-proxy-info
GSS-API: The Globus Toolkit Grid Security Infrastructure (GSI) uses this API, which allows programs to easily add security
globus_gss_assist: This is a simple wrapper around GSS-API, making it easier to use