The VOMS Attribute Authority and its relation with Shibboleth
Presenter: Vincenzo Ciaschini, 8th TF-EMC2 Meeting, Firenze, March 2007

Dec 16, 2015
Transcript
Page 1:

The VOMS Attribute Authority and its relation with Shibboleth

Presenter: Vincenzo Ciaschini
8th TF-EMC2 Meeting
Firenze, March 2007

Page 2:

What is VOMS

VOMS is…
An Attribute Authority.
A VO Management System.
A source of trust for authorization.

VOMS is not…
A policy system.
An AuthN/AuthZ framework.

Page 3:

VOMS: The problem

In a grid environment, VOs tend to be extremely large and to change frequently: hundreds or even thousands of users.

Sites need to know the users because they have to prepare local accounts and eventually apply authorization policies.

It is not scalable to manage them by hand.

Page 4:

VOMS: The solution

Organize users into groups and grant them roles. This allows for full RBAC authorization.

Also adds other general-purpose attributes.

Page 5:

Who uses VOMS?

EGEE: 10 VOs, 2 servers

INFN Grid: 15 VOs, 2 servers

OSG: 29 VOs, ? servers

Page 6:

VOMS Architecture

(architecture diagram; labels recovered from the slide: VOMS DB, VOMS-ADMIN, two connections marked Secure)

Page 7:

What is VOMS-Admin?

A web application that manages the contents of the VOMS database.

Used by VO Administrators mainly to add/remove users to the VO, put them in VOMS groups, assign VOMS roles to them.

Provides a WSDL interface to its functions.
Has a command line client.
Has a web-based user interface.

Page 8:

VOMS-Admin architecture

Page 9:

What is VOMSd

VOMSd is the component which listens for user requests and creates Attribute Certificates. All communication is secured and mutually authenticated. Allows high customization of ACs: which roles to present, validity length, targeting, etc.

Page 10:

VOMSd Architecture

(architecture diagram; labels recovered from the slide: VOMSd, DB BACKEND, DB INTERFACE, I/O INTERFACE, Internal Logic)

Page 11:

VOMS data format

Attributes (groups, roles, general purpose) returned by VOMS are inserted into an RFC 3281 compliant Attribute Certificate. The exact profile is described here:

https://forge.gridforum.org/sf/go/doc13797?nav=1

ACs are the natural choice in an X.509 world, and the grid is an X.509 world.

The provided clients insert the AC in a non-critical extension of the user proxy. This gives immediate compatibility with non-VOMS aware software: a relying party that does not understand the extension ignores it instead of rejecting the proxy.

Page 12:

What is a proxy?

A proxy is a short-lived certificate whose issuer is a user certificate (it is signed with the user's private key, not with a CA's). Standardized in RFC 3820. Commonly used throughout the grid for authentication and authorization purposes.
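To make the proxy definition concrete, here is an added example (not VOMS or Globus code) that builds a CA -> user -> proxy chain with the openssl command-line tool and path-validates it the way RFC 3820 requires: the proxy is signed by the user's key, its subject is the user's DN plus one CN, and it carries the proxyCertInfo extension. It assumes an `openssl` binary (1.1.1 or newer) on PATH; the DNs, file names and the `build_chain`/`verify_proxy`/`proxy_chain_demo` helpers are constructed for the demo.

```python
"""Build and verify an RFC 3820 proxy certificate chain with the openssl CLI.

Added example (not VOMS/Globus code). Assumes `openssl` 1.1.1+ on PATH.
Every DN, file name and helper below is constructed for the demo.
"""
import os
import subprocess
import tempfile

# Constructed DNs. RFC 3820 requires the proxy's subject to be the issuer's
# (the user's) subject plus exactly one extra CN component.
USER_DN = "/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Alice Example"
PROXY_DN = USER_DN + "/CN=proxy"

# Extensions for the end-entity user cert and for the proxy.
# proxyCertInfo is the RFC 3820 extension that marks a cert as a proxy.
EXT_CONFIG = """
[user]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment

[proxy]
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:AB
"""


def _openssl(*args, cwd):
    return subprocess.run(["openssl", *args], cwd=cwd,
                          capture_output=True, text=True)


def _openssl_ok(*args, cwd):
    res = _openssl(*args, cwd=cwd)
    if res.returncode != 0:
        raise RuntimeError("openssl %s failed: %s" % (args[0], res.stderr))
    return res


def build_chain(workdir):
    """Write ca.pem, user.pem (signed by the CA) and proxy.pem (signed by the USER)."""
    cfg = os.path.join(workdir, "ext.cnf")
    with open(cfg, "w") as f:
        f.write(EXT_CONFIG)
    # 1. Throw-away CA (with the default config, req -x509 marks it CA:TRUE).
    _openssl_ok("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                "-subj", "/C=IT/O=INFN/CN=Demo CA",
                "-keyout", "ca.key", "-out", "ca.pem", cwd=workdir)
    # 2. End-entity certificate for the user, issued by the CA.
    _openssl_ok("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", USER_DN,
                "-keyout", "user.key", "-out", "user.csr", cwd=workdir)
    _openssl_ok("x509", "-req", "-days", "1", "-in", "user.csr",
                "-CA", "ca.pem", "-CAkey", "ca.key", "-CAcreateserial",
                "-extfile", cfg, "-extensions", "user", "-out", "user.pem", cwd=workdir)
    # 3. The proxy: a fresh key pair, subject = user DN + CN=proxy, signed with
    #    the USER's private key, not the CA's. Real proxies live hours, not days;
    #    `x509 -req` only accepts whole days, so 1 day is used here.
    _openssl_ok("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", PROXY_DN,
                "-keyout", "proxy.key", "-out", "proxy.csr", cwd=workdir)
    _openssl_ok("x509", "-req", "-days", "1", "-in", "proxy.csr",
                "-CA", "user.pem", "-CAkey", "user.key", "-CAcreateserial",
                "-extfile", cfg, "-extensions", "proxy", "-out", "proxy.pem", cwd=workdir)


def _name(pemfile, field, cwd):
    # -nameopt RFC2253 prints a canonical one-line DN, so two DNs can be compared as strings.
    out = _openssl_ok("x509", "-noout", "-" + field, "-nameopt", "RFC2253",
                      "-in", pemfile, cwd=cwd).stdout
    return out.split("=", 1)[1].strip()


def proxy_issued_by_user(workdir):
    """True when proxy.pem's issuer DN is exactly user.pem's subject DN."""
    return _name("proxy.pem", "issuer", workdir) == _name("user.pem", "subject", workdir)


def verify_proxy(workdir, allow_proxy_certs):
    """Path-validate proxy.pem -> user.pem -> ca.pem with `openssl verify`.

    Without -allow_proxy_certs a standard validator rejects the chain (the leaf
    is issued by a non-CA certificate); with it, the RFC 3820 rules are applied.
    """
    args = ["verify"]
    if allow_proxy_certs:
        args.append("-allow_proxy_certs")
    args += ["-CAfile", "ca.pem", "-untrusted", "user.pem", "proxy.pem"]
    return _openssl(*args, cwd=workdir).returncode == 0


def proxy_chain_demo():
    """Build the chain in a scratch directory and report the three checks."""
    with tempfile.TemporaryDirectory() as d:
        build_chain(d)
        return {
            "proxy_issued_by_user": proxy_issued_by_user(d),
            "verify_with_allow_proxy_certs": verify_proxy(d, True),
            "verify_default": verify_proxy(d, False),
        }


if __name__ == "__main__":
    print(proxy_chain_demo())
```

The point of the two verify calls is the caveat a relying party has to know: a proxy chain is only valid to software that has been told to accept proxies; everything else sees an end-entity certificate acting as an issuer and fails the chain.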

Page 13:

VOMS clients

The clients provided are command-line based, but APIs are available in C, C++ and Java.

You could write your own client.

Page 14:

Example of data:

[marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u502
timeleft  : 11:59:58
=== VO valerio extension information ===
VO        : valerio
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it
attribute : /valerio/Role=NULL/Capability=NULL
attribute : /valerio/asdasd/Role=NULL/Capability=NULL
attribute : /valerio/qwerty/Role=NULL/Capability=NULL
attribute : attributeOne = 111 (valerio)
attribute : attributeTwo = 222 (valerio)
timeleft  : 11:59:58

Highlighted field: Proxy’s Subject (the first subject line: the user's DN with /CN=proxy appended)
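The groups-and-roles model from "VOMS: The solution" and the voms-proxy-info output above meet on the site side as an FQAN-based authorization check. The following added example (not VOMS code) parses the output shown above into a structure and makes an RBAC decision from it: trust the AC signer first, then check holder and freshness, then match the FQAN. The sample output is reproduced from the slide; the trusted-issuer table, the policy and all helper names are constructed for the demo. Note that this parses the tool's text output, not the AC itself; a real site-side check reads the AC from the proxy extension and verifies its signature, which is what the VOMS C/C++/Java APIs do.

```python
"""Parse `voms-proxy-info --all` output and make an FQAN-based RBAC decision.

Added example, not VOMS code. SAMPLE_OUTPUT reproduces the slide's output;
the policy, the trusted-issuer table and all helper names are constructed.
"""
import re

SAMPLE_OUTPUT = """\
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u502
timeleft  : 11:59:58
=== VO valerio extension information ===
VO        : valerio
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it
attribute : /valerio/Role=NULL/Capability=NULL
attribute : /valerio/asdasd/Role=NULL/Capability=NULL
attribute : /valerio/qwerty/Role=NULL/Capability=NULL
attribute : attributeOne = 111 (valerio)
attribute : attributeTwo = 222 (valerio)
timeleft  : 11:59:58
"""

# Constructed: the host certificates a site trusts to sign ACs for each VO.
TRUSTED_VOMS_ISSUERS = {
    "valerio": {"/C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it"},
}

KV_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")
VO_HDR_RE = re.compile(r"^=== VO (\S+) extension information ===$")
# FQAN: /vo[/subgroup...]/Role=<role>/Capability=<cap>
FQAN_RE = re.compile(r"^(?P<group>(?:/[^/=]+)+)/Role=(?P<role>[^/]+)/Capability=(?P<cap>[^/]+)$")
GENERIC_RE = re.compile(r"^(\w+)\s*=\s*(.*?)\s*\((\w+)\)$")


def parse_fqan(fqan):
    """'/vo/group/Role=r/Capability=c' -> (group, role, capability); NULL -> None."""
    m = FQAN_RE.match(fqan)
    if not m:
        raise ValueError("not an FQAN: %r" % fqan)

    def null(v):
        return None if v == "NULL" else v

    return m.group("group"), null(m.group("role")), null(m.group("cap"))


def timeleft_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_voms_proxy_info(text):
    """Return {'proxy': {field: value}, 'vos': [{'vo', 'subject', 'issuer', 'fqans', 'generic', 'timeleft'}]}."""
    info = {"proxy": {}, "vos": []}
    current = info["proxy"]
    for line in text.splitlines():
        hdr = VO_HDR_RE.match(line.strip())
        if hdr:                      # start of one VO's AC section
            current = {"vo": hdr.group(1), "fqans": [], "generic": {}}
            info["vos"].append(current)
            continue
        kv = KV_RE.match(line.strip())
        if not kv:
            continue                 # prompt line, blank line, anything unknown
        key, value = kv.group(1), kv.group(2).strip()
        if key != "attribute":
            current[key] = value
            continue
        g = GENERIC_RE.match(value)
        if g:                        # generic attribute "name = value (vo)"
            current["generic"][g.group(1)] = g.group(2)
        else:                        # group/role membership as an FQAN
            current["fqans"].append(value)
    return info


def authorize(info, required_group, required_role=None, trusted_issuers=TRUSTED_VOMS_ISSUERS):
    """Site-side check: does the holder belong to required_group with required_role?

    Returns (allowed, reason). A Role=NULL FQAN asserts membership only, so a
    policy that demands a role is not satisfied by it.
    """
    vo = required_group.split("/")[1]
    acs = [ac for ac in info["vos"] if ac["vo"] == vo]
    if not acs:
        return False, "no AC for VO %s in proxy" % vo
    ac = acs[0]
    if ac.get("issuer") not in trusted_issuers.get(vo, set()):
        return False, "AC issuer %r is not a trusted VOMS server for %s" % (ac.get("issuer"), vo)
    if ac.get("subject") != info["proxy"].get("identity"):
        return False, "AC holder does not match the proxy's identity"
    if timeleft_seconds(ac.get("timeleft", "00:00:00")) <= 0:
        return False, "AC expired"
    for fqan in ac["fqans"]:
        group, role, _cap = parse_fqan(fqan)
        if group == required_group and (required_role is None or role == required_role):
            return True, "matched %s" % fqan
    wanted = required_group + ("/Role=" + required_role if required_role else "")
    return False, "no FQAN grants %s" % wanted


if __name__ == "__main__":
    parsed = parse_voms_proxy_info(SAMPLE_OUTPUT)
    print(authorize(parsed, "/valerio/qwerty"))
    print(authorize(parsed, "/valerio/asdasd", required_role="admin"))
```

The order of the checks is the security-relevant part: an FQAN is only as good as the VOMS server that signed the AC, so the issuer is compared against the site's per-VO trust list before any group or role string is looked at.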

Page 15:

Example of data (same voms-proxy-info output as page 14). Highlighted field: Proxy’s issuer (the first issuer line)

Page 16:

Example of data (same voms-proxy-info output as page 14). Highlighted field: Certificate’s subject (the identity line)

Page 17:

Example of data (same voms-proxy-info output as page 14). Highlighted field: Type of proxy (the type line)

Page 18:

Example of data (same voms-proxy-info output as page 14). Highlighted field: Proxy’s key strength (the strength line)

Page 19:

Example of data (same voms-proxy-info output as page 14). Highlighted field: Proxy’s Location (the path line)

Page 20:

Example of data (same voms-proxy-info output as page 14). Highlighted field: Proxy’s validity (the first timeleft line)

Page 21:

Example of data (same voms-proxy-info output as page 14). Highlighted field: VO Name (the VO line)

Page 22:

Example of data (same voms-proxy-info output as page 14). Highlighted field: Owner’s Data (in the VO extension section)

Page 23:

Example of data (same voms-proxy-info output as page 14). Highlighted field: Owner’s Group membership (the three FQAN attribute lines)

Page 24:

Example of data (same voms-proxy-info output as page 14). Highlighted field: General-Purpose attributes (the attributeOne and attributeTwo lines)

Page 25:

Example of data (same voms-proxy-info output as page 14). Highlighted field: AC validity (the last timeleft line)

Page 26:

VOMS & Shibboleth

Page 27:

Shibboleth Structure

(diagram; components recovered from the slide: IdP, SP, WAYF)

Page 28:

Shibboleth: Protocol Description

(sequence diagram between User, Service Provider, WAYF and Identity Provider)

Page 29:

A common misconception:

VOMS = Shibboleth IdP

Page 30:

Similarities

VOMS and a Shibboleth IdP both…
Maintain lists of user identities.
Add attributes to user identities.
Offer a way to distribute such attributes.

Page 31:

Differences

Shibboleth IdP                                   | VOMS
-------------------------------------------------|----------------------------------------------------------
Has good support for federations                 | Has basic support for federations
Does not support X.509                           | Supports X.509
Supports SAML                                    | SAML support in development
Allows third parties to get information on users | Does not allow third parties to get information on users
Pull model                                       | Push model
Mostly geared to website authorization           | Mostly geared to grid authorization
Delegation of credentials not well supported     | Delegation of credentials well supported

Page 32:

Shibboleth and Grids: The problem

“The Shibboleth System is NOT usable in non-Browser scenarios (without a lot of hard thinking)”

“Introduction to Shibboleth – Phases of Deployment”, Steve Carmody, 2006 Shibboleth Camp

Unfortunately, grid access and usage rely heavily on non-browser access. This implies that some translation mechanism is necessary for Shibboleth users to access a grid.

Page 33:

An example submission

(diagram of a job submission; labels recovered from the slide: Broker, Execution, Storage, with Job and Data flows between them)

Page 34:

Shibboleth and Grids: The Solution

Insert Shibboleth attributes directly in a VOMS proxy and use said proxy for grid access. Implemented by VASH. A collaboration by SWITCH and INFN within EGEE. Details in my colleague’s presentation.

Page 35:

The VOMS team

Vincenzo [email protected]

Valerio [email protected]

Andrea [email protected]