Copy of...

35

Transcript of Copy of...

Page 1: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy
Page 2: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

OverviewWe describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider

Extends the Community Account ModelAsserts end user identity to the RPPermits fine-grained access control at the RPProvides strong auditing and effective incident responseAllows dynamic blacklisting of problem accounts or runaway processesA lightweight approach that does not require new wire protocols or extensive new middleware infrastructureComplements existing SAML-based middleware infrastructure on today's campuses

Page 3: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

AcknowledgmentsThe Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this presentation are those of the authors and do not necessarily reflect the views of NSF.Internet2 Shibboleth Project

Special mention: Frank Siebenlist, Tim Freeman, Tom Barton, Kate Keahey, Jim Basney, Scott Cantor

See the following paper for more detail:http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf

Page 4: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

The Classic Grid Use Case

A non-browser user issues a proxy certificate and initiates a grid request.

Page 5: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy
Page 6: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

The Classic Grid Use Case

GSI relies on proxy certificatestransport-level security (SSL/TLS)message-level security (WS-Security)

Authorization based on gridmap filesThe DN bound to the proxy is mapped to a local system account

Course-grained, identity-based access control

Trades off flexibility and scalability for simplicity

Page 7: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

X.509-bound SAML Token

Bind a SAML assertion to a non-critical X.509 v3 certificate extension.

Page 8: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy
Page 9: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

X.509-bound SAML Token

Can be used with either transport-level or message-level securityAdvantage: An implementation of WS-Security X.509 Token Profile (such as Globus Secure Message) is automatically an implementation of the X.509-bound SAML Token ProfileBonus: An X.509-bound SAML token can also be used with Globus Secure TransportNo new wire protocols are needed!

Page 10: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

GridShib-enabled GSI

A non-browser user binds a SAML assertion to a proxy certificate and

initiates a grid request.

Page 11: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy
Page 12: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

GridShib-enabled GSI

Fine-grained, attribute-based authzBased on X.509-bound SAML tokensNo modifications to GT clients are requiredIf the service is not GridShib-enabled, the X.509-bound SAML token is just ignoredGridShib SAML Tools on the gateway

Includes GridShib Security FrameworkExposes both a command-line interface and a Java API

GridShib for Globus Toolkit on the RPExposes a SAML security context

Page 13: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

The Science Gateway Use Case

A browser user authenticates to a grid portal. The portal issues a

proxy certificate and initiates a grid request on behalf of the user.

Page 14: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy
Page 15: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

The Science Gateway Use Case

The Community Account Modelsimplifies the user experiencesimplifies gateway implementation and deploymentsimplifies gridmap file management at the RP

but...

Page 16: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

The Science Gateway Use Case

Problem: All requests from the gateway look the same to the resource provider

End user identity is unknown to the RPExtreme course-grained access control at the resourceResults in a rather convoluted approach to auditingIn the event of an emergency, the RP disables all access to the community accountAccounting is difficult

Page 17: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

GridShib-enabled Science Gateway

A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy

certificate and initiates a grid request on behalf of the user.

Page 18: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy
Page 19: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

GridShib-enabled Science Gateway

Simple installation and configuration at the gatewayEnd user identity and contact information (e-mail) transmitted to RPBlacklist an IP address or name identifier on demandThree types of SAML security information:1. Authentication context2. Attributes3. Authorization decisions

Page 20: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

Comparison with VOMS

Virtual Organization Membership Service The most successful grid authz model today

VOMS binds X.509 attribute certificates (instead of SAML) to proxy certificatesVOMS requires the requester to be the subject; VOMS will not issue an AC to a requester acting on behalf of the subjectTherefore, a gateway can not call out to a VOMS server to obtain attributesConclusion: VOMS can not be used as a basis for gateway security

Page 21: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

Future Work

Not all are covered by our current SOW:Pluggable Attribute Resolver simplifies integration at the gatewayEnhanced blacklisting based on ranges of IP addresses or user identitySupport for both SAML V1.1 and V2.0Implement Attribute Acceptance PolicySupport the TG Accounting modelIntegrate GridShib with Globus CAS (i.e., support SAML authorization decisions)Support for SAML metadata

Page 22: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

Future Directions

A long term goal is to introduce federated identity at the science gatewayShibboleth , an open-source implementation of the SAML Browser Profiles, provides:UbiquityManageabilityUsabilitySecuritySince Shibboleth is based on SAML, our model complements existing campus infrastructure

Page 23: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy
Page 24: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

Thank You!

Page 25: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

An Example

1. A simple example of a GridShib SAML Tools command line

2. Using the Java API3. A more realistic example of a

GridShib SAML Tools command line4. A GridShib SAML Tools config file5. A self-issued assertion6. A two-step policy declaration7. Two GridShib for GT policy files

Page 26: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

Using the Command-line Interface I

A simple GridShib SAML Tools command line:

$ gridshib-saml-issuer \ --user trscavo --x509 --authn

the argument to the --user option is the portal userid (becomes the SAML Subject)the --x509 option indicates output should be an X.509 proxy credentialthe --authn option indicates a SAML AuthenticationStatement is desire

Page 27: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

Using the Java APISelfIssuedAssertion assertion = new SelfIssuedAssertion( issueInstant, entityID, lifetime, nameid, nameQualifier, format);assertion.addAuthnStatement(authnMethod, authnInstant, subjectIP);assertion.addAttributeStatement(attributeList);GlobusCredential proxy = assertion.bindToX509Proxy(credential);

Page 28: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

Using the Command-line Interface II

A more realistic GridShib SAML Tools command line:

$ gridshib-saml-issuer \ --user trscavo --x509 --authn \ --address 127.0.0.1 \ --properties \ Attribute.role.Name= \ urn:mace:dir:attribute-def:eduPersonEntitlement \ Attribute.role.Value= \ http://www.teragrid.org/names/roles/guest

Note the SAML attribute name-value pair.

Page 29: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

A Configuration File

# GridShib SAML Tools config properties# Identity Provider entityIDIdP.entityID=https://gridshib.gisolve.org/idp# SAML AttributeAttribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1Attribute.isMemberOf.Value=http://www.gisolve.org# X.509 Issuing CredentialcertLocation=file:///etc/grid-security/community-cert.pemkeyLocation=file:///etc/grid-security/community-key.pem

Page 30: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

A Self-issued SAML Assertion

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_3f89fecd323e4f1fa0f897b0ebb5f81c" IssueInstant="2007-10-29T16:46:35.673Z" Issuer="https://gridshib.gisolve.org/idp" MajorVersion="1" MinorVersion="1"> <!-- statements go here --></saml:Assertion>

Page 31: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

A SAML Authentication Statement

<saml:AuthenticationStatement AuthenticationInstant="2007-10-29T16:46:34.872Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"> <saml:Subject> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"> trscavo </saml:NameIdentifier> </saml:Subject> <saml:SubjectLocality IPAddress="127.0.0.1"/></saml:AuthenticationStatement>

Page 32: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

A SAML Attribute Statement<saml:AttributeStatement> <!-- redundant SAML Subject goes here --> <saml:Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" ...> <saml:AttributeValue ...> http://www.gisolve.org </saml:AttributeValue> </saml:Attribute> <!-- additional attributes go here --></saml:AttributeStatement>

Page 33: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

RP Policy Declaration

Suppose an RP declares the following two-step policy:1. Access is limited to a user who is a

member of a recognized community.2. Access is further limited to a user

acting in an acceptable role.Two policy files are needed in this case.

Page 34: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

RP Policy File I<attributePolicy ...> <entry> <listOfAttributes> <saml:Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" ...> <saml:AttributeValue> http://www.gisolve.org</saml:AttributeValue> </saml:Attribute> </listOfAttributes> <listOfUsernames> <username>gisolve</username> </listOfUsernames> </entry> <!-- additional entries go here --></attributePolicy>

Page 35: Copy of GridAuthzModel4SGWs-20080501grid.ncsa.illinois.edu/presentations/GridAuthzModel4SGWs-2008050… · 2008-05-01  · The Classic Grid Use Case A non-browser user issues a proxy

RP Policy File II<attributePolicy ...> <entry> <listOfAttributes> <saml:Attribute ... AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"> <saml:AttributeValue> http://www.teragrid.org/names/roles/guest </saml:AttributeValue> </saml:Attribute> </listOfAttributes> <listOfUsernames> <username>tg-guest</username> </listOfUsernames> </entry> ...</attributePolicy>