Copy of...
Transcript of Copy of...
OverviewWe describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider
Extends the Community Account ModelAsserts end user identity to the RPPermits fine-grained access control at the RPProvides strong auditing and effective incident responseAllows dynamic blacklisting of problem accounts or runaway processesA lightweight approach that does not require new wire protocols or extensive new middleware infrastructureComplements existing SAML-based middleware infrastructure on today's campuses
AcknowledgmentsThe Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this presentation are those of the authors and do not necessarily reflect the views of NSF.Internet2 Shibboleth Project
Special mention: Frank Siebenlist, Tim Freeman, Tom Barton, Kate Keahey, Jim Basney, Scott Cantor
See the following paper for more detail:http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf
The Classic Grid Use Case
A non-browser user issues a proxy certificate and initiates a grid request.
The Classic Grid Use Case
GSI relies on proxy certificatestransport-level security (SSL/TLS)message-level security (WS-Security)
Authorization based on gridmap filesThe DN bound to the proxy is mapped to a local system account
Course-grained, identity-based access control
Trades off flexibility and scalability for simplicity
X.509-bound SAML Token
Bind a SAML assertion to a non-critical X.509 v3 certificate extension.
X.509-bound SAML Token
Can be used with either transport-level or message-level securityAdvantage: An implementation of WS-Security X.509 Token Profile (such as Globus Secure Message) is automatically an implementation of the X.509-bound SAML Token ProfileBonus: An X.509-bound SAML token can also be used with Globus Secure TransportNo new wire protocols are needed!
GridShib-enabled GSI
A non-browser user binds a SAML assertion to a proxy certificate and
initiates a grid request.
GridShib-enabled GSI
Fine-grained, attribute-based authzBased on X.509-bound SAML tokensNo modifications to GT clients are requiredIf the service is not GridShib-enabled, the X.509-bound SAML token is just ignoredGridShib SAML Tools on the gateway
Includes GridShib Security FrameworkExposes both a command-line interface and a Java API
GridShib for Globus Toolkit on the RPExposes a SAML security context
The Science Gateway Use Case
A browser user authenticates to a grid portal. The portal issues a
proxy certificate and initiates a grid request on behalf of the user.
The Science Gateway Use Case
The Community Account Modelsimplifies the user experiencesimplifies gateway implementation and deploymentsimplifies gridmap file management at the RP
but...
The Science Gateway Use Case
Problem: All requests from the gateway look the same to the resource provider
End user identity is unknown to the RPExtreme course-grained access control at the resourceResults in a rather convoluted approach to auditingIn the event of an emergency, the RP disables all access to the community accountAccounting is difficult
GridShib-enabled Science Gateway
A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy
certificate and initiates a grid request on behalf of the user.
GridShib-enabled Science Gateway
Simple installation and configuration at the gatewayEnd user identity and contact information (e-mail) transmitted to RPBlacklist an IP address or name identifier on demandThree types of SAML security information:1. Authentication context2. Attributes3. Authorization decisions
Comparison with VOMS
Virtual Organization Membership Service The most successful grid authz model today
VOMS binds X.509 attribute certificates (instead of SAML) to proxy certificatesVOMS requires the requester to be the subject; VOMS will not issue an AC to a requester acting on behalf of the subjectTherefore, a gateway can not call out to a VOMS server to obtain attributesConclusion: VOMS can not be used as a basis for gateway security
Future Work
Not all are covered by our current SOW:Pluggable Attribute Resolver simplifies integration at the gatewayEnhanced blacklisting based on ranges of IP addresses or user identitySupport for both SAML V1.1 and V2.0Implement Attribute Acceptance PolicySupport the TG Accounting modelIntegrate GridShib with Globus CAS (i.e., support SAML authorization decisions)Support for SAML metadata
Future Directions
A long term goal is to introduce federated identity at the science gatewayShibboleth , an open-source implementation of the SAML Browser Profiles, provides:UbiquityManageabilityUsabilitySecuritySince Shibboleth is based on SAML, our model complements existing campus infrastructure
Thank You!
An Example
1. A simple example of a GridShib SAML Tools command line
2. Using the Java API3. A more realistic example of a
GridShib SAML Tools command line4. A GridShib SAML Tools config file5. A self-issued assertion6. A two-step policy declaration7. Two GridShib for GT policy files
Using the Command-line Interface I
A simple GridShib SAML Tools command line:
$ gridshib-saml-issuer \ --user trscavo --x509 --authn
the argument to the --user option is the portal userid (becomes the SAML Subject)the --x509 option indicates output should be an X.509 proxy credentialthe --authn option indicates a SAML AuthenticationStatement is desire
Using the Java APISelfIssuedAssertion assertion = new SelfIssuedAssertion( issueInstant, entityID, lifetime, nameid, nameQualifier, format);assertion.addAuthnStatement(authnMethod, authnInstant, subjectIP);assertion.addAttributeStatement(attributeList);GlobusCredential proxy = assertion.bindToX509Proxy(credential);
Using the Command-line Interface II
A more realistic GridShib SAML Tools command line:
$ gridshib-saml-issuer \ --user trscavo --x509 --authn \ --address 127.0.0.1 \ --properties \ Attribute.role.Name= \ urn:mace:dir:attribute-def:eduPersonEntitlement \ Attribute.role.Value= \ http://www.teragrid.org/names/roles/guest
Note the SAML attribute name-value pair.
A Configuration File
# GridShib SAML Tools config properties# Identity Provider entityIDIdP.entityID=https://gridshib.gisolve.org/idp# SAML AttributeAttribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1Attribute.isMemberOf.Value=http://www.gisolve.org# X.509 Issuing CredentialcertLocation=file:///etc/grid-security/community-cert.pemkeyLocation=file:///etc/grid-security/community-key.pem
A Self-issued SAML Assertion
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_3f89fecd323e4f1fa0f897b0ebb5f81c" IssueInstant="2007-10-29T16:46:35.673Z" Issuer="https://gridshib.gisolve.org/idp" MajorVersion="1" MinorVersion="1"> <!-- statements go here --></saml:Assertion>
A SAML Authentication Statement
<saml:AuthenticationStatement AuthenticationInstant="2007-10-29T16:46:34.872Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"> <saml:Subject> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"> trscavo </saml:NameIdentifier> </saml:Subject> <saml:SubjectLocality IPAddress="127.0.0.1"/></saml:AuthenticationStatement>
A SAML Attribute Statement<saml:AttributeStatement> <!-- redundant SAML Subject goes here --> <saml:Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" ...> <saml:AttributeValue ...> http://www.gisolve.org </saml:AttributeValue> </saml:Attribute> <!-- additional attributes go here --></saml:AttributeStatement>
RP Policy Declaration
Suppose an RP declares the following two-step policy:1. Access is limited to a user who is a
member of a recognized community.2. Access is further limited to a user
acting in an acceptable role.Two policy files are needed in this case.
RP Policy File I<attributePolicy ...> <entry> <listOfAttributes> <saml:Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" ...> <saml:AttributeValue> http://www.gisolve.org</saml:AttributeValue> </saml:Attribute> </listOfAttributes> <listOfUsernames> <username>gisolve</username> </listOfUsernames> </entry> <!-- additional entries go here --></attributePolicy>
RP Policy File II<attributePolicy ...> <entry> <listOfAttributes> <saml:Attribute ... AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"> <saml:AttributeValue> http://www.teragrid.org/names/roles/guest </saml:AttributeValue> </saml:Attribute> </listOfAttributes> <listOfUsernames> <username>tg-guest</username> </listOfUsernames> </entry> ...</attributePolicy>