VOMS Attributes Authority & Shibboleth Authentication
Transcript of VOMS Attributes Authority & Shibboleth Authentication
1
VOMS Attributes Authority & Shibboleth Authentication
Thai Thi Thu Thuy
2
Content
Virtual Organization Membership Service (VOMS)
Shibboleth Grid and Shibboleth integration
3
Attribute Authority Infrastructure in Grid Security
Infrastructure based on X.509 certificates (PKI)
Authentication
Needs "trusted third parties", i.e. Certificate Authorities (CAs)
Users identified with "identity" certificates signed by CAs
Delegation & single sign-on via proxy certificates
Authorization
Several entities involved: resource providers, Virtual Organizations
Authorization cannot be decided only on a local site basis but must reflect the service level agreements settled between VOs and resource providers
VOs administer user membership (groups, roles, ...)
RPs evaluate the attributes granted by VOs to their users and map them to local credentials used to access resources
4
Why VOMS?
In a grid environment, VOs tend to be extremely large and change frequently. Hundreds or even thousands of users.
Sites need to know the users because of the need to prepare local accounts and eventually apply authorization policies.
It is not scalable to manage them by hand
5
VO Membership Service (VOMS)
Virtual Organization Membership Service: an Attribute Authority (AA) that issues attributes (in the form of signed assertions) expressing membership information of a subject in the context of a Virtual Organization (VO)
A VO management service
A VO registration service
A source of trust for authorization
Extends the X.509 AAI with attributes related to VO structure so that access to resources can be authorized accordingly!
6
VOMS Attributes
Group membership: a VO member may be part of several VO groups
Role assignment: a VO member may be assigned roles
Generic attributes: (Name, Value) pairs that can be associated with a VO membership
7
Obtaining VOMS attributes
The user must have an X.509 certificate signed by a trusted CA
The user must be registered in a VOMS server as a member of a VO
The user contacts the VOMS server for his VO using a command line client (voms-proxy-init) or the VOMS APIs
A proxy certificate is created containing the user's VO membership information
In particular, VOMS creates a signed Attribute Certificate (AC) containing this info that is then packed into a proxy certificate
The proxy certificate is used to authenticate and authorize the user at remote services
8
VOMS Architecture
9
VOMS Management and Registration services (VOMS Admin)
A J2EE Web application that manages the contents of the VOMS database and provides registration services
Used by VO Administrators mainly to: add/remove users to the VO, put them in VOMS groups, assign VOMS roles to them, manage generic attributes
Provides a WSDL interface to its functions
Has a command line client
Has a web-based user interface
10
VOMS Management and Registration services (VOMS Admin)
All operations on VOMS Admin are authorized via ACLs
ACLs are (Context, Principal, Permission) triples
The Context is a FQAN
The Principal is either: a (DN, CA) couple (i.e., an X.509 certificate), a FQAN, or ANY_AUTHENTICATED_USER
The Permission states what the principal can do in the Context: list/add members to a group/role, create subgroups, manage attributes, manage requests/subscriptions pertaining to groups/roles
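An added example (not from the slides or the VOMS Admin code) of how the (Context, Principal, Permission) triples above can be evaluated for a requester authenticated with an X.509 certificate and a VOMS AC. The ACL entries, operation names and CA name are constructed; the admin DN is the one printed in the voms-proxy-info example on these slides.

```python
ANY_AUTHENTICATED_USER = "ANY_AUTHENTICATED_USER"

def canonical(fqan):
    # voms-proxy-info prints plain group membership as "/vo/group/Role=NULL/Capability=NULL";
    # a NULL Role or Capability carries no information, so it is dropped before comparing.
    for tail in ("/Capability=NULL", "/Role=NULL"):
        if fqan.endswith(tail):
            fqan = fqan[:-len(tail)]
    return fqan

# Constructed ACL for the VO "valerio" as a list of (Context, Principal, Permission) triples.
# Context is an FQAN; Principal is a (DN, CA) couple, an FQAN, or ANY_AUTHENTICATED_USER.
# The admin DN is the one shown on the slides; the CA DN is a constructed placeholder.
ADMIN = ("/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini",
         "/C=IT/O=INFN/CN=EXAMPLE-CA")
ACL = [
    ("/valerio", ADMIN, {"list", "add", "create_subgroup", "manage_attributes", "manage_requests"}),
    ("/valerio", "/valerio/Role=VO-Admin", {"list", "add", "create_subgroup"}),
    ("/valerio/qwerty", "/valerio/qwerty", {"list"}),      # members of the group may list it
    ("/valerio", ANY_AUTHENTICATED_USER, {"list"}),         # any authenticated user may list the VO
]

def principal_matches(principal, requester):
    # requester: None when unauthenticated, else {"dn", "ca", "fqans"} taken from its
    # client certificate and the VOMS AC it presented.
    if requester is None:
        return False                        # even ANY_AUTHENTICATED_USER needs authentication
    if principal == ANY_AUTHENTICATED_USER:
        return True
    if isinstance(principal, tuple):        # (DN, CA) couple, i.e. one X.509 identity
        return (requester["dn"], requester["ca"]) == principal
    return canonical(principal) in {canonical(f) for f in requester["fqans"]}

def permissions(context, requester, acl=ACL):
    # Union of the permissions of every triple whose Context matches exactly and whose
    # Principal the requester satisfies; no inheritance from parent groups is assumed.
    granted = set()
    for ctx, principal, perms in acl:
        if ctx == context and principal_matches(principal, requester):
            granted |= perms
    return granted

def is_authorized(context, requester, operation, acl=ACL):
    return operation in permissions(context, requester, acl)
```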
11
VOMS-Admin architecture
12
VOMSd
VOMSd is the component which listens for user requests and creates Attribute Certificates. All communication is secured and mutually authenticated.
Allows high customization of ACs: which roles to present, validity length, targeting, etc.
13
VOMS data format
Attributes (groups, roles, general purpose) returned by VOMS are inserted into an RFC-3281 compliant Attribute Certificate.
The provided clients insert the AC in a non-critical extension of the user proxy
14
VOMS clients
The clients provided are command-line based, but APIs are available in C, C++ and Java.
You could write your own client
15
Example of data:

[marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u502
timeleft  : 11:59:58
=== VO valerio extension information ===
VO        : valerio
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it
attribute : /valerio/Role=NULL/Capability=NULL
attribute : /valerio/asdasd/Role=NULL/Capability=NULL
attribute : /valerio/qwerty/Role=NULL/Capability=NULL
attribute : attributeOne = 111 (valerio)
attribute : attributeTwo = 222 (valerio)
timeleft  : 11:59:58

Slides 15 to 26 repeat this output, each highlighting one field of it in turn:
subject (proxy block): Proxy’s Subject
issuer (proxy block): Proxy’s issuer
identity: Certificate’s subject
type: Type of proxy
strength: Proxy’s key strength
path: Proxy’s Location
timeleft (proxy block): Proxy’s validity
VO: VO Name
subject and issuer (VO block): Owner’s Data
attribute /valerio/...: Owner’s Group membership
attribute attributeOne, attributeTwo: General-Purpose attributes
timeleft (VO block): AC validity
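As an added example (not from the slides or the VOMS distribution), a small Python parser for the voms-proxy-info --all output above, followed by the resource-provider step of slide 3: an AC is used for mapping only if it was issued by the VOMS server the site trusts for that VO, is bound to the proxy's own identity and has not expired. The sample output is abridged from the slide; the trusted-server table, the FQAN to local account table and the account names are constructed.

```python
# voms-proxy-info --all output, abridged from the slide (DNs and values are the slide's own)
SAMPLE = """\
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
=== VO valerio extension information ===
VO        : valerio
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it
attribute : /valerio/Role=NULL/Capability=NULL
attribute : /valerio/qwerty/Role=NULL/Capability=NULL
attribute : attributeOne = 111 (valerio)
timeleft  : 11:59:58
"""

def parse_proxy_info(text):
    # Returns (proxy_fields, acs): one dict per VO extension (vo, subject, issuer, fqans, generic, timeleft)
    proxy, acs = {}, []
    for line in text.splitlines():
        key, _, val = (p.strip() for p in line.partition(":"))
        if key == "timeleft":                             # HH:MM:SS -> seconds
            h, m, s = map(int, val.split(":"))
            val = h * 3600 + m * 60 + s
        if line.startswith("=== VO "):                    # one VO's Attribute Certificate begins
            acs.append({"vo": line.split()[2], "fqans": [], "generic": {}})
        elif not acs:                                     # still in the proxy's own block
            proxy[key] = val
        elif key == "attribute" and val.startswith("/"):
            acs[-1]["fqans"].append(val)                  # group/role FQAN, kept in AC order
        elif key == "attribute":                          # generic "name = value (vo)" attribute
            name, _, rest = val.partition(" = ")
            acs[-1]["generic"][name] = rest.rsplit(" (", 1)[0]
        else:
            acs[-1][key] = val
    return proxy, acs

# Constructed site policy: trusted VOMS server DN per VO, and FQAN -> local account; first FQAN in AC order wins
TRUSTED_VOMS = {"valerio": "/C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it"}
SITE_MAP = {"/valerio/qwerty/Role=NULL/Capability=NULL": "qwerty001",
            "/valerio/Role=NULL/Capability=NULL": "valerio001"}

def map_to_local_account(proxy, acs, trusted=TRUSTED_VOMS, site_map=SITE_MAP):
    for ac in acs:
        if (trusted.get(ac["vo"]) != ac["issuer"]         # not signed by this VO's VOMS server
                or ac["subject"] != proxy["identity"]     # AC bound to a different holder
                or ac["timeleft"] <= 0):                  # the AC itself has expired
            continue
        for fqan in ac["fqans"]:
            if fqan in site_map:
                return site_map[fqan]
    return None                                           # no usable attribute: deny
```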
27
Shibboleth
Many grids are looking for less complex ways to authenticate their users.
Shibboleth is being adopted as a top-down authentication infrastructure.
28
What is Shibboleth?
An Internet2/MACE initiative to develop a standards-based architecture and policy framework supporting the sharing of secured web resources and services
A software project delivering an open source implementation of the architecture and framework
Based on the OASIS SAML standard (http://www.oasis-open.org/)
29
Shibboleth Architecture
[Architecture diagram: IdP/Original Site (Authentication Server, Handle Service, Attribute Authority), SP/Target Site (ShibAuthZ, SHAR, SHIRE), WAYF and User, with numbered message steps 1 to 8 (4a, 4b)]
30
Shibboleth Architecture
SHIRE: Shibboleth Indexical Reference Establisher
SHAR: Shibboleth Attribute Requester
WAYF: Where Are You From
31
Shibboleth & VOMS similarities
Maintain lists of user identities. Add attributes to user identities. Offer a way to distribute such attributes
32
Shibboleth & VOMS differences
Shibboleth IdP                                      | VOMS
----------------------------------------------------|----------------------------------------------------------
Has good support for federations                    | Has basic support for federations
Does not support X.509                              | Supports X.509
Supports SAML                                       | SAML support in development
Allows third parties to get information on users    | Does not allow third parties to get information on users
Pull model                                          | Push model
Mostly geared to website authorization              | Mostly geared to grid authorization
Delegation of credentials not well supported        | Delegation of credentials well supported
33
Grid & Shibboleth integration
SWITCH AAI: http://www.switch.ch/aai/
GridShib: http://gridshib.globus.org/
ShibGrid: http://www.oerc.ox.ac.uk/activities/projects/index.xml?ID=ShibGrid
SHEBANGS: http://www.mc.manchester.ac.uk/research/projects/shebangs
Has a VOMS component: SWITCH and SHEBANGS
34
GridShib (attribute pull)
[Diagram: Client, GridShib CA with SAML tools, Shibboleth WAYF, Shibboleth IdP and Grid Resource, with numbered steps 1 to 10; the certificate is issued at step 6]
35
ShibGrid
36
Shebangs
37
About my thesis
Research and develop a single sign-on mechanism through a web environment for VN-Grid
38
Approach
Key words: single sign-on, web environment, Shibboleth, GSI, VOMS
How to bridge the gap between Shibboleth and Grid?
39
Reference
www.globus.org www.shibboleth.internet2.edu …
40
Thank you for your attention!