Advances in Middleware Security - a Globus perspective

International Grid Trust Federation
- PKIs for Grids have now reached world-spanning size.
- http://www.gridpma.org

X509 Delegation and Single Sign-on
- Standardized: RFC 3820 defines format and path validation for Proxy Certificates
- Allows for single sign-on and delegation across domains
Diagram: ECC, Single Sign-on, Proxy, Delegation, Domain A, Proxy Service, Domain B

Web Services Security Standards are slowly evolving (Jan '04)
Diagram: WS-Secure Conversation, WS-Federation, WS-Authorization, WS-Policy, WS-Trust, WS-Privacy, WS-Security on a SOAP Foundation; status key: In progress, proposed, promised

Web Services Security Standards are slowly evolving (today)
Diagram: WS-Policy, WS-Secure Conversation, WS-Federation, WS-Authorization, XACML, WS-Trust, WS-Privacy, SAML, WS-Security on a SOAP Foundation; status key: Evolving, In progress, proposed, promised

Pluggable Authorization
- Strong success in developing and deploying interfaces for pluggable authorization.
- Designed in collaboration (GGF or "back room").
- Images: from Micha Bayer; National Fusion Collaboratory (from M. Thompson); from OSG

Operational experiences
- Security the #1 support errand
  - Incorrect configuration
  - Multiple CAs to install
  - Multiple software layers and distributed systems make error reporting difficult
- CRL handling awkward
  - Periodic pull requests cause high peak loads
  - Failed updates cause stalled systems

Users, Trojans, and Attacks
- 15 months ago: SSH attacks
  - Attack targeted ~/.ssh/
  - Password and key sniffing software on users' home PCs
  - By stealing user keys at one site, they got immediate access to other sites as well
- Weak or no password protection
  - Many people keep their grid keys in ~/.globus/
- We learned a lot from this
  - Incident response
  - Incident reporting across organizations

"This Grid stuff is all too much for me…"
- The power of portals
  - Low learning curve
  - Can be made domain specific
  - Can hide "all the X509 stuff" from user
- Toolkits for Grid Portals: PURSE, OGCE, GAMA, GridSphere, GridSite, etc.
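The RFC 3820 path-validation rules that the X509 delegation slide above refers to, as an added example that is not code from this talk or from the Globus Toolkit. It builds a constructed CA -> EEC -> proxy chain with the Python cryptography library and applies the per-link checks a relying party performs (critical ProxyCertInfo present, proxy subject equals issuer subject plus exactly one CN, signature verifies under the end-entity key); the names and the forged proxy are assumptions made for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
# id-pe-proxyCertInfo, and a DER ProxyCertInfo with RFC 3820's inheritAll policy (1.3.6.1.5.5.7.21.1)
PROXY_CERT_INFO = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")
INHERIT_ALL_DER = bytes.fromhex("300c300a06082b06010505071501")
CN = NameOID.COMMON_NAME
extend = lambda dn, v: x509.Name(list(dn) + [x509.NameAttribute(CN, v)])  # dn plus one CN RDN

def make_cert(subject, issuer_name, issuer_key, pub, proxy=False):
    """Sign a 12-hour certificate; proxy=True adds the critical ProxyCertInfo."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(hours=12)))
    if proxy:
        b = b.add_extension(
            x509.UnrecognizedExtension(PROXY_CERT_INFO, INHERIT_ALL_DER), critical=True)
    return b.sign(issuer_key, hashes.SHA256())

def is_valid_proxy(proxy, issuer):
    """RFC 3820 section 4.1.3 checks on one proxy link of the chain."""
    pci = next((e for e in proxy.extensions if e.oid == PROXY_CERT_INFO), None)  # 1. present
    if pci is None or not pci.critical:  # ... and marked critical
        return False
    # 2. subject = issuer's subject + exactly one extra RDN holding a single CN
    rdns = list(proxy.subject.rdns)
    if proxy.issuer != issuer.subject or rdns[:-1] != list(issuer.subject.rdns):
        return False
    if len(rdns[-1]) != 1 or not rdns[-1].get_attributes_for_oid(CN):
        return False
    try:  # 3. the signature must verify under the issuer's (the EEC's) public key
        issuer.public_key().verify(proxy.signature, proxy.tbs_certificate_bytes,
                                   padding.PKCS1v15(), proxy.signature_hash_algorithm)
        return True
    except Exception:
        return False

def demo():
    """Constructed chain CA -> EEC -> proxy, plus a proxy not signed by the EEC key."""
    ca_key, user_key, pxy_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca_dn = x509.Name([x509.NameAttribute(CN, "Example Grid CA")])
    eec = make_cert(extend(ca_dn, "Alice"), ca_dn, ca_key, user_key.public_key())
    pxy_dn = extend(eec.subject, "proxy")
    good = make_cert(pxy_dn, eec.subject, user_key, pxy_key.public_key(), proxy=True)
    forged = make_cert(pxy_dn, eec.subject, pxy_key, pxy_key.public_key(), proxy=True)
    return is_valid_proxy(good, eec), is_valid_proxy(forged, eec)
```

A full validator would walk every link of the chain (EEC back to the trusted CA, then each proxy in turn) and also enforce pCPathLenConstraint; this block shows the checks for a single proxy link.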
But, we must also understand the limitations of portals
- An 80/20 solution
- Power-users easily get annoyed
- Difficult for "tinkering-centric" research

Grid Portal Gateways
- The Portal: accessed through a browser or desktop tools
- The Required Support Services: searchable metadata catalogs, information space management, workflow managers, resource brokers, application deployment services, authorization services

Technical Approach
- Build standard portals to meet the domain requirements of the biology communities
- Develop federated databases to be replicated and shared across TeraGrid
- Builds on NSF & DOE software
  - Use NMI Portal Framework, GridPort
  - NMI Grid Tools: Condor, Globus, etc.
  - OSG, HEP tools: Clarens, MonaLisa
- Slide Credit: Nancy Wilkins-Diehr

OGCE
Diagram: OGCE Portlets with Container Service API (Apache Jetspeed); Internal Services; Grid Service Stubs; Local Portal Services; Remote Content Services; Workflow Composer; Grid Resources; Grid Protocols; Java CoG Kit; OGCE Science Portal; Grid Services; Open Source Tools; HTTP; Remote Content Servers
- Provides Grid authentication and access to services
- Provide direct access to TeraGrid hosted applications as services

MyProxy and LTER Grid
Diagram: LTER Portal; LDAP username & password; MyProxy server; Proxy; PAM; LTER LDAP; Grid Services (e.g. job submission); GridFTP; Creds

Kerberos-CA: Site Authentication Integration
- KCA/Kx509 deployment at FNAL has shown X509 integration with site authentication works well
- Alternate to traditional user-managed credentials
Diagram: Kerberos Logon, Kerberos, KCA, X509, MyProxy 3.0
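One defender-side check for the weakness the attack slide describes (keys kept in ~/.ssh/ and ~/.globus/ with weak or no password protection), the user-managed credentials the Kerberos-CA slide above offers an alternative to. It is added here and is not part of the talk: it audits a home directory for private keys that are readable by group/other or carry no passphrase. The home layout, the placeholder file bodies and the OpenSSH-format detection are constructed assumptions.

```python
import base64
import stat
import struct
import tempfile
from pathlib import Path

def is_encrypted(pem: str) -> bool:
    """Passphrase-protected? Legacy OpenSSL PEM: 'Proc-Type: 4,ENCRYPTED' header;
    PKCS#8: 'ENCRYPTED PRIVATE KEY'; OpenSSH format: cipher name in the body != 'none'."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(b"openssh-key-v1\0"):
            return False  # malformed: report it rather than trust it
        return raw[19:19 + struct.unpack(">I", raw[15:19])[0]] != b"none"
    return "Proc-Type: 4,ENCRYPTED" in pem or "ENCRYPTED PRIVATE KEY" in pem

def audit_home(home: Path) -> list:
    """Findings for ~/.globus/userkey.pem (GSI's default key) and ~/.ssh/id_* private keys."""
    candidates = [home / ".globus" / "userkey.pem"]
    candidates += sorted(p for p in (home / ".ssh").glob("id_*") if p.suffix != ".pub")
    findings = []
    for path in candidates:
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other access is too open
            findings.append(f"{path.relative_to(home)}: mode {mode:04o}, expected 0600")
        if not is_encrypted(path.read_text(errors="replace")):
            findings.append(f"{path.relative_to(home)}: no passphrase")
    return findings

# Constructed OpenSSH-format header with cipher "none" and kdf "none" (no key material).
OPENSSH_PLAIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(
    b"openssh-key-v1\0" + struct.pack(">I", 4) + b"none" + struct.pack(">I", 4) + b"none"
).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n"

def demo() -> list:
    """Constructed home: a world-readable, unencrypted GSI key beside a protected SSH key."""
    home = Path(tempfile.mkdtemp())
    for d in (".globus", ".ssh"): (home / d).mkdir()
    gsi = home / ".globus" / "userkey.pem"  # placeholder body, not real key material
    gsi.write_text("-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n")
    gsi.chmod(0o644)
    ssh = home / ".ssh" / "id_rsa"  # placeholder with the legacy encrypted-PEM headers
    ssh.write_text("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-256-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
    ssh.chmod(0o600)
    return audit_home(home)
```

Run audit_home(Path.home()) on a real account to get the same two kinds of finding for the keys actually on disk.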
GridShib (Simplified)
Diagram: SAML; Shibboleth IdP; Attrs/Attributes; IDs; DN; callout; SSL/TLS, WS-Security

GridShib: current status
- Beta release since early Sept 2005
- Information Provider plugin to Shib 1.3b
- Authorization callout to GT4.0.1
- Attributes-only for now

GridShib and MyProxy Integration
Diagram: SAML; Shibboleth IdP; Attrs/Attributes; IDs; DN; callout; MyProxy w/ online CA; SSL/TLS, WS-Security

It's not SAML vs PKI …
- Legacy deployments
- SAML == Web Browser authentication today
  - Very short-lived bearer credentials
  - Lots of redirection in protocol - assumes web browser
- SAML seems to be a good source of attributes
  - Used for GGF OGSA-Authz Authorization Interface

GT4's Use of Security Standards
Table (only the annotations survive extraction): Supported, but slow; Supported, but insecure; Fastest, so default

GT-XACML Integration
- eXtensible Access Control Markup Language
  - OASIS standard, open source implementations
  - XACML: sophisticated policy language
- Globus Toolkit ships with XACML runtime
  - Included in every client and server built on GT
  - Turned on through configuration
  - … that can be called transparently from runtime and/or explicitly from application …
- … and we use the XACML "model" for our Authz Processing Framework

GT Authorization Framework
Diagram: VOMS, Shibboleth, LDAP, PERMIS, … feed Attributes to PIPs; the PDP returns the Authorization Decision; GT4 Client; GT4 Server

GT4 WS GRAM
- 2nd-generation WS implementation optimized for performance, flexibility, stability, scalability
- Streamlined critical path
  - Use only what you need
- Leverage SUDO for critical code
- Flexible credential management
  - Credential cache & delegation service
- GridFTP & RFT used for data operations
  - Data staging & streaming output
  - Eliminates redundant GASS code

GT4 WS GRAM Architecture
Diagram: Client; Delegate / Delegation; Transfer request; RFT File Transfer; Job events; SEG; Service host(s) and compute element(s); GT4 Java Container with GRAM services; GRAM adapter; Local job control via sudo; Local scheduler; User job; Compute element; GridFTP (FTP control, FTP data); Remote storage element(s)

More user requirements
- Installation of special software
- Prestaging of datasets … and updates thereof
- Operating additional services … and updates thereof … and debugging when they fall over
- There is a need for "VO services"

VO services need to be managed
- Ensure they don't consume more resources than allocated
- Provide persistency and management functions (start, stop, suspend, resume)
- Adhere to site security, auditing, and accounting policies
- All that could be done by site admins, but it would be favorable to have infrastructure services taking care of that

Example: current gLite CE (Enabling Grids for E-sciencE)
Diagram: VO admin; VO Services; Infrastructure Services; Submit job; Grid; GT GRAM; LCAS; LCMAPS; CEMon; WSS; Notifications; Launch; Condor-C; Blahpd; CE; Local batch system (LSF, PBS/Torque, Condor)
- Should evolve into a VO scheduler

Workspace Service: The Hosted Activity
Diagram: Client; Policy; Negotiate access; Initiate activity; Monitor activity; Control activity; Activity; Environment Interface; Resource provider

Activities Can Be Nested
Diagram: Client; Policy; Client; Client; Environment Interface; Resource provider

For Example …
- Deploy service
- Deploy container
- Deploy virtual machine
- Deploy hypervisor/OS
- Procure hardware
Diagram: JVM, JVM, VM, VM, Hypervisor/OS, Physical machine
- Provisioning, management, and monitoring at all levels

The Future
- We now have a solid and extremely powerful Web services base
- Next, we will build an expanded open source Grid infrastructure
  - Virtualization
  - New services for provisioning, data management, security, VO management
  - End-user tools for application development
  - Etc., etc.
- And of course responding to user requests for other short-term needs

Short-Term Priorities: Security
- Improve GSI error reporting & diagnostics
- Trust root provisioning, GridLogon/MyProxy
- Identity/attribute assertions in GT auth. callouts (e.g., Shib, PERMIS, VOMS, SAML)
- Extend CAS admin & policy support
- Security logging with management control for audit purposes
- MyProxy integration with Shibboleth
- Integration of all the pieces
- We're close…
- And for Portals too…

Thank you
Questions?
Von Welch (vwelch@ncsa.uiuc.edu)