Experiences in Building Secure Grid Infrastructures at NeSC Glasgow
Jipu Jiang, GLASS Project Engineer, National e-Science Centre, University of Glasgow
Portals & Portlets, 18 July 2006

Overview
• Introduction to the GLASS project
• Shibboleth
• Choosing a Grid portal
• The working process of Shibboleth + Grid portal
• Demo
• Conclusion
• Future plans

GLASS Project
GLASgow university early adoption of Shibboleth
• 1 year JISC funded project, starts March 2006
• Exploring early adoption of Shibboleth
• Scenarios based upon
  – teaching
  – access to NHS resources/data
    • looking at secure access to and usage of brain trauma patient data at Glasgow Southern General Hospital
• Glasgow is rolling out Shibboleth for campus resource authentication (based on Novell nSure technology)

Shibboleth
• A standards-based framework (SAML)
• Federated authentication system: institutions in a federation should trust one another.
• For Single Sign-On (SSO) across or within organizational boundaries.
• Distributed account management
  – Each organization manages its own user accounts.
  – No centralized architecture
• Authentication is done by the user's home institution – Identity Provider (Origin)
• Authorisation (and access) is done by the resource – Service Provider (Target)
• We have V1.2 operating as part of SDSS

• Scenario:
  – UK universities decide to share library resources
  – Students from the University of Glasgow don't have web accounts to access protected resources located in Edinburgh
• Solution:
  – Edinburgh & Glasgow universities join the Shibboleth federation
  – If the scenario occurs, the access from a Glasgow student will be directed back to Glasgow to authenticate (the origin/identity provider).
  – If authentication is successful, students will be able to access Edinburgh resources (Edinburgh trusts Glasgow).
  – Furthermore, Edinburgh could ask Glasgow for more information about this student for authorization, such as the role this user holds, student or lecturer.

Apply to Grid Portal
• Problem: Shibboleth is an Apache module on the Target side. It protects only static directories
  – e.g. the folder /var/www/html/private can be protected directly
• But Grid portals are based on dynamic pages.
• To make Shibboleth protect the dynamic pages, we have investigated several methods for deployment
• Key point:
  – Need to establish a link between the Tomcat portal and the Shibboleth Apache module
• HTTP redirect from separate resources?
  – Too risky
  – Shibboleth attributes cannot be transferred
• mod_jk/mod_jk2 Apache module
  – Secure solution
  – Firewall rules more sane

Configuration
• In mod_jk2:

    [uri:/secure/*]
    worker=ajp13:localhost:8009
    group=lb

  – This redirects any request for the http://localhost/secure directory to http://localhost:8080/secure
• In Shibboleth:

    <Location /secure>
      AuthType shibboleth
      ShibRequireSession On
      require valid-user
    </Location>

  – Shibboleth is now protecting the /secure directory.
• In this way, dynamic pages can also be protected by Shibboleth

Grid Portal Frameworks
• Grid portal frameworks
  – GridSphere
  – WebSphere Portal
  – uPortal
  – Apache Portals
  – Liferay Portal
  – etc.
• At NeSC Glasgow, we have previous experience in 2 portal frameworks, WebSphere Portal and GridSphere
• I did a comparison study of the 2 frameworks:
  – GridSphere wins.

GridSphere vs WebSphere

| Feature | GridSphere | WebSphere |
|---|---|---|
| License | Open Source | Commercial Product |
| Complexity | Low | High |
| Re-use of Publicly Available Components | Good – deploys into Apache Tomcat and uses log4j | Poor – proprietary implementations of application server, logging package and http server |
| Documentation | Good – about the right amount | Almost too much – things are hard to find |
| Installation/Configuration | Easy & Quick | Cumbersome |
| Special Hardware Requirements | No | At least 1 GB memory per processor and at least 4 GB disk space |
| Debugging Your Own Portlets | Easy – log4j can be used | Hard – in-code debugging statements need to be changed to support the IBM logging mechanism |
| Stability | Not very stable in previous versions, but getting better | Fairly stable |
| JSR168 Compliance | Full | Full from version 5.1 onwards |
| WSRP Compliance | No | Yes |
| Security | Basic Login & RBAC | Fairly strong |
| Overall Impression | Lightweight, easy-to-use, basic | Complex, monolithic, feature-rich |

Why GridSphere
• We chose the GridSphere portal framework for Shibbolizing Grid, because:
  – Not only
    • Open source, easy interfaces
    • Easy customization
    • Standardized, JSR-168
    • Powerful visual beans and the User Interface (UI) tag library
    • Grid toolkit: GridPortlets
  – But also
    • Can factor out AuthN/AuthZ to other applications (PERMIS, Shibboleth)
    • Can engineer portlets based on user privilege

Grid Portal + Shibboleth = …
• Portal authentication by Shibboleth
• Grid services deployed in GridSphere
• Grid services or GridSphere enable authorization

The working process of Shibboleth + Grid portal
[Sequence diagram, one step per slide. Actors: User, Grid Portal (Service Provider), WAYF (Federation), Home Institution (Identity Provider), AuthZ.]
1. User points browser to portal
2. Shibboleth redirects user to the W.A.Y.F service
3. User selects their home institution
4. AUTHENTICATE: home institution confirms user ID in local LDAP and pushes attributes to the service provider
5. Portal logs user in and presents attributes to the authorisation function
6. AUTHORISE: portal passes attributes to the AuthZ function to make the final access control decision

DEMO
• Grid portlets that have been Shibbolized:
  – DyVOSE project: search/sort service that students built.
    • http://www.nesc.gla.ac.uk/hub/projects/dyvose
  – BRIDGES project: GridBLAST service
    • http://www.nesc.gla.ac.uk/hub/projects/bridges
  – VOTES project: VOTES portal
    • http://www.nesc.gla.ac.uk/hub/projects/votes

DyVOSE Project
• DyVOSE is a 2-year project funded by the JISC
• Intention is to explore the establishment of scalable Virtual Organisations (VOs) in the domain of e-Science education.
• Applied existing PERMIS technology to establish a static Privilege Management Infrastructure at GU
• Students used the PERMIS Policy Editor to develop the security policy for use in their assignment
  – Sorting/searching "complete works of Shakespeare" …
  – … using training lab Condor pool,
  – … * as GT3.3/Condor service,
  – … as GT3.3 service using GSI,
    • To see how authorisation at service level is achieved
      – Service should be accessible by themselves and lecturing staff only
  – … using * for GT3.3-PERMIS authorised service
    • To see how authorisation at method level is achieved
      – Students split into groups (studentteam1, studentteam2)
        » Sort method available to their group and lecturers only
        » Search method available to all

BRIDGES project
• Biomedical Research Informatics Delivered by Grid Enabled Services
• Delivering a Grid infrastructure offering secure access to and usage of highly distributed, evolving biomedical data sets.
• WebSphere Portal as the front-end, to make things easy for the end users.
• Both OGSA-DAI and IBM Information Integrator technology are being employed
• PERMIS for authorization
  – The more powerful role you have, the more computational power you can get.

VOTES project
• Virtual Organisations for Trials and Epidemiological Studies
• 3 year MRC (£2.8M) funded project, started October 2005
• Plans to develop Grid infrastructure to address key components of clinical trial/observational study
  – Recruitment of potentially eligible participants
  – Data collection during the study
  – Study administration and coordination
[Figure: Clinical Virtual Organisation Framework, used to realise CVO-1 (e.g. for data collection) and CVO-2 (e.g. for recruitment). Nodes: Lei, Nott, GLA, OX, IMP; data sources: disease registries, hospital databases, GPs, clinical trial data sets; Transfer Grid.]
• Involves Glasgow, Oxford, Leicester, Nottingham, Manchester

Conclusions
• Benefits:
  – SSO
  – Facilitates creation of dynamic VOs
  – Non-centralized account management
  – Securely exchange registration information
  – Clearly distinguish AuthN and AuthZ
    • AuthZ should be the job of services
• Shortcomings:
  – For AuthZ, the role names may get confused
    • Institute A: "Staff" = lecturer
    • Institute B: "Staff" = cleaner
  – Cannot pass certificate in the current picture
  – More difficulties for accounting in the portal

Future Plans
• Extending our security infrastructure: put MyProxy into the scenario
  – Shibboleth at the Grid service level, e.g. ShibGrid, is under construction
  – Shibboleth at the portal level: N-tier problem
  – How to integrate portal-level MyProxy delegation with Shibboleth? Especially in different complicated scenarios
• Optimize the Grid portal: deeper integration with GridSphere, e.g.
  – Localization, personalization, layout customization, etc.
  – User group selection
• Working with Glasgow Southern General Hospital, build the secure portal to access and use brain trauma patient data (brain images)

Further Information
• Email: j.jiangj@nesc.gla.ac.uk
• GLASS Project website: http://www.nesc.ac.uk/hub/projects/glass
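The AUTHORISE step of the working process and the role-name confusion listed under Shortcomings, as an added example that is not the GLASS project's or GridSphere's own code: the portal's AuthZ function keys its policy on (identity provider, role) instead of the bare role name. The attribute names 'Shib-Identity-Provider' and 'affiliation' are assumed (they depend on the SP's attribute map), and the IdP URLs and policy are constructed.

```python
"""Added example (not GLASS project code): AuthZ for a Shibboleth-protected
grid portal, with roles scoped by the identity provider that asserted them.

Assumptions: the Shibboleth SP exports the user's IdP entity ID and
affiliation to the portal as request attributes named
'Shib-Identity-Provider' and 'affiliation' (assumed names; they depend on
the SP's attribute map). IdP URLs and the policy are constructed."""

SEARCH, SORT, SUBMIT = "search", "sort", "submit_job"

# Constructed policy keyed by (identity provider, role). Scoping by IdP is
# what prevents the "Staff" confusion from the Conclusions slide: the same
# role name means lecturer at Institute A and cleaner at Institute B.
IDP_A = "https://idp.institute-a.example/shibboleth"
IDP_B = "https://idp.institute-b.example/shibboleth"
POLICY = {
    (IDP_A, "staff"): {SEARCH, SORT, SUBMIT},   # "staff" at A = lecturer
    (IDP_A, "student"): {SEARCH},
    (IDP_B, "staff"): set(),                     # "staff" at B = cleaner
}


def roles_of(attrs):
    """Multi-valued attributes arrive semicolon-separated from the SP."""
    raw = attrs.get("affiliation", "")
    return {r.strip().lower() for r in raw.split(";") if r.strip()}


def permitted_actions(attrs):
    """Actions allowed for this session; empty when there is no Shibboleth session."""
    idp = attrs.get("Shib-Identity-Provider")
    if not idp:
        return set()  # no session established by the SP: deny everything
    allowed = set()
    for role in roles_of(attrs):
        allowed |= POLICY.get((idp, role), set())
    return allowed


def authorise(attrs, action):
    return action in permitted_actions(attrs)


def naive_authorise(attrs, action):
    """The weak variant: trusts the bare role name regardless of which IdP asserted it."""
    unscoped = {"staff": {SEARCH, SORT, SUBMIT}, "student": {SEARCH}}
    return any(action in unscoped.get(r, set()) for r in roles_of(attrs))


if __name__ == "__main__":
    b_staff = {"Shib-Identity-Provider": IDP_B, "affiliation": "staff;member"}
    print("scoped:", authorise(b_staff, SORT), "naive:", naive_authorise(b_staff, SORT))
```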