Globus Toolkit: Authentication and Credential Translation

Transcription

1 Globus Toolkit: Authentication and Credential Translation JET Workshop, April 14, 2004 Frank Siebenlist Copyright (c) 2002 University of Chicago and The University of Southern California. All Rights Reserved. This presentation is licensed for use under the terms of the Globus Toolkit Public License. See for the full text of this license.

2 Outline Globus Alliance & Globus Toolkit The Grid problem Globus Security Infrastructure (GSI) Public Key Credentials + Proxy-Certificates SSL, GSSAPI/GSI and Delegation Kx509: Kerberos => PK Pkinit: PK => Kerberos GridLogon: username/password/otp => PK Futures and Conclusion JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 2

3 The Globus Alliance Making Grid computing a reality Argonne, UC, USC/ISI, EPCC, PDC, NCSA Close collaboration with many scientific and commercial Grid application and infrastructure projects Development and promotion of standard Grid protocols to enable interoperability and shared infrastructure Development and promotion of standard Grid software APIs and SDKs to enable portability and code sharing The Globus Toolkit software: Open source software base for building Grid infrastructure and applications JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 3

4 LHC Data Distribution ~PBytes/sec Online System ~100 MBytes/sec 1 TIPS is approximately 25,000 SpecInt95 equivalents Tier 1 There is a bunch crossing every 25 nsecs. There are 100 triggers per second Each triggered event is ~1 MByte in size France Regional Centre ~622 Mbits/sec or Air Freight (deprecated) Germany Regional Centre Tier 0 Offline Processor Farm ~20 TIPS ~100 MBytes/sec Italy Regional Centre CERN Computer Centre FermiLab ~4 TIPS ~622 Mbits/sec ~622 Mbits/sec Tier 2 Caltech ~1 TIPS Tier2 Centre Tier2 Centre Tier2 Centre Tier2 Centre ~1 TIPS ~1 TIPS ~1 TIPS ~1 TIPS Physics data cache Institute Institute ~0.25TIPS Physicist workstations Institute ~1 MBytes/sec Institute Tier 4 Physicists work on analysis channels. Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 4

5 Multiple Security Domains Compute Facility Data Source Raw Data Bandwidth Svc Input Data Data Src Svc Compute Facility Svc Output Data Requester Scheduling Svc Bandwidth Svc Each Organization is independent Each Organization has its own AuthN mechanisms Each Organization enforces its own access policy User needs to delegate rights to broker which may need to delegate to services Svc X Result Data Post-Processing Facility QoS/QoP Negotiation and multi-level delegation JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 5

6 Grid Security Infrastructure (GSI) Based on standard PKI technologies SSL protocol for authentication, message protection + GSSAPI-mechanism CAs allow one-way, light-weight trust relationships (not just site-to-site) X.509 Certificates for asserting identity for users, services, hosts, etc. Proxy Certificates GSI extension to X.509 certificates for delegation, single sign-on JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 6

7 Grid Security Infrastructure (GSI) Use GSI as a standard mechanism for bridging disparate security mechanisms Doesn t solve trust problem, but now things talk same protocol and understand each other s identity credentials Basic support for delegation, policy distribution Translate from other mechanisms to/from GSI as needed Convert from GSI identity to local identity for authorization JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 7

8 Grid Identity, Local Policy In current model, all Grid entities assigned a PKI identity. User is mapped to local identities to determine local policy.. Grid Identity Map to local name Local Policy Map to local name Local Policy JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 8

9 Use Delegation to Establish Dynamic Distributed System Compute Center Rights Virtual Organization Compute Center JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 9

10 X.509 Proxy Certificates GSI Extension to X.509 Identity Certificates On RFC track Enables single sign-on Allow user to dynamically assign identity and rights to service Can name services created on the fly and give them rights (i.e. set policy) What is effectively happening is the user is creating their own trust domain of services s trust each other with user acting as the trust root JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 10

11 Proxy Certificates Create F1 CN=Jane Doe X.509 Id certificate X.509 Proxy Delegation CN=Jane Doe/9874 Rights: Can access file F1, S1, X.509 Proxy certificate Use delegated rights to access resources. S1 JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 11

12 Goal is to do this with arbitrary mechanisms Compute Center X.509 AC Rights X.509/SSL X.509 AC SAML Attribute Kerberos/ WS-Security Virtual Organization SAML Attribute Compute Center JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 12

13 Kerberos to GSI Gateway To use Kerberos, a Kerberos-to-GSI gateway translates Kerberos credentials to GSI credentials to allow local Kerberos users to authenticate on the Grid. Kx509/KCA is an implementation of one such gateway. Sslk5/pkinit provide the opposite functionality to gateway incoming Grid credentials to local Kerberos credentials. JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 13

14 Local Identity, Grid Identity, Local Policy KCA Map to local name Kerberos Site Grid Identity Local Policy SSLK5 KRB5 Resources JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 14

15 GridLogon: Credential Wallet/Converter GridLogon (MyProxy) allows users to store GSI credentials and retrieve them With username/password or other credential Integration with One-Time-Password (OTP) Systems Can act as a credential translator from username/password to GSI Used by services that can only handle username and pass phrases to authenticate to Grid s limited by client implementations E.g. web portals Also handle credential renewal for long-running tasks JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 15

16 GridLogon: Passphrase-X.509 Federation GSI Realm Username/password Domain GSI Delegation GridLogon Username & pass phrase GSI Delegation Requestor Web Browser request Web Portal/ Server GSI Grid Resource JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 16

17 One Time Passwords and Restricted Delegation GridLogon User OTP Restricted Delegation Grid Identity Restricted Delegation Restricted Delegation Map to local name Local Policy pkinit KRB5 Resources JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 17

18 Authz Callout GSI Implementation SSL/WS-Security with Proxy s (running Certificates on user s behalf) Access Compute Center Rights CAS or VOMS issuing SAML or X.509 ACs Rights VO Users Local Policy on VO identity or attribute authority Virtual Organization Rights GridLogon KCA JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 18

19 Grid Evolution: Open Grid s Architecture Goals Refactor Globus protocol suite to enable common base and expose key capabilities orientation to virtualize resources and unify resources/services/information Embrace key Web services technologies for standard IDL, leverage commercial efforts Result = standard interfaces & behaviors for distributed system management built on Web services Standardization within Global Grid Forum and OASIS Open source & commercial implementations JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 19

20 OGSA Security s Requestor's Domain Provider's Domain Attribute Trust Authorization Authorization Trust Attribute Audit/ Secure-Logging Privacy Privacy Audit/ Secure-Logging Credential Validation Credential Validation Bridge/ Translation Requestor Application WS-Stub Secure Conversation WS-Stub Provider Application Credential Validation Credential Validation Attribute Authorization Authorization Attribute Trust Trust VO Domain JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 20

21 Conclusion The Globus Toolkit is sophisticated, secure middleware De-facto standard for Grid applications Multiple AuthN-mechanism support Plus translation services Secure Delegation of Rights support through use of proxy-certificate Next generation GT based on Web s Standardized in Global Grid Forum & OASIS Globus Toolkit provides a working, evolving implementation for secure Grid protocols Downloaded 100k+ times already ( JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 21