Advances in Middleware Security - a Globus perspective - PowerPoint PPT Presentation

About This Presentation
Slides: 35
Provided by: Oll86
Transcript and Presenter's Notes


1
Advances in Middleware Security - a Globus perspective
2
International Grid Trust Federation
  • PKIs for Grids have now reached world-spanning
    size.
  • http://www.gridpma.org

3
X.509 Delegation and Single Sign-on Standardized
  • RFC 3820 defines format and path validation for
    Proxy Certificates
  • Allows for single sign-on and delegation across
    domains

[Diagram: ECC -> single sign-on -> proxy in Domain A -> delegation -> proxy -> service in Domain B]
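
The RFC 3820 path-validation rules the slide refers to, as an added example (not GSI or Globus code): a small Python model in which certificates are plain records, signature verification is stood in for by a key-id comparison, and the sample chain (Example CA, Alice, the proxies and the MALLORY record) is constructed data. It checks the three rules that distinguish a proxy chain from an ordinary one: only an EEC or another proxy issues a proxy, a proxy's subject is the issuer's subject plus exactly one CN component, and pCPathLenConstraint bounds how many proxies may follow.

```python
"""Model of RFC 3820 proxy-certificate path validation.

Added example, not Globus/GSI code: certificates are plain records rather
than ASN.1, and signature verification is a key-id comparison. The checks are
the RFC 3820 rules for a chain CA -> end-entity certificate (EEC) -> proxy ->
proxy: only an EEC or another proxy issues a proxy, a proxy's subject is the
issuer's subject plus exactly one CN component, and pCPathLenConstraint bounds
how many proxies may follow.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

INHERIT_ALL = "1.3.6.1.5.5.7.21.1"   # id-ppl-inheritAll: proxy carries all of the issuer's rights
INDEPENDENT = "1.3.6.1.5.5.7.21.2"   # id-ppl-independent: proxy inherits no rights


@dataclass(frozen=True)
class Cert:
    subject: Tuple[str, ...]              # RDNs in order, e.g. ("DC=org", "CN=Alice")
    issuer: Tuple[str, ...]
    key_id: str                           # stands in for the public key
    issuer_key_id: str                    # stands in for the signature
    is_ca: bool = False                   # basicConstraints cA
    proxy_policy: Optional[str] = None    # ProxyCertInfo policyLanguage; None = not a proxy
    proxy_pathlen: Optional[int] = None   # pCPathLenConstraint; None = absent (unlimited)

    @property
    def is_proxy(self) -> bool:
        return self.proxy_policy is not None


def _check_issued_by(cert: Cert, issuer: Cert) -> None:
    if cert.issuer != issuer.subject or cert.issuer_key_id != issuer.key_id:
        raise ValueError(f"{cert.subject[-1]} was not issued by {issuer.subject[-1]}")


def validate_proxy_chain(chain: List[Cert], trusted_ca_keys: Set[str]):
    """Validate a chain ordered leaf first, trust anchor last.

    Returns (eec_subject, inherits_rights, remaining_pathlen); remaining_pathlen
    is None when unlimited. Raises ValueError on any violation.
    """
    if not chain:
        raise ValueError("empty chain")
    certs = list(reversed(chain))              # trust anchor first
    if not certs[0].is_ca or certs[0].key_id not in trusted_ca_keys:
        raise ValueError("trust anchor is not a trusted CA")
    i, prev = 1, certs[0]                      # ordinary CA path down to the EEC
    while i < len(certs) and certs[i].is_ca:
        _check_issued_by(certs[i], prev)
        prev, i = certs[i], i + 1
    if i == len(certs):
        raise ValueError("chain contains only CA certificates")
    eec = certs[i]
    _check_issued_by(eec, prev)
    if eec.is_proxy:
        raise ValueError("a CA must not issue a proxy certificate")
    remaining: Optional[int] = None            # proxies still allowed below prev
    inherits, prev = True, eec
    for cert in certs[i + 1:]:
        _check_issued_by(cert, prev)
        if cert.is_ca or not cert.is_proxy:
            raise ValueError(f"{cert.subject[-1]}: everything below the EEC must be a proxy")
        if (len(cert.subject) != len(prev.subject) + 1 or cert.subject[:-1] != prev.subject
                or not cert.subject[-1].startswith("CN=")):
            raise ValueError(f"{cert.subject}: proxy subject must be the issuer subject plus one CN")
        if remaining == 0:
            raise ValueError(f"path length exhausted: {prev.subject[-1]} may not sign further proxies")
        if remaining is not None:
            remaining -= 1
        if cert.proxy_pathlen is not None:
            remaining = cert.proxy_pathlen if remaining is None else min(remaining, cert.proxy_pathlen)
        if cert.proxy_policy == INDEPENDENT:
            inherits = False                   # no rights flow through an independent proxy
        elif cert.proxy_policy != INHERIT_ALL:
            raise ValueError("unrecognised policy language (assumption: only the two RFC 3820 OIDs)")
        prev = cert
    return eec.subject, inherits, remaining


# Constructed sample chain: CA -> Alice's EEC -> proxy (pathlen 1) -> proxy -> proxy.
CA_SUBJECT = ("DC=org", "DC=example", "CN=Example CA")
CA = Cert(CA_SUBJECT, CA_SUBJECT, "ca-key", "ca-key", is_ca=True)
ALICE = Cert(("DC=org", "DC=example", "CN=Alice"), CA_SUBJECT, "alice-key", "ca-key")
PROXY1 = Cert(ALICE.subject + ("CN=12345",), ALICE.subject, "p1-key", "alice-key",
              proxy_policy=INHERIT_ALL, proxy_pathlen=1)
PROXY2 = Cert(PROXY1.subject + ("CN=67890",), PROXY1.subject, "p2-key", "p1-key", proxy_policy=INHERIT_ALL)
PROXY3 = Cert(PROXY2.subject + ("CN=24680",), PROXY2.subject, "p3-key", "p2-key", proxy_policy=INHERIT_ALL)
# Impersonation attempt: signed by Alice's key but naming someone else.
MALLORY = Cert(("DC=org", "DC=example", "CN=Bob", "CN=1"), ALICE.subject, "m-key", "alice-key",
               proxy_policy=INHERIT_ALL)
TRUSTED = {"ca-key"}


def chain_error(chain: List[Cert]) -> Optional[str]:
    """None if the chain validates, otherwise the reason it was rejected."""
    try:
        validate_proxy_chain(chain, TRUSTED)
        return None
    except ValueError as exc:
        return str(exc)
```

validate_proxy_chain([PROXY2, PROXY1, ALICE, CA], TRUSTED) returns Alice's subject with zero proxies left to sign; adding PROXY3 is rejected because PROXY1's pCPathLenConstraint of 1 is exhausted, and the MALLORY record is rejected because its subject does not extend Alice's name even though Alice's key signed it. A real implementation also checks validity periods, revocation and the RFC 3280 rules, which this model leaves out.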
4
Web Services Security Standards are slowly evolving (Jan 04)
[Diagram: stack of WS-* specifications on a SOAP Foundation: WS-Security; above it WS-Policy, WS-Trust, WS-Privacy; above those WS-Secure Conversation, WS-Federation, WS-Authorization. Legend: In progress / proposed / promised]
5
Web Services Security Standards are slowly evolving (today)
[Diagram: the same stack, now with SAML and XACML added alongside the WS-* specifications. Legend: Evolving / In progress / proposed / promised]
6
Pluggable Authorization
Strong success in developing and deploying interfaces for pluggable authorization, designed in collaboration (through GGF or in back-room discussions).
[Images: from Micha Bayer; from OSG; National Fusion Collaboratory, image from M. Thompson]
7
Operational experiences
  • Security is the #1 support errand
    • Incorrect configuration
    • Multiple CAs to install
    • Multiple software layers and distributed systems
      make error reporting difficult
  • CRL handling is awkward
    • Periodic CRL pulls cause high peak loads
    • Failed updates cause stalled systems
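
The two CRL problems on the slide (synchronised pulls producing a peak, and a failed update stalling a system) illustrated with an added Python example that is not GSI code: a cache that schedules refreshes with jitter, keeps the last good CRL when a fetch fails, and refuses to answer once that CRL has passed its nextUpdate. The fetcher, the 24-hour sample CRL, the 0.5/0.3 refresh fractions and the 300-second retry interval are all constructed assumptions, not Globus defaults.

```python
"""Jittered CRL refresh that keeps serving the last good CRL and fails closed.

Added example, not GSI code: models the two problems the slide names, a
synchronised refresh peak and a failed update that stalls a system. The
fetcher is a constructed stand-in for an HTTP download; the retry interval
and refresh fractions are assumed policy values, not Globus defaults.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

RETRY_AFTER = 300.0          # seconds to wait after a failed fetch (assumed)


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: float       # epoch seconds
    next_update: float
    revoked: FrozenSet[int]  # serial numbers


class CrlStale(Exception):
    """No CRL inside its validity window is available: fail closed."""


class CrlCache:
    def __init__(self, fetch: Callable[[], Crl], rng: random.Random,
                 early: float = 0.5, jitter: float = 0.3):
        # Refresh is due after `early` of the validity window plus a random
        # share of up to `jitter` of it, so a fleet does not pull in lockstep.
        self._fetch, self._rng, self._early, self._jitter = fetch, rng, early, jitter
        self.crl: Optional[Crl] = None
        self.due = 0.0           # refresh immediately on first use
        self.failures = 0

    def refresh(self, now: float) -> bool:
        """Fetch a CRL; on failure keep the old one and retry later."""
        try:
            fresh = self._fetch()
        except Exception:        # network/parse failure: do not discard the old CRL
            self.failures += 1
            self.due = now + RETRY_AFTER
            return False
        if self.crl is None or fresh.this_update >= self.crl.this_update:
            self.crl = fresh     # never roll back to an older CRL
        self.failures = 0
        window = self.crl.next_update - self.crl.this_update
        planned = self.crl.this_update + window * (self._early + self._rng.random() * self._jitter)
        self.due = max(planned, now + RETRY_AFTER)
        return True

    def is_revoked(self, serial: int, now: float) -> bool:
        if now >= self.due:
            self.refresh(now)
        if self.crl is None or now > self.crl.next_update:
            raise CrlStale("no CRL within its validity window")
        return serial in self.crl.revoked


# Constructed sample: a 24-hour CRL that revokes serial 1001.
SAMPLE_CRL = Crl("CN=Example CA", this_update=0.0, next_update=86400.0, revoked=frozenset({1001}))


def refresh_times(n_clients: int, jitter: float, seed: int = 1) -> List[float]:
    """First scheduled refresh of n clients that all loaded SAMPLE_CRL at this_update."""
    times = []
    for i in range(n_clients):
        cache = CrlCache(lambda: SAMPLE_CRL, random.Random(seed + i), jitter=jitter)
        cache.refresh(SAMPLE_CRL.this_update)
        times.append(cache.due)
    return times


def failed_update_scenario() -> Dict[str, object]:
    """One client whose CRL server goes away after the first download."""
    calls = {"n": 0}

    def flaky_fetch() -> Crl:
        calls["n"] += 1
        if calls["n"] == 1:
            return SAMPLE_CRL
        raise IOError("CRL distribution point unreachable")   # constructed failure

    cache = CrlCache(flaky_fetch, random.Random(0))
    out: Dict[str, object] = {}
    out["revoked_at_t10"] = cache.is_revoked(1001, now=10.0)
    out["ok_at_t10"] = cache.is_revoked(2002, now=10.0)
    # A refresh is due before 80000 s; it fails, but the old CRL is still valid.
    out["revoked_after_failed_refresh"] = cache.is_revoked(1001, now=80000.0)
    out["failures"] = cache.failures
    try:                          # past nextUpdate with no replacement: refuse to answer
        cache.is_revoked(2002, now=90000.0)
        out["stale_raised"] = False
    except CrlStale:
        out["stale_raised"] = True
    return out
```

refresh_times(50, jitter=0.0) gives every client the same refresh instant, which is the peak the slide describes; jitter=0.3 spreads them over 30% of the validity window. Failing closed after nextUpdate is a policy choice: it trades availability for never accepting a certificate on revocation data that is known to be stale, which is exactly the "stalled system" symptom, but a visible and bounded one.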

8
Users, Trojans, and Attacks
  • 15 months ago: SSH attacks
    • Password- and key-sniffing software on users'
      home PCs
    • By stealing user keys at one site, they got
      immediate access to other sites as well
    • Attack targeted ~/.ssh/
    • Weak or no password protection
    • Many people keep their grid keys in ~/.globus/
  • We learned a lot from this
    • Incident response
    • Incident reporting across organizations
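
A check a responder would run after the incident described above, as an added example (not part of the talk): it walks ~/.ssh and ~/.globus for private keys stored without a passphrase or readable by other users. The home directory it audits is constructed in a temporary directory with placeholder key bodies rather than real keys; the OpenSSH new-format check reads the real 'openssh-key-v1' header layout, where a cipher name of "none" means the key is stored in the clear.

```python
"""Find unprotected private keys in ~/.ssh and ~/.globus.

Added example, not from the talk or Globus: builds a throwaway home directory
(the key bodies are constructed placeholders, not real keys) and reports what
a responder would look for after the attack the slide describes: private keys
stored without a passphrase and key files or directories readable by others.
"""
import base64
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

KEY_DIRS = (".ssh", ".globus")
OPENSSH_MAGIC = b"openssh-key-v1\x00"
OTHERS = stat.S_IRWXG | stat.S_IRWXO          # any group/other permission bit


def _openssh_cipher(pem_body: str) -> str:
    """Cipher name recorded in an OpenSSH 'openssh-key-v1' blob ('none' = unencrypted)."""
    raw = base64.b64decode(pem_body)
    if not raw.startswith(OPENSSH_MAGIC):
        return "unknown"
    off = len(OPENSSH_MAGIC)
    n = int.from_bytes(raw[off:off + 4], "big")
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def classify(text: str) -> str:
    """'not-a-key', 'encrypted' or 'unencrypted' for PEM-style key files."""
    if "PRIVATE KEY-----" not in text:
        return "not-a-key"
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = "".join(l for l in text.splitlines() if l and not l.startswith("-----"))
        return "unencrypted" if _openssh_cipher(body) == "none" else "encrypted"
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:     # PKCS#8, encrypted
        return "encrypted"
    # Traditional PEM (RSA/DSA/EC) is encrypted only if it carries the Proc-Type header.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"


def audit_home(home: Path) -> List[Tuple[str, str]]:
    """Return sorted (relative path, finding) pairs."""
    findings = []
    for d in KEY_DIRS:
        dirpath = home / d
        if not dirpath.is_dir():
            continue
        if dirpath.stat().st_mode & OTHERS:
            findings.append((d, f"directory accessible by others (mode {oct(dirpath.stat().st_mode)[-3:]})"))
        for f in dirpath.iterdir():
            if not f.is_file():
                continue
            kind = classify(f.read_text(errors="replace"))
            if kind == "not-a-key":
                continue
            rel = f"{d}/{f.name}"
            if kind == "unencrypted":
                findings.append((rel, "private key without passphrase"))
            if f.stat().st_mode & OTHERS:
                findings.append((rel, f"key readable by others (mode {oct(f.stat().st_mode)[-3:]})"))
    return sorted(findings)


def build_sample_home() -> Path:
    """Constructed home directory with one good key and two bad ones."""
    home = Path(tempfile.mkdtemp(prefix="audit-"))
    ssh, globus = home / ".ssh", home / ".globus"
    ssh.mkdir()
    globus.mkdir()
    filler = base64.b64encode(b"\x00" * 48).decode()      # placeholder, not key material
    # Good: traditional PEM with a passphrase.
    (ssh / "id_rsa").write_text("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                                f"{filler}\n-----END RSA PRIVATE KEY-----\n")
    # Bad: OpenSSH new format whose header says cipher "none".
    blob = OPENSSH_MAGIC + len(b"none").to_bytes(4, "big") + b"none" + b"\x00" * 16
    (ssh / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                                    f"{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n")
    # Bad: grid key with no passphrase, in a world-readable file and directory.
    (globus / "userkey.pem").write_text(f"-----BEGIN RSA PRIVATE KEY-----\n{filler}\n-----END RSA PRIVATE KEY-----\n")
    (globus / "usercert.pem").write_text(f"-----BEGIN CERTIFICATE-----\n{filler}\n-----END CERTIFICATE-----\n")
    for p, mode in ((ssh, 0o700), (globus, 0o755), (ssh / "id_rsa", 0o600), (ssh / "id_ed25519", 0o600),
                    (globus / "userkey.pem", 0o644), (globus / "usercert.pem", 0o644)):
        os.chmod(p, mode)
    return home
```

audit_home(build_sample_home()) flags the passphrase-less userkey.pem twice (no passphrase, mode 644), the OpenSSH key with cipher "none", and the open .globus directory, and says nothing about the encrypted id_rsa. Run against real home directories it is a quick way to find the keys an attacker with a sniffer on the user's PC would have copied and used elsewhere without any further effort.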

9
This Grid stuff is all too much for me
  • The power of portals
    • Low learning curve
    • Can be made domain-specific
    • Can hide all the X.509 stuff from the user
  • Toolkits for Grid Portals
    • PURSE, OGCE, GAMA, GridSphere, GridSite, etc.
  • But we must also understand the limitations of
    portals
    • An 80/20 solution
    • Power users easily get annoyed
    • Difficult for tinkering-centric research

10
Grid Portal Gateways
  • The portal is accessed through a browser or desktop
    tools
    • Provides Grid authentication and access to
      services
    • Provides direct access to TeraGrid-hosted
      applications as services
  • The required support services
    • Searchable metadata catalogs
    • Information space management
    • Workflow managers
    • Resource brokers
    • Application deployment services
    • Authorization services
  • Builds on NSF/DOE software
    • Uses the NMI Portal Framework, GridPort
    • NMI Grid tools: Condor, Globus, etc.
    • OSG/HEP tools: Clarens, MonaLisa

Slide credit: Nancy Wilkins-Diehr
11
MyProxy and LTER Grid
[Diagram: the LTER Portal passes the user's LDAP username and password to a MyProxy server, which checks them through PAM against the LTER LDAP and returns a proxy credential; the portal then uses the proxy to reach Grid services (e.g. job submission) and GridFTP]
12
Kerberos-CA Site Authentication Integration
  • KCA/Kx509 deployment at FNAL has shown X.509
    integration with site authentication works well
  • Alternative to traditional user-managed credentials

[Diagram: Kerberos logon -> Kerberos credentials -> KCA -> X.509 certificate]
13
MyProxy 3.0
14
GridShib (Simplified)
[Diagram: a Shibboleth IdP supplies attributes as SAML assertions; the Grid service, having authenticated the caller's DN over SSL/TLS or WS-Security, makes an attribute call-out that maps between the DN and Grid IDs and returns the attributes]
15
GridShib current status
  • Beta release since early Sept 2005
  • Information Provider plugin to Shib 1.3b
  • Authorization callout to GT4.0.1
  • Attributes-only for now

16
GridShib and MyProxy Integration
[Diagram: the same components as slide 14 (Shibboleth IdP, SAML attributes, attribute call-out, DN and Grid IDs, SSL/TLS or WS-Security)]
17
It's not SAML vs PKI
  • Legacy deployments
  • SAML: web browser authentication today
    • Very short-lived bearer credentials
    • Lots of redirection in the protocol; assumes a web
      browser
  • SAML seems to be a good source of attributes
    • Used for the GGF OGSA-Authz Authorization Interface

18
GT4's Use of Security Standards
[Table; the column headings did not survive extraction. Cells: "Supported, but slow"; "Supported, but insecure"; "Fastest, so default"]
19
GT-XACML Integration
  • eXtensible Access Control Markup Language
    • OASIS standard, open source implementations
    • XACML is a sophisticated policy language
  • Globus Toolkit ships with an XACML runtime
    • Included in every client and server built on GT
    • Turned on through configuration
    • Can be called transparently from the runtime
      and/or explicitly from the application
  • We use the XACML model for our Authz
    Processing Framework

20
GT Authorization Framework
21
GT Authorization Framework
[Diagram: PIPs for PERMIS, VOMS, Shibboleth and LDAP gather attributes about the GT4 client; a PDP turns them into an authorization decision enforced at the GT4 server]
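
An added Python model (not Globus Toolkit code) of the chain on slides 14 and 19-21: PIPs gather attributes about the DN that transport- or message-level security authenticated, here constructed stand-ins for a VOMS lookup, a Shibboleth/SAML attribute call-out and an LDAP group lookup, and an XACML-style PDP evaluates rules (target, condition, effect) with deny-overrides combining and default deny. All DNs, attribute names, values and rules are invented sample data.

```python
"""Attribute collection (PIPs) feeding a policy decision point (PDP).

Added example, not Globus Toolkit code: a model of the authorization chain
the slides describe. The caller's DN is what transport- or message-level
security authenticated; three constructed PIPs stand in for a VOMS lookup, a
Shibboleth/SAML attribute call-out keyed by DN, and an LDAP group lookup; the
PDP evaluates XACML-style rules with deny-overrides combining. Names and
attribute values are invented sample data.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Set, Tuple

Attributes = Dict[str, Set[str]]       # attribute id -> bag of values, as in XACML


@dataclass
class Request:
    subject_dn: str
    resource: str
    action: str
    attrs: Attributes = field(default_factory=dict)


class PIP:
    """Policy information point: adds attributes about the subject to the request."""
    def __init__(self, name: str, lookup: Callable[[str], Attributes]):
        self.name, self._lookup = name, lookup

    def collect(self, req: Request) -> None:
        for attr, values in self._lookup(req.subject_dn).items():
            req.attrs.setdefault(attr, set()).update(values)


@dataclass
class Rule:
    name: str
    effect: str                               # "Permit" or "Deny"
    resource: str                             # glob pattern, e.g. "gram:*"
    action: str
    condition: Callable[[Attributes], bool]

    def applies(self, req: Request) -> bool:
        return (fnmatchcase(req.resource, self.resource)
                and fnmatchcase(req.action, self.action)
                and self.condition(req.attrs))


class PDP:
    """Deny-overrides: any applicable Deny wins; else any Permit; else NotApplicable."""
    def __init__(self, pips: List[PIP], rules: List[Rule]):
        self.pips, self.rules = pips, rules

    def decide(self, req: Request) -> Tuple[str, List[str]]:
        for pip in self.pips:                 # every PIP runs before any rule is evaluated
            pip.collect(req)
        matched = [r for r in self.rules if r.applies(req)]
        names = [r.name for r in matched]
        if any(r.effect == "Deny" for r in matched):
            return "Deny", names
        if any(r.effect == "Permit" for r in matched):
            return "Permit", names
        return "NotApplicable", names          # the enforcement point treats this as deny


def has(attr: str, value: str) -> Callable[[Attributes], bool]:
    return lambda a: value in a.get(attr, set())


# Constructed sample data standing in for VOMS, Shibboleth and LDAP sources.
ALICE = "/DC=org/DC=example/CN=Alice"
BOB = "/DC=org/DC=example/CN=Bob"
VOMS = {ALICE: {"vo": {"atlas"}, "fqan": {"/atlas/Role=production"}},
        BOB: {"vo": {"atlas"}}}
SHIB = {ALICE: {"eduPersonAffiliation": {"staff"}},
        BOB: {"eduPersonAffiliation": {"student"}}}
LDAP = {ALICE: {"group": {"physics"}},
        BOB: {"group": {"physics", "suspended"}}}

PIPS = [PIP("voms", lambda dn: VOMS.get(dn, {})),
        PIP("shibboleth", lambda dn: SHIB.get(dn, {})),
        PIP("ldap", lambda dn: LDAP.get(dn, {}))]

RULES = [
    Rule("suspended-accounts", "Deny", "*", "*", has("group", "suspended")),
    Rule("atlas-staff-submit", "Permit", "gram:*", "submit",
         lambda a: has("vo", "atlas")(a) and has("eduPersonAffiliation", "staff")(a)),
    Rule("physics-read", "Permit", "gridftp:*", "read", has("group", "physics")),
]

pdp = PDP(PIPS, RULES)


def authorize(dn: str, resource: str, action: str) -> str:
    """Decision for one call, as the enforcement point at the GT4 server would ask for it."""
    return pdp.decide(Request(dn, resource, action))[0]
```

Alice, who is in the atlas VO (VOMS), staff (Shibboleth) and the physics group (LDAP), may submit to GRAM and read from GridFTP; Bob is in the same VO and group but his LDAP "suspended" flag matches the Deny rule, which overrides the physics-read Permit. A caller no PIP knows about gets NotApplicable, which the enforcement point must treat as deny, so a misconfigured or unreachable PIP fails safe rather than open.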
22
GT4 WS GRAM
  • 2nd-generation WS implementation optimized for
    performance, flexibility, stability, scalability
  • Streamlined critical path
    • Use only what you need
  • Leverage sudo for critical code
  • Flexible credential management
    • Credential cache and delegation service
  • GridFTP and RFT used for data operations
    • Data staging, streaming output
    • Eliminates redundant GASS code

23
GT4 WS GRAM Architecture
[Diagram: the client delegates a credential to the Delegation service in the GT4 Java container on the service host; the GRAM services, through sudo and a GRAM adapter, perform local job control via the local scheduler on the compute element, where the user job runs; a Scheduler Event Generator (SEG) reports job events back to the container; RFT file transfer issues GridFTP transfer requests (FTP control and data channels) between the compute element and remote storage elements]
24
More user requirements
  • Installation of special software
    • and updates thereof
  • Prestaging of datasets
    • and updates thereof
  • Operating additional services
    • and debugging when they fall over
  • There is a need for VO services

25
VO services need to be managed
  • Ensure they don't consume more resources than
    allocated
  • Provide persistence and management functions
    (start, stop, suspend, resume)
  • Adhere to site security, auditing, and accounting
    policies
  • All that could be done by site admins, but it
    would be preferable to have infrastructure
    services take care of it

26
Example: current gLite CE
[Diagram: infrastructure services (CEMon notifications, Condor-C, Blahpd) at the CE, alongside VO services operated by a VO admin from the Grid; the CE should evolve into a VO scheduler in front of the local batch system (LSF, PBS/Torque, Condor)]
27
Workspace Service: The Hosted Activity
[Diagram: a client, subject to policy, negotiates access with a resource provider and then initiates, monitors and controls an activity hosted in an environment behind the provider's interface]
28
Activities Can Be Nested
[Diagram: the same client / policy / environment / resource provider / interface structure repeated inside a hosted activity, so that a client of one activity is itself the resource provider of the next]
29
For Example
Provisioning, management, and monitoring at all
levels
30
The Future
  • We now have a solid and extremely powerful Web
    services base
  • Next, we will build an expanded open source Grid
    infrastructure
  • Virtualization
  • New services for provisioning, data management,
    security, VO management
  • End-user tools for application development
  • Etc., etc.
  • And of course responding to user requests for
    other short-term needs

31
Short-Term Priorities Security
  • Improve GSI error reporting diagnostics
  • Trust root provisioning, GridLogon/MyProxy
  • Identity/attribute assertions in GT auth.
    callouts (e.g., Shib, PERMIS, VOMS, SAML)
  • Extend CAS admin policy support
  • Security logging with management control for
    audit purposes
  • MyProxy integration with Shibboleth

32
Integration of all the pieces
We're close
33
And for Portals too
34
Thank you
  • Questions?
  • Von Welch (vwelch@ncsa.uiuc.edu)