1 / 26

XSEDE Authentication Infrastructure

XSEDE Authentication Infrastructure. Derek Simmel <dsimmel@psc.edu> Pittsburgh Supercomputing Center. XSEDE Authentication Infrastructure. Topics Introduction to XSEDE XSEDE Authentication Objectives XSEDE Authentication Services Authentication via External Services

hilde
Download Presentation

XSEDE Authentication Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. XSEDE Authentication Infrastructure Derek Simmel <dsimmel@psc.edu>Pittsburgh Supercomputing Center

  2. XSEDE Authentication Infrastructure • Topics • Introduction to XSEDE • XSEDE Authentication Objectives • XSEDE Authentication Services • Authentication via External Services • Summary & Future Directions

  3. What is XSEDE? XSEDE (Extreme Science and Engineering Discovery Environment) is a large e-Science cyberinfrastructure project funded by the U.S. National Science Foundation (NSF). XSEDE includes HPC resources and services provided by Georgia Tech U., Indiana U., NCAR, NCSA, NICS, PSC, Purdue U., SDSC, and TACC. Other partners include U. of Chicago, U. of Virginia and Juelich Supercomputing Centre (Germany)

  4. XSEDE Network

  5. XSEDE Authentication Objectives • Reduce the burden of managing user credentials • Reduce the number of things users have to manage and secure • Provide an easy way to obtain short-term credentials • Single Sign-On • Users should be able to authenticate to XSEDE resources at different sites using a single credential

  6. XSEDE Authentication Services • XSEDE Kerberos Realm (TERAGRID.ORG) • X.509 Certificate Authorities (CAs) • XSEDE MyProxy CA • International Grid Trust Federation (IGTF)-accredited CAs • OAuth service for External Services

  7. XSEDE Projects, Allocations and Users • Principal Investigators (PIs) apply for grants of CPU time and storage on XSEDE HPC resources via the XSEDE allocations process • Grant applications are peer-reviewed • PIs of projects awarded designate users permitted to use their grant allocation • New users are added to the XSEDE Central Database • Each new user gets a unique XSEDE username (Kerberos principal) and a unique X.509 certificate subject (DN) for certificates to be issued by the XSEDE MyProxy CA

  8. XSEDE User Portal Login

  9. XSEDE User Portal Login Process User logs into the XSEDE User Portal (XUP) using their XSEDE (Kerberos) username and password The XUP automatically retrieves an X.509 credential from the XSEDE MyProxy CA for the user to authenticate to GSI-enabled portal services Users use the same XSEDE username and password to authenticate to the XSEDE MyProxy CA directly from XSEDE HPC system login nodes or their local workstation to retrieve certificates used with Grid services (GSI-OpenSSH, globus-url-copy, UNICORE,…)

  10. XSEDE User Portal - Allocations

  11. XSEDE User Portal - Resources

  12. XSEDE Command-line authentication

  13. XSEDE-accepted Certificate Authorities /C=IT/O=INFN/CN=INFN CA /C=JP/O=KEK/OU=CRC/CN=KEK GRID Certificate Authority /C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2A /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root /C=US/O=DigiCert Grid/OU=www.digicert.com/CN=DigiCert Grid Trust CA /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=CACL /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=MyProxy /C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=Two Factor CA /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Hosts CA /C=US/O=Pittsburgh Supercomputing Center/CN=PSC MyProxy CA /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Root CA /C=US/O=SDSC/OU=SDSC-CA/CN=Certificate Authority/UID=certman /CN=Purdue TeraGrid RA/OU=Purdue TeraGrid/O=Purdue University/ST=Indiana/C=US /CN=PurdueCA/O=Purdue University/ST=Indiana/C=US /DC=EDU/DC=TENNESSEE/DC=NICS/O=National Institute for Computational Sciences/CN=MyProxy /DC=EDU/DC=UTEXAS/DC=TACC/O=UT-AUSTIN/CN=TACC Classic CA /DC=EDU/DC=UTEXAS/DC=TACC/O=UT-AUSTIN/CN=TACC MICS CA /DC=EDU/DC=UTEXAS/DC=TACC/O=UT-AUSTIN/CN=TACC Root CA /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1 /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid Root CA /DC=es/DC=irisgrid/CN=IRISGridCA /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1 /DC=net/DC=ES/OU=Certificate Authorities/CN=NERSC Online CA /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Silver CA 1

  14. Authentication via External Services • Example: Globus Online File Transfer • www.globusonline.org, www.globusonline.eu • Globus Online is a popular file transfer service used by many XSEDE and other users • To transfer data to/from XSEDE sites, users must authenticate using their XSEDE credentials • We need a way to supply credentials to the external service (Globus Online) without revealing the user’s private authentication information • OAuth

  15. Endpoint Selection: xsede#pscdata

  16. Redirect to XSEDE Portal MyProxy OAuth

  17. Authentication at XSEDE User Portal

  18. OAuth provides user credential to GO

  19. Endpoint Selection: psc#dsc-cilogon

  20. Redirect to CILogon Service

  21. Authentication at User’s Identity Provider

  22. OAuth provides user credential to GO

  23. Authentication via External Services External services like Globus Online are valuable to users but require secure methods to obtain and manage user credentials XSEDE requires Globus Online to obtain user credentials via MyProxy OAuth service on the XSEDE User Portal This method also works with other authentication services like CILogon

  24. XSEDE Authentication Infrastructure • Summary • XSEDE uses a combination of Kerberos and X.509 certificate services to provide Single Sign-On authentication across XSEDE Grid Services, HPC Service Providers and external services • XSEDE accepts X.509 certificates issued by IGTF-accredited Certificate Authorities • OAuth enables external services to obtain user authentication credentials in cooperation with users’ organizations & local identity providers

  25. XSEDE Authentication Infrastructure • Future Directions • Reducing the number of Certificate Authorities operated by XSEDE Service Providers • Operating your own CA is now more expensive than buying CA services from an external/commercial CA • One-Time Password technologies and services to replace reusable passwords • Reusable passwords continue to be the most common security risk due to theft and fast, automated cracking • Extending Trust to users’ local Identity Providers

  26. XSEDE Authentication Infrastructure • For additional information, see: • XSEDE • http://www.xsede.org • Kerberos • http://web.mit.edu/kerberos/, http://www.h5l.org • MyProxy credential management service • http://grid.ncsa.illinois.edu/myproxy/ • International Grid Trust Federation • http://www.igtf.net • OAuth community site • http://oauth.net

More Related