Single Sign-on to the Grid


Presentation Transcript

  1. Single Sign-on to the Grid
     Federated Access and Integrated Identity Management

  2. The Problem
     • Scope: CCLRC
     • But extending
     • CCLRC facilities
       • DLS, ISIS, CLF, SRD
     • Access to Grid
       • NGS, SCARF
     • The SRBs
     • Atlas Tapestore

  3. What’s in SSO?
     • Identity and User Management
     • Credential conversions
       • Certificates, AD/K5
     • Protection of credentials
       • Thin clients vs thick clients
     • Passwords and passphrases
       • Single password to all resources

  4. Authentication – web based
     • If on-site, use federal id
     • If off-site, use certificate
       • if loaded into browser
     • Otherwise username/password
       • Same as fed username/password
       • Not allowed to store password…
       • System must know these are the same

  5. Web (HTTPS) based SSO
     • Easier to implement servers
       • Apache can do Everything™
     • Not trivial to integrate with existing Java portals
       • Apache vs Tomcat, StringBeans, uPortal, CHEF, SAKAI,…
     • Lots of HTTP tools that understand security
     • Future proof, when UK goes to Shibboleth

  6. Client Side – from outside CCLRC (old slide)
     Diagram: Portal → The Grid; components shown: Certificate, SRB, VOMS

  7. Client Side – from within CCLRC (old slide)
     Diagram: Portal → The Grid; components shown: SRB, Microsoft Active Directory, MyProxy, VOMS

  8. SRB provides SSO
     • But not with everybody else’s…
     • Scommands can be used with GSI and with username/password
     • inQ doesn’t understand certificates
     Diagram: SRB ↔ The Grid; SRB ↔ The Beam

  9. Proposed DIAMOND Infrastructure (slide borrowed from P Berrisford)
     Diagram: Detector … → ADSC (×3) → RAID 2TB (×3) → SRB space 20TB → SRB Vault 20TB (×4) … → 160TB SRB Vault (ADS Resource)

  10. Proposed DIAMOND Phase 1 Test Infrastructure (slide borrowed from P Berrisford)
      Diagram: ‘20 TB’ Vault; MCAT Database; SRB Storage Server (Data Management Group); DIAMOND SRB MCAT Server; SRB ADS cache, SRB ADS Server, SRB ADS tape resource (Data Storage Group)

  11. What’s in a name
      • Federal id – jj47@fed.cclrc.ac.uk
      • DN – /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens g jensen
      • SRB username, fed id or based on CN
      • Tapestore username – arbitrary: jj47
        • or based on VO (via SRM or SRB)

  12. Status – User Office
      • Set up identities
      • Maintain identities
      • Registration Authority for CA
      • Needs user office friendly tools
      • Challenge: ensure user offices are consistent
        • Namespaces, identities

  13. Status – Users
      • Need certificates for Grid work
      • Once every year, obtain/renew cert
        • Usability of CA improved with upgrade
        • Will resurrect applets
      • Once every week, renew proxy
        • Upload tool in Java, another in python
      • Once every day
        • Log in to Windows (or Linux kinit)

  14. Status – software
      • Prototype portal (python)
      • Thin clients (web browser)
        • Fetches proxy from myproxy
        • AD/K5 works with IE and certain Linux browsers
      • Components for thick clients
        • Fetches proxy locally from MyProxy

  15. Authorisation – VO mgmt
      • Agree roles (between facilities)
      • Need for tools
        • Track project proposal
      • Infrastructure
        • LDAP/GridMap
        • VOMS
        • (future things)

  16. User Information
      Diagram: facilities (DLS, SRS, ISIS, SSTD, CLF, …) and Grid (e.g. NGS, SCARF, Datastore) feeding the CDR User Database

  17. Authorisation
      Diagram: Gridmap file, LDAP, Microsoft Active Directory, MyProxy?, VOMS, CDR
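Added example (not code from the presentation or from CCLRC): the DN-to-local-username step that the "What's in a name" and "Authorisation" slides describe, as a parser for a Globus-style grid-mapfile plus a fallback that derives an SRB username from the certificate CN. The sample mapfile, the TRUSTED_PREFIX value and the lowercase/dotted naming convention are assumptions for illustration; the fallback is restricted to DNs under the assumed organisational prefix so that a certificate from an unrelated CA cannot be mapped to a local account merely by choosing a CN.

```python
import re
from typing import Dict, List, Optional

# Constructed sample grid-mapfile (Globus format: quoted DN, then one or
# more comma-separated local usernames). The DN form and "jj47" follow the
# "What's in a name" slide; the second entry is invented for illustration.
SAMPLE_GRIDMAP = """
# comment lines and blank lines are ignored
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens g jensen" jj47
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=some user" su12,srbuser
"""

# Assumed: only DNs under the CCLRC organisational prefix may be mapped
# from their CN when no explicit gridmap entry exists.
TRUSTED_PREFIX = "/C=UK/O=eScience/OU=CLRC/"
_ENTRY = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<users>\S+)$')

def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Map each DN to the local usernames it is authorised to act as."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            # Refuse a malformed line rather than silently skipping it, so a
            # bad edit cannot quietly drop or alter an authorisation.
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        mapping[m.group("dn")] = m.group("users").split(",")
    return mapping

def cn_of(dn: str) -> Optional[str]:
    """Return the CN component of a slash-separated DN, or None."""
    for rdn in dn.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    return None

def srb_username(dn: str, gridmap: Dict[str, List[str]]) -> Optional[str]:
    """Resolve the local SRB username for a DN; None means deny.
    An explicit gridmap entry wins; otherwise the CN is used only for DNs
    under TRUSTED_PREFIX (assumed convention: lowercase, spaces -> '.')."""
    users = gridmap.get(dn)
    if users:
        return users[0]
    cn = cn_of(dn)
    if cn is None or not dn.startswith(TRUSTED_PREFIX):
        return None
    return cn.lower().replace(" ", ".")
```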

  18. Combining Grid Authorisation
      Diagram: Grid AUZ drawing on three LDAP directories: CCLRC, NGS, LCG

  19. Keeping identities
      Diagram: First attempt; Second attempt

  20. The Who
      • CCLRC e-Science/GOSC
        • D Byard, M Viljoen (code)
      • CCLRC e-Science Data Management
        • SRB work
      • CCLRC e-Science Atlas Tapestore
      • CCLRC BITD
        • Database
      • Facilities – Diamond, ISIS, CLF, SRD

  21. Future work
      • VOMS
      • Extending collaboration
        • Related Shib work with Oxford
      • Grid access for non-certificate users
        • DLS & IB very interested (+BDWorld?)
      • Ponder credential conversions
        • And protection

  22. Summary
      • Prototype SSO access to Grid
        • Existing implementations, added glue
      • Loads of other minor things that need doing
      • Integrating with other SSO efforts
      • Facilities’ user offices maintain ids
      • More authorisation work req’d