- Number of slides: 28
Single Sign-on at RAL (and DLS too)
• Authentication and
• Integrated Identity Management
hepsysman Cambridge, 23 Oct 2006
Jens G Jensen, CCLRC e-Science
Contents (approximately)
• Goals
• Current status
  – Site authentication
  – Grid authentication
  – Authorisation
• Terminal access
The Problem
• Integrated Access (Authentication)
• Identity management
• Implemented locally…
• …integrate with future national efforts…
• …and international
What is SSO?
• Central password management
  – Don’t reuse the same password
  – Stored securely in one location
• Central account management
  – ISIS, DLS, CLF – 14500 users
  – Keep up to date
  – User office can add new ones
What is SSO?
• Use account with all resources
  – cf. Grid – certificate used with all grids (well, sort of)
  – Shibboleth, with web resources
  – Generally requires consistent attribute management (resp. VOM(S), AAs)
Authentication – web based
• If on-site, use federal id (Active Directory/Kerberos)
• If off-site, use certificate – if loaded into browser
• Otherwise username/password
  – Same as fed username/password
  – Not allowed to store password…
• System must know these are the same
Account Management
• DLS: Vintela for account management
  – Commercial
  – Accounts and password managed across Windows & Linux
  – PAM module for Linux
  – Allows users to reset passwords &c
Site Authentication
• Microsoft Active Directory (2000/2003)
  – Compatible with Kerberos 5
    • As long as server is MS
  – Publishing data
    • “Corporate Data Repository”
    • RFC 2307
Grids
• GridPP
  – More complex middleware stack
  – Plain ol’ ssh login
  – Uses VOMS for authorisation
• NGS & SCARF
  – Basic Globus 2.4 toolkit (VDT dist)
  – gsissh login (more later)
  – Basic (Unix group) or no VO mgmt
“Data Grids”
• i.e., SRB (new one will be different?)
  – Can use X.509 or username/password
  – Password stored in file in ~
  – Not integrated:
    • inQ uses username/password only
    • X.509 must be compiled in
  – Integrate with everything else?
    • Separate db column for SRB ids?
Shibboleth
• Site password to common web resources
• Web-resources
  – Depends on http proto (eg redirects)
• SWITCH in EGEE
  – Work on Shibifying middleware, starting with gatekeeper
• Shib 2 will be less web-specific
Shibboleth deployment
• SDSS
  – JISC funded, under core middleware programme
  – Early deployment of UK Federation
• UK Federation will encompass all HEI and FEI
  – SDSS will become UK Federation
Shibboleth Deployment
• CCLRC has IdP in SDSS
  – Doesn’t cover all site, only ShibGrid project
  – ShibGrid? Shibboleth access to Grid
    • Collab ‘tween Oxford & CCLRC
• IdP?
  – SSO (password) and AA (attributes)
Shibboleth Deployment
• Shibboleth Service Provider:
  – Portals (for NGS) to access Grid
    • “ShibGrid” project
  – MyProxy
    • Used for credential conversion
Java SSH Term
• Written in Java (no, really)
  – Standalone – untar and run
  – Applet
• xterm
  – Understands (most) ANSI control seqs
Java SSH Term
• Took open source terminal (in sf.net)
• And GSISSH plugin contrib’d from Canada
• Authenticate:
  – With site AD/K5 magic biscuit (see later)
  – Via MyProxy (username/password)
  – Via certificate (private key passphrase)
Java SSH Term
• Picks up magic AD/K5 biscuit
  – Integrated with site Active Directory
  – Callout, no naughty storing passwords
• Works!
• But only with Java 1.6 for this
  – Available in beta
Java SSH Term
(diagram: a terminal window showing “> echo hello world”; components drawn around it: User Interface, worker nodes (WN), MyProxy, ID database, SRB, SRM, VOMS)
Java SSH Term – User view
• Use “proper” Grid (X.509) cert
  – Upload a proxy to myproxy once a week
  – Terminal gets proxies where you need them
• Or use a proxy from the built-in CA
• No need for PKCS#12 PEM conv
  – Or even no need for understanding certs
Java SSH Term – Admin view
• Can shut down vanilla ssh
• Key mgmt is Somebody Else’s Problem™
• Decreased support load… (potentially)
• Must trust a MyProxy CA
  – UK: Tie into CA hierarchy
  – Separate hierarchy for NGS
(planned) UK hierarchy
(diagram; labels recoverable from the slide: e-Science ROOT; e-Science CA, accredited CA / trusted CA (explicit trust); credential conversion top level; several Institutional CC CAs; NGS Training and Monitoring)
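The admin-view question from the previous slide (must a service trust a MyProxy CA, and how does that tie into the hierarchy?) worked through as an added example. This is not code from the talk or from the hierarchy's designers: the issuer links, the CA names and the assurance labels are assumptions drawn from the diagram's labels, and the relying party picks its trust anchors explicitly.

```python
"""Explicit-trust walk over the planned UK CA hierarchy.

Added example (not from the talk). It models the CAs named on the
hierarchy slide as issuer links, lets a relying party choose its trust
anchors explicitly, and returns the weakest assurance on the path: a
credential-conversion (CC) certificate chains to the e-Science root but
only at low assurance, and the NGS training CA sits in a separate
hierarchy. CA names, issuer links and assurance labels are assumptions.
"""

# subject CA -> (issuer CA, assurance its certificates carry). Assumed values.
CA_ISSUERS = {
    "e-Science CA": ("e-Science ROOT", "accredited"),
    "Credential conversion top level": ("e-Science ROOT", "low"),
    "Institutional CC CA 1": ("Credential conversion top level", "low"),
    "Institutional CC CA 2": ("Credential conversion top level", "low"),
    "NGS Training and Monitoring": ("NGS ROOT", "training"),  # separate hierarchy
}
RANK = {"training": 0, "low": 1, "accredited": 2}


def build_chain(issuer, trust_anchors, max_depth=8):
    """Follow issuer links from a certificate's issuer up to a trust anchor.
    Returns the CA names leaf-issuer-first, ending at the anchor, or None
    when the path leaves the known hierarchy, loops, or is too long."""
    chain, seen = [], set()
    while issuer not in trust_anchors:
        if issuer in seen or issuer not in CA_ISSUERS or len(chain) >= max_depth:
            return None
        seen.add(issuer)
        chain.append(issuer)
        issuer = CA_ISSUERS[issuer][0]
    chain.append(issuer)
    return chain


def chain_assurance(chain):
    """Weakest assurance among the CAs on the chain that have a known level
    (a bare root that only signs other CAs has none)."""
    levels = [CA_ISSUERS[ca][1] for ca in chain if ca in CA_ISSUERS]
    return min(levels, key=RANK.__getitem__) if levels else None


def accept(cert_issuer, trust_anchors, required):
    """Policy decision for a certificate issued by cert_issuer:
    (accepted, reason_or_level, chain)."""
    chain = build_chain(cert_issuer, trust_anchors)
    if chain is None:
        return False, "no path to a trust anchor", None
    level = chain_assurance(chain)
    if level is None:
        return False, "issued directly by a trust anchor", chain
    if RANK[level] < RANK[required]:
        return False, f"assurance {level!r} below required {required!r}", chain
    return True, level, chain


if __name__ == "__main__":
    anchors = {"e-Science ROOT"}  # what a UK relying party explicitly trusts
    for issuer in ("e-Science CA", "Institutional CC CA 1", "NGS Training and Monitoring"):
        print(issuer, "->", accept(issuer, anchors, "low"))
```

A service that only ever wanted accredited certificates calls accept(..., "accredited") and the CC-chained certificate is refused with a reason, while a portal happy with low-assurance access accepts it; the NGS training CA is refused until its own root is added to the anchors, which is the "separate hierarchy" case.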
Java SSH Term
• Try it!
• http://www.grid-support.ac.uk/
• Public link may be for the non-AD/K5 one
  – Secret link for the Java 1.6 version
  – Until Java 1.6 is out
  – Email me
User Management
• DLS and ISIS have 14-15000 users
• Already ~6-7000 unique users in DB
  – How to establish – and maintain – uniqueness?
• Users get accounts locally
  – Accounts set up by User Office
  – Give them Unix UID?
    • RFIO and NFS use 16 bit UID…
Vintela
• Used by Diamond Light Source (synchrotron) – not all of CCLRC/RAL
• Commercial
• Manage user accounts across Linux and Windows
• Uses RFC 2307-with-extensions
  – “Make more scalable”
• Caching daemon makes system scalable
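The uniqueness and 16-bit UID questions from the User Management slide, checked over RFC 2307 posixAccount data of the kind the Vintela slide describes, as an added example. This is not code from the talk or from Vintela; the LDIF entries, names, DNs and numbers are constructed, and the parser is a minimal one written for this example.

```python
"""Consistency checks over RFC 2307 posixAccount entries.

Added example (not code from the talk or from Vintela): it parses a
small constructed LDIF sample and reports the problems that arise when
DLS and ISIS accounts are merged into one directory: the same uid
appearing twice, the same uidNumber handed to two people, and
uidNumbers that do not fit in the 16 bits RFIO and NFS carry.
Names, numbers and DNs are made up.
"""
from collections import defaultdict

# Constructed sample: 'jsmith' present in two trees, one uidNumber used
# twice, and one uidNumber above 65535.
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=dls,dc=example,dc=ac,dc=uk
objectClass: posixAccount
uid: jsmith
uidNumber: 10001
gidNumber: 500
homeDirectory: /home/jsmith

dn: uid=akhan,ou=People,dc=dls,dc=example,dc=ac,dc=uk
objectClass: posixAccount
uid: akhan
uidNumber: 10002
gidNumber: 500
homeDirectory: /home/akhan

dn: uid=jsmith,ou=People,dc=isis,dc=example,dc=ac,dc=uk
objectClass: posixAccount
uid: jsmith
uidNumber: 10003
gidNumber: 500
homeDirectory: /home/jsmith

dn: uid=bigid,ou=People,dc=isis,dc=example,dc=ac,dc=uk
objectClass: posixAccount
uid: bigid
uidNumber: 70000
gidNumber: 500
homeDirectory: /home/bigid

dn: uid=dupnum,ou=People,dc=isis,dc=example,dc=ac,dc=uk
objectClass: posixAccount
uid: dupnum
uidNumber: 10002
gidNumber: 500
homeDirectory: /home/dupnum
"""

UID_16BIT_MAX = 0xFFFF  # largest uid RFIO and (older) NFS can carry


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one
    'attribute: value' per line; no folded lines or base64 values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_posix_accounts(entries):
    """Return sorted (problem, detail) pairs over the posixAccount entries."""
    problems = []
    by_uid, by_num = defaultdict(list), defaultdict(list)
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        dn, uid, num = e["dn"][0], e["uid"][0], int(e["uidNumber"][0])
        by_uid[uid].append(dn)
        by_num[num].append(dn)
        if num > UID_16BIT_MAX:
            problems.append(("uidNumber-over-16-bit", dn))
    problems += [("duplicate-uid", u) for u, dns in by_uid.items() if len(dns) > 1]
    problems += [("duplicate-uidNumber", str(n)) for n, dns in by_num.items() if len(dns) > 1]
    return sorted(problems)


def next_free_uidnumber(entries, start=10000):
    """Lowest unused uidNumber >= start that still fits in 16 bits, or None."""
    used = {int(e["uidNumber"][0]) for e in entries if "uidNumber" in e}
    return next((n for n in range(start, UID_16BIT_MAX + 1) if n not in used), None)


if __name__ == "__main__":
    accounts = parse_ldif(SAMPLE_LDIF)
    for problem, detail in check_posix_accounts(accounts):
        print(f"{problem}: {detail}")
    print("next free uidNumber:", next_free_uidnumber(accounts, 10001))
```

Run against a real export, the duplicate-uid report is the "how to establish and maintain uniqueness" question made concrete: the same login name in two trees must be resolved to one person or renamed before a single uidNumber is issued, and the allocator refuses to hand out anything RFIO or NFS would truncate.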
Vintela
• “Active Roles”
• Users can unlock their own accounts
  – Questions
• Scriptable user creation
• NSS module for NIS
• PAM module calls out to Active Directory
• Support for RH, SuSE, Solaris, HPUX, AIX
Future work
• Better database integration (eduPerson)
  – Identity management (next slide)
  – Users may have different ids in different contexts?
• Authorisation needed
  – VOMS integration
  – Site attributes, maybe? VO attributes!
  – Combined?
Identity Management – TODO
• Tie together all the identities in central DB
  – Grid certificates
  – Low assurance (credential conversion) certificates
  – SRB identities
  – Tapestore ids
  – Unix user ids
• How to populate with initial data…
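The central record this slide asks for, and the earlier web-authentication requirement that the system must know a Kerberos login, a browser certificate and a username/password login are the same person without storing the password, as one added example. This is not code from the talk: the record layout, the assurance labels, the password callout and every sample identifier (principal, DNs, SRB and tapestore ids, uid) are assumptions constructed for the example.

```python
"""Central identity record tying one person's identities together.

Added example, not code from the talk: the record layout, the
assurance labels and all sample identifiers are assumptions. It serves
two slides: 'Authentication - web based' (a Kerberos login, a browser
certificate and a username/password login must resolve to the same
person, and the password is never stored) and 'Identity Management -
TODO' (grid certificates, credential-conversion certificates, SRB ids,
tapestore ids and Unix uids all hang off one central record).
"""

# Identity kinds that can authenticate, with assumed assurance labels that
# follow the talk's distinction between site credentials, accredited grid
# certificates and low-assurance credential-conversion certificates.
ASSURANCE = {
    "kerberos": "site",          # on-site federal id via AD/Kerberos
    "password": "site",          # same username/password as the federal id
    "grid-cert": "accredited",   # X.509 from the accredited e-Science CA
    "cc-cert": "low",            # credential-conversion (MyProxy CA) certificate
}
# Identifiers that name a person in some system but never log them in.
NON_AUTHENTICATING = {"srb", "tapestore", "unix-uid"}


class IdentityStore:
    """Maps (kind, identifier) pairs to one person id and enforces that an
    identifier is bound to at most one person."""

    def __init__(self, password_callout):
        # password_callout(username, password) -> bool stands in for the
        # site AD/Kerberos check; the store itself never holds a password.
        self._verify_password = password_callout
        self._people = {}   # person_id -> {kind: identifier}
        self._index = {}    # (kind, identifier) -> person_id

    def link(self, person_id, kind, identifier):
        if kind not in ASSURANCE and kind not in NON_AUTHENTICATING:
            raise ValueError(f"unknown identity kind {kind!r}")
        owner = self._index.get((kind, identifier))
        if owner is not None and owner != person_id:
            raise ValueError(f"{kind} {identifier!r} already belongs to {owner}")
        self._index[(kind, identifier)] = person_id
        self._people.setdefault(person_id, {})[kind] = identifier

    def identities(self, person_id):
        return dict(self._people.get(person_id, {}))

    def authenticate(self, kind, identifier, password=None):
        """Resolve an authentication event to (person_id, assurance), or None."""
        if kind not in ASSURANCE:            # SRB ids, uids etc. cannot log in
            return None
        person = self._index.get((kind, identifier))
        if person is None:
            return None
        if kind == "password" and not self._verify_password(identifier, password or ""):
            return None
        return person, ASSURANCE[kind]


# Constructed stand-in for the site directory. A real deployment calls out
# to AD/Kerberos and never keeps a table like this.
_FAKE_SITE_DIRECTORY = {"jsmith": "correct horse battery"}


def fake_ad_callout(username, password):
    return _FAKE_SITE_DIRECTORY.get(username) == password


def build_sample_store():
    """One person known under seven identifiers (all constructed values)."""
    store = IdentityStore(fake_ad_callout)
    p = "person-0001"
    store.link(p, "kerberos", "jsmith@EXAMPLE.AC.UK")
    store.link(p, "password", "jsmith")
    store.link(p, "grid-cert", "/C=UK/O=eScience/OU=Example/CN=j smith")
    store.link(p, "cc-cert", "/C=UK/O=eScience/OU=ExampleCC/CN=jsmith")
    store.link(p, "srb", "jsmith@example-zone")
    store.link(p, "tapestore", "TS0042")
    store.link(p, "unix-uid", "10001")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.authenticate("kerberos", "jsmith@EXAMPLE.AC.UK"))
    print(s.authenticate("password", "jsmith", "correct horse battery"))
    print(s.authenticate("srb", "jsmith@example-zone"))  # None: not an authenticator
```

The assurance label returned with the person id is what lets a service treat the three routes differently (the credential-conversion certificate is the same person, but at low assurance), and the one-owner rule in link() is the "establish and maintain uniqueness" check applied to every identifier rather than only to login names.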
Summary
• Terminal access to Grid
  – In production
  – Non-certificate access via myproxy
    • To integrate with CA rollover
  – Handles all grid-proxy-init
• Much of account mgmt solved
• Integrating with future SSO efforts