
Von Welch, James Barlow, James Basney, Doru Marcusiu

A AAAA Model to Support Science Gateways with Community Accounts. GGF-14 Science Gateways Workshop, June 28, 2005. AAAA: Authentication, Authorization, Auditing, Accounting.


Presentation Transcript


  1. A AAAA Model to Support Science Gateways with Community Accounts. GGF-14 Science Gateways Workshop, June 28, 2005. Von Welch, James Barlow, James Basney, Doru Marcusiu

  2. AAAA Model
     • Authentication
     • Authorization
     • Auditing
     • Accounting
     GSI Credential Management AAAA Science Gateway Model

  3. Outline
     • Motivation
     • Traditional AAAA Computing Model
     • Proposed AAAA Model
     • Current work and Future Challenges

  4. Traditional AAAA Model
     • All users have accounts at each site/resource
     • NxN matrix
     • Users access resources through low-level interfaces
     • E.g. Unix shells, FTP sessions
     • Resource takes care of all the A's

  5. Traditional HPC Usage [figure; labels: % ls, % foo, Authn, Audit, Accounting, OS (Authz)]

  6. Traditional HPC Usage [figure; repeated shell sessions: % ls, % foo]

  7. Motivation
     • Shell-level access to resources is great for power users, but has steep learning curve
     • Many SG users just need domain-specific interface, e.g. they are not developing or deploying application codes
     • Each resource/site has to maintain state about every user
     • Scalability problems for large/dynamic user communities
     • No abstraction - users must adapt to all changes in resources

  8. Our AAAA Model
     • SG acts as an interface between the community and its resources
     • Much like a traditional 'Grid Portal', it provides a domain-specific interface
     • However, unlike portals, it exists as a trusted entity in its own right, allowing the resource to "outsource" AAAA functionality to the SG
     • Resource runs all commands in a community account, which constrains what the community can do - account can be constrained to a few community applications

  9. Conceptual Model [figure; shell sessions: % ls, % foo]

  10. Goals of Model
      • Model is primarily about how one splits the AAAA responsibility between the SG and the resource
      • In general, resource must trust the SG to some degree to provide this functionality in exchange for offload of effort

  11. Authentication and Authorization
      • Two Modes: Simple and Authorization Credential
      • Both allow SG to manage user community
      • Authorization Credentials is more complex to deploy, but provides more information to resource

  12. Simple Auth[nz] Model [figure; labels: % ls, % foo, Authn]
      • Authentication becomes the role of the SG
      • Users known only to the SG
      • Resource trusts SG to do authentication
      • SG authenticates to resource with its own credential
      • Portal enforces authorization by constraining what actions user can perform

  13. Authz Credential Model [figure; labels: % ls, % foo, Authn, Authz Cred]
      • Authentication still role of the SG
      • Users known only to the SG
      • SG augments user credentials with authz credentials
      • E.g. CAS, GAMA, Shibboleth, IU LEAD work
      • Resource trusts SG to do authentication and authz credentials from SG
      • Doesn't know user, but trusts what SG says about user
      • Resource knows user "identifier" (may not be that useful, more later)

  14. Auditing Model [figure; labels: % ls, % foo, Auditing]
      • Site still keeps details of what each job does
      • Site may want to contact user
      • Suspicious activity, job running amuck
      • SG is only way to map a particular job to a user
      • SG has all the contact information for the user
      • Resource may know user identifier, but needs contact information only in SG user database

  15. Accounting Model [figure; labels: % ls, % foo, Accounting]
      • Site has all the details of what resources each job consumes
      • May know user who launched them (in authz cred mode)
      • SG needs this information
      • For reporting, authorization, catch mistakes
      • Need a mechanism to allow resource to report back to SG regularly
      • And allow SG to map usage back to a job and back to a user

  16. Outstanding Challenges
      • How to identify a job between SG and resource?
      • "/bin/foo run at 15:38:13 (my time)" not very accurate
      • Standard template for resource/SG agreement
      • Akin to certificate policy
      • Acceptance of group accounts
      • Convince folks it's OK to outsource

  17. Outstanding Challenges (cont)
      • Restricted accounts
      • Cookbook to restrict account to certain applications
      • Sandboxing of users from each other
      • Community administrators
      • Those who set up group account

  18. The obligatory last slide…
      • NCSA is working on real-world deployment with GridChem community
      • Acknowledgements to the TeraGrid Science Gateway RAT and all the interviewed Portals
      • Complaints to vwelch@ncsa.uiuc.edu
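The auditing and accounting slides (14 and 15) and the job-identification challenge on slide 16 can be made concrete with a small gateway-side ledger. This is an added example, not code from the presentation: it assumes the gateway issues a random token with each job and the resource echoes that token in its usage report; the `Gateway` class, the record fields and the sample report are all constructed for illustration.

```python
import secrets
from collections import defaultdict

class Gateway:
    """Gateway-side ledger: the only place a job maps to a real user."""
    def __init__(self):
        self.users = {}   # gateway user id -> contact address
        self.jobs = {}    # job token -> gateway user id

    def register(self, user_id, contact):
        self.users[user_id] = contact

    def submit(self, user_id):
        # Unguessable token handed to the resource with the job, so both
        # sides name the job the same way instead of "command + local time".
        if user_id not in self.users:
            raise PermissionError(f"unknown gateway user: {user_id}")
        token = secrets.token_hex(16)
        self.jobs[token] = user_id
        return token

    def contact_for(self, token):
        # Auditing: resource reports a suspicious job, gateway finds the person.
        user_id = self.jobs.get(token)
        return None if user_id is None else self.users[user_id]

    def reconcile(self, usage_records):
        # Accounting: fold the resource's periodic usage report back onto users.
        # Records with a token the gateway never issued are returned separately:
        # they ran in the community account without going through the gateway.
        per_user, orphans = defaultdict(float), []
        for rec in usage_records:
            user_id = self.jobs.get(rec["job_token"])
            if user_id is None:
                orphans.append(rec)
            else:
                per_user[user_id] += rec["cpu_hours"]
        return dict(per_user), orphans

def demo():
    gw = Gateway()
    gw.register("alice", "alice@example.org")
    gw.register("bob", "bob@example.org")
    a1, a2, b1 = gw.submit("alice"), gw.submit("alice"), gw.submit("bob")
    report = [  # constructed sample of what a resource might send back
        {"job_token": a1, "cmd": "/bin/foo", "cpu_hours": 2.0},
        {"job_token": a2, "cmd": "/bin/foo", "cpu_hours": 1.5},
        {"job_token": b1, "cmd": "/bin/foo", "cpu_hours": 4.0},
        {"job_token": "f" * 32, "cmd": "/bin/foo", "cpu_hours": 9.0},
    ]
    usage, orphans = gw.reconcile(report)
    return gw, usage, orphans, b1
```

All four sample records run the same `/bin/foo`, so command name and wall-clock time alone could not separate them; the token can, and the orphan list gives the site something to investigate.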
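Slide 17 asks for a cookbook to restrict the community account to certain applications and to sandbox users from each other. The sketch below is an added example, not part of the presentation: a request filter that runs before anything executes in the community account. The allowlisted paths, the scratch layout and the rule that every argument is an input file name are assumptions made for illustration.

```python
import shlex
from pathlib import PurePosixPath

# Assumed values for illustration; the slides name no paths or applications.
ALLOWED_APPS = {"/opt/community/bin/foo", "/opt/community/bin/bar"}
SCRATCH_ROOT = PurePosixPath("/scratch/community")

class Rejected(Exception):
    """Request refused before anything is executed."""

def user_sandbox(user_id):
    # One working directory per gateway user; the id must be a plain name.
    if not (user_id.isascii() and user_id.isalnum()):
        raise Rejected(f"bad user id: {user_id!r}")
    return SCRATCH_ROOT / user_id

def build_argv(user_id, request_line):
    """Return an argv list for exec without a shell, or raise Rejected."""
    try:
        words = shlex.split(request_line)
    except ValueError as exc:
        raise Rejected(f"unparsable request: {exc}")
    if not words or words[0] not in ALLOWED_APPS:
        raise Rejected("application not on the allowlist")
    sandbox = user_sandbox(user_id)
    argv = [words[0]]
    for word in words[1:]:
        # Every argument is treated as an input file inside the user's own
        # directory: no options, no absolute paths, no ".." components.
        path = PurePosixPath(word)
        if word.startswith("-") or path.is_absolute() or ".." in path.parts:
            raise Rejected(f"argument not allowed: {word!r}")
        argv.append(str(sandbox / path))
    return argv

def is_rejected(user_id, request_line):
    try:
        build_argv(user_id, request_line)
        return False
    except Rejected:
        return True
```

The path check is lexical only; symlinks inside the scratch tree and file permissions between users still have to be handled on the resource itself.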
