ESGF IdEA: Iden-ty, En-tlement and Access Management

Transcription

1 ESGF IdEA: Iden-ty, En-tlement and Access Management ESGF UV- CDAT Conference December 2014 Philip Kershaw, Centre for Environmental Data Archival, RAL Space, STFC Rachana Ananthakrishnan, Argonne NaKonal Laboratory

2 With Apologies to Sco= Adams (credit Jennifer Adams)

3 ESGF- IdEA Working Team h=ps://acme- climate.atlassian.net/wiki/display/esgf/iden-ty +En-tlement+Access+Working+Team+Members Luca Cinquini Aashish Chaudhary Antonio Cofino Katharina Berger Carsten Ehbrecht Georgi Kostov Kleanthis Tsaousis James McEnerney Mark Greenslade Philip Kershaw Rachana Ananthakrishnan Sandro Fiore Stephen Pascoe Dean N. Williams We need more people a) non- security experts to give user feedback b) developers to get involved

4 Overview Requirements recap Opera-ons Roadmap Implemented features of roadmap

5 Requirements Review Access control is an opkonal component which can be u-lised or ley out as fits the need of an individual project in the federa-on For projects using access control it should be straigh[orward to configure an access policy which makes some data restricted and some public as needed A low Level of Assurance (LoA) has been needed with projects to date. Some future projects may need higher LoA Projects which exploit ESGF Project 1 Project 2 Project 3 Project 4 ESGF Services Federated Search Federated Iden-ty Management and Access En-tlement

6 Opera-ons Maintainability Some of the code base has become bri=le Difficult to configure some elements Support Security s-ll figures large in help queries Security responses Assessment of risk of vulnerability vs. upset to stability of the federa-on brought by change Up -me + fixes do we need SLAs? A federa-on is inter- dependent on each ins-tu-on s services IdEA services are cri-cal to the opera-on of the whole federa-on

7 Roadmap Simplify trust roots Replace MyProxyCA and integrate OAuth Create an A=ribute Registra-on web service interface Improve usability for browser- based sign- in Simplify security for Wget Integrate OpenID Connect to simplify sign- in and user asribute release Provide support for external IDs to the federa-on Review the use of central Virtual Organisa-on- wide a=ribute services Provide support for mul-ple Levels of Assurance (LoA)

8 OpenID Sign- in Enhancement

9 Wget Improvement Wget scripts provide a means for bulk data download for the web frontend Why was user cer-ficate based authen-ca-on implemented in the first place? United HTTP and GridFTP download services with one authen-ca-on method The problem: the cer-ficate- based authen-ca-on process has been a major usability issue Need for custom desktop soyware: Java plugin SSL and PKI issues Solu-on: remove the need for user cer-ficates Wget scripts authen-cate by means of HTTP redirects to user s IdP IdP has a new HTTP Basic Auth interface for login suitable for scripts Cookies maintain session state Demo: shown for data transfer talk Eric Blau, ANL

10 Future for Cer-ficate- based Authen-ca-on + path for delega-on support It is important to retain cer-ficate- based authen-ca-on capability for more advanced use cases: advance scripted tools, power users Inter- ins-tu-on transfer User delega-on A sec-on of the roadmap deals with this future: Remove the dependency on MyProxy Providing a new Short- Lived Creden-al Service Which can be extended to support user delega-on with OAuth 2.0 Provide a range of client tools: bash scripts, Python and Java clients This leads to delega-on support and OpenID Connect. This must align with efforts in the US and Europe (EUDAT) to standardise Next slides explain...

11 Evolu-on of Short- Lived Creden-al Services: 1) MyProxyCA Client App MyProxy Protocol MyProxyCA Cer-ficate Authority The baseline service for ESGF User Database

12 Evolu-on of Short- Lived Creden-al Services: 2) MyProxy Web Service Interface Client App MyProxy Protocol MyProxyCA Cer-ficate Authority Client App HTTPS Interface MyProxy Web Service Interface User Database The MetOffice and some other users in the community used CEDA s MyProxy web service

13 Evolu-on of Short- Lived Creden-al Services: 3) Dispense with MyProxy altogether MyProxy can be dispensed with completely Cer-ficate Authority Client App HTTPS Interface Short- lived Creden-al Service User Database

14 Evolu-on of Short- Lived Creden-al Services: 4) Add OAuth to provide delega-on Cer-ficate Authority Client App HTTPS Interface Short- lived MyProxy Web Creden-al Service Interface Service User Database Client App HTTPS / OAuth MyProxy OAuth Web Delega-on Service Interface Service Client App such as a portal needing delegated creden-als to access resources on behalf of the user

15 How does OAuth 2.0 work? 1. The user visits a website 2. The site needs to access data on the user s behalf with a cer-ficate Access Token Website OAuth Client OAuth Authorisa-on Server 3. It redirects the user to an Authorisa-on server in order to get their permission to obtain a cer-ficate 4. The user logs in with the authorisa-on server and grants permission OAuth Resource Server Short- lived Creden-al Service 5. The website can now get a token permiing it to get a cer-ficate on the user s behalf

16 Service Discovery: which IdP? Overlaying OpenID Connect WebFinger OpenID Relying Party OAuth Client Access Token OpenID Provider OAuth Authorisa-on Server OAuth Resource Server Short- lived Creden-al Service OpenID Connect is built on top of OAuth 2.0 adding: Single sign- on Service discovery replacing Yadis with WebFinger First Name Last Name address