Introduction to SciTokens

Similar documents
The SciTokens Authorization Model: JSON Web Tokens & OAuth

Bootstrapping a (New?) LHC Data Transfer Ecosystem

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Integrating with ClearPass HTTP APIs

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

Guidelines on non-browser access

WSO2 Identity Management

GLOBUS TOOLKIT SECURITY

SSH with Globus Auth

[GSoC Proposal] Securing Airavata API

Technical Overview. Version March 2018 Author: Vittorio Bertola

API Gateway. Version 7.5.1

Tutorial: Building the Services Ecosystem

Authentication in the Cloud. Stefan Seelmann

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Leveraging the Globus Platform in your Web Applications. GlobusWorld April 26, 2018 Greg Nawrocki

Building the Modern Research Data Portal. Developer Tutorial

Securing APIs and Microservices with OAuth and OpenID Connect

Deploying OAuth with Cisco Collaboration Solution Release 12.0

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

Federated AAI and the World of Tomorrow. Rion Dooley

Salesforce1 Mobile Security White Paper. Revised: April 2014

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

INDIGO-Datacloud Identity and Access Management Service

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

INDIGO AAI An overview and status update!

Grid Security Infrastructure

Advanced API Security

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

Using the MyProxy Online Credential Repository

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

UMA and Dynamic Client Registration. Thomas Hardjono on behalf of the UMA Work Group

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

WHITE PAPER. OAuth A new era in Identity Management and its Applications. Abstract

A VO-friendly, Community-based Authorization Framework

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

Liferay Security Features Overview. How Liferay Approaches Security

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

CILogon. Federating Non-Web Applications: An Update. Terry Fleury

Singularity in CMS. Over a million containers served

Authentication with OAuth 2.0

Partner Center: Secure application model

Network Security Essentials

Inland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE

Troubleshooting Grid authentication from the client side

W H IT E P A P E R. Salesforce Security for the IT Executive

Single Sign-On for PCF. User's Guide

PAS for OpenEdge Support for JWT and OAuth Samples -

CS November 2018

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

Federated Services for Scientists Thursday, December 9, p.m. EST

Interfacing Operational Grid Security to Site Security. Eileen Berman Fermi National Accelerator Laboratory

5 OAuth Essentials for API Access Control

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Leveraging Globus Identity for the Grid. Suchandra Thapa GlobusWorld, April 22, 2016 Chicago

Using the Horizon vrealize Orchestrator Plug-In

5 OAuth EssEntiAls for APi AccEss control layer7.com

UFED Cloud Analyzer. Traces and changes. February Version 6.0

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Check to enable generation of refresh tokens when refreshing access tokens

A solution for Access Delegation based on SAML. Ciro Formisano Ermanno Travaglino Isabel Matranga

openid connect all the things

Using OAuth 2.0 to Access ionbiz APIs

glideinwms architecture by Igor Sfiligoi, Jeff Dost (UCSD)

Securing MQTT. #javaland

NIELSEN API PORTAL USER REGISTRATION GUIDE

Credentials Management for Authentication in a Grid-Based E-Learning Platform

MediaAUTH Draft Proposal

Authorization and Authentication

Using a dynamic data federation for running Belle-II simulation applications in a distributed cloud environment

SLCS and VASH Service Interoperability of Shibboleth and glite

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

4.2. Authenticating to REST Services. Q u i c k R e f e r e n c e G u i d e. 1. IdentityX 4.2 Updates

DreamFactory Security Guide

Security in the CernVM File System and the Frontier Distributed Database Caching System

CILogon Project

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0

AUTHENTICATION AND AUTHORIZATION: TWO SECURITY ESSENTIALS THAT WORK TOGETHER

THEBES: THE GRID MIDDLEWARE PROJECT Project Overview, Status Report and Roadmap

DIRAC Distributed Secure Framework

Connect. explained. Vladimir Dzhuvinov. :

Stateless Microservice Security via JWT, TomEE and MicroProfile

SAP Security in a Hybrid World. Kiran Kola

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Winter Salesforce.com, inc. All rights reserved.

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

Grid Computing Security hack.lu 2006 :: Security in Grid Computing :: Lisa Thalheim 1

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

API Security Management SENTINET

LiveEngage Messaging Platform: Security Overview Document Version: 2.0 July 2017

Mastering OAuth 2.0. Mastering OAuth 2.0. Charles Bihis. Mastering OAuth 2.0

SA1 CILogon pilot - motivation and setup

Evolution of the ATLAS PanDA Workload Management System for Exascale Computational Science

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Copyright. Copyright Ping Identity Corporation. All rights reserved. PingAccess Server documentation Version 4.

Your Auth is open! Oversharing with OpenAuth & SAML

Real-world security analyses of OAuth 2.0 and OpenID Connect

UNIT IV PROGRAMMING MODEL. Open source grid middleware packages - Globus Toolkit (GT4) Architecture, Configuration - Usage of Globus

Transcription:

Introduction to SciTokens Brian Bockelman, On Behalf of the SciTokens Team https://scitokens.org This material is based upon work supported by the National Science Foundation under Grant No. 1738962. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

SciTokens: Federated Authorization Ecosystem for Distributed Scientific Computing The SciTokens project, starting July 2017, aims to: Introduce a capabilities-based authorization infrastructure for distributed scientific computing, provide a reference platform, combining CILogon, HTCondor, CVMFS, and Xrootd, AND Implement an instance to help our science stakeholders (LIGO and LSST) better achieve their scientific aims. In this presentation, I d like to unpack what this means, give a short demo, and outline possible use cases for the WLCG.

Capabilities-based Auth Infrastructure At the core of today s AAI is the concept of identity and impersonation. A grid certificate provides you with a globally-recognized identification. The grid proxy allows a third party to impersonate you, (ideally) on your behalf. The remote service maps your identity to some set of locallydefined authorizations. We believe this approach is fundamentally wrong because it exposes too much global state: identity and policy should be kept locally!

Capabilities-based Auth Infrastructure We want to change the infrastructure to focus on capabilities! The tokens passed to the remote service describe what authorizations the bearer has. For traceability purposes, there may be an identifier that allows tracing of the token bearer back to an identity. Identifier!= identity. It may be privacy-preserving, requiring the issuer (VO) to provide help in mapping. Example: The bearer of this piece of paper is entitled to write into /castor/cern.ch/cms".

Capabilities versus Identities If GSI took over the world, an attacker could use a stolen grid proxy to make withdrawals from your bank account. With capabilities, a stolen token only gets you access to a specific authorization ( stageout to /store/user at Nebraska ).

The World Uses Capabilities! The rest of the world uses capabilities for distributed services. The authorization service creates a token that describes a certain capability or authorization. Any bearer of that token may present it to a resource service and utilize the authorization. The primary way this is implemented is through OAuth2. When you click allow access on the right, the client at OAuth2 Test will receive a token. This token will permit it to access the listed subset of Google services for your account. OAuth2 is used by Microsoft, Facebook, Google, Dropbox, Box, Twitter, Amazon, GitHub, Salesforce (and more) to allow distributed access to their identity services.

Three-Legged Authorization In OAuth2, there are three abstract entities involved in the authorization workflow: Authorization server (identity provider) issues capabilities. Identity Provider Resource Owner The resource owner (end-user) approves authorizations. Client The client receives tokens. Often, this is the third-party website or smartphone app. Once the token is issued, it can be used at the resource server to access some protected resource. In the Google example, Google runs both the authorization and resource servers.

SciTokens The SciTokens team is working to integrate an OAuth2 client into the HTCondor submit host. OAuth2 support at CILogon is being enhanced with VO-defined scopes. HTCondor is being enhanced to manage the token lifetime (refreshing as needed), possibly attenuating it, and delivering it to the job. Data services (CVMFS, Xrootd) are being enhanced to allow read/writes utilizing tokens instead of grid proxies.

End-Goal The end-goal is this -> The first time you use HTCondor, you navigate to a web interface and setup your desired permissions. On every subsequent condor_submit, HTCondor will transparently create the access token for you. User sees nothing. Replace CERN, usernames, and authorization as desired. Goal: our first use of OAuth will be to stageout from payload jobs to Box. CERN HTCondor Stage Output CMS user @ cern.ch

USER MANAGEMENT OF FILES PASSWORD IN TERMINAL SCITOKENS- PROXY-INIT COPY/ PASTE

Tokens for Distributed Infrastructures Distributed science infrastructures are distinct from a resource server like Google because they are not run by a single central entity. Hence, unlike Google, we can t use opaque random strings for the token. We need something that allows for distributed verification. Given a token, a storage service can determine it is valid. Analogously, given a proxy chain and a set of trust roots, you can determine the GSI proxy is valid. Goal: Sites set aside some area for each VO; VOs manage the authorizations within these VO home areas.

demo.scitokens.org Free tokens! Navigate to https://demo.scitokens.org to get your free tokens! This demo illustrates the access token format we re working on. Utilizes JSON Web Tokens (JWT) as the access token format. Various RFCs provide clear guidance on how to verify token integrity. Adds a few domain-specific claims for receiving access to storage. The tokens are base64-encoded and can be used as part of a curl command to use protected resources.

Example Token, Decoded The decoded token contains multiple scopes - basically filesystem authorizations. The audience narrows who the token is intended for. The issuer identifies who created the token; value used to locate the public keys needed to validate signature. The subject is an opaque identifier for the resource owner. In this case, it also happens to be the identity. The expiration is a Unix timestamp when the token expires. A typical lifetime is 10 minutes.

OSG Demo We have been able to get a basic endto-end token-based auth{z,n} workflow working for the OSG VO submit service. This includes patches to Xrootd to validate tokens presented via HTTP and to write files out with the correct Unix user permissions. Cheats: instead of using OAuth2 to generate the token, we keep a signing key on the submit host. only one token needed. submit host and storage server owned by OSG.

Wait, I ve seen this before! If you re from ALICE and getting a sense of déjà vu you re right! The capability-based infrastructure is precisely the authorization infrastructure used by ALICE for the past decade. SciTokens takes this successful model, recasts it using modern web protocols, and utilizes OAuth2 workflows to issue the tokens. The use of common protocols and workflows means that we have a large number of battle-tested libraries we can leverage (spend our time doing other stuff besides writing the basics!). Using JWT-formatted access tokens is somewhat-commonplace among web companies. I think SciTokens is unique in using JWT access tokens for distributed verification in a federated infrastructure.

Implications for WLCG As CMS uses a very similar technology stack as the SciTokens project, this would provide a mechanism to begin removing CMS user proxies from the worker node. Proxies were required for glexec, but this is already phased out at some sites. Working on a token exchange service - given a valid VOMS-based authentication, will issue a corresponding SciToken. An entity - think, FTS3 - with a delegated user proxy could then do a HTTPS transfer without the client cert. Combined with the WebDAV COPY command (already supported by FTS3), FTS3 could do a HTTPS 3rd-party-copy without needing GSI credentials at either end. At the site level, this would be a completely Globus free transfer both in terms of concepts (GSI) and implementation (Globus Toolkit). Significant impact! Toward this end, have a prototype implementation of WebDAV COPY working with Xrootd. With some small FTS3 / GFAL / DAVIX plumbing work, could demonstrate this between a Xrootd host and a DPM or dcache host.

Near-Term Goals By the end of the calendar year, we aim to: Have version 1.0 of python and Java libraries. Simple HTCondor OAuth client implementation. Release XRootD token validation plugins. Demonstrate token-based CVMFS access. Demonstrate X509-to-SciToken translation service. Within the next 12 months: Use Java library for a dcache authorization plugin. Release plugin for CVMFS support. More fine-grained token management in HTCondor. Integration with LIGO LDAP. Demonstrate 3rd-party HTTPS FTS transfers authorized with SciTokens.

Questions? (I left out many technical details!)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback