Federated Login to Teragrid
Total Page:16
File Type:pdf, Size:1020Kb
Federated Login to TeraGrid Jim Basney Terry Fleury Von Welch [email protected] tfl[email protected] [email protected] National Center for Supercomputing Applications University of Illinois 1205 West Clark Street Urbana, Illinois 61801 ABSTRACT In this article, we present the design and implementation We present a new federated login capability for the Tera- of a new system that enables researchers to use the authenti- cation method of their home organization for access to Tera- Grid, currently the world’s largest and most comprehensive 2 distributed cyberinfrastructure for open scientific research. Grid. Participating in the InCommon Federation enables Federated login enables TeraGrid users to authenticate us- TeraGrid to accept authentication assertions from U.S. in- ing their home organization credentials for secure access to stitutions of higher education, so researchers can use their TeraGrid high performance computers, data resources, and existing campus login to authenticate to TeraGrid resources. high-end experimental facilities. Our novel system design This federated login capability brings multiple benefits: links TeraGrid identities with campus identities and bridges • It mitigates the need for researchers to manage au- from SAML to PKI credentials to meet the requirements of thentication credentials specific to TeraGrid in addi- the TeraGrid environment. tion to their existing campus credentials. Simplifying researchers’ access to TeraGrid helps them to better Categories and Subject Descriptors focus on doing science. K.6.5 [Management of Computing and Information Systems]: Security and Protection—Authentication • Reducing or eliminating the need for a TeraGrid pass- word eases the burden on TeraGrid staff, by reducing the number of helpdesk calls requesting password re- General Terms sets and avoiding the need to distribute passwords to Security researchers in the first place. Keywords • Using the campus login to access TeraGrid helps to in- tegrate campus computing resources with TeraGrid re- PKI, SAML, identity federation, grid computing, TeraGrid, sources. Researchers should be able to easily combine MyProxy, GridShib, Shibboleth resources on campus with resources from TeraGrid and other national cyberinfrastructure. Harmonizing secu- 1. INTRODUCTION rity interfaces across the infrastructure is a positive TeraGrid1 is an open scientific discovery infrastructure step towards this goal. combining leadership class resources at eleven partner sites to create an integrated, persistent computational resource. • Federated login enables the provisioning of TeraGrid TeraGrid serves over 4,500 researchers from over 300 col- resources according to campus-based identity vetting leges, universities, and research institutions in the United and authorization. TeraGrid resources could be allo- States. TeraGrid resources are allocated to researchers by cated to a university class or department, and Tera- peer review. Researchers must authenticate to TeraGrid re- Grid could rely on the university to determine who source providers and charge their usage to project accounts. on their campus is authorized to use the resource al- TeraGrid supports authentication via passwords, SSH public location (e.g., who is enrolled in the class or who is a keys, and X.509 certificates. department member), thereby eliminating the need for per-user accounting by TeraGrid staff and giving the 1http://www.teragrid.org campus greater flexibility and control in managing the TeraGrid allocation. Federated login is being applied in many environments Permission to make digital or hard copies of all or part of this work for to simplify authenticated access to resources and services. personal or classroom use is granted without fee provided that copies are In this article, we focus on the unique challenges we faced not made or distributed for profit or commercial advantage and that copies in implementing federated login for TeraGrid. A primary bear this notice and the full citation on the first page. To copy otherwise, to technical challenge was the need to support multiple usage republish, to post on servers or to redistribute to lists, requires prior specific models, from interactive browser and command-line access permission and/or a fee. IDtrust ’10, April 13-15, 2010, Gaithersburg, MD 2 Copyright 2010 ACM ISBN 978-1-60558-895-7/10/04 ...$10.00. http://www.incommonfederation.org to multi-stage, unattended batch workflows. Another chal- TeraGrid lenge was the need to establish trust among campuses, Tera- Kerberos Grid members, and peer grids (such as Open Science Grid3 TeraGrid KDC Central and the Enabling Grids for E-sciencE4) in the mechanisms Database verify and procedures underlying the federated login capability. In look up user password distinguished name the remainder of the article, we discuss these and other chal- TeraGrid UI lenges and present our solution in detail. TeraGrid MyProxy CA obtain user User Portal User certificate 2. BACKGROUND access Before presenting the federated login capability we devel- TeraGrid TeraGrid oped for TeraGrid, we first provide background information Client Toolkit Resources about the previously existing TeraGrid authentication ar- chitecture and the InCommon Federation. 2.1 TeraGrid Authentication Architecture Figure 1: TeraGrid single sign-on provides certifi- cates for secure access to TeraGrid resources. The TeraGrid allocations process provisions TeraGrid user accounts and assigns TeraGrid-wide usernames and pass- words, which grant single sign-on access to TeraGrid re- name and initial password to the researcher, and send the sources. Our work, which we describe subsequently, lever- username and password via postal mail to the researcher. ages this existing architecture without modifying it in order The letter distributed with the initial password instructs not to disrupt access for existing users. the researcher to change the password and store the letter in a secure place. If the researcher forgets the password, 2.1.1 TeraGrid Allocations he or she can call the helpdesk and request that the pass- As described in the Introduction, TeraGrid resources are word be reset to the initial value. If the researcher has lost allocated to researchers by peer review. Principal Investi- the letter with the initial password, he or she can call the gators (PIs) submit proposals for resource allocations to a helpdesk and request that a new letter be sent to their postal resource allocations committee, which consists of volunteers address on record. Alternatively, a researcher can reset his selected from the faculty and staff of U.S. universities, labo- or her password via the TeraGrid User Portal, which au- ratories, and other research institutions. All members serve thenticates the request via the researcher’s registered email a term of 2–5 years and have expertise in computational address. In the future, TeraGrid researchers will be able science or engineering. Each proposal is assigned to two to set their username and password when they request an committee members for review. The committee members account, eliminating the need for passwords to be sent via can also solicit an external review. After several weeks of postal mail. review, the entire committee convenes to discuss the relative The process of enrolling a new user into the TeraGrid merits of each proposal and award time based on availabil- Central Database also assigns a unique certificate subject ity of resources. To apply, the PI must be a researcher or distinguished name to the user. The distinguished name educator at a U.S. academic or non-profit research institu- includes the user’s first and last names, with an optionally tion. Proposals are judged on scientific merit, potential for appended serial number in case of name conflicts. The data- progress, numerical approach, and justification for resources. base management system ensures that distinguished names Allocations are typically awarded for one year, though multi- are uniquely assigned and are never re-assigned to a different year allocations may be granted for well-known PIs. PIs can user. submit renewal or supplemental proposals to the committee As described later, our federated login solution relies on to extend their allocation. the fact that the TeraGrid Central Database contains a re- PIs are instructed not to share their accounts with others. cord for every TeraGrid user, as well as the fact that every Instead, they use the Add User Form on the TeraGrid User TeraGrid user has a TeraGrid-wide username and password. Portal5 to request accounts for their project members. PIs can also use this form to remove project members. PIs sub- 2.1.2 TeraGrid Single Sign-On mit name, telephone, email, and postal address information The researcher’s TeraGrid-wide username and password for the users on their project. For users on multiple projects, enables single sign-on access to all TeraGrid resources. Re- each project PI must complete the required information sep- searchers can use TeraGrid single sign-on from the TeraGrid arately for each user to request the user to have access to the User Portal (TGUP) and from the command-line (via the project’s resources. The PI is notified by postal mail when- TeraGrid Client Toolkit). Upon entering their username and ever a user is added to their project. All users are required to password, researchers obtain a short-lived certificate from sign the TeraGrid User Responsibility Form, which educates a MyProxy6 Certificate Authority (CA) [1, 6] operated by users about secure and appropriate