Globus Toolkit: Authentication And Credential Translation
Globus Toolkit: Authenticationand Credential TranslationJET Workshop, April 14, 2004Frank Copyright (c) 2002 University of Chicago and The University of Southern California. All Rights Reserved.presentation is licensed for use under the terms of the Globus Toolkit Public License.See l for the full text of this license.This
OutlinezzzzzzzzzGlobus Alliance & Globus ToolkitThe Grid “problem”Globus Security Infrastructure (GSI)Public Key Credentials Proxy-CertificatesSSL, GSSAPI/GSI and DelegationKx509: Kerberos PKPkinit: PK KerberosGridLogon: username/password/OTP PKFutures and ConclusionJET Workshop 2004Globus Toolkit: Authentication and Credential Translation2
The Globus AllianceMaking Grid computing a realityzzzzzArgonne, UC, USC/ISI, EPCC, PDC, NCSAClose collaboration with many scientific and commercialGrid application and infrastructure projectsDevelopment and promotion of standard Grid protocolsto enable interoperability and shared infrastructureDevelopment and promotion of standard Grid softwareAPIs and SDKs to enable portability and code sharingThe Globus Toolkit software: Open source softwarebase for building Grid infrastructure and applicationsJET Workshop 2004Globus Toolkit: Authentication and Credential Translation3
LHC Data Distribution PBytes/secOnline System 100 MBytes/sec 20 TIPSThere are 100 “triggers” per secondEach triggered event is 1 MByte in size 622 Mbits/secor Air Freight (deprecated)France RegionalCentreSpecInt95 equivalentsOffline Processor FarmThere is a “bunch crossing” every 25 nsecs.Tier 11 TIPS is approximately 25,000Tier 0Germany RegionalCentreItaly RegionalCentre 100 MBytes/secCERN Computer CentreFermiLab 4 TIPS 622 Mbits/secTier 2 622 Mbits/secInstituteInstitute Institute 0.25TIPSPhysics data cacheInstituteCaltech 1 TIPSTier2 CentreTier2 CentreTier2 CentreTier2 Centre 1 TIPS 1 TIPS 1 TIPS 1 TIPSPhysicists work on analysis “channels”.Each institute will have 10 physicists working on one or morechannels; data for these channels should be cached by theinstitute server 1 MBytes/secTier 4Physicist workstationsJET Workshop 2004Globus Toolkit: Authentication and Credential Translation4
Multiple Security DomainsCompute FacilityRawDataData SourceInputDataBandwidthSvcComputeFacilitySvcData SrcSvcOutputDataSchedulingSvcBandwidthSvcRequester Each Organization is “independent” Each Organization has its own AuthN mechanismsResultData Each Organization enforces its own access policy User needs to delegate rights to broker which mayneed to delegate to servicesSvc XPost-ProcessingFacility QoS/QoP Negotiation and multi-level delegationJET Workshop 2004Globus Toolkit: Authentication and Credential Translation5
Grid Security Infrastructure (GSI)zBased on standard PKI technologies zCAs allow one-way, light-weight trustrelationships (not just site-to-site)X.509 Certificates for asserting identity zSSL protocol for authentication,message protection GSSAPI-mechanismfor users, services, hosts, etc.Proxy Certificates GSI extension to X.509 certificates fordelegation, single sign-onJET Workshop 2004Globus Toolkit: Authentication and Credential Translation6
Grid Security Infrastructure (GSI)zUse GSI as a standard mechanism for bridgingdisparate security mechanisms zzDoesn’t solve trust problem, but now things talksame protocol and understand each other’sidentity credentialsBasic support for delegation, policy distributionTranslate from other mechanismsto/from GSI as neededConvert from GSI identity to local identityfor authorizationJET Workshop 2004Globus Toolkit: Authentication and Credential Translation7
Grid Identity, Local PolicyMap tolocal name In current model,all Grid entitiesassigned a PKIidentity. User is mapped tolocal identities todetermine localpolicy.GridIdentityLocalPolicyMap tolocal name.LocalPolicyJET Workshop 2004Globus Toolkit: Authentication and Credential Translation8
Use Delegation toEstablish Dynamic Distributed nJET Workshop 2004ComputeCenterGlobus Toolkit: Authentication and Credential Translation9
X.509 Proxy CertificateszGSI Extension to X.509 Identity Certificates zzEnables single sign-onAllow user to dynamically assign identityand rights to service zOn RFC trackCan name services created on the fly andgive them rights (i.e. set policy)What is effectively happening is the user iscreating their own trust domain of services Services trust each other with user acting asthe trust rootJET Workshop 2004Globus Toolkit: Authentication and Credential Translation10
Proxy CertificatesCreateF1ServiceCN Jane DoeX.509 IdcertificateX.509 ProxyDelegationCN Jane Doe/9874Rights:Can access file F1,Service S1, X.509 ProxycertificateUse delegatedrights to accessresources.S1JET Workshop 2004Globus Toolkit: Authentication and Credential Translation11
Goal is to do thiswith arbitrary tionSAMLAttributeJET Workshop 2004X.509ACComputeCenterGlobus Toolkit: Authentication and Credential Translation12
Kerberos to GSI GatewayzTo use Kerberos, a Kerberos-to-GSIgateway translates Kerberos credentials toGSI credentials to allow local Kerberosusers to authenticate on the Grid. zKx509/KCA is an implementation of onesuch gateway.Sslk5/pkinit provide the oppositefunctionality to gateway incoming Gridcredentials to local Kerberos credentials.JET Workshop 2004Globus Toolkit: Authentication and Credential Translation13
Local Identity,Grid Identity, Local PolicyMap tolocal 5ResourcesJET Workshop 2004Globus Toolkit: Authentication and Credential Translation14
GridLogon:Credential Wallet/ConverterzGridLogon (MyProxy) allows users to store GSIcredentials and retrieve them With username/password or other credential Integration with One-Time-Password (OTP) Systems zCan act as a credential translator fromusername/password to GSIUsed by services that can only handle username andpass phrases to authenticate to Grid Services limited by client implementationszzE.g. web portalsAlso handle credential renewal for long-running tasksJET Workshop 2004Globus Toolkit: Authentication and Credential Translation15
GridLogon: Passphrase-X.509Federation ServiceGSI GSIDelegationUsername &pass phraseRequestorWeb Browser requestWeb Portal/ServerGSIGrid ResourceJET Workshop 2004Globus Toolkit: Authentication and Credential Translation16
One Time Passwordsand Restricted elegationMap tolocal DelegationKRB5ResourcesJET Workshop 2004Globus Toolkit: Authentication and Credential Translation17
GSI ImplementationSSL/WS-Securitywith ProxyServices (runningCertificatesAuthz Callouton user’s behalf)AccessComputeCenterRights’’CAS or VOMSissuing SAMLor X.509 ACsVOUsersRightsLocal Policyon VO identityor attributeauthorityJET Workshop 2004VirtualOrganizationGridLogonRights’Globus Toolkit: Authentication and Credential TranslationKCA18
Grid Evolution:Open Grid Services ArchitecturezGoals zRefactor Globus protocol suite to enable common baseand expose key capabilitiesService orientation to virtualize resources and unifyresources/services/informationEmbrace key Web services technologies for standardIDL, leverage commercial effortsResult standard interfaces & behaviors fordistributed system management built on Webservices Standardization within Global Grid Forum and OASISOpen source & commercial implementationsJET Workshop 2004Globus Toolkit: Authentication and Credential Translation19
OGSA Security iceAudit/Secure-LoggingServiceService e ainJET Workshop 2004Globus Toolkit: Authentication and Credential Translation20
ConclusionzThe Globus Toolkit is sophisticated, secure middleware zMultiple AuthN-mechanism support zthrough use of proxy-certificateNext generation GT based on Web Services zPlus “translation” servicesSecure Delegation of Rights support zDe-facto standard for Grid applicationsStandardized in Global Grid Forum & OASISGlobus Toolkit provides a working, evolvingimplementation for “secure” Grid protocols Downloaded 100k times already (www.globus.org)JET Workshop 2004Globus Toolkit: Authentication and Credential Translation21
JET Workshop 2004 Globus Toolkit: Authentication and Credential Translation 2 Outline zGlobus Alliance & Globus Toolkit zThe Grid “problem” zGlobus Security Infrastructure (GSI) zPublic Key Credentials Proxy-Certificates zSSL, GSSAPI/GSI and Delegation zKx509: Kerberos PK zPkinit: PK Kerberos zGridLogo
Ali Ozturk, MD Consulting Fee: Depuy Synthes Charles Sansur, MD Consulting Fee: Globus, Medtronic and Stryker Honoraria: K2M Daniel Sciubba, MD Consulting Fee: Depuy Synthes, Globus, K2M, Medtronic, Nuvasive, Stryker Nicholas Theodore, MD Ryalty: o Depuy Synthes, Globus Medical Consulting Fee: Depuy Synthes, Globus Medical, Medicolegal Case Review
Globus Globus is a research data management service, built on top of gridftp. It can be used to transfer files for your own computations or share files with the community. For every transfer request Globus creates logs containing transfer statistics, such as: Request an
Option B – PMP credential and PgMP credential will share PDUs including those earned for the PgMP before obtaining the PMP and any PDUs earned after receiving the PMP. The PMP renewal date will be set equal to the existing PgMP renewal date. Therefore, renewal of the PMP credential will need to occur with the renewal of the PgMP credential.File Size: 549KBPage Count: 9Explore furtherHow to fill PMP Application form: Here's PMP Sample .www.izenbridge.comYour PMP Application Checklist - Project Management Institutewww.pmi.orgAre you stressing out over completing the application to .www.margaretmeloni.comRecommended to you b
CLEAR CREDENTIAL 2 years job embedded coaching Inquiry Project Online Preliminary Credential 15, 750 Clear Credential 7,500. We are an INTERN program . Program Elements You will earn a CLEAR Education Specialist Credential Hybrid of Online and Face to Face Classes
Your Credential Document. SB 2042 . Preliminary Single Subject Teaching Credential includes: ELAS, SDAIE and ELD within content being taught. If asked for additional documents indicating these requirements, reiterate that you hold an . SB 2042 . Credential (or attach an additional copy of your credential).
As a result of successful completion of the credential program, Teacher-Candidates will earn a Preliminary Teaching Credential. Within five years of receiving a Preliminary Teaching Credential, new teachers must complete additional work in order to obtain a Professional Clear Teaching Credential. SDSU offers such a
CLEAR CREDENTIAL To earn a Clear Credential, completion of an induction program is required Induction programs are offered by: Districts County Offices of Education Universities When completed, you apply for the Clear Credential through the induction program sponsor You are earning 2 credentials, but you only need to do 1
5 I. Academic Writing & Process . 2. 1 Prepare . 2. 1. 1 What is the assignment asking you to do? What kind of assignment is it? (E.g. essay, research report, case study, reflective
