Portal-based access to advanced security infrastructures

Watt, J., Sinnott, R.O., Doherty, T. and Jiang, J. (2008) Portal-based access to advanced security infrastructures. In: UK e-Science All Hands Meeting, Edinburgh, UK, 8-11 Sept 2008.



Publisher's URL: http://www.allhands.org.uk/2008/


Security and scalable user management is one of the key challenges facing the e-Research community. The very nature of deploying new Grid-enabled services involves the adoption of robust and highly complex underlying technologies such as PKIs. When used correctly, these tools allow many problems in the security domain to be tackled effectively; however, in the hands of an inexperienced user, the complexities of building and using these technologies can expose the system to the same weaknesses that it is trying to mitigate. OMII-UK aims to provide a core toolkit for download which automates the installation and configuration of tools like the Globus Toolkit as much as possible. Under the auspices of the OMII SPAM-GP project, NeSC Glasgow has been investigating providing JSR-168 portlet-based access to several key technologies in the security realm. Most effort in the UK community has been focussed on interfacing these technologies with large-scale resources such as the NGS, but there is still a scarcity of simple tools to allow remote sites to run up their own well-protected grid services. Shibboleth is fast becoming the de-facto solution to federated access management, allowing a user’s home credential, which previously only had meaning at the user’s institution, to be asserted reliably across a federation of trusted sites. SAML is used to transfer further information about a user to Service Providers, usually in the form of text string attributes. However, it is normally the case that Services receive more information (from more Identity Provider sites) than they require. The SCAMP (Scoped Attribute Management Portlet) allows an administrator to edit the Service Provider’s Attribute Acceptance Policy (AAP) so that it accepts only specific regular expressions from chosen Identity Providers, using a GUI rather than editing raw XML.
This protects user confidentiality by ensuring that only the minimum amount of user information required to access protected services is ever exposed. OMII supplies a GridSphere 2.2 portal infrastructure to deploy portlet services. By default, GridSphere has a fairly coarse-grained access control policy which controls which users see which portlets based on some generic user roles stored in a local database. Yet in a complete federated system, it should be Shibboleth that provides this role information. The Content Configuration Portlet (CCP) solves this problem by providing both a dedicated Shibboleth Authentication plug-in for GridSphere and a role-mapping portlet for allocating roles asserted by Shibboleth to individual portlets. This means that any user logging in via Shibboleth sees only the specific portlets they are authorised to invoke, based on externally provided roles. As a technology for providing a generic authorisation infrastructure for access to a variety of services, PERMIS is an ideal solution. The Attribute Certificate Portlet (ACP) allows an administrator (or delegated user) to issue X.509 Attribute Certificates (ACs) to local users, containing pre-agreed roles for access to local or external services. An externally hosted PERMIS-protected service would, at the start of a collaboration, be configured to accept the local authority as a trusted signer and to search the local attribute authority for ACs assigned to that user. Note that here Virtual Organisations are implemented in a decentralised fashion, meaning that every service in the collaboration is free to configure its PERMIS policy any way it chooses. All the collaboration needs to do is agree the attribute rules that will be used across the sites for access; individual sites then control the issuance of Shibboleth and PERMIS credentials.
Using all of these tools together, an administrator would be made aware of a new project and of the agreed text string attribute that Shibboleth can assert for user access. Using SCAMP, the service can be configured to accept only forms of this attribute string from the collaborating sites. The CCP can configure the user's portal view based on these attributes, and the ACP can then issue the required ACs containing the signed attribute string to its local users for any required services. SPAM-GP will be tested in a real use-case scenario supporting the SEE-GEO project, securing portal-based access to a geographical and census data linking service, with the backend services protected by PERMIS. This will allow the data centres to set their own access policies while leaving user management to the individual collaborating sites.
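The attribute-filtering and role-mapping workflow described above (an AAP that accepts only chosen value patterns from chosen Identity Providers, followed by a mapping of the surviving attributes to the portlets a user may see), as an added Python example; this is not code from the paper, from SPAM-GP, or from Shibboleth. The policy model, IdP entity IDs, attribute values and portlet names are constructed for illustration and do not follow the real Shibboleth AAP XML schema.

```python
import re
from typing import Dict, List, Set, Tuple

# Hypothetical policy model (constructed for this example; it is not the
# Shibboleth AAP XML format): attribute name -> list of
# (issuer entityID pattern, accepted value pattern). A value is accepted
# only if some rule matches BOTH the asserting IdP and the value.
AAP: Dict[str, List[Tuple[str, str]]] = {
    "eduPersonAffiliation": [
        (r"https://idp\.site-[ab]\.example\.ac\.uk/shibboleth", r"staff|member"),
    ],
    "eduPersonEntitlement": [
        (r"https://idp\.site-[ab]\.example\.ac\.uk/shibboleth",
         r"urn:mace:example:seegeo:(analyst|curator)"),
    ],
}

# Hypothetical CCP-style role map: accepted attribute value -> portlets
# that a user holding that value is allowed to see.
ROLE_TO_PORTLETS: Dict[str, Set[str]] = {
    "urn:mace:example:seegeo:analyst": {"census-link", "geo-view"},
    "urn:mace:example:seegeo:curator": {"census-link", "geo-view", "geo-admin"},
    "staff": {"profile"},
    "member": {"profile"},
}


def filter_attributes(policy, issuer, attributes):
    """Apply the AAP to the attributes one IdP asserted for a session.

    Patterns are applied with re.fullmatch, so a rule for "staff" is not
    satisfied by "ex-staff", and a rule for one IdP is not satisfied by a
    different entityID that merely contains the same substring. Attributes
    with no rule at all are dropped, which is what keeps unneeded user data
    (for example a mail address) from ever reaching the service.
    """
    accepted = []
    for name, value in attributes:
        for issuer_re, value_re in policy.get(name, ()):
            if re.fullmatch(issuer_re, issuer) and re.fullmatch(value_re, value):
                accepted.append((name, value))
                break
    return accepted


def portlets_for(accepted, role_map):
    """Union of the portlets granted by each accepted attribute value."""
    visible = set()
    for _, value in accepted:
        visible |= role_map.get(value, set())
    return visible


# Constructed sessions: (asserting IdP entityID, attributes as released).
SESSION_SITE_A = (
    "https://idp.site-a.example.ac.uk/shibboleth",
    [
        ("eduPersonAffiliation", "staff"),
        ("eduPersonEntitlement", "urn:mace:example:seegeo:analyst"),
        ("eduPersonEntitlement", "urn:mace:example:other:project"),
        ("mail", "alice@site-a.example.ac.uk"),
    ],
)
SESSION_UNTRUSTED = (
    "https://idp.untrusted.example/shibboleth",
    [
        ("eduPersonAffiliation", "staff"),
        ("eduPersonEntitlement", "urn:mace:example:seegeo:curator"),
    ],
)

if __name__ == "__main__":
    for issuer, attrs in (SESSION_SITE_A, SESSION_UNTRUSTED):
        kept = filter_attributes(AAP, issuer, attrs)
        print(issuer)
        print("  accepted:", kept)
        print("  portlets:", sorted(portlets_for(kept, ROLE_TO_PORTLETS)))
```

The point to check in any regex-driven acceptance policy is anchoring: a pattern evaluated with a search rather than a full match lets a value such as "ex-staff" or an issuer whose entityID merely contains a trusted name satisfy the rule, which defeats the scoping that SCAMP is meant to enforce. Filtering attributes with no rule at all, rather than passing them through by default, is what delivers the minimum-disclosure property the abstract claims.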

Item Type: Conference Proceedings
Keywords: Shibboleth, OMII-UK, PERMIS, gridSphere, PKI, PMI, SPAM-GP
Glasgow Author(s) Enlighten ID: Jiang, Mr Jipu and Sinnott, Professor Richard and Watt, Dr John
Authors: Watt, J., Sinnott, R.O., Doherty, T., and Jiang, J.
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
College/School: University Services > IT Services > Computing Service
Copyright Holders: Copyright © 2008 The Author
Publisher Policy: Reproduced with the permission of the author.
