...

Does any of this make sense?

David

...

From:     Kejian Jin <kjin@ats.ucla.edu>
To:     David H Walker <dhwalker@ucdavis.edu>
Cc:     Prakashan Korambath <ppk@ats.ucla.edu>, Arlene Allen <arlene.allen@isc.ucsb.edu>, Labate, Bill <labate@ats.ucla.edu>, Wu, Albert <albertwu@ucla.edu>, Russ Hobby <rdhobby@ucdavis.edu>
Subject:     Re: UC-wide authentication for UC Grid
Date:     Tue, 10 Feb 2009 16:40:41 -0800

Hi,

A Shibbolized GridSphere already exists.  People have changed
GridSphere so that it allows Shibboleth as a PAM for GridSphere.

That project is from Australia: https://mams.melcoe.mq.edu.au/zope/mams/kb/all/GridSphere%20Wink%20demo.zip/view

I have their source code.

Basically, the Shibboleth IdP has to pass userName, surName, givenName,
Organization, email, IDP and Role to GridSphere, which internally creates a
User object for GridSphere in real time.  It modifies the GridSphere login
to do that.

I am more interested in discussing how we could create a short-lived
credential for a user that will authorize the user to use certain resources
(authorization).  I would really like to clarify the meaning of
"Single Sign-On".  Most people use that Shibbolized GridSphere for
portal sign-in authentication, but it is never used for
authorization of resources.

I have worked on a project before.  That project
creates a Unix virtual workspace, creates a certificate (once),
generates a proxy in real time and submits jobs and applications
to the cluster as a pool user.
Please see https://research.ucgrid.org
Anyone with a UCLA ID will be able to have a virtual desktop and submit
jobs, or run some grid applications...

I hope the discussion we planned will help us generate some ideas about
how to do that in a secure and easy-to-deploy way.  There are many ways
of doing the same thing, but we would really like to have your input:

The following are my thoughts on doing that:

Method 1:  The IdP gets the username and password, and uses the username and
password to retrieve a proxy from myproxy.ucgrid.org.  It is just a command,
something like this: get-myproxy -h myproxy.ucgrid.org username password.
It will include that delegated, short-lived credential in the Assertion.

Method 2:  The IdP passes a unique string (like the one in OpenLDAP) to the
SP; the SP understands that and looks up some sort of database to figure out
the username and password, generates the user proxy and uses that for job
submission.

.......

More input and discussion are needed!

Thank you very much for your time...

Regards,

Kejian Jin
UCLA Grid Team
UCLA Web: http://grid.ucla.edu
UC Web: http://portal.ucgrid.org
University Of California, Los Angeles
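Method 2 above, worked through as an added example (this is editorial code written for this page, not UC Grid, UCTrust, GridSphere or MyProxy code). It assumes the IdP releases its entity ID in an attribute named IDP and the unique string in userName, uses a constructed mapping table in place of the SP's database, and stands in an HMAC-signed, time-bounded token for the X.509 proxy a real deployment would obtain from MyProxy; the shared key, pool account names, entity IDs and identifiers are all made up. The checks a practitioner would want are the point: the SP keys its lookup on the (IdP, identifier) pair and refuses unknown identities, and the cluster side rejects bad MACs and anything outside the lifetime window. Note also that in Method 1 as written the IdP handles the user's password and the assertion carries the proxy, which for an X.509 proxy credential includes its private key; Method 2 keeps both the password and the private key on the SP side.

```python
"""SP-side credential broker for "Method 2" in the message above.

Added example written for this page; not UC Grid, UCTrust, GridSphere or
MyProxy code.  Assumptions (none are from the thread):
  - the IdP releases 'IDP' (its entity ID) and 'userName' (the stable
    unique string the message mentions) as attributes;
  - POOL_ACCOUNTS stands in for the SP's lookup database;
  - the "credential" is an HMAC-signed, time-bounded token shared with the
    cluster gatekeeper, standing in for an X.509 proxy from MyProxy.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed mapping: keyed by (IdP entity ID, unique string) so the same
# local identifier at two campuses can never collide on one pool account.
POOL_ACCOUNTS = {
    ("https://idp.ucla.edu/shibboleth",
     "uid=alice,ou=People,dc=ucla,dc=edu"): "pool01",
    ("https://idp.ucdavis.edu/shibboleth",
     "uid=bob,ou=People,dc=ucdavis,dc=edu"): "pool02",
}

# Constructed secret shared by the SP and the cluster gatekeeper (hypothetical).
SHARED_KEY = b"replace-with-a-random-256-bit-key"
MAC_LEN = hashlib.sha256().digest_size      # 32 bytes
DEFAULT_LIFETIME = 12 * 3600                # seconds; proxy-like lifetime


def lookup_pool_account(attributes):
    """Map the asserted (IDP, userName) pair to a pool account, or None.

    Both attributes are required: a userName alone is ambiguous across
    campuses, and without IDP we cannot tell who vouched for it.
    """
    idp = attributes.get("IDP")
    uid = attributes.get("userName")
    if not idp or not uid:
        return None
    return POOL_ACCOUNTS.get((idp, uid))


def _mac(payload):
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()


def issue_credential(attributes, lifetime=DEFAULT_LIFETIME, now=None):
    """SP side: mint a short-lived credential for the asserted user.

    Raises PermissionError for an unknown federated identity, so an
    assertion from any IdP cannot become cluster access by accident.
    """
    account = lookup_pool_account(attributes)
    if account is None:
        raise PermissionError("no pool account for the asserted identity")
    now = int(time.time()) if now is None else int(now)
    claims = {
        "sub": attributes["userName"],
        "idp": attributes["IDP"],
        "account": account,
        "iat": now,
        "exp": now + int(lifetime),
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _mac(payload)).decode()


def verify_credential(token, now=None):
    """Cluster side: return the claims if the token is authentic and live.

    Returns None for malformed tokens, bad MACs and anything outside the
    [iat, exp) window, so an expired credential is as useless as a forged one.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                      # includes binascii.Error
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    now = int(time.time()) if now is None else int(now)
    if not (claims["iat"] <= now < claims["exp"]):
        return None
    return claims


if __name__ == "__main__":
    # Constructed attribute set, as a Shibbolized portal would receive it.
    asserted = {"IDP": "https://idp.ucla.edu/shibboleth",
                "userName": "uid=alice,ou=People,dc=ucla,dc=edu",
                "givenName": "Alice", "surName": "Example"}
    token = issue_credential(asserted, lifetime=3600)
    print("issued for", verify_credential(token)["account"])
```

The lifetime is enforced on the verifying side only, which is the property that matters: once the window closes, a captured token is worthless whether or not the SP is still running. A real deployment would replace the HMAC token with a MyProxy-issued proxy and keep the lookup and refusal logic as is.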

...

From:     David Walker <DHWalker@ucdavis.edu>
To:     Kejian Jin <kjin@ats.ucla.edu>
Cc:     Prakashan Korambath <ppk@ats.ucla.edu>, Arlene Allen <arlene.allen@isc.ucsb.edu>, Labate, Bill <labate@ats.ucla.edu>, Wu, Albert <albertwu@ucla.edu>, Russ Hobby <rdhobby@ucdavis.edu>, ...
Subject:     Re: UC-wide authentication for UC Grid
Date:     Tue, 17 Feb 2009 11:50:59 -0800

Kejian,

Good news about the software from Australia.  Looking over their demo, it seems to me that their "guest" user would correspond to our "pool" users.  Does that sound right to you?  I'm not sure that all of our campuses would have all of the attributes that the Australians plan to use, but that may not be a big issue.  The user could also be prompted for the missing information during registration.

I also like your ideas about using UCTrust to pass authorization, as well as authentication, although that's probably a longer-term (phase 2?) issue.  It strikes me, also, that it will probably apply only to clusters that have given authorization controls to the grid; many will not.

FYI, I've created an area within the UCTrust wiki space for us at:

https://spaces.ais.ucla.edu//x/SA43AQ

See you tomorrow.

David