This document illustrates how to integrate attribute-based authentication into science gateway portal code, based on experience gained in developing GISolve and SimpleGrid. We assume the service that issues the gateway's Grid proxy is written in Java. The implementation uses the GridShib SAML Tools recommended by TeraGrid. The GridShib SAML Tools (Java-based), developed by NCSA, are a SAML toolkit tailored to integrating attribute-based authentication on TeraGrid science gateways.
TeraGrid requires science gateways to send gateway user attributes (user id, email, timestamp of authentication, remote IP) along with the gateway's own identity. The user attributes are collected and used for resource provider (RP)-side accounting and auditing. The general process of attribute-based authentication is as follows:
- A gateway user logs into a science gateway. The gateway server records the user id, email, remote address, and login time
- The gateway user submits a job to a TeraGrid GRAM server. The gateway must issue a Grid proxy with the user attributes embedded as SAML attributes and use it for the job submission
- The Gatekeeper daemon on the GRAM server captures the Grid proxy associated with the job submission and extracts the user attributes into the RP-side GRAM auditing database
- The collected user attributes are used for accounting, auditing, and gateway user-specific job statistics (combined with job data)
The following practice is based on proxy management mechanisms provided in GISolve and SimpleGrid.
GISolve and SimpleGrid use a TeraGrid community account. The Grid proxy is created on demand. Whenever a Grid proxy is needed (e.g., for data transfer, job submission and monitoring, or querying TeraGrid information services), the gateway portal checks its proxy store (in portal memory) for a valid proxy. If no valid proxy is available, a new one is created with the default lifetime (one week). A proxy can be created in two ways: by contacting the TeraGrid MyProxy server or by loading local credentials. To support attribute-based authentication, proxy creation is extended to create and store a GatewayCredential instead of the usual GlobusCredential. Because the user's attributes are embedded in the resulting proxy, that proxy is specific to one portal user: the proxy store must be keyed by user, and a proxy cached for one user must never be handed to another, or the RP's audit records will attribute jobs to the wrong person.
GridShib SAML Tools needs three configuration files: gridshib-tg-gateway-config.properties, gridshib-log4j.properties, and cog.properties. The first two have templates in the GridShib SAML Tools package and can be modified to fit the gateway's needs. For example, GISolve's gridshib-tg-gateway-config.properties looks like this (the attribute OIDs are the standard eduPerson values; the template's domain is assumed to match the gateway's email fallback):
    # gridshib-tg-gateway-config.properties
    IdP.entityID=https://saml.teragrid.org/gateway/gisolve
    # NameID is an eduPersonPrincipalName built from the portal user name
    NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
    NameID.Format.template=%PRINCIPAL%@gisolve.org
    # isMemberOf attribute identifying the gateway's user community
    Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
    Attribute.isMemberOf.Value=group://gisolve.org/gateway
cog.properties tells the Globus Java library (jglobus) where to find the trusted CA certificate directory:
    # cog.properties
    cacert=/home/gisolve/.globus/certificates
The CA certificates recognized by TeraGrid can be downloaded at: http://software.teragrid.org/security/teragrid-certs.tar.gz
This bundle defines which CAs the gateway will trust when it talks to MyProxy and GRAM, so treat it as trust-root configuration: obtain it through a channel you trust and review its contents before installing it into the certificate directory.
You can put gridshib-tg-gateway-config.properties and gridshib-log4j.properties anywhere your portal can find them. cog.properties is usually stored in $HOME/.globus/ because jglobus also relies on this file to work properly.
The portal needs the following GridShib SAML jars on its classpath in order to use the toolkit (they can be copied directly from the GridShib package's library directory):
Other library issues that arise when deploying GridShib inside portal containers are described here.
    import java.io.File;
    import java.util.Date;

    import org.globus.gridshib.config.BootstrapConfigLoader;
    import org.globus.gridshib.config.SAMLToolsConfigLoader;
    import org.globus.opensaml11.saml.SAMLAuthenticationStatement;
    import org.ietf.jgss.GSSCredential;
    import org.teragrid.ncsa.gridshib.security.x509.GatewayCredential;

    // GridShib enhancement: initialize the GridShib SAML Tools with the gateway's
    // identity (gridshib-tg-gateway-config.properties lives in the portlet web app).
    String gridshibConfigPath =
        portlet.getPortletContext().getRealPath("gridshib-tg-gateway-config.properties");
    SAMLToolsConfigLoader.load(new File(gridshibConfigPath));

    // cog.properties is required by GridShib SAML Tools; jglobus reads the same file.
    String gridshibCogPath = System.getProperty("user.home")
        + File.separator + ".globus" + File.separator + "cog.properties";
    BootstrapConfigLoader.setCoGConfigPathDefault(gridshibCogPath);

    // GridShib log4j properties
    String gridshibLoggingPath =
        portlet.getPortletContext().getRealPath("gridshib-log4j.properties");
    BootstrapConfigLoader.setLogConfigPathDefault(gridshibLoggingPath);

    // Create a GatewayCredential for the logged-in portal user; the user name
    // becomes the SAML NameID (formatted through NameID.Format.template).
    GatewayCredential samlcred = new GatewayCredential(user.getUserName());

    // Add the user's email address; fall back to a synthesized gateway address
    // when the portal has none on record.
    String email = user.getEmailAddress();
    if (email == null || email.equals("")) {
        email = user.getUserName() + "@gisolve.org";
    }
    samlcred.addEmailAddress(email);

    // Remote address of the user's client. Note that behind a reverse proxy
    // getRemoteAddr() returns the proxy's address, not the user's.
    String ipAddress =
        ((org.gridsphere.portlet.impl.PortletRequestImpl) req).getRemoteAddr();
    if (ipAddress == null || ipAddress.equals("")) {
        ipAddress = "not.available";
    }

    // Timestamp of the user's login and the method they authenticated with
    Date authnInstant = new Date(user.getLastLoginTime());
    String authnMethod = SAMLAuthenticationStatement.AuthenticationMethod_Password;
    samlcred.setAuthnContext(authnMethod, authnInstant, ipAddress);

    // Manage the gateway credential with SimpleCred: server/port/uname/password
    // identify the MyProxy server and community account, proxyfile is where the
    // proxy is written.
    SimpleCred mycred = new SimpleCred(server, port, uname, password, proxyfile);
    mycred.setGatewayCredential(samlcred);
    mycred.setRemainingTime(7 * 24 * 3600); // one week, in seconds

    // Convert the gateway credential to a GSSCredential, usually just before job
    // submission: samlcred.issue() returns a GlobusCredential with the SAML
    // assertion embedded, and Globus GRAM requires a GSSCredential.
    GSSCredential gsscred = GSIUtil.toGSSCredential(samlcred.issue());
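The following is an added example, not GISolve or SimpleGrid code, that puts the proxy-management description above and the snippet just shown together: a per-user store of attribute-bearing proxies that re-issues a proxy only when the cached one is missing or close to expiry, and that derives the audited remote address correctly when the portal sits behind a reverse proxy. It assumes only the GatewayCredential calls used on this page (constructor, addEmailAddress, setAuthnContext, issue) and the jglobus GlobusCredential and GlobusGSSCredentialImpl classes; GatewayUser, GatewayProxyStore, MIN_REMAINING_SECONDS and the behindTrustedProxy flag are hypothetical names introduced here.

```java
// Added example (not GISolve or SimpleGrid code). Assumes the GatewayCredential
// API shown on this page and the jglobus GlobusCredential/GlobusGSSCredentialImpl
// classes; everything else here is illustrative.
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

import org.globus.gsi.GlobusCredential;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;
import org.globus.opensaml11.saml.SAMLAuthenticationStatement;
import org.ietf.jgss.GSSCredential;
import org.teragrid.ncsa.gridshib.security.x509.GatewayCredential;

public class GatewayProxyStore {

    /** The attributes TeraGrid asks the gateway to embed (hypothetical holder type). */
    public static final class GatewayUser {
        public final String userId;
        public final String email;          // may be null if the portal has none
        public final String remoteAddr;     // from getRemoteAddr()
        public final String forwardedFor;   // X-Forwarded-For header, may be null
        public final long lastLoginMillis;

        public GatewayUser(String userId, String email, String remoteAddr,
                           String forwardedFor, long lastLoginMillis) {
            this.userId = userId;
            this.email = email;
            this.remoteAddr = remoteAddr;
            this.forwardedFor = forwardedFor;
            this.lastLoginMillis = lastLoginMillis;
        }
    }

    /** Proxies with less than this many seconds left are re-issued instead of reused. */
    private static final long MIN_REMAINING_SECONDS = 10 * 60;

    /** Domain for synthesized addresses, following the page's own fallback. */
    private static final String GATEWAY_MAIL_DOMAIN = "gisolve.org";

    /** True only when a reverse proxy we control rewrites X-Forwarded-For. */
    private final boolean behindTrustedProxy;

    /** Keyed by portal user id: the embedded SAML attributes make each proxy user-specific. */
    private final Map<String, GlobusCredential> proxies =
        new HashMap<String, GlobusCredential>();

    public GatewayProxyStore(boolean behindTrustedProxy) {
        this.behindTrustedProxy = behindTrustedProxy;
    }

    /** Returns a GSSCredential for this user, issuing a fresh attribute proxy when needed. */
    public synchronized GSSCredential getOrIssue(GatewayUser user) throws Exception {
        GlobusCredential proxy = proxies.get(user.userId);
        if (proxy == null || proxy.getTimeLeft() < MIN_REMAINING_SECONDS) {
            proxy = issueFor(user);
            proxies.put(user.userId, proxy);
        }
        // GRAM needs a GSSCredential; INITIATE_ONLY suffices for a client-side proxy.
        return new GlobusGSSCredentialImpl(proxy, GSSCredential.INITIATE_ONLY);
    }

    /** Drop a user's proxy at logout so a later session cannot reuse their attributes. */
    public synchronized void invalidate(String userId) {
        proxies.remove(userId);
    }

    /** Builds and issues a GatewayCredential carrying the user's attributes. */
    GlobusCredential issueFor(GatewayUser user) throws Exception {
        GatewayCredential samlcred = new GatewayCredential(user.userId);
        samlcred.addEmailAddress(emailFor(user));
        // Password is what the page uses; map other portal login methods accordingly.
        samlcred.setAuthnContext(SAMLAuthenticationStatement.AuthenticationMethod_Password,
                                 new Date(user.lastLoginMillis),
                                 clientAddress(user));
        return samlcred.issue();
    }

    static String emailFor(GatewayUser user) {
        if (user.email == null || user.email.trim().isEmpty()) {
            return user.userId + "@" + GATEWAY_MAIL_DOMAIN;
        }
        return user.email.trim();
    }

    /**
     * The remote address the RP will audit. Behind a reverse proxy getRemoteAddr() is
     * the proxy itself, so use the last X-Forwarded-For entry (the one our proxy
     * appended); never trust that header when no proxy of ours fronts the portal.
     */
    String clientAddress(GatewayUser user) {
        if (behindTrustedProxy && user.forwardedFor != null
                && !user.forwardedFor.trim().isEmpty()) {
            String[] hops = user.forwardedFor.split(",");
            return hops[hops.length - 1].trim();
        }
        if (user.remoteAddr == null || user.remoteAddr.trim().isEmpty()) {
            return "not.available";   // the page's own placeholder
        }
        return user.remoteAddr.trim();
    }
}
```

A portal would keep one GatewayProxyStore per web application, call getOrIssue(user) immediately before each GRAM submission or GridFTP transfer, and call invalidate(userId) from its logout handler. Keying the store by user id rather than holding a single gateway-wide proxy is the point: the community account's key is shared, but each issued proxy asserts one person's identity and must not outlive or escape that person's session.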