Implementing Attribute-based Authentication on TeraGrid Science Gateway

This document illustrates how to integrate attribute-based authentication into science gateway portal code, based on experience gained in developing GISolve and SimpleGrid. We assume the service that issues a gateway Grid proxy is written in Java. The implementation uses the GridShib SAML Tools recommended by TeraGrid. The GridShib SAML Tools (Java-based), developed by NCSA, are a SAML toolkit tailored to integrating attribute-based authentication on TeraGrid science gateways.

Requirements

TeraGrid requires science gateways to send gateway user attributes (user id, email, timestamp of authentication, remote IP) along with the gateway's own identity. These attributes are collected and used for resource provider (RP) side accounting and auditing. The general process of attribute-based authentication is as follows:

  1. A gateway user logs into a science gateway. The gateway server records the user id, email, remote address, and login time
  2. The gateway user submits a job to a TeraGrid GRAM server. The gateway must issue a Grid proxy with the user attributes embedded as SAML attributes for that job submission
  3. The gatekeeper daemon on the GRAM server captures the Grid proxy associated with the job submission and extracts the user attributes into the RP-side GRAM auditing database
  4. The collected user attributes are used for accounting, auditing, and gateway user-specific job statistics (combined with job data)

Portal coding

The following practice is based on the proxy management mechanisms provided in GISolve and SimpleGrid.

Proxy management

GISolve and SimpleGrid use a TeraGrid community account. A Grid proxy is created on demand: whenever a Grid proxy is needed (e.g., data transfer, job submission and monitoring, querying TeraGrid information services), the gateway portal checks its proxy store (in portal memory) for a valid proxy. If no valid proxy is available, a new one is created with the default lifetime (one week). Proxy creation can be done in two ways: contacting the TeraGrid MyProxy server or loading local credentials. To support attribute-based authentication, proxy creation is extended to create and store a GatewayCredential instead of the usual GlobusCredential. Because a GatewayCredential carries one user's attributes, the stored proxy belongs to that user and must not be handed out for another user's requests, or the RP-side audit trail will attribute the wrong person's jobs to that user.
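As an added example (not GISolve or SimpleGrid code), here is the per-user proxy store logic described above, written against the standard org.ietf.jgss.GSSCredential interface. The ProxyIssuer hook, the class names and the one-week constant are assumptions; what it shows is that a proxy carrying one user's attributes is keyed by that user, is re-issued when its remaining lifetime is shorter than the job needs, and is dropped at logout so that a later login produces a proxy with a fresh AuthnContext rather than reusing stale login time and address attributes:

```java
import java.util.HashMap;
import java.util.Map;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

/**
 * Added example, not GISolve or SimpleGrid code: a per-user proxy store.
 * Once the proxy carries a user's SAML attributes it is no longer a
 * gateway-wide credential, so entries are keyed by gateway user id and
 * removed on logout.
 */
public final class GatewayProxyStore {

    /** Assumed hook: builds a fresh GatewayCredential-backed GSSCredential for one user. */
    public interface ProxyIssuer {
        GSSCredential issue(String userId) throws GSSException;
    }

    // one week, the default proxy lifetime used in the text
    private static final int DEFAULT_LIFETIME_SECONDS = 7 * 24 * 3600;

    private final ProxyIssuer issuer;
    private final Map<String, GSSCredential> proxies = new HashMap<String, GSSCredential>();

    public GatewayProxyStore(ProxyIssuer issuer) {
        this.issuer = issuer;
    }

    /**
     * Returns a proxy for the user that will still be valid for at least
     * minRemainingSeconds (e.g. the job's wall-clock limit), issuing a new
     * one if the cached proxy is missing, expired, or too close to expiry.
     */
    public synchronized GSSCredential get(String userId, int minRemainingSeconds) throws GSSException {
        if (userId == null || userId.length() == 0) {
            throw new IllegalArgumentException("user id required: attribute proxies are per user");
        }
        if (minRemainingSeconds < 0 || minRemainingSeconds > DEFAULT_LIFETIME_SECONDS) {
            throw new IllegalArgumentException("requested lifetime exceeds the proxy lifetime");
        }
        GSSCredential cached = proxies.get(userId);
        if (cached != null && usable(cached, minRemainingSeconds)) {
            return cached;
        }
        dispose(cached);                       // expired or nearly so: release it before replacing
        GSSCredential fresh = issuer.issue(userId);
        proxies.put(userId, fresh);
        return fresh;
    }

    /** Call from the logout handler so a departed user's proxy is never reused. */
    public synchronized void invalidate(String userId) {
        dispose(proxies.remove(userId));
    }

    public synchronized int size() {
        return proxies.size();
    }

    static boolean usable(GSSCredential cred, int minRemainingSeconds) {
        try {
            int left = cred.getRemainingLifetime();   // seconds left on the proxy
            return left > minRemainingSeconds;
        } catch (GSSException e) {
            return false;                           // an unreadable credential is unusable
        }
    }

    private static void dispose(GSSCredential cred) {
        if (cred == null) return;
        try {
            cred.dispose();
        } catch (GSSException e) {
            // already released; nothing further to do
        }
    }
}
```

Wire the GatewayCredential creation shown later in this document into ProxyIssuer.issue, and call invalidate(userId) from the portal's logout handler. A job that has already been submitted holds its own delegated copy of the proxy, so disposing the cached handle does not affect running work.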

Setting up GridShib configuration and environment

The GridShib SAML Tools need three configuration files: gridshib-tg-gateway-config.properties, gridshib-log4j.properties, and cog.properties. The first two have templates in the GridShib SAML Tools package that can be modified to fit gateway needs. For example, GISolve's gridshib-tg-gateway-config.properties looks like this:

# gridshib-tg-gateway-config.properties
IdP.entityID=https://saml.teragrid.org/gateway/gisolve
NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
NameID.Format.template=%PRINCIPAL%@gisolve.org
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://gisolve.org/gateway

cog.properties tells the Globus Java library (jglobus) where to find the trusted CA certificate directory:

# cog.properties
cacert=/home/gisolve/.globus/certificates

CA certificates recognized by TeraGrid can be downloaded from: http://software.teragrid.org/security/teragrid-certs.tar.gz
You can put gridshib-tg-gateway-config.properties and gridshib-log4j.properties anywhere your portal can locate them. cog.properties is usually stored in $HOME/.globus/ because jglobus also relies on this file to work properly.

Including GridShib SAML library

The portal needs the following GridShib SAML jars on its classpath in order to use the tools (they can be copied directly from the GridShib package's library directory):

  1. commons-codec-1.3.jar
  2. globus-opensaml-1.1.jar
  3. gridshib-common-0_5_0.jar

Other library issues that arise when deploying GridShib inside portal containers are described separately.

Importing GridShib SAML classes

import java.io.File;
import java.util.Date;
import org.ietf.jgss.GSSCredential;
import org.globus.gridshib.config.BootstrapConfigLoader;
import org.globus.gridshib.config.SAMLToolsConfigLoader;
import org.globus.gridshib.security.util.GSIUtil;
import org.globus.opensaml11.saml.SAMLAuthenticationStatement;
import org.teragrid.ncsa.gridshib.security.x509.GatewayCredential;

Loading GridShib SAML configuration in portal

// GridShib enhancement: initialize the GridShib SAML Tools with the SimpleGrid identity info.
// portlet is the GridSphere portlet; the two .properties files live in the portlet's web root.
String gridshibConfigPath = portlet.getPortletContext().getRealPath("gridshib-tg-gateway-config.properties");
if (gridshibConfigPath == null) {
    throw new IllegalStateException("gridshib-tg-gateway-config.properties not found in portlet context");
}
SAMLToolsConfigLoader.load(new File(gridshibConfigPath));
// cog.properties is required by the GridShib SAML Tools (and by jglobus)
String gridshibCogPath = System.getProperty("user.home") + File.separator + ".globus" + File.separator + "cog.properties";
BootstrapConfigLoader.setCoGConfigPathDefault(gridshibCogPath);
// GridShib log4j properties
String gridshibLoggingPath = portlet.getPortletContext().getRealPath("gridshib-log4j.properties");
BootstrapConfigLoader.setLogConfigPathDefault(gridshibLoggingPath);

Creating gateway proxy with user attributes

// create a GatewayCredential, initialized with the gateway user name (the SAML NameID principal)
String uid = user.getUserName();
GatewayCredential samlcred = new GatewayCredential(uid);
// add the user's email address; fall back to a gateway-local address when the profile has none,
// so the attribute is never empty (RP auditors should know that this default is a placeholder)
String email = user.getEmailAddress();
if (email == null || email.equals("")) email = uid + "@gisolve.org";
samlcred.addEmailAddress(email);
// add the remote address of the user's client (behind a reverse proxy this is the proxy's address)
String ipAddress = ((org.gridsphere.portlet.impl.PortletRequestImpl) req).getRemoteAddr();
if (ipAddress == null || ipAddress.equals("")) ipAddress = "not.available";
// timestamp of the login that created the current session
Date authnInstant = new Date(user.getLastLoginTime());
// authentication method: gateway users log in with a password
String authnMethod = SAMLAuthenticationStatement.AuthenticationMethod_Password;
samlcred.setAuthnContext(authnMethod, authnInstant, ipAddress);
// manage the gateway credential with SimpleCred, the gateway's own proxy-management helper;
// its arguments are the MyProxy server and port, the login used there, and the local proxy file
// (see Proxy management above)
mycred = new SimpleCred(server, port, uname, password, proxyfile);
mycred.setGatewayCredential(samlcred);
mycred.setRemainingTime(7 * 24 * 3600); // one week

// convert the gateway credential to a GSSCredential: usually called just before job submission.
// samlcred.issue() issues a proxy certificate with the SAML attributes embedded and returns a
// GlobusCredential; Globus GRAM requires a GSSCredential
GSSCredential gsscred = GSIUtil.toGSSCredential(samlcred.issue());
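The ipAddress recorded above comes straight from getRemoteAddr(). If the portal sits behind a reverse proxy or load balancer, that is the proxy's address, and the client's address is only in the X-Forwarded-For header, which any client can forge. The following added example (not code from the original page or from GISolve/SimpleGrid) shows one way to choose the address that goes into setAuthnContext. It is written against javax.servlet.http.HttpServletRequest rather than GridSphere's PortletRequestImpl, and the trusted proxy set and class name are assumptions to fill in for your deployment:

```java
import java.util.Collections;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example, not part of GISolve/SimpleGrid: pick the client address to
 * record in the gateway credential's AuthnContext. getRemoteAddr() is the
 * direct TCP peer; behind a reverse proxy that is the proxy, and the client
 * address lives in X-Forwarded-For, which the client itself can forge. The
 * header is therefore honoured only when the peer is a proxy we operate.
 */
public final class AuditClientAddress {

    public static final String NOT_AVAILABLE = "not.available";

    // Syntactic checks only: the aim is to never record arbitrary header text as an address.
    private static final Pattern IPV4 = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");
    private static final Pattern IPV6 = Pattern.compile("[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*");

    private final Set<String> trustedProxies;  // assumed: addresses of your own reverse proxies

    public AuditClientAddress(Set<String> trustedProxies) {
        this.trustedProxies = Collections.unmodifiableSet(trustedProxies);
    }

    /** Address to pass as the third argument of GatewayCredential.setAuthnContext. */
    public String resolve(HttpServletRequest req) {
        return resolve(req.getRemoteAddr(), req.getHeader("X-Forwarded-For"));
    }

    /** Pure form of the decision so it can be exercised without a servlet container. */
    String resolve(String peer, String xff) {
        if (!isLiteral(peer)) {
            return NOT_AVAILABLE;
        }
        if (!trustedProxies.contains(peer) || xff == null || xff.trim().length() == 0) {
            return peer;               // direct connection (or no header): the peer is the client
        }
        // X-Forwarded-For: client, proxy1, proxy2, ... Walk from the right past our own hops;
        // the first hop we do not trust is the best available estimate of the client.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!isLiteral(hop)) {
                return NOT_AVAILABLE;  // malformed or spoofed text: record nothing rather than garbage
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return peer;                   // every hop was one of ours; fall back to the peer
    }

    static boolean isLiteral(String s) {
        if (s == null || s.length() == 0) return false;
        return IPV4.matcher(s).matches() || IPV6.matcher(s).matches();
    }
}
```

Use new AuditClientAddress(proxies).resolve(req) in place of the bare getRemoteAddr() call when computing ipAddress. The header walk is only meaningful when the listed proxies append the connecting address to X-Forwarded-For (or overwrite it) rather than passing a client-supplied value through unchanged; if they pass it through, the header is worthless for auditing and the peer address should be recorded instead.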
