interoperable portal services
Posted on 12-Jan-2016
Interoperable Portal Services
Marlon Pierce, Community Grids Lab, Indiana University
Project: ET011
- Goals of the project are to demonstrate interoperability between Portal/PSE projects:
  - Mary Thomas (PI), TACC: HotPage
  - Tomasz Haupt, MSU: DMEFS
  - Marlon Pierce, IU: Gateway
- We are building interoperability at two levels:
  - Web services provide standard interfaces
  - Portlets provide component-based interfaces
Portal Security
- We are building off Gateway's approach for Web-based security for DOD portals.
  - Approved for ARL and ASC
- Users kinit to a web server to get a ticket.
- SSL, MD5 sessions, certificates maintain the secure connection.
- Web server typically located in the DMZ.
- Web server manages session IDs, invokes backend requests with Kerberos client utilities.
[Diagram: Browser -> HTTPS -> Web Server (in DMZ) -> krcp, krsh -> HPC hosts]
Portlets and Containers
- One of the problems of previous portal development is that there is no good way to share interface components.
  - How do developers share web interfaces?
  - Also, how can we avoid constantly reinventing things like login services, customization services, page organization, and access controls?
- Answer: use portlets and containers.
- Becoming a recognized best practice for portal development because it enables distributed portal development.
  - OKC, Alliance Portal, HotPage, QuakeSim, NEESGrid, CHEF, GridLab, and many others have adopted this approach.
What Is a Portlet?
- A portlet is a piece of Java code that runs in a Web server inside a container servlet.
- Portlets can do two things:
  - Perform non-visual operations such as making connections to remote hosts and performing operations. Example: get a list of local files.
  - Create their display. The portlet passes its display to its parent, which is responsible for constructing the entire display.
    - Typically this is HTML, with tables used to organize component displays.
    - Other displays are possible (VoiceXML, WML).
Portlet Development
- Portlets may be either abstract types or instances.
- Abstract types allow extensibility.
- In support of this project, we have developed abstract portlets that can:
  - Maintain session state and manage multiple cookies.
  - Make secure connections.
  - Pass form parameters.
  - Retain navigation of legacy JSP pages.
[Diagram: Jetspeed portlet rendering pipeline. Turbine Servlet -> Screen Manager -> PortletController(s) -> Portlets (RSS, HTML, JSP, Web Page, Local Portlets, Data Portlet); page layout described by PSML and PortletControl; each portlet emits ECS elements, and the ECS root is rendered to HTML through VM templates]
Portal Services
- We have several services that we are portletizing as part of this project:
  - Job submission
  - File transfer
  - Job monitoring
- We are developing DOD versions of TACC's GPIR services.
- We are extending the Jetspeed login to support web kiniting (with SecurID).
Job Submission
- Primarily based at ARL.
  - Support Fluent, ANSYS, ABAQUS.
  - Services construct GRD scripts, allow users to run and archive jobs.
- We are extending this to support ANSYS at ASC, DMEFS codes at ARL.
- We need to extend script generators for other queuing systems: PBS, LoadLeveler, LSF.
File Management
- File management services allow you to:
  - Upload and download files between the desktop and remote HPC.
  - Download entire directories as zipped files.
  - Delete remote files.
  - Navigate remote directories.
  - Unzip/untar remotely.
- Targeting ASC and ARL initially.
  - ARL is available in production.
Job Monitoring
- We have web interfaces that allow you to monitor your jobs on various hosts.
  - Constructs an HTML table of your running jobs in a unified format.
  - Allows you to stop jobs.
- We support GRD in the production portal at ARL.
- Have ported this to PBS, LSF, and LoadLeveler as part of this project.
Access to Portlets
- Obviously not all users have accounts at all centers.
  - An ASC file browser should be accessible only to users with an ASC account.
- Jetspeed has role-based access control to portlets.
  - Each user can be assigned to one or more user roles (ERDC, ASC, etc.).
  - This controls which portlets a user can add to his or her display.
GridPort Information Repository (GPIR)
- Developed by the TACC group for NPACI resources.
- Porting this to DOD.
- Aim is to aggregate and cache grid- and portal-related data from multiple sources in a uniform way.
  - MDS, NWS, custom data providers
GPIR Approach
GPIR is implemented as a set of Java Web Services, one to handle the input of GPIR data (Ingester WS) and another to facilitate the querying of that data (Query WS). The Ingester WS accepts or "ingests" several types of XML documents and stores them in a relational database (currently MySQL, Postgres). These documents are created by a variety of means, including Java clients that exist on the resources themselves, HTTP "web scraping" of machine-specific flat-file formats, and queries of additional information providers such as MDS, GMS (Grid Monitor Service), and NWS (Network Weather Service). Persistently stored data can then be queried via the Query Web Service, which uses the same XML resources used by the Ingester, in addition to some query-specific documents that can return XML such as Machine Summary data.
GPIR Schema Types
- Static: static data for a machine.
- Load: load data for a machine.
- Status: machine status (up, down, unavailable).
- Downtime: downtime data for a machine.
- Jobs: job data for a machine.
- MOTD: Message of the Day data for a machine.
- Nodes: nodes data for a machine.
- Services: represents the status of grid software running on a system.
- NWS: returns bandwidth and latency measurements of the type returned by NWS.
More Information
- Contact: firstname.lastname@example.org
- GPIR: http://www.tacc.utexas.edu/grid/gpir/
- Gateway: http://www.gatewayportal.org
- DMEFS: http://www.erc.msstate.edu/~haupt/DMEFS/
Secure Web Services
Choonhan Youn, Marlon Pierce and Geoffrey Fox
EECS, Syracuse University and Community Grids Lab, IU
Security Requirements for Web Services
- Need mutual authentication between clients and the User Interface server.
  - Clients are browsers: they understand SSL but not Kerberos.
  - Tunnel HTTP requests through a secure CORBA connection.
  - Provide a browser interface that will create a Kerberos TGT on the server for the user.
- Need secure SOAP messages between the user interface server and the repository and the service provider.
- Examples of problems if you have no security?
[Diagram: Web Browser -> User Interface Server -> (Security ?) -> SOAP messages to the back-end services]
Security Problems with Web Services
- How can I support single sign-on?
- How do I authenticate the sender of the SOAP message?
- How do I control access to resources?
- How do I verify the message has arrived unaltered?
- How do I keep the contents of the message secret?
- How can I do this in a transparent way with a number of different mechanisms (Kerberos, PKI, GSI)?
- How do I find out all the above attributes for a particular SOAP message?
Integration of Security into Web Services
- Authentication through single sign-on.
  - Kerberos, PKI
  - Distributed ticket system
  - Getting assertions about authentication, authorization, user attributes
- SOAP security should be provided through standard interfaces to specific mechanisms.
  - General methods are message signing, message integrity, and message encryption.
  - Kerberos, PKI are specific mechanisms.
- An assertion is an XML document describing information about authentication acts performed by subjects, attributes of subjects, and authorization decisions, created with a specific mechanism.
[Diagram: Users authenticate to a Security Mechanism, which generates assertions; the assertions are signed and encrypted and carried over HTTP to each Web Service]
Security Assertions
- SAML is a standard security assertion markup language.
- SAML assertions can be added to SOAP messages.
- Assertions contain:
  - Authentication info
  - Attributes
  - Authorization decisions
[Diagram: SOAP message carried over HTTP: a SOAP Envelope containing a SOAP Header (which carries the SAML Assertion) and a SOAP Body]
The client-side process
- Convert the SAML schema to Java classes.
  - Castor can be used to easily convert between XML and Java data objects.
- Develop utility classes for creating assertions, marshalling them back and forth between Java and SAML.
  - Assertion attributes are filled in by the appropriate mechanism.
- Login process: the authentication and getting the Kerberos ticket.
- Establish the security context with the server for getting the shared key.
- Generate the user's SAML security assertion.
- Sign the user assertion and SOAP Body messages.
- Rebuild the SOAP messages.
The message structure of the SOAP request on the client-side.
[Slide shows the request XML with the Kerberos ticket embedded; the visible assertion values are the issuer http://www.gatewayportal.org/agreement.xml, the authentication method urn:ietf:rfc:1510 (the SAML URI for Kerberos), "A Kerberos Ticket", and the value 5]
The server-side process
- Establish the security context with the client for getting the shared key.
- Handle the SOAP message.
  - Secure assertion message.
  - Secure body message.
  - Security mechanism name such as Kerberos, PKI.
  - Message format such as SAML, WS-Security.
- Unwrap the secure assertion.
  - It checks the validity of the assertions:
    - Issuer name
    - Conditions time limit
    - Subject name
    - Authorization for accessing resources
- Unwrap SO
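As an added illustration (not code from the slides or from the Gateway project), the client-side and server-side steps described above in Python: the assertion goes in the SOAP Header, the assertion and the Body are each authenticated, and the server checks signatures, issuer, validity window, subject and authorization in that order. An HMAC under the shared key obtained from the security-context step stands in for the XML signature the slides describe; the operation element, user names and the access table are constructed for the example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
KERBEROS = "urn:ietf:rfc:1510"  # SAML 1.0 AuthenticationMethod URI for Kerberos
ET.register_namespace("soap", SOAP)
ET.register_namespace("saml", SAML)

def _mac(elem, key):
    """HMAC-SHA256 over the serialized element (assumed stand-in for XML-DSig)."""
    return base64.b64encode(hmac.new(key, ET.tostring(elem), hashlib.sha256).digest()).decode()

def build_request(user, issuer, key, operation, now=None):
    """Client side: SAML assertion in the SOAP Header, MACs over assertion and Body."""
    now = now or datetime.now(timezone.utc)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    a = ET.SubElement(hdr, f"{{{SAML}}}Assertion", Issuer=issuer, MajorVersion="1")
    ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=now.isoformat(),
                  NotOnOrAfter=(now + timedelta(minutes=5)).isoformat())
    st = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement", AuthenticationMethod=KERBEROS)
    ET.SubElement(ET.SubElement(st, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameIdentifier").text = user
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, operation)  # constructed operation element, e.g. RunJob
    ET.SubElement(hdr, "Signatures", assertion=_mac(a, key), body=_mac(body, key))
    return ET.tostring(env)

def verify_request(data, key, trusted_issuer, allowed, now=None):
    """Server side: signatures first, then issuer, validity window, subject, authorization."""
    now = now or datetime.now(timezone.utc)
    env = ET.fromstring(data)
    hdr, body = env.find(f"{{{SOAP}}}Header"), env.find(f"{{{SOAP}}}Body")
    a, sig = (hdr.find(f"{{{SAML}}}Assertion"), hdr.find("Signatures")) if hdr is not None else (None, None)
    if a is None or sig is None or body is None or len(body) == 0:
        return False, "malformed request"
    if not (hmac.compare_digest(sig.get("assertion", ""), _mac(a, key))
            and hmac.compare_digest(sig.get("body", ""), _mac(body, key))):
        return False, "bad signature"
    if a.get("Issuer") != trusted_issuer:
        return False, "untrusted issuer"
    c = a.find(f"{{{SAML}}}Conditions")
    nb, na = (datetime.fromisoformat(c.get(k)) for k in ("NotBefore", "NotOnOrAfter"))
    if not nb <= now < na:
        return False, "assertion outside its validity window"
    user, op = a.findtext(f".//{{{SAML}}}NameIdentifier"), body[0].tag
    if op not in allowed.get(user, ()):  # allowed: constructed user -> operations table
        return False, f"{user} not authorized for {op}"
    return True, user
```

Because the MAC covers the serialized assertion, changing the subject name or the Conditions window after signing fails the signature check before the issuer, time and authorization checks are reached.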