OpenID for Science Community

From IIW

Conveners: Dhivakaran Murugananatham & Michael Helm

Notes-taker: Michael Helm

Tags: Openid, authorization, legacy

Discussion notes:


Intro to OpenID – Dhiva’s slides

Discussion about Grid computing in a nutshell

X.509 based, but also other tools like ssh & ftp used in distributed computing

Questions about how we register people to get X.509 certs (technology embedded in grids)

How do we authorize jobs?

  • Privileges etc. in a database
  • Gridmap file is the core of how job privileges are managed, ultimately
  • Here is a subject name (DN) – here is how you recognize it
    • Then there is a separate access control system that manages
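The two-stage scheme sketched above (gridmap file maps a certificate subject DN to a local account; a separate access control layer then decides what that account may do) is easy to see in code. The following is an added example, not something presented in the session: the grid-mapfile contents are constructed in the Globus format (a quoted DN followed by comma-separated local accounts), the proxy-certificate handling is a simplified reading of RFC 3820 / legacy Globus proxy naming, and the `QUEUE_ACL` table is a hypothetical stand-in for whatever separate access control system a site actually runs.

```python
"""Gridmap lookup followed by a separate authorization decision.

Added example for these notes, not code from the session or from Globus.
The grid-mapfile text and the queue ACL below are constructed for the
example; the ACL stands in for a site's real access-control system.
"""
import shlex
from typing import Dict, List, Optional, Set

# Constructed sample in grid-mapfile syntax: a quoted subject DN, then one
# or more local account names separated by commas. '#' starts a comment.
GRIDMAP = '''\
# constructed sample grid-mapfile (not a real site's file)
"/DC=org/DC=example/OU=People/CN=Alice Researcher" alice
"/DC=org/DC=example/OU=People/CN=Bob Operator" bob,ops
"/DC=org/DC=example/OU=Services/CN=batch.example.org" batchsvc
'''

# Hypothetical stand-in for the separate access-control system: which
# local accounts may submit to which batch queue.
QUEUE_ACL: Dict[str, Set[str]] = {
    "debug": {"alice", "bob", "batchsvc"},
    "production": {"ops", "batchsvc"},
}


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {subject DN: [local accounts]}."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shlex keeps the quoted DN (with spaces) as one token
        if len(parts) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected a DN and an account list")
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def strip_proxy_components(dn: str) -> str:
    """Recover the end-entity DN from a proxy-certificate subject.

    Simplified: RFC 3820 proxies append "/CN=<serial number>" to the issuer's
    DN, and older Globus proxies append "/CN=proxy" or "/CN=limited proxy".
    Repeated for proxies of proxies (delegation chains).
    """
    parts = dn.split("/")
    while parts and (
        parts[-1] in ("CN=proxy", "CN=limited proxy")
        or (parts[-1].startswith("CN=") and parts[-1][3:].isdigit())
    ):
        parts.pop()
    return "/".join(parts)


def authorize_job(dn: str, queue: str,
                  gridmap: Dict[str, List[str]],
                  acl: Dict[str, Set[str]]) -> Optional[str]:
    """Return the local account the job should run as, or None if denied.

    Step 1 (gridmap): identity -> candidate local accounts.
    Step 2 (ACL): pick the first candidate the queue's policy admits.
    An unmapped DN never reaches step 2, so unknown subjects are denied.
    """
    end_entity_dn = strip_proxy_components(dn)
    candidates = gridmap.get(end_entity_dn, [])
    allowed = acl.get(queue, set())
    for account in candidates:
        if account in allowed:
            return account
    return None


if __name__ == "__main__":
    gm = parse_gridmap(GRIDMAP)
    alice_proxy = "/DC=org/DC=example/OU=People/CN=Alice Researcher/CN=123456"
    print(authorize_job(alice_proxy, "debug", gm, QUEUE_ACL))       # alice
    print(authorize_job(alice_proxy, "production", gm, QUEUE_ACL))  # None
```

The separation is the point: the gridmap answers only "who is this DN locally?", while the ACL answers "may that account do this?". Changing the identity technology (certificates today, something like OpenID tomorrow) only has to replace step 1, as long as it still yields a local account name.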

How do we bring OpenID into grids

Or, why do we want to do this?

We could simplify user registration & access experience

Want to minimize other kinds of expenses – heavy crypto authentication operations, browser support issues

Q: Is this a case where people want to use browsers but not certs?
A: It can be script-based and have the same problem!

We have:

  • We have web portals for distributed computing
  • We have browser-based ssh & ftp tools in Java Web Start
  • We have a way to bridge between the existing X.509 infrastructure & an OpenID service (e.g. our ESnet OpenID provider)

We don’t have:

  • OpenID outside a web browser context, to START WITH
  • The science community doesn’t use social networking tech (yet!)

(definitely not in Grid context)

  • Our complex use case:
    • Delegation using proxy certs
    • Need scheduling, batch jobs, scripting, reporting, monitoring
    • OpenID for services as well as people
    • Support for authorization

NPE: non-person entity

How do I support legacy apps?

Alan Karp: How do I know whether I should honor this request? I need to present an authorization.

CAS was almost right – but the root of trust is wrong

Bob Morgan:
You are trying to have a unified policy space, and make the identity processes work across those spaces.

When I get a DN, I can map it to the user id in the accounts database. Perhaps manage keys.

HP product provided wrappers & proxies for users for legacy services

Can we simplify the management burden? For the case where people get shell access w/ ssh or do scripting w/ X.509?

AK: PI gets a contract & gets a grant of authorization rights

Use the X.509 certs locally instead

Grid is reaching its user scalability problem: m users at n hosts. Need to simplify this.

Key insight: the user interface, including the management interface, can’t change much (or only slowly)

What are the LBL problems?
They are maybe harder & maybe on a smaller scale. Wedging OpenID into a problem it doesn’t fit into – it’s a web convenience protocol.

What can we do for legacy apps?

Is there a PAM/ssh module we can develop?

Somebody at google has mentioned using XMPP with Google.

Protocols expect username & password scenarios

Conclusions:

  • Need to look more at longer range alternatives
  • Look at PAM and external selectors
  • OpenID is problematic here