OpenID for Science Community
Conveners: Dhivakaran Murugananatham & Michael Helm
Notes-taker: Michael Helm
Tags: Openid, authorization, legacy
Discussion notes:
Intro to OpenID – Dhiva’s slides
Discussion about Grid computing in a nutshell
X.509 based, but also other tools like ssh & ftp used in distributed computing
Questions about how we register people to get X.509 certs (technology embedded in grids)
How do we authorize jobs?
- Privileges etc. in a database
- Gridmap file is the core of how job privileges are managed, ultimately
- Here is a subject name (DN) – here you can recognize it
- Then there is a separate access control system that manages
How do we bring OpenID into grids
Or, why do we want to do this?
We could simplify user registration & access experience
Want to minimize other kinds of expenses – heavy crypto authentication operations, browser support issues
Q: Is this a case where people want to use browsers but not certs?
A: Can be script based and have the same problem!
We have:
- We have web portals for distributed computing
- We have browser-based ssh & ftp tools in Java Web Start
- We have a way to bridge between existing X.509 infrastructure & OpenID service (eg our Esnet Openid provider)
We don’t have:
- OpenID outside web browser context to START WITH
- Science community doesn't use social networking tech (yet!) (definitely not in Grid context)
- Our complex use case:
- Delegation using proxy certs
- Need scheduling, batch jobs, scripting, reporting, monitoring
- OpenID for services as well as people
- Support for authorization
NPE: non-person entity
How do I support legacy apps
Alan Karp: How do I know I should honor this request? I need to present an authorization
CAS was almost right – but the root of trust is wrong
Bob Morgan: You are trying to have a unified policy space, make the identity processes work across those spaces
When I get a DN, I can map it to the user id in the accounts database. Perhaps manage keys.
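The gridmap discussion above and the DN-to-account mapping just mentioned are what a grid-mapfile does: each line pairs a quoted X.509 subject DN with one or more local accounts, and a job runs as the first (default) account unless the user requests another one listed for that DN. The following is an added example written for these notes, not code from the session or from Globus; the sample mapfile contents are constructed, and the proxy-name stripping is a simplification of the legacy convention (proxy subjects append `/CN=proxy`, `/CN=limited proxy` or, for RFC 3820 proxies, a numeric CN) rather than the chain-based identity extraction real GSI performs.

```python
"""Map an X.509 subject DN to a local account, grid-mapfile style (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample grid-mapfile (not from the notes). Format: one entry per
# line, the DN in double quotes, then a comma-separated list of local accounts;
# the first account is the default mapping. '#' starts a comment.
SAMPLE_GRIDMAP = '''
# people
"/DC=org/DC=example/OU=People/CN=Alice Researcher" alice
"/DC=org/DC=example/OU=People/CN=Bob Operator" bob,gridops
# non-person entity (service certificate) mapped to a service account
"/DC=org/DC=example/OU=Services/CN=batch.example.org" gridsvc
'''

_ENTRY = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>\S+)$')

# Legacy proxy naming: a proxy's subject is its signer's subject plus one
# trailing CN component. Simplification: a genuine end-entity CN that is all
# digits would also be stripped, so real code should use the cert chain.
_PROXY_CN = re.compile(r'/CN=(proxy|limited proxy|\d+)$')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {dn: [accounts]}; malformed lines are an error."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {lineno}: malformed entry {raw!r}")
        accounts = [a for a in m.group('accounts').split(',') if a]
        if not accounts:
            raise ValueError(f"grid-mapfile line {lineno}: no accounts for {m.group('dn')!r}")
        mapping[m.group('dn')] = accounts
    return mapping


def base_dn(subject: str) -> str:
    """Strip trailing proxy CN components to recover the end-entity DN."""
    while True:
        stripped = _PROXY_CN.sub('', subject)
        if stripped == subject:
            return subject
        subject = stripped


def map_subject(mapping: Dict[str, List[str]], subject: str,
                requested: Optional[str] = None) -> Optional[str]:
    """Return the local account for `subject`, or None to deny.

    A DN with no entry is denied; an explicitly requested account is only
    granted when it appears in that DN's list.
    """
    accounts = mapping.get(base_dn(subject))
    if accounts is None:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    proxy = "/DC=org/DC=example/OU=People/CN=Bob Operator/CN=proxy"
    print(map_subject(gridmap, proxy))                       # bob
    print(map_subject(gridmap, proxy, requested="gridops"))  # gridops
    print(map_subject(gridmap, proxy, requested="root"))     # None
```

The point the notes make is visible in the code: the mapfile answers only "which local identity does this DN become"; whether that identity may run this job is left to a separate access control system, and every DN not listed is denied by default.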
HP product provided wrappers & proxies for users for legacy services
Can we simplify the management burden? For the case where people get shell access w/ ssh or do scripting w/ X.509?
AK: PI gets contract & gets grant of authorization right
Use the X.509 certs locally instead
Grid is reaching its user scalability problem: m users at n hosts. Need to simplify this.
Key insight: user interface, including management interface, can't change much (or slowly)
What are the LBL problems? They are maybe harder & maybe on a smaller scale.
Wedging OpenID into a problem it doesn't fit into – it's a web convenience protocol
What can we do for legacy apps?
Is there a PAM/ssh we can develop?
Somebody at Google has mentioned using XMPP with Google.
Protocols expect user name & password scenarios
Conclusions:
- Need to look more at longer range alternatives
- Look at PAM and external selectors
- OpenID is problematic here