\documentclass[a4paper]{jpconf}
\usepackage{url}
\usepackage{graphicx}
\usepackage{float}
\newcommand{\quotes}[1]{``#1''}
\begin{document}
\author{A.~Ceccanti$^1$, E.~Vianello$^1$}
\address{$^1$ INFN-CNAF, Bologna, IT}
\ead{
andrea.ceccanti@cnaf.infn.it,
enrico.vianello@cnaf.infn.it
}
\begin{abstract}
The INDIGO Identity and Access Management (IAM) service has been designed and
developed at CNAF in the context of the INDIGO Datacloud project. In this
contribution, we describe the work done in 2018 to evolve and operate the IAM
service in support of several scientific communities and use cases.
\end{abstract}
\section*{Introduction}
\label{sec:introduction}
The INDIGO IAM service provides an integrated solution for securing access to
an organization's resources and services. It supports authentication via identity
federations (e.g., EduGAIN~\cite{edugain}) and social logins (e.g., Google~\cite{google}),
a registration service providing moderated access to the organization,
delegation and provisioning APIs, and flexible account linking.
During 2018, the main focus of the work on IAM was to enhance its functionalities
in order to fully support the requirements emerging from the
WLCG Authorization Working Group, in support of the design of the future WLCG Authorization
service~\cite{wlcg-authz-wg}.
The following paragraphs summarize the main development and maintenance
activities.
\section*{Support for multiple external OpenID Connect providers}
\begin{figure}
\begin{minipage}[b]{.45\textwidth}
\centering
\includegraphics[width=\textwidth]{mutliple-oidc.png}
\caption{\label{fig:oidc-providers}The DODAS IAM login page showcasing support for Google, EduGAIN and EGI CheckIn external authentication.}
\end{minipage}
\hspace{.1\textwidth}
\begin{minipage}[b]{.45\textwidth}
\centering
\includegraphics[width=\textwidth]{request-cert.png}
\caption{\label{fig:request-cert}Requesting the on-demand generation of an X.509 certificate from the IAM dashboard.}
\end{minipage}
\end{figure}
Up to IAM version 1.4.0, IAM supported a single external OpenID Connect provider, Google.
Support for authentication and account linking with external OpenID Connect providers has
been extended to allow multiple providers.
Each provider can be listed in the IAM login page, and the text and appearance of the login
buttons can be customized through configuration (see Figure~\ref{fig:oidc-providers}).
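As an added illustration (not code from IAM or from this paper), the following Python sketch shows the account-linking invariant that matters once more than one external provider is enabled: an OpenID Connect \texttt{sub} claim is unique only within the issuer that minted it, so linked identities must be keyed by the (\texttt{iss}, \texttt{sub}) pair and the issuer must be one of the configured providers. Apart from Google's well-known issuer URL, the provider URL, claim values and account names are constructed sample data.

```python
"""Account linking with several external OpenID Connect providers.

Added example, not INDIGO IAM's own code. A 'sub' claim is unique only
within the issuer that minted it, so a linking table for multiple providers
must be keyed by the (iss, sub) pair, and the issuer must be one of the
configured providers. Claim values and account names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class ExternalIdentity:
    issuer: str   # 'iss' claim of the (already signature-validated) ID token
    subject: str  # 'sub' claim: a stable identifier within that issuer only


@dataclass
class Account:
    username: str
    linked: Set[ExternalIdentity] = field(default_factory=set)


class LinkingStore:
    """One linking row per (iss, sub); an external identity maps to at most one account."""

    def __init__(self, trusted_issuers: Iterable[str]):
        self.trusted = frozenset(trusted_issuers)      # providers enabled in configuration
        self.accounts: Dict[str, Account] = {}
        self.by_identity: Dict[ExternalIdentity, str] = {}

    def _identity(self, claims: Dict[str, str]) -> ExternalIdentity:
        iss = claims["iss"]
        if iss not in self.trusted:
            # Tokens from providers that are not configured are never consulted
            raise ValueError(f"untrusted issuer: {iss}")
        return ExternalIdentity(iss, claims["sub"])

    def link(self, username: str, claims: Dict[str, str]) -> ExternalIdentity:
        ident = self._identity(claims)
        owner = self.by_identity.get(ident)
        if owner is not None and owner != username:
            raise ValueError("external identity already linked to another account")
        self.accounts.setdefault(username, Account(username)).linked.add(ident)
        self.by_identity[ident] = username
        return ident

    def resolve(self, claims: Dict[str, str]) -> Optional[str]:
        """Login: which local account does this external identity belong to?"""
        return self.by_identity.get(self._identity(claims))


def resolve_by_subject_only(store: LinkingStore, claims: Dict[str, str]) -> Optional[str]:
    """The mistake this example is about: matching on 'sub' alone. Two providers
    may legitimately issue the same 'sub', so this returns whichever account
    happened to be linked first, i.e. a login to the wrong account."""
    for ident, username in store.by_identity.items():
        if ident.subject == claims["sub"]:
            return username
    return None


# Constructed sample claims. Google's issuer is the real one; the second
# provider URL is a placeholder standing for any other configured provider.
GOOGLE = {"iss": "https://accounts.google.com", "sub": "1001"}
OTHER = {"iss": "https://oidc-provider.example.org", "sub": "1001"}


def demo():
    store = LinkingStore([GOOGLE["iss"], OTHER["iss"]])
    store.link("alice", GOOGLE)
    store.link("bob", OTHER)
    keyed_by_iss_sub = (store.resolve(GOOGLE), store.resolve(OTHER))
    keyed_by_sub_only = (resolve_by_subject_only(store, GOOGLE),
                         resolve_by_subject_only(store, OTHER))
    return keyed_by_iss_sub, keyed_by_sub_only


def conflict_is_rejected() -> bool:
    """Linking an identity already owned by another account must fail."""
    store = LinkingStore([GOOGLE["iss"], OTHER["iss"]])
    store.link("alice", GOOGLE)
    store.link("bob", OTHER)
    try:
        store.link("alice", OTHER)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), conflict_is_rejected())
```

With the (\texttt{iss}, \texttt{sub}) key the two sample identities resolve to \texttt{alice} and \texttt{bob} respectively; the subject-only lookup returns \texttt{alice} for both, which is the cross-provider account takeover that keying on the pair prevents.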
\section*{RCauth.eu integration}
The RCauth.eu~\cite{rcauth} Pilot Certificate Authority (CA) is an online CA operated by NIKHEF~\cite{nikhef} which
issues certificates to end entities upon successful authentication to a Federated Identity Management System
(FIMS) operated by an eligible Registration Authority.
The certificates issued by the RCauth Pilot CA are valid for at most 13 months, but may be valid for as little as 11 days.
RCauth.eu has been integrated with INDIGO IAM in order to provide on-demand X.509 certificates to users who do not have one.
The certificate is obtained using a simple OAuth-based protocol~\cite{oauth4myproxy}.
When the RCauth.eu integration is enabled, IAM allows users to request a certificate on demand from the IAM dashboard, as shown in Figure~\ref{fig:request-cert}.
Under the hood, the user is redirected to the RCauth.eu instance to authenticate and to consent both to the
generation of an X.509 certificate and to that certificate being made accessible to IAM.
Once the user has given consent, IAM fetches the generated certificate from RCauth.eu, creates a proxy
certificate out of it, and stores the proxy in the IAM database, linked to the user's membership.
A certificate provisioning API has also been implemented that allows users or agents with the appropriate privileges to
obtain the proxy certificate stored in the IAM database.
\section*{CERN HR DB API service and integration}
Identity vetting for the LHC VOs deployed at CERN relies on the VOMS Admin~\cite{voms-admin} integration with the
CERN Human Resources database~\cite{voms-convergence}, which verifies that a VOMS applicant has a
valid LHC experiment membership when registering in VOMS.
In order to make HR database identity vetting available to IAM as well, the HR database querying logic
has been extracted from the VOMS Admin codebase and adapted to the schema changes planned for GDPR compliance.
A Spring Boot microservice has been developed to provide a convenient REST API for querying LHC experiment membership information~\cite{hr-db-api-service}. This microservice has been deployed at CERN and integrated with IAM to demonstrate identity vetting based on HR information, supporting a registration flow similar to the one implemented in production by VOMS Admin and satisfying the requirements expressed by the WLCG Authorization Working Group.
\section*{VOMS provisioning}
A VOMS~\cite{VOMS} Attribute Authority (AA) microservice has been developed to expose IAM VO membership attributes in the form of VOMS attribute certificates. The VOMS microservice talks to the IAM database and leverages IAM support for X.509 authentication.
The service is compatible with existing VOMS clients.
Since IAM does not provide a role abstraction, and VOMS roles are equivalent to group memberships
asserted only on request, a mechanism based on labels has been developed to flag selected IAM groups as VOMS roles.
These groups are not automatically included in the generated VOMS ACs; they are returned, using the VOMS role syntax, only on explicit request from the client, thus preserving the original VOMS role semantics.
With this work, IAM can support a gradual and seamless migration from the WLCG legacy AAI based on X.509 and VOMS to a token-based AAI.
\section*{Labels and Attribute API}
A generic Labels API, inspired by the Kubernetes labels API~\cite{kubernetes-labels}, has been introduced in IAM; it allows privileged users or agents to attach labels to groups and users.
These labels can be used internally by IAM (e.g., to provide additional metadata about the status of users and groups, or to implement VOMS role semantics on top of IAM groups) or by external applications. A URI-based namespace mechanism
is supported to avoid name clashes on labels managed by different applications.
A generic Attribute API has also been introduced to allow key-value pairs to be linked to users and groups. This information is meant to provide additional authentication and authorization information about users and groups which can be included, when configured, in the tokens issued by IAM,
providing a mechanism very similar to VOMS generic attributes.
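As an added example for the two mechanisms described in this and the preceding section (the label-based VOMS role flag, and the Labels and Attribute APIs), and not code from IAM or the VOMS AA microservice, the Python sketch below models namespaced labels, the ``group flagged as role'' convention, the on-request-only inclusion of role FQANs in an attribute certificate, and the selective release of attributes into a token. The label prefix \texttt{voms.example.org}, the label name \texttt{role}, the rule mapping a flagged group \texttt{/vo/parent/name} to the FQAN \texttt{/vo/parent/Role=name}, the attribute names and the claim layout are assumptions of the example, not IAM's actual conventions.

```python
"""Labels, VOMS role flagging and attribute release (added example, not IAM code).

Assumed conventions, marked below: a group carrying the label
voms.example.org/role is a VOMS role; a role group /vo/parent/name is presented
as the FQAN /vo/parent/Role=name; token claims carry group paths and only the
attributes that configuration lists for release.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Kubernetes-style keys: optional DNS-subdomain prefix, then '/', then a short name.
DNS_PREFIX = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")
LABEL_NAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]{0,61}[A-Za-z0-9])?$")
ROLE_LABEL = ("voms.example.org", "role")   # assumed convention for this example


@dataclass(frozen=True)
class Label:
    name: str
    prefix: str = ""                # namespace owned by one application
    value: Optional[str] = None

    def __post_init__(self):
        if self.prefix and not DNS_PREFIX.match(self.prefix):
            raise ValueError(f"invalid label prefix: {self.prefix!r}")
        if not LABEL_NAME.match(self.name):
            raise ValueError(f"invalid label name: {self.name!r}")

    @property
    def key(self) -> str:
        # "hr.example.org/status" and "ops.example.org/status" never clash
        return f"{self.prefix}/{self.name}" if self.prefix else self.name


@dataclass
class Group:
    path: str                                     # e.g. "/vo/analysis"
    labels: Set[Label] = field(default_factory=set)
    attributes: Dict[str, str] = field(default_factory=dict)

    def is_voms_role(self) -> bool:
        return any((l.prefix, l.name) == ROLE_LABEL for l in self.labels)

    def fqan(self) -> str:
        if self.is_voms_role():                   # "/vo/prod" -> "/vo/Role=prod"
            parent, _, name = self.path.rpartition("/")
            return f"{parent}/Role={name}"
        return self.path


@dataclass
class User:
    username: str
    groups: List[Group]
    attributes: Dict[str, str] = field(default_factory=dict)


def voms_fqans(user: User, requested: Iterable[str] = ()) -> List[str]:
    """FQANs for an attribute certificate: requested FQANs first (VOMS order),
    then every plain group. Role groups appear only when explicitly requested."""
    requested = list(requested)
    by_fqan = {g.fqan(): g for g in user.groups}
    for r in requested:
        if r not in by_fqan:                      # refuse, never silently drop
            raise PermissionError(f"{user.username} is not entitled to {r}")
    return requested + [f for f, g in by_fqan.items()
                        if not g.is_voms_role() and f not in requested]


def token_claims(user: User, release_attributes: Iterable[str] = ()) -> Dict:
    """Claims for an IAM-issued token: group paths plus the attributes that the
    (assumed) configuration lists for release; user attributes override group ones."""
    merged: Dict[str, str] = {}
    for g in user.groups:
        merged.update(g.attributes)
    merged.update(user.attributes)
    claims = {"sub": user.username, "groups": [g.path for g in user.groups]}
    released = {k: v for k, v in merged.items() if k in set(release_attributes)}
    if released:
        claims["attributes"] = released
    return claims


def is_valid_label(name: str, prefix: str = "") -> bool:
    try:
        Label(name, prefix)
    except ValueError:
        return False
    return True


def demo():
    role = Label("role", prefix=ROLE_LABEL[0])
    vo = Group("/vo")
    analysis = Group("/vo/analysis", attributes={"storage.quota": "10TB"})
    prod = Group("/vo/prod", labels={role})        # flagged: the VOMS role /vo/Role=prod
    alice = User("alice", [vo, analysis, prod], attributes={"mail": "alice@example.org"})
    default_ac = voms_fqans(alice)                 # role not asserted by default
    role_ac = voms_fqans(alice, ["/vo/Role=prod"]) # role asserted on explicit request
    claims = token_claims(alice, release_attributes=["storage.quota"])
    return default_ac, role_ac, claims


def role_request_denied() -> bool:
    alice = User("alice", [Group("/vo")])
    try:
        voms_fqans(alice, ["/vo/Role=admin"])      # a role alice does not hold
    except PermissionError:
        return True
    return False
```

In the sample, \texttt{voms\_fqans(alice)} yields only the plain groups \texttt{/vo} and \texttt{/vo/analysis}; the role \texttt{/vo/Role=prod} is added only when the client asks for it, and asking for a role the user does not hold is refused rather than ignored. The token carries the \texttt{storage.quota} attribute inherited from the group but not \texttt{mail}, since only listed attributes are released.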
\section*{Flexible notification dispatching}
A more flexible notification dispatching mechanism has been added to IAM,
which provides the ability to target VO users, VO administrators or group
administrators individually for email notifications. Previously, up to IAM version 1.4.0, all administrator-targeted notifications were dispatched to a single email address (typically a mailing list) provided in the configuration.
\section*{Group managers and group request support}
IAM now supports group managers, i.e., privileged users that can approve
group membership requests or add users to the group they manage.
Users can now request to join a group from the IAM dashboard home page.
\section*{Improved SAML support}
Significant work has gone into improving SAML support and integration
with identity federations such as EduGAIN and with individual SAML identity providers (e.g., the CERN Single Sign-On~\cite{cern-sso} and the Italian Sistema Pubblico per l'Identit\`a Digitale (SPID)~\cite{spid}).
\section*{Operations and support}
Several IAM instances have been deployed and operated on our Kubernetes~\cite{kubernetes} infrastructure in support of scientific communities and projects (DODAS, CHNet, Dariah, Deep Hybrid Datacloud, ICCU, Virgo).
An IAM instance dedicated to the WLCG Authorization WG demonstration and integration activities has been deployed on the CERN OpenShift~\cite{cern-openshift} and OpenStack~\cite{openstack} infrastructures.
\section*{Conclusions and future work}
We have described the main development and maintenance activities performed on the IAM service during 2018. In the future we will focus on further
enhancements to the service and on the migration of the core authentication module to Keycloak~\cite{keycloak}, in order to reduce maintenance costs and improve IAM integration flexibility.
\bibliographystyle{iopart-num}
\section*{References}
\bibliography{biblio}
\end{document}