OpenID for Science Community

Conveners: Dhivakaran Murugananatham & Michael Helm

Notes-taker: Michael Helm

Tags: OpenID, authorization, legacy

Discussion notes:

Intro to OpenID – Dhiva’s slides

Discussion about Grid computing in a nutshell

X.509 based, but other tools like ssh & ftp are also used in distributed computing

Questions about how we register people to get X.509 certs (technology embedded in grids)

How do we authorize jobs?
 * Privileges etc. in a database
 * Gridmap file is the core of how job privileges are managed, ultimately
 * Here is a subject name (DN) – here you can recognize it
 * Then there is a separate access control system that manages

How do we bring OpenID into grids

Or, why do we want to do this?

We could simplify user registration & access experience

Want to minimize other kinds of expenses – heavy crypto authentication operations, browser support issues

Q: Is this a case where people want to use browsers but not certs? A: Can be script based and have the same problem!

We have:
 * We have web portals for distributed computing
 * We have browser-based ssh & ftp tools in Java Web Start
 * We have a way to bridge between existing X.509 infrastructure & an OpenID service (e.g. our ESnet OpenID provider)

We don’t have: (definitely not in Grid context)
 * OpenID outside web browser context to START WITH
 * Science community doesn’t use social networking tech (yet!)
 * Our complex use case:
   * Delegation using proxy certs
   * Need scheduling, batch jobs, scripting, reporting, monitoring
   * OpenID for services as well as people
   * Support for authorization

NPE: non-person entity

How do I support legacy apps?

Alan Karp: How do I know whether I should honor this request? I need to present an authorization.

CAS was almost right – but the root of trust is wrong

Bob Morgan: You are trying to have a unified policy space, make the identity processes work across those spaces

When I get a DN, I can map it to the user id in the accounts database. Perhaps manage keys.
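The DN-to-local-account mapping described in the gridmap bullets above and in the line just above, as an added example (not code from this session, from ESnet or from Globus): a small Python lookup over a constructed grid-mapfile, with the mapping step (authentication identity to account) kept separate from the privilege check. The proxy-component stripping is a simplification of how the end-entity identity is recovered from a delegated proxy chain, and the privilege table is a constructed stand-in for the accounts database.

```python
import re

# Constructed sample grid-mapfile (Globus format: a quoted X.509 subject DN,
# whitespace, then a comma-separated list of local accounts; '#' starts a comment).
SAMPLE_GRIDMAP = """\
# constructed example, not any real site's mapfile
"/DC=org/DC=example/OU=People/CN=Jane Doe 12345" jdoe,grid
"/DC=org/DC=example/OU=People/CN=Bob Smith 67890" bsmith
"/DC=org/DC=example/OU=Services/CN=batch.example.org" gridsvc
"/DC=org/DC=example/OU=People/CN=Broken Entry"
"""

# Constructed stand-in for the separate privileges database the notes mention.
PRIVILEGES = {"jdoe": {"submit"}, "grid": {"submit", "query"}, "gridsvc": {"query"}}

ENTRY_RE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>\S+)\s*$')
PROXY_CN_RE = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def parse_gridmap(text):
    """Return {dn: [accounts]}. Malformed lines are skipped, so that DN stays unmapped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            mapping[m.group("dn")] = [a for a in m.group("accounts").split(",") if a]
    return mapping


def end_entity_dn(subject):
    """Strip trailing proxy components (/CN=proxy, /CN=limited proxy, /CN=<serial>).
    Simplification: a real check walks the certificate chain instead; a person whose
    own CN is purely numeric would be mishandled by this string-based version."""
    while True:
        stripped = PROXY_CN_RE.sub("", subject)
        if stripped == subject:
            return subject
        subject = stripped


def map_dn(gridmap, subject, requested=None):
    """Mapping step: DN -> local account, or None if unmapped or not permitted.
    Without a requested account, the first listed account is the default."""
    accounts = gridmap.get(end_entity_dn(subject))
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


def authorize(account, action, privileges=PRIVILEGES):
    """Privilege check, deliberately separate from the mapping step."""
    return account is not None and action in privileges.get(account, set())
```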

HP product provided wrappers & proxies for users for legacy services

Can we simplify the management burden? For the case where people get shell access w/ ssh or do scripting w/ X.509?

AK: PI gets contract & gets grant of authorization right

Use the X.509 certs locally instead

Grid is reaching its user scalability problem: m users at n hosts. Need to simplify this.

Key insight: the user interface, including the management interface, can’t change much (or only slowly)

What are the LBL problems? They are maybe harder & maybe on a smaller scale. Wedging OpenID into a problem it doesn’t fit: it’s a web convenience protocol.

What can we do for legacy apps?

Is there a PAM/ssh we can develop?

Somebody at Google has mentioned using XMPP with Google.

Protocols expect user name & password scenarios

Conclusions:
 * Need to look more at longer range alternatives
 * Look at PAM and external selectors
 * OpenID is problematic here