Identity Management

A BonFIRE user (experimenter) should be able to create VMs either through the web interface of the Portal or directly through the Resource Manager API. A security infrastructure has been set up that provides the following mechanisms: the user authenticates at the Portal and at the Resource Manager with his/her BonFIRE credentials; the user must also hold credentials for each testbed he/she intends to use. The Resource Manager and the testbeds authenticate each other using BonFIRE certificates. The Resource Manager matches the BonFIRE and testbed credentials using an LDAP server.

APIs provided

The BonFIRE IDM provides an LDAP API.

APIs used

None.

Message queue use

No interaction with the message queue.

Assumptions

No documented assumptions.

Implementation details

The identity management (IDM) solution adopted by BonFIRE is deliberately kept simple enough to support a working facility that provides access to the testbeds provided by the BonFIRE partners. This simplicity may also be appropriate when federating with testbeds that are managed by other groups. At a later stage, federated single sign-on technologies such as Shibboleth and OAuth may be used.

To secure and restrict access to the BonFIRE infrastructure, IDM mechanisms are needed for user authentication and user management. The design of the IDM is based on existing state-of-the-art components such as Apache modules and LDAP. To secure the connections between the components of the BonFIRE architecture, server certificates are needed. These certificates are issued by the BonFIRE CA.

The components behind the Resource Manager validate HTTP requests by using the BonFIRE Asserted ID header field: they trust a request as coming from an authenticated user because the X-BonFIRE-Asserted-ID header field is present.

The LDAP server and the BonFIRE CA are deployed on a VM with a private IP address at HLRS. For security reasons, access to that server is restricted. The BonFIRE CA has to be secured; in particular, the private key of the BonFIRE CA has to be protected, because that key is what signs server and user certificates. If an unauthorized person obtains that key, server certificates signed by the BonFIRE CA can no longer be trusted.

The BonFIRE CA is based on OpenSSL, and the LDAP server that stores the centralized information is based on OpenLDAP. The tree structure of LDAP is called a Data Information Tree (DIT).

[Figure: BonFIRE IDM LDAP Data Information Tree]

The LDAP server is configured so that no anonymous read access is allowed; authentication is required for any access to the LDAP database.

A new feature of this software release is the introduction of user groups. This notion is also represented in the BonFIRE LDAP database: for each BonFIRE user group a corresponding group entry is created, using the posixGroup LDAP schema. Every member of a group is reflected by a corresponding memberUid attribute on the appropriate posixGroup entry. The LDAP database also contains a field for an SSH public key, which an experimenter uses to access his VMs through the SSH gateway on each site. To meet the requirement of a distributed architecture and to avoid a single point of failure, an LDAP slave is deployed on each site, and the local SSH gateway obtains the user credentials from that slave.

The configuration of the IDM at the Portal and Resource Manager is done through a server hosted at HLRS. On the Portal and the Resource Manager an Apache web server is used. Apache provides a module for securing the connection with SSL. Once the connection is established, Apache asks for a username and password, and an LDAP Apache module connects to the LDAP server and verifies the user credentials. On successful authentication, the UID of the BonFIRE user is added to the BonFIRE Asserted ID header field; this is achieved by an Apache module reusing the environment variable exported by the LDAP module. The following code excerpt shows the configuration of the Apache server relevant for the IDM.

<VirtualHost _default_:443>
        # General setup for the virtual host, inherited from global configuration
        DocumentRoot "/var/www/html"
        ServerName www.portal.bonfire-project.eu:443

        <Directory /var/www/html/idm/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all

                # Settings for Basic authentication added by tgu
                # Basic auth sends the password in clear text inside the TLS session,
                # which is why this block lives only in the :443 virtual host
                AuthType Basic
                AuthName "Secured Area"

                # Settings for LDAP authentication added by tgu
                # LDAP is tried first, the local htpasswd file (AuthUserFile) second
                AuthBasicProvider ldap file
                AuthzLDAPAuthoritative on
                # Service account the Portal binds with before searching ou=People;
                # the real password is not shown here
                AuthLDAPBindDN "cn=Portal,ou=Hosts,dc=bonfire-project,dc=eu"
                AuthLDAPBindPassword "XXXXX"
                # Search base and attribute (uid) used to locate the user's entry;
                # mod_authnz_ldap exports the matched attribute as AUTHENTICATE_UID
                AuthLDAPURL ldap://10.0.0.30/ou=People,dc=bonfire-project,dc=eu?uid

                Require valid-user

                AuthUserFile /var/www/html/idm/htpasswd

                # Copy the authenticated user name from REMOTE_USER into env var R_U
                RewriteEngine On
                RewriteCond %{REMOTE_USER} (.*)
                RewriteRule .* - [E=R_U:%1]

                # LDAP UID: forward the authenticated uid to the components behind
                # the Resource Manager. AUTHENTICATE_UID is only set when the LDAP
                # provider authenticated the user, not for the htpasswd fallback.
                # Note: "add" appends to any X-BonFIRE-Asserted-ID header already
                # present in the client request; "set" (or a preceding "unset")
                # would replace a client-supplied copy instead.
                RequestHeader add X-BonFIRE-Asserted-ID %{AUTHENTICATE_UID}e
        </Directory>
</VirtualHost>
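As an added example (not BonFIRE code), the following Python shows how a component behind the Resource Manager could consume the X-BonFIRE-Asserted-ID header and resolve the user's posixGroup membership from an LDIF copy of the DIT described above. The LDIF entries, the assumed uid format and all function names are constructed for this illustration.

```python
import re

# Constructed LDIF mirroring the DIT shape described above (ou=People entries,
# posixGroup entries with memberUid); names and the key are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=bonfire-project,dc=eu
uid: alice
sshPublicKey: ssh-rsa AAAAB3CONSTRUCTED alice@example

dn: cn=experimenters,ou=Groups,dc=bonfire-project,dc=eu
objectClass: posixGroup
cn: experimenters
memberUid: alice
memberUid: bob
"""
UID_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")  # assumed uid format

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple unfolded, unencoded LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def groups_for(entries, uid):
    """cn of every posixGroup whose memberUid list contains uid."""
    return sorted(e["cn"][0] for e in entries.values()
                  if "posixGroup" in e.get("objectClass", [])
                  and uid in e.get("memberUid", []))

def asserted_uid(headers):
    """headers: list of (name, value) pairs as the backend received them.
    'RequestHeader add' appends, so two copies of the header are rejected."""
    vals = [v for n, v in headers if n.lower() == "x-bonfire-asserted-id"]
    if len(vals) != 1 or not UID_RE.match(vals[0]):
        return None
    return vals[0]

def authorize(headers, entries):
    """Return (uid, groups) when the asserted user exists in ou=People."""
    uid = asserted_uid(headers)
    dn = f"uid={uid},ou=People,dc=bonfire-project,dc=eu"
    if uid is None or dn not in entries:
        return None
    return uid, groups_for(entries, uid)
```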
