Home

A letter to readers.

The following letter was sent to the thebes-l mailing list on 1/25/2010. This is an open solicitation for participation in a grant request due in mid February for anyone who is interested in pushing the Thebes Security Token Service into production. We need broad support immediately in the form of participants, collaborators, and letters of interest. Contact Arnie Miles directly with ideas and discussion.

All,

I haven't posted much recently, so it seems like a good time for an update. Thebes has been moving forward with the assistance of funding from Sun which enabled us to bring developer Tim Bornholtz in. Tim has been posting code regularly, and we are testing an HPC implementation of the Thebes security middleware on a small Beowulf cluster with Gaussian jobs.

This particular project leverages the Thebes Security Token Service, an HPC client, an HPC service, rudimentary policies, and DRMAA to carry an HPC service request from a user's desktop to an HPC device. The user is able to authenticate via the local identity store, import data from a remote location, and submit a Gaussian job to an HPC cluster. The Thebes HPC service filters the SAML, checks authentication, compares the user's assertion against a policy, and submits work via DRMAA to the master node of the cluster.

The key to all of this is the Thebes Security Token Service, and this is what the bulk of our infrastructure development is going to continue to focus on. When we are 'through', the STS will be able to accept any token a user has and return whatever token the user needs. One of the initial keys to this effort was web services enabling SAML access, and this work has been successful so far.

So, the STS is rudimentary but working, and has a lot of room for growth. The HPC service is also rudimentary but working in a very specific environment.
We now need compelling use cases that involve "a broad set of science and engineering applications" to move forward on a proposal for NSF 10-508, Software Development for Cyberinfrastructure. Some of you are eligible for NSF support, and we would welcome you as co-PIs, senior personnel, and participants with funding. Others on this list are not eligible for NSF funding, and from you we would hope to get strong letters of support specifying how you might use the Thebes STS (or components built from the STS) and indicating an intention to actually install the middleware should NSF fund it and we build it.

The time is short. The deadline is February 26, and you might as well say February 16th once you factor in the paperwork. Please help us make a completely compelling story for NSF. Call me directly, email me directly, or email the list.

-- "One must still have chaos in oneself to be able to give birth to a dancing star."

Connecting the various players in any inter-process communications requires that the processes be able to:
This is the glue that connects resources: authentication, authorization, and discovery. Solving these problems in a scalable manner allows the creation of broadly distributed trustworthy systems capable of sharing any sort of resources. However, scalability has been lacking to date.

The Thebes project was created initially to solve these problems in the grid and high performance computing arena. Grid computing died primarily because no one was able to accomplish scalable solutions to these problems. Now the magic word is cloud computing. Unfortunately, the use cases that brought about interest in grids still remain unsolved, and carry over to cloud computing. Thebes has expanded in scope to include any problem where security and discovery middleware is relevant.

Project completion will facilitate the eventual construction of a global general-purpose infrastructure by enabling connections between existing diverse users and critical resources. New middleware eases the burden on resource owners by divesting them of knowledge of specific user organization memberships, thus improving grid security and particularly scalability, encouraging resource contributions. Widespread adoption will ease access to a vast aggregate of diverse resources for users with widely differing levels of expertise. Decentralizing databases will ease the burden on system owners, encouraging them to make resources available while maintaining the highest degree of data accuracy. By connecting users to and across existing grids and to new installations, regardless of the underlying technology or size, this middleware should benefit existing projects.

Philosophically, the Thebes Consortium believes the following statements are true and must be considered when designing a new grid infrastructure:
Membership gives you the option to post comments and add content. Arnie Miles
PESC EdUnify meeting

I'm attending the Postsecondary Electronic Standards Council (PESC) meeting launching their EdUnify Task Force. I'm moved to record my observations that they are attempting to address the same sorts of problems Thebes is aimed at. Resource publication and discovery, attribute-based authentication and authorization, and distributed policy publication and enforcement are becoming mandatory in a wide variety of scenarios.
Custom Apache Rampart

Thebes requires SAML2 assertions. Because Rampart doesn't support SAML2 out of the box, some code modifications were required. Please rename rahas-1.4-thebes.zip to rahas-1.4-thebes.mar
Thebes Status Report, October 2009

This document reports the status of the Thebes project as of October 2009, as well as describing the short term development and deployment roadmap.
Great News "Blowin' in the Wind"

The Thebes project is on the verge of releasing its first set of beta software that can provide a complete secure attribute-based infrastructure. This includes the security token service, resource tools and client tools. This first release is aimed at distributed high performance computing, but the security token service is a huge advance towards the creation of a general purpose security infrastructure. Look at some of my most recent blog posts or in the "Use Case" section of this site for some generic examples of ways this can be used.

Now is the time to join the mailing list and get your membership to the Thebes portal, so you can track and more importantly comment on events as they unfold. We need all the input we can get from our members, so the products we publish are valuable to you.

Arnie Miles
Website Dynamic Account Creation and Access

When working from home on personal computers doing personal business, many persons will use their Internet service provider as the repository of basic attributes. When a person has logged into their Internet account, they will receive a fresh attribute assertion that they will bring with them to use as they need and dictate. If they visit a site that requires registration, with the user’s permission much of the work will be automated. The user will reap the benefits of single sign-on, and no additional usernames and passwords will be generated. Subsequent visits to the site will be authorized transparently and effortlessly, as a freshly obtained attribute assertion will be passed to the web site. Imagine a “Log In” button with no fields attached to it; clicking it will allow a user’s computer to pass the assertion to the remote site.
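The registration flow described above, seen from the web site's side, as an added example that is not Thebes code: the site checks the issuer, freshness and audience of a SAML2 attribute assertion, then creates or reuses an account keyed on issuer plus subject, so no password is ever stored. The issuer and site URLs, attribute names and function names are assumptions, the assertion is constructed sample data, and XML signature verification is assumed to have been done before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUERS = {"https://idp.isp.example"}   # hypothetical ISP identity provider
REQUIRED_ATTRS = {"mail", "displayName"}        # hypothetical registration policy
ACCOUNTS = {}                                   # stand-in for the site's account store

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def login_with_assertion(xml_text, audience, now):
    """Return (status, account). Assumes the signature was already verified."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        return "rejected: untrusted issuer", None
    cond = root.find("saml:Conditions", NS)
    try:  # a missing or malformed validity window counts as stale
        fresh = cond is not None and (
            _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")))
    except (TypeError, ValueError):
        fresh = False
    if not fresh:
        return "rejected: assertion not fresh", None
    audiences = {a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:  # assertion was minted for some other site
        return "rejected: wrong audience", None
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if not subject or REQUIRED_ATTRS - set(attrs):
        return "rejected: missing subject or attributes", None
    key = (issuer, subject)  # issuer-scoped, so two issuers cannot collide on a NameID
    status = "returning" if key in ACCOUNTS else "created"
    ACCOUNTS[key] = attrs    # attributes are refreshed on every visit
    return status, ACCOUNTS[key]

def sample_assertion(issuer="https://idp.isp.example", not_after="2010-01-25T12:05:00Z"):
    """Constructed sample assertion (unsigned, for illustration only)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>user-7f3a</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-01-25T12:00:00Z" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>https://shop.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>pat@isp.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

The audience check is what stops an assertion issued for one site from being replayed at another, and the short validity window is what makes the "freshly obtained" requirement enforceable.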