adm35's blog

Great News: "Blowin' in the Wind"

The Thebes project is on the verge of releasing its first set of beta software, which can provide a complete, secure attribute-based infrastructure. This includes the security token service, resource tools and client tools. This first release is aimed at distributed high performance computing, but the security token service is a huge advance towards the creation of a general purpose security infrastructure. Look at some of my most recent blog posts, or at the "Use Case" section of this site, for generic examples of the ways this can be used. Now is the time to join the mailing list and get your membership to the Thebes portal, so you can track and, more importantly, comment on events as they unfold. We need all the input we can get from our members, so that the products we publish are valuable to you.

Arnie Miles
Website Dynamic Account Creation and Access

When working from home on a personal computer doing personal business, many people will use their Internet service provider as the repository of their basic attributes. When a person has logged in to their Internet account, they receive a fresh attribute assertion that they carry with them and release as they see fit. If they visit a site that requires registration, much of the work can be automated with the user's permission: the user gets the benefits of single sign-on, and no additional usernames and passwords are created. Subsequent visits to the site are authorized transparently, because a freshly obtained attribute assertion is passed to the web site rather than a stored password. Imagine a "Log In" button with no fields attached to it: clicking it lets the user's computer pass the assertion to the remote site.
Sensor Networks

Sensor networks can be as simple as the temperature sensors on a building's air ducts that control the air conditioning, or as complex as the multitude of sensors on a satellite in space. Aircraft, automobiles, weather, climate change, seismic instruments; the list is endless. Any sensor that is programmable and network aware can be connected to this infrastructure. The owner of a sensor resource then has direct control over who can and cannot access that sensor, and can make sweeping changes to that access quickly and easily. As mentioned before, this system allows for accounting of usage, so funding agencies can understand who is using the sensors they paid for, and private industry can bill for usage of the sensors.
Cloud Computing

There are too many definitions of cloud computing to address them all clearly; however, attribute based security addresses most variants. In the public cloud, the enterprise can use this infrastructure to control the creation of, and access to, virtual machines in the cloud. This controls costs, gives the enterprise a way to exert control over the security of machines that represent it, and allows centralized oversight of what are essentially the enterprise's resources. In high performance computing, this infrastructure can allow virtual machines to be created, attached to a local high performance cluster and destroyed again, either manually or automatically based on load. In the enterprise cloud, using virtual machines that have the proper client software installed eliminates the need for a separate security implementation on each virtual machine. For example, with an attribute-based infrastructure in place, instantiating 1, 100 or 10,000 virtual machines makes provisioning security a matter of applying policies across the machines, with authentication already handled by the infrastructure.
Application and License Sharing

Application and license sharing is sometimes called an application grid. This class of examples has many variations. Once a plug-in grants access to an application or license server based on the supplied attribute assertions, license management and application load sharing become much simpler. If an organization has a certain number of licenses for an application, these are often controlled by a license server, which the application consults for an available license. No matter how many instances of the application are installed, only a fixed number can be in use at any given time. Attribute based authorization to the license server then governs who may check out the available licenses. Applications can be included in basic install images, available on every desktop, with users checking out a license for local use by presenting their assertion to the license server. This has applications in cloud computing: large numbers of virtual machines in the cloud can carry the enterprise's entire suite of applications, while the enterprise not only controls access to licenses but also gains load balancing via the cloud. Combining this with the ability to use local file systems under the same credentials extends the single sign-on further. A user can sign on once, gain access to a virtual machine with the required application on it, obtain a license for that application, and store work on a local file system, all with a single sign-on. Applications that maintain their own licensing controls can still benefit from this infrastructure through policy controls and application plug-ins: whether the application is installed on the user's machine or shared on a larger server, the attributes offered to the application are verified against the policies in place for it. This provides the same level of license control and load balancing as the previous example.
Finally, for applications in high demand, enterprises can take advantage of the batch scheduling software commonly used in the high performance computing world to queue work and control the load on each individual resource. Since plug-ins for batch schedulers already exist, this solution can make access to expensive and popular resources more equitably available.
Distributed High Performance Computing

Background: Distributed high performance computing was the initial impetus for the Thebes consortium, and continues to be the most developed use case. In this model we add the complexity of job schedulers at each high performance compute (HPC) device, as well as the transport of data sets in and out of the HPC devices. Users locate available resources via the resource discovery network (RDN), but in the HPC example there is a dynamic aspect to the metadata in the RDN, since how busy a resource is plays a key part in the decision whether to use it. The Thebes service installed on each resource filters SAML (Cantor, Hodges, Morgan) assertions, checks them against the policy enforcement point, and passes appropriate work to the local job submission tool.

Actors:

Systems administrators: Administrators at each enterprise connect the identity provider to the local identity store and install a local resource discovery network node. This node is introduced to one or more external RDN nodes. They also optionally establish an enterprise level policy administration point. As resource administrators connect compute or file system resources to the network, they install the Thebes service on each resource, create policies, and publish the resource to the RDN. Each client computer in each shop and corporate office needs custom client software that plugs into the Thebes infrastructure; user authentication is accomplished via the Thebes plug-in. This is equally true of local users and remote queries.

Researchers: The submit tool for Thebes is a simple Java installation. It accepts a username and password and performs the work needed to obtain a signed assertion from the enterprise identity provider. The tool also accepts from the user a detailed description of the job, in a format well understood by the popular job schedulers, together with all the requirements of the job.
When the researcher submits the job, it is sent to a high level scheduler that continuously collects dynamic data from all HPC resources known to the resource discovery network. It can either return an ordered set of resources for the user to choose from, or automatically select the most appropriate resource to submit the work to.

Local Management: In this case, local management represents the various division and department heads that lie between upper management and the researcher. In some cases it may be appropriate for these positions to assign policies to the resources in their domain that are more stringent than the overall enterprise policies. In other cases, this layer of policy control might relieve the resource owners of the need for additional policies. If the system is set up to collect accounting information, management can use the data collected to cost share or invoice for computational time, or to justify expenditures to funding agencies.

Senior Staff: If Thebes is going to be used across administrative domains, there may need to be senior staff buy-in and participation to protect local interests and satisfy legal requirements. Generally, sharing resources requires agreements between each institution involved in the exchange, with expectations, limitations, responsibilities and requirements spelled out. Once these are in place, the agreed policies have to be codified in the policy administration tools, which will then represent the minimum set of restrictions that complies with the agreements.
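The assertion handling described in "Website Dynamic Account Creation and Access" and in the HPC use case above, as an added example that is not Thebes project code: an identity provider issues a short-lived signed attribute assertion, the resource verifies the signature, issuer and freshness window before looking at any attribute, the attributes are checked against layered policies in which a department or resource policy can only tighten the enterprise policy, and the high level scheduler ranks the eligible resources by load. The example assumes, for the sake of running offline, a JSON body instead of SAML XML, HMAC-SHA256 with a key shared between identity provider and resource instead of XML signatures, and simple equality/membership rules instead of a policy language; the key, issuer, subject, policies and resource names are all constructed here.

```python
# Added example, not Thebes project code. Models the use cases above: an IdP
# issues a short-lived signed attribute assertion, a resource verifies it and
# checks the attributes against layered policies (enterprise, department,
# resource), and a high level scheduler ranks eligible resources by load.
# Hypothetical simplifications: JSON instead of SAML XML, HMAC-SHA256 with a
# shared key instead of XML signatures, membership rules instead of a policy
# language. Every key, subject, policy and resource below is constructed.
import base64, binascii, hashlib, hmac, json, time


def issue_assertion(idp_key, issuer, subject, attributes, lifetime_s=300, now=None):
    """Identity provider side: sign a short-lived attribute assertion."""
    now = time.time() if now is None else now
    body = {"issuer": issuer, "subject": subject, "attributes": attributes,
            "issued_at": now, "not_on_or_after": now + lifetime_s}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(idp_key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_assertion(idp_key, token, trusted_issuers, now=None):
    """Resource side: reject forged, foreign-issuer and stale assertions.
    Returns the parsed assertion body, or None on any failure."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(idp_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):      # constant-time comparison
        return None
    body = json.loads(payload)                      # authenticated before parsing
    if body.get("issuer") not in trusted_issuers:
        return None
    if not (body["issued_at"] <= now < body["not_on_or_after"]):
        return None                                 # freshness window enforced
    return body


def evaluate_policy(attributes, policy):
    """policy maps an attribute name to the set of acceptable values. Every rule
    must hold (deny by default); a multi-valued attribute satisfies a rule if
    any of its values is acceptable."""
    for attr, allowed in policy.items():
        values = attributes.get(attr)
        if values is None:
            return False, f"missing attribute {attr}"
        if not isinstance(values, list):
            values = [values]
        if not any(v in allowed for v in values):
            return False, f"{attr}={values} not in {sorted(allowed)}"
    return True, "ok"


def authorize(idp_key, token, trusted_issuers, policy_layers, now=None):
    """Policy enforcement point: every layer must permit the request, so a
    department or resource policy can only tighten the enterprise policy."""
    body = verify_assertion(idp_key, token, trusted_issuers, now)
    if body is None:
        return False, "assertion rejected"
    for layer_name, policy in policy_layers:
        ok, why = evaluate_policy(body["attributes"], policy)
        if not ok:
            return False, f"{layer_name}: {why}"
    return True, body["subject"]


def rank_resources(idp_key, token, trusted_issuers, enterprise_layers, resources, now=None):
    """High level scheduler: resources whose policies admit the assertion, least loaded first."""
    eligible = []
    for res in resources:
        layers = enterprise_layers + [("resource " + res["name"], res["policy"])]
        if authorize(idp_key, token, trusted_issuers, layers, now)[0]:
            eligible.append(res)
    return [r["name"] for r in sorted(eligible, key=lambda r: r["load"])]


# Constructed sample data for the demo.
IDP_KEY = b"constructed-demo-key-not-for-production"
TRUSTED_ISSUERS = {"idp.example.edu"}
NOW = 1_700_000_000.0
ENTERPRISE_LAYERS = [
    ("enterprise", {"affiliation": {"chem-dept", "physics-dept"}}),
    ("chemistry department", {"project": {"p42", "p43"}}),  # tighter than enterprise
]
RESOURCES = [
    {"name": "cluster-a", "load": 0.40, "policy": {"role": {"researcher", "staff"}}},
    {"name": "cluster-b", "load": 0.15, "policy": {"role": {"researcher", "staff"}}},
    {"name": "cluster-c", "load": 0.05, "policy": {"role": {"staff"}}},  # staff only
]


def demo():
    token = issue_assertion(IDP_KEY, "idp.example.edu", "researcher1",
                            {"affiliation": "chem-dept", "role": ["researcher"],
                             "project": "p42"}, now=NOW)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")  # flip one signature digit
    return {
        "ranked": rank_resources(IDP_KEY, token, TRUSTED_ISSUERS, ENTERPRISE_LAYERS, RESOURCES, now=NOW),
        "tampered": authorize(IDP_KEY, tampered, TRUSTED_ISSUERS, ENTERPRISE_LAYERS, now=NOW),
        "stale": rank_resources(IDP_KEY, token, TRUSTED_ISSUERS, ENTERPRISE_LAYERS, RESOURCES, now=NOW + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks in `verify_assertion` is the point a resource administrator should keep: signature first, then issuer, then the validity window, and only then the attributes. The researcher in the demo is admitted to cluster-a and cluster-b but not the staff-only cluster-c, the tampered token is rejected before any policy is consulted, and an hour later the same token yields no eligible resource at all, which is the "fresh assertion on every visit" behaviour the website use case relies on.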