UCSD OSG Summer School 2011: Single sign-on in Open Science Grid, by Igor Sfiligoi, University of California San Diego.

Presentation transcript:

UCSD OSG Summer School 2011, Slide 1: Single sign-on in Open Science Grid, by Igor Sfiligoi, University of California San Diego

Slide 2: Summary of past lessons
● HTC is maximizing CPU use over long periods
● And getting lots of computation done
● DHTC is HTC over many sites
● Using an overlay system hides most of the change
● Grid and Cloud resources are really very similar
● Especially if you use them from inside an overlay system

Slide 3: Single sign-on in OSG: Introducing the Open Science Grid

Slide 4: Scientific Grids
● Just a reminder
● Widely distributed (continent wide)
● Many participants O(1k+)
  – Just moderate trust (no way everybody knows everybody else)
● Many local HTC technologies
  – Joining sites may have existing infrastructure

Slide 5: The Open Science Grid
● US-wide (and beyond) scientific Grid
● With partner Grids from around the world (e.g. EGI)
● Sponsored jointly by NSF and DOE

Slide 6: Some history
● Built on experience dating to the previous Millennium

Slide 7: Who is part of OSG
● Heavily HEP dominated (LHC, Tevatron)
  – They need it to do their science
● Followed by other physics communities (e.g. LIGO, RHIC)
● But also a healthy mix of other sciences
  – Biology and chemistry related fields
  – Math and CS related fields
  – Engineering related fields

Slide 8: OSG in numbers
● No. of sites: ~50
  – Ranging in size from ~10 cores to ~7k cores
  – Small sites may have 10% of a grad student running the system
  – Large ones may have several dedicated sysadmins
● No. of users: >10k
  – Not all active at the same time
  – But most of them have used OSG at least once

Slide 9: Scale problem
Requesting and managing an account at each site would be a lot of work!

Slide 10: Is it really my problem?
(Cartoon dialogue) "But I will be using an overlay system. I will only see my local submit system." "Well, someone still needs to send the pilots. You think it works by magic?" "But why should I care? Why again did you come here???" "You will need it for storage."

Slide 11: Single sign-on in OSG: Single sign-on using X.509 PKI

Slide 12: Single sign-on
● The idea is simple
● The user should use the same mechanism to submit jobs to all O(100) sites
(Cartoon caption: "Hi. I am Igor")

Slide 13: Passwords a non-starter
● We all know username/password is the preferred authentication mechanism
  – Almost everybody uses it!
● But not a good solution for distributed systems
  – Uses a shared secret between the user and the service provider
  – And secrets stay secret only if few entities know them
    – Sharing passwords between sites is a bad idea!
How many passwords do you have for all the Web pages you use?

Slide 14: Adding an intermediary
● A better approach is to introduce a highly trusted intermediary
● Has been used in real life for ages
  – e.g. States as issuers of IDs
● Getting the ID is lengthy, but easy afterwards
(Cartoon captions: "Hi. Here is my ID" / "Hi. I am Igor" / "Use this ID")

Slide 15: Technical implementations
● Many technical solutions
  – x.509 PKI
  – Kerberos
  – OpenID
  – many more...
● All based on the same basic principle
● Each has strengths and weaknesses
● OSG standardized on x.509
  – Will not argue if it is the best one.

Slide 16: x.509 PKI
● Based on public key cryptography
● A user has a (public,private) key pair
  – one encrypts, the other decrypts
  – similarly, one signs, the other verifies
● The highly trusted entity is called a Certification Authority (CA)
● The user is given a certificate
  – Cert. has user name in it
  – Cert. also contains the (pub,priv) key pair
  – Cert. is signed by the CA private key
You should have gotten one yesterday from DOEGrids

Slide 17: x.509 authentication
● Sites have the CA public key pre-installed
● User authenticates by signing a site-provided string and providing the public part of the cert
(Cartoon exchange: "Hi, here is my pub cert" / "Please sign" / "Here it is" / "Hi, Igor"; labels: "Igor's Cert", "CA pub")

Slide 18: x.509 as single sign-on
● Use the same cert for all the sites
(Cartoon captions: "Hi." / "Hi. I am Igor" / "Hi. Use this cert")

Slide 19: Impersonation
● Sometimes your jobs need to impersonate you
● For example to access an FTP server
(Diagram: Scheduler → CE → Job → FTP; the job says "Hi... ehm... I am Igor". More on storage tomorrow. How will this work?)

Slide 20: Impersonation problem
● The problem is that the job does not have your private key
  – And it should not, if it is to remain “private” (remember, secrets only stay secret if few entities know about them)
● So it cannot impersonate you
● We have similar problems in real life, too
  – e.g. an attorney representing you in court
  – Nobody will believe that he is you, yet he can speak on your behalf

Slide 21: Proxy delegation
● The job is indeed not you
● Create a certificate for the job
● And send it in the job sandbox
(Diagram: Scheduler → CE → Job → FTP; Proxy ~= Job cert)

Slide 22: Proxy risks
● You are sending private keys with the job
● You risk that they be stolen
● To mitigate this risk, the proxy lifetime should be very limited
  – Say, a few hours
  – But long enough to do the needed work
Risk mitigation can be annoying! More on security Thursday.

Slide 23: Delegation and overlays
● Not really any different
● Still need priv keys on the remote CPU
● But you may exploit the additional control you have
  – e.g. Condor will automatically shorten proxy lifetime and re-delegate as needed
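As an added example, not from the slides, the slide 17 handshake and the slide 21-22 proxy modelled with Ruby's standard openssl library: a constructed CA issues Igor's certificate, a site holding only the CA public key checks the chain and a signed challenge, and a short-lived proxy signed with Igor's own key is checked against his certificate and its validity window. Names, lifetimes and the proxy naming are constructed, the proxy link is verified by hand rather than through OpenSSL's RFC 3820 proxy handling, and note that the certificate itself carries only the public key while the private half stays with its owner.

```ruby
require 'openssl'
HOUR = 3600
# Build a certificate for +key+ and sign it; no signer/issuer means self-signed (the CA).
def issue(serial, cn, key, ttl, signer: nil, issuer: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key # only the public half goes into the certificate
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + ttl
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign' : 'digitalSignature', true))
  cert.sign(signer || key, OpenSSL::Digest.new('SHA256'))
end

# Constructed setup: one CA that every site trusts, and Igor's long-lived user certificate.
CA_KEY, USER_KEY = OpenSSL::PKey::RSA.generate(2048), OpenSSL::PKey::RSA.generate(2048)
CA_CERT = issue(1, 'Example CA', CA_KEY, 24 * HOUR, ca: true)
USER_CERT = issue(2, 'Igor', USER_KEY, 365 * 24 * HOUR, signer: CA_KEY, issuer: CA_CERT)

# Site side (slide 17): only the CA public key is pre-installed, and the chain is checked against just that.
def chain_ok?(cert, now = Time.now)
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  store.time = now
  store.verify(cert)
end

# Challenge-response: the user signs the site-provided string, so the private key never leaves the user.
def sign_challenge(key, challenge); key.sign(OpenSSL::Digest.new('SHA256'), challenge); end
def authenticate?(cert, challenge, sig, now = Time.now)
  chain_ok?(cert, now) && cert.public_key.verify(OpenSSL::Digest.new('SHA256'), sig, challenge)
end

# Slides 21-22: a proxy is a fresh key pair in a short-lived cert signed with the user's own key; key and
# cert travel in the job sandbox, which is why its lifetime is hours, not the year the user cert gets.
def make_proxy(ttl)
  key = OpenSSL::PKey::RSA.generate(2048)
  [issue(3, 'Igor proxy', key, ttl, signer: USER_KEY, issuer: USER_CERT), key]
end

# Service side: user chain against the CA, proxy signature against the user cert, then the proxy's own window.
def proxy_ok?(proxy, now = Time.now)
  chain_ok?(USER_CERT, now) && proxy.verify(USER_CERT.public_key) &&
    proxy.not_before <= now && now <= proxy.not_after
end
```

A proxy that is stolen from a worker node stops being useful the moment its window closes, which is the whole point of the short lifetime on slide 22.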

Slide 24: Are we done yet?
Why should any site give you access to their CPUs? (or disks)

Slide 25: Do I really care?
(Cartoon dialogue) "But I will be using an overlay system. All I need is contacting my local sysadmin." "YOU AGAIN!!! Someone still needs to send the pilots! Just kidding. And don't forget about storage."

Slide 26: Single sign-on in OSG: Tiered authorization, or Introduction to Virtual Organizations

Slide 27: Authentication vs. Authorization
● Just because you can authenticate yourself, it does not mean you are authorized, too
  – e.g. your driver's license tells who you are, but does not allow you to enter a nuclear plant
● x.509 PKI only covers authentication
  – Tells the site who you are

Slide 28: Authorization in OSG
● Each site in OSG decides autonomously which users to authorize
  – Nobody in OSG can force a site to let a user in (but we can ask)
● The problem, again, is scale
  – Over 10,000 users!
If each site had to worry about every single user, very few users would be authorized!

Slide 29: Adding roles
● Sites want to operate on higher level concepts
  – Some kind of attribute
● Like in real life
  – Think about passport vs driver's license
  – Both tell a cop who you are (and to 1st approx. are issued by the same entity)
  – But the driver's license tells him you are allowed to use a car, too: “Class:C”

Slide 30: Attribute authority
● Like before, we need someone trustworthy to issue attributes
  – Sites cannot just trust whatever the user says!
● In the case of the driver's license it was the DMV
● In OSG, the attribute authority is called the Virtual Organization (VO)
  – And the service issuing the attributes is VOMS
  – Based on issuing augmented x.509 proxies

Slide 31: VO and VOMS
● VO decides who is worthy of an attribute
● Site decides based on that attribute
(Cartoon exchange: "Register" / "I need a CMS proxy" / "Use this proxy" (VOMS) / "Hi. I work in CMS" / "Hi, CMS user")

Slide 32: OSG VOs in numbers
● O(10) VOs
  – Typically one per scientific domain, e.g. CMS, ATLAS, SBGrid, LIGO, …
  – But we have regional VOs as well, e.g. Holland Computing Center (HCC), Fermigrid
● OSG operates an “Engage VO” for new users until there is an appropriate VO for them
● Sites typically support a set of VOs
  – And all the users inside those VOs (although they don't need to)
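As an added example, not from the slides, the VO/VOMS split of slides 27-32 modelled in Ruby: a VO's VOMS server signs an attribute (an FQAN such as /cms/Role=production) for a registered member, and a site that already knows the authenticated DN from the x.509 handshake checks the attribute against its pre-installed VOMS public key and then applies its own VO-to-account policy. The VO names, members, FQANs and account mapping are constructed, and the attribute is a plain signed record standing in for the VOMS attribute certificate that real VOMS embeds in the proxy.

```ruby
require 'openssl'

# Constructed VOs: each VO runs a VOMS server with a signing key; sites pre-install only the public halves.
VOMS_KEYS = %w[cms ligo hcc].to_h { |vo| [vo, OpenSSL::PKey::RSA.generate(2048)] }
VOMS_PUBLIC = VOMS_KEYS.transform_values(&:public_key)
# Who each VO has registered, and which FQANs (VOMS attributes such as /cms/Role=production) they may hold.
MEMBERS = { 'cms' => { '/CN=Igor' => ['/cms', '/cms/Role=production'] }, 'ligo' => { '/CN=Ann' => ['/ligo'] } }

# VO side (slide 31): VOMS issues a signed attribute to a registered member; the signature binds holder,
# FQAN and expiry together, so neither the user nor a site can alter any of them afterwards.
def voms_issue(vo, holder, fqan, ttl = 3600)
  raise "#{vo} has not registered #{holder} for #{fqan}" unless MEMBERS.dig(vo, holder)&.include?(fqan)
  attr = { holder: holder, fqan: fqan, exp: Time.now.to_i + ttl }
  attr.merge(sig: VOMS_KEYS[vo].sign(OpenSSL::Digest.new('SHA256'), attr.values.join("\n")))
end

# Site side (slides 28-32): each site decides autonomously which VOs (and which FQANs) it supports and
# which local account they map to; nothing in OSG can force it to add a line here.
SITE_POLICY = { 'cms' => { '/cms' => 'cmsuser', '/cms/Role=production' => 'cmsprod' }, 'hcc' => { '/hcc' => 'hccuser' } }

# authenticated_dn is what the x.509 handshake already established. Authorization is a separate question:
# is the attribute genuine, unexpired and about this DN, and does site policy map it to an account?
def authorize(authenticated_dn, attr, now = Time.now)
  vo = attr[:fqan].split('/')[1]
  key = VOMS_PUBLIC[vo]
  return [:deny, "no VOMS certificate installed for VO #{vo}"] unless key
  signed = [attr[:holder], attr[:fqan], attr[:exp]].join("\n")
  return [:deny, 'VOMS signature does not verify'] unless key.verify(OpenSSL::Digest.new('SHA256'), attr[:sig], signed)
  return [:deny, 'attribute expired'] if attr[:exp] < now.to_i
  return [:deny, "attribute belongs to #{attr[:holder]}, not #{authenticated_dn}"] if attr[:holder] != authenticated_dn
  account = SITE_POLICY.dig(vo, attr[:fqan])
  account ? [:allow, account] : [:deny, "site policy has no mapping for #{attr[:fqan]}"]
end
```

A LIGO member authenticates fine at this site but is still denied, which is exactly the driver's-license-at-the-nuclear-plant distinction of slide 27.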

Slide 33: Are we done yet?
Yes. At least for now. More details Thursday.

Slide 34: Copyright statement
● This presentation contains images copyrighted by ToonClipart.com
● These images have been licensed to Igor Sfiligoi for use in his presentations
● Any other use of them is prohibited