Security in ARC
Aleksandr Konstantinov, Weizhong Qiang
NorduGrid collaboration
Middleware Security Group Meeting, SWITCH, Zürich, 30 March 2009

ARC in a nutshell
Advanced Resource Connector: general purpose Open Source Grid middleware
One of the production grid middlewares
Developed & maintained by the NorduGrid Collaboration
Deployment support, extensive documentation, available on most of the popular Linux distributions
Lightweight architecture for a dynamic heterogeneous system following Scandinavian design principles:
  start with something simple that works for users and add functionality gradually
  non-intrusive on the server side
  flexible & powerful on the client side
  user- & performance-driven development
Production quality software since May 2002
First middleware ever to contribute to HEP data challenge
Strong commitment to standards & interoperability: JSDL, GLUE, active OGF player
Middleware of choice by many national grid infrastructures due to its technical merits: SweGrid, SWISS Grid(s), Finnish M-Grid, NDGF, etc.
Majority of ARC users are NOT from the HEP community
Illustrations: “Scandinavian Design beyond the Myth” www.scandesign.org
22/02/2018 www.nordugrid.org

Brief history of ARC
Y2K: Grid hype, European Data Grid (EDG), re-discovery of Globus Toolkit (version 1.1.4)
Back in 2001... HEP institutes from Scandinavia wanted to share their computing resources and jointly contribute to CERN/LHC computing
The birth of the “NorduGrid”, a research project of the NORDUNet2 program aimed to enable Grid in the Nordic countries
2002 February: decision to develop an alternative middleware by making use of Globus libraries. NorduGrid design, architecture, philosophy.
2002 May: 3rd NorduGrid Workshop, Helsinki: demonstration of the first version of the middleware. Since then the NorduGrid middleware has been used in production; first middleware ever to contribute to a production HEP data challenge.
2004 April: announcement of release 0.4 of NorduGrid middleware (also known as the Advanced Resource Connector), the first official release of this software.
2006 June: EU KnowARC project starts; aims at providing Web Service interfaces for ARC components.
2007 May: after a long hardening process, ARC version 0.6, the second stable release of the middleware, was released.
2008 August: a prototype version of the next generation ARC
2008 December: version 0.6.5 of production ARC released
All over the years: ARC has become one of the major grid middlewares used in production all over the world.

Deployment of ARC
Used in multiple production Grid infrastructures
Also by individual sites

Production ARC - overview
Provides reliable implementation of fundamental Grid services:
  The usual Grid security: single sign on, Grid ACLs (GACL), VOs (VOMS)
  Job submission: direct or via matchmaking and brokering
  Job monitoring & management
  Information services: resource aggregation, representation, discovery and monitoring
Implements core data management functionality
  Storage Elements
  Interfacing to Data Indexing, client-side data movement
  Automated seamless input/output data movement
Logging service
Builds upon open source solutions and protocols
  Globus Toolkit® pre-WS API and libraries (no services!)
  OpenLDAP, OpenSSL, SASL, SOAP, GridFTP, GSI

Production ARC - protocols
Uses X.509 for authentication of users
Uses communication protocols which provide data integrity and protection
  GridFTP: used for most communications, including communication with the Computing Element
  HTTPS
  Third-party proprietary protocols: data management – RLS, LFC
Unprotected communication
  LDAP: used by the Information System

Production ARC - authorization
Relatively thin layer integrated into the communication stack
Strongly coupled with delegation
Based on information stored in the X.509 certificate
Simple hard-coded and configurable authorization rules
  DN of X.509
  VOMS attributes
  External plugin/executable
  LCAS framework
Some services implement their own authorization based on internal information
  Hard-coded rules
  GACL policies

Production ARC - delegation
Full identity delegation - X.509 Proxy Certificates
Used by the Computing Element to retrieve and store data on behalf of the original user
No additional restrictions put into Proxy Certificates
Delegation performed as part of the GSI handshake
  Embedded into the GridFTP protocol
Support for renewal of delegated credentials
  Support for MyProxy service (for renewal)

Overview of new ARC components
A Web-service based solution
Strategy: interoperability via open standards
  BES, JSDL, GLUE, SRM, GridFTP, X509, SAML
  Participation in standardization and profiling activities (OGF)
Migration plan: gradually replace ARC components with new modules, possibly co-deploying both initially
  For the transitional period gateway-like solutions are necessary
  Targeting gLite, Unicore, production ARC

Service decomposition (diagram)

New components
Hosting Environment (Daemon) HED
  Flexible service hosting and development framework
  Takes care of the networking layer (e.g. SOAP)
  Available on MS Windows and Mac OS as well as Linux
  Offers Python and Java language bindings in addition to the native C++
A-REX (computing element)
Central Information Indexing service (to become P2P distributed)
Distributed Storage System services
Security framework (including delegation)
ARCLIB and powerful command-line tools
  Including plugins for production ARC, gLite CREAM CE, Unicore

Modular approach
New ARC services and clients are based on a modular approach
  Message Chain Component (MCC): protocol layer module
  Data Management Component (DMC): full data protocol(s)
  ARC Client Component (ACC): job submission and control modules
  Security Handler Component (SHC): security related attributes collection and handling; policies and attributes evaluation
Diagram (labels only): TCP MCC, TLS MCC, HTTP MCC; X.509 DN, VOMS, PC Policy

New security modules
Security Handler components
  X.509 generic information extraction
  VOMS information extraction
  WS-Security extraction and insertion
    X.509 Token Profile
    Username Token Profile
  Local policy evaluation
  Remote policy evaluation (call to remote service)
  X.509 proxy certificate policy evaluation
Future plans
  WS-S SAML Token Profile
  Consumption of SAML assertions (from SAML token, and SAML 2.0 SSO profile)
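The Username Token Profile named above is the one WS-Security mechanism on this slide that can be shown end to end without a certificate library. The following is an added example, not ARC code: the client side inserts a wsse:UsernameToken with a PasswordDigest (Base64 of SHA-1 over nonce, Created and password, as the OASIS profile defines it), and the service side extracts it and verifies it, rejecting clear-text passwords, stale Created timestamps and reused nonces. The user table, clock value, nonce cache and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

# Namespaces and type URIs from the OASIS WS-Security 1.0 specifications
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the
    raw (decoded) bytes. SHA-1 is what the profile mandates, not a choice here."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_security_header(username: str, password: str, created: datetime,
                          nonce: Optional[bytes] = None) -> str:
    """Client side (SHC 'insertion'): produce a wsse:Security header."""
    nonce = nonce or secrets.token_bytes(16)
    created_str = created.strftime(TIME_FMT)
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_DIGEST}">'
        f'{password_digest(nonce, created_str, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">'
        f'{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created_str}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security>'
    )


def extract_username_token(header_xml: str) -> dict:
    """Service side (SHC 'extraction'): pull the token fields out of the header."""
    root = ET.fromstring(header_xml)
    tok = root.find(f"{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no UsernameToken in header")
    pw = tok.find(f"{{{WSSE}}}Password")
    return {
        "username": tok.findtext(f"{{{WSSE}}}Username"),
        "password_type": pw.get("Type") if pw is not None else None,
        "digest": pw.text if pw is not None else None,
        "nonce": base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or ""),
        "created": tok.findtext(f"{{{WSU}}}Created"),
    }


def verify_username_token(token: dict, secret_for_user, seen_nonces: set,
                          now: datetime, max_skew: timedelta = timedelta(minutes=5)):
    """Check token type, freshness, nonce uniqueness and the digest itself.
    seen_nonces is a replay cache the service must keep for at least max_skew."""
    if token["password_type"] != PASSWORD_DIGEST:
        return False, "clear-text passwords not accepted"
    try:
        created = datetime.strptime(token["created"], TIME_FMT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return False, "missing or malformed Created"
    if abs(now - created) > max_skew:
        return False, "token outside freshness window"
    if token["nonce"] in seen_nonces:
        return False, "nonce already used (replay)"
    secret = secret_for_user(token["username"])
    if secret is None:
        return False, "unknown user"
    expected = password_digest(token["nonce"], token["created"], secret)
    if not hmac.compare_digest(expected, token["digest"] or ""):
        return False, "digest mismatch"
    seen_nonces.add(token["nonce"])
    return True, "ok"


# Constructed sample data: one user, a fixed clock and an empty replay cache
USERS = {"alice": "correct horse battery staple"}
NOW = datetime(2009, 3, 30, 10, 0, 0, tzinfo=timezone.utc)


def demo():
    """Accept a fresh token, then reject its replay, a stale copy and a bad password."""
    cache = set()
    header = build_security_header("alice", USERS["alice"], NOW)
    token = extract_username_token(header)
    first = verify_username_token(token, USERS.get, cache, NOW)
    replay = verify_username_token(token, USERS.get, cache, NOW + timedelta(seconds=30))
    stale = verify_username_token(token, USERS.get, set(), NOW + timedelta(hours=1))
    bad = extract_username_token(build_security_header("alice", "wrong", NOW))
    wrong = verify_username_token(bad, USERS.get, set(), NOW)
    return [first[1], replay[1], stale[1], wrong[1]]


if __name__ == "__main__":
    print(demo())
```

The digest only proves possession of the password to a service that already holds it; it does not hide the password from an offline guess against a captured header, so the token still belongs on a TLS-protected channel, which is what the HED message chain (TLS MCC under HTTP MCC) provides.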

New security modules
Evaluation of policies
  Modular – Policy Decision Point components
Supported policy expressions/languages
  Lists of X.509 DNs – gridmap-like
  Grid Access Control List (GACL)
  Proprietary ARC policy language
    XML based
    Similar to XACML with simplification for (relative) user-friendliness
Future plans
  SAML support
  XACML support

New approach for delegation
Still full identity delegation - X.509 Proxy Certificates
WS Port type for delegating credentials to service
  Implemented by services which accept delegation
Support for proxy policies
  According to RFC 3820
  policyLanguage = id-ppl-anyLanguage
  policy = ARC Policy XML document
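The difference between the production ARC delegation slide ("no additional restrictions put into Proxy Certificates") and this one is the RFC 3820 ProxyCertInfo extension, so it is worth seeing what that extension actually carries. The block below is an added example written for this page, not ARC or Globus code: it DER-encodes and decodes the ProxyCertInfo structure with only the standard library, then applies the relying-party checks a service would run on it. The OIDs are the ones RFC 3820 assigns; the policy document is a constructed placeholder standing in for the ARC policy XML, whose schema the slide does not show, and the check function's rule for anyLanguage (the payload must at least parse as XML) is this example's own.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# OIDs assigned by RFC 3820
ID_PE_PROXYCERTINFO = "1.3.6.1.5.5.7.1.14"   # the extension itself (must be critical)
ID_PPL_ANYLANGUAGE = "1.3.6.1.5.5.7.21.0"    # what the slide says ARC uses
ID_PPL_INHERITALL = "1.3.6.1.5.5.7.21.1"     # full proxy, no policy body
ID_PPL_INDEPENDENT = "1.3.6.1.5.5.7.21.2"    # no rights inherited, no policy body


# --- minimal DER helpers, just enough for ProxyCertInfo ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _encode_int(n: int) -> bytes:
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


# ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL, proxyPolicy ProxyPolicy }
# ProxyPolicy   ::= SEQUENCE { policyLanguage OBJECT IDENTIFIER, policy OCTET STRING OPTIONAL }
def encode_proxy_cert_info(language: str, policy: Optional[bytes] = None,
                           path_len: Optional[int] = None) -> bytes:
    proxy_policy = _encode_oid(language)
    if policy is not None:
        proxy_policy += _tlv(0x04, policy)
    body = b"" if path_len is None else _encode_int(path_len)
    return _tlv(0x30, body + _tlv(0x30, proxy_policy))

def decode_proxy_cert_info(der: bytes) -> dict:
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ProxyCertInfo must be a SEQUENCE")
    path_len = None
    tag, inner, pos = _read_tlv(body, 0)
    if tag == 0x02:                           # optional pCPathLenConstraint
        path_len = int.from_bytes(inner, "big")
        tag, inner, pos = _read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("proxyPolicy must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(inner, 0)
    if tag != 0x06:
        raise ValueError("policyLanguage must be an OBJECT IDENTIFIER")
    policy = None
    if pos < len(inner):                      # optional policy OCTET STRING
        tag, policy, _ = _read_tlv(inner, pos)
        if tag != 0x04:
            raise ValueError("policy must be an OCTET STRING")
    return {"path_len": path_len, "language": _decode_oid(oid_body), "policy": policy}


def check_proxy_policy(info: dict):
    """Relying-party rule used by this example: the two built-in languages carry
    no policy body; anyLanguage (the ARC case) must carry a document this party
    can parse, here well-formed XML; a language it cannot evaluate is rejected."""
    lang, policy = info["language"], info["policy"]
    if lang in (ID_PPL_INHERITALL, ID_PPL_INDEPENDENT):
        if policy is not None:
            return False, "built-in policy language must not carry a policy body"
        return True, "ok"
    if lang == ID_PPL_ANYLANGUAGE:
        if policy is None:
            return False, "anyLanguage without a policy document"
        try:
            ET.fromstring(policy)
        except ET.ParseError:
            return False, "policy is not a well-formed XML document"
        return True, "ok"
    return False, "unknown policy language " + lang

def delegation_allowed(info: dict, proxies_below: int) -> bool:
    """pCPathLenConstraint bounds how many further proxies may hang below this one;
    0 means this proxy may not sign another proxy at all."""
    return info["path_len"] is None or proxies_below <= info["path_len"]


def demo() -> dict:
    # Constructed placeholder for the ARC policy XML document (schema not shown on the slide)
    arc_policy = b'<Policy><Rule Effect="Permit"><Resource>urn:example:job</Resource></Rule></Policy>'
    der = encode_proxy_cert_info(ID_PPL_ANYLANGUAGE, arc_policy, path_len=0)
    info = decode_proxy_cert_info(der)
    return {"extension_oid": ID_PE_PROXYCERTINFO, "critical": True, "der_hex": der.hex(),
            "language": info["language"], "verdict": check_proxy_policy(info),
            "may_delegate_further": delegation_allowed(info, 1)}

if __name__ == "__main__":
    print(demo())
```

The two things a service must not skip are marking the extension critical when issuing (so that relying parties unaware of RFC 3820 refuse the proxy instead of treating it as an ordinary end-entity certificate) and refusing any policy language it cannot evaluate when validating; a proxy with a policy it silently ignores is a full-identity proxy again.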

New security services (very much work in progress)
Policy decision service
  Accepts policy evaluation request
  Returns evaluation result
Short-lived credential service
  Accepts Shibboleth tokens
  Generates short-lived X.509 credentials
  SAML attribute assertion returned from Shibboleth IdP is embedded as certificate extension
  The credential can then be used to access services which require X.509 credentials

New security services (very much work in progress)
Delegation service (DS)
  Web Service for X.509 credential delegation
  Functionality similar to MyProxy – but uses standard communication channel
  Acts as intermediate for passing delegated credentials from client to service
Corresponding Security Handler Component to (almost) seamlessly
  Delegate credentials to DS on client side
  Fetch credentials from DS on service side

Unified security in ARC
Every service developed in HED gets generic security infrastructure
  Information collected and processed at protocol levels
  Authorization decisions based on protocol specific information
  Authorization configuration fully depends on deployment
Every service can implement its own authorization
  Through pluggable modules
  Using direct support of the policy evaluation library

Unified security in ARC
Services which implement their own authorization
  A-REX – BES compliant Grid Computing Element: per Grid Job authorization policies
  Storage system (multiple services): per stored entity authorization policies
  Inter-service trust relationship
  Service properties filtering (GLUE2 documents over WSRF)
    Each node in the XML document may have a policy attached
    The document is pre-filtered by matching policies to the authentication tokens provided by the client
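Two of the mechanisms on these slides fit in one small piece of code: the GACL evaluation listed under the supported policy languages (also the "GACL policies" of production ARC), and the per-node pre-filtering of a service-properties document described just above. The block is an added example for this page, not ARC or GridSite code. The entry matching follows the GridSite GACL format (person/dn, voms/fqan, any-user, auth-user; all credentials in an entry must match; a deny anywhere overrides an allow anywhere), with FQANs matched exactly as a simplification. Attaching a GACL element to nodes of the information document is this example's stand-in for the ARC policy language the slide mentions; the document itself uses GLUE2-flavoured element names but is constructed, as are the DNs and FQANs.

```python
import copy
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional, Set


def _credential_matches(cred: ET.Element, dn: Optional[str], fqans: Iterable[str]) -> bool:
    """Match one credential element of a GACL <entry> against the client's tokens."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "auth-user":
        return dn is not None
    if cred.tag == "person":
        return dn is not None and cred.findtext("dn") == dn
    if cred.tag == "voms":
        return cred.findtext("fqan") in fqans      # exact FQAN match only (simplification)
    return False                                   # unknown credential type: fail closed


def gacl_permissions(gacl: ET.Element, dn: Optional[str], fqans: Iterable[str]) -> Set[str]:
    """Union of <allow> over matching entries minus union of <deny>: deny wins."""
    allowed, denied = set(), set()
    for entry in gacl.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(_credential_matches(c, dn, fqans) for c in creds):
            continue
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block)
    return allowed - denied


# Constructed per-entity policy: Alice is allowed read and write, anybody may
# list, but write is denied to everyone, which overrides Alice's allow.
FILE_GACL = ET.fromstring("""<gacl version="0.0.1">
  <entry><person><dn>/O=Grid/CN=Alice</dn></person><allow><read/><write/></allow></entry>
  <entry><any-user/><allow><list/></allow><deny><write/></deny></entry>
</gacl>""")

# Constructed information document; a <gacl> child is the policy attached to a node.
INFO_DOC = """<Domains>
  <AdminDomain ID="urn:ad:example">
    <Services>
      <ComputingService ID="urn:cs:public"><Name>public-ce</Name></ComputingService>
      <ComputingService ID="urn:cs:atlas">
        <gacl><entry><voms><fqan>/atlas/Role=production</fqan></voms><allow><read/></allow></entry></gacl>
        <Name>atlas-ce</Name>
        <ComputingEndpoint ID="urn:ep:atlas:internal">
          <gacl><entry><person><dn>/O=Grid/CN=Alice</dn></person><allow><read/></allow></entry></gacl>
        </ComputingEndpoint>
      </ComputingService>
    </Services>
  </AdminDomain>
</Domains>"""


def _prune(elem: ET.Element, dn: Optional[str], fqans: Iterable[str]) -> None:
    for child in list(elem):
        policy = child.find("gacl")
        if policy is not None:
            if "read" not in gacl_permissions(policy, dn, fqans):
                elem.remove(child)             # whole subtree disappears with its parent
                continue
            child.remove(policy)               # never leak the policy itself to the client
        _prune(child, dn, fqans)


def filter_document(doc: ET.Element, dn: Optional[str], fqans: Iterable[str]) -> ET.Element:
    """Copy of doc keeping only nodes whose attached policy grants 'read' to the
    client; nodes without a policy inherit visibility from their parent."""
    out = copy.deepcopy(doc)
    _prune(out, dn, fqans)
    return out


def visible_ids(dn: Optional[str], fqans: Iterable[str]) -> List[str]:
    """IDs of services and endpoints a client with these tokens gets to see."""
    doc = filter_document(ET.fromstring(INFO_DOC), dn, fqans)
    return sorted(e.get("ID") for e in doc.iter()
                  if e.tag in ("ComputingService", "ComputingEndpoint"))


if __name__ == "__main__":
    print(gacl_permissions(FILE_GACL, "/O=Grid/CN=Alice", []))
    print(visible_ids(None, []))
    print(visible_ids("/O=Grid/CN=Alice", ["/atlas/Role=production"]))
    print(visible_ids("/O=Grid/CN=Alice", []))
```

Note the last case: Alice's DN matches the endpoint's own policy, but without the VOMS attribute the enclosing ComputingService is pruned first, so the endpoint is never reached. Filtering top-down this way means a node's policy can only narrow what its parent already exposes, which is the behaviour you want from a pre-filtered document.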

Questions?

Backups

New security clients
arcproxy: client utility for proxy generation
  Includes the functionality of grid-proxy-init, plus the embedding of delegation policy
  Includes the functionality of contacting a VOMS server and generating a proxy certificate with the VOMS AC inside
  Includes the functionality of contacting a MyProxy server (delegating a credential to the MyProxy server, and getting a delegated credential from the MyProxy server) using the Globus GSI protocol
arcslcs: client utility for SLC generation
  As the client of the SLCS service

New security services
Service Provider service
  HTTP layer service
  In charge of the Service Provider (SP) functionality of the SAML 2.0 SSO profile
  Acts together with the client interface (in charge of the user agent functionality of SAML 2.0 SSO) and the Shibboleth IdP (2.0)
  The SP service shares the same session with other services (one SP service per container)
  SSL client certificate authentication should be switched off
Service Provider service (cont.)
  SAML attribute assertion can be used for access control
  Benefit: use a community credential (username/password) as a replacement for the X.509 credential