GRID Workshop – Toulouse IAS – October 20th – Ground segment & products Department: Globus TK4 experiment for image data processing: security architecture, CNES feedback

Slide 1: Globus TK4 experiment for image data processing: security architecture, CNES feedback. Anne Jean-Antoine Piccolo

Slide 2: Introduction
A Grid architecture is a distributed architecture. From a logical view, four sub-systems compose a grid:
- administration (software and hardware allocation & administration, VO management),
- job management (user request analysis, resource allocation & status monitoring, workflow execution),
- job processing (storage and processing facilities, file handlers, data transfer tools),
- security (user access control, data flow security, event monitoring).
Here, we focus on the security subsystem.
A specific security requirements analysis was derived from the CNES high-level security requirements applicable to a CNES-designed system built on a distributed architecture that allows users from different organizations:
- to work according to a collaborative schema,
- to share resources.

Slide 3: Grid overall architecture (target)

Slide 4: Security studies: the methodology
CNES led security studies based on the target architecture above, following the classical methodology:
1. Consequences assessment: comparison between security criteria (availability, integrity, confidentiality, imputability) and sensitivity levels (no impact, minor, major, critical, vital) for user data, grid management data and security data.
2. Threat analysis.
3. Risk analysis and a first definition of security objectives in terms of network security, data and software integrity, processing control & monitoring, I&A (identification & authentication), authorization, data flow, data protection, and so on.
4. Are the risks covered by the security objectives?
5. Security architecture: a first proposal => functional security requirements (ISO/IEC 15408).
6. List of uncovered (residual) risks.

Slide 5: Global security needs to be met
- Needs issued from the Virtual Organizations:
  - protection of their resources (user data and software),
  - availability of the grid infrastructure hosting their resources (for user request processing).
- Needs issued from providers of grid resources:
  - grid resources under full control of local administrators,
  - security of resources which are not provided to the grid => need to isolate these resources from the grid ones.

Slide 6: Identification of Grid Context (1/2)
Grid use cases:
- user requests for accessing computing software implemented on CNES machines:
  - resources (software or data) known before request processing,
  - resources that have to be dynamically allocated step by step;
- user requests for accessing VO resources (software, data) and CNES resources (servers), resulting in backward data transfers (e.g. computing results): a command flow in input and a data flow in output;
- user requests for accessing resources (software, data) located outside CNES.
Resulting security concerns:
- authentication of user requests and of jobs running on behalf of the user,
- integrity of software and data implemented on CNES resources,
- control of dynamically accessed resources,
- data in/out transfers,
- isolation of CNES resources from the VOs, except for resources formally designated as accessible to users.

Slide 7: Identification of Grid Context (2/2)
Resource classification:
- systems supporting tools and services devoted to grid utilization,
- systems devoted to grid management: authentication, authorization, allocation, information,
- user workstations located outside CNES,
- network protocols for:
  - calling remote requests,
  - cascading authentication (SSL/TLS with delegation),
  - routing and localization services or nodes (OSPF, DNS),
  - transferring files (e.g. ftp, gridftp),
  - transferring data (e.g. http/SOAP),
  - accessing security data (e.g. LDAP),
  - information notification,
  - communications between grid management services (depending on the grid middleware).

Slide 8: Architecture overview: CS recommendations

Slide 9: Chistera over Globus GT4: experiment configuration
CNES local network, IPCOP firewall. Objective: to experiment with Globus through a firewall and test the feasibility of the security architecture (simulating a grid external to CNES).

Slide 10: Summary of traffic characteristics for Globus GT4
- If Globus is behind a firewall, some ports need to be opened: 2119 (gatekeeper), 2811 (gridftp) and 2135 (GIS).
- Globus will also need a range of ports opened for GASS (Global Access to Secondary Storage). To inform Globus of the port range, set the GLOBUS_TCP_PORT_RANGE variable in the "xinetd" files and in the user start-up scripts.
- The size of the port range depends on how many services are expected; generally a range of a couple of thousand ports is needed.

Slide 11: Summary of traffic characteristics for Globus GT4 (table)
(*) CEP: Controllable Ephemeral Port. (*) TCP: Transmission Control Protocol.
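The port list on slide 10 (2119, 2811, 2135 plus the GLOBUS_TCP_PORT_RANGE window) is the input a firewall administrator actually has to turn into rules. The following added example, which is not part of the CNES/CS slides, validates a GLOBUS_TCP_PORT_RANGE value (Globus expects the "min,max" form) and prints iptables rules that open the fixed GT4 ports and the controllable ephemeral range only to the peer grid site, rather than to the whole Internet. The peer subnet 192.0.2.0/24 and the 5000-port ceiling are constructed placeholders; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example (not from the slides): firewall rules for a GT4 node.
# Fixed service ports listed on slide 10: gatekeeper, GridFTP, GIS.
GT4_FIXED_PORTS="2119 2811 2135"

# check_port_range MIN,MAX -> 0 if well-formed, above the privileged
# ports, inside 16 bits and not wider than needed (ceiling assumed: 5000,
# since the slides say a couple of thousand ports are usually enough).
check_port_range() {
    min=${1%%,*}; max=${1#*,}
    case "$min$max" in *[!0-9]*|"") return 1 ;; esac
    [ "$min" -gt 1023 ] && [ "$max" -gt "$min" ] && [ "$max" -le 65535 ] || return 1
    [ $((max - min)) -le 5000 ] || return 1
    return 0
}

# gt4_fw_rules PEER_CIDR MIN,MAX -> prints iptables rules (does not apply them)
gt4_fw_rules() {
    peer=$1; range=$2
    check_port_range "$range" || { echo "bad GLOBUS_TCP_PORT_RANGE: $range" >&2; return 1; }
    min=${range%%,*}; max=${range#*,}
    for p in $GT4_FIXED_PORTS; do
        echo "iptables -A INPUT -p tcp -s $peer --dport $p -m state --state NEW -j ACCEPT"
    done
    # The CEP window is reachable only from the peer site; everything else is dropped.
    echo "iptables -A INPUT -p tcp -s $peer --dport $min:$max -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $min:$max -j DROP"
}

# count_rules PEER_CIDR MIN,MAX -> number of rule lines produced
count_rules() { gt4_fw_rules "$1" "$2" | wc -l | tr -d ' '; }
```

Run `gt4_fw_rules 192.0.2.0/24 40000,42000` to print the rule set; pipe it into `sh` only after reviewing it on the firewall host.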

Slide 12: A Chistera processing demonstration
(diagram: CHISTERA processing, synoptic of high-resolution processing, from intermediate product to high-resolution product)
- Integrated into the Spot 5 user ground segment.

Slide 13: Chistera monitoring using GRAM commands
Master: image splitting; data sending and command monitoring; image gathering and assembly.
Slaves: data reception; command monitoring; CHISTERA treatment; results sending.
Data transfer: globus-url-copy. Control transfer: globus-job-run.

Slide 14: Chistera monitoring using GRAM commands (deployment)
Master: GT4 client. Slaves: a GRAM server and a GridFTP server on each slave.
Data transfer: globus-url-copy. Remote processing: globus-job-run.

Slide 15: Chistera monitoring using GRAM commands (network view)
Open ports: CEP. CNES internal network.

Slide 16: Chistera monitoring using web services (WSRF)
Master: image splitting; creation of job descriptions (XML); XML file sending; assembly.
Slaves/containers: XML file reception; container processing.
XML job submission: globusrun-ws.

Slide 17: Chistera monitoring using web services (WSRF) (deployment)
Master: GridFTP server, GT4 client. Slaves/containers: GT4 web service container.
XML job submission: globusrun-ws.

Slide 18: Chistera monitoring using web services (WSRF) (network view)
Open ports: 2811/tcp, CEP. CNES internal network.

Slide 19: Firewall consequences on transfer time: first results

Image processing         Transfer with firewall   Transfer without firewall   Ratio
(364 x 364) 280 s        50 s                     17 s                        2.9
(12000 x 12000) 1950 s   2446 s                   110 s                       22.2

- Globus feasibility through cascading firewalls proved,
- Not very compliant with performance requirements (explain why?) => a user recommendation can be to define a complete workflow that avoids several requests from outside.

Slide 20: CPU load
(chart: CPU load per phase, splitting phase, treatment, assembly; series Imalise1, Imalise2, Solex)

Slide 21: CNES feedback
- Some technical results reached and a strong involvement of the CS company in the R&D project,
- A promising technology for future distributed ground segments if we adjust the architecture design and project needs,
- A good collaboration between the CS company and the CNES security experts,
- Grid technology trends need expertise in different fields: security, middleware, architecture design, ... (not always available in our organization!),
- A weak involvement from the CNES directors yet => strong support is needed if we want GRID to succeed and be used in our future projects.