Presented by Justin Burruss CLADE 2005 Research Triangle Park, NC July 24, 2005 Simplifying FusionGrid.


Simplifying FusionGrid Security
Presented by Justin Burruss, CLADE 2005, Research Triangle Park, NC, July 24, 2005

Acknowledgements
U. S. Department of Energy
– OFES & OASCR (SciDAC)
DIII-D National Fusion Facility
– Operated by General Atomics
FusionGrid collaborators
– MIT, PPPL, LBL, ANL, Utah CS, Princeton CS

Outline
Background
– What is fusion?
– What is FusionGrid?
Problem
– Initial FusionGrid security did not meet needs
Solution
– Credential management
– Authorization management
Outcome
Conclusion

Presentation Key Points
FusionGrid required security across administrative domains that
– met site security needs
– met resource owner needs
– did not stifle developer innovation
– was usable by mere mortals
FusionGrid developers addressed these needs by
– replacing self-management of credentials with MyProxy
– creating a grid-wide authorization management system (ROAM)
Users, admins, and developers responded positively

Fusion science seeks an environmentally & economically attractive power plant
Fusion is when you combine two atoms into one atom
Energy is released from this fusion reaction
An attractive power source
– Abundant fuel available to all nations
– Environmentally friendly
– No proliferation risk
– Can’t blow up/melt down
– Not subject to weather/seasonal issues
– Concentrated relative to wind/solar

Fusion research takes place across the U. S.

Fusion research takes place worldwide

Fusion research today is a team effort
DIII-D has active collaborators on four continents

Fusion research will continue to be a team effort
The Six ITER Partners

FusionGrid created for better use of resources
U. S. Fusion Grid (FusionGrid) aims to make more efficient use of computing resources
– Access is stressed rather than portability
– Not CPU cycle scavenging or “distributed” supercomputing
Share resources between sites
– Reduce duplication of effort
– Exploit comparative advantage
Develop a common tool set for fusion
– Globus Toolkit (GRAM & GSI)
– Access Grid and VRVS

Securing the computational resources of FusionGrid while keeping them usable is the security goal
Need to allow resource owners to control access to their resources
Starting with first FusionGrid service in 2002, Globus Toolkit used
– GSI
– GRAM
– grid-mapfiles
Was supplemented with Akenti for fine-grained authorization
Need to identify FusionGrid users
– Tricky as they exist in separate administrative domains

Problem #1: self-management of credentials was too burdensome to FusionGrid scientists
Commands a scientist had to run to turn a browser-exported PKCS#12 file into the PEM certificate and key that GSI expects (the slide's own illustration; the certificate extraction uses the pkcs12 subcommand and ordinary hyphens):
    openssl pkcs12 -in cert.p12 -clcerts -nokeys -out usercert.pem
    openssl pkcs12 -in cert.p12 -nocerts -out userkey.pem
    /etc/grid-security/grid-mapfile
Early use of X.509 certificates demonstrated that requiring each scientist to manage their own credentials was too much of a burden
– Browser/platform problems
– Exporting/converting/installing
– Had to learn new concept
Scientists need to get work done, not figure out how to work with certificates
A solution was needed
– Make things simple for the users

Problem #2: authorization relied on grid-mapfiles and lacked a big-picture coherence
Site administrators need to control access to their sites
Resource providers need to control access to their codes/data
Users just need to get work done
In this distributed environment, it was easy to get lost
A solution was needed

Security was simplified through a credential manager and a new authorization system
Self-management of credentials was too hard for users
– Get rid of self-management where possible: use MyProxy to get rid of import/export/installation tasks
– Make remaining tasks easier: credential manager to request/renew/revoke certs; password hint/change
Authorization was too hard for users (and admins)
– Created an authorization system (ROAM)
– Build a coherent model of grid-wide authorization
– Centralize authorization information
– Leave room for innovation

Credential manager simplified many tasks
MyProxy used to store delegated proxy certificates
– Users retrieved delegation when they “sign in” to FusionGrid
– Username/password: understood by all
Credential manager created simple web interface for many tasks
– Request certificate
– Request password hint
– Change password
– User registration process
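The property the slide relies on is that the long-lived credential never leaves the server: a scientist who "signs in" with a username and password receives only a short-lived delegation. The following model is an added example, not MyProxy's code or protocol; the store layout, the 12-hour cap on delegated lifetime, the user names and the token that stands in for a delegated proxy certificate are all constructed for illustration.

```python
"""Model of a MyProxy-style credential store (added example, not MyProxy itself)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumed cap on how long a delegation handed to a client may live.
MAX_DELEGATION_SECONDS = 12 * 3600


@dataclass
class StoredCredential:
    salt: bytes
    pw_hash: bytes
    credential_expires: int   # epoch seconds; the long-lived credential kept server-side
    dn: str                   # grid identity the credential carries


@dataclass
class Delegation:
    dn: str
    expires: int
    token: str                # stand-in for the delegated proxy certificate


class CredentialStore:
    def __init__(self):
        self._users = {}
        self.audit = []       # (username, success) per sign-in attempt

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, dn, credential_expires):
        """Registration step: the credential stays here; the user keeps only a password."""
        salt = os.urandom(16)
        self._users[username] = StoredCredential(
            salt, self._hash(password, salt), credential_expires, dn)

    def _check(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            self._hash(password, bytes(16))   # same work for unknown users
            return False
        return hmac.compare_digest(self._hash(password, rec.salt), rec.pw_hash)

    def change_password(self, username, old, new):
        if not self._check(username, old):
            return False
        rec = self._users[username]
        rec.salt = os.urandom(16)
        rec.pw_hash = self._hash(new, rec.salt)
        return True

    def sign_in(self, username, password, now, requested_seconds=MAX_DELEGATION_SECONDS):
        """Return a short-lived delegation, or None if the password is wrong or
        the stored credential has (nearly) expired."""
        ok = self._check(username, password)
        self.audit.append((username, ok))
        if not ok:
            return None
        rec = self._users[username]
        lifetime = min(requested_seconds, MAX_DELEGATION_SECONDS,
                       rec.credential_expires - now)
        if lifetime <= 0:
            return None
        return Delegation(rec.dn, now + lifetime, secrets.token_hex(16))


def demo():
    """Constructed walk-through: register, sign in, ask for too long, change password."""
    store = CredentialStore()
    now = 1_000_000
    store.register("alice", "correct horse", "/O=FusionGrid/CN=Alice Example",
                   credential_expires=now + 30 * 86400)
    d = store.sign_in("alice", "correct horse", now, requested_seconds=7 * 86400)
    clamped = d is not None and d.expires - now == MAX_DELEGATION_SECONDS
    rejected = store.sign_in("alice", "wrong", now) is None
    store.change_password("alice", "correct horse", "new passphrase")
    old_pw_dead = store.sign_in("alice", "correct horse", now) is None
    return clamped, rejected, old_pw_dead


if __name__ == "__main__":
    print(demo())
```

The delegation lifetime is bounded three ways: by what the client asked for, by the server cap, and by the remaining validity of the stored credential, so a stolen delegation is worth far less than a stolen user key would have been.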

A coherent authorization information model laid the foundation for a new authorization system (ROAM)
Resource Oriented Authorization Manager (ROAM)
Focus on resources
– A resource can be a code, a database, an entire site
– If you have to sign a form to use it, it’s probably a resource
Empower stakeholders to specify types of permissions

Users and admins interact with ROAM through a secure web page
Users request authorization through web page
Admins grant authorization through same page
– Create new resource or permissions
– View your permissions
– Show log of queries

Centralization simplified FusionGrid authorization (Before)

Centralization simplified FusionGrid authorization (After)

ROAM avoids push model of authorization
User “signs in” as normal, tries to use resource as normal
Resource queries ROAM for authorization information and makes authorization decision based on that information

Example: a typical two-rule authorization policy
Authorization policy for a service S1 might be
1. user must have access permission on site S0, and
2. user must have execute permission on code S1
Service sends two queries to ROAM
If answers are both yes, user can use the service

Context field used for user/group mapping, so no more grid-mapfiles needed
Context field can be used for anything, but so far is being used for username/group mapping
GRAM & MDSplus fusion database can call ROAM
– No more grid-mapfiles
– Similarly, no more “mdsip.hosts” files for MDSplus fusion database system

ROAM an easier sell to site admins and developers
Site admins reluctant to put access control in hands of “somebody else’s” authorization system
But…if you’re merely consulting ROAM for authorization information, and letting each resource make decisions based on that information, it’s easier to get site admins to adopt
Developers are free to innovate
– Could implement complex authorization policies
Works well with multiple stakeholders
– If you need site access and code permission, both can be modeled and either administrator can stop user
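The four slides above (pull model, the two-rule policy, the context field replacing grid-mapfiles, and either stakeholder being able to stop a user) fit in one small model. This is an added example and not ROAM's own code, schema or API: the grant store, the query log, the resource names, the grid identities and the local usernames carried in the context field are all constructed for the illustration.

```python
"""Model of ROAM-style pull authorization (added example, not ROAM's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    user: str          # grid identity, e.g. a certificate DN
    resource: str      # a code, a database, or an entire site
    permission: str    # permission type chosen by the resource's stakeholder
    context: str = ""  # free-form; used here for the local username mapping


@dataclass
class Roam:
    """Central store of grid-wide authorization information (assumed layout)."""
    grants: set = field(default_factory=set)
    log: list = field(default_factory=list)   # ROAM shows a log of queries

    def grant(self, user, resource, permission, context=""):
        self.grants.add(Grant(user, resource, permission, context))

    def revoke(self, user, resource, permission):
        """Whichever stakeholder owns the resource can pull a single permission."""
        self.grants = {g for g in self.grants
                       if not (g.user == user and g.resource == resource
                               and g.permission == permission)}

    def query(self, user, resource, permission):
        """Answer one yes/no question and hand back the context; ROAM decides nothing."""
        for g in self.grants:
            if (g.user, g.resource, g.permission) == (user, resource, permission):
                self.log.append((user, resource, permission, True))
                return True, g.context
        self.log.append((user, resource, permission, False))
        return False, ""


def authorize_job(roam, user, site, code):
    """Service-side decision for the slides' two-rule policy.

    The service, not ROAM, combines the answers. Returns (allowed, local_username);
    the local username comes from the site grant's context field, which is what
    replaces the grid-mapfile entry."""
    site_ok, site_ctx = roam.query(user, site, "access")
    code_ok, _ = roam.query(user, code, "execute")
    if site_ok and code_ok:
        return True, site_ctx or None
    return False, None


# Constructed sample identities and resources.
ALICE = "/O=FusionGrid/CN=Alice Example"
BOB = "/O=FusionGrid/CN=Bob Example"
SITE = "site:example-lab"
CODE = "code:example-transport-code"


def build_sample_roam():
    roam = Roam()
    roam.grant(ALICE, SITE, "access", context="alice_local")   # site admin's grant
    roam.grant(ALICE, CODE, "execute")                          # code owner's grant
    roam.grant(BOB, SITE, "access", context="bob_local")        # Bob has no execute grant
    return roam


if __name__ == "__main__":
    roam = build_sample_roam()
    print(authorize_job(roam, ALICE, SITE, CODE))   # allowed, runs as alice_local
    print(authorize_job(roam, BOB, SITE, CODE))     # denied: code owner never granted
    roam.revoke(ALICE, SITE, "access")              # site admin withdraws site access
    print(authorize_job(roam, ALICE, SITE, CODE))   # denied again: either admin can stop a user
    for entry in roam.log:
        print(entry)
```

Because the decision is made at the resource, a site can adopt a stricter or entirely different policy (say, a third query on a group permission) without any change to ROAM, which is the point the slide makes about getting site administrators to adopt it.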

User feedback on new credential management positive
Put simply, nobody misses self-management of credentials
Scientists understand the metaphor
– username/password needed to “sign on” to grid
– no new knowledge needed (no training)
– easier to get work done
Other benefits:
– Password hint/change has been helpful
– MyProxy arguably more secure: users don’t interact with their files (which are kept on secure server) and instead “sign in”

Next steps
Fusion scientists use Mac OS X, Linux, and Windows
– Already did a partial port of GSI to Mac OS X (“GSI-lite”)
– Windows will be harder
– At least a partial GSI port to Windows needed so they can read their data from Windows machines
How scalable is ROAM?
– Expect model works even if all 2,000+ fusion scientists use it
– Will it scale to ITER? (next generation fusion device)
– So far, peak usage very light at 854 queries/hour
– Will be testing ROAM with a widely-used FusionGrid service to increase usage by order of magnitude

Conclusion: simplification of FusionGrid security made for happier users and administrators
The new credential management system is easier for users
– No need to learn new metaphor
– No self-management of credentials
– Friendly web interface
The new authorization system is easier for users, developers, and administrators
– Users have one place to go to request permissions
– Admins have one place to go to set permissions
– Developers have room to innovate
– Meets need to allow multiple stakeholders to control access