Grid security in the NAREGI project
NAREGI, the Japanese national science grid project, is doing research and development of grid middleware to create an e-Science infrastructure under the CSI (Cyber Science Infrastructure) concept. This presentation covers current issues and future plans regarding grid security, including VO management for interoperability between grid projects.
APAN Grid-Middleware Workshop 2006
CyberScience Infrastructure for Advanced Science (by NII)
[Figure: CSI overview diagram; labels recovered from the slide]
– Super-SINET: a next generation network infrastructure supported by NII and 7 National Computer Centers
– NAREGI Middleware
– UPKI
– Virtual Organization for science
– Scientific Repository
– Publication of scientific results from academia
– Human Resource Development and strong organization
– Industry Liaison and Social Benefit
– Global Contribution
– To Innovate Academia and Industry
Super SINET provides 10 Gbps Backbone
Grid for enabling Collaborative Computing
[Figure: researchers at University A, Overseas Lab B and Domestic Lab C connected over Super SINET to Experimental Devices, a Super Computer and a Data Base Server]
– Experiments using special devices
– Analysis using Super Computers
– Search in Data Bases
A Virtual Organization
– To realize a heterogeneous, large scale computational environment
– To share large and expensive devices and data bases
Security is a key issue to be solved!
NAREGI Software Stack (Beta ver. 2006)
[Figure: layered stack diagram; components by work package]
– SuperSINET
– Computing Centers & VOs: NII, IMS, KEK, Univ. Centers
– Globus 4 / NAREGI WSRF + Services Core
– WP1: Grid VM, Distributed Information Service, Super Scheduler
– WP2: Grid Programming (Grid RPC, Grid MPI)
– WP3: Grid PSE, GridVis, Grid Workflow
– WP4: Data Grid
– WP5: High Performance & Secure Grid Networking
– WP6: Grid-Enabled Nano-Applications
– Packaging
A Use Case: Job Submission with Reservation based Co-Allocation
[Figure: message flow between the components below]
– Client (WFT, PSE, GVS, GridRPC) submits a Workflow written in Abstract JSDL
– Super Scheduler produces Concrete JSDL for each Computing Resource (GridVM) and drives Reservation, Submission, Query, Control; Reservation based Co-Allocation across GridVMs, e.g. for GridMPI
– Information Service (DAI): Resource Query; GridVM publishes Resource Info. (CIM)
– Accounting: UR/RUS records from each GridVM
Security Requirements in AAA
Authentication (developed: NAREGI-CA, to be deployed in UPKI)
– PKI based user authentication
– Compatible with GSI standards
– Trust federation between CAs
Authorization (current issues to be solved)
– VO management for inter-organizational collaboration
– Interoperable with other Grid projects
Accounting (future issues)
– ID federation for authorization & traceability
– With privacy protection!
Virtual Organization and Security Domain
Definition of VO on GGF: "A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains."
– CAS (Community Authorization Service)
– VOMS (Virtual Organization Membership Service)
[Figure: Organization A (user 1, user 2, user 3; service_a, service_b, service_c) and Organization B (user p, user q, user r; service_x, service_y, service_z), each its own PKI domain. Through Contract A and Contract B, user 1 (VO Manager), user p, service_a, service_c, service_x and service_y are exposed in the VO domain.]
Services and users are exposed in a Virtual Organization.
VOMS-type VO Management developed in EGEE
[Figure: credential and job flow]
– User obtains a User Cert from the CA/RA; the CA/RA publishes the CRL
– User contacts VOMS and obtains a Proxy Cert + VO attributes (DN, VO, Group, Role, Capability)
– Grid Job Submission with the proxy to GRAM at the EGEE Grid site
– The site builds its Gridmap file with MK-gridmapfile (DN > pseudo accounts) and enforces GACL / LCAS
VOMS-type VO Management adopted in NAREGI
[Figure: same flow as the EGEE case]
– User obtains a User Cert from the CA/RA; the CA/RA publishes the CRL
– User contacts VOMS and obtains a Proxy Cert + VO attributes (DN, VO info)
– Grid Job Submission is managed by the Super Scheduler
– Account Mapping at the NAREGI Grid site uses a Gridmap file and a Policy file, in front of GRAM / Grid VM, with the Information Service
Certificate handling is too hard for users.
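The account-mapping step in the two figures above (DN to pseudo account through the gridmap file, then VOMS attributes matched against a site policy file), as an added example in Python. It is not NAREGI, EGEE or LCMAPS code: the grid-mapfile line shape follows Globus and the FQAN shape follows VOMS, but the policy-file format, the leading-dot pool convention, the matching rules and every DN, FQAN and account name are constructed for the example.

```python
"""Grid-site account mapping: (DN, VOMS FQANs) in, local pseudo account out.
Added example; not NAREGI, EGEE or LCMAPS code. Assumed/constructed formats:
  grid-mapfile line : "<DN>" account[,account...]          (Globus shape)
  VOMS FQAN         : /vo/group[/subgroup...][/Role=r][/Capability=c]
  policy-file line  : "<FQAN>" account   (leading '.' = pool-account prefix)
A policy FQAN with a Role matches only that role; one without a Role matches
any FQAN in exactly that group. First matching line wins."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FQAN_RE = re.compile(r"^((?:/[^/=]+)+)(?:/Role=([^/]+))?(?:/Capability=([^/]+))?$")
MAP_LINE_RE = re.compile(r'^"([^"]+)"\s+(\S+)$')


@dataclass(frozen=True)
class Fqan:
    vo: str
    group: str                 # full group path, e.g. "/naregi/nano"
    role: Optional[str]        # None when absent or "NULL"
    capability: Optional[str]


def parse_fqan(text: str) -> Fqan:
    """Split a VOMS FQAN into VO, group path, role and capability."""
    m = FQAN_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")
    group, role, cap = m.groups()

    def norm(v: Optional[str]) -> Optional[str]:
        return None if v in (None, "NULL") else v

    return Fqan(group.split("/")[1], group, norm(role), norm(cap))


def parse_map_lines(text: str) -> List[Tuple[str, str]]:
    """Parse '"<key>" value' lines; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAP_LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed mapping line: {line!r}")
        key, value = m.groups()
        entries.append((key, value.split(",")[0]))  # first account is the default
    return entries


class AccountMapper:
    def __init__(self, gridmap_text: str, policy_text: str) -> None:
        self.static: Dict[str, str] = dict(parse_map_lines(gridmap_text))
        self.policy = [(parse_fqan(f), a) for f, a in parse_map_lines(policy_text)]
        self.leases: Dict[Tuple[str, str], str] = {}  # (DN, pool) -> leased account
        self.counters: Dict[str, int] = {}

    def map_user(self, dn: str, fqans: List[str]) -> Optional[str]:
        """Local account for this DN and its FQANs, or None to refuse the job."""
        if dn in self.static:                          # explicit DN entry wins
            return self.static[dn]
        for fqan in map(parse_fqan, fqans):            # primary FQAN comes first
            for pf, account in self.policy:
                if pf.group == fqan.group and pf.role in (None, fqan.role):
                    return self._assign(dn, account)
        return None                                    # unmapped: fail closed

    def _assign(self, dn: str, account: str) -> str:
        if not account.startswith("."):
            return account                             # shared static account
        pool = account[1:]
        if (dn, pool) not in self.leases:              # lease one pool account per DN
            n = self.counters.get(pool, 0) + 1
            self.counters[pool] = n
            self.leases[(dn, pool)] = f"{pool}{n:03d}"
        return self.leases[(dn, pool)]


# Constructed sample inputs (not real NAREGI configuration).
GRIDMAP = '"/C=JP/O=NAREGI/OU=NII/CN=Alice" alice\n'
POLICY = """# role-specific line before the generic one: first match wins
"/naregi/nano/Role=admin" nanoadm
"/naregi/nano" .nano
"""


def demo() -> Dict[str, Optional[str]]:
    mapper = AccountMapper(GRIDMAP, POLICY)
    alice, bob = "/C=JP/O=NAREGI/OU=NII/CN=Alice", "/C=JP/O=NAREGI/OU=KEK/CN=Bob"
    carol, dave = "/C=JP/O=NAREGI/OU=IMS/CN=Carol", "/C=JP/O=NAREGI/OU=NII/CN=Dave"
    member = ["/naregi/nano/Role=NULL/Capability=NULL"]
    return {
        "alice": mapper.map_user(alice, member),                      # gridmap hit
        "bob": mapper.map_user(bob, ["/naregi/nano/Role=admin"] + member),
        "carol": mapper.map_user(carol, member),                      # pool lease
        "carol_again": mapper.map_user(carol, member),                # same lease
        "dave": mapper.map_user(dave, ["/egee/cms/Role=NULL/Capability=NULL"]),
    }


if __name__ == "__main__":
    for who, account in demo().items():
        print(f"{who:12s} -> {account}")
```

Two properties matter for a site: a DN that matches nothing is refused rather than mapped to a default account, and a pool lease is stable per DN so accounting records (the UR/RUS step in the use case above) can be traced back to one person.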
Job Submission mechanism in NAREGI Middleware (beta version)
[Figure: credential flow from the client environment to the Grid jobs]
– Client Environment holds the User Certificate and Private Key
– User logs in to the Portal Services (WFT, PSE, GVS); the User Management Server (UMS) integrates VOMS and MyProxy and issues the VOMS Proxy Certificate
– Integrated and easy handling of VOMS and MyProxy for users
– The Workflow (WF) Credential is a user proxy cert passed through to the Super Scheduler (SS) with the delegation protocol, via the SS client and the WF Credential Repository
– The SS receives the WF and deploys Grid jobs on GridVM, delegating the VOMS Proxy Certificate to them
VO and User Management Service
Adoption of VOMS for VO management
– Using proxy certificates with VO attributes for interoperability with EGEE
– GridVM is used instead of LCAS/LCMAPS
Integration of the MyProxy and VOMS servers
– with the UMS (User Management Server), to realize a one-stop service at the NAREGI Grid Portal
– using the gLite implementation at the UMS to connect to the VOMS server
Workflow Credential Repository
– A user proxy cert is used as the Workflow Credential to realize safe delegation between the NAREGI Grid Portal and the Super Scheduler, in the same way as MyProxy.
– The Super Scheduler receives the Workflow (BPEL) and reserves resources to deploy Grid jobs through the GSI interface.
Current Issues and the Future Plan
Current issues on VO management
– VOMS platform: gLite runs on GT2, while the NAREGI middleware runs on GT4
– GridVM: interoperability of authorization policy with other Grid projects is still to be realized
– Proxy certificate renewal: a new mechanism needs to be invented
Future plan
– Cooperation with GGF security area members to realize interoperability with each other
– A new proposal of VO management methodology and a trial reference implementation
AuthN&AuthZ Services in the future
[Figure: planned components and flows]
– User obtains a User Cert from the CA/RA; certificate status is checked through the CRL and OCSP/XKMS
– User logs in at the Web Server; the Proxy Cert of the User is held in MyProxy
– Authentication & Authorization Service: Policy Enforcement Point, Policy Decision Point and Policy Information Point, exchanging SAML+XACML, with VO Management and LDAP as attribute sources
– Grid Job Submission goes to the Super Scheduler and on to GRAM (Grid VM)
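The PEP / PDP / PIP split in the figure above, as an added Python example that is not NAREGI code and does not speak real SAML or XACML: the three roles are modelled in memory, the PIP answers revocation status from a constructed serial list (standing in for CRL/OCSP) and organisation from a constructed directory (standing in for LDAP), the rules use deny-overrides, and every DN, serial, rule and attribute name is an assumption made for the example.

```python
"""PEP / PDP / PIP authorization in the style of the slide above. Added
example, not NAREGI code; an in-memory stand-in for the SAML+XACML exchange.
The PIP answers "cert-revoked" from a constructed CRL (standing in for
CRL/OCSP) and "organisation" from a constructed directory (standing in for
LDAP). Combining algorithm: deny-overrides. The PEP fails closed on anything
but an explicit Permit. All DNs, serials and rules are constructed."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Set

Attrs = Dict[str, Any]


class Pip:
    """Policy Information Point: resolves attributes the PEP did not supply."""
    def __init__(self, revoked_serials: Set[int], directory: Dict[str, str]) -> None:
        self.revoked = revoked_serials
        self.directory = directory
        self.queries: List[str] = []            # audit trail of lookups

    def resolve(self, name: str, attrs: Attrs) -> Any:
        self.queries.append(name)
        if name == "cert-revoked":              # CRL/OCSP lookup by certificate serial
            return attrs["cert-serial"] in self.revoked
        if name == "organisation":              # LDAP lookup by subject DN
            return self.directory.get(attrs["subject-dn"])
        raise KeyError(f"PIP cannot resolve attribute {name!r}")


@dataclass(frozen=True)
class Rule:
    effect: str                                 # "Permit" or "Deny"
    target: Dict[str, Any]                      # attribute -> required value or predicate

    def applies(self, get: Callable[[str], Any]) -> bool:
        for name, want in self.target.items():  # evaluated in order, so list the
            have = get(name)                    # PEP-supplied attributes before PIP ones
            if not (want(have) if callable(want) else have == want):
                return False
        return True


class Pdp:
    """Policy Decision Point: evaluates every rule, pulling missing attributes from the PIP."""
    def __init__(self, rules: List[Rule], pip: Pip) -> None:
        self.rules, self.pip = rules, pip

    def evaluate(self, request: Attrs) -> str:
        attrs = dict(request)

        def get(name: str) -> Any:
            if name not in attrs:
                attrs[name] = self.pip.resolve(name, attrs)
            return attrs[name]

        effects = {r.effect for r in self.rules if r.applies(get)}
        if "Deny" in effects:                   # deny-overrides
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class Pep:
    """Policy Enforcement Point in front of the Super Scheduler's job interface."""
    def __init__(self, pdp: Pdp) -> None:
        self.pdp = pdp

    def decide(self, dn: str, serial: int, vo: str, group: str,
               role: Optional[str], action: str) -> str:
        request = {"subject-dn": dn, "cert-serial": serial, "vo": vo, "group": group,
                   "role": role, "resource": "super-scheduler", "action": action}
        return self.pdp.evaluate(request)

    def authorize(self, *args: Any) -> bool:
        return self.decide(*args) == "Permit"   # NotApplicable is refused, not allowed


RULES = [
    Rule("Deny", {"cert-revoked": True}),       # revoked certificate: refuse everything
    Rule("Permit", {"resource": "super-scheduler", "action": "submit",
                    "vo": "naregi", "group": "/naregi/nano", "role": "admin"}),
    Rule("Permit", {"resource": "super-scheduler", "action": "query", "vo": "naregi",
                    "organisation": lambda org: org in ("NII", "IMS", "KEK")}),
]

BOB, CAROL, EVE = ("/C=JP/O=NAREGI/OU=KEK/CN=Bob", "/C=JP/O=NAREGI/OU=IMS/CN=Carol",
                   "/C=JP/O=Other/CN=Eve")


def build_pep() -> Pep:
    pip = Pip(revoked_serials={4242}, directory={BOB: "KEK", CAROL: "IMS", EVE: "XYZ"})
    return Pep(Pdp(RULES, pip))


def demo() -> Dict[str, str]:
    pep = build_pep()
    return {
        "admin_submit": pep.decide(BOB, 7, "naregi", "/naregi/nano", "admin", "submit"),
        "admin_submit_revoked": pep.decide(BOB, 4242, "naregi", "/naregi/nano", "admin", "submit"),
        "member_submit": pep.decide(CAROL, 8, "naregi", "/naregi/nano", None, "submit"),
        "member_query": pep.decide(CAROL, 8, "naregi", "/naregi/nano", None, "query"),
        "outsider_query": pep.decide(EVE, 9, "naregi", "/naregi/nano", None, "query"),
    }
```

The point of the split is visible in the revoked case: the Permit rule still matches the admin's VO attributes, but the Deny rule fed by the PIP's revocation lookup overrides it, so revocation checking lives in one place instead of in every site's gridmap logic.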
Summary
NAREGI first developed a reliable authentication system, which will be deployed in the UPKI project.
VO management was the second target, and VOMS has been adopted for interoperability with EGEE.
NAREGI commits to OGSA and will contribute to the standardization of VO management in the Grid community.
ID management is still an open issue. GridShib or Liberty Alliance may be considered.