1 Secure Distributed Objects for Grid Applications Laurent Baduel, Arnaud Contes, Denis Caromel OASIS team ProActive

2 2 Outline  Context ProActive overview Abstract Deployment model  Security Model Security Entities Security Policies Example  Conclusion

3 3 The ProActive Middleware A Java API + Tools for Parallel & Distributed Computing  A uniform framework : Active Object (AO) pattern one thread, owns passive objects, remotely accessible  Programming model : groups, mobility, components, security  A formal model Determinism, Insensitivity to deployment

4 4 Deployment Model  Virtual Nodes : Identified as a string name, used in program source, configured (mapped) in an XML descriptor file  2 distinct steps : Development Source Code Deployment XML Descriptor Active Objets  VN VN  Runtimes (JVMs)  Hosts

5 5 A ProActive Application Virtual Node 1 Virtual Node 2 Virtual Node 3 Active objectPassive object

6 6 Multiple Deployment Issues One Host ClusterGrid Different Deployments  Different Security Policies

7 7 Issues & Goals  Authentication of Computers, Users, and Applications  Creation, connection to, and monitoring of activities  Authentication, Integrity and Confidentiality (AIC) of communications  Several levels of security policies: users, resource providers, administrators Main objective : Facilitate the use and the management of security features by removing them from the source code

8 8 Outline  Context ProActive overview Abstract Deployment model  Security Model Security Entities Security Policies Example  Conclusion

9 9 Security Entity Model  Generic definition, composed of a security manager and a protected object  Subject of security policies  Transparent for the protected object (meta object protocol)  No supposition on the protected object (runtimes, nodes, active objects, …)  Hierarchical structure

10 Security Manager: Entity ID Security Policies Session Manager Negotiation protocol Security Manager: Entity ID Security Policies Session Manager Normal communications Secured communications Security Entities Protected Object

11 Application Authentication User certificate Application certificate Certificate chain certificates for active objects, nodes SPKI : Certificate chain No Certificate Authority

12 Hierarchical Security Policies DnDn Accept Deny Runtime Accept Deny D0D0 VN Accept Deny AO Accept Deny Final Security policy Administrator policy Application-level policy Security policy is defined according all matching rules from: Domains / Runtime Virtual Node Active Object Resource provider policy

13 Security Rule  Interactions: JVMCreation NodeCreation CodeLoading ObjectCreation ObjectMigration Request Reply Listing  Entities: Domain User Virtual Node Object Entities -> Entities : Interactions # Security Attributes  Attributes: Authentication Integrity Confidentiality  Each attribute can be: Allowed Optional Disallowed

14 Descriptor Security Model  A key principle: Specify security policies in the XML deployment, NOT IN SOURCE CODE !  In program source: Virtual Node (VN, a string name)  In XML descriptors: List of policy rules between virtual nodes, runtimes, domains, …

15 Security Example  2 domains GridA & GridB with security policies Domain [GridA] -> Domain [GridB] : Q,P,M # [+A,+I,+C] Domain [GridB] -> Domain [GridA] : Q,P,M # [+A,+I,+C]  Application : 2 Virtual Nodes (vn1,vn2) 2 Active objects

16 Descriptor with Security VirtualNodes: vn1, vn2 SECURITY: VN [vn1] -> VN [vn2] : Q,P # [?A,?I,?C] VN [vn1] -> VN [vn2] : M # Forbidden VN [vn2] -> VN [vn1] : Q,P # [?A,?I,?C] VN [vn2] -> VN [vn1] : M # Forbidden Domain [GridA] -> Domain [GridB] : Q,P,M # [+A,+I,+C] Domain [GridB] -> Domain [GridA] : Q,P,M # [+A,+I,+C] Mapping: vn1 --> GridAComputers, GridBComputers vn2 --> GridAComputers JVMs: /…/

17 Example: std. code, no security /…/ proActiveDescriptor.activateMappings(); vn1 = proActiveDescriptor.getVirtualNode("vn1"); vn2 = proActiveDescriptor.getVirtualNode("vn2"); /…/ Flower rose = (Flower) ProActive.newActive(Flower.class,new Object[]{« Rose »}, vn1.getNode()}; Flower daliah = (Flower) ProActive.newActive(Flower.class,new Object[]{« Daliah »}, vn2.getNode()}; /* next VN1 node inside the same domain */ rose.migrateTo(vn1); /* communication inside the same domain */ rose.sayHelloTo(daliah); /* next VN1 Node, other domain */ rose.migrateTo(vn1); /* communication with another domain */ rose.sayHelloTo(daliah); /* other virtual node, forbidden */ rose.migrateTo(vn2);

18 Example Domain GridADomain GridB VN1 VN2 Policy rules database Runtime

19 Example Domain GridADomain GridB VN1 VN2 Policy rules database Runtime

20 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Runtime

21 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Runtime Can I migrate to the next VN1 node ?

22 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Runtime 1 - Retrieve VN policy 2 - migration allowed Rose

23 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Runtime

24 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Runtime Negotiated Policy: Rose -> Daliah : [?A,?I,?C] Perform a method call Rose -> Daliah : [?A,?I,?C] Receive a method call : Daliah -> Rose : [?A,?I,?C]

25 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Runtime

26 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - other domain Runtime Can I migrate to the next VN1 node on GridB domain?

27 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Migration : - same VN - other domain Rose Runtime 1- VN1 policy -> none 2- GridA -> GridB : [+A,+I,+C] 3- migration with [+A,+I,+C]

28 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - other domain Runtime

29 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Method call : - other VN - other domain From Rose --> Daliah Rose Runtime Negotiated Policy: Rose -> Daliah : [+A,+I,+C] Perform a method call Rose -> Daliah : [+A,+I,+C] Receive a method call : Daliah -> Rose : [+A,+I,+C]

30 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Migration : - other VN From Rose --> Daliah Rose Runtime Migration to VN2 ? VN1 -> VN2 : [-M] NO !

31 Conclusion  Transparent to application  Take care of a hierarchy of security policies  Security can be adapted to application deployment

32 Thank you for your time Questions ?

33 Security Context Propagation  Grid Applications are dynamic Acquire resources Create new entities on allocated resources  Automatic security context propagation to maintain application security context

34 Hierarchical Domains  A logical way to group entities that have the same security needs.  Domains are Security Entities : are hierarchical enforce policies to contained security entities