Grid security in NAREGI project July 19, 2006 National Institute of Informatics, Japan Shinichi Mineo APAN Grid-Middleware Workshop 2006.

Presentation transcript:


CyberScience Infrastructure for Advanced Science (by NII): To Innovate Academia and Industry
– Publication of scientific results from academia
– Human Resource Development and strong organization
– NAREGI Middleware
– Virtual Organization for science
– UPKI
– Scientific Repository
– Industry Liaison and Social Benefit
– Global Contribution
[Figure: map of the CyberScience Infrastructure. Super-SINET: a next generation network infrastructure supported by NII and 7 National Computer Centers (Hokkaido University, Tohoku University, University of Tokyo, Nagoya University, Kyoto University, Osaka University, Kyushu University; also Tokyo Institute of Technology, Waseda University, High Energy Accelerator Research Organization, etc.)]

Super SINET provides 10 Gbps Backbone

Grid for enabling Collaborative Computing
[Figure: researchers at University A, Domestic Lab C and Overseas Lab B, connected over Super SINET to experimental devices, super computers and data base servers: experiments using special devices, analysis using super computers, search in data bases.]
– To realize a heterogeneous large scale computational environment
– To share large and expensive devices and data bases
– A Virtual Organization
Security is a key issue to be solved!

NAREGI Software Stack (Beta ver. 2006)
[Figure: layered stack, top to bottom]
– Grid-Enabled Nano-Applications (WP6)
– Grid PSE (WP3), Grid Workflow (WP3), GridVis (WP3)
– Grid Programming: Grid RPC, Grid MPI (WP2)
– Super Scheduler (WP1), Distributed Information Service (WP1), Grid VM (WP1), Packaging
– Data Grid (WP4)
– High Performance & Secure Grid Networking (WP5)
– Core: Globus 4 / NAREGI WSRF + Services
– SuperSINET
– Computing Centers & VOs: NII, IMS, KEK, Univ. Centers

A Use Case: Job Submission with Reservation based Co-Allocation
[Figure: Client (WFT, PSE, GVS, GridRPC) → Workflow (Abstract JSDL) → Super Scheduler (Reservation based Co-Allocation; Resource Query against the Information Service / DAI) → Concrete JSDL → Computing Resources running GridVM (Reservation, Submission, Query, Control…; Resource Info.; Accounting via CIM UR/RUS); GridMPI spans the co-allocated resources.]

Security Requirements in AAA
[Figure: timeline: Developed (NAREGI-CA, to be deployed in UPKI) → Current Issues to be solved → Future issues]
Authentication
– PKI based user authentication
– Compatible with GSI standards
– Trust federation between CAs
Authorization
– VO management for inter-organizational collaboration
– Interoperable with other Grid projects
Accounting
– ID federation for authorization & traceability
– With privacy protection!

Virtual Organization and Security Domain
Definition of VO on GGF: A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains.
– CAS (Community Authorization Service)
– VOMS (Virtual Organization Membership Service)
Services and users are exposed in a Virtual Organization.
[Figure: Organization A (user 1, user 2, user 3; service_a, service_b, service_c) and Organization B (user p, user q, user r; service_x, service_y, service_z) are each a PKI domain. User 1 (VO Manager) with service_a and service_c under Contract A, and user p with service_x and service_y under Contract B, form the VO domain.]

VOMS-type VO Management developed in EGEE
[Figure: the User obtains a User Cert from the CA/RA (which publishes the CRL); VOMS issues a Proxy Cert + VO attributes as an X.509 AC carrying DN, VO, group, role and capability; Grid Job Submission goes to GRAM at the EGEE Grid site; MK-gridmapfile builds the Gridmap file (DN > pseudo accounts); GACL / LCAS act as the Policy Decision Point.]

VOMS-type VO Management adopted in NAREGI
[Figure: the User obtains a User Cert from the CA/RA (CRL); VOMS issues a Proxy Cert + VO (DN, VO info); Grid Job Submission is managed by the Super Scheduler; at the NAREGI Grid site, Grid VM performs Account Mapping from the Gridmap file and Policy file (Policy Decision & Enforcement Point), with the Information Service as Policy Information Point, in front of GRAM.]
Certificate handling is too hard for users.
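The account-mapping step of the two slides above, as an added Python example (not NAREGI, gLite or Globus code): it parses a gridmap file and VOMS attributes in FQAN form (/vo/group/Role=role/Capability=cap) and makes the policy decision at the site. The DNs, account names, gridmap contents and policy patterns are constructed for illustration; NAREGI's real policy file format is not shown on the page.

```python
import re
from collections import namedtuple
# Constructed gridmap file ('"DN" account' per line): the site's mapping from a
# certificate DN to a local pseudo account, as on the EGEE/NAREGI slides.
GRIDMAP = '''
# comment lines are ignored
"/C=JP/O=NAREGI/OU=NII/CN=user1" naregi001
"/C=JP/O=NAREGI/OU=KEK/CN=user2" naregi002
'''
# Constructed VO policy (not NAREGI's format): which VOMS attributes a site
# accepts and the pool account each maps to. A VOMS FQAN looks like
# /<vo>/<group>.../Role=<role>/Capability=<cap>, carrying the VO, group,
# role and capability from the X.509 attribute certificate.
VO_POLICY = [
    (r"^/naregi/wp1/Role=developer/Capability=NULL$", "naregidev"),
    (r"^/naregi(/[^/=]+)*/Role=NULL/Capability=NULL$", "naregi"),
]
FQAN = namedtuple("FQAN", "vo groups role capability")
_FQAN_RE = re.compile(r"^/([^/=]+)((?:/[^/=]+)*)/Role=([^/]+)/Capability=([^/]+)$")

def parse_fqan(fqan):
    """Split a VOMS FQAN into VO, group path, role and capability; None if malformed."""
    m = _FQAN_RE.match(fqan)
    if not m:
        return None
    vo, groups, role, cap = m.groups()
    return FQAN(vo, [g for g in groups.split("/") if g], role, cap)

def parse_gridmap(text):
    """Parse gridmap lines into {DN: account}; blank and comment lines do not match."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"\s+(\S+)$', line.strip())
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping

def map_account(dn, fqans, gridmap, policy):
    """Policy decision point: an explicit DN entry wins; otherwise the first
    well-formed FQAN matching the VO policy selects a pool account; else deny."""
    if dn in gridmap:
        return gridmap[dn]
    for fqan in fqans:
        if parse_fqan(fqan) is None:
            continue  # malformed attribute: never let it match a policy pattern
        for pattern, account in policy:
            if re.match(pattern, fqan):
                return account
    return None
```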

Job Submission mechanism in NAREGI Middleware β version
[Figure: Client Environment (User Certificate, Private Key) → Portal Services (WFT, PSE, GVS) → User Management Server (UMS) with VOMS and MyProxy → SS client → The Super Scheduler (SS) → GridVM; a VOMS Proxy Certificate is held at each stage, and the WF Credential Repository sits between the Portal and the SS.]
– Users log in to the Portal; the UMS gives integrated and easy handling of VOMS and MyProxy.
– The Workflow (WF) Credential is a user proxy cert passed through to the SS with the delegation protocol.
– The SS receives the WF and deploys Grid jobs, again by delegation.

NAREGI’s Solution for VO and Job Management
Adoption of VOMS for VO management
– Using proxy certificates with VO attributes for interoperability with EGEE
– GridVM is used instead of LCAS/LCMAPS
Integration of MyProxy and VOMS servers
– with UMS (User Management Server) to realize a one-stop service at the NAREGI Grid Portal
– using gLite implemented at UMS to connect to the VOMS server
Development of Workflow Credential Repository
– User proxy certificates are used as Workflow Credentials to realize GSI delegation between the NAREGI Grid Portal and the Super Scheduler, in the same way as MyProxy.
– The Super Scheduler converts the security protocols of the job signature to GSI delegation.

Open Issues on VO Management
Current issues on VO management
– VOMS platform: gLite is running on GT2, while NAREGI middleware runs on GT4
– GridVM: interoperability of authorization policy with other Grid projects is to be realized
– Proxy certificate renewal: need to invent a new mechanism
Future plan
– Cooperation with GGF security area members to realize interoperability with each other
– A proposal of a new VO management methodology and trial of a reference implementation
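The delegation chain of the job submission and solution slides (user certificate → VOMS proxy → WF credential → job proxy) and the proxy renewal issue listed above, as an added Python example that is not NAREGI code: it checks that each hop is issued by the previous one, is valid now and does not outlive its issuer, then reports when a workflow's expected runtime exceeds the chain's remaining lifetime, which is exactly the case a renewal mechanism would have to cover. The subject naming (issuer DN + "/CN=<serial>"), all DNs, serials and lifetimes are assumptions, and signature verification is assumed to happen elsewhere.

```python
from collections import namedtuple
from datetime import datetime, timedelta
# subject/issuer are DNs; not_before/not_after are datetimes; is_proxy marks delegated hops
Cred = namedtuple("Cred", "subject issuer not_before not_after is_proxy")

def validate_chain(chain, now):
    """Check a chain ordered user cert -> VOMS proxy -> WF credential -> job proxy.
    Signatures are assumed verified elsewhere; this checks ordering, naming
    (assumed: proxy subject = issuer subject + '/CN=<serial>') and validity."""
    if not chain or chain[0].is_proxy:
        return False, "chain must start with the user certificate"
    for i, c in enumerate(chain):
        if not (c.not_before <= now < c.not_after):
            return False, f"hop {i} ({c.subject}) is not valid now"
        if i == 0:
            continue
        parent = chain[i - 1]
        if c.issuer != parent.subject:
            return False, f"hop {i} was not issued by hop {i - 1}"
        if not c.subject.startswith(parent.subject + "/CN="):
            return False, f"hop {i} subject is not derived from its issuer"
        # Policy in this example: a delegated proxy must not outlive its
        # issuer, because path validation fails once the issuer expires.
        if c.not_after > parent.not_after:
            return False, f"hop {i} outlives its issuer"
    return True, "ok"

def remaining_hours(chain, now):
    """A delegated chain is only as good as its earliest expiry."""
    return (min(c.not_after for c in chain) - now).total_seconds() / 3600

def needs_renewal(chain, now, expected_hours):
    """True when the workflow cannot finish on this credential, i.e. when the
    proxy renewal mechanism the slide lists as an open issue would be needed."""
    ok, _ = validate_chain(chain, now)
    return (not ok) or remaining_hours(chain, now) < expected_hours

EXAMPLE_NOW = datetime(2006, 7, 19, 9, 0)  # constructed reference time
def sample_chain(now=EXAMPLE_NOW):
    """Constructed chain; every DN, serial and lifetime is made up."""
    user = "/C=JP/O=NAREGI/OU=NII/CN=user1"
    p1, p2 = user + "/CN=1001", user + "/CN=1001/CN=2002"
    h = timedelta(hours=1)
    return [
        Cred(user, "/C=JP/O=NAREGI/CN=NAREGI-CA", now - 30 * 24 * h, now + 300 * 24 * h, False),
        Cred(p1, user, now - h, now + 12 * h, True),         # VOMS proxy held at UMS/MyProxy
        Cred(p2, p1, now - h, now + 11 * h, True),           # WF credential delegated to the SS
        Cred(p2 + "/CN=3003", p2, now, now + 11 * h, True),  # job proxy delegated to GridVM
    ]
```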

AuthN&AuthZ Services in the future
[Figure: the User obtains a User Cert from the CA/RA (CRL, OCSP/XKMS, LDAP); logs in to the Web Server, which holds the Proxy Cert of User via MyProxy; VO Management feeds an Authentication & Authorization Service (SAML+XACML) acting as Policy Decision Point, backed by a Policy Information Point; Grid Job Submission goes through the Super Scheduler to GRAM (Grid VM), the Policy Enforcement Point.]

Summary
– NAREGI at first developed a reliable authentication system, which will be deployed in the UPKI project.
– VO management was the second target, and VOMS has been adopted for interoperability with EGEE.
– NAREGI commits to OGSA and will contribute to the standardization of VO management in the Grid community.
– ID management remains an open issue. GridShib or Liberty Alliance may be considered.