How Grid Security works in GEO Sciences. N. Yamamoto, Y. Tanaka, I. Kojima, S. Sekiguchi, AIST, Oct. 28, 2009.

Presentation transcript:

How Grid Security works in GEO Sciences N. Yamamoto, Y. Tanaka, I. Kojima, S. Sekiguchi AIST Oct. 28, 2009 GEO Workshop / PRAGMA17 Hanoi

What is Grid Security?
- Who am I? / Who are they? Grid Security Infrastructure (GSI)
- What can I do? / What can they do? Virtual Organization Membership Service (VOMS)

GEO Grid VO Design: Identity

Requirements
- Credential Management: users without security training often manage the private keys of their PKI / GSI credentials without careful planning.
- Authentication methods: must accommodate existing, established authentication methods: OpenID, Shibboleth, username and password, user credential, etc.
- Portal Development: must accommodate existing application portals written in PHP, Perl, Python, Java Servlet, etc.

Our solution: Tsukuba-GAMA
Tsukuba-GAMA authentication flow for PKI / GSI (diagram labels): User; username and password, OpenID, user credential; VO Portal (PHP, Perl, Python, etc.); VOMS (VO Management, VO attribute); Credential Repository (MyProxy Repository, Credential Management); Online CA (MyProxy CA); End Entity Certificate; Proxy Certificate; VOMS Proxy Certificate.
- Language-free portal development: must accommodate existing application portals written in PHP, Perl, Python, Java Servlet, etc. Tsukuba-GAMA provides Apache, Servlet, and GridSphere authentication modules in order to support any language.
- Credential management: users without security training often manage their PKI / GSI private keys without careful planning. Tsukuba-GAMA manages user credentials on the server side instead of leaving it to inexperienced users.
- Independence from authentication methods: must accommodate existing, established authentication methods (OpenID, Shibboleth, username and password, user credential, etc.). Tsukuba-GAMA generates Grid credentials from any of them.

Architecture (diagram labels): User Management System with authentication types (a) GAMA style (username and password), (b) Credential (Globus user certificate), (c) External Authentication (OpenID, Shibboleth) via an external authentication service; On-line CA (MyProxy CA); VO Management Server (VOMS); Web Portal; User DB; Credential Repository; output is a VOMS-enabled Proxy Certificate.

DEMO 1: TSUKUBA-GAMA LOGIN PRAGMA VO PORTAL (GRIDSPHERE)

Demo environment - login (diagram: Credential Repository, PRAGMA VOMS, PRAGMA VO portal, USER):
1. The user inputs the username and password of the user certificate.
2. The portal generates a Globus proxy certificate.
3. The VOMS attribute is added (VOMS proxy certificate).
4. The proxy certificate is registered in the credential repository.

Identity / Attribute

DEMO 2: TSUKUBA-GAMA LOGIN TESTVO PORTAL (GRIDSPHERE)

Same Identity, Different Attribute

GEO Grid VO Design: PRAGMA VO, TEST VO (I'm here)

GSI w/ VOMS (diagram labels): PRAGMA VO Portal (GridSphere, Perl, PHP, Java etc.); TEST VO Portal; Credential Repository (MyProxy Repository); Online CA (MyProxy CA), which signs certificates; PRAGMA-VO (VOMS) and GHZ-VO (VOMS), which handle VO member management; the portals share accounts.

Configuration of the new system (example with 3 VOs), diagram labels: BIG User Portal (GridSphere, Perl, PHP, Java etc.); GHZ User Portal; ECO User Portal; Certificate store (MyProxy Repository); Online CA (MyProxy CA); User management portal (GridSphere3); BIG-VO (VOMS); GHZ-VO (VOMS); ECO-VO (VOMS). Account management: rekey (once a year), password change is possible, certificate issuance, VO member management. Web application development in any language becomes possible; connections from multiple portals are possible; the CA and the certificate store are separated; no account import is needed.

EXAMPLE SCENARIO: SATELLITE DATABASE FEDERATION

OGSA-DAI demo environment: /PRAGMA/Geo, /TESTVO, /GHZ, NONE (FREE)

DEMO 3: SIMS SATELLITE DATABASE FEDERATION

SIMS satellite database federation (diagram labels): Database Server (Sybase) holding FORMOSAT-2; Application Server with OGSA-DAI and Globus, SQL w/ JDBC; Database Server (PostgreSQL) holding ASTER and MODIS, OGSA-DAI, SQL w/ JDBC; OGSA-DAI / Globus at AIST; OGSA-DAI Client; Integration Framework with OGSA-DAI (Java program, SQL); SIMS portlet: queries data and creates a web page which shows thumbnail images; VOMS; SIMS.

SIMS – Search Results: MODIS, FORMOSAT-2, ASTER

DEMO 4: LANGUAGE FREE PORTAL DEVELOPMENT

DEMO 4-1: PORTAL DEVELOPMENT (OPENLAYERS)

OGCProxy (diagram labels): URL=, User Contents, ACL: /testvo.geogrid.org/aster, GridSite, VOMS Proxy, VO Name / Group. OGCProxy is a broker portlet that forwards users' requests to backend OGC services, providing a free development environment for client applications.
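The slide protects user contents with an ACL keyed on the VO group carried in the VOMS proxy (/testvo.geogrid.org/aster). The following added example, which is not code from the slides or from the Tsukuba-GAMA / GEO Grid project, shows how such a check works: it parses VOMS fully qualified attribute names (FQANs) and evaluates them against a GridSite-style GACL document. The ACL, the FQANs and the group/role matching semantics (membership by group prefix, any deny overriding allow) are constructed assumptions for illustration, not the project's configuration.

```python
"""VOMS FQAN authorization against a GridSite-style GACL (added example).

Assumptions (constructed for illustration, not taken from the project):
- a VOMS proxy carries FQANs like /testvo.geogrid.org/aster/Role=NULL/Capability=NULL
- an ACL entry naming a group matches every FQAN in that group or a subgroup
- an ACL entry naming Role=X only matches FQANs holding that role
- any matching <deny> overrides any matching <allow>
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Fqan:
    group: str                 # e.g. "/testvo.geogrid.org/aster"
    role: str = "NULL"
    capability: str = "NULL"


def parse_fqan(text: str) -> Fqan:
    """Split a VOMS FQAN into its group, Role and Capability parts."""
    parts = text.split("/")
    if len(parts) < 2 or parts[0] != "":
        raise ValueError(f"FQAN must start with '/': {text!r}")
    group_parts, role, cap = [], "NULL", "NULL"
    for p in parts[1:]:
        if p.startswith("Role="):
            role = p[len("Role="):]
        elif p.startswith("Capability="):
            cap = p[len("Capability="):]
        elif p:
            group_parts.append(p)
    if not group_parts:
        raise ValueError(f"FQAN has no VO/group: {text!r}")
    return Fqan("/" + "/".join(group_parts), role, cap)


def fqan_matches(pattern: Fqan, held: Fqan) -> bool:
    """Does an FQAN held by the user satisfy an ACL pattern?"""
    in_group = held.group == pattern.group or held.group.startswith(pattern.group + "/")
    role_ok = pattern.role == "NULL" or pattern.role == held.role
    return in_group and role_ok


# Constructed sample ACL for the /testvo.geogrid.org/aster contents.
SAMPLE_ACL = """<gacl>
  <entry>
    <voms-cred><fqan>/testvo.geogrid.org/aster</fqan></voms-cred>
    <allow><read/></allow>
  </entry>
  <entry>
    <voms-cred><fqan>/testvo.geogrid.org/aster/Role=admin</fqan></voms-cred>
    <allow><read/><write/></allow>
  </entry>
  <entry>
    <voms-cred><fqan>/testvo.geogrid.org/guest</fqan></voms-cred>
    <deny><write/></deny>
  </entry>
</gacl>"""


def permissions(acl_xml: str, held_fqans) -> set:
    """Return the set of permissions the held FQANs grant under the ACL."""
    root = ET.fromstring(acl_xml)
    held = [parse_fqan(f) for f in held_fqans]
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [parse_fqan(e.text.strip()) for e in entry.findall("voms-cred/fqan")]
        if not any(fqan_matches(c, h) for c in creds for h in held):
            continue
        allowed.update(p.tag for p in entry.findall("allow/*"))
        denied.update(p.tag for p in entry.findall("deny/*"))
    return allowed - denied        # a matching deny always wins


def can(acl_xml: str, held_fqans, perm: str) -> bool:
    return perm in permissions(acl_xml, held_fqans)


if __name__ == "__main__":
    # Same identity, different attribute: a PRAGMA VO proxy gets nothing here,
    # a TESTVO aster member reads, an aster admin reads and writes.
    for proxy in (["/PRAGMA/Geo/Role=NULL/Capability=NULL"],
                  ["/testvo.geogrid.org/aster/Role=NULL/Capability=NULL"],
                  ["/testvo.geogrid.org/aster/Role=admin/Capability=NULL"]):
        print(proxy, "->", sorted(permissions(SAMPLE_ACL, proxy)))
```

The last case in `__main__` is the point of the "Same Identity, Different Attribute" slides: the user's DN is identical in every VO, so authorization must key on the VOMS attribute, not on the identity.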

ASTER + Formosat2 / OpenLayers: ASTER / Japan, Formosat2 / Taiwan

DEMO 4-2: PORTAL DEVELOPMENT (PHP, PERL,...)

Web Portal Development: apache_ahtn_myproxy module for PHP, Perl, Python, etc.; Servlet basic authentication module for Java Servlet; GridSphere authentication module.

DEMO 5: INDEPENDENCE FROM AUTHENTICATION METHODS

DEMO 5-1: INDEPENDENCE FROM AUTHENTICATION METHODS: (OPENID)

OpenID login (diagram labels): User; Password for OpenID; OpenID Server; OpenID URL; Web Portal with OpenID authentication module; VO member DB; VOMS server; MyProxy CA; Account DB; Credential Repository; Request short-lived credential; VOMS proxy.

DEMO 5-1: INDEPENDENCE FROM AUTHENTICATION METHODS: (CREDENTIAL)

Credential Login. Tsukuba-GAMA authentication flow for PKI / GSI (diagram labels): User; username and password, OpenID, user credential; VO Portal (PHP, Perl, Python, etc.); VOMS (VO Management, VO attribute); Credential Repository (MyProxy Repository, Credential Management); Online CA (MyProxy CA); End Entity Certificate; VOMS Proxy Certificate.
- Language-free portal development: must accommodate existing application portals written in PHP, Perl, Python, Java Servlet, etc. Provides Apache, Servlet, and GridSphere authentication modules in order to support any language.
- Credential management: users without security training often manage their PKI / GSI private keys without careful planning. Manages user credentials on the server side instead of leaving it to inexperienced users.
- Independence from authentication methods: must accommodate existing, established authentication methods (OpenID, Shibboleth, username and password, user credential, etc.). Generates Grid credentials from any method.

Compare Identity: same identity, same VO, whether via Credential Login or OpenID Login

Conclusions. Tsukuba-GAMA authentication flow for PKI / GSI (diagram labels): User; username and password, OpenID, user credential; VO Portal (PHP, Perl, Python, etc.); VOMS (VO Management, VO attribute); Credential Repository (MyProxy Repository, Credential Management); Online CA (MyProxy CA); End Entity Certificate; VOMS Proxy Certificate.
- Language-free portal development: GridSphere / satellite database federation; geographical portal / OpenLayers; PHP, Perl
- Credential management: the user does not need to manage their credentials
- Independence from authentication methods: username and password; OpenID; Globus credential

THANK YOU. To be released next month!

DEMO 6: ACCOUNT CREATION

Account Creation (diagram labels: Account DB (GAMA), VO (VOMS), VO portal, Account Portal, USER, Account Admin, VO Admin):
1. The user requests an account.
2. The Account Admin approves it.
3. The Account Admin activates the account.
4. The VO Admin registers the user to the VO, importing the user's account information into the VO.
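The account creation slide separates two roles: the Account Admin approves and activates the account in the GAMA account DB, and only then may the VO Admin register that account in a VO, importing its data rather than re-typing it. The following added example (not code from the slides or from Tsukuba-GAMA) models that workflow as a small state machine that rejects steps taken out of order or by the wrong role; the class and role names, the states and the sample DN are constructed for illustration.

```python
"""Two-role account creation workflow (added example, not project code).

Assumptions: account states REQUESTED -> APPROVED -> ACTIVE; only account
admins may approve/activate; only VO admins may register; registration
imports the DN stored in the account DB instead of trusting admin input.
"""
from dataclasses import dataclass
from enum import Enum


class AccountState(Enum):
    REQUESTED = 1
    APPROVED = 2
    ACTIVE = 3


class WorkflowError(Exception):
    """A step attempted out of order or by an actor lacking the role."""


@dataclass
class Account:
    username: str
    dn: str                       # certificate subject the online CA will issue for
    state: AccountState = AccountState.REQUESTED


class AccountDB:
    """GAMA-style account database covering steps 1 to 3 of the slide."""

    def __init__(self, account_admins):
        self.account_admins = set(account_admins)
        self.accounts = {}

    def request_account(self, username, dn):          # step 1, by the user
        if username in self.accounts:
            raise WorkflowError(f"account {username!r} already requested")
        self.accounts[username] = Account(username, dn)
        return self.accounts[username]

    def _transition(self, username, actor, expected, new):
        if actor not in self.account_admins:
            raise WorkflowError(f"{actor!r} is not an account admin")
        acct = self.accounts.get(username)
        if acct is None or acct.state is not expected:
            raise WorkflowError(f"{username!r} is not in state {expected.name}")
        acct.state = new

    def approve(self, username, actor):               # step 2
        self._transition(username, actor, AccountState.REQUESTED, AccountState.APPROVED)

    def activate(self, username, actor):              # step 3
        self._transition(username, actor, AccountState.APPROVED, AccountState.ACTIVE)


class VO:
    """VOMS-style membership list covering step 4 of the slide."""

    def __init__(self, name, vo_admins):
        self.name = name
        self.vo_admins = set(vo_admins)
        self.members = {}         # DN -> username

    def register(self, db: AccountDB, username, actor):
        if actor not in self.vo_admins:
            raise WorkflowError(f"{actor!r} is not a VO admin of {self.name}")
        acct = db.accounts.get(username)
        if acct is None or acct.state is not AccountState.ACTIVE:
            raise WorkflowError("only active accounts can be registered to a VO")
        self.members[acct.dn] = username  # import from the account DB, no re-typing
        return acct.dn


def fails(step) -> bool:
    """True if the zero-argument callable raises WorkflowError (for checks)."""
    try:
        step()
    except WorkflowError:
        return True
    return False


def run_scenario():
    """Happy path from the slide; returns the DN imported into the VO."""
    db = AccountDB(account_admins={"account-admin"})
    vo = VO("PRAGMA", vo_admins={"vo-admin"})
    db.request_account("user01", "/O=GEO Grid Example/CN=user01")  # constructed DN
    db.approve("user01", "account-admin")
    db.activate("user01", "account-admin")
    return vo.register(db, "user01", "vo-admin")


if __name__ == "__main__":
    print("registered DN:", run_scenario())
```

The separation matters because it keeps the person who vouches for an identity (Account Admin) distinct from the person who grants VO rights (VO Admin), and the DN that ends up in VOMS is exactly the one the account DB holds.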