CHEP03, March 25, 2003
Fine-grained Authorization for Job and Resource Management using Akenti and Globus
Mary Thompson (LBL), Kate Keahey (ANL), Sam Lang (ANL), Bo Lui (ANL), Von Welch (ANL), Sam Meder (ANL), Abdelilah Essiari (LBL)

Motivation for Fine-grained Authorization

A Virtual Organization (VO) wants to provide limited services to its members:
– Allow most users to run only a small number of services, but possibly with high resource limits
– Allow developers to run a wider range of programs, such as compilers or debuggers, but with stricter resource limits
– Administrators may want to monitor jobs and kill misbehaving user jobs

Globus GT2 GRAM only does admission control

Users in the grid-mapfile have the equivalent of a login account on the host:
– No limit on the binaries that can be executed.
– No limit on compute time or disk resources.
– All fine-grained authorization is done by the OS on the basis of the local user id assigned to the job.
Users can kill or manage their own jobs, but no other party can.

GRAM (Grid Resource Allocation and Management) modules

Gatekeeper
– Does the admission control based on a static grid-mapfile entry
– Starts the requested service, e.g. the job manager
Job Manager
– Parses the Resource Specification Language (RSL), which specifies the binary to be executed and may specify additional parameters such as CPU time or the number of processors needed.
– Handles requests pertaining to executing jobs: suspend, stop, query

Job Manager authorization

Does no authorization on job startup
– The gatekeeper has already verified that the user has privileges to run on the machine before starting the job manager
Only allows the initiator of the job to issue job control directives
Runs with the uid of the user, so it can only control jobs started by that user.

Add authorization callouts from the Job Manager

Add a generic authorization callout at the point where a job is started, and when one of the following job-management requests is made:
– Cancel, suspend, resume, ask for status, change priority of a job
– Register or deregister a call-back contact
– Stop or restart the job manager process that is watching the job

Information Passed to the Authorization Call

gss_context of the job initiator
gss_context of the requester
Static job-group, dynamic job id
Action requested
RSL for the request
– On job start the RSL may specify parameters that need to be controlled, such as:
  – Number of CPUs requested
  – CPU time needed
  – Queue (or priority) desired

GSS Context

Generic Security Service (GSS-API) security context (IETF RFC 2744 C bindings; the abstract API is RFC 2743). For GSI implementations this contains:
– Requestor’s X.509 proxy certificate
– Requestor’s Distinguished Name
– Acceptor’s name
– Intended use
– Cryptographic state: shared session keys

Akenti Authorization Server

Authorization policy is created by independent stakeholders as digitally signed certificates.
Requestors are identified by X.509 certificates, or by DN plus the CA’s DN.
The resource gateway asks for an authorization decision based on a resource name and the requestor’s identity.
Akenti finds (pulls) all the relevant authorization policy and returns the allowed actions and conditional actions.
Conditional actions may specify runtime conditions that the resource gateway must evaluate.

Akenti Authorization plug-in

Handles the interface between the Job Manager and the Akenti authorization service:
– Extracts the X.509 proxy certificate from the GSS context
– Maps the Globus resource name (e.g. pathname of the binary, or job tag) to an Akenti policy resource name
– Interprets the Akenti response:
  – Evaluates runtime conditions (a policy might limit the number of CPUs used)
  – Maps Akenti actions to Globus actions, e.g. “control job” to cancel job, get job status, suspend, resume, etc.
– Returns an allowed or disallowed answer to the Job Manager, plus a Globus Error object.
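The callout the last three slides describe, end to end, as an added example that is not Globus or Akenti code: the gatekeeper's grid-mapfile admission check, then the fine-grained decision the plug-in would make from the inputs on the "Information Passed" slide (both identities, static job-group, dynamic job id, action, RSL), using the three-tier policy from the motivation slide (users, developers, administrators). The grid-mapfile line format and the `(attribute=value)` RSL form are the real GT2 ones; the DNs, group memberships, binaries, the `count<=N` condition syntax and the mapping of the Akenti action `control` onto Globus job requests are all assumptions, and Akenti's signed use-condition certificates are modelled as plain tuples.

```python
"""A GRAM job-manager authorization callout backed by Akenti-style policy.

Added example, not Globus or Akenti code.  The grid-mapfile entries, DNs,
group membership, binaries and use conditions are all constructed; Akenti's
signed use-condition certificates are modelled as plain tuples.
"""
import re

# Gatekeeper input: a GT2 grid-mapfile (quoted DN, then comma-separated local accounts).
GRID_MAPFILE = '''
"/C=US/O=Example Grid/OU=Fusion/CN=Alice Analyst" fusion
"/C=US/O=Example Grid/OU=Fusion/CN=Bob Builder" fusion,bob
"/C=US/O=Example Grid/OU=Ops/CN=Carol Admin" gridadm
'''

# Attribute the plug-in would look up for the requestor (constructed).
GROUP_OF = {
    "/C=US/O=Example Grid/OU=Fusion/CN=Alice Analyst": "user",
    "/C=US/O=Example Grid/OU=Fusion/CN=Bob Builder": "developer",
    "/C=US/O=Example Grid/OU=Ops/CN=Carol Admin": "admin",
}

# Stakeholder policy per static job-group: (group, Akenti action, runtime condition).
# "execute:<path>" restricts which binaries may be started; "control" covers the
# job-management requests.  The condition is evaluated by the plug-in against the RSL.
POLICY = {
    "fusion": [
        # most users: two services, but a generous CPU allocation
        ("user", "execute:/grid/bin/transp", "count<=64"),
        ("user", "execute:/grid/bin/gs2", "count<=64"),
        # developers: compilers and debuggers too, with strict limits
        ("developer", "execute:/grid/bin/transp", "count<=4"),
        ("developer", "execute:/usr/bin/gcc", "count<=1"),
        ("developer", "execute:/usr/bin/gdb", "count<=1"),
        # administrators may manage anybody's job in the group
        ("admin", "control", None),
    ],
}

# Akenti action -> Globus job-manager requests it covers (assumed mapping).
AKENTI_TO_GLOBUS = {"control": {"cancel", "status", "suspend", "resume"}}


def parse_gridmap(text):
    """Map each DN in a grid-mapfile to its list of local accounts."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r'^\s*"([^"]+)"\s+(\S+)\s*$', line)
        if m:
            entries[m.group(1)] = m.group(2).split(",")
    return entries


def parse_rsl(rsl):
    """Flatten a GT2 RSL conjunction such as &(executable=/bin/ls)(count=4) into a dict."""
    return {k.lower(): v.strip().strip('"')
            for k, v in re.findall(r"\(\s*([A-Za-z_]+)\s*=\s*([^)]*)\)", rsl)}


def condition_holds(cond, attrs):
    """Runtime condition '<rsl attribute><=N'; an attribute absent from the RSL counts as 1."""
    if cond is None:
        return True
    name, limit = cond.split("<=")
    return int(attrs.get(name, 1)) <= int(limit)


def authorize(initiator_dn, requester_dn, job_group, job_id, action, rsl=""):
    """The callout made on job start and on every job-management request.

    Takes the inputs listed on the slide (both identities, static job-group,
    dynamic job id, action, RSL) and returns (allowed, reason).
    """
    if requester_dn not in parse_gridmap(GRID_MAPFILE):
        return False, "gatekeeper: no grid-mapfile entry for requester"
    attrs = parse_rsl(rsl)
    group = GROUP_OF.get(requester_dn)
    rules = POLICY.get(job_group, [])
    if action == "start":
        wanted = "execute:" + attrs.get("executable", "")
        conds = [c for g, a, c in rules if g == group and a == wanted]
        if not conds:
            return False, "no use condition grants %s to group %r" % (wanted, group)
        if any(condition_holds(c, attrs) for c in conds):
            return True, "policy grants %s" % wanted
        return False, "runtime condition failed for %s: %s" % (wanted, ", ".join(conds))
    # Job-management request: the initiator keeps its GT2 right over its own job ...
    if requester_dn == initiator_dn:
        return True, "requester is the initiator of job %s" % job_id
    # ... anyone else needs an Akenti action that maps onto this Globus action.
    for g, a, c in rules:
        if g == group and action in AKENTI_TO_GLOBUS.get(a, ()) and condition_holds(c, attrs):
            return True, "Akenti action %r covers %s on job %s" % (a, action, job_id)
    return False, "%s on job %s not granted to group %r" % (action, job_id, group)


if __name__ == "__main__":
    alice = "/C=US/O=Example Grid/OU=Fusion/CN=Alice Analyst"
    carol = "/C=US/O=Example Grid/OU=Ops/CN=Carol Admin"
    print(authorize(alice, alice, "fusion", "job-1", "start",
                    "&(executable=/grid/bin/transp)(count=32)(maxCpuTime=600)"))
    print(authorize(alice, carol, "fusion", "job-1", "cancel"))
```

The two decisions GT2 cannot make on its own are the interesting ones: a developer asking for more CPUs than the use condition allows is refused at job start even though the binary itself is permitted, and an administrator who is not the job's initiator is allowed to cancel it because the group's `control` grant maps onto the `cancel` request. A requester missing from the grid-mapfile never reaches the policy at all, which is the admission-control step the gatekeeper keeps.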

Status

Two prototypes with progressively refined functionality have been built and were demonstrated at Fusion Physics meetings (TTF and Sherwood Theory) in Apr. ’02 and at SC02 in Nov. ’02.
A production version is currently under development.
Plan to release the modified Job Manager as part of a future GT2 release (hopefully 2.4).
The Akenti interface module will be released as a user-contributed plug-in to GT2.
The Akenti server is currently released as open source software by LBNL.

Future Work

The Globus Toolkit is evolving to the Open Grid Services Architecture (OGSA).
Globus is working, with input from the GGF, to define a generic authorization service API.
Akenti has been wrapped in Python as a Grid service, and a SOAP interface to the server has recently been added.
It will become an instance of a pull-model Grid Authorization service.

Project web sites

Akenti –
Globus –
Fusion Grid –