GCRC Meeting 2004 Introduction to the Grid and Security Philip Papadopoulos

An Introduction to the Grid  Definition – Grid software allows a user to assemble remote resources and treat them as if they were local Uses a scalable security model Does not require centralized administration Does not require sites to give up administrative control of their resource  Simple Example A Morphometric BIRN researcher wants to test a new image segmentation program on brain image data.  The computing cluster is in San Diego  The Brain Data is physically stored at centers in Harvard, UCI, and Duke

What a Grid Is not  It’s not free computing  It does not replace large-scale “supercomputers”  Putting your resource on the grid does not mean anybody can use it  Note: Grid and “Cyberinfrastructure” are two words that describe the same thing

How is a Grid different from the Web ? FeatureWebGrid Physical Connections Ethernet, ATM, SONET, … Same User Identification Managed per site Single Sign On Program Access Web Browser (http protocol) Multiple programs and protocols SearchingGoogleWell-defined meta data and databases Starting User- defined Programs Not SupportedVery Flexible

Abridged History of Distributed Computing  Classification by administrative domain  1980 Single administrative domain  SUN NFS (file sharing)  Yellow Pages (authentication)  Remote shell (task creation)  1990 Virtual User Administrative Domain  A user logs onto various machines and runs software that makes these appear as a single system Example PVM (Parallel Virtual Machine)  Mid 90’s - Clusters  Message passing (MPI) used for communication  Usually a single administrative domain

Abridged History Continued  Mid 90’s. Cooperating (Mutual Trust) Domains  Kerberos and CORBA  Trust is administered centrally  Late 90’s. Grid Systems  Public Key Certificates identified individual users. All or nothing domain trust not needed  Mechanisms for interprocess communication needed re-visting  More like Virtual User Domains early 90’s but with a more scalable security model  Example: Globus, Avaki, United Devices,

Clusters - The New Workstation  Commodity CPUs  Supercomputer-class performance  Easily replicated to form a distributed grid of computing and storage  Canonical IT platform for Biology  You may want/need access to cluster located at another site One of many clusters at UCSD. 256 Programs

“Wrapping” Resources for Symmetry Grid Interface Grid User Site Policies Grid Interface Standard Internet Network Site Policies Grid Interface Site Policies Grid Interface Site Policies Grid Interface Grid User Grid Interface provides security, identity Mapping, resource access/abstraction

How Grid Computing has Evolved  The Grid interface has evolved from scripts to a services based architecture  Service - a resource that has a well-defined programmatic interface that can be called remotely  A Web Service – a resource that can be called remotely using SOAP ( Simple Object Access Protocol ). Example: google in your web browser toolbar  A Grid Service – uses SOAP or other protocols with a defined authentication interface  Application – software that utilizes one or more services to work on the grid

What are Some Key Issues?  Some programs need to be re-engineered to work with non-local resources  Many programs need to explicitly carry a security credential (and not rely on a single administrative domain for implied authentication)  A culture of sharing resources and data among colleagues needs to be developed  Robustness of underlying grid middleware is being improved – (government investment, private investment) – but improvements are still needed

Summary  There is no magic program that takes existing code and makes it work with the grid.  Grid (or cyberinfrastructure) is an evolution of the web Security explicitly addressed Services programming model requires some change to applications  Benefits Utilizing and bridging remote resources is analogous bringing critical knowledge and information to you.

GCRC Meeting 2004 Grid Security Philip Papadopoulos

What is Grid Security?  Cooperating entities accept a cryptographically secure identification certificate  The certificate uniquely identifies a user or a resource Think of it as a passport  A resource interprets a presented certificate to determine whether access should be granted

GSI  GSI – Grid Security Infrastructure  A Certificate Authority creates a grid identity for a user (or resource) X.509 Certificate  A resource provider decides which Certificate Authorities it will trust https websites use Verisign, Thawte, Other Commercial and Private Certificates.  When a user signs on to the grid a time-limited proxy is generated. It is the proxy that is interpreted by a site

Simplified Grid Services Client (Requestor ) read rawdata; call.setTargetObjectURI("urn:gtomo-svc") call.setMethodName(“backproject") Call.setParams(“unprocesseddata”,rawdata) Response = invoke(call, result = Response.getReturnValue(); GSI Processed Response 1. client formats request (parameters + security) 2. Provider starts instance of service for client 3. Results returned over net Backproject instance Formatted Request Service Provider Grid services leverages web service infrastructure

Enable Workflows in a Grid Service-Oriented Environment Interface CCDB Back- project GSI Proxy User Sign on Art/Blobs Osaka U. PACI Resources Ucsd.edu Common Security, discovery, and instantiation framework of Grid services enables construction of complex workflows that crosses domains

Pros and Cons of Grid Certificates  X.509 proxies allow us to program workflows and maintain a secure identity This is known as single sign on  User management of certificates can be burdensome Online certificate “banks” can simplify this  Software systems have to be modified to accept certificates for authentication  The certificate is only identity management, deciding what a user can do (authorization) still needs work.  Like any new software, management isn’t 0 But, projects like BIRN are significantly easing this transition