Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aleksandr Konstantinov, Weizhong Qiang NorduGrid collaboration

Published byDominick Simon Modified over 7 years ago

Similar presentations

Presentation on theme: "Aleksandr Konstantinov, Weizhong Qiang NorduGrid collaboration"— Presentation transcript:

1 Aleksandr Konstantinov, Weizhong Qiang NorduGrid collaboration
Security in ARC Aleksandr Konstantinov, Weizhong Qiang NorduGrid collaboration Middleware Security Group Meeting SWITCH, Zürich, 30 March 2009

2 ARC in a nutshell Advanced Resource Connector
General purpose Open Source Grid middleware One of the production grid middlewares Developed & maintained by theNorduGrid Collaboration Deployment support, extensive documentation, available on most of the popular Linux distributions Lightweight architecture for a dynamic heterogeneous system following Scandinavian design principles start with something simple that works for users and add functionality gradually non-intrusive on the server side Flexible & powerful on the client side User- & performance-driven development Production quality software since May 2002 First middleware ever to contribute to HEP data challenge Strong commitment to standards & interoperability JSDL, GLUE, Active OGF player Middleware of choice by many national grid infrastructures due to its technical merits SweGrid, SWISS Grid(s), Finnish M-Grid, NDGF, etc… Majority of ARC users are NOT from the HEP community Illustrations:“Scandinavian Design beyond the Myth” 22/02/2018

3 Brief history of ARC 22/02/2018 www.nordugrid.org
Y2K: Grid Hype, European Data Grid (EDG), re-discovery of Globus Toolkit (version 1.1.4) Back in HEP Institutes from Scandinavia wanted to share their computing resources and jointly contribute to CERN/LHC computing The born of the “NorduGrid”, a research project of the NORDUNet2 program aimed to enable Grid in the Nordic countries 2002 February: decision to develop an alternative middleware by making use of Globus libraries. NorduGrid design, architecture, philosophy. 2002 May: 3rd NorduGrid Workshop, Helsinki demonstration of the first version of the middleware. Since then the NorduGrid middleware has been used in production, first middleware ever to contribute to a production HEP data challenge. 2004 April: announcement of release 0.4 of NorduGrid middleware (also known as the Advanced Resource Connector), the first official release of this software. 2006 June: EU KnowARC project starts; aims at providing Web Service interfaces for ARC components. 2007 May: After a long hardenning process ARC version 0.6, the second stable release of the middleware was released. 2008 August: a prototype version of the next generation ARC 2008 December: Version of production ARC released All over the years: ARC has become one of the major grid middlewares used in production all over the world. 22/02/2018

4 Deployment of ARC Used in multiple production Grid infrastructures
Also by individual sites 22/02/2018

5 Production ARC - overview
Provides reliable implementation of fundamental Grid services: The usual Grid security: single sign on, Grid ACLs (GACL), VOs (VOMS) Job submission: direct or via matchmaking and brokering Job monitoring & management Information services: resource aggregation, representation, discovery and monitoring Implements core data management functionality Storage Elements Interfacing to Data Indexing, client-side data movement Automated seamless input/output data movement Logging service Builds upon open source solutions and protocols Globus Toolkit® pre-WS API and libraries (no services!) OpenLDAP, OpenSSL, SASL, SOAP, GridFTP, GSI 22/02/2018

6 Production ARC - protocols
Uses X.509 for authentication of users Uses communication protocols which provide data integrity and protection GridFTP Used for most communications Including communication with Computing Element HTTPS Third-party proprietary protocols Data management – RLS, LFC Unprotected communication LDAP Used by Information System 22/02/2018

7 Production ARC - authorization
Relatively thin layer integrated into communication stack Strongly coupled with delegation Based on information stored in X.509 certificate Simple hard-coded and configurable authorization rules DN of X.509 VOMS attributes External plugin/executable LCAS framework Some services implement own authorization based on internal information Hard-coded rules GACL polices 22/02/2018

8 Production ARC - delegation
Full identity delegation - X.509 Proxy Certificates Used by Computing Element to retrieve and store data on behalf of original user No additional restrictions put into Proxy Certificates Delegation performed as part of GSI handshake Embedded into GridFTP protocol Support for renewal of delegated credentials Support for MyProxy service (for renewal) 22/02/2018

9 Overview of new ARC components
A Web-service based solution Strategy: interoperability via open standards BES, JSDL, GLUE, SRM, GridFTP, X509, SAML Participation in standardization and profiling activities (OGF) Migration plan: gradually replace ARC components with new modules, possibly co-deploying both initially For transitional period gateway-like solutions are necessary Targeting gLite, Unicore, production ARC 22/02/2018

10 Service decomposition
22/02/2018

11 New components Hosting Environment (Daemon) HED
Flexible service hosting and development framework Takes care of the networking-layer (e.g. SOAP) Available on MS Windows and Mac OS as well as Linux Offers Python and Java language bindings in addition to the native C++ A-REX (computing element) Central Information Indexing service (to become P2P distributed) Distributed Storage System services Security framework (including delegation) ARCLIB and powerful command-line tools Including plugins for production ARC, gLite CREAM CE, Unicore 22/02/2018

12 Modular approach New ARC services and clients are based on modular approach Message Chain Component (MCC) Protocol layer module Data Management Component (DMC) Full data protocol(s) ARC Client Component (ACC) Job submission and control modules Security Handler Component (SHC) Security related attributes collection and handling Policies and Attributes evaluation TCP MCC TLS MCC X.509 DN VOMS PC Policy HTTP MCC 22/02/2018

14 New security modules Security Handler components
X.509 generic information extraction VOMS information extraction WS-Security extraction and insertion X.509 Token Profile Username Token Profile Local policy evaluation Remote policy evaluation (call to remote service) X.509 proxy certificate policy evaluation Future plans WS-S SAML Token Profile Consumption of SAML assertions (from SAML token, and SAML 2.0 SSO profile) 22/02/2018

15 New security modules Evaluation of policies
Modular – Policy Decision Point components Supported policy expressions/languages Lists of X.509 DNs – gridmap-like Grid Access Control List (GACL) Proprietary ARC policy language XML based Similar to XACML with simplification for (relative) user-friendliness Future plans SAML support XACML support 22/02/2018

16 New approach for delegation
Still full identity delegation - X.509 Proxy Certificates WS Port type for delegating credentials to service Implemented by services which accept delegation Support for proxy policies According to RFC 3820 policyLanguage = id-ppl-anyLanguage policy = ARC Policy XML document 22/02/2018

17 New security services (very much work in progress)
Policy decision service Accepts policy evaluation request Returns evaluation result Short-lived credential service Accepts Shibboleth tokens Generates short-lived X.509 credentials SAML attribute assertion returned from Shibboleth IdP is embedded as certificate extension The credential then can be used to access services which require X.509 credentials 22/02/2018

18 New security services (very much work in progress)
Delegation service (DS) Web Service for X.509 credential delegation Functionality similar to Myproxy – but uses standard communication channel Acts as intermediate for passing delegated credentials from client to sevice Corresponding Security Handler Component to (almost) seamlessly Delegate credentials to DS on client side Fetch credentials from DS on service side 22/02/2018

19 Unified security in ARC
Every service developed in HED gets generic security infrastructure Information collected and processed at protocol levels Authorization decisions based on protocol specific information Authorization configuration fully depends on deployment Every service can implement own authorization Through pluggable modules Using direct support to policy evaluation library 22/02/2018

20 Unified security in ARC
Services which implement own authorization A-REX – BES compliant Grid Computing Element Per Grid Job authorization policies Storage system (multiple services) Per stored entity authorization policies Inter-service trust relationship Service properties filtering (GLUE2 documents over WSRF) Each node in XML document may have policy attached Document is pre-filtered by matching policies to authentication tokens provided by client. 22/02/2018

21 Questions? 22/02/2018

22 Backups 22/02/2018

23 New security clients arcslcs: client utility for SLC generation
arcproxy: client utility for proxy generation Include the functionality of grid-proxy-init, plus the embedding of delegation policy Include the functionality of contacting VOMS server, and generating proxy certificate with VOMS AC inside Include the functionality of contacting myproxy server (delegating credential to myproxy server, and getting delegated credential from myproxy server) by taking globus GSI protocol arcslcs: client utility for SLC generation As the client of SLCS service 22/02/2018

24 New security services Service Provider service Http layer service
In charge of Service Provider (SP) functionality of SAML 2.0 SSO profile Act together with client interface (in charge of the functionality of user agent of SAML 2.0 SSO), and Shibboleth IdP (2.0) SP service shares the same session with other services (one SP service per container) SSL Client certificate authentication should be switched off Service Provider service (cont.) SAML attribute assertion can be used for access control Benefit: Use community credential (Username/Passwd) as a replacement of X.509 cred. 22/02/2018

Download ppt "Aleksandr Konstantinov, Weizhong Qiang NorduGrid collaboration"

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Security Design and Solution in ARC1 Weizhong Qiang University of Oslo April 9, 2008.

Security Design and Solution in ARC1 Weizhong Qiang University of Oslo April 9, 2008.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
March 6 th, 2009 OGF 25 Unicore 6 and IPv6 readiness and IPv6 readiness

March 6 th, 2009 OGF 25 Unicore 6 and IPv6 readiness and IPv6 readiness
Grid Standardization from the NorduGrid/ARC perspective Balázs Kónya, Lund University, Sweden NorduGrid Technical Coordinator ETSI Grid Workshop on Standardization,

Grid Standardization from the NorduGrid/ARC perspective Balázs Kónya, Lund University, Sweden NorduGrid Technical Coordinator ETSI Grid Workshop on Standardization,
30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.
Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
4b.1 Grid Computing Software Components of Globus 4.0 ITCS 4010 Grid Computing, 2005, UNC-Charlotte, B. Wilkinson, slides 4b.

4b.1 Grid Computing Software Components of Globus 4.0 ITCS 4010 Grid Computing, 2005, UNC-Charlotte, B. Wilkinson, slides 4b.
CSC Grid Activities Arto Teräs HIP Research Seminar February 18th 2005.

CSC Grid Activities Arto Teräs HIP Research Seminar February 18th 2005.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.

Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.

Similar presentations

Ads by Google