Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid Security: What is it? Where is it going? Why?

Published byJasper Shields Modified over 5 years ago

Similar presentations

Presentation on theme: "Grid Security: What is it? Where is it going? Why?"— Presentation transcript:

1 Grid Security: What is it? Where is it going? Why?
Von Welch National Center for Supercomputing Applications Globus Alliance

2 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Outline Some quick terminology What is Grid Security? Current State of the Art OGSA Grid Evolution OGSA Security and Web Services Security Globus Toolkit Implementation and Futures ClusterWorld 2004 Grid Security - Von Welch

3 Authentication, Authorization, Delegation
What are you are allowed to do? Delegation: Granting a right to another entity. Authentication: Proving who you are. John NCSA ClusterWorld 2004 Grid Security - Von Welch

4 Public Key Infrastructure
Used in almost all Grids today Allows for two entities to authenticate with minimal cross-organizational supprt Based on asymmetric cryptography Private and Public Key Public key is encoded in a Certificate by a Certificate Authority (CA) Certificate and Private key are used to establish identity ClusterWorld 2004 Grid Security - Von Welch

5 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Certificates Allow for binding of an Identity (John Doe) to a key or person State of Illinois John Doe 755 E. Woodlawn Urbana IL 61801 BD Male 6’0” 200lbs GRN Eyes State of Illinois Seal Name Issuer Public Key Signature ClusterWorld 2004 Grid Security - Von Welch

6 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Outline Some quick terminology What is Grid Security? Current State of the Art OGSA Grid Evolution OGSA Security and Web Services Security Globus Toolkit Implementation and Futures ClusterWorld 2004 Grid Security - Von Welch

7 Grid Security’s goal is to support the virtual organization.
(VO) Site D Site A Site C Site B ClusterWorld 2004 Grid Security - Von Welch

8 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Example: NSF TeraGrid NCSA Grid-building activities: National Computational Science Alliance Alliance Grid Testbed (formerly Grid-in-a-Box) TeraGrid ClusterWorld 2004 Grid Security - Von Welch

9 Instrumented Structures and Sites Remote Users
Simulation Tools Repository High-Performance Network(s) Laboratory Equipment Field Equipment Curated Data Repository Leading Edge Computation Global Connections (FY 2005 – FY 2014) Remote Users: (K-12 Faculty and Students) Laboratory Equipment ClusterWorld 2004 Grid Security - Von Welch

10 Controlled Resource Sharing
Globally: User must agree to AUP User must use strong authentication Compute Center 20 Mbytes/sec max BIO VO 5pm-9am only HEP VO 100 Tbytes max 20 Tflops per month max Chem Eng VO ClusterWorld 2004 Grid Security - Von Welch

11 Grid Authorization “Flow”
VO Delegate: VO may use 50% of cycles Delegate: Jane may use 1000 cycles Delegate: Job X may use 100 cycles User Resource Process ClusterWorld 2004 Grid Security - Von Welch

12 So, what are the challenges?
Resources being used may be valuable & the problems being solved sensitive Both users and resources need to be careful VOs aren’t static Large, dynamic, unpredictable… VO Resources and users are often located in distinct administrative domains Can’t assume cross-organizational trust agreements Different mechanisms, trust roots & credentials X.509 vs Kerberos Different CAs X.509 attribute certs vs SAML assertions ClusterWorld 2004 Grid Security - Von Welch

13 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
More challenges… Interactions are not just client/server, but service-to-service on behalf of the user Requires delegation of rights by user to service Services may be dynamically instantiated Standardization of interfaces to allow for discovery, negotiation and use Implementation must be broadly available & applicable Standard, well-tested, well-understood protocols; integrated with wide variety of tools Policy from sites, VO, users need to be combined Varying formats: SAML, XACML, local custom, etc. Want to hide as much as possible from applications! ClusterWorld 2004 Grid Security - Von Welch

14 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Outline Some quick terminology What is Grid Security? Current State of the Art OGSA Grid Evolution OGSA Security and Web Services Security Globus Toolkit Implementation and Futures ClusterWorld 2004 Grid Security - Von Welch

15 Grid Security Infrastructure (GSI)
Open source libraries, tools and standards which provide security functionality of the Globus Toolkit Provides for cross-organizational: Authentication Message protection Authorization Single sign-on ClusterWorld 2004 Grid Security - Von Welch

16 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
GSI Stack GSI uses a standard PKI for identity certificates. Each entity (user, service) has an X.509 certificate from a CA that uniquely names it. PKI (Certs, CAs) ClusterWorld 2004 Grid Security - Von Welch

17 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
GSI Stack SSL, using the certificates, is used as the network protocol Performs authentication, like in the web, but client as well as server Also provides message protection as needed (integrity, encryption) SSL PKI (Certs, CAs) ClusterWorld 2004 Grid Security - Von Welch

18 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
GSI Stack X.509 Proxy Certificates are our extension Standardized in IETF (pkix) Allow for dynamic delegation X.509 Proxy Certificates SSL PKI (Certs, CAs) ClusterWorld 2004 Grid Security - Von Welch

19 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
GSI Stack Grid-Mapfile maps Grid users (identified by certificates) to local users (e.g. Unix account) Allows authorization using normal local methods (e.g. filesystem perms, quotas) Grid-Mapfile X.509 Proxy Certificates SSL PKI (Certs, CAs) ClusterWorld 2004 Grid Security - Von Welch

20 GSI-Enabled Coordination
Site B Site C Proxy Certificate Allows for delegation to allow for coordinated resource Usage. Allows for standard authentication method Site A ClusterWorld 2004 Grid Security - Von Welch

21 Grid Security Services
How does a site with an existing sophisticated security infrastructure leverage that for Grids? E.g. Kerberos How do I carry X.509 credentials around with me? How do I use with non-GSI aware applications? E.g. Web portals? How does a VO manage the resources contributed to it? ClusterWorld 2004 Grid Security - Von Welch

22 Kerberos CA: Grid access from Krb5
KCA Krb5 to Grid ID Mappings Krb5 Ticket X509 Certificate GSI Kerberos User Grid Site Allows use of Kerberos credentials to get on the Grid In use at FNAL, USC KRB5 Resources ClusterWorld 2004 Grid Security - Von Welch

23 MyProxy Credential Wallet
Username Password Web Server Username Password Username Password Allows users to acquire Grid credentials from Username/Password Enables mobility and use of non-GSI aware applications The Grid ClusterWorld 2004 Grid Security - Von Welch

24 Community Authorization Service (CAS)
Resources are Contributed to VO From a number of sites VO decides how its users Can use those resources. CAS CAS Gives user Assertion Granting access VO User requests access User presents assertion to resource to gain access CAS: Allows VO to set Fine-grain access policy on its resources ClusterWorld 2004 Grid Security - Von Welch

25 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Outline Some quick terminology What is Grid Security? Current State of the Art OGSA Grid Evolution OGSA Security and Web Services Security Globus Toolkit Implementation and Futures ClusterWorld 2004 Grid Security - Von Welch

26 Grid Evolution: Open Grid Services Architecture
Goals Refactor Globus protocol suite to enable common base and expose key capabilities Service orientation to virtualize resources and unify resources/services/information Embrace key Web services technologies for standard IDL, leverage commercial efforts Result = standard interfaces & behaviors for distributed system mgmt: the Grid service Standardization within Global Grid Forum and OASIS Open source & commercial implementations ClusterWorld 2004 Grid Security - Von Welch

27 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
The Grid Service Use WSDL to advertise interface WS-Policy to advertise security requirements (Krb5, GSI, etc.) Allow for automated discovery and binding Hosting environment handles msgs including authentication, msg protection, authorization, etc. Allows app developer to focus on app- specific logic. Application Interface Hosting Environment ClusterWorld 2004 Grid Security - Von Welch

28 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Based on Standards Web Services SOAP WSDL Extensions (follow-on to OGSI) WSRF Lifetime control WS-ResourceProperties Expose state WS-Notification WS-ServiceGroup WS-RenewableReference ClusterWorld 2004 Grid Security - Von Welch

29 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Outline Some quick terminology What is Grid Security? Current State of the Art OGSA Grid Evolution OGSA Security and Web Services Security Globus Toolkit Implementation and Futures ClusterWorld 2004 Grid Security - Von Welch

30 Leverage existing/emerging Security Standards
WS-Security/Policy/Trust/Federation/ Authorization/SecureConversation/Privacy XKMS, XML-Signature/Encryption, SAML, XACML, XrML But… Need to OGSA’fy Need to define Profile/Mechanisms Need to define Naming conventions Need to address late/missing specs Support for delegation, transient services ClusterWorld 2004 Grid Security - Von Welch

31 WS Security Current/proposed WSS-specs
WS-Secure Conversation WS-Federation WS-Authorization WS-Policy WS-Trust WS-Privacy WS-Security In progress SOAP Foundation proposed promised ClusterWorld 2004 Grid Security - Von Welch

32 Current/proposed specs Building on the SOAP Foundation
Today: describes SOAP extensions for secure messaging, provides foundation for other building blocks WS-Security SOAP Foundation ClusterWorld 2004 Grid Security - Von Welch

33 Current/proposed specs Building on the SOAP Foundation
Today: how to express capabilities and constraints of security policies. Along with WS-SecurityPolicy, WS-PolicyAsserts, WS-PolicyAttachment WS-Policy WS-Security SOAP Foundation ClusterWorld 2004 Grid Security - Von Welch

34 Current/proposed specs Building on the SOAP Foundation
Today: describes the model for establishing both direct and brokered trust relationships (including third parties and intermediaries) WS-Policy WS-Trust WS-Security SOAP Foundation ClusterWorld 2004 Grid Security - Von Welch

35 Current/proposed specs Building on the SOAP Foundation
Today: how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys WS-Secure Conversation WS-Policy WS-Trust WS-Security SOAP Foundation ClusterWorld 2004 Grid Security - Von Welch

36 Current/proposed specs Building on the SOAP Foundation
WS-Secure Conversation Planned: will be a model for how users state privacy preferences, and for how Web Services state and implement privacy practices WS-Policy WS-Trust WS-Privacy WS-Security SOAP Foundation ClusterWorld 2004 Grid Security - Von Welch

37 Current/proposed specs Building on the SOAP Foundation
WS-Secure Conversation WS-Federation Planned: will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities WS-Policy WS-Trust WS-Privacy WS-Security SOAP Foundation ClusterWorld 2004 Grid Security - Von Welch

38 Current/proposed specs Building on the SOAP Foundation
WS-Secure Conversation WS-Federation WS-Authorization Planned: will define how Web services manage authorization data and policies WS-Policy WS-Trust WS-Privacy WS-Security SOAP Foundation ClusterWorld 2004 Grid Security - Von Welch

39 WS Security Current/proposed WSS-specs
WS-Secure Conversation WS-Federation WS-Authorization WS-Policy WS-Trust WS-Privacy WS-Security In progress SOAP Foundation proposed promised ClusterWorld 2004 Grid Security - Von Welch

40 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Other Standards SAML looks good for assertions XACML as language for policy exchange? But don’t fit nicely together (NASA work). SAML 2.0 will hopefully help. XACML delegation of rights? XrML Another policy language Liberty Alliance Federated Identity like WS-Federation ClusterWorld 2004 Grid Security - Von Welch

41 WS Security (Confusing Picture)
Liberty Alliance XrML WS-Secure Conversation WS-Federation WS-Authorization XACML WS-Policy WS-Trust WS-Privacy SAML WS-Security In progress SOAP Foundation proposed promised ClusterWorld 2004 Grid Security - Von Welch

42 How does all this fit into Grids?
WS-Policy/XACML/XrML for expressing security constraints What credentials (Kebreros, GSI) are accepted and preferred Encryption supported? Required? Rejected? WS-Authorization/XACML/XrML for managing authorization data e.g. in CAS WS-Privacy (?) for managing privacy ClusterWorld 2004 Grid Security - Von Welch

43 OGSA Security Roadmap Goal
Address the Grid Security Architecture Requirements Make Implementations Possible Address Interoperability Address Pluggability/Replaceability Address missing/late/insufficient Standards “OGSA Security Roadmap” submitted to GGF – co-authored with IBM ClusterWorld 2004 Grid Security - Von Welch

44 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
OGSA Security Security implemented by pluggable security services Usable by clients and services Allow for more agnostic approach to security mechanisms As implementations are created for a mechanism they can be plugged into existing tools to enable use. Applications and services can examine published security policies and convert/acquire credentials as needed ClusterWorld 2004 Grid Security - Von Welch

45 Remove Security from Applications
Allow deployment-time selection of supported mechanisms and policies OGSA resource virtualization allows for policy on application-independent operation invocation Place as much security functionality as possible into sophisticated hosting environments ClusterWorld 2004 Grid Security - Von Welch

46 Transparent Call-outs from WS-Stubs
ClusterWorld 2004 Grid Security - Von Welch

47 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Outline Some quick terminology What is Grid Security? Current State of the Art OGSA Grid Evolution OGSA Security and Web Services Security Globus Toolkit Implementation and Futures ClusterWorld 2004 Grid Security - Von Welch

48 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
What’s actually in GT3? SOAP-based wire protocol WS-Security (XML-Signature, XML-Encryption) for authentication, message protection GSI-SecureConversation Based on GT2’s TLS/GSSAPI implementation Based on a poor-man’s “interpretation” of WS-Trust/WS-SecureConversation specs plus XML-Signature/XML-Encryption/WS-Security Waiting for WS-Trust & WS-SecureConversation & WS-Kerberos specs to be submitted to standards body ClusterWorld 2004 Grid Security - Von Welch

49 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
What’s Actually in GT3? SAML assertions in Community Authorization Service (GT 3.2) Allow VOs to set and distribute policy on file access Standardized Proxy Certificates Java and C implementations Java based on Axis with security implemented in handlers ClusterWorld 2004 Grid Security - Von Welch

50 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
GT Security Futures (1) Authorization is “KEY” for the coming year Includes communicating/sharing/matching of authz-policies and capabilities Profiles for Attributes Standards for authorization services GGF OGSA Authorization WG Restricted Delegation By service and operation By “domains” ClusterWorld 2004 Grid Security - Von Welch

51 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
GT Security Futures (2) Securely route through firewalls/network-hurdles Tackle the firewall/NAT traversal issues transparently in the runtime Integration of Group authentication/key-exchange protocols Going from 2 parties to N parties should be “seamless” Secure Logging and Audit Another undefined, unstandardized missing link… while the requirements are there! ClusterWorld 2004 Grid Security - Von Welch

52 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Conclusion Grid’s requirements maybe few years ahead, but industry will face same challenges soon Few “new” distributed computing requirements… Our security requirements are conceptually 1-2 levels above what is available now as specifications, standards and open source Ideally, we want to be end-users of WSS not plumbers… The standards circus is very worrisome And distracting and time consuming… Come help us at the Global Grid Forum Exciting security stuff! We need your help… ( Play with the Globus Toolkit (GT3.2) Downloaded 100k+ times already ( ClusterWorld 2004 Grid Security - Von Welch

53 Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)
Thanks Many colleagues at Argonne, NCSA, ISI & PDC: Frank Siebenlist, Sam Meder, Olle Mulmo, Leaur Pearlman, Jarek Garow, Jim Basney, Steve Tuecke, Ian Foster, Carl Kesselman, Rachana Ananthakrishnan and many others. Funding from DOE, NSF and IBM Questions? ClusterWorld 2004 Grid Security - Von Welch

Download ppt "Grid Security: What is it? Where is it going? Why?"

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.

Grid Security Overview The Globus Project™ Copyright (c) 2002 University of Chicago and The University of Southern California. All.
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.

INFSO-RI Enabling Grids for E-sciencE EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
Www.ggf.org OGSA SEC WG [OGSA= Open Grid Services Architecture] Co-chairs: Nataraj Nagaratnam, IBM, USA Marty Humphrey University of Virginia, USA GGF9.

OGSA SEC WG [OGSA= Open Grid Services Architecture] Co-chairs: Nataraj Nagaratnam, IBM, USA Marty Humphrey University of Virginia, USA GGF9.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.

GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.

Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.

Similar presentations

Ads by Google