Presentation is loading. Please wait.

Presentation is loading. Please wait.

26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire1 Security Architecture for GRID Applications Séminaire Croisé Sécurité Informatique Ubiquitaire.

Published byRichard Chorley Modified over 10 years ago

Similar presentations

Presentation on theme: "26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire1 Security Architecture for GRID Applications Séminaire Croisé Sécurité Informatique Ubiquitaire."— Presentation transcript:

1 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire1 Security Architecture for GRID Applications Séminaire Croisé Sécurité Informatique Ubiquitaire 1. Introduction to the GRID 2. ProActive 3. Declarative Security 4. Example Arnaud Contes - OASIS

2 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire2 1. Introduction : Context Net Applications Single Grid Distributed Grid

3 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire3 Issues for Grid Security Authentication of Computers, Users, and Applications Creation, connection to, and monitoring of activities Authentication, Integrity and Confidentiality (AIC) of communications Hierarchical domains Security Policies: Application, Domain Variation in Grid network links : LAN, Wireless, VPN, Internet Variation in deployment

4 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire4 Objectives Goals : Authentication of Computers, Users, and Applications Communication authentication, privacy and integrity Security defined at user and administrator level Easy and adaptable configuration Support for current middlewares features : deployment, migration, group communication, components Ways : Ubiquitous Security (Meta Object Protocol) Logical Security Architecture / Abstract Deployment Declarative Security Language

5 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire5 A Java API + Tools for Parallel, Distributed Computing A uniform framework: An Active Object pattern A formal model behind: Prop. Determinism, insensitivity to deploy. Main features: Remotely accessible Objects Asynchronous Communications with synchro: automatic Futures Group Communications, Migration (mobile computations) XML Deployment Descriptors Interfaced with various protocols: rsh,ssh,LSF,Globus,Jini,RMIregistry Visualization and monitoring: IC2D Security 2. ProActive

6 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire6 Standard system at Runtime No sharing between activities Active Object Passive Object Node

7 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire7 Secure Active Object Body Reply Receiver Service A Security Manager Reply Sender Request Sender Request Receiver B Stub_A Proxy node1node2

8 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire8 Abstract Deployment Model A key principle: Abstract Away from source code: Machine names, Creation Protocols, Lookup and Registry Protocols In program source: Virtual Node (a string name) In XML descriptors: Mapping of VN to JVMs Create or Acquire JVMs Program Source Descriptor (RunTime) |----------------------------------| |-------------------------------------------| Activities (AO) --> VN VN --> JVMs --> Hosts

9 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire9 Descriptors: Mapping Virtual Nodes VirtualNodes: Dispatcher RendererSet Mapping: Dispatcher --> DispatcherJVM RendererSet --> JVMset JVMs: DispatcherJVM = Current // (the current JVM) JVMset=//ClusterSophia.inria.fr/

10 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire10 3. Security Non-functional security Hierarchical security domains Dynamic policy negotiation Certification chain to identify users, JVMs, objects Application security policies set by deployment descriptors

11 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire11 Authentication : X509 Certificate Requestor Generates Key Pair CA Verifies ID, Key Pair, and User Eligibility CA Binds Public Key to ID by Signing the Certificate CA Presents Signed X509 v3 Certificate to Requestor

12 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire12 Application authentication User certificate Application certificate Entities certificates Generate certificate

13 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire13 Hierarchical Domains Logical way to group many entities that have the same security needs. Domains are hierarchical. Sub-domains inherits parent’s security policies. Default : Sub-domains cannot weaken parent’s security policies. ‘Can override‘ : a domain authorizes an entity to override its policies Find the first common domain if exists Dynamically configurable via SSL connections

14 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire14 Multi-level Policies DnDn Accept Deny D0D0 D n-1 Accept Deny VN Accept Deny AO Accept Deny Computing a security policy according all matching rules from domains, Virtual Node and Active Object. Security policy Administrator-/ User-level policy Application- level policy

15 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire15 Security Rule Interactions : JVMCreation NodeCreation CodeLoading ObjectCreation ObjectMigration Request Reply Listing Entities : Domain User Virtual Node Object Entities -> Entities : Interactions # Security Attributes Attributes : Authentication Integrity Confidentiality Each attribute can be : Allowed Optional Disallowed

16 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire16 Combining Policies Search for the most specific rule in each domain. Retrieve all matching rules in the Domain hierarchy, the Virtual Node and the Active Object. Compute policies according to security attributes. Required (+) Optional (?) Disallowed (-) Optional (?) Disallowed (-) Sender Receiver + + + ? - - - invalid

17 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire17 Descriptor Security Model A key principle: Specify security policies according to the deployment In program source: Virtual Node (VN, a string name): In XML descriptors: List of policy rules Trusted Certification Authorities

18 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire18 Descriptors: Security VirtualNodes vn1, vn2 SECURITY: VN [vn1] -> VN [vn2] : Q,P # [+A,?I,+C] VN [vn1] -> VN [vn2] : M # Forbidden VN [vn2] -> VN [vn1] : Q,P # [?A,?I,?C] VN [vn2] -> VN [vn1] : M # Forbidden Mapping: vn1 --> GridAComputers, GridBComputers vn2 --> GridAComputers JVMs: /…/

19 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire19 ProActive Security Manager In charge of security for an active object Retrieve, combine and negotiate policies Negotiate session key, Encrypt/decrypt messages

20 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire20 Request to an Active Object Body Request Receiver Reply Receiver Service Object Security Manager Reply Sender Body Request Receiver Reply Receiver Service Object Security Manager Reply Sender Proxy Request Sender Policy computation Keys exchange Request pathSecurity mechanims encrypt decrypt Active Object

21 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire21 4. Example 2 domaines GridA & gridB with security policies Domain [GridA]-> Domain [GridB]: Q,P,M # [+A,+I,+C] Domain [GridB]-> Domain [GridA]: Q,P,M # [+A,+I,+C] Application : 2 Virtual Nodes (vn1,vn2) 2 Active objects

22 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire22 Example Domain GridADomain GridB VN1 VN2 Policy rules database JVM

23 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire23 Descriptors: Security VirtualNodes vn1, vn2 SECURITY: VN [vn1] -> VN [vn2] : Q,P # [+A,?I,+C] VN [vn1] -> VN [vn2] : M # Forbidden VN [vn2] -> VN [vn1] : Q,P # [?A,?I,?C] VN [vn2] -> VN [vn1] : M # Forbidden Mapping: vn1 --> GridAComputers, GridBComputers vn2 --> GridAComputers JVMs: /…/

24 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire24 Example /…/ proActiveDescriptor.activateMappings(); vn1 = proActiveDescriptor.getVirtualNode("vm1"); vn2 = proActiveDescriptor.getVirtualNode("vm2"); /…/ Flower rose = (Flower) ProActive.newActive(Flower.class,new Object[]{« Rose »}, vn1.getNode()}; Flower daliah = (Flower) ProActive.newActive(Flower.class,new Object[]{« Daliah »}, vn2.getNode()}; /* next VN1 node inside the same domain */ rose.migrateTo(vn1); /* communication inside the same domain */ rose.sayHelloTo(daliah); /* other virtual node, forbidden */ rose.migrateTo(vn2); /* next VN1 Node, other domain */ rose.migrateTo(vn1); /* communication with another domain */ rose.sayHelloTo(daliah);

25 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire25 Example /…/ proActiveDescriptor.activateMappings(); vn1 = proActiveDescriptor.getVirtualNode("vm1"); vn2 = proActiveDescriptor.getVirtualNode("vm2"); /…/ Flower rose = (Flower) ProActive.newActive(Flower.class,new Object[]{« Rose »}, vn1.getNode()}; Flower daliah = (Flower) ProActive.newActive(Flower.class,new Object[]{« Daliah »}, vn2.getNode()}; /* next VN1 node inside the same domain */ rose.migrateTo(vn1); /* communication inside the same domain */ rose.sayHelloTo(daliah); /* other virtual node, forbidden */ rose.migrateTo(vn2); /* next VN1 Node, other domain */ rose.migrateTo(vn1); /* communication with another domain */ rose.sayHelloTo(daliah);

26 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire26 Example Domain GridADomain GridB VN1 VN2 Policy rules database JVM

27 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire27 Example /…/ proActiveDescriptor.activateMappings(); vn1 = proActiveDescriptor.getVirtualNode("vm1"); vn2 = proActiveDescriptor.getVirtualNode("vm2"); /…/ Flower rose = (Flower) ProActive.newActive(Flower.class,new Object[]{« Rose »}, vn1.getNode()}; Flower daliah = (Flower) ProActive.newActive(Flower.class,new Object[]{« Daliah »}, vn2.getNode()}; /* next VN1 node inside the same domain */ rose.migrateTo(vn1); /* communication inside the same domain */ rose.sayHelloTo(daliah); /* other virtual node, forbidden */ rose.migrateTo(vn2); /* next VN1 Node, other domain */ rose.migrateTo(vn1); /* communication with another domain */ rose.sayHelloTo(daliah);

28 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire28 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database JVM

29 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire29 Example /…/ proActiveDescriptor.activateMappings(); vn1 = proActiveDescriptor.getVirtualNode("vm1"); vn2 = proActiveDescriptor.getVirtualNode("vm2"); /…/ Flower rose = (Flower) ProActive.newActive(Flower.class,new Object[]{« Rose »}, vn1.getNode()}; Flower daliah = (Flower) ProActive.newActive(Flower.class,new Object[]{« Daliah »}, vn2.getNode()}; /* next VN1 node inside the same domain */ rose.migrateTo(vn1); /* communication inside the same domain */ rose.sayHelloTo(daliah); /* other virtual node, forbidden */ rose.migrateTo(vn2); /* next VN1 Node, other domain */ rose.migrateTo(vn1); /* communication with another domain */ rose.sayHelloTo(daliah);

30 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire30 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Can I migrate to the next VN1 node ? JVM

31 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire31 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Rose Migration : - same VN - same domain 1 - retrieve VN policy 2 - migration allowed JVM

32 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire32 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain JVM

33 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire33 Example /…/ proActiveDescriptor.activateMappings(); vn1 = proActiveDescriptor.getVirtualNode("vm1"); vn2 = proActiveDescriptor.getVirtualNode("vm2"); /…/ Flower rose = (Flower) ProActive.newActive(Flower.class,new Object[]{« Rose »}, vn1.getNode()}; Flower daliah = (Flower) ProActive.newActive(Flower.class,new Object[]{« Daliah »}, vn2.getNode()}; /* next VN1 node inside the same domain */ rose.migrateTo(vn1); /* communication inside the same domain */ rose.sayHelloTo(daliah); /* other virtual node, forbidden */ rose.migrateTo(vn2); /* next VN1 Node, other domain */ rose.migrateTo(vn1); /* communication with another domain */ rose.sayHelloTo(daliah);

34 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire34 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Method call : - other VN - same domain JVM Can I make a method call to Daliah on vn2 ?

35 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire35 Example Domain GridADomain GridB VN1 VN2 Policy rules database Method call : - other VN - same domain JVM Rose 1 - VN1 -> VN2 : [?A,?I,?C] 2 - result policy : [?A,?I,?C] 3 - method call allowed Daliah

36 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire36 Example /…/ proActiveDescriptor.activateMappings(); vn1 = proActiveDescriptor.getVirtualNode("vm1"); vn2 = proActiveDescriptor.getVirtualNode("vm2"); /…/ Flower rose = (Flower) ProActive.newActive(Flower.class,new Object[]{« Rose »}, vn1.getNode()}; Flower daliah = (Flower) ProActive.newActive(Flower.class,new Object[]{« Daliah »}, vn2.getNode()}; /* next VN1 node inside the same domain */ rose.migrateTo(vn1); /* communication inside the same domain */ rose.sayHelloTo(daliah); /* other virtual node, forbidden */ rose.migrateTo(vn2); /* next VN1 Node, other domain */ rose.migrateTo(vn1); /* communication with another domain */ rose.sayHelloTo(daliah);

37 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire37 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Migration : - other VN - same domain JVM Rose Can I migrate to the next VN2 node ? VN1 policy : forbidden

38 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire38 Example /…/ proActiveDescriptor.activateMappings(); vn1 = proActiveDescriptor.getVirtualNode("vm1"); vn2 = proActiveDescriptor.getVirtualNode("vm2"); /…/ Flower rose = (Flower) ProActive.newActive(Flower.class,new Object[]{« Rose »}, vn1.getNode()}; Flower daliah = (Flower) ProActive.newActive(Flower.class,new Object[]{« Daliah »}, vn2.getNode()}; /* next VN1 node inside the same domain */ rose.migrateTo(vn1); /* communication inside the same domain */ rose.sayHelloTo(daliah); /* other virtual node, forbidden */ rose.migrateTo(vn2); /* next VN1 Node, other domain */ rose.migrateTo(vn1); /* communication with another domain */ rose.sayHelloTo(daliah);

39 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire39 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - other domain JVM Can I migrate to the next VN1 node on GridB domain?

40 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire40 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Migration : - same VN - other domain Rose JVM 1- VN1 policy -> none 2- GridA -> GridB : [+A,+I,+C] 3- migration with [+A,+I,+C]

41 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire41 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - other domain JVM

42 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire42 Example /…/ proActiveDescriptor.activateMappings(); vn1 = proActiveDescriptor.getVirtualNode("vm1"); vn2 = proActiveDescriptor.getVirtualNode("vm2"); /…/ Flower rose = (Flower) ProActive.newActive(Flower.class,new Object[]{« Rose »}, vn1.getNode()}; Flower daliah = (Flower) ProActive.newActive(Flower.class,new Object[]{« Daliah »}, vn2.getNode()}; /* next VN1 node inside the same domain */ rose.migrateTo(vn1); /* communication inside the same domain */ rose.sayHelloTo(daliah); /* other virtual node, forbidden */ rose.migrateTo(vn2); /* next VN1 Node, other domain */ rose.migrateTo(vn1); /* communication with another domain */ rose.sayHelloTo(daliah);

43 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire43 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Method call : - other VN - other domain Rose JVM

44 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire44 Conclusion ProActive Security Features Authentication of users and applications Authentication, integrity and confidentiality of communications Security model for mobile applications Dynamically negotiated policies, non-functional security Logical security representation : security is easily adaptable to the deployment Perspectives: Group communication, OGSA Security: Open Grid Services Architecture, Hardware mobility : PDAs

45 26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire45 Questions ?

Download ppt "26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire1 Security Architecture for GRID Applications Séminaire Croisé Sécurité Informatique Ubiquitaire."

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Mobile Agents Mouse House Creative Technologies Mike OBrien.

Mobile Agents Mouse House Creative Technologies Mike OBrien.
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
The road to reliable, autonomous distributed systems

The road to reliable, autonomous distributed systems
Denis Caromel, Arnaud Contes www.inria.fr/oasis/ProActive OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis 1. Introduction to the GRID.

Denis Caromel, Arnaud Contes OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis 1. Introduction to the GRID.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
1 Ludovic Henrio Paris, 2006-06-08 An Open Source Middleware for the Grid Programming Wrapping Composing Deploying.

1 Ludovic Henrio Paris, An Open Source Middleware for the Grid Programming Wrapping Composing Deploying.
Distributed Heterogeneous Data Warehouse For Grid Analysis

Distributed Heterogeneous Data Warehouse For Grid Analysis
6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.

6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
.NET Mobile Application Development Introduction to Mobile and Distributed Applications.

.NET Mobile Application Development Introduction to Mobile and Distributed Applications.
Chapter 4.1 Interprocess Communication And Coordination By Shruti Poundarik.

Chapter 4.1 Interprocess Communication And Coordination By Shruti Poundarik.
1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.

1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

Similar presentations

Ads by Google