Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Secure Distributed Objects for Grid Applications Laurent Baduel, Arnaud Contes, Denis Caromel OASIS team ProActive

Published byLillian Cummings Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Secure Distributed Objects for Grid Applications Laurent Baduel, Arnaud Contes, Denis Caromel OASIS team ProActive"— Presentation transcript:

1 1 Secure Distributed Objects for Grid Applications Laurent Baduel, Arnaud Contes, Denis Caromel OASIS team http://www.inria.fr/oasis ProActive http://proactive.objectweb.org

2 2 2 Outline  Context ProActive overview Abstract Deployment model  Security Model Security Entities Security Policies Example  Conclusion

3 3 3 The ProActive Middleware A Java API + Tools for Parallel & Distributed Computing  A uniform framework : Active Object (AO) pattern one thread, owns passive objects, remotely accessible  Programming model : groups, mobility, components, security  A formal model Determinism, Insensitivity to deployment

4 4 4 Deployment Model  Virtual Nodes : Identified as a string name, used in program source, configured (mapped) in an XML descriptor file  2 distinct steps : Development Source Code Deployment XML Descriptor Active Objets  VN VN  Runtimes (JVMs)  Hosts

5 5 5 A ProActive Application Virtual Node 1 Virtual Node 2 Virtual Node 3 Active objectPassive object

6 6 6 Multiple Deployment Issues One Host ClusterGrid Different Deployments  Different Security Policies

7 7 7 Issues & Goals  Authentication of Computers, Users, and Applications  Creation, connection to, and monitoring of activities  Authentication, Integrity and Confidentiality (AIC) of communications  Several levels of security policies: users, resource providers, administrators Main objective : Facilitate the use and the management of security features by removing them from the source code

8 8 8 Outline  Context ProActive overview Abstract Deployment model  Security Model Security Entities Security Policies Example  Conclusion

9 9 9 Security Entity Model  Generic definition, composed of a security manager and a protected object  Subject of security policies  Transparent for the protected object (meta object protocol)  No supposition on the protected object (runtimes, nodes, active objects, …)  Hierarchical structure

10 10 Security Manager: Entity ID Security Policies Session Manager Negotiation protocol Security Manager: Entity ID Security Policies Session Manager Normal communications Secured communications Security Entities Protected Object

11 11 Application Authentication User certificate Application certificate Certificate chain certificates for active objects, nodes SPKI : Certificate chain No Certificate Authority

12 12 Hierarchical Security Policies DnDn Accept Deny Runtime Accept Deny D0D0 VN Accept Deny AO Accept Deny Final Security policy Administrator policy Application-level policy Security policy is defined according all matching rules from: Domains / Runtime Virtual Node Active Object Resource provider policy

13 13 Security Rule  Interactions: JVMCreation NodeCreation CodeLoading ObjectCreation ObjectMigration Request Reply Listing  Entities: Domain User Virtual Node Object Entities -> Entities : Interactions # Security Attributes  Attributes: Authentication Integrity Confidentiality  Each attribute can be: Allowed Optional Disallowed

14 14 Descriptor Security Model  A key principle: Specify security policies in the XML deployment, NOT IN SOURCE CODE !  In program source: Virtual Node (VN, a string name)  In XML descriptors: List of policy rules between virtual nodes, runtimes, domains, …

15 15 Security Example  2 domains GridA & GridB with security policies Domain [GridA] -> Domain [GridB] : Q,P,M # [+A,+I,+C] Domain [GridB] -> Domain [GridA] : Q,P,M # [+A,+I,+C]  Application : 2 Virtual Nodes (vn1,vn2) 2 Active objects

16 16 Descriptor with Security VirtualNodes: vn1, vn2 SECURITY: VN [vn1] -> VN [vn2] : Q,P # [?A,?I,?C] VN [vn1] -> VN [vn2] : M # Forbidden VN [vn2] -> VN [vn1] : Q,P # [?A,?I,?C] VN [vn2] -> VN [vn1] : M # Forbidden Domain [GridA] -> Domain [GridB] : Q,P,M # [+A,+I,+C] Domain [GridB] -> Domain [GridA] : Q,P,M # [+A,+I,+C] Mapping: vn1 --> GridAComputers, GridBComputers vn2 --> GridAComputers JVMs: /…/

17 17 Example: std. code, no security /…/ proActiveDescriptor.activateMappings(); vn1 = proActiveDescriptor.getVirtualNode("vn1"); vn2 = proActiveDescriptor.getVirtualNode("vn2"); /…/ Flower rose = (Flower) ProActive.newActive(Flower.class,new Object[]{« Rose »}, vn1.getNode()}; Flower daliah = (Flower) ProActive.newActive(Flower.class,new Object[]{« Daliah »}, vn2.getNode()}; /* next VN1 node inside the same domain */ rose.migrateTo(vn1); /* communication inside the same domain */ rose.sayHelloTo(daliah); /* next VN1 Node, other domain */ rose.migrateTo(vn1); /* communication with another domain */ rose.sayHelloTo(daliah); /* other virtual node, forbidden */ rose.migrateTo(vn2);

18 18 Example Domain GridADomain GridB VN1 VN2 Policy rules database Runtime

19 19 Example Domain GridADomain GridB VN1 VN2 Policy rules database Runtime

20 20 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Runtime

21 21 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Runtime Can I migrate to the next VN1 node ?

22 22 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Runtime 1 - Retrieve VN policy 2 - migration allowed Rose

23 23 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Runtime

24 24 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Runtime Negotiated Policy: Rose -> Daliah : [?A,?I,?C] Perform a method call Rose -> Daliah : [?A,?I,?C] Receive a method call : Daliah -> Rose : [?A,?I,?C]

25 25 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - same domain Runtime

26 26 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - other domain Runtime Can I migrate to the next VN1 node on GridB domain?

27 27 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Migration : - same VN - other domain Rose Runtime 1- VN1 policy -> none 2- GridA -> GridB : [+A,+I,+C] 3- migration with [+A,+I,+C]

28 28 Example Domain GridADomain GridB Rose Daliah VN1 VN2 Policy rules database Migration : - same VN - other domain Runtime

29 29 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Method call : - other VN - other domain From Rose --> Daliah Rose Runtime Negotiated Policy: Rose -> Daliah : [+A,+I,+C] Perform a method call Rose -> Daliah : [+A,+I,+C] Receive a method call : Daliah -> Rose : [+A,+I,+C]

30 30 Example Domain GridADomain GridB Daliah VN1 VN2 Policy rules database Migration : - other VN From Rose --> Daliah Rose Runtime Migration to VN2 ? VN1 -> VN2 : [-M] NO !

31 31 Conclusion  Transparent to application  Take care of a hierarchy of security policies  Security can be adapted to application deployment

32 32 Thank you for your time Questions ?

33 33 Security Context Propagation  Grid Applications are dynamic Acquire resources Create new entities on allocated resources  Automatic security context propagation to maintain application security context

34 34 Hierarchical Domains  A logical way to group entities that have the same security needs.  Domains are Security Entities : are hierarchical enforce policies to contained security entities

Download ppt "1 Secure Distributed Objects for Grid Applications Laurent Baduel, Arnaud Contes, Denis Caromel OASIS team ProActive"

Similar presentations

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire1 Security Architecture for GRID Applications Séminaire Croisé Sécurité Informatique Ubiquitaire.

26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire1 Security Architecture for GRID Applications Séminaire Croisé Sécurité Informatique Ubiquitaire.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.

Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
Denis Caromel, Arnaud Contes www.inria.fr/oasis/ProActive OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis 1. Introduction to the GRID.

Denis Caromel, Arnaud Contes OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis 1. Introduction to the GRID.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Scheduling ProActive Applications using Gridbus Broker Xingchen Chu, Srikumar Venugopal and Rajkumar Buyya Grid Computing and Distributed Systems (GRIDS)

Scheduling ProActive Applications using Gridbus Broker Xingchen Chu, Srikumar Venugopal and Rajkumar Buyya Grid Computing and Distributed Systems (GRIDS)
Grids and Grid Technologies for Wide-Area Distributed Computing Mark Baker, Rajkumar Buyya and Domenico Laforenza.

Grids and Grid Technologies for Wide-Area Distributed Computing Mark Baker, Rajkumar Buyya and Domenico Laforenza.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.

Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Understanding Active Directory

Understanding Active Directory
Chapter 11: Dial-Up Connectivity in Remote Access Designs

Chapter 11: Dial-Up Connectivity in Remote Access Designs
QoS-enabled middleware by Saltanat Mashirova. Distributed applications Distributed applications have distinctly different characteristics than conventional.

QoS-enabled middleware by Saltanat Mashirova. Distributed applications Distributed applications have distinctly different characteristics than conventional.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

Similar presentations

Ads by Google