1
Grid Security
Steve Tuecke, Argonne National Laboratory
2
Overview
- The Grid Concept
- Community Authorization
- Implementation Approach
3
The Grid Concept
4
Grid Computing
- Enable communities ("virtual organizations") to share geographically distributed resources as they pursue common goals, in the absence of central control, omniscience, or trust relationships
- Via investigations of
  - New applications that become possible when resources can be shared in a coordinated way
  - Protocols, algorithms, persistent infrastructure to facilitate sharing
5
The Grid: The Web on Steroids
[Diagram] Web: uniform access to HTML documents. Grid: flexible, high-performance access to all significant resources (sensor nets, data archives, computers, software catalogs, colleagues), enabling on-demand creation of powerful virtual computing systems.
6
Grid Communities and Applications: NSF National Technology Grid
7
Grid Communities & Applications: Online Instrumentation
[Diagram] DOE X-ray grand challenge (ANL, USC/ISI, NIST, U.Chicago): real-time collection at the Advanced Photon Source, tomographic reconstruction, archival storage, wide-area dissemination, and desktop & VR clients with shared controls.
8
Grid Communities and Applications: Mathematicians Solve NUG30
- Community = an informal collaboration of mathematicians and computer scientists
- Condor-G delivers 3.46E8 CPU seconds in 7 days (peak 1009 processors) in the U.S. and Italy (8 sites)
- Solves the NUG30 quadratic assignment problem; solution permutation: 14,5,28,24,1,3,16,15,10,9,21,2,4,29,25,22,13,26,17,30,6,20,19,8,18,7,27,12,11,23
MetaNEOS: Argonne, Iowa, Northwestern, Wisconsin
9
Grid Communities and Applications: Network for Earthquake Eng. Simulation
- NEESgrid: national infrastructure to couple earthquake engineers with experimental facilities, databases, computers, & each other
- On-demand access to experiments, data streams, computing, archives, collaboration
NEESgrid: Argonne, Michigan, NCSA, UIUC, USC
10
Grid Communities & Applications: Data Grids for High Energy Physics
[Diagram; image courtesy Harvey Newman, Caltech] Tiered data distribution: Tier 0 (CERN Computer Centre: Online System, Offline Processor Farm ~20 TIPS, physics data cache), Tier 1 regional centres (FermiLab ~4 TIPS; France, Italy, Germany), Tier 2 centres (~1 TIPS each, e.g. Caltech), institutes (~0.25 TIPS), and Tier 4 physicist workstations. Link labels: ~100 MBytes/sec, ~622 Mbits/sec (or Air Freight, deprecated), ~1 MBytes/sec, ~PBytes/sec. 1 TIPS is approximately 25,000 SpecInt95 equivalents.
- There is a "bunch crossing" every 25 nsecs. There are 100 "triggers" per second. Each triggered event is ~1 MByte in size.
- Physicists work on analysis "channels". Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server.
11
Grid Communities and Applications: Home Computers Evaluate AIDS Drugs
- Community =
  - 1000s of home computer users
  - Philanthropic computing vendor (Entropia)
  - Research group (Scripps)
- Common goal = advance AIDS research
12
Broader Context
- "Grid Computing" has much in common with major industrial thrusts
  - Business-to-business, Peer-to-peer, Application Service Providers, Internet Computing, ...
- Distinguished primarily by more sophisticated sharing modalities
  - E.g., "run program X at site Y subject to community policy P, providing access to data at Z according to policy Q"
- Secondarily by unique demands of advanced & high-performance systems
13
The Globus Project
- Started in 1995 (I-WAY software)
- Globus R&D
  - Definition of Grid architecture
  - Grid protocols, services, APIs
    - Security, resource mgmt, data access, information, communication, etc.
  - Development of Globus Toolkit
    - Large user base among tool developers & in production Grids
    - Open source
- Numerous application projects
- Outreach & leadership
14
More Details
- www.globus.org
- "The Anatomy of the Grid: Enabling Scalable Virtual Organizations"
  - Foster, Kesselman, Tuecke
  - www.globus.org/research/papers/anatomy.pdf
15
Community Authorization
16
Community Properties
- 100s of resource providers, 1000s of users
  - N users from many institutions, worldwide
  - M independent resource providers which contribute resources to one or more communities
  - How to avoid N x M trust relationships?
- Resource providers grant/sell to communities
  - Grant bulk access to community
  - Community representative handles fine-grained authorization and prioritization within bulk grants
- Users may combine community resources with own resources to solve problems
- Various services carrying out requests of users
17
Capability Based Solution
- A community service & administrator, which:
  - Maintains user membership to the community.
  - Maintains resource service agreements to community.
  - Maintains access control database, granting users access to (part of) resources, based on community policies and priorities.
    - May employ groups, roles, etc.
  - Issues capabilities to community members (users) to grant them access to resources.
    - User presents capability directly to resource to claim service.
- AAAArch "push" model
18
Community Authorization (1)
[Diagram] Users 1..N, a Community Authorization Service, and resources at Sites A, B, ..., M.
1: User obtains capability for service from the Community Authorization Service
2: User requests service from the resource
19
Community Authorization (2)
[Diagram] As in (1), with a Request Manager acting for User 2.
1: User 2 delegates a user proxy to the Request Manager
2: Request Manager obtains capability for services from the Community Authorization Service, on behalf of User 2
3: Request Manager requests services from the resources
20
Community Authorization (3)
[Diagram] As in (2), with a Request Planner and a Task Manager.
1: User 2 delegates a user proxy to the Request Planner
2: Request Planner obtains capabilities for services from the Community Authorization Service, on behalf of User 2
3: Request Planner delegates capabilities to the Task Manager
4: Task Manager requests services from the resources
21
Implementation Approach
22
Grid Security Infrastructure (GSI)
- Authentication and message protection
- Extensions to existing standard protocols & APIs
  - Standards: SSL/TLS, X.509, GSS-API
  - Extensions for single sign-on and delegation
    - Internet X.509 PKI Impersonation Proxy Certificate Profile
    - TLS Delegation Protocol
- Globus Toolkit reference implementation of GSI
  - OpenSSL + GSS-API + delegation
  - Tools and services to interface to local security
    - Simple ACLs; SSLK5 & PKINIT for access to K5, AFS, etc.
  - Tools for credential management
    - Login, logout, cert request, smartcards, cred repository, etc.
23
X.509 Proxy Certificate Overview
- To support single sign-on and delegation
- A Proxy Certificate (PC) is signed by an End Entity Certificate (EEC) or by another Proxy Certificate
  - We are NOT using an EEC as if it were a CA
    - A CA performs two functions: 1) assigns a name (or identity), and 2) binds that name to a key.
    - A PC only does #2: it binds the name to a proxy key.
  - A PC inherits its name from its signing EEC
    - The subject name is used for two purposes: 1) path discovery & validation, and 2) to hold the assigned name.
    - In a PC, the subject is used only for #1, path discovery
- The "TLS Delegation Protocol" draft defines how to create a remote Proxy Certificate
24
Features Of This Approach
- Ease of integration
  - Requires only a small change to path validation
    - SSL/TLS requires no protocol change to use PC
  - Authorization based on identity still works
- Ease of use
  - Enables single sign-on & credential repositories
- Protection of EEC private key
  - Single sign-on & delegation w/o sharing EEC keys
- Limits consequences of a compromised key
  - Can restrict PC (e.g. lifetime, uses, etc.)
  - Compromised PC does not compromise EEC
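The "small change to path validation" from the two slides above, as an added example rather than Globus Toolkit code. Certificates are plain Python records, the per-link signature check that SSL/TLS performs is assumed to have already passed, and all names, dates and the restriction policy are constructed. The validator applies only the proxy-specific rules: a PC is issued by the EEC or by a preceding PC (never by a CA), its subject is the signer's DN plus exactly one CN component so that the identity stays the EEC's, its validity lies inside its signer's, and a restriction policy can only narrow along the chain. It rejects a proxy that tries to outlive its signer and an EEC that "acts as a CA" by issuing a certificate with a brand-new name.

```python
"""Proxy-certificate path validation, modelled in plain Python.

Added example, not Globus Toolkit code.  Certificates are plain records and
the per-link signature check (done by SSL/TLS) is assumed to have passed, so
only the proxy-specific rules are shown.  Names, dates and policies are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: tuple                        # DN as ordered RDNs, e.g. ("O=Grid", "CN=Alice")
    issuer: tuple
    not_before: datetime
    not_after: datetime
    is_ca: bool = False
    policy: Optional[frozenset] = None    # restricted proxy: allowed (action, target); None = unrestricted


class PathError(ValueError):
    """Raised when the chain fails validation; the message names the violated rule."""


def validate_chain(chain, trust_anchors, now):
    """chain = [CA, EEC, PC1, PC2, ...]. Returns (effective identity, effective policy)."""
    if len(chain) < 2 or chain[0] not in trust_anchors:
        raise PathError("chain does not start at a trusted CA")
    ca, eec, proxies = chain[0], chain[1], chain[2:]
    if not ca.is_ca or eec.issuer != ca.subject or eec.is_ca:
        raise PathError("EEC must be issued by the trust anchor and must not be a CA")
    for c in chain:
        if not (c.not_before <= now <= c.not_after):
            raise PathError(f"certificate {c.subject[-1]} is outside its validity period")
    policy = None                          # unrestricted until some PC narrows it
    signer = eec
    for pc in proxies:
        if pc.is_ca or pc.issuer != signer.subject:
            raise PathError("proxy must be issued by the preceding EEC or proxy and must not be a CA")
        # Name inheritance: the PC does not assign a new name.  Its subject is the
        # signer's DN plus one CN component, so the identity is still the EEC's.
        if pc.subject[:-1] != pc.issuer or not pc.subject[-1].startswith("CN="):
            raise PathError(f"bad proxy subject {pc.subject}")
        # A proxy may not outlive the certificate that signed it.
        if pc.not_before < signer.not_before or pc.not_after > signer.not_after:
            raise PathError("proxy validity exceeds signer validity")
        # Restrictions only narrow: a PC cannot grant more than its signer had.
        if pc.policy is not None:
            policy = pc.policy if policy is None else policy & pc.policy
        signer = pc
    return eec.subject, policy


# Constructed certificates (no real keys or signatures).
T0 = datetime(2001, 6, 1)
NOW = T0 + timedelta(hours=1)
LATER = T0 + timedelta(hours=3)            # PC2 below has expired by then
CA = Cert(("O=Grid", "CN=Grid CA"), ("O=Grid", "CN=Grid CA"), T0, T0 + timedelta(days=3650), is_ca=True)
ALICE = Cert(("O=Grid", "CN=Alice"), CA.subject, T0, T0 + timedelta(days=365))
# Single sign-on proxy: 12-hour lifetime, unrestricted.
PC1 = Cert(ALICE.subject + ("CN=proxy",), ALICE.subject, T0, T0 + timedelta(hours=12))
# Delegated, restricted proxy: 2 hours, may only start a process on X and read Y.
PC2 = Cert(PC1.subject + ("CN=proxy",), PC1.subject, T0, T0 + timedelta(hours=2),
           policy=frozenset({("start_process", "resourceX"), ("read", "fileY")}))
TRUST = frozenset({CA})
# Two chains that must be rejected: a proxy that outlives its signer, and an
# EEC "acting as a CA" by issuing a certificate with a brand-new name.
BAD_LIFETIME = Cert(PC1.subject + ("CN=proxy",), PC1.subject, T0, T0 + timedelta(days=2))
RENAMED = Cert(("O=Grid", "CN=Bob"), ALICE.subject, T0, T0 + timedelta(hours=1))


def rejection_reason(chain, now=NOW):
    """Return the PathError message for a bad chain, or None if it validates."""
    try:
        validate_chain(chain, TRUST, now)
    except PathError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(validate_chain([CA, ALICE, PC1, PC2], TRUST, NOW))
    for chain, when in (([CA, ALICE, PC1, BAD_LIFETIME], NOW), ([CA, ALICE, RENAMED], NOW),
                        ([CA, ALICE, PC1, PC2], LATER)):
        print(rejection_reason(chain, when))
```

The returned identity for the four-certificate chain is Alice's EEC subject, not either proxy's subject, which is what lets identity-based authorization at the resource keep working unchanged; the effective policy is whatever the most restrictive proxy in the chain carried.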
25
Implementation Status
- Globus Toolkit's Grid Security Infrastructure (GSI) has used a similar approach for ~4 years
  - GSI = GSS-API + X.509 + PC + SSL + delegation
  - Integrated into numerous "Grid" tools (C & Java)
    - Globus Toolkit, Condor, SRB, MPI, ssh/SecureCRT, FTP, etc.
  - Adopted by 100s of sites, 1000s of users
    - NCSA, NPACI, NASA IPG, DOE Science Grid, European Datagrid, GriPhyN (Physics Grids), NEESgrid (Earthquake Engineering Grid)
- Global Grid Forum & IETF effort to move GSI forward through cleanup, better integration with standards, technical specifications, etc.
  - http://www.gridforum.org/security/gsi
26
Capabilities
- By extending a Proxy Certificate to hold a restriction policy, one can build a form of capability
  - Currently, holding a user's proxy credential lets the holder impersonate the user and access any resource available to the user
  - But the proxy credential can be extended to contain a restriction policy
    - E.g. "Holder of this proxy can only start a process on resource X, and read user's file Y."
27
Community Authorization Service
- CAS has its own identity certificate
  - It is this CAS identity that is known to resources
- User authenticates to CAS using the user's identity certificate (or a proxy of the identity certificate)
- User requests access to a community resource(s)
- CAS delegates back to the user a restricted proxy credential derived from the CAS identity credential
- User authenticates to the resource using this CAS identity
28
Resource Checking of Capability
- Authentication from client is with the CAS identity
  - Resource sees the "community" identity
  - Though an X.509 extension in the capability may include the user's identity, etc. for audit purposes
- Resource maps CAS identity to local account and privileges
  - E.g. a Unix account, with a given file system quota
  - Different communities map to different accounts
- For each request, the resource evaluates the request against the policy contained in the CAS restricted proxy certificate that was used to authenticate.
29
Accounting
- CAS inserts a GUID into the capability, which is used for:
  - Accounting: resources can log consumption using this GUID. CAS can recombine it with its log of issued capabilities to reconstruct full accounting info.
    - Requires a protocol for propagation of accounting info
  - Usage enforcement: the restriction policy in a capability may include usage constraints. The resource can track and enforce such constraints using the GUID, including across multiple requests using the same capability.
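The CAS issuance, resource-side check and GUID accounting from the last three slides, as an added example that is not CAS or Globus code. The capability is a plain record standing in for the CAS restricted proxy, and its signature is assumed to have been verified by GSI/TLS before `handle` is called. The resource authenticates only the community identity and maps it to one local account; the user's name is carried for audit but never consulted for access control. The resource names resourceX and fileY follow the wording of the Capabilities slide; the community, users, account name and CPU-second limits are constructed.

```python
"""Community Authorization Service (CAS) flow, modelled in plain Python.

Added example, not CAS or Globus code.  CAS issues a restricted proxy (here a
Capability record) carrying a restriction policy and a GUID; the resource
authenticates the community identity, maps it to a local account and checks
each request against the policy and a usage constraint keyed by GUID; CAS
later joins the resource's consumption log with its own log of issued
capabilities to attribute usage to users.  Signature verification is assumed
done by GSI/TLS; all names and limits are constructed.
"""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    cas_identity: str        # what the resource authenticates: the community, not the user
    user: str                # carried in an extension for audit only; not used for access control
    guid: str                # links resource logs back to the CAS issued-capability log
    allowed: frozenset       # restriction policy: permitted (action, target) pairs
    max_cpu_seconds: int     # usage constraint, enforced per GUID across requests


class CAS:
    def __init__(self, community, members):
        self.identity = f"/O=Grid/CN={community} CAS"
        self.members = members      # user -> set of (action, target) the community policy grants
        self.issued = {}            # guid -> user: the log needed to recombine accounting

    def issue(self, user, requested, max_cpu_seconds):
        """Return a restricted proxy granting the intersection of the request and community policy."""
        if user not in self.members:
            raise PermissionError(f"{user} is not a member of this community")
        allowed = frozenset(requested) & self.members[user]
        if not allowed:
            raise PermissionError(f"community policy grants {user} none of {sorted(requested)}")
        guid = str(uuid.uuid4())
        self.issued[guid] = user
        return Capability(self.identity, user, guid, allowed, max_cpu_seconds)

    def account(self, consumption_log):
        """Join (guid, cpu_seconds) records from resources with the issued log into per-user totals."""
        usage = {}
        for guid, cpu in consumption_log:
            user = self.issued.get(guid, "<capability not issued by this CAS>")
            usage[user] = usage.get(user, 0) + cpu
        return usage


class Resource:
    def __init__(self, account_map):
        self.account_map = account_map   # CAS identity -> local Unix account (one per community)
        self.consumed = {}               # guid -> cpu seconds used so far
        self.log = []                    # (guid, cpu_seconds) records shipped to CAS for accounting

    def handle(self, cap, action, target, cpu_seconds):
        """Authorize one request. Returns (granted, local account or denial reason)."""
        account = self.account_map.get(cap.cas_identity)
        if account is None:
            return False, "unknown community identity"
        if (action, target) not in cap.allowed:
            return False, "denied by restriction policy"
        used = self.consumed.get(cap.guid, 0)
        if used + cpu_seconds > cap.max_cpu_seconds:
            return False, "usage constraint exceeded"
        self.consumed[cap.guid] = used + cpu_seconds
        self.log.append((cap.guid, cpu_seconds))
        return True, account


def run_scenario():
    """Constructed end-to-end run: two users, one community, one resource."""
    cas = CAS("physics", {"alice": {("start_process", "resourceX"), ("read", "fileY")},
                          "bob": {("read", "fileY")}})
    resource = Resource({cas.identity: "physgrid"})
    # Alice asks for more than policy allows; "write" is dropped from the capability.
    cap_a = cas.issue("alice", [("start_process", "resourceX"), ("read", "fileY"), ("write", "fileY")], 100)
    cap_b = cas.issue("bob", [("read", "fileY")], 50)
    decisions = [
        resource.handle(cap_a, "start_process", "resourceX", 60),   # granted, runs as local account physgrid
        resource.handle(cap_a, "start_process", "resourceX", 60),   # 120 s > 100 s across requests on one GUID
        resource.handle(cap_a, "write", "fileY", 1),                # never granted by CAS
        resource.handle(cap_b, "read", "fileY", 10),
    ]
    return decisions, cas.account(resource.log)


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Note the division of labour the slides describe: the resource's log contains only GUIDs and consumption, so it never needs a per-user account or ACL, while CAS alone can turn that log back into "alice used 60 CPU seconds, bob used 10" by joining on its issued-capability record.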