Presentation is loading. Please wait.

Presentation is loading. Please wait.

Genesis II “Open Source, OGSA Implementation” Genesis II: From Specification to Implementation Andrew Grimshaw, Mark Morgan Global Bio Grid Team University.

Published byBlaze Evans Modified over 9 years ago

Similar presentations

Presentation on theme: "Genesis II “Open Source, OGSA Implementation” Genesis II: From Specification to Implementation Andrew Grimshaw, Mark Morgan Global Bio Grid Team University."— Presentation transcript:

1 Genesis II “Open Source, OGSA Implementation” Genesis II: From Specification to Implementation Andrew Grimshaw, Mark Morgan Global Bio Grid Team University of Virginia “Open Source, OGSA Implementation”

2 Genesis II “Open Source, OGSA Implementation” Responsible Parties Andrew Grimshaw Mark Morgan John Karpovich Duane Merrill

3 Genesis II “Open Source, OGSA Implementation” Outline Background Genesis II Demo Next Steps

4 Genesis II “Open Source, OGSA Implementation” Background Specifications cannot exist in vacuum –Implementations Vet Specifications –Implementation experience shows how spec’s interact Grids have been around for a while, but adoption remains low – why? –Usability –Gap between grid designers and grid users

5 Genesis II “Open Source, OGSA Implementation” Genesis II Goals Provide an open source, reference implementation of the OGSA and OGSA-related specifications Use standards and proto-standards available from the OGF and OGSA to –Provide a secure, cohesive system in a production system available to users today! –Provide feedback into the OGF process on various standards based on implementation experience –Design the system from the ground up with the overriding mantra that users come first!

6 Genesis II “Open Source, OGSA Implementation” Standards Represented in Genesis II WSDL SOAP WS-Addressing WS-Security XACML SAML Shibboleth OGF OGSA WS-Naming BES ByteIO RNS JSDL

7 Genesis II “Open Source, OGSA Implementation” User’s First A large percentage of a grid’s target audience is unable or unwilling to learn new interaction abstractions Instead of asking the user to adapt to the grid, we should adapt the grid to the user

8 Genesis II “Open Source, OGSA Implementation” User Abstractions One of the most ubiquitous user interaction abstractions is the file system –Drag-and-drop –Double Click –/proc filesystem –Named pipes RNS, ByteIO, and WS-Naming provide the foundation for building these abstractions

9 Genesis II “Open Source, OGSA Implementation” Thought Games What would it mean to browse a grid “directory” structure? What if you double-clicked on a ByteIO resource in it? What if you double-clicked on a grid resource representing a database query? What about dragging a JSDL document onto a BES container? A scheduler? What about “browsing” into a BES container?

10 Genesis II “Open Source, OGSA Implementation” Thought Games Many different answers are possible All represent semantics on top of familiar user abstractions which bring the grid closer to the end-user. Is this proliferation of different answers a problem? –Maybe common abstractions are needed, maybe it should be configurable. –This question needs to be answered, but first we have to get it to work

11 Genesis II “Open Source, OGSA Implementation” Outline Background Genesis II Demo Next Steps

12 Genesis II “Open Source, OGSA Implementation” Genesis II Standards based, production level grid system Designed with the primary goal of putting users first Provides data grid and compute grid technology using secure infrastructure

13 Genesis II “Open Source, OGSA Implementation” Genesis II Specifications Written in Java 1.5.x using Jetty 5, Axis 1.4, and WSS4J Pluggable security infrastructure currently supporting both Username/Password profile, and GAML (Genesis II SAML implementation) Currently tested on Windows XP and Linux

14 Genesis II “Open Source, OGSA Implementation” Genesis II Every service/resource in Genesis II may implement RNS and/or ByteIO (and most do)

15 Genesis II “Open Source, OGSA Implementation” UNIX-like command line interface

16 Genesis II “Open Source, OGSA Implementation” UNIX-like command line interface

17 Genesis II “Open Source, OGSA Implementation” Other Filesystem Aware Interfaces

18 Genesis II “Open Source, OGSA Implementation” Interesting Combinations of RNS, ByteIO, and others

19 Genesis II “Open Source, OGSA Implementation” Using RNS to name non- filesystem components

20 Genesis II “Open Source, OGSA Implementation” Using RNS to name non- filesystem components

21 Genesis II “Open Source, OGSA Implementation” Genesis II’s BES implements RNS too!

22 Genesis II “Open Source, OGSA Implementation” Genesis II’s BES even implements ByteIO!

23 Genesis II “Open Source, OGSA Implementation” Genesis II’s BES even implements ByteIO!

24 Genesis II “Open Source, OGSA Implementation” Export Directory

25 Genesis II “Open Source, OGSA Implementation” WS-Naming and Genesis II Extensive use of Endpoint Identifiers Simple Resolvers Future Work –Security Modifications –Fault Tolerance –Performance –Etc.

26 Genesis II “Open Source, OGSA Implementation” Security Design Goals Per-resource configurable information security: –Authentication (strong resource identity) –Confidentiality (encryption) –Integrity (digital signatures) –Authorization (pluggable schemes) Standards-based: –Follow OGSA AuthN & AuthZ models as they develop OGSA Basic Security Profile for placing keys in EPRs –Leverage standard profiles, specifically WS-Security token profiles: Username/Password, X.509, SAML

27 Genesis II “Open Source, OGSA Implementation” Resource Identity and Authentication Cryptographic identity for individual resources: X.509 digital certificates –Public-key cryptography for AuthN of resources to clients –Leverage existing trust hierarchies and relationships –WS-Naming EPIs incorporated into certificates –Proper security under migration, replication –Digital certificate distribution via EPRs: certificate- chains embedded as non-critical EPR metadata

28 Genesis II “Open Source, OGSA Implementation” Separating AuthN, AuthZ, and Message-level Security Concerns Hard to do –AuthN, AuthZ, and message security can leverage common cryptographic mechanisms (e.g., signing) No systematic mutual-AuthN: –Resources are authenticated to clients via X.509 certificates –Clients are not authenticated per-se Ensuring client identity treated as AuthZ decision of credentials Credentials may be arbitrary SAML assertions, Username-token, X.509 identity, etc. –Doesn’t preclude client-privacy, anonymity, delegation –For message integrity/confidentiality, the caller can generate an anonymous keypair In fact, SAML assertions may be delegated to this transient keypair Both client and resource may separately specify message-level security requirements: –E.g., client has policy that interactions with certain resources must be encrypted –E.g., resource requires encrypted access Resource message security requirements hinted within EPR metadata

29 Genesis II “Open Source, OGSA Implementation” Authorization WS SOA paradigm: interface specification & implementation transparency: –How AuthZ policy is enforced is up to the implementer e.g., engines for XACML, SecPAL, etc. –The credentials they leverage (and protocols for obtaining them), however, need to be profiled SAML credentials –Powerful enough to represent any security credential scheme –Attribute Authorities (AAs) federate existing subject identity e.g., LDAP, NIS, X.509, etc. Support SAML Authentication Request profile Optional support for Assertion Query and Request profile for Shibboleth-like anonymity –Credentials are signed, “holder-of-key” SAML attribute assertions e.g., identity, roles, capabilities, etc. –Credentials may be delegated –Limited lifetimes and # of delegations Also support WS-S Username-token and X.509 credentials

30 Genesis II “Open Source, OGSA Implementation” Authentication Con’t

31 Genesis II “Open Source, OGSA Implementation” Genesis II EPRs Example EPR

32 Genesis II “Open Source, OGSA Implementation” Genesis II Status http://vcgr.cs.virginia.edu/genesisII

33 Genesis II “Open Source, OGSA Implementation” Outline Background Genesis II Demo Next Steps

34 Genesis II “Open Source, OGSA Implementation” Demo Participants University of Virginia University of Linz Imperial College London Texas Tech. University

35 Genesis II “Open Source, OGSA Implementation” Outline Background Genesis II Demo Next Steps

36 Genesis II “Open Source, OGSA Implementation” Next Steps Further integration of RNS/ByteIO into various grid components –Schedulers –Resolvers More sophisticated WS-Naming resolvers –Migration –QoS –Security

37 Genesis II “Open Source, OGSA Implementation” Next Steps (cont.) BES Queue Implementation More advanced schedulers Application Deployment and Configuration Workflows Native FS drivers

38 Genesis II “Open Source, OGSA Implementation” Next Steps (command line shell) Command line shell Tighter user integration –Familiar tools like tab completion and environment variables –Access to both local and remote resources seamlessly (through “mount” like configurations) Automatic generation of JSDL documents and BES control mechanisms

39 Genesis II “Open Source, OGSA Implementation” Next Steps (GALE) Grid Aware Legacy Environment (GALE) –Realization that part of a user’s first philosophy includes supporting the users’ applications –Allows legacy applications to use the grid without re-targeting, re-compiling, or re- implementation –Tightly bound with the command line shell mentioned before

40 Genesis II “Open Source, OGSA Implementation” Genesis II Take-away messages Sufficient body of standards exist with which to build interesting, useful grid systems Alpha Release available under Apache 2 licenses Very active project! Information and Download Page –http://vcgr.cs.virginia.edu/genesisIIhttp://vcgr.cs.virginia.edu/genesisII Forum –http://www.cs.virginia.edu/forums/viewforum.php?f=26http://www.cs.virginia.edu/forums/viewforum.php?f=26

Download ppt "Genesis II “Open Source, OGSA Implementation” Genesis II: From Specification to Implementation Andrew Grimshaw, Mark Morgan Global Bio Grid Team University."

Similar presentations

LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (http://lead.ou.edu)

LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (
Genesis II Open Source, OGSA Implementation Genesis II: Mapping Grids into the Local File System: Access, RNS, and ByteIO Andrew Grimshaw Genesis II Team.

Genesis II Open Source, OGSA Implementation Genesis II: Mapping Grids into the Local File System: Access, RNS, and ByteIO Andrew Grimshaw Genesis II Team.
Genesis II Open Source, OGSA Implementation Genesis II: Easy-to-use, Standards Based Grid Middleware Andrew Grimshaw Genesis II Team University of Virginia.

Genesis II Open Source, OGSA Implementation Genesis II: Easy-to-use, Standards Based Grid Middleware Andrew Grimshaw Genesis II Team University of Virginia.
OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
VO Support and directions in OMII-UK Steven Newhouse, Director.

VO Support and directions in OMII-UK Steven Newhouse, Director.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
© 2008 Open Grid Forum Grid Standards Realizing Basic Grid Use Cases Using Existing Standards and Profiles.

© 2008 Open Grid Forum Grid Standards Realizing Basic Grid Use Cases Using Existing Standards and Profiles.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
A PERMIS-based Authorization Solution between Portlets and Back-end Web Services Hao Yin 1, Sofia Brenes-Barahona 2, Donald F. McMullen * 2, Marlon Pierce.

A PERMIS-based Authorization Solution between Portlets and Back-end Web Services Hao Yin 1, Sofia Brenes-Barahona 2, Donald F. McMullen * 2, Marlon Pierce.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.

Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

Similar presentations

Ads by Google