Slide 1: Grid Security: What is it? Where is it going? Why?

Von Welch (vwelch@ncsa.uiuc.edu)
National Center for Supercomputing Applications
Globus Alliance
ClusterWorld 2004 - Grid Security - Von Welch (vwelch@ncsa.uiuc.edu)

Slide 2: Outline

- Some quick terminology
- What is Grid Security?
- Current State of the Art
- OGSA Grid Evolution
- OGSA Security and Web Services Security
- Globus Toolkit Implementation and Futures
Slide 3: Authentication, Authorization, Delegation

- Authentication: proving who you are (e.g. John Doe @ NCSA).
- Authorization: what are you allowed to do?
- Delegation: granting a right to another entity.
Slide 4: Public Key Infrastructure

- Used in almost all Grids today
  - Allows two entities to authenticate with minimal cross-organizational support
- Based on asymmetric cryptography
  - Private and public key
- Public key is encoded in a certificate by a Certificate Authority (CA)
  - Certificate and private key are used to establish identity
Slide 5: Certificates

[Figure: a State of Illinois driver's license for "John Doe" (address, birth date, physical description, state seal), shown as an analogy for a certificate]

- Allow for binding of an identity (John Doe) to a key or person
- Certificate fields: Name, Issuer, Public Key, Signature
Slide 6: Outline (repeated; next section: What is Grid Security?)
Slide 7: Grid Security's goal is to support the virtual organization.

[Figure: Sites A, B, C and D contributing to one Virtual Organization (VO)]
Slide 8: Example: NSF TeraGrid

[Figure: TeraGrid diagram]
Slide 9: Example VO diagram

[Figure: a VO linking field equipment, laboratory equipment, instrumented structures and sites, remote users (K-12 faculty and students), high-performance network(s), leading-edge computation, a curated data repository, a simulation tools repository and global connections (FY 2005 - FY 2014)]
Slide 10: Controlled Resource Sharing

[Figure: a Compute Center sharing resources with the HEP VO, Chem Eng VO and BIO VO under per-VO constraints: 5pm-9am only; 20 Tflops per month max; 100 Tbytes max; 20 Mbytes/sec max]

Globally:
- User must agree to AUP
- User must use strong authentication
Slide 11: Grid Authorization "Flow"

[Figure: rights flow from the Resource to the VO, to the User, to the Process, each delegation narrower than the one before]

- Delegate: VO may use 50% of cycles
- Delegate: Jane may use 1000 cycles
- Delegate: Job X may use 100 cycles
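The delegation chain on this slide, modelled as an added example (not code from the talk or from the Globus Toolkit): each link must be issued by the current right-holder and may never grant more than that holder has. The resource capacity of 4000 cycles, the party names and the percent-or-absolute grant form are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example of the slide's chain:
# Resource -> VO (50% of cycles) -> Jane (1000 cycles) -> Job X (100 cycles).
RESOURCE_CYCLES = 4000  # assumed capacity of the compute resource


@dataclass(frozen=True)
class Grant:
    issuer: str          # the party delegating the right
    subject: str         # the party receiving it
    cycles: int = 0      # absolute limit, or ...
    percent: float = 0.0 # ... a share of the issuer's own allowance

    def limit(self, issuer_limit: int) -> int:
        """Resolve this grant to an absolute number of cycles."""
        if self.percent:
            return int(issuer_limit * self.percent / 100)
        return self.cycles


def effective_limit(chain: List[Grant], resource: str, capacity: int) -> Optional[int]:
    """Walk the chain outward from the resource. Returns the cycles the final
    subject may use, or None if a link is not issued by the current holder or
    exceeds what that holder was granted."""
    holder, allowance = resource, capacity
    for g in chain:
        if g.issuer != holder:
            return None  # forged or out-of-order link
        granted = g.limit(allowance)
        if granted <= 0 or granted > allowance:
            return None  # a delegate can never receive more than the delegator holds
        holder, allowance = g.subject, granted
    return allowance


def authorize(chain: List[Grant], resource: str, capacity: int, requested: int) -> bool:
    """Resource-side decision: is the request within the chain's effective limit?"""
    limit = effective_limit(chain, resource, capacity)
    return limit is not None and requested <= limit


CHAIN = [
    Grant("compute-center", "HEP-VO", percent=50),
    Grant("HEP-VO", "Jane", cycles=1000),
    Grant("Jane", "JobX", cycles=100),
]
```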
Slide 12: So, what are the challenges?

- Resources being used may be valuable and the problems being solved sensitive
  - Both users and resources need to be careful
- VOs aren't static
  - Large, dynamic, unpredictable...
- VO resources and users are often located in distinct administrative domains
  - Can't assume cross-organizational trust agreements
  - Different mechanisms, trust roots and credentials
    - X.509 vs Kerberos
    - Different CAs
    - X.509 attribute certs vs SAML assertions
Slide 13: More challenges...

- Interactions are not just client/server, but service-to-service on behalf of the user
  - Requires delegation of rights by user to service
  - Services may be dynamically instantiated
- Standardization of interfaces to allow for discovery, negotiation and use
- Implementation must be broadly available and applicable
  - Standard, well-tested, well-understood protocols; integrated with a wide variety of tools
- Policy from sites, VO and users needs to be combined
  - Varying formats: SAML, XACML, local custom, etc.
- Want to hide as much as possible from applications!
Slide 14: Outline (repeated; next section: Current State of the Art)
Slide 15: Grid Security Infrastructure (GSI)

- Open source libraries, tools and standards which provide the security functionality of the Globus Toolkit
- Provides for cross-organizational:
  - Authentication
  - Message protection
  - Authorization
  - Single sign-on
Slide 16: GSI Stack - PKI (Certs, CAs)

GSI uses a standard PKI for identity certificates. Each entity (user, service) has an X.509 certificate from a CA that uniquely names it.
Slide 17: GSI Stack - SSL (on top of PKI)

- SSL, using the certificates, is used as the network protocol
- Performs authentication, as on the web, but of the client as well as the server
- Also provides message protection as needed (integrity, encryption)
Slide 18: GSI Stack - X.509 Proxy Certificates (on top of SSL)

- X.509 Proxy Certificates are our extension
- Standardized in IETF (pkix)
- Allow for dynamic delegation
Slide 19: GSI Stack - Grid-Mapfile (on top of Proxy Certificates)

- Grid-Mapfile maps Grid users (identified by certificates) to local users (e.g. Unix account)
- Allows authorization using normal local methods (e.g. filesystem perms, quotas)
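The grid-mapfile lookup from this slide, together with the proxy-certificate naming from slide 18, as an added example (not code from the talk or the Globus Toolkit): the sample mapfile and DNs are constructed, and the proxy naming rule it strips (/CN=proxy, /CN=limited proxy, or an RFC 3820 numeric CN) is an assumption about the deployment.

```python
import re
from typing import Dict, List, Optional

# Constructed sample grid-mapfile (not from the slides). One entry per Grid identity:
# the quoted X.509 subject DN, then the local account(s) it maps to, comma-separated.
SAMPLE_GRIDMAP = '''
# grid-mapfile: "<subject DN>" <local user>[,<local user>...]
"/C=US/O=Example Grid CA/OU=NCSA/CN=John Doe" jdoe
"/C=US/O=Example Grid CA/OU=NCSA/CN=Jane Roe" jroe,hepgroup
"/C=US/O=Example Grid CA/OU=ANL/CN=host/grid.example.org" gridsvc
'''

_ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)$')
# Assumed proxy naming: legacy GSI proxies append /CN=proxy or /CN=limited proxy,
# RFC 3820 proxies append /CN=<serial number>.
_PROXY_CN = re.compile(r'/CN=(proxy|limited proxy|\d+)$')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {subject DN: [local accounts]}. A malformed line fails the whole load
    rather than being skipped, so a bad edit cannot silently drop or open a mapping."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f'grid-mapfile line {lineno}: malformed entry {line!r}')
        dn, users = m.groups()
        mapping.setdefault(dn, []).extend(u for u in users.split(',') if u)
    return mapping


def identity_dn(subject: str) -> str:
    """Strip trailing proxy CN components so a delegated proxy certificate resolves
    to the end-entity DN the grid-mapfile names, never to the proxy's own subject."""
    while True:
        stripped = _PROXY_CN.sub('', subject)
        # Stop when nothing was stripped or stripping would remove the last CN
        # (an end entity whose own CN happens to be numeric must not be truncated).
        if stripped == subject or '/CN=' not in stripped:
            return subject
        subject = stripped


def map_to_local_user(mapping: Dict[str, List[str]], subject: str) -> Optional[str]:
    """Authorization step from this slide: the local account for the presented
    certificate subject, or None when the identity is unknown (access denied)."""
    users = mapping.get(identity_dn(subject))
    return users[0] if users else None
```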
Slide 20: GSI-Enabled Coordination

[Figure: Sites A, B and C coordinated via a Proxy Certificate]

- Allows for a standard authentication method
- Allows for delegation, to allow for coordinated resource usage
Slide 21: Grid Security Services

- How does a site with an existing sophisticated security infrastructure leverage that for Grids?
  - E.g. Kerberos
- How do I carry X.509 credentials around with me? How do I use them with non-GSI aware applications?
  - E.g. Web portals?
- How does a VO manage the resources contributed to it?
Slide 22: Kerberos CA: Grid access from Krb5

[Figure: a Kerberos user presents a Krb5 ticket to the KCA, which issues an X.509 certificate used for GSI access to a Grid site's resources; the KCA holds the Krb5 to Grid ID mappings]

- Allows use of Kerberos credentials to get on the Grid
- In use at FNAL, USC
Slide 23: MyProxy Credential Wallet

[Figure: a user, or a web server acting for the user, presents a username and password to MyProxy and receives Grid credentials for use on the Grid]

- Allows users to acquire Grid credentials from username/password
- Enables mobility and use of non-GSI aware applications
Slide 24: Community Authorization Service (CAS)

[Figure: resources are contributed to the VO from a number of sites; the VO decides how its users can use those resources]

- User requests access from CAS
- CAS gives the user an assertion granting access
- User presents the assertion to the resource to gain access
- CAS allows the VO to set fine-grain access policy on its resources
Slide 25: Outline (repeated; next section: OGSA Grid Evolution)
Slide 26: Grid Evolution: Open Grid Services Architecture

- Goals
  - Refactor the Globus protocol suite to enable a common base and expose key capabilities
  - Service orientation to virtualize resources and unify resources/services/information
  - Embrace key Web services technologies for a standard IDL, leverage commercial efforts
- Result = standard interfaces and behaviors for distributed system management: the Grid service
  - Standardization within Global Grid Forum and OASIS
  - Open source and commercial implementations
Slide 27: The Grid Service

[Figure: Application, Interface and Hosting Environment layers]

- Interface: use WSDL to advertise the interface; WS-Policy to advertise security requirements (Krb5, GSI, etc.); allow for automated discovery and binding
- Hosting environment handles messages, including authentication, message protection, authorization, etc.; allows the app developer to focus on app-specific logic
Slide 28: Based on Standards

- Web Services
  - SOAP
  - WSDL
- Extensions (follow-on to OGSI)
  - WSRF
    - Lifetime control
  - WS-ResourceProperties
    - Expose state
  - WS-Notification
  - WS-ServiceGroup
  - WS-RenewableReference
Slide 29: Outline (repeated; next section: OGSA Security and Web Services Security)
Slide 30: Leverage existing/emerging Security Standards

- WS-Security/Policy/Trust/Federation/Authorization/SecureConversation/Privacy
- XKMS, XML-Signature/Encryption, SAML, XACML, XrML
- But...
  - Need to OGSA'fy
  - Need to define profile/mechanisms
  - Need to define naming conventions
  - Need to address late/missing specs
  - Support for delegation, transient services
Slide 31: WS Security - Current/proposed WSS-specs

[Figure: layered stack on the SOAP Foundation: WS-Security; above it WS-Policy, WS-Trust, WS-Privacy; above those WS-SecureConversation, WS-Federation, WS-Authorization. Legend: proposed, in progress, promised]
Slide 32: Current/proposed specs - Building on the SOAP Foundation

- WS-Security (today): describes SOAP extensions for secure messaging; provides the foundation for the other building blocks
Slide 33: Current/proposed specs - Building on the SOAP Foundation

- WS-Policy (today): how to express capabilities and constraints of security policies. Along with WS-SecurityPolicy, WS-PolicyAsserts, WS-PolicyAttachment
Slide 34: Current/proposed specs - Building on the SOAP Foundation

- WS-Trust (today): describes the model for establishing both direct and brokered trust relationships (including third parties and intermediaries)
Slide 35: Current/proposed specs - Building on the SOAP Foundation

- WS-SecureConversation (today): how to manage and authenticate message exchanges between parties, including security context exchange and establishing and deriving session keys
Slide 36: Current/proposed specs - Building on the SOAP Foundation

- WS-Privacy (planned): will be a model for how users state privacy preferences, and for how Web Services state and implement privacy practices
Slide 37: Current/proposed specs - Building on the SOAP Foundation

- WS-Federation (planned): will describe how to manage and broker the trust relationships in a heterogeneous federated environment, including support for federated identities
Slide 38: Current/proposed specs - Building on the SOAP Foundation

- WS-Authorization (planned): will define how Web services manage authorization data and policies
Slide 39: WS Security - Current/proposed WSS-specs

[Figure: the complete stack from slide 31: SOAP Foundation, WS-Security, WS-Policy/WS-Trust/WS-Privacy, WS-SecureConversation/WS-Federation/WS-Authorization, with the proposed / in progress / promised legend]
Slide 40: Other Standards

- SAML looks good for assertions
- XACML as the language for policy exchange?
  - But they don't fit nicely together (NASA work)
    - SAML 2.0 will hopefully help
  - XACML delegation of rights?
- XrML
  - Another policy language
- Liberty Alliance
  - Federated identity, like WS-Federation
Slide 41: WS Security (Confusing Picture)

[Figure: the WS-* stack from slide 31 with Liberty Alliance, SAML, XACML and XrML added alongside it]
Slide 42: How does all this fit into Grids?

- WS-Policy/XACML/XrML for expressing security constraints
  - What credentials (Kerberos, GSI) are accepted and preferred
  - Encryption supported? Required? Rejected?
- WS-Authorization/XACML/XrML for managing authorization data
  - e.g. in CAS
- WS-Privacy (?) for managing privacy
Slide 43: OGSA Security Roadmap

Goal:
- Address the Grid Security Architecture requirements
- Make implementations possible
- Address interoperability
- Address pluggability/replaceability
- Address missing/late/insufficient standards

"OGSA Security Roadmap" submitted to GGF, co-authored with IBM
Slide 44: OGSA Security

- Security implemented by pluggable security services
  - Usable by clients and services
- Allows for a more agnostic approach to security mechanisms
  - As implementations are created for a mechanism, they can be plugged into existing tools to enable use
  - Applications and services can examine published security policies and convert/acquire credentials as needed
Slide 45: Remove Security from Applications

- Allow deployment-time selection of supported mechanisms and policies
- OGSA resource virtualization allows for policy on application-independent operation invocation
- Place as much security functionality as possible into sophisticated hosting environments
Slide 46: Transparent Call-outs from WS-Stubs

[Figure only]
Slide 47: Outline (repeated; next section: Globus Toolkit Implementation and Futures)
Slide 48: What's actually in GT3?

- SOAP-based wire protocol
- WS-Security (XML-Signature, XML-Encryption) for authentication, message protection
- GSI-SecureConversation
  - Based on GT2's TLS/GSSAPI implementation
  - Based on a poor-man's "interpretation" of the WS-Trust/WS-SecureConversation specs plus XML-Signature/XML-Encryption/WS-Security
  - Waiting for the WS-Trust, WS-SecureConversation and WS-Kerberos specs to be submitted to a standards body
Slide 49: What's actually in GT3? (continued)

- SAML assertions in Community Authorization Service (GT 3.2)
  - Allow VOs to set and distribute policy on file access
- Standardized Proxy Certificates
- Java and C implementations
- Java based on Axis, with security implemented in handlers
Slide 50: GT Security Futures (1)

- Authorization is "KEY" for the coming year
  - Includes communicating/sharing/matching of authz policies and capabilities
  - Profiles for attributes
  - Standards for authorization services
  - GGF OGSA Authorization WG
- Restricted delegation
  - By service and operation
  - By "domains"
Slide 51: GT Security Futures (2)

- Securely route through firewalls/network hurdles
  - Tackle the firewall/NAT traversal issues transparently in the runtime
- Integration of group authentication/key-exchange protocols
  - Going from 2 parties to N parties should be "seamless"
- Secure logging and audit
  - Another undefined, unstandardized missing link... while the requirements are there!
Slide 52: Conclusion

- Grid's requirements may be a few years ahead, but industry will face the same challenges soon
  - Few "new" distributed computing requirements...
- Our security requirements are conceptually 1-2 levels above what is available now as specifications, standards and open source
  - Ideally, we want to be end-users of WSS, not plumbers...
- The standards circus is very worrisome
  - And distracting and time consuming...
- Come help us at the Global Grid Forum
  - Exciting security stuff!
  - We need your help... (www.ggf.org)
- Play with the Globus Toolkit (GT3.2)
  - Downloaded 100k+ times already (www.globus.org)
Slide 53: Thanks

- Many colleagues at Argonne, NCSA, ISI and PDC:
  - Frank Siebenlist, Sam Meder, Olle Mulmo, Laura Pearlman, Jarek Gawor, Jim Basney, Steve Tuecke, Ian Foster, Carl Kesselman, Rachana Ananthakrishnan and many others.
- Funding from DOE, NSF and IBM

Questions?