Globus Grid Tutorial Part 1: Security and Remote Process Creation

PowerPoint presentation, 30 slides.

Page 1: Globus Grid Tutorial Part 1: Security and Remote Process Creation

Globus Grid Tutorial, Part 1: Security and Remote Process Creation

Page 2: Goals of this Tutorial

  • Learn how to start a process on a remote resource
  • Examples of applications that use this operation:
    - Desktop supercomputing applications (e.g., ECCE', Cactus, WebFlow)
    - Network enabled servers (e.g., NEOS, NetSolve)

Page 3: Desktop Supercomputing

  • Seamlessly, from the desktop:
    - Sign on once
    - Locate available computers
    - Start computation on an appropriate system
    - Monitor progress
    - Get [subsampled] output files
    - Manipulate locally
  • E.g., astrophysics, chemistry, environmental models
  • Also WebFlow, LSA, others

Page 4: WebFlow Grid Interface

  • Dataflow computing interface to grid computing (Fox, Haupt: Syracuse)
  • Globus services for authentication, process creation and management
  • Applications include nanomaterials

Page 5: Network-Enabled Servers

  [Figure: an application sends a request such as "Solver X, problem Y, cost 100, time 20 secs" to a resource broker, which selects a backend holding the code and expertise.]

  • Seamless access of remote resources
  • Examples: NEOS, NetSolve, Nimrod
  • Issues:
    - Scheduling for real-time & high-throughput
    - Code management & security
    - Algorithm design

Page 6: Problems

  • Security: how do we authenticate ourselves at the remote site?
  • Resource specification: how do we locate and request a resource?
  • Staging of code and data: how do we stage a user's executables and data to the remote resource?
  • Computation: how do we start & manage computation?

Page 7: The Globus Advantage

  • Single sign-on for all resources
    - No need to keep track of accounts and passwords at multiple sites
    - No plaintext passwords
  • Uniform interface to various local scheduling mechanisms (LSF, NQE, LoadLeveler, fork, etc.)
    - No need to learn and remember obscure command sequences at different sites
  • Support for staging, etc., also: see later

Page 8: Authentication Model

  • Authentication is done on a "user" basis
    - Single authentication step allows access to all grid resources
    - No communication of plaintext passwords
  • Most sites will use conventional account mechanisms
    - You must have an account on a resource to use that resource
  • Sites may use "generic" Grid accounts
    - Not common, but Globus can deal with it

Page 9: Grid Security Infrastructure

  • Based on public key technology
    - Standard X.509 certificate, same as certificates used for the Web
  • Each user has:
    - a Grid user id (called a Subject Name)
    - a private key (like a password)
    - a certificate signed by a Certificate Authority (CA)
  • A "gridmap" file at each site specifies grid-id to local-id mapping

Page 10: Certificate Based Authentication

  • User has a certificate, signed by a trusted "certificate authority" (CA)
    - Certificate contains the user's name and public key
    - Globus project operates a CA
  • User's private key is used to encode a challenge string
    - Public key is used to decode the challenge
    - If you can decode it, you know the user
  • Treat your private key carefully!!
    - Private key is stored in encrypted form

Page 11: User Proxies

  • Minimize exposure of user's private key
  • A temporary credential for use by our computations
    - We call this a user proxy certificate
    - Allows process to act on behalf of user
  • User-signed user proxy certificate stored in local file
    - Proxy's private key is not encrypted
    - Rely on file system security: proxy certificate file must be readable only by the owner

Page 12: Delegation

  • Remote creation of a user proxy
  • Allows remote process to act on behalf of the user
  • Avoids sending passwords or private keys across the network

Page 13: Single sign-on via "grid-id"

  [Figure: the user holds a Globus credential and a user proxy. Site 1 authenticates with a Kerberos ticket and Site 2 with a public key certificate; at each site GRAM with GSI starts processes, and the processes communicate over authenticated interprocess communication. Labels: CREDENTIAL; GSSAPI: multiple low-level mechanisms; mutual user-resource authentication; mapping to local ids; assignment of credentials to "user proxies".]

Page 14: Installing Globus

  • Before you can use Globus, you need to install the Globus client-side software
    - Installation and administration of server-side software is discussed later
  • Ftp the Globus software from: ftp://ftp.globus.org/pub/globus
  • Follow the installation instructions at: http://www.globus.org/software

Page 15: Globus Authentication Setup

  • Before you can run Globus applications:
    - Obtain a Grid certificate and key
    - Set up your environment so Globus knows where to find certificates and keys
    - Contact sites to set up local accounts and globusmap entries
    - Create proxy certificate for each application run
  • Documentation: http://www.globus.org/security

Page 16: Obtaining a Certificate

  • The program grid-cert-request is used to create a public/private key pair and an unsigned certificate in ~/.globus/:
    - usercert_request.pem: Unsigned certificate file
    - userkey.pem: Encrypted private key file; must be readable only by the owner
  • Mail usercert_request.pem to [email protected]
  • Receive a Globus-signed certificate
    - Place in ~/.globus/usercert.pem
  • NCSA & NASA will use different approaches

Page 17: Your New Certificate

  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 28 (0x1c)
          Signature Algorithm: md5WithRSAEncryption
          Issuer: C=US, O=Globus, CN=Globus Certification Authority
          Validity
              Not Before: Apr 22 19:21:50 1998 GMT
              Not After : Apr 22 19:21:50 1999 GMT
          Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (1024 bit)
                  Modulus (1024 bit):
                      00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                      <snip>
                      b4:e1:54:e7:87:57:b7:d0:61
                  Exponent: 65537 (0x10001)
      Signature Algorithm: md5WithRSAEncryption
          59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
          <snip>
          8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17:

  NTP is highly recommended: the Validity period is checked against the local clock.

Page 18: Certificate and Key Data

  Sample usercert.pem:

  -----BEGIN CERTIFICATE-----
  MIICAzCCAWygAwIBAgIBCDANBgkqhkiG9w0BAQQFADBHMQswCQY
  <snip>
  u5tX5R1m7LrBeI3dFMviJudlihloXfJ2BduIg7XOKk5g3JmgauK4
  -----END CERTIFICATE-----

  Sample userkey.pem:

  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,1E924694DBA7D9D1

  +W4FEPdn/oYntAJPw2tfmrGZ82FH611o1gtvjSKH79wdFxzKhnz474Ijo5Bl
  <snip>
  et5QnJ6hAO4Bhya1XkWyKHTPs/2tIflKn0BNIIIYM+s=
  -----END RSA PRIVATE KEY-----

Page 19: "Logging" onto the Grid

  • To run programs, authenticate to Globus:

        % grid-proxy-init
        Enter PEM pass phrase: ******

  • Creates a temporary, short-lived credential for use by our computations
  • Private key is not exposed past grid-proxy-init
  • Options for grid-proxy-init:
    - -hours <lifetime of credential>
    - -bits <length of key>
    - -help

Page 20: Grid Sign-On With grid-proxy-init

  [Figure: grid-proxy-init reads the user certificate file and the encrypted private key, unlocks the key with the pass phrase, and writes the user proxy certificate file.]

Page 21: Proxy Information

  • To get proxy information run grid-proxy-info:

        % grid-proxy-info -subject
        /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster

  • Options for printing proxy information:
    - -subject
    - -issuer
    - -type
    - -timeleft
    - -strength
    - -help
  • Options for scripting proxy queries (return exit status 0 for true, 1 for false):
    - -exists -hours <lifetime of credential>
    - -exists -bits <length of key>

Page 22: Sample Gridmap File

  # Distinguished name                                Local
  #                                                   username
  "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"     rpg
  "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"   frost
  "/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"     u14543
  "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"         itf

  • Gridmap file maintained by Globus administrator
  • Entry maps Grid-id into local user name(s)

Page 23: Remote Startup Mechanism

  [Figure: the client (holding its key and certificate) contacts the gatekeeper (holding its key, certificate, gridmap and service table), which starts the jobmanager.]

  1. Exchange certificates, authenticate, delegate
  2. Check gridmap file
  3. Lookup service
  4. Run service program (e.g. jobmanager)
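Steps 2 and 3 of the gatekeeper sequence above, together with the gridmap format of slide 22, as an added Go example that is not the Globus gatekeeper's own code: it parses gridmap text into a map from subject name to local user name(s), then decides whether an authenticated subject may run a requested service and as which local user. The sample gridmap text reuses the slide's entries retyped with straight quotes; the service table and its program path are constructed placeholders; exact, case-sensitive subject matching, comma-separated local names, and rejection of duplicate or malformed lines are this example's choices.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Gridmap maps a certificate subject name (grid-id) to the local user name(s)
// it may run as.
type Gridmap map[string][]string

// ParseGridmap reads the format shown on slide 22: one entry per line, the
// distinguished name in double quotes, whitespace, then the local user name or
// a comma-separated list of names. Lines starting with '#' are comments.
// Malformed lines and duplicate subjects are rejected (this example's choice),
// so that a bad edit fails loudly instead of silently dropping a mapping.
func ParseGridmap(text string) (Gridmap, error) {
	gm := Gridmap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: distinguished name must be quoted", n)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated distinguished name", n)
		}
		dn, rest := line[1:end+1], strings.TrimSpace(line[end+2:])
		if dn == "" || rest == "" || strings.ContainsAny(rest, " \t") {
			return nil, fmt.Errorf(`line %d: expected "DN" user[,user...]`, n)
		}
		if _, dup := gm[dn]; dup {
			return nil, fmt.Errorf("line %d: duplicate entry for %s", n, dn)
		}
		gm[dn] = strings.Split(rest, ",")
	}
	return gm, sc.Err()
}

// Request is what the gatekeeper knows after step 1 of slide 23: the subject
// name from the client's verified certificate and the service it asked for.
type Request struct {
	Subject string
	Service string
}

var (
	ErrNotMapped = errors.New("subject has no gridmap entry")
	ErrNoService = errors.New("no such service")
)

// Authorize performs steps 2 and 3: the authenticated subject must have a
// gridmap entry (exact, case-sensitive match; the first local name is used)
// and the requested service must exist in the service table. It returns the
// local user and the program the gatekeeper would run as that user.
func Authorize(gm Gridmap, services map[string]string, r Request) (localUser, program string, err error) {
	users, ok := gm[r.Subject]
	if !ok {
		return "", "", ErrNotMapped
	}
	if program, ok = services[r.Service]; !ok {
		return "", "", ErrNoService
	}
	return users[0], program, nil
}

// SampleGridmap is the slide's example file, retyped with straight quotes.
const SampleGridmap = `# Distinguished name                              Local username
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"    rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"  frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"    u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"        itf
`

// Services is a constructed service table; the program path is a placeholder.
var Services = map[string]string{"jobmanager": "/PLACEHOLDER/libexec/globus-jobmanager"}

func main() {
	gm, err := ParseGridmap(SampleGridmap)
	if err != nil {
		panic(err)
	}
	for _, r := range []Request{
		{"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster", "jobmanager"},
		{"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster", "shell"},
		{"/C=US/O=Example/CN=Not In Gridmap", "jobmanager"},
	} {
		user, prog, err := Authorize(gm, Services, r)
		fmt.Printf("%s -> %s: user=%q program=%q err=%v\n", r.Subject, r.Service, user, prog, err)
	}
}
```

The order of the checks mirrors the slide: authentication (step 1) only establishes who the caller is; the gridmap decides whether that identity is allowed at this site at all, and the service table limits what can be started. An authenticated subject with no gridmap entry is refused before any service lookup happens.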

Page 24: Simple job submission

  • globus-job-run provides a simple RSH compatible interface:

        % grid-proxy-init
        Enter PEM pass phrase: *****
        % globus-job-run host program [args]

Page 25: globus-job-run: Beneath the covers

  [Figure: from the host name, globus-job-run obtains the contact string from the MDS, builds an RSL string, starts a GASS server, and submits the request to the gatekeeper, which starts the jobmanager to run the program; stdout comes back through the GASS server.]

  1. Lookup contact string
  2. Build RSL string
  3. Startup GASS server
  4. Submit request

Page 26: Exercise 1: Sign-On & Remote Process Creation

  • Use grid-proxy-init to create a proxy certificate:

        % grid-proxy-init
        Enter PEM pass phrase:
        ......................................+++++.....+++++

  • Use grid-proxy-info to query proxy:

        % grid-proxy-info -subject

  • Use globus-job-run to start remote programs:

        % globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp

Page 27: Globus Components Being Used

  • GRAM: Globus Resource Allocation Manager
    - Create process on remote resource, deal with local resource managers
  • MDS: Metacomputing Directory Service
    - Map machine name into GRAM contact string
  • GSI: Grid Security Infrastructure
    - Authenticate to remote system
  • GASS: Global Access to Secondary Storage
    - Redirect standard output

Page 28: Globus Components in Action

  [Figure: globus-job-run contacts the gatekeeper on each resource; each gatekeeper starts a jobmanager for its local scheduler (fork, LSF or LoadLeveler), which creates the processes P1 and P2. Gatekeeper and jobmanagers together form GRAM.]

Page 29: Summary

  • Grid security provides single sign-on capability
  • globus-job-run can be used to create a remote process
    - Difference between schedulers managed by Globus
    - Strong authentication provided
  • Remote process creation can be added to applications by using Globus services

Page 30: Changes from 1.0 to 1.1

  • Tools are renamed:
    - globus-proxy-{init,destroy} is now grid-proxy-{init,destroy}
    - globus-{cert,certreq} is now grid-cert-{info,request}
  • Tools are added:
    - grid-proxy-info
    - grid-cert-renew
    - grid-mapfile-{add,delete}-entry