Embed Size (px)
Citation preview
Grid Security
Steve TueckeArgonne National Laboratory
Overview The Grid Concept Community Authorization Implementation Approach
The Grid Concept
Grid Computing
Enable communities (“virtual organizations”) to share geographically distributed resources as they pursue common goals—in the absence of central control, omniscience, trust relationships
Via investigations of– New applications that become possible when
resources can be shared in a coordinated way
– Protocols, algorithms, persistent infrastructure to facilitate sharing
On-demand creation of powerful virtual computing systems
The Grid: The Web on Steroids
http://
http://
Web: Uniform access to HTML documents
Grid: Flexible, high-perf access to all significant resources
Sensor nets
Data archives
Computers
Softwarecatalogs
Colleagues
Grid Communities and Applications:NSF National Technology Grid
tomographic reconstruction
real-timecollection
wide-areadissemination
desktop & VR clients with shared controls
Advanced Photon Source
Grid Communities & Applications:Online Instrumentation
archival storage
DOE X-ray grand challenge: ANL, USC/ISI, NIST, U.Chicago
Grid Communities and Applications:Mathematicians Solve NUG30
Community=an informal collaboration of mathematicians and computer scientists
Condor-G delivers 3.46E8 CPU seconds in 7 days (peak 1009 processors) in U.S. and Italy (8 sites)
Solves NUG30 quadratic assignment problem
14,5,28,24,1,3,16,15,10,9,21,2,4,29,25,22,13,26,17,30,6,20,19,8,18,7,27,12,11,23
MetaNEOS: Argonne, Iowa, Northwestern, Wisconsin
Grid Communities and Applications:Network for Earthquake Eng. Simulation
NEESgrid: national infrastructure to couple earthquake engineers with experimental facilities, databases, computers, & each other
On-demand access to experiments, data streams, computing, archives, collaboration
NEESgrid: Argonne, Michigan, NCSA, UIUC, USC
Grid Communities & Applications:Data Grids for High Energy Physics
Tier2 Centre ~1 TIPS
Online System
Offline Processor Farm
~20 TIPS
CERN Computer Centre
FermiLab ~4 TIPSFrance Regional Centre
Italy Regional Centre
Germany Regional Centre
InstituteInstituteInstituteInstitute ~0.25TIPS
Physicist workstations
~100 MBytes/sec
~100 MBytes/sec
~622 Mbits/sec
~1 MBytes/sec
There is a “bunch crossing” every 25 nsecs.
There are 100 “triggers” per second
Each triggered event is ~1 MByte in size
Physicists work on analysis “channels”.
Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server
Physics data cache
~PBytes/sec
~622 Mbits/sec or Air Freight (deprecated)
Tier2 Centre ~1 TIPS
Tier2 Centre ~1 TIPS
Tier2 Centre ~1 TIPS
Caltech ~1 TIPS
~622 Mbits/sec
Tier 0Tier 0
Tier 1Tier 1
Tier 2Tier 2
Tier 4Tier 4
1 TIPS is approximately 25,000
SpecInt95 equivalents
Image courtesy Harvey Newman, Caltech
Community =– 1000s of home
computer users
– Philanthropic computing vendor (Entropia)
– Research group (Scripps)
Common goal= advance AIDS research
Grid Communities and Applications:Home Computers Evaluate AIDS Drugs
Broader Context
“Grid Computing” has much in common with major industrial thrusts– Business-to-business, Peer-to-peer, Application
Service Providers, Internet Computing, … Distinguished primarily by more sophisticated
sharing modalities– E.g., “run program X at site Y subject to community
policy P, providing access to data at Z according to policy Q”
– Secondarily by unique demands of advanced & high-performance systems
The Globus Project
Started in 1995 (I-WAY software) Globus R&D
– Definition of Grid architecture
– Grid protocols, services, APIs> Security, resource mgmt, data access, information,
communication, etc.
– Development of Globus Toolkit> Large user base among tool developers & in
production Grids
> Open source
Numerous application projects Outreach & leadership
More Details www.globus.org
“The Anatomy of the Grid: Enabling Scalable Virtual Organizations”– Foster, Kesselman, Tuecke
– www.globus.org/research/papers/anatomy.pdf
Community Authorization
Community Properties 100s of resource providers, 1000s of users
– N users from many institutions, worldwide
– M independent resource providers which contribute resources to one or more communities
– How to avoid N X M trust relationships? Resource providers grant/sell to communities
– Grant bulk access to community
– Community representative handles fine grained authorization and prioritization within bulk grants
Users may combine community resources with own resources to solve problems
Various services carrying out requests of users
Capability Based Solution A community service & administrator, which:
– Maintains user membership to the community.
– Maintains resource service agreements to community.
– Maintains access control database, granting users access to (part of) resources, based on community policies and priorities.
> May employ groups, roles, etc.
– Issues capabilities to community members (users) to grant them access to resources.
> User presents capability directly to resource to claim service.
AAAArch “push” model
Community Authorization (1)
Site AResources
Site MResources
Site BResources
User 1
User 2
CommunityAuthorization
Service
1: Obtain capability for service
2: Request service
User N
Community Authorization (2)
Site AResources
Site MResources
Site BResources
User 1
User 2
CommunityAuthorization
Service
2: Obtain capability for services, on behalf of user 2
3: Request servicesUser N Request
Manager
1: Delegate user proxy
Community Authorization (3)
Site AResources
Site MResources
Site BResources
User 1
User 2
CommunityAuthorization
Service
2: Obtain capabilities for services, on behalf of user 2
4: Request services
User N
RequestPlanner1: Delegate user
proxy
TaskManager
3: Delegate capabilities
Implementation Approach
Grid Security Infrastructure (GSI) Authentication and message protection Extensions to existing standard protocols & APIs
– Standards: SSL/TLS, X.509, GSS-API
– Extensions for single sign-on and delegation> Internet X.509 PKI Impersonation Proxy Certificate Profile
> TLS Delegation Protocol
Globus Toolkit reference implementation of GSI– OpenSSL + GSS-API + delegation
– Tools and services to interface to local security> Simple ACLs; SSLK5 & PKINIT for access to K5, AFS, etc.
– Tools for credential management> Login, logout, cert request, smartcards, cred repository, etc.
X.509 Proxy Certificate Overview To support single sign-on and delegation Proxy Certificate (PC) is signed by End Entity Certificate
(EEC) or another Proxy Certificate– We are NOT using an EEC to as if it were a CA
> CA performs two functions: 1) Assigns a name (or identity), and 2) Binds the name to the a key.
> PC only does #2. It binds the name to an proxy key.
– PC inherits its name from its signing EEC> Subject name used for two purposes: 1) Path discovery & validation, and 2) To
hold the assigned name.
> In a PC, the subject is used only for #1, path discovery
“TLS Delegation Protocol” draft defines how to create a remote Proxy Certificate
Features Of This Approach Ease of integration
– Requires only a small change to path validation> SSL/TLS requires no protocol change to use PC
– Authorization based on identity still works Ease of use
– Enables single sign-on & credential repositories Protection of EEC private key
– Single sign-on & delegation w/o sharing EEC keys Limits consequences of a compromised key
– Can restrict PC (e.g. lifetime, uses, etc.)
– Compromised PC does not compromise EEC
Implementation Status Globus Toolkit’s Grid Security Infrastructure (GSI) has
used similar approach for ~4 years– GSI = GSS-API + X.509 + PC + SSL + delegation
– Integrated into numerous “Grid” tools (C & Java)> Globus Toolkit, Condor, SRB, MPI, ssh/SecureCRT, FTP, etc.
– Adopted by 100s of sites, 1000s of users> NCSA, NPACI, NASA IPG, DOE Science Grid, European Datagrid, GriPhyN
(Phyics Grids), NEESgrid (Earthquake Engineering Grid)
Global Grid Forum & IETF effort to move GSI forward through cleanup, better integration with standards, technical specifications, etc.– http://www.gridforum.org/security/gsi
Capabilities By extending a Proxy Certificate to hold a
restriction policy, one can build a form of capability– Currently, the holder of a user’s proxy credential
allows that holder to impersonate the user, to access any resources available to the user
– But can extend the proxy credential to contain a restriction policy
> E.g. “Holder of this proxy can only start a process on resource X, and read user’s file Y.”
Community Authorization Service CAS has its own identity certificate
– It is this CAS identity that is known to resources User authenticates with CAS using user’s identity
certificates (or proxy of identity certificate) User requests access to a community resource(s) CAS delegates back to user a restricted proxy
credential from the CAS identity credential User authenticates with resource using this CAS
identity
Resource Checking of Capability Authentication from client is with the CAS identity
– Resource sees the “community” identity
– Though an X.509 extension in the capability may include user’s identity, etc. for audit purposes
Resource maps CAS identity to local account and privileges– E.g. A Unix account, with a given file system quota
– Different communities map to different accounts For each request, resource evaluates the request
against the policy contained in the CAS restricted proxy certificate that was used to authenticate.
Accounting CAS inserts GUID into capability, which is used for:
– Accounting: Resources can log consumption using this GUID. CAS can recombine with log of issued capabilities to reconstruct full accounting info.
> Requires protocol for propagation of accounting info
– Usage enforcement: Restriction policy in capability may include usage constraints. Resource can track and enforce such constraints using the GUID, including across multiple requests using the same capability.
