
Page 1: Unicore Security  and its Way to Interoperability

EGEE-II INFSO-RI-031688

Enabling Grids for E-sciencE

www.eu-egee.org

EGEE and gLite are registered trademarks

Unicore Security and its Way to Interoperability

Daniel Mallmann – Research Centre Juelich

MWSG Meeting, CERN 14-15 November 2006

Page 2: Unicore Security  and its Way to Interoperability

Daniel Mallmann, FZJ, MWSG Meeting, CERN, 14-15 November 2006 2


Unicore Architecture and Roles

[Diagram: Client (Job Preparation / Workflow Editor, Job Monitoring, Application Plugin, User Credentials) → Gateway of Usite A → Vsite A1 (NJS with Workflow Engine, Incarnation Database and Unicore User Database; TSI; Target System with File System and Batch System); Usite B with its own Gateway and Vsites B1 and B2 of the same structure]

• User creates job including subjob – user role: user
• User signs both jobs – endorser role: user
• User sends job to first NJS (user credentials) – consignor role: user
• NJS unpacks job and sends subjob to second NJS (NJS server credentials) – user role: user; endorser role: user; consignor role: NJS

Page 3: Unicore Security  and its Way to Interoperability


Unicore Explicit Trust Delegation

[Diagram: Client (Web Browser) with User Credentials → Portal (Job Preparation / Workflow Editor, Job Monitoring, Application Plugin, Portal Credentials) → Gateway of Usite A → Vsite A1 (NJS with Workflow Engine, Incarnation Database and ETD UUDB; TSI; Target System with File System and Batch System) → subjob sent with NJS credentials to a second NJS of the same structure]

• User authenticates at portal (not necessarily using credentials)
• User creates job in portal – user role: user
• Portal signs job – user role: user; endorser role: portal
• Portal sends job to NJS – user role: user; endorser role: portal; consignor role: portal
• NJS unpacks job and sends subjob to second NJS – user role: user; endorser role: portal; consignor role: NJS

Page 4: Unicore Security  and its Way to Interoperability


Unicore Security Components

[Diagram: Client with User Credentials → Gateway of Usite A → Vsite A1 (NJS with Unicore User Database; TSI; Target System with File System and Batch System)]

• Transport Level
  – Client-Gateway and Gateway-NJS connections are mutually authenticated client-server SSL (consignor key and Gateway/NJS key)
• Message Level
  – All messages are signed with the endorser key
  – Still looking for a high-performance signing mechanism for the Unicore 6 Web services implementation
• NJS and Gateway Credentials
  – X509 certificates
  – PKCS12 format
  – Password usually in configuration file

Page 5: Unicore Security  and its Way to Interoperability


Unicore Security Components

[Diagram: Client with User Credentials → Gateway of Usite A → Vsite A1 (NJS with Unicore User Database; TSI; Target System with File System and Batch System)]

• User Credentials: Unicore Keystore
  – File in configuration directory of the Unicore client
  – X509 certificate
  – Private key in PKCS12 format
  – List of trusted CAs
  – List of trusted developer certificates for application plugins
• User Authentication: Unicore Gateway
  – List of trusted CAs
  – List of URLs of the certificate revocation lists (CRLs)

Page 6: Unicore Security  and its Way to Interoperability


Unicore Security Components

[Diagram: Client with User Credentials → Gateway of Usite A → Vsite A1 (NJS with Unicore User Database; TSI; Target System with File System and Batch System)]

• User Authorization: Unicore User DataBase (UUDB)
  – Mapping of user certificates to Xlogin on target system
  – Different implementations: Java class with plain file; Web service with XML file
  – DEISA evaluates only the Distinguished Name of the certificate
• Delegation: NJS – Explicit Trust Delegation
  – Each trusted agent has to be added to the UUDB; Xlogin prefix = agent-
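As an added illustration (not Unicore code), the following Python models the NJS-side check implied by the roles on the architecture and Explicit Trust Delegation slides together with the UUDB rules above: the job's user must map to an Xlogin, and the endorser (signer) and consignor (SSL peer) must each be either that user or a trusted agent registered in the UUDB with the agent- prefix. The policy rules, function names, DNs and Xlogins are assumptions.

```python
AGENT_PREFIX = "agent-"

# Constructed sample UUDB: certificate Distinguished Name -> Xlogin on the
# target system. Matching uses only the DN (as DEISA does), and trusted
# agents (portal, forwarding NJS) are entries whose Xlogin starts with
# "agent-". All DNs and Xlogins are made up.
UUDB = {
    "CN=Alice,O=FZJ,C=DE": "alice",
    "CN=portal.example,O=FZJ,C=DE": "agent-portal",
    "CN=njs.siteb.example,O=FZJ,C=DE": "agent-njs-b",
}

def is_trusted_agent(dn, uudb=UUDB):
    """True iff the DN is registered in the UUDB with the agent- prefix."""
    return uudb.get(dn, "").startswith(AGENT_PREFIX)

def authorize(user_dn, endorser_dn, consignor_dn, uudb=UUDB):
    """Assumed NJS-side policy: return the Xlogin a job may run as, or raise.
    user_dn: identity named in the job (user role); endorser_dn: DN that signed
    it (endorser role); consignor_dn: DN authenticated on the SSL connection."""
    xlogin = uudb.get(user_dn)
    if xlogin is None or xlogin.startswith(AGENT_PREFIX):  # agents are not job users (assumed)
        raise PermissionError("no Xlogin mapping for user %s" % user_dn)
    # Explicit trust delegation: the signer must be the user or a trusted agent.
    if endorser_dn != user_dn and not is_trusted_agent(endorser_dn, uudb):
        raise PermissionError("endorser %s is not user or trusted agent" % endorser_dn)
    # The sender must likewise be the user or a trusted agent (portal, forwarding NJS).
    if consignor_dn != user_dn and not is_trusted_agent(consignor_dn, uudb):
        raise PermissionError("consignor %s is not user or trusted agent" % consignor_dn)
    return xlogin

def demo():
    """Run the role combinations shown on the architecture and ETD slides."""
    user = "CN=Alice,O=FZJ,C=DE"
    portal = "CN=portal.example,O=FZJ,C=DE"
    njs = "CN=njs.siteb.example,O=FZJ,C=DE"
    stranger = "CN=Mallory,O=Elsewhere,C=XX"
    results = {
        "client_to_njs": authorize(user, user, user),
        "njs_forwards_subjob": authorize(user, user, njs),
        "portal_etd": authorize(user, portal, portal),
        "portal_job_forwarded": authorize(user, portal, njs),
    }
    try:  # signed and sent by a DN that is neither the user nor an agent
        authorize(user, stranger, stranger)
        results["unknown_endorser"] = "accepted"
    except PermissionError:
        results["unknown_endorser"] = "rejected"
    return results
```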

Page 7: Unicore Security  and its Way to Interoperability


Unicore Security Components

[Diagram: Client with User Credentials and Proxy Certificate Plugin → Gateway of Usite A → Vsite A1 (NJS with Unicore User Database; Globus TSI → Globus)]

• Unicore – Globus Interoperability: Globus Proxy Certificates
  – Generated by Proxy Certificate Plugin
  – Extracted from Unicore job at NJS
  – Sent to the Globus TSI

Page 8: Unicore Security  and its Way to Interoperability


Missing Components in Unicore

[Diagram: Client with User Credentials and VOMS Proxy Plugin → Gateway of Usite A → Vsite A1 (NJS with Workflow Engine and VOMS-enabled UUDB; TSI; Target System with File System and Batch System); VOMS Server]

• VO Management
  – HPC background: access granted to single users
  – Possible integration scenario: VOMS proxy plugin generates VOMS certificate (voms-proxy-init); NJS uses VOMS-enabled UUDB for user authorization

Page 9: Unicore Security  and its Way to Interoperability


Missing Components in Unicore

[Diagram: Client with User Credentials and MyProxy Plugin → Gateway of Usite A → Vsite A1 (NJS with Workflow Engine and UUDB; TSI; Target System with File System and Batch System); MyProxy Server]

• Proxy Service
  – Job sent to batch system
  – Access only to local file systems (GPFS, NFS, …)
  – No additional “Grid authorization” necessary (and possible)
  – Possible integration scenario: MyProxy plugin generates and stores proxy certificate in MyProxy Server; TSI accesses MyProxy server to obtain user credentials

Page 10: Unicore Security  and its Way to Interoperability


Interoperability Environment: Job Submit gLite to Unicore

[Diagram: gLite Environment – gLite UI (glite-job-submit, glite-job-status) → Resource Broker Node (Network Server, Workload Manager, Match Maker / Broker, Job Adapter, Job Controller – Condor-U, UNICORE Trusted Agent, UNICORE Information Provider) with BDII, File Catalogue, MyProxy Server, VOMS and VOMS client; UNICORE Environment – Gateway of Usite A → Vsite A1 (NJS with Workflow Engine, Incarnation Database and UUDB / VOMS UUDB; TSI; Target System with File System and Batch System), user credentials, DEISA MDS4]

Page 11: Unicore Security  and its Way to Interoperability


Interoperability Environment: Unicore to gLite

[Diagram: UNICORE Environment – Client (Job Preparation / Workflow Editor, Job Monitoring, User Certificate, VOMS/MyProxy Plugin) → Gateway of Usite A → Vsite A1 (NJS with Workflow Engine, Unicore User Database and Incarnation Database; TSI) → gLite Computing Element; gLite Environment – gLite UI (glite-job-submit, glite-job-status), Resource Broker Node (Network Server, Workload Manager, Job Controller – CondorG, Match Maker / Broker, Job Adapter), BDII, File Catalogue, MyProxy Server, VOMS]

Page 12: Unicore Security  and its Way to Interoperability


Next Steps

• VOMS Integration
  – Addressed in OMII-Europe JRA1
  – Focus on Unicore 6; EGEE-II needs solution for Unicore 5
• MyProxy Integration
  – Has to be addressed in OMII-Europe JRA3
  – Offers access to “Grid storage”, OGSA-DAI (?), applications using remote services
  – Strong reservations within Unicore community
• Fine grained Authorization
  – Application level
  – Methods on properties

Page 13: Unicore Security  and its Way to Interoperability


Some Questions

• VOMS-Proxy-Init
  – Java version available?
• VOMS Client (similar to component running on CE)
  – Java version available?
• MyProxy Client
  – Java version available?
• WMS
  – Does it access VOMS server?
• Server Credentials
  – How are they stored?
• Integration of OGSA-BES Interface into ICE (Interface to CREAM Environment)
  – Access to Unicore, gLite, Globus
  – How is authentication and authorization handled?

Page 14: Unicore Security  and its Way to Interoperability


Future

Users can access applications on any Grid infrastructure without worrying about credentials