EGEE-II INFSO-RI-031688
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE and gLite are registered trademarks
Unicore Security and its Way to Interoperability
Daniel Mallmann – Research Centre Juelich
MWSG Meeting, CERN 14-15 November 2006
Daniel Mallmann, FZJ, MWSG Meeting, CERN, 14-15 November 2006

Unicore Architecture and Roles

[Diagram: Client (User Credentials, Job Preparation / Workflow Editor, Job Monitoring, Application Plugin, Workflow Engine) → Usite A Gateway → Vsite A1 NJS (Unicore User Database, Incarnation Database) → TSI → Target System (File System, Batch System); Usite B with its own Gateway and Vsites B1 and B2, each with NJS, Unicore User Database, Incarnation Database, TSI and Target System. The job carries a subjob for the second NJS.]

Job and subjob flow (user credentials on the client side, NJS server credentials on the server side):
• User creates job including subjob – user role: user
• User signs both jobs – endorser role: user
• User sends job to first NJS – consignor role: user
• NJS unpacks job and sends subjob to second NJS – user role: user, endorser role: user, consignor role: NJS
Unicore Explicit Trust Delegation

[Diagram: Client (Web Browser, User Credentials) → Portal (Portal Credentials, Job Preparation / Workflow Editor, Job Monitoring, Application Plugin, Workflow Engine) → Usite A Gateway → Vsite A1 NJS (ETD UUDB, Incarnation Database, NJS credentials) → TSI → Target System (File System, Batch System); the subjob is forwarded to a second Usite/NJS.]

Job and subjob flow (user credentials, portal credentials and NJS credentials):
• User authenticates at portal (not necessarily using credentials)
• User creates job in portal – user role: user
• Portal signs job – user role: user, endorser role: portal
• Portal sends job to NJS – user role: user, endorser role: portal, consignor role: portal
• NJS unpacks job and sends subjob to second NJS – user role: user, endorser role: portal, consignor role: NJS
Unicore Security Components

[Diagram: Client (User Credentials) → Usite A Gateway → Vsite A1 NJS (Unicore User Database) → TSI → Target System (File System, Batch System)]

• Transport Level
  – Client-Gateway and Gateway-NJS connections are mutually authenticated client-server SSL (consignor key and Gateway/NJS key)
• Message Level
  – All messages are signed with the endorser key
  – Still looking for a high-performance signing mechanism for the Unicore 6 Web services implementation
• NJS and Gateway Credentials
  – X509 certificates
  – PKCS12 format
  – Password usually in configuration file
Unicore Security Components

[Diagram: Client (User Credentials) → Usite A Gateway → Vsite A1 NJS (Unicore User Database) → TSI → Target System (File System, Batch System)]

• User Credentials: Unicore Keystore
  – File in configuration directory of the Unicore client
  – X509 certificate
  – Private key, PKCS12 format
  – List of trusted CAs
  – List of trusted developer certificates for application plugins
• User Authentication: Unicore Gateway
  – List of trusted CAs
  – List of URLs of the certificate revocation lists (CRLs)
Unicore Security Components

[Diagram: Client (User Credentials) → Usite A Gateway → Vsite A1 NJS (Unicore User Database) → TSI → Target System (File System, Batch System)]

• User Authorization: Unicore User DataBase (UUDB)
  – Mapping of user certificates to Xlogin on target system
  – Different implementations: Java class with plain file; Web service with XML file
  – DEISA evaluates only the Distinguished Name of the certificate
• Delegation: NJS – Explicit Trust Delegation
  – Each trusted agent has to be added to the UUDB, Xlogin prefix = agent-
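The three roles from the architecture and ETD slides (user, endorser, consignor) and the UUDB and agent- rules on this slide can be combined into one authorization decision at the NJS. The following is an added example written for this page, not Unicore code. It assumes identities are X.509 subject DNs given as strings (as in the DEISA UUDB, only the DN is evaluated, so the issuer is not part of the lookup key), that the endorser's message-level signature is modelled with HMAC-SHA256 over the job bytes as a stand-in for the X.509 signature, that the consignor DN is the peer authenticated on the mutually authenticated SSL connection, that the UUDB is the plain-file variant with one `DN=xlogin` line per entry, and that an NJS forwarding a subjob is registered in the UUDB like any other trusted agent.

```python
"""Added example, not Unicore code: NJS-side check of the user / endorser /
consignor roles against a plain-file UUDB with Explicit Trust Delegation.

Assumptions (not from the slides): DNs as plain strings, HMAC-SHA256 as a
stand-in for the X.509 endorser signature, consignor taken from the SSL peer,
and NJS instances registered in the UUDB as 'agent-' entries.
"""
import hashlib
import hmac

# Constructed sample keys standing in for the private keys in the keystores.
# Mallory's key is known to the verifier but Mallory is not a registered agent.
KEYS = {
    "CN=Alice,O=FZJ": b"alice-key",
    "CN=portal,O=FZJ": b"portal-key",
    "CN=njs-a1,O=FZJ": b"njs-key",
    "CN=Mallory,O=Evil": b"mallory-key",
}

# Constructed sample UUDB, plain-file variant: DN=xlogin per line,
# trusted agents (portal, NJS) carry the 'agent-' Xlogin prefix.
UUDB_TEXT = """# sample UUDB for the example
CN=Alice,O=FZJ=alice
CN=portal,O=FZJ=agent-portal
CN=njs-a1,O=FZJ=agent-njs-a1
"""


def parse_uudb(text):
    """Parse 'DN=xlogin' lines into a dict; the DN itself contains '=',
    so the split is taken at the last '=' of the line."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, _, xlogin = line.rpartition("=")
        db[dn] = xlogin
    return db


def sign(job: bytes, endorser_dn: str) -> bytes:
    """Endorser signature over the job (HMAC stand-in for the X.509 signature)."""
    return hmac.new(KEYS[endorser_dn], job, hashlib.sha256).digest()


def is_trusted_agent(uudb, dn):
    """ETD rule from the slide: an agent is trusted only if it is in the UUDB
    with an Xlogin that starts with 'agent-'."""
    return uudb.get(dn, "").startswith("agent-")


def authorize_job(uudb, job, user_dn, endorser_dn, signature, consignor_dn):
    """Return (ok, xlogin) on success or (False, reason) on rejection."""
    # 1. Message level: the endorser signature over the job must verify.
    if endorser_dn not in KEYS or not hmac.compare_digest(sign(job, endorser_dn), signature):
        return False, "bad endorser signature"
    # 2. User authorization: the user DN must be mapped to an Xlogin.
    xlogin = uudb.get(user_dn)
    if xlogin is None:
        return False, "user not in UUDB"
    # 3. Explicit trust delegation: a job endorsed by someone other than the
    #    user (e.g. the portal) is accepted only from a registered trusted agent.
    if endorser_dn != user_dn and not is_trusted_agent(uudb, endorser_dn):
        return False, "endorser is not a trusted agent"
    # 4. Transport level: the consignor (SSL peer) must be the user or a trusted
    #    agent, which covers a first NJS forwarding a subjob to a second NJS.
    if consignor_dn != user_dn and not is_trusted_agent(uudb, consignor_dn):
        return False, "consignor is not a trusted agent"
    return True, xlogin


if __name__ == "__main__":
    uudb = parse_uudb(UUDB_TEXT)
    alice, portal, njs = "CN=Alice,O=FZJ", "CN=portal,O=FZJ", "CN=njs-a1,O=FZJ"
    job = b"<job user='CN=Alice,O=FZJ'>run</job>"  # constructed sample job
    print("user submits own job:   ", authorize_job(uudb, job, alice, alice, sign(job, alice), alice))
    print("NJS forwards subjob:    ", authorize_job(uudb, job, alice, alice, sign(job, alice), njs))
    print("portal endorses (ETD):  ", authorize_job(uudb, job, alice, portal, sign(job, portal), portal))
    print("untrusted endorser:     ", authorize_job(uudb, job, alice, "CN=Mallory,O=Evil",
                                                    sign(job, "CN=Mallory,O=Evil"), "CN=Mallory,O=Evil"))
```

The ordering of the checks matters: the signature is verified before any UUDB lookup, so an unsigned or tampered job never reaches the mapping step, and the agent- prefix is what distinguishes a portal or NJS that may act on a user's behalf from an ordinary user entry.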
Unicore Security Components

[Diagram: Client (User Credentials, Proxy Certificate Plugin) → Usite A Gateway → Vsite A1 NJS (Unicore User Database) → Globus TSI → Globus]

• Unicore – Globus Interoperability: Globus Proxy Certificates
  – Generated by Proxy Certificate Plugin
  – Extracted from Unicore job at NJS
  – Sent to the Globus TSI
Missing Components in Unicore

[Diagram: Client (User Credentials, Workflow Engine, VOMS Proxy Plugin) → Usite A Gateway → Vsite A1 NJS (VOMS-enabled UUDB) → TSI → Target System (File System, Batch System); VOMS Server contacted by the plugin]

• VO Management
  – HPC background: access granted to single users
  – Possible integration scenario: VOMS proxy plugin generates VOMS certificate (voms-proxy-init); NJS uses VOMS-enabled UUDB for user authorization
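The "VOMS-enabled UUDB" in this scenario has to reconcile the HPC habit of granting access to single users with the VO attributes a VOMS proxy carries. One way to do that, as an added example written for this page rather than gLite or Unicore code: the DN mapping keeps priority (one user, one account), and only when the DN is unknown are the FQANs from the proxy matched against ordered rules that yield either a fixed Xlogin or a pool account. The rule-file format (`dn:` entries, shell-style patterns on FQANs, `.name` for a pool prefix borrowed from the gLite grid-mapfile convention), the in-memory pool leases and the sample FQANs are assumptions of the example; the FQAN syntax `/vo/group/Role=r/Capability=c` is what voms-proxy-init produces.

```python
"""Added example, not gLite or Unicore code: a minimal VOMS-enabled UUDB that
maps (certificate DN, VOMS FQANs) to an Xlogin on the target system.

Assumed rule format (invented for this example):
  dn:<DN>        <xlogin>    exact DN match, checked first
  <fqan-pattern> <xlogin>    fnmatch pattern on a normalized FQAN, in order
  an <xlogin> starting with '.' names a pool account prefix
"""
import fnmatch

RULES_TEXT = """# constructed sample rules, not a real deployment
dn:CN=Alice,O=FZJ                alice
/deisa/fzj/Role=admin            deisaadm
/deisa/*                         .deisa
/atlas/Role=production           .atlasprd
/atlas                           .atlas
"""


def normalize_fqan(fqan):
    """Drop the 'Role=NULL' / 'Capability=NULL' parts voms-proxy-init appends,
    so '/atlas/Role=NULL/Capability=NULL' becomes '/atlas'."""
    parts = [p for p in fqan.split("/") if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(parts)


class VomsUudb:
    def __init__(self, rules_text, pool_size=3):
        self.dn_map = {}      # DN -> xlogin (HPC style single-user entries)
        self.rules = []       # (fqan pattern, xlogin or .pool), in file order
        self.pool_size = pool_size
        self.leases = {}      # pool prefix -> {DN: account}
        for line in rules_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            pattern, xlogin = line.rsplit(None, 1)   # DN may contain spaces
            if pattern.startswith("dn:"):
                self.dn_map[pattern[3:]] = xlogin
            else:
                self.rules.append((pattern, xlogin))

    def _pool_account(self, pool, dn):
        """Give a DN the same pool account on every call; None if exhausted."""
        leases = self.leases.setdefault(pool, {})
        if dn in leases:
            return leases[dn]
        used = set(leases.values())
        for i in range(1, self.pool_size + 1):
            account = f"{pool}{i:03d}"
            if account not in used:
                leases[dn] = account
                return account
        return None

    def map_user(self, dn, fqans):
        """Return the Xlogin for this DN and proxy, or None if not authorized.
        FQANs are tried in proxy order (primary FQAN first), each against the
        rules in file order, so the user's primary group/role decides."""
        if dn in self.dn_map:
            return self.dn_map[dn]
        for fqan in fqans:
            norm = normalize_fqan(fqan)
            for pattern, xlogin in self.rules:
                if fnmatch.fnmatchcase(norm, pattern):
                    if xlogin.startswith("."):
                        return self._pool_account(xlogin[1:], dn)
                    return xlogin
        return None


if __name__ == "__main__":
    uudb = VomsUudb(RULES_TEXT, pool_size=2)
    # constructed sample proxies: (DN, FQAN list as voms-proxy-init would attach)
    samples = [
        ("CN=Alice,O=FZJ", ["/atlas/Role=NULL/Capability=NULL"]),
        ("CN=Bob,O=FZJ", ["/deisa/fzj/Role=admin/Capability=NULL"]),
        ("CN=Carol,O=LRZ", ["/deisa/lrz/Role=NULL/Capability=NULL"]),
        ("CN=Frank,O=CERN", ["/atlas/Role=production/Capability=NULL"]),
        ("CN=Heidi,O=CERN", ["/cms/Role=NULL/Capability=NULL"]),
    ]
    for dn, fqans in samples:
        print(f"{dn:20s} {fqans[0]:42s} -> {uudb.map_user(dn, fqans)}")
```

Because the DN entries are consulted first, a site can keep its existing one-user-one-account UUDB unchanged and only add FQAN rules for VO members it has no personal account for; the pool lease keeps a returning DN on the same account, which is what file ownership on the local file system needs.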
Missing Components in Unicore

[Diagram: Client (User Credentials, Workflow Engine, MyProxy Plugin) → Usite A Gateway → Vsite A1 NJS (UUDB) → TSI → Target System (File System, Batch System); MyProxy Server written by the plugin and read by the TSI]

• Proxy Service
  – Job sent to batch system
  – Access only to local file systems (GPFS, NFS, …)
  – No additional "Grid authorization" necessary (and possible)
  – Possible integration scenario: MyProxy plugin generates and stores proxy certificate in MyProxy Server; TSI accesses MyProxy server to obtain user credentials
Interoperability Environment: Job Submit gLite to Unicore

[Diagram: gLite Environment – gLite UI (glite-job-submit, glite-job-status, …), Resource Broker Node (Network Server, Workload Manager, MatchMaker/Broker, Job Adapter, Job Controller – Condor-U), BDII, File Catalogue, VOMS, VOMS client, MyProxy Server. Bridging components: UNICORE Information Provider, UNICORE Trusted Agent, DEISA MDS4. UNICORE Environment – Usite A Gateway, Vsite A1 (NJS, TSI, Workflow Engine, Target System with File System and Batch System, Incarnation Database, UUDB, VOMS UUDB), user credentials.]
Interoperability Environment: Unicore to gLite

[Diagram: UNICORE Environment – Client (Job Preparation / Workflow Editor, Job Monitoring, User Certificate, VOMS/MyProxy Plugin), Usite A Gateway, Vsite A1 (NJS, TSI, Workflow Engine, Unicore User Database, Incarnation Database). gLite Environment – gLite UI (glite-job-submit, glite-job-status, …), Resource Broker Node (Network Server, Workload Manager, Job Controller – CondorG, MatchMaker/Broker, Job Adapter), BDII, File Catalogue, gLite Computing Element, MyProxy Server, VOMS.]
Next Steps

• VOMS Integration
  – Addressed in OMII-Europe JRA1
  – Focus on Unicore 6; EGEE-II needs solution for Unicore 5
• MyProxy Integration
  – Has to be addressed in OMII-Europe JRA3
  – Offers access to "Grid storage": OGSA-DAI (?), applications using remote services
  – Strong reservations within Unicore community
• Fine grained Authorization
  – Application level
  – Methods on properties
Some Questions

• VOMS-Proxy-Init – Java version available?
• VOMS Client (similar to component running on CE) – Java version available?
• MyProxy Client – Java version available?
• WMS – Does it access VOMS server?
• Server Credentials – How are they stored?
• Integration of OGSA-BES Interface into ICE (Interface to CREAM Environment)
  – Access to Unicore, gLite, Globus
  – How is authentication and authorization handled?
Future

Users can access applications on any Grid infrastructure without worrying about credentials