Gateway System

Presentation Transcript


  1. Gateway System: New Generation of WebFlow. T. Haupt, DATORR meeting

  2. Gateway Objectives
     • To provide infrastructure supporting development of problem solving environments: create user space, define problem, identify resources.
     • To provide seamless and secure access to remote resources: allocate resources, monitor resources.
     Ken Flurchick, http://www.osc.edu/~kenf/Gateway

  3. Three-Tier Architecture
     • Tier 1 is a high-level front-end for visual programming.
     • Distributed object-based, scalable, and reusable Web server and Object broker middleware forms Tier 2.
     • Back-end services comprise Tier 3.
     (Figure labels: Front-End, Services, User Modules, Back-End Resources.)

  4. OO Front-End (figure labels: Data Flow Front-End, Standard Interfaces, Task Specification Services, User Modules, DATORR Metacomputing Services, Back-End Resources.)

  5. Architecture of Gateway (figure labels: DOM/XML, Globus.)

  6. CORBA-Based Middle-Tier
     • Mesh of WebFlow servers implemented as CORBA objects.
     • Each server provides specific services and serves as a container for users' modules.
     • The front end enters the mesh through a Gatekeeper that performs authentication and authorization.

  7. Middle-Tier (figure.)

  8. Security Model
     • Layer 1: secure Web delegation. The front-end applet reaches the stakeholders over https.
     • Layer 2: secure CORBA. The Gatekeeper and servers communicate over SECIOP.
     • Layer 3: secure access to resources. Authentication and authorization against HPCC resources via GSSAPI; policies are defined by the resource owners.

  9. Distributed Objects are less secure
     • They can play both client and server: in client/server you trust the server, but not the clients.
     • They evolve continually: objects delegate parts of their implementation to other objects (also dynamically composed at runtime), and because of subclassing the implementation of an object may change over time.
     • Their interactions are not well defined: because of encapsulation, you cannot understand all the interactions between objects.
     • They are polymorphic (ideal for Trojan horses!).
     • They can scale without limit: how do you manage access rights to millions of servers?
     • They are very dynamic.

  10. CORBA security is built into the ORB (figure labels: User, Client, Server, Object Adapter; Credentials, Authentication, Authorization, Encryption, Audit, Secure Communications.)

  11. Authentication
     • A principal is authenticated once by the ORB and given a set of credentials, including one or more roles, privileges, and an authenticated ID.
     • An authenticated ID is automatically propagated by a secure ORB; it is part of the caller context.
     (Figure labels: Client, Server; Principal, Credentials, Current; authenticate, set_credentials, get_attributes.)

  12. Privilege Delegation
     • No delegation: the intermediary uses its own credentials.
     • Simple delegation: the intermediary impersonates the client.
     • Composite delegation: the intermediary uses both its own and the client's credentials.
     (Figure: Client → Target directly, and Client → Target via intermediary objects over IIOP.)

  13. CORBA access model
     • Based on a trusted ORB model: you must trust that your ORB will enforce the access policy on the server resource.
     • The ORB determines if this client, on behalf of this principal, can do this operation on this object.
     • Server uses Access Control Lists (ACL) to control user access.
     (Figure labels: Principal → Role → Rights → Operation.)
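Slides 11 through 13 describe three mechanisms without showing how they fit together: credentials issued once at authentication, the three delegation modes an intermediary can use, and the ACL walk (principal, role, rights, operation) that the trusted ORB performs at the target. The model below is an added example written for this page, not Gateway, WebFlow or any ORB's code. The role and right names, the operations, and the decision policy (every principal the target can see must hold the required rights) are assumptions made for illustration; the point it shows is that under simple delegation the target only ever sees the client, while under no delegation or composite delegation a low-privilege intermediary changes the outcome.

```python
"""Credential propagation and ACL check, modelled after slides 11-13.
Added example for this page; not Gateway/WebFlow code. Roles, rights,
operations and the decision policy are assumptions."""
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class Credentials:
    """What a secure ORB hands a principal after authenticating it once:
    an authenticated ID plus the roles granted at that time."""
    principal: str
    roles: frozenset


class Delegation(Enum):
    NONE = "none"            # intermediary calls the target as itself
    SIMPLE = "simple"        # intermediary impersonates the client
    COMPOSITE = "composite"  # target sees both client and intermediary


# Server-side ACL: role -> rights. Assumed values; the slide only names
# the chain Principal -> Role -> Rights -> Operation.
ACL = {
    "guest": {"get"},
    "user": {"get", "set"},
    "operator": {"get", "set", "execute"},
}

# Rights each operation on the target object requires (assumed).
REQUIRED = {
    "get_attributes": {"get"},
    "set_credentials": {"set"},
    "globusrun": {"execute"},
}


def rights_of(creds):
    """Union of the rights granted by every role in the credentials."""
    return set().union(*(ACL.get(role, set()) for role in creds.roles))


def access_decision(operation, visible):
    """The trusted-ORB check: may this caller chain do this operation?
    Policy chosen for this example: every principal visible to the target
    (one under NONE or SIMPLE, two under COMPOSITE) must hold the required
    rights. Unknown operations and an empty chain are denied."""
    if operation not in REQUIRED or not visible:
        return False
    return all(REQUIRED[operation] <= rights_of(c) for c in visible)


def propagate(client, intermediary, mode):
    """Credentials the target sees after one hop through an intermediary."""
    if mode is Delegation.NONE:
        return [intermediary]
    if mode is Delegation.SIMPLE:
        return [client]
    return [client, intermediary]


def invoke(operation, client, intermediary, mode, audit):
    """client -> intermediary -> target; the decision is made at the target
    and recorded (operation, mode, principal chain, outcome) for audit."""
    visible = propagate(client, intermediary, mode)
    allowed = access_decision(operation, visible)
    audit.append((operation, mode.value, [c.principal for c in visible], allowed))
    return allowed


def delegation_demo():
    """Constructed input: an operator-role user calling globusrun through a
    guest-role proxy module under each delegation mode."""
    alice = Credentials("alice", frozenset({"operator"}))
    proxy = Credentials("webflow-proxy", frozenset({"guest"}))
    audit = []
    outcome = {m.value: invoke("globusrun", alice, proxy, m, audit) for m in Delegation}
    return outcome, audit


if __name__ == "__main__":
    print(delegation_demo())
```

Only simple delegation lets the call through, because it is the only mode in which the guest-role proxy is invisible to the target; the audit trail records which principals the target actually saw, which is what an incident responder needs to tell an impersonated call from one the proxy made on its own authority.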

  14. Slide from Mary Thompson, http://www-itg.lbl.gov/security/Akenti/DOE2000/sld014.htm

  15. WebFlow Server
     • A WebFlow server is given by a hierarchy of containers and components.
     • A WebFlow server hosts users and services.
     • Each user maintains a number of applications composed of custom modules and common services.
     (Figure labels: User 1, User 2; Application 1, Application 2, App 1, App 2; WebFlow Services.)

  16. Initialization of a session (figure labels: Portal Page; mutual authentication with the Secure Web Server; AKENTI; start; Credentials, Globus Cert.; Front End Applet on Netscape's ORB; User Context on the WebFlow Server, ORBacus ORB; IIOP between them.)

  17. Building an application (figure labels: Application Context, Applet; List of servers; Add module; List of modules, local, remote; List of events; List of methods; Adapter; Attach Event E to method M; IIOP between Netscape ORB and ORBacus ORB.)

  18. Event binding (figure labels: Event Source, Adapter, Event Target; addEventListener, rmEventListener, fireEvent(E,M); method M; binding table; Event; DII, DSI, ORB.)
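The event-binding slide names the adapter's operations (addEventListener, rmEventListener, fireEvent) and the binding table that maps an event E to a method M on the target, but the dispatch is dynamic (DII/DSI), which is exactly the property slide 9 flags as risky. The following is an added example written for this page, not WebFlow's adapter code. It implements the binding table as described and adds one assumption of its own: each module declares which methods it exports, and the adapter refuses to bind an event to anything else, so a dynamically composed module cannot route an event into an arbitrary method of another module.

```python
"""Event binding through an adapter, modelled after slide 18. Added example
for this page; not WebFlow code. The `exported` allow-list is an assumption
added here as the check a practitioner would want on dynamic dispatch."""


class Module:
    """A user module that exports a fixed set of methods as event targets."""
    exported = ("on_data", "on_done")

    def __init__(self, name):
        self.name = name
        self.log = []

    def on_data(self, payload):
        self.log.append(("data", payload))

    def on_done(self, payload):
        self.log.append(("done", payload))

    def reset(self, payload):
        # Present on the object but deliberately not exported: must stay unbindable.
        self.log.clear()


class Adapter:
    """Binding table: event name -> list of (target, method name)."""

    def __init__(self):
        self.table = {}

    def addEventListener(self, event, target, method):
        """Bind event E to method M on target; refuse non-exported methods."""
        if method not in getattr(target, "exported", ()):
            raise PermissionError(f"{method!r} is not exported by {target.name}")
        self.table.setdefault(event, []).append((target, method))

    def rmEventListener(self, event, target, method):
        """Remove one binding; a binding that was never added is ignored."""
        self.table[event] = [b for b in self.table.get(event, []) if b != (target, method)]

    def fireEvent(self, event, payload):
        """Deliver event E to every bound (target, M); returns the delivery count.
        The table is copied first so a listener may rebind during delivery."""
        delivered = 0
        for target, method in list(self.table.get(event, [])):
            getattr(target, method)(payload)
            delivered += 1
        return delivered


def binding_demo():
    """Constructed scenario: bind two methods, fire, unbind one, fire again,
    then try to bind the non-exported `reset` method."""
    adapter = Adapter()
    viz = Module("viz")
    adapter.addEventListener("E", viz, "on_data")
    adapter.addEventListener("E", viz, "on_done")
    first = adapter.fireEvent("E", 42)
    adapter.rmEventListener("E", viz, "on_done")
    second = adapter.fireEvent("E", 43)
    try:
        adapter.addEventListener("E", viz, "reset")
        rejected = False
    except PermissionError:
        rejected = True
    return first, second, list(viz.log), rejected


if __name__ == "__main__":
    print(binding_demo())
```

Without the allow-list, `getattr(target, method)` would happily resolve `reset` or any other attribute name a remote module supplied in the binding request; in the CORBA setting the equivalent check belongs where the DSI servant resolves the operation name, before the call is dispatched.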

  19. WebFlow over Globus. In order to run WebFlow over Globus there must be at least one WebFlow node capable of executing Globus commands, such as globusrun. Jobs that require the computational power of massively parallel computers are directed to the Globus domain, while others can be launched on much more modest platforms, such as the user's desktop or even a laptop running Windows NT. (Figure: Bridge between WebFlow and Globus.)

  20. Gateway Components
     • Front End (Java Applets): many different "plug-ins" implementing the WebFlow API.
     • Middle Tier (CORBA).
     • Back End modules (anything from JDBC to HPF), following the JavaBeans model.
     • Proxy Modules: access to remote HPCC resources.
