130 likes | 255 Views
PKI in Practice: The Open Science Grid. Michael Fenn CPSC 620, Fall 09. What is grid computing?. Grid computing is the process of allowing loosely-coupled virtual organizations to share resources over a wide area network. What does this mean? I’m at Prestigious University I have some jobs
E N D
PKI in Practice: The Open Science Grid Michael Fenn CPSC 620, Fall 09
What is grid computing? • Grid computing is the process of allowing loosely-coupled virtual organizations to share resources over a wide area network. • What does this mean? • I’m at Prestigious University • I have some jobs • I want to run them • Well-known State University has idling computers • Grid computing lets me get my jobs there • (Foster, Kesselman and Tuecke, The Anatomy of the Grid: Enabling Scalable Virtual Organzations 2001)
Motivations • My usage is bursty • Big paper deadline • End of semester • Etc. • Their usage is bursty • Our bursts don’t coincide • Let’s share • (Armbrust, et al. 2009)
OSG • Many grids, let’s pick one • 2 realities • Loosely federated Virtual Organizations (VOs) • Loosely federated sites • 2 elements of security • Public Key Infrastructure (PKI) • Web of trust model
Virtual Organizations • A group of users who share a “common interest” • Definition of “common interest” is flexible • Examples: • High-energy physicists: ATLAS, STAR, CMS, Alice • Bioinformatics: CompBioGrid • Nanotechnology: Nanohub • Just learning: Engagement, OSG-EDU
Sites • Sites are collections of resources • Compute Elements • Globus gatekeeper for authentication • Batch scheduler (PBS, Condor) for getting jobs to compute nodes • Monitoring and accounting to keep the higher-ups happy • Storage Elements • Storage Resource Manager (SRM) for authentication • Big bit bucket for storage • Monitoring and accounting here too
Securing the grid • Public-key infrastructure • Users are affiliated with VOs • VOs issue certificates • Sites trust certificates issued by particular VOs • Confidentiality and Integrity are maintained
Web of trust • Sites choose which VOs to trust • Resources also have certificates • Users can be confident that the resource is what it claims to be • Sites generally trust the VO that issued their cert • This is not required however!
Types of trust • 3 main types: • VO-User trust • VOs establish criteria for membership • Site-VO trust • Factors in deciding whom to trust • VO requirements • Trust reciprocity • OSG-VO trust • OSG maintains a list of trusted VOs • Trusted VOs have their CA certificates included in the OSG software distribution
Security Implications • Users have been “accredited” by a VO • If things do go wrong, I have his cert • I know his name • I know who vouched for him • VOs have incentive to maintain well-behaved membership
Conclusions • OSG runs securely due to: • PKI • Web of trust • Flexible and scalable • I don’t have to make a UNIX user account for everybody • Users are still accountable
Questions, Comments? • Thank you for listening!