Unicore Security and its Way to Interoperability
Daniel Mallmann – Research Centre Juelich
MWSG Meeting, CERN, 14-15 November 2006
Unicore Architecture and Roles
• User creates job including subjob (user role: user)
• User signs both jobs (endorser role: user)
• User sends job to first NJS (consignor role: user)
• NJS unpacks job and sends subjob to second NJS (user role: user; endorser role: user; consignor role: NJS)
[Diagram: Client (User Credentials, Job Preparation / Workflow Editor, Job Monitoring, Application Plugin) connects through the Gateway to Usite A and Usite B; each Vsite (A1, B1, B2) runs an NJS (Unicore User Database, Workflow Engine, Incarnation Database) in front of a Target System (TSI, Batch System, File System). NJS server credentials and user credentials are marked.]
Daniel Mallmann, FZJ, MWSG Meeting, CERN, 14-15 November 2006
Unicore Explicit Trust Delegation
• User authenticates at portal (not necessarily using credentials)
• User creates job in portal (user role: user)
• Portal signs job (user role: user; endorser role: portal)
• Portal sends job to NJS (user role: user; endorser role: portal; consignor role: portal)
• NJS unpacks job and sends subjob to second NJS (user role: user; endorser role: portal; consignor role: NJS)
[Diagram: Client (Web Browser, User Credentials) talks to a Portal (Portal Credentials, Job Preparation / Workflow Editor, Job Monitoring, Application Plugin), which submits through the Gateway to Usite A / Vsite A1; the NJS (ETD UUDB, Workflow Engine, Incarnation Database) incarnates on the Target System (TSI, Batch System, File System). Portal credentials, user credentials and NJS credentials are marked.]
Unicore Security Components
• Transport Level
  • Client-Gateway and Gateway-NJS connections are mutually authenticated client-server SSL (consignor key and Gateway/NJS key)
• Message Level
  • All messages are signed with the endorser key
  • Still looking for a high-performance signing mechanism for the Unicore 6 Web services implementation
• NJS and Gateway Credentials
  • X509 certificates
  • PKCS12 format
  • Password usually in configuration file
[Diagram: Client (User Credentials), Gateway, Usite A / Vsite A1, NJS (Unicore User Database), Target System (TSI, Batch System, File System)]
Unicore Security Components
• User Credentials: Unicore Keystore
  • File in configuration directory of the Unicore client
  • X509 certificate
  • Private key in PKCS12 format
  • List of trusted CAs
  • List of trusted developer certificates for application plugins
• User Authentication: Unicore Gateway
  • List of trusted CAs
  • List of URLs of the certificate revocation lists (CRLs)
[Diagram: Client (User Credentials), Gateway, Usite A / Vsite A1, NJS (Unicore User Database), Target System (TSI, Batch System, File System)]
Unicore Security Components
• User Authorization: Unicore User DataBase (UUDB)
  • Mapping of user certificates to Xlogin on target system
  • Different implementations
    • Java class with plain file
    • Web service with XML file
  • DEISA evaluates only the Distinguished Name of the certificate
• Delegation: NJS – Explicit Trust Delegation
  • Each trusted agent has to be added to the UUDB
  • Xlogin prefix = agent-
[Diagram: Client (User Credentials), Gateway, Usite A / Vsite A1, NJS (Unicore User Database), Target System (TSI, Batch System, File System)]
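The role model from the architecture and Explicit Trust Delegation slides and the UUDB rules above, as an added simplified model (not UNICORE code): the consignor is whoever authenticated the SSL link, the endorser must be the user or a UUDB entry with the "agent-" Xlogin prefix, and the job always incarnates as the user. DNs, the Job/UUDB classes and `authorize` are assumptions made for the example.

```python
from dataclasses import dataclass

AGENT_PREFIX = "agent-"  # Xlogin prefix that marks a trusted agent in the UUDB

@dataclass(frozen=True)
class Job:
    user: str       # DN of the user the job runs for
    endorser: str   # DN that signed the job (message level)
    consignor: str  # DN that delivered the job (transport level, SSL)

class UUDB:
    """Maps certificate DNs to an Xlogin; only the DN is evaluated (DEISA style)."""
    def __init__(self, entries):
        self._map = dict(entries)
    def xlogin(self, dn):
        return self._map.get(dn)
    def is_trusted_agent(self, dn):
        login = self._map.get(dn)
        return login is not None and login.startswith(AGENT_PREFIX)

def authorize(job, uudb, ssl_peer_dn):
    """Return the Xlogin to incarnate the job under, or None if the NJS rejects it."""
    # Transport level: the consignor must be the party that authenticated the SSL link.
    if job.consignor != ssl_peer_dn:
        return None
    # Message level: the user endorsed the job, or a trusted agent did (ETD).
    if job.endorser != job.user and not uudb.is_trusted_agent(job.endorser):
        return None
    # Jobs always incarnate as the user, never as the agent or the consignor.
    login = uudb.xlogin(job.user)
    if login is None or login.startswith(AGENT_PREFIX):
        return None  # unknown user, or an agent entry presented as a user
    return login

# Constructed sample UUDB with hypothetical DNs (not from the slides)
ALICE, PORTAL = "CN=Alice,O=Example", "CN=Portal,O=Example"
NJS_A, MALLORY = "CN=NJS-A,O=Example", "CN=Mallory,O=Example"
SAMPLE_UUDB = UUDB({ALICE: "alice", PORTAL: "agent-portal"})

def run_examples():
    return {
        "direct": authorize(Job(ALICE, ALICE, ALICE), SAMPLE_UUDB, ALICE),               # 'alice'
        "subjob_via_njs": authorize(Job(ALICE, ALICE, NJS_A), SAMPLE_UUDB, NJS_A),       # 'alice'
        "portal_etd": authorize(Job(ALICE, PORTAL, PORTAL), SAMPLE_UUDB, PORTAL),        # 'alice'
        "untrusted_endorser": authorize(Job(ALICE, MALLORY, MALLORY), SAMPLE_UUDB, MALLORY),  # None
        "consignor_spoof": authorize(Job(ALICE, ALICE, ALICE), SAMPLE_UUDB, MALLORY),    # None
        "agent_as_user": authorize(Job(PORTAL, PORTAL, PORTAL), SAMPLE_UUDB, PORTAL),    # None
    }
```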
Unicore Security Components
• Unicore – Globus Interoperability: Globus Proxy Certificates
  • Generated by the Proxy Certificate Plugin
  • Extracted from the Unicore job at the NJS
  • Sent to the Globus TSI
[Diagram: Client (User Credentials, Proxy Certificate Plugin), Gateway, Usite A / Vsite A1, NJS (Unicore User Database), Target System (Globus TSI, Globus)]
Missing Components in Unicore
• VO Management
  • HPC background: access granted to single users
  • Possible integration scenario:
    • VOMS proxy plugin generates VOMS certificate (voms-proxy-init)
    • NJS uses VOMS-enabled UUDB for user authorization
[Diagram: Client (User Credentials, VOMS Proxy Plugin) and VOMS Server, Gateway, Usite A / Vsite A1, NJS (VOMS-enabled UUDB, Workflow Engine), Target System (TSI, Batch System, File System)]
Missing Components in Unicore
• Proxy Service
  • Job sent to batch system
  • Access only to local file systems (GPFS, NFS, …)
  • No additional “Grid authorization” necessary (and possible)
  • Possible integration scenario:
    • MyProxy plugin generates and stores proxy certificate in MyProxy Server
    • TSI accesses MyProxy server to obtain user credentials
[Diagram: Client (User Credentials, MyProxy Plugin) and MyProxy Server, Gateway, Usite A / Vsite A1, NJS (UUDB, Workflow Engine), Target System (TSI, Batch System, File System)]
Job Submit: gLite to Unicore
[Diagram: gLite Environment (VOMS, User credentials, gLite UI with glite-job-submit / glite-job-status …, DEISA MDS4, VOMS client, MyProxy Server, Resource Broker Node with Network Server, File Catalogue, MatchMaker/Broker, BDII, Workload Manager, Job Adapter, Job Controller - Condor-U); Interoperability Environment (UNICORE Information Provider, UNICORE Trusted Agent); UNICORE Environment (Gateway, Usite A / Vsite A1, NJS with UUDB, VOMS UUDB, Workflow Engine, Incarnation Database; Target System with TSI, Batch System, File System)]
Job Submit: Unicore to gLite
[Diagram: UNICORE Environment (Client with User Certificate, Job Preparation / Workflow Editor, Job Monitoring, VOMS/MyProxy Plugin; Gateway; Usite A / Vsite A1; NJS with Unicore User Database, Workflow Engine, Incarnation Database; TSI); Interoperability Environment (gLite UI with glite-job-submit / glite-job-status …); gLite Environment (VOMS, MyProxy Server, Resource Broker Node with Network Server, File Catalogue, MatchMaker/Broker, Workload Manager, BDII, Job Adapter, Job Controller - CondorG; gLite Computing Element)]
Next Steps
• VOMS Integration
  • Addressed in OMII-Europe JRA1
  • Focus on Unicore 6
  • EGEE-II needs solution for Unicore 5
• MyProxy Integration
  • Has to be addressed in OMII-Europe JRA3
  • Offers access to
    • “Grid storage”
    • OGSA-DAI (?)
    • Applications using remote services
  • Strong reservations within Unicore community
• Fine-grained Authorization
  • Application level
  • Methods on properties
Some Questions
• VOMS-Proxy-Init
  • Java version available?
• VOMS Client (similar to component running on CE)
  • Java version available?
• MyProxy Client
  • Java version available?
• WMS
  • Does it access VOMS server?
• Server Credentials
  • How are they stored?
• Integration of OGSA-BES Interface into ICE (Interface to CREAM Environment)
  • Access to Unicore, gLite, Globus
  • How is authentication and authorization handled?
Future
Users can access applications on any Grid infrastructure without worrying about credentials.