APAN Grid-Middleware Workshop 2006. Grid security in NAREGI project.
NAREGI, the Japanese national science grid project, is researching and developing grid middleware to build an e-Science infrastructure under the CSI (Cyber Science Infrastructure) concept. This presentation covers current issues and future plans for grid security, including VO management for interoperability between grid projects.
CyberScience Infrastructure for Advanced Science (by NII)
To Innovate Academia and Industry
[Diagram: CyberScience Infrastructure, comprising a Scientific Repository (publication of scientific results from academia), Virtual Organizations for science, Industry Liaison and Social Benefit, NAREGI Middleware, UPKI, Global Contribution, and Human Resource Development and strong organization.]
Super-SINET: a next generation network infrastructure supported by NII and 7 National Computer Centers (Hokkaido University, Tohoku University, University of Tokyo, Nagoya University, Kyoto University, Osaka University, Kyushu University), together with NII and other sites (Tokyo Institute of Technology, Waseda University, High Energy Accelerator Research Organization (KEK), etc.).
Grid for enabling Collaborative Computing
• To realize a heterogeneous, large-scale computational environment
• To share large and expensive devices and databases
Security is a key issue to be solved!
[Diagram: a Virtual Organization over Super SINET linking researchers at University A (analysis using supercomputers), Overseas Lab B (experiments using special experimental devices) and Domestic Lab C (search in databases on a database server).]
NAREGI Software Stack (Beta ver. 2006)
[Diagram of the stack, top to bottom: Grid-Enabled Nano-Applications (WP6); Grid PSE, Grid Vis and Grid Workflow (WP3); Data Grid (WP4); Grid Programming with GridRPC and GridMPI (WP2); Distributed Information Service and Super Scheduler (WP1); Packaging; Globus 4 / NAREGI-WSRF + Services Core; Grid VM (WP1); High-Performance & Secure Grid Networking (WP5) over SuperSINET; Computing Centers & VOs (NII, IMS, KEK, University Centers).]
A Use Case: Job Submission with Reservation-based Co-Allocation
[Diagram: a client (WFT, PSE, GVS, GridRPC) submits a Workflow in Abstract JSDL to the Super Scheduler; the Super Scheduler issues a Resource Query to the Information Service (CIM, DAI) for resource information, performs reservation-based co-allocation (reservation, submission, query, control), and sends Concrete JSDL to the GridVM of each Computing Resource; GridMPI spans the co-allocated resources, and accounting is reported as UR/RUS.]
Security Requirements in AAA
• Authentication (NAREGI-CA has been developed and is to be deployed in UPKI)
  • PKI based user authentication
  • Compatible with GSI standards
  • Trust federation between CAs
• Authorization (current issues to be solved)
  • VO management for inter-organizational collaboration
  • Interoperable with other Grid projects
• Accounting (future issues)
  • ID federation for authorization & traceability
  • With privacy protection!
Virtual Organization and Security Domain
Definition of VO on GGF: "A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains."
・CAS (Community Authorization Service)
・VOMS (Virtual Organization Membership Service)
Services and users are exposed in a Virtual Organization.
[Diagram: Organization A and Organization B are each a PKI domain with their own users and services (service_a, service_b, service_c in A; service_x, service_y, service_z in B); a VO domain, with user 1 as VO Manager, exposes selected users (user 1, user p) and services (service_a, service_c, service_x, service_y) under Contract A and Contract B.]
VOMS-type VO Management developed in EGEE
[Diagram: the CA/RA issues the User Cert and publishes a CRL; the user obtains a Proxy Cert + VO attributes (DN, VO, Group, Role, Capability) from VOMS; at the EGEE Grid site, MK-gridmapfile maps DNs to pseudo accounts in the Gridmapfile, GACL and LCAS authorize the request, and GRAM accepts the Grid Job Submission.]
VOMS-type VO Management adopted in NAREGI
[Diagram: the CA/RA issues the User Cert and publishes a CRL; the user obtains a Proxy Cert + VO attributes from VOMS; the Information Service carries DN and VO info; Account Mapping at the NAREGI Grid site uses the Gridmapfile and a Policyfile; Grid Job Submission is managed by the Super Scheduler and reaches GRAM and Grid VM.]
Certificate handling is too hard for users.
Job Submission mechanism in NAREGI Middleware Beta version
Integrated and easy handling of VOMS and MyProxy
[Diagram: the user logs in to the Portal Services (WFT, PSE, GVS); in the Client Environment the User Certificate and Private Key are held by the SS client; the User Management Server (UMS) obtains a VOMS Proxy Certificate from VOMS and stores it in MyProxy; the WF Credential Repository holds the Workflow (WF) credential, which is delegated to the Super Scheduler (SS) and on to each GridVM that runs the Grid jobs.]
WF Credential is a user proxy cert passed through to the SS with the delegation protocol.
The SS receives the WF and deploys Grid jobs.
VO and User Management Service
• Adoption of VOMS for VO management
  • Using proxy certificates with VO attributes for interoperability with EGEE
  • GridVM is used instead of LCAS/LCMAPS
• Integration of MyProxy and VOMS servers
  • with UMS (User Management Server) to realize a one-stop service at the NAREGI Grid Portal
  • using gLite implemented at UMS to connect to the VOMS server
• Workflow Credential Repository
  • As the Workflow Credential, a User Proxy Cert is used to realize safe delegation between the NAREGI Grid Portal and the Super Scheduler, in the same way as MyProxy.
  • The Super Scheduler receives the Workflow (BPEL) and reserves resources to deploy Grid jobs through the GSI interface.
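The account-mapping step shown in the EGEE and NAREGI VOMS diagrams above (the DN and VO attributes carried in the proxy certificate are checked against a gridmapfile and a policy file before a job is accepted) can be illustrated with the following Python. It is an example added here, not NAREGI, EGEE or gLite code. The grid-mapfile line format is the standard Globus one; the policy-file format, the VO name "naregi", and every DN, FQAN and account name below are constructed for the example.

```python
"""Added example: map a VOMS-attributed credential to a local account using a
grid-mapfile plus a VO policy file, as the account-mapping step in the slides does.
The policy-file format and all DNs, FQANs and account names are constructed;
they are not NAREGI's own files or data."""
from dataclasses import dataclass
from typing import List, Optional
import shlex

# Constructed grid-mapfile. Line format follows the Globus grid-mapfile:
# a quoted subject DN, then one or more comma-separated local accounts.
GRIDMAP_TEXT = """
# explicit DN -> account mappings
"/C=JP/O=NAREGI/OU=NII/CN=Alice Example" alice
"/C=JP/O=NAREGI/OU=KEK/CN=Bob Example" bob,bob2
"""

# Constructed policy file (hypothetical format): a VOMS FQAN prefix and the
# pool account assigned to members who carry that attribute.
POLICY_TEXT = """
/naregi/Role=VO-Admin  naregiadm
/naregi/nano           nanopool
/naregi                naregipool
"""

SITE_VO = "naregi"  # the VO this site serves (constructed)


@dataclass
class Credential:
    """What the site sees after validating a VOMS proxy: the subject DN and the
    FQANs (VO/group/Role/Capability) from the VOMS attribute certificate."""
    dn: str
    fqans: List[str]


@dataclass
class MappingResult:
    account: Optional[str]   # None means the request is denied
    reason: str


def parse_gridmap(text: str) -> dict:
    """Parse grid-mapfile lines into {dn: [accounts]}; comments and blanks are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted DN
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        mapping[dn] = accounts.split(",")
    return mapping


def parse_policy(text: str) -> list:
    """Parse 'fqan-prefix account' lines into a list of (prefix, account) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed policy line: {raw!r}")
        rules.append((parts[0], parts[1]))
    return rules


def normalize_fqan(fqan: str) -> str:
    """Drop the Role=NULL / Capability=NULL components VOMS emits for unset attributes,
    so '/naregi/nano/Role=NULL/Capability=NULL' compares as '/naregi/nano'."""
    parts = [p for p in fqan.split("/") if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(parts)


def map_account(cred: Credential, gridmap: dict, policy: list, site_vo: str = SITE_VO) -> MappingResult:
    """Decide the local account for a credential, or deny it.
    Order (a design choice for this example): (1) the proxy must carry an attribute of
    this site's VO, so a bare non-VOMS proxy is refused even if the DN is known;
    (2) an explicit grid-mapfile entry for the DN wins; (3) otherwise the longest
    matching policy prefix selects a pool account."""
    fqans = [normalize_fqan(f) for f in cred.fqans]
    vo_fqans = [f for f in fqans if f == f"/{site_vo}" or f.startswith(f"/{site_vo}/")]
    if not vo_fqans:
        return MappingResult(None, f"no attribute from VO {site_vo!r}")
    if cred.dn in gridmap:
        return MappingResult(gridmap[cred.dn][0], "explicit grid-mapfile entry")
    best = None
    for prefix, account in policy:
        for f in vo_fqans:
            if f == prefix or f.startswith(prefix + "/"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, account)
    if best is None:
        return MappingResult(None, "no policy rule matches the VO attributes")
    return MappingResult(best[1], f"policy rule {best[0]!r}")


if __name__ == "__main__":
    gm, pol = parse_gridmap(GRIDMAP_TEXT), parse_policy(POLICY_TEXT)
    for cred in (
        Credential("/C=JP/O=NAREGI/OU=NII/CN=Alice Example", ["/naregi/Role=NULL/Capability=NULL"]),
        Credential("/C=JP/O=NAREGI/OU=Osaka/CN=Carol Example", ["/naregi/nano/Role=NULL/Capability=NULL"]),
        Credential("/C=JP/O=NAREGI/OU=KEK/CN=Bob Example", []),   # known DN but no VO attribute
    ):
        print(cred.dn, "->", map_account(cred, gm, pol))
```

The deny-first ordering is what makes the VO attribute meaningful: a site that consulted the gridmapfile before checking VO membership would accept any proxy for a listed DN, VOMS-signed or not, which is exactly the gap that the EGEE LCAS/LCMAPS chain and the NAREGI GridVM policy step are there to close.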
Current Issues and the Future Plan
• Current issues on VO management
  • VOMS platform: gLite runs on GT2, while the NAREGI middleware runs on GT4
  • GridVM: interoperability of authorization policy with other Grid projects is still to be realized
  • Proxy certificate renewal: a new mechanism needs to be invented
• Future plan
  • Cooperation with GGF security area members to realize mutual interoperability
  • A new proposal of a VO management methodology and a trial reference implementation
AuthN & AuthZ Services in the future
[Diagram: an Authentication & Authorization Service built from a Policy Information Point, a Policy Decision Point and a Policy Enforcement Point exchanging SAML + XACML; supporting services are the CA/RA with its CRL, OCSP/XKMS, LDAP, VO Management, and MyProxy holding the Proxy Cert of the user; the user logs in at the Web Server with the User Cert, and Grid Job Submission goes through the Super Scheduler to GRAM (Grid VM).]
Summary
• NAREGI first developed a reliable authentication system, which will be deployed in the UPKI project.
• VO management was the second target, and VOMS has been adopted for interoperability with EGEE.
• NAREGI commits to OGSA and will contribute to the standardization of VO management in the Grid community.
• ID management remains an open issue. GridShib or Liberty Alliance may be considered.