
Grid security in NAREGI project

APAN Grid-Middleware Workshop 2006. Grid security in NAREGI project.


Presentation Transcript


  1. APAN Grid-Middleware Workshop 2006: Grid security in NAREGI project
     NAREGI, the Japanese national science grid project, is doing research and development of grid middleware to create an e-Science infrastructure under the CSI (Cyber Science Infrastructure) concept. This presentation will present the issues and future plans regarding grid security, including VO management for interoperability among grid projects.

  2. CyberScience Infrastructure for Advanced Science (by NII): To Innovate Academia and Industry
     (Figure: the CyberScience Infrastructure is built from a Scientific Repository, Virtual Organization for science, Industry Liaison and Social Benefit, NAREGI Middleware, UPKI, Global Contribution, Human Resource Development and strong organization, and Publication of scientific results from academia. Super-SINET: a next-generation network infrastructure supported by NII and 7 National Computer Centers: Hokkaido University, Tohoku University, University of Tokyo, Nagoya University, Kyoto University, Osaka University, Kyushu University; also Tokyo Institute of Technology, Waseda University, KEK (High Energy Accelerator Research Organization), etc.)

  3. Super SINET provides 10 Gbps Backbone

  4. Grid for enabling Collaborative Computing
     • To realize a heterogeneous large-scale computational environment
     • To share large and expensive devices and databases
     Security is a key issue to be solved!
     (Figure: a Virtual Organization spanning University A, Overseas Lab B and Domestic Lab C over Super SINET, whose researchers share experimental devices, a supercomputer and a database server: experiments using special devices, analysis using supercomputers, search in databases.)

  5. NAREGI Software Stack (Beta ver. 2006)
     (Figure: layered stack. Grid-Enabled Nano-Applications (WP6); Grid PSE, Grid Vis and Grid Workflow (WP3); Data Grid (WP4); Grid Programming: GridRPC, GridMPI (WP2); Super Scheduler and Distributed Information Service (WP1); Packaging; Globus 4 / NAREGI-WSRF + Services Core; Grid VM (WP1); High-Performance & Secure Grid Networking (WP5) over SuperSINET; Computing Centers & VOs: NII, IMS, KEK, Univ. Centers.)

  6. A Use Case: Job Submission with Reservation-based Co-Allocation
     (Figure: a client (WFT, PSE, GVS, GridRPC) submits a Workflow with Abstract JSDL to the Super Scheduler; the Super Scheduler sends a Resource Query to the Information Service (CIM, DAI) and receives Resource Info., then performs Reservation, Submission, Query, Control… against the Computing Resources using Concrete JSDL; each Computing Resource runs GridVM, jobs use GridMPI, and usage records (UR/RUS) feed Accounting.)

  7. Security Requirements in AAA
     • Authentication: PKI-based user authentication, compatible with GSI standards, trust federation between CAs (developed NAREGI-CA, to be deployed in UPKI)
     • Authorization: VO management for inter-organizational collaboration, interoperable with other Grid projects (current issues to be solved)
     • Accounting: ID federation for authorization & traceability, with privacy protection! (future issues)

  8. Virtual Organization and Security Domain
     Definition of VO on GGF: "A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains."
     ・CAS (Community Authorization Service)
     ・VOMS (Virtual Organization Membership Service)
     Services and Users are exposed in a Virtual Organization.
     (Figure: Organization A (PKI domain, user 1..user p, service_a/b/c) and Organization B (PKI domain, user q..user r, service_x/y/z) each sign a contract (Contract A, Contract B) with the VO domain, in which user 1 acts as VO Manager and selected users and services (user 1, user p, service_a, service_c, service_x, service_y) are exposed.)

  9. VOMS-type VO Management developed in EGEE
     (Figure: at an EGEE Grid site, the CA/RA issues a CRL; VOMS holds DN, VO, Group, role and capability; MK-gridmapfile maps DNs to pseudo accounts in the Gridmapfile; GACL and LCAS enforce access; the User submits a Grid Job to GRAM with a User Cert and a Proxy Cert + VO attributes.)

  10. VOMS-type VO Management adopted in NAREGI
     (Figure: at a NAREGI Grid site, the CA/RA issues a CRL; VOMS supplies DN and VO info to the Information Service; Account Mapping uses a Gridmapfile and a Policyfile; Grid Job Submission is managed by the Super Scheduler and goes to GRAM / Grid VM; the User presents a User Cert and a Proxy Cert + VO attributes.)
     Certificate handling is too hard for users.
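The account-mapping step of slides 9 and 10 (CRL check, VO attributes carried in the proxy certificate, gridmapfile plus policy file yielding a pseudo account) as an added Python illustration; this is not NAREGI or EGEE code, and the DNs, VO names, accounts and the policy-file format are constructed for the example.

```python
"""VOMS-style account mapping at a grid site (added illustration, not NAREGI or
EGEE code). A user presents a proxy certificate carrying VO attributes (VOMS
FQANs such as /naregi/nano/Role=admin); the site checks the CA's CRL, then maps
the DN to a local pseudo account via a grid-mapfile plus a VO policy file. The
grid-mapfile syntax is the standard one; policy format, DNs, VO names and
accounts are constructed for the example."""
import re

GRIDMAP = '''# grid-mapfile: "DN" local_account   (constructed sample)
"/C=JP/O=NAREGI/OU=NII/CN=user1" user1
"/C=JP/O=NAREGI/OU=NII/CN=user2" user2
'''
POLICY = '''# constructed policy file: FQAN pattern  pseudo_account
/naregi/nano/Role=admin   nanoadm
/naregi/nano/*            nano001
/naregi/*                 naregi001
'''
CRL = {"/C=JP/O=NAREGI/OU=NII/CN=user2"}   # DNs revoked by the CA/RA (constructed)

def parse_gridmap(text):
    """Map DN -> account from quoted grid-mapfile lines; comments are skipped."""
    rows = (re.match(r'^\s*"([^"]+)"\s+(\S+)\s*$', ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def parse_policy(text):
    """Ordered (pattern, account) rules; the first matching rule wins."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(f[0], f[1]) for f in rows if len(f) == 2]

def fqan_matches(pattern, fqan):
    """'/vo/group/*' covers the group itself and every role/subgroup below it."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return fqan == base or fqan.startswith(base + "/")
    return fqan == pattern

def map_account(dn, fqans, gridmap, rules, crl):
    """Return the local account for this proxy, or None to deny the job."""
    if dn in crl:
        return None                  # revoked certificate: refuse before any mapping
    if dn in gridmap:
        return gridmap[dn]           # explicit per-DN entry takes precedence
    for fqan in fqans:               # VOMS lists FQANs in the user's preferred order
        for pattern, account in rules:
            if fqan_matches(pattern, fqan):
                return account       # VO policy selects a pseudo account
    return None                      # no VO membership this site recognises

GRIDMAP_MAP, POLICY_RULES = parse_gridmap(GRIDMAP), parse_policy(POLICY)
```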

  11. Job Submission mechanism in NAREGI Middleware β version
     Integrated and easy handling of VOMS and MyProxy.
     WF Credential is a user proxy cert passed through to the SS with the delegation protocol.
     The SS receives the WF and deploys Grid jobs.
     (Figure: Users log in; the Client Environment holds the User Certificate and Private Key and an SS client; the User Management Server (UMS) integrates MyProxy and VOMS and issues the VOMS Proxy Certificate; Portal Services (WFT, PSE, GVS) use the VOMS Proxy Certificate and store the Workflow (WF) Credential in the WF Credential Repository; the credential is delegated to the Super Scheduler (SS), which deploys Grid Jobs to GridVMs by further delegation.)

  12. VO and User Management Service
     • Adoption of VOMS for VO management
       • Using proxy certificates with VO attributes for interoperability with EGEE
       • GridVM is used instead of LCAS/LCMAPS
     • Integration of MyProxy and VOMS servers
       • with UMS (User Management Server) to realize a one-stop service at the NAREGI Grid Portal
       • using gLite implemented at UMS to connect to the VOMS server
     • Workflow Credential Repository
       • As Workflow Credential, a User Proxy Cert is used to realize safe delegation between the NAREGI Grid Portal and the Super Scheduler, in the same way as MyProxy.
       • The Super Scheduler receives the Workflow (BPEL) and reserves resources to deploy Grid jobs through the GSI interface.

  13. Current Issues and the Future Plan
     • Current issues on VO management
       • VOMS platform: gLite is running on GT2, while NAREGI middleware runs on GT4
       • GridVM: interoperability of authorization policy with other Grid projects is to be realized
       • Proxy certificate renewal: need to invent a new mechanism
     • Future plan
       • Cooperation with GGF security area members to realize interoperability with each other
       • A new proposal of VO management methodology and trial of a reference implementation

  14. AuthN & AuthZ Services in the future
     (Figure: the User logs in at a Web Server with a User Cert; the Authentication & Authorization Service draws on the CA/RA's CRL, OCSP/XKMS and LDAP; VO Management and MyProxy supply the Proxy Cert of User; a Policy Information Point and Policy Decision Point exchange SAML + XACML with a Policy Enforcement Point; Grid Job Submission goes through the Super Scheduler to GRAM (Grid VM).)

  15. Summary
     • NAREGI at first developed a reliable authentication system, which will be deployed in the UPKI project.
     • VO management was the second target, and VOMS has been adopted for interoperability with EGEE.
     • NAREGI commits to OGSA and will contribute to the standardization of VO management in the Grid community.
     • ID management is still an open issue. GridShib or Liberty Alliance may be considered.
