Grid Security. Steve Tuecke, Argonne National Laboratory
Overview • The Grid Concept • Community Authorization • Implementation Approach
Grid Computing • Enable communities (“virtual organizations”) to share geographically distributed resources as they pursue common goals—in the absence of central control, omniscience, trust relationships • Via investigations of • New applications that become possible when resources can be shared in a coordinated way • Protocols, algorithms, persistent infrastructure to facilitate sharing
The Grid: The Web on Steroids (figure). Web: uniform access to HTML documents (http://). Grid: flexible, high-performance access to all significant resources (software catalogs, computers, sensor nets, colleagues, data archives); on-demand creation of powerful virtual computing systems.
Grid Communities and Applications: NSF National Technology Grid
Grid Communities & Applications: Online Instrumentation (figure). Advanced Photon Source: real-time collection, wide-area dissemination, desktop & VR clients with shared controls, archival storage, tomographic reconstruction. DOE X-ray grand challenge: ANL, USC/ISI, NIST, U.Chicago.
Grid Communities and Applications: Mathematicians Solve NUG30 • Community = an informal collaboration of mathematicians and computer scientists • Condor-G delivers 3.46E8 CPU seconds in 7 days (peak 1009 processors) in U.S. and Italy (8 sites) • Solves NUG30 quadratic assignment problem; solution: 14,5,28,24,1,3,16,15,10,9,21,2,4,29,25,22,13,26,17,30,6,20,19,8,18,7,27,12,11,23 • MetaNEOS: Argonne, Iowa, Northwestern, Wisconsin
Grid Communities and Applications: Network for Earthquake Eng. Simulation • NEESgrid: national infrastructure to couple earthquake engineers with experimental facilities, databases, computers, & each other • On-demand access to experiments, data streams, computing, archives, collaboration • NEESgrid: Argonne, Michigan, NCSA, UIUC, USC
Grid Communities & Applications: Data Grids for High Energy Physics (figure; image courtesy Harvey Newman, Caltech). The diagram shows the tiered data flow: the online system (there is a “bunch crossing” every 25 nsecs and 100 “triggers” per second; each triggered event is ~1 MByte in size; rates shown are ~PBytes/sec and ~100 MBytes/sec) feeds the Tier 0 CERN Computer Centre with its offline processor farm (~20 TIPS); ~622 Mbits/sec links (or air freight, deprecated) connect Tier 1 regional centres (FermiLab ~4 TIPS; France, Germany and Italy regional centres), Tier 2 centres (~1 TIPS each, e.g. Caltech), HPSS archives, institute servers (~0.25 TIPS) with physics data caches, and, at ~1 MBytes/sec, Tier 4 physicist workstations (Pentium II 300 MHz). 1 TIPS is approximately 25,000 SpecInt95 equivalents. Physicists work on analysis “channels”; each institute will have ~10 physicists working on one or more channels, and data for these channels should be cached by the institute server.
Grid Communities and Applications: Home Computers Evaluate AIDS Drugs • Community = • 1000s of home computer users • Philanthropic computing vendor (Entropia) • Research group (Scripps) • Common goal = advance AIDS research
Broader Context • “Grid Computing” has much in common with major industrial thrusts • Business-to-business, Peer-to-peer, Application Service Providers, Internet Computing, … • Distinguished primarily by more sophisticated sharing modalities • E.g., “run program X at site Y subject to community policy P, providing access to data at Z according to policy Q” • Secondarily by unique demands of advanced & high-performance systems
The Globus Project • Started in 1995 (I-WAY software) • Globus R&D • Definition of Grid architecture • Grid protocols, services, APIs • Security, resource mgmt, data access, information, communication, etc. • Development of Globus Toolkit • Large user base among tool developers & in production Grids • Open source • Numerous application projects • Outreach & leadership
More Details • www.globus.org • “The Anatomy of the Grid: Enabling Scalable Virtual Organizations” • Foster, Kesselman, Tuecke • www.globus.org/research/papers/anatomy.pdf
Community Properties • 100s of resource providers, 1000s of users • N users from many institutions, worldwide • M independent resource providers which contribute resources to one or more communities • How to avoid N × M trust relationships? • Resource providers grant/sell to communities • Grant bulk access to community • Community representative handles fine-grained authorization and prioritization within bulk grants • Users may combine community resources with own resources to solve problems • Various services carrying out requests of users
Capability Based Solution • A community service & administrator, which: • Maintains user membership to the community. • Maintains resource service agreements to community. • Maintains access control database, granting users access to (part of) resources, based on community policies and priorities. • May employ groups, roles, etc. • Issues capabilities to community members (users) to grant them access to resources. • User presents capability directly to resource to claim service. • AAAArch “push” model
Community Authorization (1) (figure). Users 1…N, the Community Authorization Service, and resources at sites A…M. • 1: User obtains a capability for the service from the Community Authorization Service • 2: User requests the service from the site resources
Community Authorization (2) (figure). • 1: User delegates a user proxy to a Request Manager • 2: Request Manager obtains capabilities for services from the Community Authorization Service, on behalf of user 2 • 3: Request Manager requests services from the site resources
Community Authorization (3) (figure). • 1: User delegates a user proxy to a Request Planner • 2: Request Planner obtains capabilities for services from the Community Authorization Service, on behalf of user 2 • 3: Request Planner delegates the capabilities to a Task Manager • 4: Task Manager requests services from the site resources
Grid Security Infrastructure (GSI) • Authentication and message protection • Extensions to existing standard protocols & APIs • Standards: SSL/TLS, X.509, GSS-API • Extensions for single sign-on and delegation • Internet X.509 PKI Impersonation Proxy Certificate Profile • TLS Delegation Protocol • Globus Toolkit reference implementation of GSI • OpenSSL + GSS-API + delegation • Tools and services to interface to local security • Simple ACLs; SSLK5 & PKINIT for access to K5, AFS, etc. • Tools for credential management • Login, logout, cert request, smartcards, cred repository, etc.
X.509 Proxy Certificate Overview • To support single sign-on and delegation • A Proxy Certificate (PC) is signed by an End Entity Certificate (EEC) or by another Proxy Certificate • We are NOT using an EEC as if it were a CA • A CA performs two functions: 1) Assigns a name (or identity), and 2) Binds the name to a key. • A PC only does #2: it binds the name to a proxy key. • The PC inherits its name from its signing EEC • The subject name is used for two purposes: 1) Path discovery & validation, and 2) To hold the assigned name. • In a PC, the subject is used only for #1, path discovery • The “TLS Delegation Protocol” draft defines how to create a remote Proxy Certificate
Features Of This Approach • Ease of integration • Requires only a small change to path validation • SSL/TLS requires no protocol change to use PC • Authorization based on identity still works • Ease of use • Enables single sign-on & credential repositories • Protection of EEC private key • Single sign-on & delegation w/o sharing EEC keys • Limits consequences of a compromised key • Can restrict PC (e.g. lifetime, uses, etc.) • Compromised PC does not compromise EEC
Implementation Status • Globus Toolkit’s Grid Security Infrastructure (GSI) has used a similar approach for ~4 years • GSI = GSS-API + X.509 + PC + SSL + delegation • Integrated into numerous “Grid” tools (C & Java) • Globus Toolkit, Condor, SRB, MPI, ssh/SecureCRT, FTP, etc. • Adopted by 100s of sites, 1000s of users • NCSA, NPACI, NASA IPG, DOE Science Grid, European Datagrid, GriPhyN (Physics Grids), NEESgrid (Earthquake Engineering Grid) • Global Grid Forum & IETF effort to move GSI forward through cleanup, better integration with standards, technical specifications, etc. • http://www.gridforum.org/security/gsi
Capabilities • By extending a Proxy Certificate to hold a restriction policy, one can build a form of capability • Currently, holding a user’s proxy credential allows the holder to impersonate the user and to access any resources available to the user • But the proxy credential can be extended to contain a restriction policy • E.g. “Holder of this proxy can only start a process on resource X, and read user’s file Y.”
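Added illustration of the proxy certificate mechanism from the “X.509 Proxy Certificate Overview”, “Features Of This Approach” and “Capabilities” slides (example code written for this page, not the Globus Toolkit’s GSI implementation): the EEC’s own key, which is not a CA key, signs a PC whose subject is the EEC’s name plus one extra CN and which carries a restriction policy in a critical extension, and the validator applies the small path-validation change instead of Go’s CA-only chain building. Assumptions: the EEC is self-signed here as a stand-in for a CA-issued certificate, the policy is an opaque string, and the extension OID 1.3.6.1.4.1.99999.1 is a hypothetical one (RFC 3820 later standardized the ProxyCertInfo extension for this purpose).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)
var oidCN, oidPolicy = asn1.ObjectIdentifier{2, 5, 4, 3}, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // policy OID is hypothetical
// issue creates a key for tmpl and has parentKey sign it; parent == nil self-signs (the demo's stand-in for a CA-issued EEC).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // the parent need not be a CA to sign
	cert, _ := x509.ParseCertificate(der)                                       // demo: error handling elided
	return cert, key
}
// proxyTemplate names the PC "<EEC subject>, CN=<cn>" and carries the restriction policy in a critical extension.
func proxyTemplate(eec *x509.Certificate, cn, policy string, ttl time.Duration) *x509.Certificate {
	var subject pkix.RDNSequence
	asn1.Unmarshal(eec.RawSubject, &subject)
	rawSubject, _ := asn1.Marshal(append(subject, pkix.RelativeDistinguishedNameSET{{Type: oidCN, Value: cn}}))
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), RawSubject: rawSubject, BasicConstraintsValid: true, // IsCA stays false
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), ExtraExtensions: []pkix.Extension{{Id: oidPolicy, Critical: true, Value: []byte(policy)}}}
}
// validateProxy is the "small change to path validation": a PC signed by the non-CA EEC is accepted if its name is the issuer's plus one CN and it cannot outlive the EEC; it returns the policy the resource must enforce.
func validateProxy(pc, eec *x509.Certificate, now time.Time) (string, error) {
	var sub, iss pkix.RDNSequence
	asn1.Unmarshal(pc.RawSubject, &sub)
	asn1.Unmarshal(pc.RawIssuer, &iss)
	switch n := len(sub); {
	case eec.CheckSignature(pc.SignatureAlgorithm, pc.RawTBSCertificate, pc.Signature) != nil: // key check only, no CA requirement
		return "", errors.New("proxy signature does not verify under the EEC key")
	case string(pc.RawIssuer) != string(eec.RawSubject) || n != len(iss)+1 || sub[:n-1].String() != iss.String() || len(sub[n-1]) != 1 || !sub[n-1][0].Type.Equal(oidCN):
		return "", errors.New("proxy subject must be the issuer name plus exactly one CN")
	case pc.IsCA || now.Before(pc.NotBefore) || now.After(pc.NotAfter) || pc.NotAfter.After(eec.NotAfter):
		return "", errors.New("proxy is a CA or outside its own or the EEC's validity window")
	}
	for _, ext := range pc.Extensions { // the policy must be present and critical, so a proxy-unaware validator refuses the PC
		if ext.Id.Equal(oidPolicy) && ext.Critical {
			return string(ext.Value), nil
		}
	}
	return "", errors.New("missing critical restriction-policy extension")
}
```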
Community Authorization Service • CAS has its own identity certificate • It is this CAS identity that is known to resources • User authenticates with CAS using the user’s identity certificate (or a proxy of the identity certificate) • User requests access to one or more community resources • CAS delegates back to the user a restricted proxy credential derived from the CAS identity credential • User authenticates with the resource using this CAS identity
Resource Checking of Capability • Authentication from client is with the CAS identity • Resource sees the “community” identity • Though an X.509 extension in the capability may include user’s identity, etc. for audit purposes • Resource maps CAS identity to local account and privileges • E.g. A Unix account, with a given file system quota • Different communities map to different accounts • For each request, resource evaluates the request against the policy contained in the CAS restricted proxy certificate that was used to authenticate.
Accounting • CAS inserts GUID into capability, which is used for: • Accounting: Resources can log consumption using this GUID. CAS can recombine with log of issued capabilities to reconstruct full accounting info. • Requires protocol for propagation of accounting info • Usage enforcement: Restriction policy in capability may include usage constraints. Resource can track and enforce such constraints using the GUID, including across multiple requests using the same capability.
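Added example of the resource-side checks described under “Resource Checking of Capability” and “Accounting” (written for this page; not Globus or CAS code): the resource evaluates each request against the restriction policy carried in the capability and charges admitted usage to the capability’s GUID, so a usage constraint is enforced across several requests made with the same capability, and each accounting record carries the GUID for the CAS to recombine with its log of issued capabilities. The policy syntax (“action:target” rules and a “max-cpu-seconds:N” constraint separated by “;”), the type names and the sample values are assumptions made for this demo.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"sync"
)

// Capability is what the resource sees after authenticating a CAS-issued restricted proxy: the community
// identity it maps to a local account, the GUID the CAS inserted, and the restriction policy (hypothetical syntax).
type Capability struct{ Community, GUID, Policy string }

type Request struct {
	Action, Target string
	CPUSeconds     int
}

// Resource enforces the policy per request and tracks consumption per GUID, so a usage constraint holds across
// many requests made with the same capability. Log holds the accounting records keyed by that GUID.
type Resource struct {
	mu   sync.Mutex
	used map[string]int // cumulative CPU seconds charged to each capability GUID
	Log  []string
}

func NewResource() *Resource { return &Resource{used: map[string]int{}} }

// Authorize admits req only if the policy names its action and target and the capability's remaining
// CPU budget covers it; admitted requests are charged to the GUID and logged.
func (r *Resource) Authorize(c Capability, req Request) error {
	allowed, limit := false, -1 // limit < 0 means the policy imposes no usage constraint
	for _, rule := range strings.Split(c.Policy, ";") {
		key, val, _ := strings.Cut(rule, ":")
		if key == "max-cpu-seconds" {
			limit, _ = strconv.Atoi(val)
		} else if key == req.Action && val == req.Target {
			allowed = true
		}
	}
	if !allowed {
		return fmt.Errorf("guid=%s: %s on %s is not permitted by the capability policy", c.GUID, req.Action, req.Target)
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if limit >= 0 && r.used[c.GUID]+req.CPUSeconds > limit {
		return fmt.Errorf("guid=%s: %d+%d CPU seconds would exceed the capability limit of %d", c.GUID, r.used[c.GUID], req.CPUSeconds, limit)
	}
	r.used[c.GUID] += req.CPUSeconds
	r.Log = append(r.Log, fmt.Sprintf("community=%s guid=%s action=%s target=%s cpu=%d", c.Community, c.GUID, req.Action, req.Target, req.CPUSeconds))
	return nil
}
```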