Specific security needs of Desktop Grids
• Desktop Grids
• EDGeS project
• Delegation for access to trusted resources
The EDGeS project receives Community research funding
Specific security needs of Desktop Grids
DG = Desktop Grid = Loose grid scavenging idle resources
Unit of Work = Application + Input Data
[Diagram. Actors: Grid User; Application Manager; Resource Owner (often volunteer); Grid Server with Application Repository; Computing Resource (often Desktop Computer). Arrow labels: Submits input data for an application; Certifies Application; Owns Resource; Accepts or Refuses an application on his resource; Requests Unit of Work; Sends Unit of Work; Sends back results (twice).]
Currently, for BOINC, both roles of ‘Application Manager’ and ‘Grid User’ are fulfilled by ‘BOINC Project Owners’.
Etienne URBAH urbah@lal.in2p3.fr LAL, Univ Paris-Sud, IN2P3/CNRS, Orsay, France
Specific security needs of Desktop Grids
DG = Desktop Grid = Loose grid scavenging idle resources
• Computing and Storage Resources are owned by various Owners (it is often volunteer computing), but they are NOT managed and NOT authenticated.
• Grid Servers are authenticated by an X509 certificate.
• Users are authenticated by the Grid Servers, but NOT by the Computing and Storage Resources.
• Executables are certified by managers of the Grid Servers.
So:
  – Resource Owners have to trust the Grid Servers,
  – BOINC sends each Work Unit to several Resource Owners, because BOINC does NOT fully trust them.
• Order of magnitude can be 1 000 000 CPUs.
• Starving Computing Resources pull Work Units from Grid Servers.
Examples: BOINC, XtremWeb, xGrid, OurGrid
Specific security needs of Desktop Grids: Presentation of the EDGeS project
New FP7 project started on 01/01/2008
• Integrate Service Grids and Desktop Grids
• Enable very large number of computing resources (100K-1M processors)
• Attract new scientific communities
• Provide a Grid application development environment
• Provide application repository and bridges for the execution in the SG-DG system
[Diagram: EDGeS linking Service Grids (WLCG (CERN), gLite (EGEE), ARC (NorduGrid), VDT (OSG), Unicore (DEISA)) with Desktop Grids (Boinc (Berkeley), XtremWeb (INRIA/IN2P3), Xgrid (Apple)); links are marked "Current" or "Future".]
Specific security needs of Desktop Grids: Presentation of the EDGeS project
http://www.edges-grid.eu
Now, Interoperation:
• Ad-hoc bridges and interfaces between EGEE, BOINC and XtremWeb.
• A MoU between EDGeS and EGEE was signed on 23 Sept 2008.
• XtremWeb users must have an X509 certificate, be registered in a VO and submit their Jobs with a VOMS proxy.
• BOINC Project Owners must have an X509 certificate, be registered in a VO and store a medium-term X509 proxy in a MyProxy server.
• All files must be transferred through the Input and Output sandboxes.
In the future:
• Interoperability using OGF standards, in order to bridge more Grids.
• Better support of grid file access (ByteIO, GridFTP).
Specific security needs of Desktop Grids: Bridge BOINC → EGEE (WU = Work Unit)
[Diagram: EDGeS 3G bridge between a BOINC Server and the EGEE WMS. Components: BOINC jobwrapper client (simulating a large BOINC computing resource); BOINC Handler, 1 for each (BOINC server, BOINC Project Owner, EGEE VO) triple; Job Handler Interface; Queue Manager & Job DB; Grid Handler Interface; EGEE Plugin, 1 for each (BOINC Project Owner, EGEE VO) pair; 3G job-wrapper; VOMS proxy Retriever; VOMS Server; MyProxy trusting the EDGeS 3G bridge; BOINC Project Owner. Labels: Work Units WUi+1, WUi+2, WUi+3; Jobs Jobi+1, Jobi+2; Submission; Config. file; DN of X509 proxy; VOMS extensions; Short term X509 proxy; Medium term X509 proxy.]
Specific security needs of Desktop Grids: Bridge BOINC → EGEE
Solution = Inside EDGeS bridge, marshalling of the BOINC Work Units into Job collections
• For each (BOINC server, BOINC Project Owner, EGEE VO) triple, a separate Job Handler collects the BOINC Work Units and places them in a queue.
• For each (BOINC Project Owner, EGEE VO) pair, a separate EGEE plugin:
  – Retrieves a short term X509 Proxy for the BOINC Project Owner from a MyProxy server, and VOMS extensions from a VOMS server,
  – Periodically processes new Work Units found in the queue:
    – It converts each Work Unit into an EGEE Job,
    – In order to reduce the usage of the EGEE WMS, it uses Collection possibilities of EGEE to submit many Jobs in one request described using JDL.
Specific security needs of Desktop Grids: Bridge XtremWeb → EGEE
[Diagram. Actors: XtremWeb User, XtremWeb Server, XtremWeb Bridge, VOMS Server, gLite WMS, EGEE Computing Element, Mono-user Pilot Job, User Job. Arrow labels: Submits User Job with VOMS proxy; Requests User Jobs; Sends User Jobs with VOMS proxy; Submits mono-user Pilot Job with VOMS proxy; Pushes Pilot job; Gives Pilot Job Status (twice); Requests only 1 User Job; Sends 1 User Job with same VOMS proxy; Manages User Job status; Sends back results directly; Sends back Job Status and Results. Credential labels: X509 proxy; VOMS proxy.]
Specific security needs of Desktop Grids: Bridge XtremWeb → EGEE
Solution = XtremWeb bridge: Gliding with a mono-user Pilot Job
• An XtremWeb User submits to the XtremWeb server his User Job with a VOMS proxy.
• At the request of the XtremWeb bridge, the XtremWeb server sends it the User Job with the VOMS proxy.
• The XtremWeb bridge submits to a gLite WMS a mono-user Pilot Job with this VOMS proxy (job description in a JDL).
• The gLite WMS pushes the Pilot Job to a Computing Element, which executes it.
• The mono-user Pilot Job requests 1 User Job from the XtremWeb server, and stops itself if it receives none.
• The XtremWeb server verifies that the requested User Job has a VOMS proxy, and sends the User Job and the VOMS proxy to the Pilot Job.
• The Pilot Job verifies that the received VOMS proxy is the same as its own VOMS proxy, and executes the User Job.
• At the end of the User Job, the Pilot Job sends the Job results directly to the XtremWeb server, then stops itself.
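The two checks in the pilot-job exchange above, as an added Python sketch (not code from EDGeS or XtremWeb). The class and function names are hypothetical, "same proxy" is assumed to mean equal SHA-256 digests of the proxy bytes, and returning a mismatched job to the queue is an assumption the slide does not state.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


def fingerprint(proxy: bytes) -> bytes:
    # Assumption: "same proxy" is decided by comparing SHA-256 digests of the proxy bytes.
    return hashlib.sha256(proxy).digest()


@dataclass
class UserJob:
    job_id: str
    voms_proxy: Optional[bytes]  # proxy the user submitted with the job, if any


@dataclass
class XtremWebServer:  # hypothetical model, not the XtremWeb API
    queue: List[UserJob] = field(default_factory=list)
    results: dict = field(default_factory=dict)

    def request_one_job(self) -> Optional[UserJob]:
        # Server-side check: only a job that carries a VOMS proxy may go to a pilot.
        for i, job in enumerate(self.queue):
            if job.voms_proxy is not None:
                return self.queue.pop(i)
        return None


def run_pilot(own_proxy: bytes, server: XtremWebServer) -> str:
    """One mono-user pilot job: fetch at most one user job, run it, then stop."""
    job = server.request_one_job()
    if job is None:
        return "stopped: no job"
    # Pilot-side check: the job must carry the proxy the pilot itself was submitted with.
    if not hmac.compare_digest(fingerprint(job.voms_proxy), fingerprint(own_proxy)):
        server.queue.append(job)  # assumption: a mismatched job goes back to the queue
        return "stopped: proxy mismatch"
    server.results[job.job_id] = f"output of {job.job_id}"  # stands in for execution
    return "stopped: job done"


# Constructed sample data: placeholder byte strings, not real proxies.
ALICE, BOB = b"constructed-proxy-alice", b"constructed-proxy-bob"
```

The pilot never runs work for a user other than the one whose credential it was submitted with, which is what keeps the pilot "mono-user" on the EGEE side.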
Specific security needs of Desktop Grids: Bridge EGEE → Desktop Grids
[Diagram. Components: EGEE User; gLite WMS; EGEE BDII; EGEE LB; EGEE VOMS; LCG-CE for EDGeS; Information provider; GRAM JobManager for EDGeS; EDGeS 3G bridge; Generic Job WS Handler; Queue Manager & Job DB; Desktop Grid plugin; EDGeS Application Repository; Desktop Grid. Arrow labels: Submits Job; Pushes job; Reports resources and performance; Adds job; Watches job; Watches; Logs events (twice); Gets output; Sends output; Checks EXE; Gets EXE; Gets VOMS proxy.]
Specific security needs of Desktop Grids: Bridges EGEE → BOINC & XtremWeb
Solution = Installation of a LCG-CE sending the EGEE Jobs to the EDGeS bridge, which marshals them into Desktop Grid Jobs
• Information Provider publishes information to the BDII according to GLUE 1.3
• Customized GRAM Job Manager (EGEE producer)
  – Gets job information from wrapper
  – Checks if exe is validated in the EDGeS application repository (GEMLCA)
  – Checks if exe is supported by attached BOINC
  – Gets files from WMS
  – Adds job to 3G bridge job Database
  – Polls status of jobs in 3G bridge job Database
  – Gets results from 3G bridge and uploads them to Logging & Bookkeeping
• EDGeS 3G bridge
  – Manages jobs in the 3G bridge database
  – On events, updates entries in the 3G bridge database
• Desktop Grid plugins
  – BOINC plugin uses DC-API to generate BOINC Work Units
  – XtremWeb plugin generates XtremWeb Jobs
Specific security needs of Desktop Grids: Delegation for access to trusted resources
Jobs having to access trusted Resources require delegation (through X509 proxies or SAML assertions).
Is it possible to provide delegation to untrusted Computing Resources of Desktop Grids?
Specific security needs of Desktop Grids – Delegation
Current situation: NO restriction, full impersonation
[Diagram, two panels; every arrow is labelled "X509 proxy without restrictions" and "Full impersonation".
Panel 1 (acceptable only with trusted computing resources): Grid User submits Job to EGEE Computing Element, which submits Job to a Trusted Worker Node; Trusted Data Access to a Trusted Storage Resource.
Panel 2 (NOT acceptable with untrusted (DG) computing resources): Grid User submits Job to EGEE Computing Element, which submits Job to an Untrusted Worker Node; Untrusted Data Access to a Trusted Storage Resource.]
Specific security needs of Desktop Grids – Delegation
Current situation: NO restriction, full impersonation
At present, WITHOUT restrictions on delegation, X509 proxies permit full impersonation. Therefore, when sending jobs, it is acceptable to send along such X509 proxies:
• only to TRUSTED computing resources (for example Worker Nodes of local or EGEE clusters), because the storage resources must trust that the computing resource will only access data described in the job,
• but NOT to UNTRUSTED computing resources (for example from a public Desktop Grid), because they could then have access to all user data.
Specific security needs of Desktop Grids – Delegation
Under development: X509 Proxies with Restrictions
[Diagram, two panels; every arrow is labelled "X509 proxy with restrictions" and "Restricted impersonation".
Panel 1 (improved security with trusted computing resources): Grid User submits Job to EGEE Computing Element, which submits Job to a Trusted Worker Node; Trusted Data Access to a Trusted Storage Resource.
Panel 2 (could also be acceptable with untrusted computing resources): Grid User submits Job to EGEE Computing Element, which submits Job to an Untrusted Worker Node; Trusted Data Access to a Trusted Storage Resource.]
Specific security needs of Desktop Grids – Delegation
Under development: X509 Proxies with Restrictions
When sending jobs, it could be acceptable to send X509 proxies containing restriction attributes about data access to UNTRUSTED computing resources (for example from a public Desktop Grid), because:
• In order to get access to data, computing resources have to present to storage resources the full X509 proxy, INCLUDING ALL restriction attributes.
• Storage resources are then able to refuse data access if restriction attributes forbid it.
• Data that the jobs have to read are easily protected against corruption or deletion by using restriction attributes setting those data as read-only.
• Malicious computing resources can always corrupt data on which they have write access, but they can already write false data in the Output Sandbox of jobs anyway.
If these restriction attributes are really implemented, enforced and considered secure enough, this would permit computing resources of Desktop Grids to access storage resources of EGEE Storage Elements (using SRM, GridFTP, …), with a great impact on EDGeS JRA3.
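A storage-side decision of the kind described above, as an added Python sketch (not code from EDGeS or any grid middleware). The restriction format, function names and paths are hypothetical, and an HMAC over the subject plus restrictions stands in for the X509 proxy signature, so that removing or editing a restriction makes the credential fail verification.

```python
import hashlib
import hmac
import json
import posixpath

ISSUER_KEY = b"constructed-demo-key"  # stand-in for the delegator's signing key


def proxy_tag(subject, restrictions):
    # Integrity tag over subject AND restrictions (HMAC stands in for the X509 signature).
    body = json.dumps({"sub": subject, "res": restrictions}, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def issue_proxy(subject, restrictions):
    """Each restriction is {"prefix": <path>, "mode": "ro" or "rw"} (hypothetical format)."""
    return {"sub": subject, "res": restrictions, "sig": proxy_tag(subject, restrictions)}


def storage_authorize(proxy, op, path):
    """Storage-side decision: verify the full proxy, then apply its restrictions."""
    expected = proxy_tag(proxy.get("sub"), proxy.get("res")).encode()
    if not hmac.compare_digest(expected, str(proxy.get("sig", "")).encode()):
        return False  # restrictions stripped or edited: the proxy no longer verifies
    norm = posixpath.normpath(path)  # collapse "a/../b" before matching prefixes
    for r in proxy["res"]:
        prefix = r["prefix"].rstrip("/")
        covered = norm == prefix or norm.startswith(prefix + "/")
        if covered and (op == "read" or (op == "write" and r["mode"] == "rw")):
            return True
    return False  # default deny: nothing in the proxy covers this access


# Constructed sample proxy: input data read-only, one output directory writable.
PROXY = issue_proxy("/O=Constructed/CN=Demo User", [
    {"prefix": "/grid/vo/input", "mode": "ro"},
    {"prefix": "/grid/vo/output/job42", "mode": "rw"},
])
```

The untrusted node holds the whole credential, so the protection rests entirely on the storage resource verifying it and enforcing every attribute before serving a request.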
Specific security needs of Desktop Grids – Delegation
Access to untrusted Storage Resources of Desktop Grids
Could access of trusted Computing Resources to untrusted Storage Resources of Desktop Grids be acceptable?
EDGeS is studying the issue. We can get advice from you and Jesus LUNA.
[Diagram: Grid User submits Job to EGEE Computing Element, which submits Job to a Trusted Worker Node; Untrusted Data Access to an Untrusted Storage Resource. Labels: "X509 proxy" (twice), "NO X509 proxy".]