
Legion - A Grid OS


Presentation Transcript


  1. Legion - A Grid OS

  2. Object Model
  • Everything is an object
  • Core objects:
    - processing resource – host object
    - stable storage – vault object
    - definition of an object – class object
  • Legion provides default implementations, but all system components can be extended, specialized and replaced.

  3. Object Model
  • Object state
    - Active: hosted within a running process
    - Inert: state (OPR) is stored on a persistent storage device
    - OPR: LOID, private key, ACL
  • Identified by a location-independent LOID
  • The LOID includes the public key

  4. Status Of An Object

  5. Legion Runtime Library
  • Defines generic interfaces to services
    - message passing
    - object creation, location, deletion
  • Flexible, configurable protocol stack
    - adding message privacy is simply a matter of registering the appropriate message-processing event handlers into the Legion protocol stack

  6. Two main concerns
  • User's concern: protecting the meta-computer's high-level resources, services and users from possibly corrupted underlying resources
  • Administrator's concern: preserving the security policies of the underlying resources that form the foundation of the meta-computer, and minimizing their vulnerability to attacks from the meta-computer level

  7. Features
  • Flexible: a simple, policy-neutral mechanism; different policies are built on top of it
  • Easy to use: builds on the Legion inheritance mechanism
  • Scalable: objects authenticate one another directly; no centralized key service
  • Isolated: object isolation and site isolation

  8. Object Management
  • Object isolation
    - isolate system objects from user objects: the host object and the vault object run under different local accounts
    - isolate different users' objects from one another: native user account or generic account
  • The host object does not run under the root account
  • The PCD (Process Control Daemon) activates, deactivates and reactivates objects at the request of the host object

  9. Creating an object
  • Class manager
    - assigns a LOID to the new object
    - creates the object's key
    - passes the LOID and key to the host object on the machine where the object will run
    - passes the binary of the object implementation to the host object
    - asks the vault object to create a directory for the object
  • Host object
    - maps the LOID to a local user account
    - spawns a process to host the object
    - passes the LOID and key to the active object
    - changes the ownership of the object's directory

  10. Credential
  • A list of rights granted by the credential's maker; can be passed along the call chain
  • Delegated credentials – what the right is and to whom it is granted, e.g. [object A may call object B's method M as Alice during the period T] signed Alice
  • Bearer credentials – what the right is only
    - the call chain may branch out
    - the identity of the final object on the call chain may be unknown to the user
    - increased risk
  • Both carry a validity period, kept short
  • Authentication credential

  11. Access Control
  • Each object is responsible for enforcing its own access control policy
  • MayI, present in each object, implements access control on a per-function basis
    (diagram: object A calls b.foo() on object B; B's MayI answers "foo ok" or "No!")
  • Who decides the security policy of an object?
    - the user initiating the object
    - the class object of this object
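An added example (not Legion's code) of the credential and MayI checks described on slides 10 and 11: a delegated credential is bound to one grantee and a bearer credential is not, both carry a validity period, and the target object's MayI checks the signature, the period, the grantee and its own per-method ACL. The principal names, the ACL shape and the use of a per-principal HMAC secret in place of Legion's public-key signatures are assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for each principal's signing key. Legion signs credentials with
# the principal's private key (the public key is carried in its LOID); a per-principal
# HMAC secret is used here only to keep the example dependency-free.
KEYS = {"alice": b"alice-key", "bob": b"bob-key"}


def _sign(issuer, cred):
    # Sign every field except the signature itself, in canonical key order.
    body = json.dumps({k: v for k, v in cred.items() if k != "sig"}, sort_keys=True)
    return hmac.new(KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()


def make_credential(kind, issuer, target, method, not_before, not_after, grantee=None):
    """kind is 'delegated' (bound to one grantee) or 'bearer' (usable by any caller)."""
    cred = {"kind": kind, "issuer": issuer, "grantee": grantee, "target": target,
            "method": method, "not_before": not_before, "not_after": not_after}
    cred["sig"] = _sign(issuer, cred)
    return cred


def may_i(acl, target, method, caller, cred, now):
    """Per-function MayI check for `target`: acl maps method name -> principals allowed to call it."""
    if cred["target"] != target or cred["method"] != method:
        return False  # credential covers a different object or method
    issuer = cred["issuer"]
    if issuer not in KEYS or not hmac.compare_digest(cred["sig"], _sign(issuer, cred)):
        return False  # unknown issuer, or forged/tampered credential
    if not cred["not_before"] <= now <= cred["not_after"]:
        return False  # outside the validity period
    if cred["kind"] == "delegated" and cred["grantee"] != caller:
        return False  # delegated right was granted to a different caller
    # Finally consult the target's own ACL: is the issuer allowed to invoke this method?
    return issuer in acl.get(method, set())
```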

  12. Scenario 1
  • Site isolation
    Problem: no matter how subverted any external site in the Legion system might be, no intruder can invoke methods on local Legion resources as Admin
    Solution:
    - start local Legion resources as a separate Legion domain
    - automatically enforce that no site-critical information leaks off-site by configuring an extra event handler, e.g. a handler for the message-send event that checks whether the ACL of the host object is being sent out; if so, the message is blocked and an exception is raised
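An added example (not Legion's code) of the configurable protocol stack from slide 5 and the extra message-send handler from Scenario 1: handlers are registered per event, and the site-isolation handler raises instead of letting a message carrying the host object's ACL leave the local domain. The domain name, the ACL contents and the "<domain>/<object>" address form are constructed assumptions.

```python
class MessageBlocked(Exception):
    """Raised by a message-send handler that refuses to let a message leave."""


class ProtocolStack:
    """Ordered event handlers; each handler receives the message and returns it (or raises)."""

    def __init__(self):
        self._handlers = {}

    def register(self, event, handler):
        self._handlers.setdefault(event, []).append(handler)

    def fire(self, event, msg):
        for handler in self._handlers.get(event, []):
            msg = handler(msg)
        return msg


LOCAL_DOMAIN = "siteA"                          # constructed local Legion domain name
HOST_ACL = {"foo": ["alice"], "bar": ["bob"]}   # constructed ACL of the local host object


def _contains(value, needle):
    """True if `needle` appears anywhere inside a nested dict/list payload."""
    if value == needle:
        return True
    if isinstance(value, dict):
        return any(_contains(v, needle) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(_contains(v, needle) for v in value)
    return False


def acl_leak_guard(msg):
    """message-send handler: block any message that would carry the host object's ACL off-site.
    Assumes a destination address of the form '<domain>/<object>' (a constructed convention)."""
    dest_domain = msg["to"].split("/", 1)[0]
    if dest_domain != LOCAL_DOMAIN and _contains(msg["payload"], HOST_ACL):
        raise MessageBlocked(f"host ACL would leave {LOCAL_DOMAIN} towards {msg['to']}")
    return msg


def build_stack():
    stack = ProtocolStack()
    stack.register("message-send", acl_leak_guard)   # the extra site-isolation handler
    return stack


def send(stack, msg):
    return stack.fire("message-send", msg)
```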

  13. Scenario 2
  • Site-wide required access control
    Problem:
    - a file object with no restrictions on which users can access the file it represents
    - a site wishes to enforce the policy that files may not be accessed by outside users
    Solution: use the local host object to control access to local resources. The site administrator can configure the ACL of the host object to limit the classes of objects that may run at the site.

  14. Scenario 3
  • Site selection policy
    Problem: which resource should execute my job?
    Solution: encode the site selection policy in the user's class manager objects

  15. Comparison
  • Resource proxy vs. host object
  • Delegating identity vs. delegating rights
  • No object-level control vs. MayI
