Grid security in NAREGI project
July 19, 2006, National Institute of Informatics, Japan
Shinichi Mineo
APAN Grid-Middleware Workshop 2006
Publication of scientific results from academia
Human Resource Development and strong organization
NAREGI Middleware
Virtual Organization for science
CyberScience Infrastructure for Advanced Science (by NII) to Innovate Academia and Industry
UPKI
Super-sinet: a next generation network infrastructure supported by NII and 7 National Computer Centers
CyberScience Infrastructure
Hokkaido University
Tohoku University
The University of Tokyo, NII
Nagoya University
Kyoto University
Osaka University
Kyushu University
(Tokyo Institute of Technology, Waseda University, High Energy Accelerator Research Organization (KEK), etc.)
Scientific Repository
Industry Liaison and Social Benefit
Global Contribution
Grid for enabling Collaborative Computing
Researchers
Experimental Devices: experiments using special devices
Super Computer: analysis using Super Computers
Data Base Server: search in data bases
University A, Overseas Lab B and Domestic Lab C, connected over Super SINET
Security is a key issue to be solved!
A Virtual Organization
To realize a heterogeneous large scale computational environment
To share large and expensive devices and data bases
Computing Centers & VOs
NII IMS KEK Univ. Centers
Globus 4 / NAREGI -- WSRF + Services Core
SuperSINET
Grid-Enabled Nano-Applications (WP6)
Grid PSE (WP3)
Grid Programming (WP2): Grid RPC, Grid MPI
Grid Vis (WP3)
Grid VM (WP1)
Packaging
Distributed Information Service (WP1)
Grid Workflow (WP3)
Super Scheduler (WP1)
High Performance & Secure Grid Networking (WP5)
Data Grid (WP4)
NAREGI Software Stack (Beta ver. 2006)
Computing Resource
GridVM
Accounting: CIM, UR/RUS
Resource Info.
Reservation, Submission, Query, Control…
Client
Concrete JSDL
Workflow
Abstract JSDL
Super Scheduler
Information Service
DAI
Resource Query
Reservation based Co-Allocation
GridMPI
WFT, PSE, GVS, GridRPC
A Use Case : Job Submission with Reservation based Co-Allocation
Future issues
Current Issues to be solved
Developed NAREGI-CA to be deployed in UPKI
Security Requirements in AAA
• Authentication
– PKI based user authentication
– Compatible with GSI standards
– Trust federation between CAs
• Authorization
– VO management for inter-organizational collaboration
– Interoperable with other Grid projects
• Accounting
– ID federation for authorization & traceability
– With privacy protection!
Virtual Organization
Organization A (Contract A, PKI domain): user 1 (VO Manager), user 2, user 3; service_a, service_b, service_c
Organization B (Contract B, PKI domain): user p, user q, user r; service_x, service_y, service_z
VO domain: user 1 (VO Manager), user p; service_a, service_c, service_x, service_y
Services and Users are exposed in a Virtual Organization
Virtual Organization and Security Domain
Definition of VO on GGF
• CAS (Community Authorization Service)
• VOMS (Virtual Organization Membership Service)
A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains.
VOMS-type VO Management developed in EGEE
User obtains a User Cert from the CA/RA (with CRL) and a Proxy Cert + VO attributes from VOMS (X.509 AC: DN, VO, Group, Role, Capability)
Grid Job Submission to an EGEE Grid site: GRAM, MK-gridmapfile, Gridmapfile (DN > pseudo accounts), GACL, LCAS (Policy Decision Point)
VOMS-type VO Management adopted in NAREGI
User obtains a User Cert from the CA/RA (with CRL) and a Proxy Cert + VO attributes from VOMS
Grid Job Submission to a NAREGI Grid site, managed by the Super Scheduler: GRAM, Account Mapping (Gridmapfile, Policy file; Policy Decision & Enforcement Point), Grid VM, Information Service (Policy Information Point; DN, VO info)
Certificates handling is too hard for users
Job Submission mechanism in NAREGI Middleware version
Client Environment: User Certificate and Private Key; Users log in
Portal Services (WFT, PSE, GVS): integrated and easy handling of VOMS and MyProxy
User Management Server (UMS): VOMS and MyProxy issue the VOMS Proxy Certificate
Workflow (WF) is passed via the WF Credential Repository and the SS client to The Super Scheduler (SS) by delegation
WF Credential is a user proxy cert passed through to the SS with the delegation protocol
The SS receives WF and deploys Grid jobs to GridVM by delegation
NAREGI’s Solution for VO and Job Management
• Adoption of VOMS for VO management– Using proxy certificates with VO attributes for the interoperability
with EGEE– GridVM is used instead of LCAS/LCMAPS
• Integration of MyProxy and VOMS servers– with UMS (User Management Server) to realize one-stop service
at the NAREGI Grid Portal– using gLite implemented at UMS to connect VOMS server
• Development of Workflow Credential Repository– User Proxy Certificates are used as Workflow Credential to
realize GSI delegation between the NAREGI Grid Portal and the Super Scheduler just in the same way as MyProxy.
– The Super Scheduler converts security protocols of job signature to GSI delegation.
Open Issues on VO Management
• Current Issues on VO management– VOMS platform
• gLite is running on GT2, while NAREGI middleware on GT4
– GridVM• Interoperability of authorization policy with other Grid projects is to be
realized.
– Proxy certificate renewal• Need to invent a new mechanism
• Future plan– Cooperation with GGF security area members to realize
interoperability with each other.– A proposal of new VO management methodology and trial of
reference implementation.
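The two VOMS-type slides above (a VOMS proxy carrying DN, VO, Group, Role and Capability; a Gridmapfile mapping the DN to a pseudo account; a policy file consulted at the Policy Decision & Enforcement Point) and the "proxy certificate renewal" open issue can be put together in one small model. The following is an added example written for this page, not NAREGI, EGEE or gLite code: the gridmapfile and policy-file syntax, the DNs, the account names and all function names are assumptions. It shows the order in which a site-side decision point rejects a request (expired proxy, unknown DN, VO attributes that do not permit the mapped account) and why a workflow that outlives its proxy fails at the first check.

```python
"""Constructed example (not NAREGI code): a VOMS-style account-mapping
decision as a Grid site's policy decision/enforcement point would make it.

It models three things the slides describe:
  * the gridmapfile that maps a certificate DN to a local pseudo account,
  * a VO policy keyed on VOMS attributes (VO, group, role, capability),
  * the proxy-lifetime check that makes proxy renewal an open issue.
File formats, DNs, account names and function names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed gridmapfile in the usual GSI layout: "<DN>" <local account>
GRIDMAPFILE = """
# DN -> pseudo account (PKI domain)
"/C=JP/O=NAREGI/OU=NII/CN=Alice Example" naregi001
"/C=JP/O=NAREGI/OU=IMS/CN=Bob Example"   naregi002
"""

# Constructed VO policy file (VO domain): FQAN prefix -> accounts it may use.
# A longer (more specific) prefix wins over a shorter one.
POLICYFILE = """
/naregi/nano/Role=admin   naregi001
/naregi/nano              naregi001,naregi002
"""

NOW = datetime(2006, 7, 19, 9, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass
class VomsProxy:
    """The attributes a VOMS proxy certificate carries in its X.509 AC."""
    dn: str
    vo: str
    group: str
    role: str = "NULL"
    capability: str = "NULL"
    not_after: datetime = NOW + timedelta(hours=12)

    def fqan(self):
        """Fully Qualified Attribute Name in the form VOMS prints it."""
        return f"{self.group}/Role={self.role}/Capability={self.capability}"


def _lines(text):
    # Yield non-empty, non-comment lines of a config file.
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_gridmap(text):
    """Parse '"DN" account' lines into a dict. DNs contain spaces, so the
    DN is the quoted part and the account is whatever follows it."""
    mapping = {}
    for line in _lines(text):
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError(f"malformed gridmap line: {line!r}")
        end = line.index('"', 1)
        mapping[line[1:end]] = line[end + 1:].strip()
    return mapping


def parse_policy(text):
    """Parse 'prefix account[,account...]' lines, most specific prefix first."""
    rules = []
    for line in _lines(text):
        prefix, accounts = line.split(None, 1)
        rules.append((prefix, {a.strip() for a in accounts.split(",")}))
    return sorted(rules, key=lambda r: len(r[0]), reverse=True)


def _matches(prefix, fqan):
    # Match whole path components, so /naregi/nano does not match /naregi/nanotech.
    return fqan == prefix or fqan.startswith(prefix + "/")


def decide(proxy, gridmap, policy, now=NOW):
    """Return (allowed, local_account_or_reason). The order mirrors the
    slide: certificate validity, DN mapping (PKI domain), VO attributes."""
    if proxy.not_after <= now:
        return False, "proxy certificate expired (needs renewal)"
    if not proxy.group.startswith("/" + proxy.vo):
        return False, "group does not belong to the proxy's VO"
    account = gridmap.get(proxy.dn)
    if account is None:
        return False, "DN not in gridmapfile"
    fqan = proxy.fqan()
    for prefix, accounts in policy:
        if _matches(prefix, fqan):
            if account in accounts:
                return True, account
            return False, f"{account} not permitted under {prefix}"
    return False, f"no VO policy for {fqan}"


def demo_decision(dn, group, role="NULL", hours_valid=12.0, vo="naregi"):
    """Convenience wrapper over the constructed files above."""
    proxy = VomsProxy(dn=dn, vo=vo, group=group, role=role,
                      not_after=NOW + timedelta(hours=hours_valid))
    return decide(proxy, parse_gridmap(GRIDMAPFILE), parse_policy(POLICYFILE))


if __name__ == "__main__":
    alice = "/C=JP/O=NAREGI/OU=NII/CN=Alice Example"
    print(demo_decision(alice, "/naregi/nano", role="admin"))    # (True, 'naregi001')
    print(demo_decision(alice, "/naregi/nano", hours_valid=-1))  # expired proxy
```

The proxy-lifetime check sits first on purpose: in the job flow on the previous slides the Super Scheduler holds a delegated copy of the user's proxy for the whole workflow, so a long-running workflow reaches GridVM with a proxy that has already expired unless something renews it, which is exactly the open issue listed above.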
AuthN&AuthZ Services in the future
User obtains a User Cert from the CA/RA (with CRL) and a Proxy Cert of User from MyProxy, then logs in at the Web Server
Web Server consults the Authentication & Authorization Service (SAML+XACML): Policy Decision Point and Policy Information Point, backed by VO Management, OCSP/XKMS and LDAP
Grid Job Submission goes through the Policy Enforcement Point: Super Scheduler, GRAM (Grid VM)
Summary
• NAREGI first developed a reliable authentication system, which will be deployed in the UPKI project.
• VO management was the second target, and VOMS has been adopted for interoperability with EGEE.
• NAREGI commits to OGSA and will contribute to the standardization of VO management in the Grid community.
• ID management still remains an open issue. GridShib or Liberty Alliance may be considered.