
Virtual Organizations and Community Authorization Service

Andrew A. Chien, May 19, 2004

UCSD CSE225

CSE225 Lecture #14

Administrivia

• Project Presentations, 6/11, 2-4pm, location TBD
• Next week:
  » 5/26 meet at regular time
  » 5/28 meet ½ hour early (4:30pm)


Last Time

• Globus Grid Security Architecture and Services
  » Requirements and alternative bases
  » Globus Security Infrastructure
    – Single Sign On
    – X.509 certificates
    – Translation to/from local identity
    – Proxy certificates and Restricted Delegation
  » What it enables
    – Transitive delegation
    – Third party access on your behalf
    – Limited loss if compromised, limited scope of delegation


Today’s Readings

• The Anatomy of the Grid: Enabling Scalable Virtual Organizations. I. Foster, C. Kesselman, S. Tuecke. International J. Supercomputer Applications, 15(3), 2001.

• A Community Authorization Service for Group Collaboration. L. Pearlman, V. Welch, I. Foster, C. Kesselman, S. Tuecke. Proceedings of the IEEE 3rd International Workshop on Policies for Distributed Systems and Networks, 2002.


Grid Definition

• “Grids involve coordinated resource sharing and problem-solving in dynamic, multi-institutional virtual organizations.”

• Umm…. Okay, so what is a grid really?
• Concrete examples… think about the sharing and security issues


Home Computers Evaluate AIDS Drugs

• Community =
  » 1000s of home computer users
  » Philanthropic computing vendor (Entropia)
  » Research group (Scripps)
• Common goal = advance AIDS research


Internet Desktop Grid

• Each Desktop in a separate administrative domain (essentially)

• Create a shared resource pool of workers
• Exploit to do a large-scale computation
• Need: access, protection?, authentication?, private communication?
• How many administrators? Certificates? What trust?


Mathematicians Solve NUG30

• Looking for the solution to the NUG30 quadratic assignment problem
• An informal collaboration of mathematicians and computer scientists
• Condor-G delivered 3.46E8 CPU seconds in 7 days (peak 1009 processors) in U.S. and Italy (8 sites)

14,5,28,24,1,3,16,15,10,9,21,2,4,29,25,22,13,26,17,30,6,20,19,8,18,7,27,12,11,23

MetaNEOS: Argonne, Iowa, Northwestern, Wisconsin


Enterprise(s) Desktop Grid

• Servers and Desktops in a shared administrative domain
  » Or sets of desktops in different administrative domains
• Create a shared resource pool of workers
• Exploit to do a large-scale computation
• Need: access, protection?, authentication?, private communication?
• How many administrators? Certificates? What trust?


Network for Earthquake Engineering Simulation

• NEESgrid: US national infrastructure to couple earthquake engineers with experimental facilities, databases, computers, & each other

• On-demand access to experiments, data streams, computing, archives, collaboration

NEESgrid: Argonne, Michigan, NCSA, UIUC, USC


Enterprises Grid - Computation

• Servers in multiple Administrative Domains
• Create a coordinated scheduling of a set of resources
  » Computers and unusual instruments/devices
• Communicate securely and with authentication amongst the entities
• Exploit to do distributed simulation
• Need: access, co-scheduling, protection, authentication, private communication?
• How many administrators? Certificates? What trust?

Data Grids for High Energy Physics (image courtesy Harvey Newman, Caltech)

[Figure: tiered data-grid topology. Labels recoverable from the diagram: Tier 0 (CERN Computer Centre, Online System, Offline Processor Farm ~20 TIPS, Physics data cache); Tier 1 (FermiLab ~4 TIPS, France Regional Centre, Italy Regional Centre, Germany Regional Centre); Tier 2 (Tier2 Centres ~1 TIPS each, Caltech ~1 TIPS); Institutes ~0.25 TIPS; Tier 4 (Physicist workstations). Link rates shown: ~PBytes/sec, ~100 MBytes/sec, ~622 Mbits/sec or Air Freight (deprecated), ~1 MBytes/sec.]

There is a “bunch crossing” every 25 nsecs. There are 100 “triggers” per second. Each triggered event is ~1 MByte in size.

Physicists work on analysis “channels”. Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server.

1 TIPS is approximately 25,000 SpecInt95 equivalents


Enterprises Grid – Data Sharing

• Servers in multiple Administrative Domains
• Create an integrated view of data
  » Dependent on access rights? What’s a view?
• Communicate securely and with authentication amongst the entities
• Access resources in coordinated fashion, and source/sink/move data for analysis
• Need: access control for data, protection, authentication, private communication
• How many administrators? Certificates? What trust?


The 13.6 TF TeraGrid: Distributed Computing at 40 Gb/s

[Figure: TeraGrid/DTF site diagram. Site Resources at NCSA/PACI (8 TF, 240 TB), SDSC (4.1 TF, 225 TB), Caltech and Argonne, with HPSS and UniTree archival storage, interconnected and attached to External Networks; the numbers 26, 24, 8, 5 and 4 appear as unlabelled annotations.]

TeraGrid/DTF: NCSA, SDSC, Caltech, Argonne www.teragrid.org


Virtual Organization

• Involves multiple organizations and security domains
• Users from multiple domains
• Resources from multiple domains
• Clashes and conflicts
• “Security Policy Overlay”
  » What does this mean?
• Cross-organizational activity


Virtual Organization Examples

• Consultants engaged by a car manufacturer to perform scenario evaluation for planning a new factory
• Industrial consortium bidding on a new aircraft RFP
• Crisis management team and the databases and simulation systems that they use to plan a response to an emergency situation
• Large international, multi-year high-energy physics collaboration
• Application, Storage, Cycle providers (and combinations)


Risks in using a Virtual Organization

• Outsiders get access to inappropriate data
• Internal data escapes
• Insiders get access to inappropriate data
• External data leaks in
• Someone causes local resource problems
• Someone causes remote resource problems
• More subtle information flow
• Dependence on other definers of identity
• … lots of risks …


VO as Realized by GSI

• Create global identities for each user (can elevate a local identity)
• Create local identities for each user on local resources
• Each domain defines global to local identity mappings (and reverse)
• Account grouping and Group accounts can be used within a domain
  » Audit challenges
  » Reverse mapping challenges
• How to determine access to a resource? Transitively?
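The global-to-local mapping above is what GSI's grid-mapfile expresses: each line holds a quoted certificate DN followed by one or more comma-separated local account names. The following is an added example, not code from the lecture or from Globus, that parses a constructed grid-mapfile and runs both the forward lookup a gatekeeper performs and the reverse lookup an auditor needs. The sample DNs and the shared `cse225` group account are constructed; the group account is there to show why the reverse mapping is ambiguous once several global identities share one local account.

```python
import re
from collections import defaultdict

# Constructed sample grid-mapfile (Globus format: "<DN>" account[,account...]).
# The cse225 entry is a group account shared by three global identities.
GRIDMAP = '''\
# constructed sample grid-mapfile
"/O=Grid/OU=UCSD/CN=Alice Smith" asmith
"/O=Grid/OU=UCSD/CN=Bob Jones" bjones,cse225
"/O=Grid/OU=ANL/CN=Carol White" cse225
"/O=Grid/OU=ANL/CN=Dave Brown" cse225
'''

LINE_RE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text):
    """Return {DN: [local accounts]} from grid-mapfile text; reject malformed lines."""
    forward = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = m.group(1), m.group(2).split(",")
        forward[dn] = accounts
    return forward


def local_identity(forward, dn, requested=None):
    """Forward mapping (global -> local).

    With no requested account the first listed account is used; a requested
    account is honoured only if it appears on the DN's list. Unknown DNs map to
    nothing, which is the deny-by-default behaviour a gatekeeper needs.
    """
    accounts = forward.get(dn)
    if accounts is None:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


def reverse_map(forward):
    """Reverse mapping (local -> global): every DN that may use each account."""
    rev = defaultdict(list)
    for dn, accounts in forward.items():
        for account in accounts:
            rev[account].append(dn)
    return dict(rev)


def audit_candidates(forward, local_account):
    """Who could have acted as this local account?

    For a personal account the answer is one DN; for a group account the answer
    is several, which is the audit challenge the slide refers to.
    """
    return sorted(reverse_map(forward).get(local_account, []))


if __name__ == "__main__":
    fwd = parse_gridmap(GRIDMAP)
    print(local_identity(fwd, "/O=Grid/OU=UCSD/CN=Bob Jones"))        # bjones
    print(audit_candidates(fwd, "cse225"))                             # three DNs
```

Reading a local audit log that records only `cse225` therefore cannot attribute an action to a single person without extra evidence (for example the gatekeeper's own log of which DN was mapped at connection time), which is the practical cost of group accounts under GSI.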


Examples

• Creating shared access to a set of compute resources
  » In one organization
  » In several organizations
• Creating shared access to a set of data resources
  » In one organization
  » In several organizations
• Transitive combinations of these?
• Users with identities in multiple organizations?


Discussion Questions

• How to define policy?
• How to administer?
• How modular?
• What level of effort?
• Who needs this?
• How far down is this worth taking?
• What alternatives?


Alternatives


Community Authorization Service

• Question: How does a large community grant its users access to a large set of resources?
  » Should minimize burden on both the users and resource providers
• Community Authorization Service (CAS)
  » Community negotiates access to resources
  » Resource outsources fine-grain authorization to CAS
  » Resource only knows about the “CAS user” credential
    – CAS handles user registration, group membership…
  » User who wants access to a resource asks CAS for a capability credential
    – Restricted proxy of the “CAS user” credential, checked by the resource


Community Authorization Service Prototype

[Figure: message flow between User, CAS and Resource.
1. CAS request, with resource names and operations (User to CAS). CAS asks: does the collective policy authorize this request for this user? It consults user/group membership, resource/collective membership and collective policy information.
2. CAS reply, with capability and resource CA info (CAS to User).
3. Resource request, authenticated with capability (User to Resource). Resource asks: is this request authorized for the CAS? Is this request authorized by the capability? It consults local policy information.
4. Resource reply (Resource to User).]


Community Authorization Service

• CAS provides the user community with the information needed to authenticate resources
  » Sent with the capability credential, used on connection with the resource
  » Resource identity (DN), CA
• This allows new resources/users (and their CAs) to be made available to a community through the CAS without action on the other user’s/resource’s part
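To make the four-step exchange and the two resource-side questions concrete, here is an added example, not the Globus CAS code and not from the paper. It stands in for the X.509 restricted proxy of the “CAS user” credential with an HMAC-signed JSON token so that it runs offline; the DNs, resources, group memberships, collective policy, local policy and signing key are all constructed. The CAS side answers “does the collective policy authorize this request for this user?” and ships the resource's DN and CA alongside the capability; the resource side answers both “is this request authorized by the capability?” and “is this request authorized for the CAS?” against its own local policy, which mentions only the CAS identity.

```python
import hashlib
import hmac
import json

# ---- CAS side: constructed community database ----
CAS_DN = "/O=Grid/CN=CAS user"              # the only identity the resource is configured to know
CAS_SECRET = b"constructed-cas-signing-key"  # stands in for the CAS user's private key

USER_GROUPS = {                               # user/group membership
    "/O=Grid/CN=Alice": {"analysts"},
    "/O=Grid/CN=Bob": {"guests"},
}
COLLECTIVE_RESOURCES = {"ftp.example.org", "hpc.example.org"}   # resource/collective membership
COLLECTIVE_POLICY = {                         # group -> resource -> permitted operations
    "analysts": {"ftp.example.org": {"read", "write"}, "hpc.example.org": {"submit"}},
    "guests":   {"ftp.example.org": {"read"}},
}
RESOURCE_CA_INFO = {                          # resource identity (DN) and CA, shipped with the capability
    "ftp.example.org": {"dn": "/O=Grid/CN=ftp.example.org", "ca": "/O=Grid/CN=Example CA"},
    "hpc.example.org": {"dn": "/O=Grid/CN=hpc.example.org", "ca": "/O=Grid/CN=Example CA"},
}


def _sign(payload):
    """HMAC over the canonical JSON payload (stand-in for the proxy signature)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(CAS_SECRET, body, hashlib.sha256).hexdigest()


def cas_request(user_dn, resource, operations, now, lifetime=3600):
    """Steps 1-2: user asks CAS for a capability; CAS checks the collective policy.

    Returns {"payload", "sig"} or None when the request exceeds what the user's
    groups are granted on that resource (CAS never issues a wider capability).
    """
    if resource not in COLLECTIVE_RESOURCES:
        return None
    granted = set()
    for group in USER_GROUPS.get(user_dn, set()):
        granted |= COLLECTIVE_POLICY.get(group, {}).get(resource, set())
    if not set(operations) <= granted:
        return None
    payload = {
        "issuer": CAS_DN,
        "subject": user_dn,                       # kept so the resource can log who acted
        "resource": resource,
        "operations": sorted(set(operations)),    # the restriction carried by the proxy
        "expires": now + lifetime,
        "resource_ca_info": RESOURCE_CA_INFO[resource],
    }
    return {"payload": payload, "sig": _sign(payload)}


# ---- Resource side: local policy only names the CAS identity ----
LOCAL_POLICY = {"ftp.example.org": {CAS_DN: {"read", "write"}}}


def resource_check(resource, capability, operation, now):
    """Steps 3-4: verify the capability, then apply the resource's local policy."""
    if capability is None:
        return False
    payload = capability["payload"]
    if not hmac.compare_digest(_sign(payload), capability["sig"]):
        return False                              # tampered, or not issued by CAS
    if payload["issuer"] != CAS_DN or payload["resource"] != resource:
        return False                              # capability is for another resource
    if payload["expires"] <= now:
        return False                              # expired
    if operation not in payload["operations"]:
        return False                              # not authorized by the capability
    allowed_for_cas = LOCAL_POLICY.get(resource, {}).get(payload["issuer"], set())
    return operation in allowed_for_cas           # authorized for the CAS under local policy?


if __name__ == "__main__":
    cap = cas_request("/O=Grid/CN=Alice", "ftp.example.org", ["read", "write"], now=1000)
    print(resource_check("ftp.example.org", cap, "write", now=1500))          # True
    print(cas_request("/O=Grid/CN=Bob", "ftp.example.org", ["write"], now=1000))  # None
```

Two cases in the test are worth noticing: a capability for `hpc.example.org` is issued by CAS but refused by that resource because its local policy never grants the CAS identity anything, so the resource's coarse-grained check still bounds what the community can delegate; and a capability whose operation list is edited after issue fails the signature check, which is what makes the restriction on the proxy trustworthy to the resource.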


Community Authorization Service Uses

• Avoid per-user administration activities (export to “group”)
• Advertise resources for anonymous use (utility)
• Compute? Data?
• Would an enterprise use a CAS?
• A public CAS?
• Could NPACI/Alliance?
• Why and why not?


Summary

• Grids are varied in structure and relationship
  » Internet Desktop Grid, Enterprise Grid
  » Compute Resource Oriented, Data Resource Oriented
• Virtual Organizations are a Security Policy Overlay
  » Notion of Virtual Organization is diverse
  » GSI can be used to build VOs based on individual identity
    – Challenges in administration: local/VO, management, lack of group identity
  » Community Authorization Service supports notion of group
    – Anonymous use, Group management
    – Lesser audit and no fine-grained control