Security and Certification Issues in Grid Computing


Presentation Transcript

Slide 1

Security and Certification Issues in Grid Computing
Ian Foster
Mathematics and Computer Science Division, Argonne National Laboratory
and Department of Computer Science, The University of Chicago
http://www.mcs.anl.gov/~foster
International Workshop on Certification and Security in E-Services (CSES 2002), Montreal, Canada, Aug 28

Slide 2

Partial Acknowledgments
Grid computing, Globus Project, and OGSA: Carl Kesselman @ USC/ISI, Steve Tuecke @ ANL; a talented group of researchers and developers at ANL, USC/ISI, and elsewhere (see www.globus.org)
Open Grid Services Architecture (OGSA): Karl Czajkowski @ USC/ISI; Jeff Nick, Steve Graham, Jeff Frey @ IBM; www.globus.org/ogsa
Grid security, OGSA Security, CAS: Frank Siebenlist, Von Welch, Laura Pearlman
Support from DOE, NASA, NSF, IBM, Microsoft

Slide 3

Overview
What is the Grid anyway? And what has it got to do with e-services?
Grid security & certification issues: the demands of virtual organizations, and the Grid approach to addressing those demands
Implementation approach: Globus Toolkit & Grid Security Infrastructure; Open Grid Services Architecture (OGSA); OGSA security architecture
Summary

Slide 5

E-Science: The Original Grid Driver
Pre-electronic science: theorize and/or experiment, in small teams
Post-electronic science: construct and mine large databases; develop computer simulations & analyses; access specialized devices remotely; exchange information within distributed multidisciplinary teams
Need to manage dynamic, distributed infrastructures, services, and applications

Slide 6

And Thus: The Grid
"Resource sharing & coordinated problem solving in dynamic, multi-institutional virtual organizations"

Slide 7

Grids at NASA: Aviation Safety
Diagram labels: Human Models; Wing Models (lift capabilities, drag capabilities, responsiveness); Stabilizer Models; Airframe Models (deflection capabilities, responsiveness); Crew Capabilities (accuracy, perception, stamina, reaction times, SOPs); Engine Models and Landing Gear Models (braking performance, steering capabilities, traction, dampening capabilities, thrust performance, reverse thrust performance, responsiveness, fuel consumption)

Slide 8

Life Sciences: Telemicroscopy
Diagram labels: data acquisition; processing, analysis; advanced visualization; network; computational resources; imaging instruments; large databases

Slide 9

Sloan Digital Sky Survey Analysis: Galaxy cluster size distribution
Chimera Virtual Data System + GriPhyN Virtual Data Toolkit + iVDGL Data Grid (many CPUs)
Size distribution of galaxy clusters?
www.griphyn.org/chimera

Slide 10

Data Grids for High Energy Physics
Diagram labels: ~PBytes/sec from the detector; Online System; ~100 MBytes/sec; Offline Processor Farm ~20 TIPS; Tier 0: CERN Computer Center; ~622 Mbits/sec or Air Freight (deprecated); Tier 1: FermiLab ~4 TIPS, France Regional Center, Germany Regional Center, Italy Regional Center; ~622 Mbits/sec; Tier 2: Tier2 Centers ~1 TIPS each, Caltech ~1 TIPS; HPSS; ~622 Mbits/sec; Institute ~0.25 TIPS, physics data cache, ~1 MBytes/sec; Tier 4: physicist workstations (Pentium II 300 MHz)
There is a "bunch crossing" every 25 nsecs. There are 100 "triggers" per second. Each triggered event is ~1 MByte in size.
1 TIPS is approximately 25,000 SpecInt95 equivalents.
Physicists work on analysis "channels". Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server.

Slide 11

Resource Sharing within "VOs" is Not Unique to Science!
Fragmentation of enterprise infrastructure, driven by cheap servers, fast networks, the ubiquitous Internet, and eBusiness workloads
Need to orchestrate distributed collections of services to deliver specified QoS
Virtualization: emerging service infrastructure, utility computing models, economies of scale
Services increasingly instantiated across the device continuum
B2B, B2C, C2C interactions

Slide 12

Virtualization and Distributed Service Management
Distributed management; resource & service aggregation; delivery of virtualized services with QoS guarantees; dynamic, secure service discovery & composition
Diagram labels (Device Continuum, from the user service locus outward): less capable, integrated, less connected; larger, more integrated, more connected, dynamically provisioned

Slide 13

Grid Computing
"Grid Computing" by M. Mitchell Waldrop, May 2002: Hook enough computers together and what do you get? A new kind of utility that offers supercomputer processing on tap. Is Internet history about to repeat itself?

Slide 14

Challenging Technical Requirements
Dynamic formation and management of virtual organizations
Discovery & online negotiation of access to services: who, what, why, when, how
Configuration of applications and systems able to deliver multiple qualities of service
Management of distributed state within infrastructures, services, and applications
Open, extensible, evolvable infrastructure

Slide 15

Challenging Technical Requirements
Dynamic formation and management of virtual organizations
Discovery & online negotiation of access to services: who, what, why, when, how
Configuration of applications and systems able to deliver multiple qualities of service
Management of distributed state within infrastructures, services, and applications
Open, extensible, evolvable infrastructure
Security and Certification Issues

Slide 16

Overview
What is the Grid anyway? And what has it got to do with e-services?
Grid security & certification issues: the demands of virtual organizations, and the Grid approach to addressing those demands
Implementation approach: Globus Toolkit & Grid Security Infrastructure; Open Grid Services Architecture (OGSA); OGSA security architecture
Summary

Slide 17

Grid Security & Certification
Challenges include: dynamic group membership and trust relationships within virtual organizations; complex computational structures extending beyond client-server: delegation; mission-critical applications and valuable resources
Issues include: cross-certification; mechanisms and credentials; distributed authorization; secure logging and audit

Slide 18

Cross-"Certification" Issue: No Cross-Domain Trust, Mismatch
Diagram labels: Certification Authority; Policy Authority; Domain A (Sub-Domain A1, Server X); Domain B (Sub-Domain B1, Server Y); Task

Slide 19

Cross-Certification
Cross-certification at the corporate level is difficult: legal implications, liability, management
Address trust at the user/resource level! Many business interactions don't require the involvement of the President/CEO ...
Virtual organization as bridge: federate through mutually trusted services; local policy authorities rule ...
Assertions language for trust relationships: WS-Trust, WS-Federation, WS-Policy

Slide 20

Grid Solution: Use Virtual Organization as Bridge
Diagram labels: Certification Authority; Policy Authority; Domain A (Sub-Domain A1, Server X); Domain B (Sub-Domain B1, Server Y); Task; No Cross-Domain Trust; Certification; Federation Service (common mechanism); Virtual Organization Domain

Slide 21

Mechanism and Credential Issue
Different mechanisms & credentials: X.509 vs. Kerberos; SSL vs. GSSAPI; X.509 vs. X.509 (different domains); X.509 attribute certs vs. SAML assertions
Need for a common mechanism: GSI-SecureConversation
Need for credential federation services: obtain X.509 creds with a Kerberos ticket; obtain a Kerberos ticket with X.509 creds; cross X.509 or Kerberos domains/realms

Slide 22

Example: Kerberos-X.509 Federation
Requestor: Kerberos realm
Server: X.509-based domain (only authenticates requestors with X.509 creds)
VO provides a Kerberos-CA federation service: it has a Kerberos identity within the requestor's realm; the Kerb-CA cert is trusted within the server-side VO; the Kerb-CA issues (short-lived) X.509 certs that assert the requestor's Kerberos principal name
Requestor's runtime is "X.509-enabled"
Server's access control policy within the VO is based on the requestor's Kerberos principal name

Slide 23

Kerberos-X.509 Federation Service
Diagram labels: Kerberos Realm; X.509 Domain; Kerberos-CA Svc; Policy Authority; Kerberos Ticket; trusts Krb-CA issued certs; enforcement on requestor's X.509 cert key name; X.509 secured protocol; Requestor; Server; Virtual Organization Domain
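The flow on slides 22 and 23, modelled in Python as an added illustration (this is not Globus or Kerb-CA code). The Kerberos ticket is a dict the Kerb-CA treats as already authenticated, the X.509 signature is stood in for by an HMAC under a constructed key, and the server policy keyed on Kerberos principal names is invented for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: an HMAC key plays the Kerb-CA's X.509 signing key.
KERB_CA_KEY = b"kerb-ca-signing-key"
KERB_CA_DN = "CN=Kerb-CA,O=VO"          # the issuer the server-side VO trusts
REQUESTOR_REALM = "REQUESTOR.REALM"     # realm in which the Kerb-CA has an identity
CERT_LIFETIME = 3600                    # short-lived cert: one hour

# Server's access-control policy within the VO, keyed on the asserted
# Kerberos principal name (constructed example policy).
SERVER_POLICY = {
    "alice@REQUESTOR.REALM": {"read"},
    "bob@REQUESTOR.REALM": {"read", "write"},
}


def _tag(body: dict, key: bytes) -> str:
    """Stand-in for a certificate signature: HMAC over the canonical body."""
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def kerb_ca_issue(ticket: dict, now: float, key: bytes = KERB_CA_KEY) -> dict:
    """Kerb-CA federation service: accept a ticket from the requestor's realm
    and issue a short-lived 'X.509 cert' asserting the Kerberos principal name."""
    if ticket.get("realm") != REQUESTOR_REALM:
        raise ValueError("ticket is from a realm the Kerb-CA does not serve")
    body = {
        "issuer": KERB_CA_DN,
        "kerberos_principal": ticket["principal"],
        "not_before": now,
        "not_after": now + CERT_LIFETIME,
    }
    return {"body": body, "tag": _tag(body, key)}


def server_authorize(cert: dict, action: str, now: float) -> bool:
    """Server in the X.509 domain: trust only Kerb-CA issued, unexpired certs,
    then apply the VO policy to the principal name the cert asserts."""
    body = cert["body"]
    if body.get("issuer") != KERB_CA_DN:
        return False
    if not hmac.compare_digest(cert["tag"], _tag(body, KERB_CA_KEY)):
        return False
    if not body["not_before"] <= now < body["not_after"]:
        return False
    return action in SERVER_POLICY.get(body["kerberos_principal"], set())
```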

Slide 24

Grid Authorization/Policy Issue
Resources may not know external requestors: this impairs fine-grained policy administration
Outsource policy administration to the requestor's sub-domain: this enables fine-grained policy
"Community Authorization Service" (CAS): the resource owner sets coarse-grained policy rules for the remote domain on the "CAS identity"; the CAS sets policy rules for its local users; requestors obtain capabilities from their local CAS that get enforced at the resource

Slide 25

Community Authorization Service
Diagram labels: Domain A (Sub-Domain A1); Domain B (Sub-Domain B1); Policy Authority; Community Authorization Svc; enforcement on CAS identity and "trusted" requestor's capabilities; capability assertions; request + CAS assertions; Server; Requestor; Virtual Organization Domain
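The two-level CAS authorization on slides 24 and 25, modelled in Python as an added illustration (not the Globus CAS implementation). The CAS signature is stood in for by an HMAC under a constructed key, and both policies are invented for the example; the point shown is that the resource enforces a request only where the CAS grant and the owner's coarse-grained grant to the CAS identity both allow it.

```python
import hashlib
import hmac
import json
from fnmatch import fnmatch

CAS_DN = "CN=CAS,O=VO"
CAS_KEY = b"cas-signing-key"   # constructed stand-in for the CAS signing credential

# Resource owner's coarse-grained policy: what the CAS identity as a whole may
# do on this resource (constructed example).
RESOURCE_POLICY = {CAS_DN: [("read", "/data/*"), ("write", "/scratch/*")]}

# CAS's fine-grained policy for its local community members (constructed).
CAS_POLICY = {
    "alice": [("read", "/data/alice/*")],
    "bob": [("read", "/data/*"), ("write", "/scratch/bob/*"), ("write", "/data/bob/*")],
}


def _tag(body: dict, key: bytes) -> str:
    """Stand-in for the signature on a capability assertion."""
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def cas_issue_capability(user: str) -> dict:
    """CAS: give a local user a signed assertion listing the rights CAS grants."""
    body = {"issuer": CAS_DN, "subject": user, "rights": CAS_POLICY.get(user, [])}
    return {"body": body, "tag": _tag(body, CAS_KEY)}


def _permits(rules, action: str, path: str) -> bool:
    return any(a == action and fnmatch(path, pattern) for a, pattern in rules)


def resource_enforce(capability: dict, action: str, path: str) -> bool:
    """Resource: accept only CAS-signed assertions, then require the request to
    fall inside BOTH the CAS grant and the owner's coarse-grained grant."""
    body = capability["body"]
    if body.get("issuer") not in RESOURCE_POLICY:
        return False
    if not hmac.compare_digest(capability["tag"], _tag(body, CAS_KEY)):
        return False
    cas_ok = _permits(body["rights"], action, path)
    owner_ok = _permits(RESOURCE_POLICY[body["issuer"]], action, path)
    return cas_ok and owner_ok
```

A grant the CAS makes outside the owner's coarse-grained rules (bob's write under /data/) is refused at the resource, and a capability whose rights were altered after issue fails the signature check.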

Slide 26

Security Services & VO
Diagram labels: Requestor's Domain; Service Provider's Domain; Trust Service; Attribute Service; Authorization Service; Audit/Privacy Service; Secure-Logging Service; Credential Validation Service; Bridge/Transla
