Presentation is loading. Please wait.

Presentation is loading. Please wait.

Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.

Published byStuart Chandler Modified over 9 years ago

Similar presentations

Presentation on theme: "Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat."— Presentation transcript:

1 Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat de Barcelona) on behalf of the LHCb DIRAC team Distributed Secure Framework Payload and proxies DIRAC has to make sure the user payload runs under the user credential. DIRAC stores the user proxy and takes it to the resource where the user payload will run. All the proxy managing is done under a very strict security schema to minimize the damage that a stolen proxy may cause. The way DIRAC does it is the following: 1.A user uploads a proxy with the group embedded to the Proxy Manager and then submits a job to DIRAC. 2.In order to submit pilot jobs to the resources, the Pilot Director downloads a non-limited proxy using its own credential, and requests a proxy token. This token will have to be presented by the pilot job to be able to retrieve the real user proxy. 3.When the Job Agent matches a job to run in the resource, it downloads the payload proxy using its own credentials and token. Before the payload starts to run the payload environment is changed, so the payload automatically only sees the user proxy. Pilot proxies have a special DIRAC group embedded. They can only belong to a very restricted set of users. See [108] by R. Graciani et al. for more information about pilot jobs. Proxy management DIRAC has its own component for managing proxies. The Proxy Manager is a repository where users can upload their proxies. It will be used later on by all DIRAC components that require a user proxy. All proxy movements through the network are done through delegation. The Proxy Manager can use other grid middleware proxy management components to enhance its functionality. For instance it can use VOMS to add the required attributes to a proxy. DIRAC only keeps a short-lived user proxy in the system. Typically user’s proxy life time is shorter that the time a user job stays in the system, and DIRAC needs to keep the proxy alive while the job is in the system. That requires DIRAC to extend the proxies in the system that are about to expire. The DIRAC Proxy Management system talks to the MyProxy service and request new proxies for those about to expire when needed. Permissions and proxies Not all users are allowed to perform all actions. DIRAC implements a authorization schema to decide if a given entity can execute an action. All actions have a set of valid properties. The requesting entities have to present at least one allowed property for that action. All users in DIRAC are assigned to a set of groups depending on their privileges, and each group has a set of properties. At any time a given user can only act using one of his/her groups. Users define under which group they want to act by embedding the group in their proxy. DIRAC provides this functionality when creating a new proxy. Thus having the group signed directly by the user, the user group cannot be changed (or added if it’s not there) after the proxy has been created. DIRAC Service User proxy DIRAC Group User Configuration Service Users info Groups definition Authorization rules DN valid? DENY User in group? Group has a valid property? NO YES EXECUTE Configuration Service Users info Groups definition Authorization rules DIRAC Component Cache DIRAC Component Cache DIRAC Client DISET DIRAC Client DISET DIRAC Security Framework All DIRAC components rely on a low level framework that provides the necessary basic functionality. This framework contains: DISET: DIRAC’s secure communication protocol for RPC and file transfer Configuration System: Providing redundant distributed mechanism for configuration and service discovery. All DIRAC connections are handled by DISET. DISET uses OpenSSL through a custom python binding (derived from pyOpenSSL). This provides grid authentication and encryption, using X509 certificates and grid proxies. User Proxy Manager Proxy Job Manager Jobs DB Pilot Director Job Pilot proxies Proxy tokens Resource Pilot job Job Agent Payload proxy Proxy token User payload Output 1 Proxy token 2 3 User Proxy Manager Short-lived proxy MyProxy Long-lived proxy DIRAC Component User proxy Proxy repository Extended proxy VOMS VOMS extensions

Download ppt "Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.

1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.
Mechanisms to Secure x.509 Grid Certificates Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.

Mechanisms to Secure x.509 Grid Certificates Andrew Hanushevsky Robert Cowles Stanford Linear Accelerator Center.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug 2009 1.

Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
DIRAC Web User Interface A.Casajus (Universitat de Barcelona) M.Sapunov (CPPM Marseille) On behalf of the LHCb DIRAC Team.

DIRAC Web User Interface A.Casajus (Universitat de Barcelona) M.Sapunov (CPPM Marseille) On behalf of the LHCb DIRAC Team.
Survey of Identity Repository Security Models JSR 351, Sep 2012.

Survey of Identity Repository Security Models JSR 351, Sep 2012.

Similar presentations

Ads by Google