Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Globus TK4 experiment for image data processing : security architecture,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Globus TK4 experiment for image data processing : security architecture,"— Presentation transcript:

1 1 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Globus TK4 experiment for image data processing : security architecture, Cnes feedbacks Anne Jean-Antoine Piccolo

2 2 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Introduction A Grid architecture is such a distributed architecture. ëFrom a logical view, 4 sub–systems compose a grid: administration (software and hardware allocation & administration, VO management) job management (user requests analysis, resource allocation & status monitoring, workflow execution) job processing (storage and processing facilities, file handlers, data transfer tools) security (user access control, data flow security, event monitoring). Here, we focus on the security subsystem. ëSpecific security requirements analysis derived from CNES high level security requirements applicable to a CNES designed system defined on a distributed architecture allowing users from different organizations : - to work according to a collaborative schema - to share resources.

3 3 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Grid overall architecture (target)

4 4 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Security studies : the following methodology ëCNES led security studies based on the previous target architecture according to the classical methodology : 1. Consequences assessment : comparison between security criteria (availability, integrity, confidentiality, imputability) and sensitive levels (no impact, minor, major, critical, vital) for user data, grid management data and security data. 2. Threads analysis. 3. Risks analysis and a first security objective definition in term of network security, data and software integrity, processing control & monitoring, I&A, authorization, data flow, data protection, and so on … 4. Risks covered by security objectives ? 5. Security architecture : a first proposal => functional requirements in term of security (ISO/IEC 15408) 6. List of non recovered risks

5 5 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Global security needs to be reached ëNeeds issued from « Virtual Organization » : Protection of their resources (user data and software), Availability of the grid infrastructure hosting their resources (for user request processing). ëNeeds issued from providers of grid resources : Grid resource under full control of local administrators, Security of resources which are not provided for grids => need to isolate these resources regarding grid ones.

6 6 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Identification of Grid Context (1/2) ëGrid use cases : user requests for accessing computing software implemented on CNES machines  Previously known resources (software or data) before request processing,  Resources have to be dynamically allocated step by step. user requests for accessing VO resources (software, data) and CNES resources (servers) resulting in data backward transfers (e.g. computing results) : a command flow in input and a data flow in output, user requests for accessing resources (software, data) located outside CNES. Resulting security concerns authentication of user requests and of jobs running on behalf of the user, integrity of software and data implemented on CNES resources, control of dynamically accessed resources, data in/out transfers, isolation of CNES resources regarding VOs, except of resources formally designated as accessible to users.

7 7 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Identification of Grid Context (2/2) Resource classification systems supporting tools and services devoted to grid utilization systems devoted to grid management: authentication, authorization, allocation, information user workstations located outside CNES network protocols for - Calling remote request - Cascading authentication (SSL/TLS with delegation) - Routing and localization service or node (OSPF, DNS) - Transferring files (e.g. ftp, gridftp) - Transferring data (e.g. http/SOAP) - Accessing security data (e.g. LDAP) - Information notification - communications between grid management services (depend on the grid middleware)

8 8 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Architecture overview : CS recommandations

9 9 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Chistera over Globus GT4 : experiment configuration CNES local network IPCOP Objective : to experiment Globus through a firewall and test the security architecture feasibility (simulate an extra grid).

10 10 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Summary of traffic characteristics for Globus GT4 ëIf Globus is behind a firewall then some ports need to be opened : 2119 (gatekeeper), 2811 (gridftp) and 2135 (GIS). ëGlobus will also need a range of ports opened for GASS (Global Access to Secondary Storage) to inform Globus of the port range you need to set the GLOBUS_TCP_PORT_RANGE variable in “xinetd” files and user start up scripts. ëThe size of the port range depends on how many services are expected – generally a range of couple of thousand should be necessary.

11 11 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Summary of traffic characteristics for Globus GT4 (*) CEP: Controllable ephemeral port (*) TCP Transmission Control protocol

12 12 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department A Chistera processing demonstration CHISTERA Processing Synoptic of High Resolution Processing High resolution product Intermediate product ëIntegrated into the Spot 5 user ground segment

13 13 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Chistera monitoring using GRAM Commands Master Image splitting Data sending and command monitoring Image gathering and assembly Data Reception Commands monitoring CHISTERA treatment Results sending Data transfer : globus-url-copy Control transfer : globus-job-run Slaves Data Reception Command monitoring CHISTERA treatment Result sending

14 14 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Chistera monitoring using GRAM Commands Master GT4 Client Data transfer : globus-url-copy Remote Processing : globus-job-run Slaves GRAM Server GridFTP Server GRAM Server GridFTP Server

15 15 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Chistera monitoring using GRAM Commands Open Ports: CEP CNES internal network

16 16 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Chistera monitoring using web services WSRF Master Image splitting Creation of job descriptions (XML) XML files sending Assembly XML file reception Container processing XML file reception Container processing XML job submission : globusrun-ws Slaves/Containers

17 17 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Chistera monitoring using web services WSRF Master GridFTP Server GT4 Client GT4 web service container Soumission de job XML: globusrun-ws Slaves/Containers

18 18 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Chistera monitoring using web services WSRF Open Ports: 2811/tcp CEP CNES internal network

19 19 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Firewall consequences on transfer time : first results Image processingTransfer with FirewallTransfer without FirewallRatio (364x364) 280 s50 s17 s2.9 (12000 x 12000) 1950 s2446 s110 s22.2 ë Globus feasibility through cascading firewalls proved, ë  Not very compliant with performance requirements (explain why ?) => a user recommendation can be to define a complete workflow avoiding several requests from outside

20 20 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department CPU charge Spliting phaseAssembly Imalise1 Treatment Imalise2 Solex

21 21 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department CNES feedbacks ë Some technical results reached and a strong involvement of CS company in the R&D project, ë A promising technology for future distributed ground segment if we adjust architecture design and project needs, ë A good collaboration between the CS company and the Cnes security experts, ë  Grid technology trends needs expertise in different fields : security, middleware, architecture design, … (not always available in our organization !), ë  A weak involvement from the Cnes directors yet => a strong need to be supported if we want GRID succeeds and be used in our future projects.

Download ppt "1 GRID Workshop – Toulouse IAS – October 20th Ground segment & products Department Globus TK4 experiment for image data processing : security architecture,"

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
GridPP7 - 02 July 2003Stefan StonjekSlide 1 SAM middleware components Stefan Stonjek University of Oxford 7 th GridPP Meeting 02 nd July 2003 Oxford.

GridPP July 2003Stefan StonjekSlide 1 SAM middleware components Stefan Stonjek University of Oxford 7 th GridPP Meeting 02 nd July 2003 Oxford.
The Anatomy of the Grid: An Integrated View of Grid Architecture Carl Kesselman USC/Information Sciences Institute Ian Foster, Steve Tuecke Argonne National.

The Anatomy of the Grid: An Integrated View of Grid Architecture Carl Kesselman USC/Information Sciences Institute Ian Foster, Steve Tuecke Argonne National.
Database Architectures and the Web

Database Architectures and the Web
Distributed Systems basics www.smartphonetech.org.

Distributed Systems basics
4/2/2002HEP Globus Testing Request - Jae Yu x2814 1 Participating in Globus Test-bed Activity for DØGrid UTA HEP group is playing a leading role in establishing.

4/2/2002HEP Globus Testing Request - Jae Yu x Participating in Globus Test-bed Activity for DØGrid UTA HEP group is playing a leading role in establishing.
A Computation Management Agent for Multi-Institutional Grids

A Computation Management Agent for Multi-Institutional Grids
Seminar Grid Computing ‘05 Hui Li Sep 19, 2005. Overview Brief Introduction Presentations Projects Remarks.

Seminar Grid Computing ‘05 Hui Li Sep 19, Overview Brief Introduction Presentations Projects Remarks.
Chapter 19: Network Management Business Data Communications, 4e.

Chapter 19: Network Management Business Data Communications, 4e.
USING THE GLOBUS TOOLKIT This summary by: Asad Samar / CALTECH/CMS Ben Segal / CERN-IT FULL INFO AT:

USING THE GLOBUS TOOLKIT This summary by: Asad Samar / CALTECH/CMS Ben Segal / CERN-IT FULL INFO AT:
Office of Science U.S. Department of Energy Grids and Portals at NERSC Presented by Steve Chan.

Office of Science U.S. Department of Energy Grids and Portals at NERSC Presented by Steve Chan.
1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.

1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.
Milos Kobliha Alejandro Cimadevilla Luis de Alba Parallel Computing Seminar GROUP 12.

Milos Kobliha Alejandro Cimadevilla Luis de Alba Parallel Computing Seminar GROUP 12.
4b.1 Grid Computing Software Components of Globus 4.0 ITCS 4010 Grid Computing, 2005, UNC-Charlotte, B. Wilkinson, slides 4b.

4b.1 Grid Computing Software Components of Globus 4.0 ITCS 4010 Grid Computing, 2005, UNC-Charlotte, B. Wilkinson, slides 4b.
Systems Analysis and Design in a Changing World, 6th Edition 1 Chapter 6.

Systems Analysis and Design in a Changing World, 6th Edition 1 Chapter 6.
Grids and Globus at BNL Presented by John Scott Leita.

Grids and Globus at BNL Presented by John Scott Leita.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Grid Information Systems. Two grid information problems Two problems  Monitoring  Discovery We can use similar techniques for both.

Grid Information Systems. Two grid information problems Two problems  Monitoring  Discovery We can use similar techniques for both.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 12 Slide 1 Distributed Systems Architectures.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 12 Slide 1 Distributed Systems Architectures.
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation

Similar presentations

Ads by Google