Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA.

Published byKristopher McLaughlin Modified over 8 years ago

Similar presentations

Presentation on theme: "Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA."— Presentation transcript:

1 Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA

2 Outline MGRID: Background and Motivation MGRID Architecture NTAP: A Grid Application Distributed Authorization Issues What's Next

3 MGRID Michigan Grid Research and Infrastructure Development is a collaborative effort of many parts of the University of Michigan focused on developing and deploying grid computing for the University of Michigan. –Characterize and optimize the UM network –Assist in the development of Grid security middleware –Determine the requirements for a production Grid site within the UM –Develop and test Grid Applications

4 Why MGRID Multiple Grid efforts at the U of M –Clusters –Automated network configuration and testing –Remote instrument operation Middleware issues are difficult –Single solution –Leverage existing security services Potentially large user base for Grid services

5 U of M Security Services Uniqname –Unique campus wide user name and UID Kerberos V5 (multiple cells) KX509 Group Services –AFS PTS –LDAP (email groups)

6 MGRID Architecture mod ssl mod kx509 mod kct CHEF Apache Tomcat KCT GateKeeper Service Grid Service KCA Browser kx509 libpkcs11 kinit User Workstation KDC Kerberos V5 SSL – Client Certificate required GSI Kerberos Grid-Mapfile LDAP SASL Web Server 1 2 3 4 5 6 7 6 Group Services Resource Mng Authorization 8 mod jk mod php

7 MGRID Portal Proxy KX509 credentials, keep the Globus client off workstations Ease of use for U of M faculty, staff, and students –Kerberos + kx509 + browser = Grid access Single point for PKI management –CA self-signed keys –CA policy files Single entry point for MGRID services

8 MGRID Portal User workstation –KX509 to obtain user X509 credentials –KX509 Certificate available to browser Additions to OpenSSL, required on Web Server –SSL handshake recorded Web server SSL configured to require user X509 credentials

9 MGRID Portal SSL Handshake transcript –Contains all packets exchanged –Allows KCT to repeat user certificate verification –Handshake time stamp used Apache module, mod_kct –Sends ssl handshake transcript to KCT service –Requests KCA Kerberos service ticket

10 MGRID Portal Apache module, mod_kx509 –Uses the KCA TGS –Obtains user proxy KX509 credentials –Places them in a ticket file Apache module, mod_php –Creates RSL, uses KX509 credentials CHEF runs in Tomcat –Communicates with Apache through mod_jk –Creates RSL, uses KX509 or MyProxy credentials

11 MGRID Architecture mod ssl mod kx509 mod kct CHEF Apache Tomcat KCT GateKeeper Service Grid Service KCA Browser kx509 libpkcs11 kinit User Workstation KDC Kerberos V5 SSL – Client Certificate required GSI Kerberos Grid-Mapfile LDAP SASL Web Server 1 2 3 4 5 6 7 6 Group Services Resource Mng Authorization 8 mod jk mod php

12 MGRID NTAP Project NTAP: Network Testing and Performance Globus Service to run network test and performance tools Purpose: Help build and maintain a secure and functional network at UMICH Runs on multi homed nodes placed in a VLANed network

13 MGRID NTAP Architecture Web Portal Router 1 Host A Router 2Router 3 Host B NTAP 1NTAP 2NTAP 3 GSI Group Services

14 MGRID NTAP Project Based on GARA: General-purpose Architecture for Reservation and Allocation GARA bandwidth reservation –Adds and removes configuration stanza's in network hardware –Includes scheduler for future reservations Security of communications and the ability to support roles is required

15 MGRID NTAP Project Added fine grained authorization Added signed group membership RSL payload Extended bandwidth reservation to be able to run arbitrary programs at a Grid service endpoint Designed to easily add functionality Network testing tools being run –Iperf, traceroute, ping, owamp, etc

16 MGRID NTAP Architecture Web Portal Router 1 Host A Router 2Router 3 Host B NTAP 1NTAP 2NTAP 3 GSI Group Services Local Domain

17 Cross-domain Authorization Implemented with Policy based software Policy engine makes authorization decision –Input are matched against resource specific policy rules –Input attribute names are matched to policy attribute names by a string compare Cross-domain attribute name space is therefore required

18 Cross-domain Authorization Attributes include –Group membership from group services –Resource request parameters: bandwidth, number of CPU's, etc from RSL –Environment parameters: time of day, CPU load, etc Use of existing local group services is required –U of M has 100,000+ active uniqnames to manage –Avoid replicating data and management tasks

19 Cross-domain Authorization Our first design in use today uses a modular group membership call-out and the KeyNote Policy Engine Group membership determined by –Secure RX call to AFS PTS Fine-grained authorization expressed in KeyNote policy rules Works across U of M campus

20 MGRID Architecture mod ssl mod kx509 mod kct CHEF Apache Tomcat KCT GateKeeper Service Grid Service KCA Browser kx509 libpkcs11 kinit User Workstation KDC Kerberos V5 SSL – Client Certificate required GSI Kerberos Grid-Mapfile LDAP SASL Web Server 1 2 3 4 5 6 7 6 Group Services Resource Mng Authorization 8 mod jk mod php

21 Authorization: Where? Earlier is better At the portal –RSL, group membership, and some environment attributes available –Can remove load from Grid Service At the Grid Service –Needed when policy has components that can only be satisfied at end service Both (divided policy)

22 PERMIS Similar functionality to KeyNote –Attributes and policy rules Follows XACML standard Signed policy stored in LDAP Signed user attributes stored in LDAP –Current design requires new database of users

23 MGRID: Whats Next? Use XACML to exchange authorization data –XACML front end to existing UMICH group services Replace grid-mapfile with LDAP call out –Central administration –Dynamic local cluster accounts Investigate NFSv4 as a grid file system

24 Summary Kx509, CHEF, and PERMIS (XACML) NMI components are being integrated and tested by MGRID We would like mod_kct and mod_kca to be considered for NMI-5 Construction and management of a shared attribute name space is the largest problem facing cross-domain authorization

25 http://mgrid.umich.edu Any Questions?

Download ppt "Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA."

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
ICS 434 Advanced Database Systems

ICS 434 Advanced Database Systems
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
The Anatomy of the Grid: An Integrated View of Grid Architecture Carl Kesselman USC/Information Sciences Institute Ian Foster, Steve Tuecke Argonne National.

The Anatomy of the Grid: An Integrated View of Grid Architecture Carl Kesselman USC/Information Sciences Institute Ian Foster, Steve Tuecke Argonne National.
Using the Collaborative Tools in NEESgrid Charles Severance University of Michigan.

Using the Collaborative Tools in NEESgrid Charles Severance University of Michigan.
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005.

Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005.
Secure Network Performance Testing using SeRIF Dr. Charles J. Antonelli Center for Information Technology Integration University of Michigan Winter 2006.

Secure Network Performance Testing using SeRIF Dr. Charles J. Antonelli Center for Information Technology Integration University of Michigan Winter 2006.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.

Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Authenticated QoS Project Overview Andy Adamson Research Investigator Center for Information Technology Integration University of Michigan Ann Arbor.

Authenticated QoS Project Overview Andy Adamson Research Investigator Center for Information Technology Integration University of Michigan Ann Arbor.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Similar presentations

Ads by Google