The VEGA Approach to Grid Security Grid System Software Group, ICT, CAS 2005-4-11 --Security In VEGA GOS v2 Li ZHA


Slide 1: The VEGA Approach to Grid Security -- Security In VEGA GOS v2
Grid System Software Group, ICT, CAS
2005-4-11
Li ZHA, char@ict.ac.cn

Slide 2: Outline
Background of VEGA GOS
Motivations And Goals
Security In VEGA GOS
 VEGA GOS Architecture
 Grid Security Mechanism
Key Approaches
 WS-Security Implementation
 Agora (VO, Community) Based Authorization
 Runtime construct (Grip, Grid Process) for secured accessing the service
Hosting Environment And Deployment
Conclusion And Roadmap

Slide 3: Background of VEGA GOS
Background
 Grid related research and the VEGA brand at ICT since 1999
 Part of the Grid Software program supported by the China Ministry of Science and Technology 863 program (2002~2005)
Goals
 Support multiple geographically distributed grid nodes (HPC centers)
 Sharing mechanism and framework for computing, data, software and combined resources
 Provide secure, uniform and friendly interfaces for accessing scientific computing and information services
Research
 Focus on 4 key issues and aim at minimal common requirements: Naming, Process/States, VO, Programming
 Focus on implementation architecture, not protocols/services
   Use a computer systems approach, not a middleware or network approach
   Use the SOA concept

Slide 4: Application Scope of VEGA GOS (diagram)
VEGA GOS sits between distributed resources and services and the application areas shown: science research, manufacturing, resources and environment, weather forecast.

Slide 5: Motivations And Goals -- What is needed
In a grid environment, security should solve or cover:
 Traditional security issues such as authentication, access control, information integrity and information privacy (according to the OSI security architecture)
 Grid authentication
   Single Sign On
 Grid authorization
   Adapt to loosely coupled or de-coupled architectures
   Access control decided by the resource owner or provider
 Communication security guarantees
   Adopt open and standardized protection mechanisms (signature, encryption, etc.)
 Should all this security information be kept separate or put together? If together, how?

Slide 6: Motivations And Goals -- More concrete
Integrate security with Web services and VEGA GOS
 Independent of service implementations (utilizing the handler-chain mechanism at the client and service sides)
Conform to existing security standards
 X.509 (for authentication)
 SAML (for authorization)
 WS-Security implementation (for a service-oriented security architecture)
 Standard signature and encryption algorithms
Ensure mutual security at both the user and resource sides
 User and service MUST both have certificates
Separate authorization from authentication
 Token-based authorization (tokens are dynamically issued by the Authorization Authority in the Agora)
 The GOS context (Agora id, cert/proxy cert and token) is added to each SOAP message when accessing a service
Keep resources autonomous
 Access control is implemented at the resource side with interfaces that can be customized
 Multiple-granularity access control based on the authorization token

Slide 7: VEGA GOS v2 Architecture (hierarchical) (diagram)

Slide 8: Security Mechanism In VEGA GOS v2 (diagram)
Legend: uCert = user cert, u_p = proxy cert, uTK = authorization token.
Components shown: Browser, Grid Portal (Grid Portal Engine), CA, Grip Container Service, Agora Service (User Mgmt. Service, Resource Mgmt. Service, AA Service), Grid Application, Physical Services.
Annotated flows: the browser uses uid/pass at the Grid Portal; the portal engine loads the proxy cert into the grip and uploads the proxy cert to the Agora; the AA Service issues uTK; the grip and grid applications call Physical Services carrying u_p and uTK.

Slide 9: Key Approaches
WS-Security Implementation
Agora (VO, Community) Based Authorization
Runtime construct (Grip, Grid Process) for secured accessing the service

Slide 10: WS-Security Implementation
Handler chain mechanism
 Sign the SOAP message, add the cert (or proxy cert) and token
 Authenticate the caller's and the AA's identities
 Implement access control
GOS context
 A common system object storing the Agora id, cert or proxy cert (with key) and token in a structured manner

Slide 11: E2E Message Process Flow (diagram)

Slide 12: Client Request / Service Response (diagram of the SOAP message; the header carries the cert and the rest of the GOS context)

Slide 13: Agora Based Authorization
Separate authorization from authentication
 The Agora Authorization Authority can dynamically issue tokens according to trusted resource requests
 Flexible authentication at the service side according to handler configurations
Implement multi-grained resource access control
 A token can contain service operations or logical operations
 The service-side ACHandler implements access control integrated with the local security policy

Slide 14: Agora Internals (diagram)
Components shown, hosted on Tomcat+Axis: Agora Access Control Mechanism; Authorization Engine; Resource Mgmt. Client and User Mgmt. Client; User Authentication; Resource Authorization; Resource Mgmt. Interface and User Mgmt. Interface; Resource Mgmt. Service and User Mgmt. Service; RoleProxy, User Name, profile; ERes Mapping, VRes, PT; AAA Client; Authorization Authority Service; AC Policy Mgmt.; Agora Mgmt.

Slide 15: SAML based authorization token (annotated XML sample; the XML itself is not in the transcript)
Callouts on the sample: a FILE PATH to local storage; the user DN O=Grid,OU=GOSTEST,OU=grid.org.cn,OU=linux.ict.ac.cn,CN=usr1; an action "ping"; actions can be logical operations, such as "read" and "write", that are parsed by the service-side access control mechanism.
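The flow that slides 6, 10, 13 and 15 describe in prose, as an added example (not GOS code): an Agora Authorization Authority issues a SAML-like token naming a user DN, a resource and the granted actions; the client-side handler puts the GOS context (agora id, cert, token) into the SOAP header and signs the body; the service-side chain authenticates both signatures, then the ACHandler checks the requested operation against the token, expanding logical operations such as "read" through a local policy. Assumptions: HMAC over C14N-serialised XML stands in for the X.509/XML-DSig signatures, the gos-context namespace and element names, the LOCAL_POLICY mapping, the keys and the clock are all constructed; only the user DN and the eres:// name come from the slides.

```python
# Toy model of the VEGA GOS message security flow. Added example, not GOS code.
# HMAC over canonicalised XML stands in for X.509/XML-DSig so it runs on the stdlib.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
GOS_NS = "urn:example:gos-context"  # constructed namespace, not the project's
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("gos", GOS_NS)

USR1_DN = "O=Grid,OU=GOSTEST,OU=grid.org.cn,OU=linux.ict.ac.cn,CN=usr1"  # DN from slide 15
AA_KEY = b"constructed-agora-aa-key"             # stands in for the AA's signing cert
USER_KEYS = {USR1_DN: b"constructed-usr1-key"}   # stands in for each user's proxy cert key
DEMO_NOW = datetime(2005, 4, 11, tzinfo=timezone.utc)  # constructed clock
DEMO_LATER = DEMO_NOW + timedelta(hours=1)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Resource-side local policy (constructed): logical operations carried by a
# token map to the concrete service operations they cover.
LOCAL_POLICY = {"read": {"list", "get"}, "write": {"put", "delete"}}


class Denied(Exception):
    """Raised by a handler in the chain to reject the message."""


def _c14n(elem):
    # Canonical form of a subtree so signer and verifier hash identical bytes.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True)


def _mac(key, elem):
    return base64.b64encode(hmac.new(key, _c14n(elem).encode(), hashlib.sha256).digest()).decode()


def issue_token(user_dn, resource, actions, now, ttl=timedelta(minutes=10)):
    """Agora AA: grant `actions` on `resource` to `user_dn` until now + ttl."""
    tok = ET.Element("AuthzToken")
    assertion = ET.SubElement(tok, "Assertion", resource=resource,
                              notAfter=(now + ttl).strftime(TIME_FMT))
    ET.SubElement(assertion, "Subject").text = user_dn
    for action in actions:
        ET.SubElement(assertion, "Action").text = action
    ET.SubElement(tok, "Signature").text = _mac(AA_KEY, assertion)
    return tok


def build_request(agora_id, user_dn, token, operation, args):
    """Client-side handler: SOAP envelope with a GOS context header and a signed body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ctx = ET.SubElement(header, f"{{{GOS_NS}}}Context", agora=agora_id)
    ET.SubElement(ctx, f"{{{GOS_NS}}}Cert").text = user_dn  # the DN stands in for the proxy cert
    ctx.append(token)
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, operation)
    for arg in args:
        ET.SubElement(call, "arg").text = arg
    ET.SubElement(ctx, f"{{{GOS_NS}}}BodySignature").text = _mac(USER_KEYS[user_dn], body)
    return ET.tostring(env, encoding="unicode")


def authenticate(envelope_xml, now):
    """Service-side auth handler: verify the AA's token signature and the caller's body signature."""
    env = ET.fromstring(envelope_xml)
    ctx = env.find(f"{{{SOAP_NS}}}Header/{{{GOS_NS}}}Context")
    body = env.find(f"{{{SOAP_NS}}}Body")
    assertion = None if ctx is None else ctx.find("AuthzToken/Assertion")
    if assertion is None or body is None or len(body) == 0:
        raise Denied("missing GOS context, token or body")
    if not hmac.compare_digest(ctx.findtext("AuthzToken/Signature", ""), _mac(AA_KEY, assertion)):
        raise Denied("token signature invalid")
    if datetime.strptime(assertion.get("notAfter", ""), TIME_FMT).replace(tzinfo=timezone.utc) < now:
        raise Denied("token expired")
    dn = assertion.findtext("Subject")
    if ctx.findtext(f"{{{GOS_NS}}}Cert") != dn or dn not in USER_KEYS:
        raise Denied("caller cert does not match token subject")
    if not hmac.compare_digest(ctx.findtext(f"{{{GOS_NS}}}BodySignature", ""), _mac(USER_KEYS[dn], body)):
        raise Denied("body signature invalid")
    return dn, assertion, body


def authorize(assertion, resource, operation):
    """Service-side ACHandler: the token must name this resource and grant the operation."""
    if assertion.get("resource") != resource:
        raise Denied("token not issued for this resource")
    granted = {a.text for a in assertion.findall("Action")}
    allowed = granted | {op for g in granted for op in LOCAL_POLICY.get(g, ())}
    if operation not in allowed:
        raise Denied(f"operation {operation} not permitted by token")


def handle_request(envelope_xml, resource, now):
    """Service handler chain: authenticate, then access control, then dispatch."""
    try:
        dn, assertion, body = authenticate(envelope_xml, now)
        call = body[0]
        authorize(assertion, resource, call.tag)
        return {"status": "ok", "caller": dn, "operation": call.tag, "args": [a.text for a in call]}
    except Denied as exc:
        return {"status": "denied", "reason": str(exc)}


if __name__ == "__main__":
    token = issue_token(USR1_DN, "eres://agora1:MService", ["read"], DEMO_NOW)
    request = build_request("agora1", USR1_DN, token, "list", ["/"])
    print(handle_request(request, "eres://agora1:MService", DEMO_NOW))
```

The two signatures are checked in the order the slides imply: the AA's signature over the assertion first, so a token whose actions were edited in transit is rejected before any policy is consulted, then the caller's signature over the body, so the operation and arguments the ACHandler sees are the ones the caller signed. Because the assertion carries "read" as a logical operation, the resource-side mapping decides which concrete operations that grants, which is the multi-grained control of slide 13.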

Slide 16: Runtime construct (Grip, Grid Process) for secured accessing the service
Dynamically created at runtime
 Responds to user requests
 Simple interfaces (5 in total)
Keeps some information for reuse
 Loads and stores the proxy cert, user profile and service address
 Not destroyed until the grip is closed
Relays the user's invocation requests
 Extends the called service with an asynchronous interface
 Caches the returned result, such as batch job query status

Slide 17: Grip At Runtime (diagram)
Grip operations shown: create (uid/pass to the Agora Service: authentication; grip receives proxy and profile), bind (ERes name through the Network of Resource Routers: resource selection, resource authorization, resource locating; grip receives VRes name, Token, PT), invoke (Physical Service: service invocation, return, cache), ctrl (getResult), close.
Grip state accumulated across the steps: uCert_p, Profile, VRes, Token, PT, PRes, Ret.

Slide 18: Sample Code Using Grip

    ...
    // define the effective resource name
    String effective = "eres://agora1:MService";
    // create a GripClient object
    GripClient testgripclient = new GripClient();
    // create a grip with the user id, password and the name of the agora to log in to
    UserHandle griphandle = testgripclient.create("usr1", "usr1", "agora1");
    // bind the effective resource; the returned index identifies the binding
    int index = testgripclient.bind(effective, griphandle);
    // invoke the bound service by resource index, passing the parameters the
    // actual service requires (operation "list" with argument "/") and the
    // synchronization flag
    Object retvalue = testgripclient.invoke(index, "list", new Object[] {"/"},
                                            GripContainer.M_SYNCHRONIZED, griphandle);
    ...
    // process the return value here
    ...
    // close the grip, reclaiming the resources it used
    testgripclient.close(griphandle);
    ...

Slide 19: VEGA GOS v2 Hosting Environments (layered, bottom to top)
Intel or AMD based PC Server (Grid Server)
OS (Linux/Unix/Windows*)
J2SE (1.4.2_07), J2EE
Tomcat (5.0.28) + Axis (1.2 rc2)
Axis Handlers For Message Level Security
Core, System And App Level GOS v2 Services
Grid Portal Engine
Grid Portal and Grid Applications

Slide 20: VEGA GOS v2 Deployment (diagram)

Slide 21: Conclusion
WS-Security implementation integrated into VEGA GOS
 Header or attachment: which is the best place for the security info? (my opinion)
 Implementations differ; how can they be made interoperable?
Agora (VO, Community) Based Authorization
 Loosely coupled
 Multi-grained access control mechanism according to the info carried by the token
 Adapts to the resource provider side's security mechanism
Runtime construct (Grip, Grid Process) for secured accessing the service
 Simple and easy to use

Slide 22: VEGA GOS v2 Roadmap
Time Schedule
 2005.3, GOS v2 Alpha (prototype)
 2005.4, GOS v2 Beta (barely fixed)
 2005.5, GOS v2 release (includes sample application and full documents)

Slide 23: Contacts
GOS mailing list: gos@software.ict.ac.cn
CNGrid: http://www.grid.org.cn/
VEGA: http://vega.ict.ac.cn/
Thanks!

