DIRAC Framework
A. Casajus and R. Graciani (Universitat de Barcelona) on behalf of the LHCb DIRAC team

Distributed Secure Framework

Payload and proxies

DIRAC has to make sure the user payload runs under the user credential. DIRAC stores the user proxy and takes it to the resource where the user payload will run. All proxy management is done under a very strict security schema to minimize the damage that a stolen proxy may cause. The way DIRAC does it is the following:

1. A user uploads a proxy with the group embedded to the Proxy Manager and then submits a job to DIRAC.
2. In order to submit pilot jobs to the resources, the Pilot Director downloads a non-limited proxy using its own credential, and requests a proxy token. This token will have to be presented by the pilot job to be able to retrieve the real user proxy.
3. When the Job Agent matches a job to run in the resource, it downloads the payload proxy using its own credentials and token. Before the payload starts to run, the payload environment is changed so that the payload automatically sees only the user proxy.

Pilot proxies have a special DIRAC group embedded. They can only belong to a very restricted set of users. See [108] by R. Graciani et al. for more information about pilot jobs.

[Figure: payload and proxies flow. Labels: User, Proxy Manager, Proxy, Job Manager, Jobs DB, Pilot Director, Job, Pilot proxies, Proxy tokens, Resource, Pilot job, Job Agent, Payload proxy, Proxy token, User payload, Output; steps 1, 2 and 3 as in the list above.]

Proxy management

DIRAC has its own component for managing proxies. The Proxy Manager is a repository where users can upload their proxies. It is used later on by all DIRAC components that require a user proxy. All proxy movements through the network are done through delegation. The Proxy Manager can use other grid middleware proxy management components to enhance its functionality. For instance, it can use VOMS to add the required attributes to a proxy. DIRAC only keeps a short-lived user proxy in the system.

Typically a user's proxy lifetime is shorter than the time a user job stays in the system, and DIRAC needs to keep the proxy alive while the job is in the system. That requires DIRAC to extend the proxies in the system that are about to expire. The DIRAC Proxy Management system talks to the MyProxy service and requests new proxies for those about to expire when needed.

[Figure: proxy management. Labels: User, Proxy Manager, Short-lived proxy, Proxy repository, MyProxy, Long-lived proxy, DIRAC Component, User proxy, Extended proxy, VOMS, VOMS extensions.]

Permissions and proxies

Not all users are allowed to perform all actions. DIRAC implements an authorization schema to decide whether a given entity can execute an action. All actions have a set of valid properties. The requesting entity has to present at least one allowed property for that action. All users in DIRAC are assigned to a set of groups depending on their privileges, and each group has a set of properties. At any time a given user can only act using one of his/her groups. Users define under which group they want to act by embedding the group in their proxy. DIRAC provides this functionality when creating a new proxy. Because the group is signed directly by the user, the group cannot be changed (or added if it is not there) after the proxy has been created.

[Figure: authorization decision. A DIRAC Service receives the user proxy with the embedded DIRAC group and consults the Configuration Service (users info, groups definition, authorization rules): DN valid? -> User in group? -> Group has a valid property? YES to all three: EXECUTE; NO at any step: DENY.]

DIRAC Security Framework

All DIRAC components rely on a low level framework that provides the necessary basic functionality. This framework contains:
- DISET: DIRAC's secure communication protocol for RPC and file transfer.
- Configuration System: providing a redundant, distributed mechanism for configuration and service discovery.

All DIRAC connections are handled by DISET. DISET uses OpenSSL through a custom Python binding (derived from pyOpenSSL). This provides grid authentication and encryption, using X.509 certificates and grid proxies.

[Figure: security framework. Labels: Configuration Service (users info, groups definition, authorization rules), DIRAC Component with cache, DIRAC Client with DISET.]
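The group-and-property decision described under Permissions and proxies, written out as an added Python example (not DIRAC's own code): the DNs, group names, property names and the action-to-properties table are constructed sample data standing in for what the Configuration Service would hold.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample standing in for the Configuration Service content
# (users info, groups definition, authorization rules); not DIRAC's real data.
USERS: Dict[str, List[str]] = {                 # DN -> groups the user belongs to
    "/DC=example/CN=alice": ["lhcb_user", "lhcb_prod"],
    "/DC=example/CN=pilot-bot": ["lhcb_pilot"],  # the restricted pilot group
}
GROUPS: Dict[str, Set[str]] = {                 # group -> properties it grants
    "lhcb_user": {"NormalUser"},
    "lhcb_prod": {"NormalUser", "ProductionManagement"},
    "lhcb_pilot": {"GenericPilot", "LimitedDelegation"},
}
ACTIONS: Dict[str, Set[str]] = {                # action -> properties allowed to invoke it
    "JobManager/submitJob": {"NormalUser", "ProductionManagement"},
    "ProxyManager/getProxy": {"FullDelegation", "LimitedDelegation"},
}


@dataclass(frozen=True)
class ProxyIdentity:
    """What a DISET service sees after the handshake: the certificate subject DN
    and the DIRAC group the user embedded (and signed) in the proxy."""
    dn: str
    group: str


def authorize(identity: ProxyIdentity, action: str) -> Tuple[bool, str]:
    """Decision chain from the slide: DN valid? -> user in group? ->
    group has a valid property for the action? Any NO means DENY."""
    groups = USERS.get(identity.dn)
    if groups is None:
        return False, "DENY: DN not registered"
    # The group is fixed inside the signed proxy, so a user cannot act in a
    # group they were never assigned simply by claiming it here.
    if identity.group not in groups:
        return False, "DENY: user is not a member of the embedded group"
    matched = GROUPS.get(identity.group, set()) & ACTIONS.get(action, set())
    if not matched:
        return False, "DENY: group has no valid property for this action"
    return True, "EXECUTE (property " + sorted(matched)[0] + ")"


if __name__ == "__main__":
    for ident, act in [(ProxyIdentity("/DC=example/CN=alice", "lhcb_user"), "JobManager/submitJob"),
                       (ProxyIdentity("/DC=example/CN=alice", "lhcb_user"), "ProxyManager/getProxy"),
                       (ProxyIdentity("/DC=example/CN=pilot-bot", "lhcb_pilot"), "ProxyManager/getProxy")]:
        print(ident.dn, ident.group, act, "->", authorize(ident, act)[1])
```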