1 Presentation at SciDAC face-to-face January 2005 Ron A. Oldfield Sandia National Laboratories The Lightweight File System.

Presentation transcript:

1 Presentation at SciDAC face-to-face January 2005 Ron A. Oldfield Sandia National Laboratories The Lightweight File System

2 The Lightweight File System Project
Participants:
–SNL: Ward, Oldfield, Riesen, Lawry
–UNM: Maccabe, Arunagiri
Motivation
–Risk-mitigation for Red Storm PFS (Lustre)
–Vehicle for parallel I/O research
Design Goals
–Lightweight design: only critical I/O functionality (direct access to storage, security); special functionality implemented in I/O libraries (above LWFS)
–Scalable: expect clients with tens-to-hundreds of thousands of processes; the I/O system should not hinder scalability of the application
–Secure: authentication and authorization; fine-grained access controls with revocation
An experimental object-based storage system (funded by Sandia’s CS research foundation)

3 Key features of LWFS
Initial focus is on “secure storage architecture” (not a file system)
Policy vs mechanism
–Separate policy decisions from policy enforcement
–Metadata servers and storage servers cooperate for policy consistency
Access-control
–capability-based
–immediate revocation
–automatic refresh
–fine-grained operation control
Containers for related objects
–the unit for access control (no control for byte, object, or block access)
–Every object is in a container
–LWFS knows nothing about the structure of a container
–We have backwards pointers (not forwards)

4 What LWFS does not do
naming (e.g., metadata)
data synchronization
data consistency
caching
prefetching
quota enforcement
data distribution

5 Basic LWFS Architecture
Security model (Authentication and Authorization)
–Separation of policy from mechanism
–Scalable: no connection-based mechanisms (e.g., Kerberos)
–Capabilities for access control (well... not quite): not independently verifiable; similar to the NASD access credential
–Coarse-grained access control (containers)
Storage service
–object-based
–enforcement of access control policies

6 Security Assumptions and Requirements
We assume a trusted transport mechanism
–prevents replay attacks, man-in-the-middle attacks, and eavesdropping
–provides network integrity
–We do not need to provide encryption
Authentication
–Use existing mechanisms (e.g., Kerberos, GSS-API)
–Scalable (no connection-based schemes)
Authorization
–Coarse grained access controls (at the container level)
–Capabilities for scalability
–“Immediate” revocation of capabilities
Integrity
–Make sure users cannot modify capabilities
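Added illustration of the capability model on slides 3, 5 and 6 (this is example code written for this transcript, not LWFS code): an authorization service mints a container-level capability protected by an HMAC under a key shared only with the storage servers, so a client can neither modify it nor verify it independently; revocation is modelled by bumping a per-container generation number. The key, the policy table, the generation scheme and all function names are assumptions, not details from the slides.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. In the modelled design it is shared only between the
# authorization service and the storage servers; clients never see it.
SHARED_KEY = b"demo-key-shared-by-authz-and-storage"

# Hypothetical authorization-service state: which principal may perform which
# operations on which container, plus a per-container generation number that
# is bumped to revoke every capability issued under the old value.
POLICY = {("alice", 7): {"read", "write"}, ("bob", 7): {"read"}}
CONTAINER_GENERATION = {7: 1}


def _mac(body: dict) -> str:
    # Canonical encoding so the MAC covers every field unambiguously.
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, data, hashlib.sha256).hexdigest()


def issue_capability(principal: str, container: int, ops: set) -> Optional[dict]:
    """Authorization service: check policy, then mint a MAC-protected capability."""
    if not ops <= POLICY.get((principal, container), set()):
        return None
    body = {"container": container, "ops": sorted(ops),
            "generation": CONTAINER_GENERATION[container]}
    return {"body": body, "mac": _mac(body)}


def revoke_container(container: int) -> None:
    """Immediate revocation: bump the generation; outstanding capabilities stop verifying."""
    CONTAINER_GENERATION[container] += 1


def storage_check(cap: dict, container: int, op: str) -> bool:
    """Storage server: enforce the policy the capability carries.

    Verification needs SHARED_KEY, so a client can neither validate a capability
    on its own (not independently verifiable) nor alter it. The server is assumed
    to learn the current generation from the authorization service.
    """
    body = cap["body"]
    if not hmac.compare_digest(_mac(body), cap["mac"]):
        return False  # forged or tampered capability
    if body["generation"] != CONTAINER_GENERATION.get(container):
        return False  # revoked; the client must request a fresh capability
    return body["container"] == container and op in body["ops"]
```

Requesting a new capability after revocation stands in for the "automatic refresh" on slide 3.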

7 Understanding the Scalability Requirements
Prohibit ops with O(n) communications
Prohibit data structures of size O(n)
Limit ops with O(m) comms to rare events
The I/O system should not hinder scalability of the application

8 Motivating the “Open-Architecture” Model
Application-specific APIs
–MPI-IO
–HDF5, PnetCDF
–ChemIO, SalvoIO
Application control of policies
–Caching and prefetching
–Data distribution
–Synchronization
Applications should choose nearly all features of the I/O system
[Layer diagram: application; high-level I/O lib (access to datasets, app-specific APIs, caching, prefetching); low-level I/O lib (access to (parallel) files, reliability, data distribution, consistency, synchronization); LWFS (access to bytes (in objects), metadata management, security); shown alongside a traditional PFS for comparison]

9 Status
APIs defined
–Storage service
–Authentication and Authorization
–Naming service
–Transactions (Locks and Journals)
Prototype implementations
–Storage service
–Authorization service
–Naming service (in progress)

10 Current and Future Work
Vehicle for parallel I/O research
–Scalable metadata
–Application-specific I/O libs and file systems: data distribution, data consistency, caching, prefetching to match access patterns; mobile app/lib code (e.g., active disk)
–Lock-free synchronization schemes
–Lightweight database (using LWFS)
Framework for developing production-level parallel I/O systems