Specific security needs of Desktop Grids - EDGeS project (the EDGeS project receives Community research funding)


Slide 1 - Specific security needs of Desktop Grids
EDGeS project
Delegation for access to trusted resources

Etienne URBAH, LAL, Univ Paris-Sud, IN2P3/CNRS, Orsay, France, v1.2

Slide 2 - DG = Desktop Grid = Loose grid scavenging idle resources
Unit of Work = Application + Input Data
Roles and interactions shown in the diagram:
- Grid User: submits input data for an application to the Grid Server.
- Application Manager: certifies applications in the Application Repository of the Grid Server.
- Resource Owner (often a volunteer): owns the Computing Resource (often a desktop computer) and accepts or refuses an application on his resource.
- Computing Resource: requests a Unit of Work from the Grid Server, receives it, and sends back results.
- Grid Server with Application Repository: sends Units of Work to the Computing Resources that request them, receives the results and sends them back to the Grid User.
Currently, for BOINC, both roles of 'Application Manager' and 'Grid User' are fulfilled by 'BOINC Project Owners'.

Slide 3 - DG = Desktop Grid = Loose grid scavenging idle resources
- Computing and Storage Resources are owned by various Owners (it is often volunteer computing), but they are NOT managed and NOT authenticated.
- Grid Servers are authenticated by an X509 certificate.
- Users are authenticated by the Grid Servers, but NOT by the Computing and Storage Resources.
- Executables are certified by managers of the Grid Servers.
So:
- Resource Owners have to trust the Grid Servers,
- BOINC sends each Work Unit to several Resource Owners, because BOINC does NOT fully trust them.
Order of magnitude can be CPUs.
Starving Computing Resources pull Work Units from Grid Servers.
Examples: BOINC, XtremWeb, xGrid, OurGrid

Slide 4 - Presentation of the EDGeS project
New FP7 project started on 01/01/2008
- Integrate Service Grids and Desktop Grids
- Enable a very large number of computing resources (100K-1M processors)
- Attract new scientific communities
- Provide a Grid application development environment
- Provide application repository and bridges for the execution in the SG-DG system
Middleware shown around EDGeS (current and future): WLCG (CERN), gLite (EGEE), ARC (NorduGrid), Boinc (Berkeley), XtremWeb (INRIA/IN2P3), Xgrid (Apple), Unicore (DEISA), VDT (OSG)

Slide 5 - Presentation of the EDGeS project
Now, Interoperation:
- Ad-hoc bridges and interfaces between EGEE, BOINC and XtremWeb.
- A MoU between EDGeS and EGEE has been signed on 23 Sept 2008.
- XtremWeb users must have an X509 certificate, be registered in a VO and submit their Jobs with a VOMS proxy.
- BOINC Project Owners must have an X509 certificate, be registered in a VO and store a medium-term X509 proxy in a MyProxy server.
- All files must be transferred through the Input and Output sandboxes.
In the future:
- Interoperability using OGF standards, in order to bridge more Grids.
- Better support of grid file access (ByteIO, GridFTP).

Slide 6 - Bridge BOINC → EGEE (WU = Work Unit)
Components shown in the diagram:
- BOINC Server: the BOINC Project Owner submits Work Units (WU i+1, WU i+2, WU i+3) to it.
- EDGeS 3G bridge: BOINC jobwrapper client (simulating a large BOINC computing resource), 3G job-wrapper, Job Handler Interface, Queue Manager & Job DB, Grid Handler Interface.
- BOINC Handler: 1 for each (BOINC server, BOINC Project Owner, EGEE VO) triple.
- EGEE Plugin: 1 for each (BOINC Project Owner, EGEE VO) pair; submits Jobs (Job i+1, Job i+2) to the EGEE WMS.
- VOMS proxy Retriever: takes the DN of the X509 proxy from a config file, retrieves a short term X509 proxy from a MyProxy server trusting the EDGeS 3G bridge (where the Project Owner stored a medium term X509 proxy), and gets VOMS extensions from the VOMS Server.

Slide 7 - Bridge BOINC → EGEE
Solution = Inside EDGeS bridge, marshalling of the BOINC Work Units into Job collections
- For each (BOINC server, BOINC Project Owner, EGEE VO) triple, a separate Job Handler collects the BOINC Work Units and places them in a queue.
- For each (BOINC Project Owner, EGEE VO) pair, a separate EGEE plugin:
  - Retrieves a short term X509 Proxy for the BOINC Project Owner from a MyProxy server, and VOMS extensions from a VOMS server,
  - Periodically processes new Work Units found in the queue: it converts each Work Unit into an EGEE Job and, in order to reduce the usage of the EGEE WMS, it uses the Collection possibilities of EGEE to submit many Jobs in one request described using JDL.

Slide 8 - Bridge XtremWeb → EGEE
Flow shown in the diagram:
- The XtremWeb User, holding an X509 proxy with VOMS extensions obtained from the VOMS Server, submits the User Job with the VOMS proxy to the XtremWeb Server, which sends back Job Status and Results.
- The XtremWeb Bridge requests User Jobs from the XtremWeb Server, receives them with their VOMS proxy, manages the User Job status, and submits a mono-user Pilot Job with the VOMS proxy to the gLite WMS, which gives back the Pilot Job Status.
- The gLite WMS pushes the Pilot Job to a Computing Element.
- The mono-user Pilot Job requests only 1 User Job from the XtremWeb Server, receives 1 User Job with the same VOMS proxy, executes it, gives the Pilot Job Status, and sends back the results directly to the XtremWeb Server.

Slide 9 - Bridge XtremWeb → EGEE
Solution = XtremWeb bridge: Gliding with a mono-user Pilot Job
1. An XtremWeb User submits to the XtremWeb server his User Job with a VOMS proxy.
2. At the request of the XtremWeb bridge, the XtremWeb server sends it the User Job with the VOMS proxy.
3. The XtremWeb bridge submits to a gLite WMS a mono-user Pilot Job with this VOMS proxy (job description in a JDL).
4. The gLite WMS pushes the Pilot Job to a Computing Element, which executes it.
5. The mono-user Pilot Job requests 1 User Job from the XtremWeb server, and stops itself if it receives none.
6. The XtremWeb server verifies that the requested User Job has a VOMS proxy, and sends the User Job and the VOMS proxy to the Pilot Job.
7. The Pilot Job verifies that the received VOMS proxy is the same as its own VOMS proxy, and executes the User Job.
8. At the end of the User Job, the Pilot Job sends the Job results directly to the XtremWeb server, then stops itself.
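The gliding sequence above (steps 5 to 8) as an added Python simulation; this is not code from the slides or from the XtremWeb project. The server model, the proxy fields, the DNs and the FQANs are constructed assumptions; the point shown is that the pilot executes exactly one job and refuses it when the job's VOMS proxy is not its own.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class VomsProxy:
    """Constructed model of a VOMS proxy: only the fields the pilot compares."""
    identity: str            # DN of the end-entity certificate behind the proxy chain
    vo: str                  # VO named in the VOMS attribute certificate
    fqans: Tuple[str, ...]   # VOMS FQANs (assumed sample values below)

@dataclass
class UserJob:
    job_id: str
    executable: str
    proxy: Optional[VomsProxy]   # None models a job submitted without a VOMS proxy
    status: str = "PENDING"

class XtremWebServer:
    """Constructed stand-in for the XtremWeb server (steps 6 and 8): hands out one
    pending job per request, and only jobs that carry a VOMS proxy."""
    def __init__(self, jobs: List[UserJob]):
        self.jobs = jobs
        self.results = {}

    def request_user_job(self) -> Optional[UserJob]:
        for job in self.jobs:
            if job.status == "PENDING" and job.proxy is not None:
                job.status = "RUNNING"
                return job
        return None

    def receive_results(self, job_id: str, output: str) -> None:
        self.results[job_id] = output
        for job in self.jobs:
            if job.job_id == job_id:
                job.status = "DONE"

def mono_user_pilot(own_proxy: VomsProxy, server: XtremWebServer,
                    run: Callable[[str], str]) -> str:
    """Steps 5 to 8: pull exactly one User Job, execute it only if it was delegated
    under the pilot's own VOMS proxy, send the results directly, then stop."""
    job = server.request_user_job()
    if job is None:
        return "STOPPED_NO_JOB"                 # step 5: nothing to do, stop
    if job.proxy != own_proxy:
        # Step 7 check failed: this worker would run a job under another user's identity.
        job.status = "REFUSED"
        return "STOPPED_PROXY_MISMATCH"
    server.receive_results(job.job_id, run(job.executable))   # step 8
    return "DONE"

# Constructed sample identities (assumed DNs and FQANs).
ALICE = VomsProxy("/C=FR/O=CNRS/OU=LAL/CN=Alice", "edges", ("/edges/Role=NULL/Capability=NULL",))
BOB = VomsProxy("/C=FR/O=CNRS/OU=LAL/CN=Bob", "edges", ("/edges/Role=NULL/Capability=NULL",))

def run_scenarios() -> Tuple[str, str, str]:
    fake_exec = lambda exe: "output of " + exe
    # A job without a proxy is skipped by the server; Alice's job runs on Alice's pilot.
    ok = XtremWebServer([UserJob("j1", "no_proxy.sh", None), UserJob("j2", "sim.sh", ALICE)])
    # Only Bob's job is pending: Alice's pilot must refuse it instead of running it.
    mismatch = XtremWebServer([UserJob("j3", "sim.sh", BOB)])
    empty = XtremWebServer([])
    return (mono_user_pilot(ALICE, ok, fake_exec),
            mono_user_pilot(ALICE, mismatch, fake_exec),
            mono_user_pilot(ALICE, empty, fake_exec))
```

Calling run_scenarios() returns ('DONE', 'STOPPED_PROXY_MISMATCH', 'STOPPED_NO_JOB').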

Slide 10 - Bridge EGEE → Desktop Grids
Components shown in the diagram:
- EGEE User: gets a VOMS proxy from the EGEE VOMS, submits the Job to the gLite WMS, gets the output.
- gLite WMS: pushes the job to the EGEE LCG-CE for EDGeS; events are logged to the EGEE LB.
- EGEE LCG-CE for EDGeS: an Information provider reports resources and performance to the EGEE BDII; a GRAM Job Manager for EDGeS checks the EXE against the EDGeS Application Repository, adds the job to the EDGeS 3G bridge, watches it, logs events and sends the output back.
- EDGeS 3G bridge: Queue Manager & Job DB, Generic Job WS Handler, and a Desktop Grid plugin which adds the job to the Desktop Grid and watches it; the EXE is fetched from the EDGeS Application Repository.

Slide 11 - Bridges EGEE → BOINC & XtremWeb
Solution = Installation of a LCG-CE sending the EGEE Jobs to the EDGeS bridge, which marshals them into Desktop Grid Jobs
- Information Provider publishes information to the BDII according to GLUE 1.3
- Customized GRAM Job Manager (EGEE producer):
  - Gets job information from the wrapper
  - Checks if the exe is validated in the EDGeS application repository (GEMLCA)
  - Checks if the exe is supported by the attached BOINC
  - Gets files from the WMS
  - Adds the job to the 3G bridge job Database
  - Polls the status of jobs in the 3G bridge job Database
  - Gets results from the 3G bridge and uploads them to Logging & Bookkeeping
- EDGeS 3G bridge:
  - Manages jobs in the 3G bridge database
  - On events, updates entries in the 3G bridge database
  - Desktop Grid plugins: the BOINC plugin uses DC-API to generate BOINC Work Units; the XtremWeb plugin generates XtremWeb Jobs

Slide 12 - Delegation for access to trusted resources
Jobs having to access trusted Resources require delegation (through X509 proxies or SAML assertions).
Is it possible to provide delegation to untrusted Computing Resources of Desktop Grids?

Slide 13 - Delegation - Current situation: NO restriction → Full impersonation
- Acceptable only with trusted computing resources
- NOT acceptable with untrusted (DG) computing resources
Two flows shown, both with an X509 proxy without restrictions at every step:
- Grid User submits Job to EGEE Computing Element, which submits Job to a Trusted Worker Node, which makes trusted data access to a Trusted Storage Resource: full impersonation.
- Grid User submits Job to EGEE Computing Element, which submits Job to an Untrusted Worker Node, which makes untrusted data access to a Trusted Storage Resource: full impersonation.

Slide 14 - Delegation - Current situation: NO restriction → Full impersonation
By now, WITHOUT restrictions on delegation, X509 proxies permit full impersonation. Therefore, when sending jobs, it is acceptable to send along such X509 proxies:
- only to TRUSTED computing resources (for example Worker Nodes of local or EGEE clusters), because the storage resources must trust that the computing resource will only access the data described in the job,
- but NOT to UNTRUSTED computing resources (for example from a public Desktop Grid), because they could then have access to all user data.

Slide 15 - Delegation - Under development: X509 Proxies with Restrictions
- Improved security with trusted computing resources
- Could also be acceptable with untrusted computing resources
Two flows shown, both with an X509 proxy with restrictions at every step:
- Grid User submits Job to EGEE Computing Element, which submits Job to a Trusted Worker Node, which makes trusted data access to a Trusted Storage Resource: restricted impersonation.
- Grid User submits Job to EGEE Computing Element, which submits Job to an Untrusted Worker Node, which makes trusted data access to a Trusted Storage Resource: restricted impersonation.

Slide 16 - Delegation - Under development: X509 Proxies with Restrictions
When sending jobs, it could be acceptable to send X509 proxies containing restriction attributes about data access to UNTRUSTED computing resources (for example from a public Desktop Grid), because:
- In order to get access to data, computing resources have to present to storage resources the full X509 proxy, INCLUDING ALL restriction attributes.
- Storage resources are then able to refuse data access if restriction attributes forbid it.
- Data that the jobs have to read are easily protected against corruption or deletion by using restriction attributes setting those data as read-only.
- Malicious computing resources can always corrupt data on which they have write access, but they can already write false data in the Output Sandbox of jobs anyway.
If these restriction attributes are really implemented, enforced and considered secure enough, this would permit computing resources of Desktop Grids to access storage resources of EGEE Storage Elements (using SRM, GridFTP, …), with a great impact on EDGeS JRA3.
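The storage-side decision the slide relies on, as an added Python model that is not part of the slides or of any EGEE component: a proxy chain where each delegation level either carries no restriction attribute (full impersonation at that level) or a set of path-based read/write restrictions, and a storage resource that grants access only if the identity's own ACL and every level of the chain permit it. The restriction format, the ACL table, the DNs and the paths are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

READ, WRITE = "read", "write"

@dataclass(frozen=True)
class Restriction:
    """One constructed restriction attribute: operations allowed under a path prefix."""
    path_prefix: str
    ops: FrozenSet[str]

@dataclass(frozen=True)
class Proxy:
    """Constructed model of an X509 proxy chain. Each delegation level carries either
    None (no restriction attribute: full impersonation at that level) or a tuple of
    Restriction attributes. The verifier sees the whole chain, so every level counts."""
    user_dn: str
    levels: Tuple[Optional[Tuple[Restriction, ...]], ...] = (None,)

    def delegate(self, restrictions: Optional[Tuple[Restriction, ...]]) -> "Proxy":
        """Delegate one step further: a new level can add restrictions, never drop earlier ones."""
        return Proxy(self.user_dn, self.levels + (restrictions,))

# Constructed storage ACL: what each identity may do on this storage resource at all.
STORAGE_ACL: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "/C=FR/O=CNRS/OU=LAL/CN=Alice": ("/grid/alice/", frozenset({READ, WRITE})),
    "/C=FR/O=CNRS/OU=LAL/CN=Bob":   ("/grid/bob/",   frozenset({READ, WRITE})),
}

def level_permits(restrictions: Optional[Tuple[Restriction, ...]], path: str, op: str) -> bool:
    if restrictions is None:
        return True        # no restriction attribute at this level: inherits the full right
    return any(path.startswith(r.path_prefix) and op in r.ops for r in restrictions)

def authorize(proxy: Proxy, path: str, op: str) -> bool:
    """Decision a storage resource takes when a computing resource presents `proxy`."""
    acl = STORAGE_ACL.get(proxy.user_dn)
    if acl is None or not path.startswith(acl[0]) or op not in acl[1]:
        return False       # the delegating identity itself has no such right here
    # Every delegation level must permit the access: restrictions only ever narrow.
    return all(level_permits(lvl, path, op) for lvl in proxy.levels)

def job_proxy_for_untrusted_worker(user_proxy: Proxy, input_prefix: str,
                                   output_prefix: str) -> Proxy:
    """The restriction set the slide argues for: job input read-only, own output writable."""
    return user_proxy.delegate((
        Restriction(input_prefix, frozenset({READ})),
        Restriction(output_prefix, frozenset({READ, WRITE})),
    ))
```

With an unrestricted chain authorize() returns True for anything Alice may do (full impersonation); with the job proxy a worker can read the input but not overwrite it, and cannot reach Alice's other data at all.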

Slide 17 - Delegation - Access to untrusted Storage Resources of Desktop Grids
Could access of trusted Computing Resources to untrusted Storage Resources of Desktop Grids be acceptable? EDGeS is studying the issue. We can get advice from you and Jesus LUNA.
Flow shown: Grid User submits Job (with X509 proxy) to EGEE Computing Element, which submits Job (with X509 proxy) to a Trusted Worker Node, which makes untrusted data access to an Untrusted Storage Resource with NO X509 proxy.