Infrastructure Systems: The Globus Toolkit. BRIITE Meeting, 2-4 Nov 2005, Salk Institute, La Jolla, CA. Frank Siebenlist (Globus Alliance).

Presentation transcript:

Slide 1: Infrastructure Systems: The Globus Toolkit. BRIITE Meeting, 2-4 Nov 2005, Salk Institute, La Jolla, CA. Frank Siebenlist (Globus Alliance / Argonne National Laboratory / University of Chicago).

Slide 2: Outline
- Globus Alliance
- Grids
- Globus Toolkit Introduction
- Virtual Organizations
- GT's BIG Security Issue
- Questions & Discussion

Slide 3: The Globus Alliance: Making Grid computing a reality
- Close collaboration with real Grid projects in science and industry
- Development and promotion of standard Grid protocols (e.g. OGSA) to enable interoperability and shared infrastructure
- Development and promotion of standard Grid software APIs and SDKs to enable portability and code sharing
- The Globus Toolkit®: open source, reference software base for building Grid infrastructure and applications
- Global Grid Forum: development of standard protocols and APIs for Grid computing

Slide 4: How Globus Works
- Globus is a distributed open source community with many contributors & users
  - CVS, documentation, bugzilla, lists
  - Modular structure allows many to contribute
- Globus Alliance Board provides governance when needed
  - Meritocracy: individuals who demonstrate ongoing contributions & commitment
  - Primarily: what to include, when to release
- Globus Alliance is an informal partnership of organizations led by Board members

Slide 5: (figure only; no text recovered)

Slide 6: The Application-Infrastructure Gap (figure: dynamic and/or distributed applications A, 1, B above a shared distributed infrastructure)

Slide 7: Bridging the Gap: Grid Infrastructure (figure labels: Provisioning; Application Service; Users; Workflows; Composition; Invocation)
- Service-oriented Grid infrastructure
  - Provision physical resources to support application workloads
- Service-oriented applications
  - Wrap applications as services
  - Compose applications into workflows

Slide 8: Globus is Grid Infrastructure
- Software for Grid infrastructure
  - Service-enable new & existing resources
  - E.g., GRAM on computer, GridFTP on storage system, custom application service
  - Uniform abstractions & mechanisms
- Tools to build applications that exploit Grid infrastructure
  - Registries, security, data management, ...
- Open source & open standards
  - Each empowers the other
- Enabler of a rich tool & service ecosystem

Slide 9: Globus as Service-Oriented Infrastructure (figure: uniform interfaces, security mechanisms, Web service transport and monitoring across computers (GRAM), storage (GridFTP), specialized resources and databases (DAIS); user applications and user services in hosting environments; tools such as Reliable File Transfer, MyProxy and MDS-Index)

Slide 10: A Typical eScience Use of Globus: Network for Earthquake Eng. Simulation (figure): links instruments, data, computers, people

Slide 11: LHC Data Distribution (figure: tiered distribution from the CERN Computer Centre (Tier 0) through regional centres (Tier 1: FermiLab ~4 TIPS, France, Italy, Germany), Tier 2 centres (~1 TIPS each, e.g. Caltech) and institutes (~0.25 TIPS) to physicist workstations (Tier 4); link rates ~100 MBytes/sec, ~622 Mbits/sec and ~1 MBytes/sec; online system feeding an offline processor farm of ~20 TIPS; physics data cache at ~PBytes/sec; one link annotated "~622 Mbits/sec or Air Freight (deprecated)")
Notes on the figure:
- 1 TIPS is approximately 25,000 SpecInt95 equivalents
- There is a bunch crossing every 25 nsecs; there are 100 triggers per second; each triggered event is ~1 MByte in size
- Physicists work on analysis channels; each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server

Slide 12: Global Community (figure only)

Slide 13: Globus Toolkit
- Core Web services
  - Infrastructure for building new services
- Security
  - Apply uniform policy across distinct systems
- Execution management
  - Provision, deploy, & manage services
- Data management
  - Discover, transfer, & access large data
- Monitoring
  - Discover & monitor dynamic services

Slide 14: WSRF & WS-Notification
- Naming and bindings (basis for virtualization)
  - Every resource can be uniquely referenced, and has one or more associated services for interacting with it
- Lifecycle (basis for fault-resilient state management)
  - Resources created by services following the factory pattern
  - Resources destroyed immediately or scheduled
- Information model (basis for monitoring & discovery)
  - Resource properties associated with resources
  - Operations for querying and setting this info
  - Asynchronous notification of changes to properties
- Service Groups (basis for registries & collective svcs)
  - Group membership rules & membership management
- Base Fault type

Slide 15: Globus Toolkit version 4 (GT4) component map (figure; rows: Web Services Components, Non-WS Components; shading: Core, Contrib/Preview, Deprecated). Components grouped by column:
- Security: Pre-WS Authentication Authorization; Authentication Authorization; Community Authorization; Credential Mgmt; Delegation
- Data Mgmt: GridFTP; Reliable File Transfer; Data Access & Integration; Replica Location; Data Replication
- Execution Mgmt: Pre-WS Grid Resource Alloc. & Mgmt; Grid Resource Allocation & Management; Community Scheduling Framework; Workspace Management; Grid Telecontrol Protocol
- Info Services: Pre-WS Monitoring & Discovery; Index; Trigger; WebMDS
- Common Runtime: C Common Libraries; Java WS Core; eXtensible IO (XIO); C WS Core; Python WS Core

Slide 16: GT4 Components (figure). Server side: Java services in Apache Axis plus GT libraries and handlers (Your Java Service, RFT, GRAM, Delegation, Index, Trigger, Archiver); Python hosting with GT libraries (Your Python Service, pyGlobus WS Core); C services using GT libraries and handlers (Your C Service, C WS Core, RLS, Pre-WS MDS, CAS, Pre-WS GRAM, SimpleCA, MyProxy, OGSA-DAI, GTCP, GridFTP). Client side: Your Java / C / Python Client. Interoperable WS-I-compliant SOAP messaging; X.509 credentials = common authentication.

Slide 17: Our Goals for GT4
- Usability, reliability, scalability, ...
  - Web service components have quality equal or superior to pre-WS components
  - Documentation at acceptable quality level
- Consistency with latest standards (WS-*, WSRF, WS-N, etc.) and Apache platform
  - WS-I Basic Profile compliant
  - WS-I Basic Security Profile compliant
- New components, platforms, languages
  - And links to larger Globus ecosystem

Slide 18: GT4 Common Runtime (figure: the GT4 component map with the Common Runtime column highlighted: C Common Libraries, Java WS Core, eXtensible IO (XIO), C WS Core, Python WS Core)

Slide 19: GT4 Web Services Core (figure: layers from the bottom up: WSDL, SOAP, WS-Security; WS-Addressing, WSRF, WS-Notification; GT4 WSRF Web Services and Custom WSRF Web Services / Custom Web Services; User Applications on top; all inside a GT4 Container with Registry and Administration)

Slide 20: GT4 Web Services Core
- Supports both GT (GRAM, RFT, Delegation, etc.) & user-developed services
- Redesign to enhance scalability, modularity, performance, usability
- Leverages existing WS standards
  - WS-I Basic Profile: WSDL, SOAP, etc.
  - WS-Security, WS-Addressing
- Adds support for emerging WS standards
  - WS-Resource Framework, WS-Notification
- Java, Python, & C hosting environments
  - Java is standard Apache

Slide 21: WSRF & WS-Notification (same bullets as slide 14)

Slide 22: GT4 Security (figure: the GT4 component map with the Security column highlighted: Pre-WS Authentication Authorization, Authentication Authorization, Community Authorization, Credential Mgmt, Delegation)

Slide 23: Globus Security
- Control access to shared services
  - Address autonomous management, e.g., different policy in different work-groups
- Support multi-user collaborations
  - Federate through mutually trusted services
  - Local policy authorities rule
- Allow users and application communities to set up dynamic trust domains
  - Personal/VO collection of resources working together based on trust of user/VO

Slide 24: GT4 Security
- Public-key-based authentication
- Extensible authorization framework based on Web services standards
  - SAML-based authorization callout, as specified in the GGF OGSA-Authz WG
  - Integrated policy decision engine: XACML policy language, per-operation policies, pluggable
- Credential management service
  - MyProxy (one-time password support)
- Community Authorization Service
- Standalone Delegation Service

Slide 25: GT4's Use of Security Standards (table; only the three cell annotations survive: "Supported, but slow"; "Supported, but insecure"; "Fastest, so default")

Slide 26: GT-XACML Integration
- eXtensible Access Control Markup Language
  - OASIS standard, open source implementations
- XACML: sophisticated policy language
- Globus Toolkit ships with XACML runtime
  - Included in every client and server built on GT
  - Turned on through configuration
- ... that can be called transparently from runtime and/or explicitly from application ...
- ... and we use the XACML model for our Authz Processing Framework

Slide 27: Other Security Services Include ...
- MyProxy
  - Simplified credential management
  - Web portal integration
  - Single-sign-on support
- KCA & kx.509
  - Bridging into/out of Kerberos domains
- SimpleCA
  - Online credential generation
- PERMIS
  - Authorization service callout

Slide 28: GT4 Data Management (figure: the GT4 component map with the Data Mgmt column highlighted: GridFTP, Reliable File Transfer, Data Access & Integration, Replica Location, Data Replication)

Slide 29: GT4 Data Management
- Stage/move large data to/from nodes
  - GridFTP, Reliable File Transfer (RFT)
  - Alone, and integrated with GRAM
- Locate data of interest
  - Replica Location Service (RLS)
- Replicate data for performance/reliability
  - Distributed Replication Service (DRS)
- Provide access to diverse data sources
  - File systems, parallel file systems, hierarchical storage: GridFTP
  - Databases: OGSA-DAI

Slide 30: GridFTP in GT4
- 100% Globus code
  - No licensing issues
  - Stable, extensible
- IPv6 support
- XIO for different transports
- Striping: multi-Gb/sec wide area transport
  - 27 Gbit/s on 30 Gbit/s link (disk-to-disk on TeraGrid)
- Pluggable
  - Front-end: e.g., future WS control channel
  - Back-end: e.g., HPSS, cluster file systems
  - Transfer: e.g., UDP, NetBLT transport

Slide 31: Reliable File Transfer: Third Party Transfer (figure: an RFT Client exchanges SOAP messages and optional notifications with the RFT Service, which controls two GridFTP Servers; each server has a protocol interpreter, master DSI, IPC link and IPC receiver, slave DSI and data channel, and the data channel runs directly between the two servers)
- Fire-and-forget transfer
- Web services interface
- Many files & directories
- Integrated failure recovery
- Has transferred 900K files

Slide 32: Replica Location Service
- Identify location of files via logical-to-physical name map
- Distributed indexing of names, fault-tolerant update protocols
- GT4 version scalable & stable
- Managing ~40 million files across ~10 sites
(Table, values not recoverable: for local DB sizes of 10K, 1 M and 5 M entries, the time to send a full index update (secs) versus a Bloom filter update (secs), and the Bloom filter size (bits).)
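The table on this slide compares shipping a full catalog update with shipping a Bloom filter summary of the local replica catalog. The following added example is not Globus RLS code; it builds such a summary from constructed logical file names (LFNs), sizes it from the standard false-positive formula, and shows how an index would use the summaries to decide which sites to ask for a name: members are never missed, and a non-member is reported at most with the configured false-positive probability.

```python
"""Bloom filter summary of a site's logical file names (LFNs) for a replica
index. Constructed example, not Globus RLS code; LFNs and sizing are assumed."""
import hashlib
import math


class BloomFilter:
    """Fixed-size bit array probed by k positions derived from SHA-256."""

    def __init__(self, n_bits: int, n_hashes: int):
        if n_bits <= 0 or n_hashes <= 0:
            raise ValueError("n_bits and n_hashes must be positive")
        self.n_bits = n_bits
        self.n_hashes = n_hashes
        self.bits = bytearray((n_bits + 7) // 8)

    @staticmethod
    def sized_for(expected_items: int, false_positive_rate: float) -> "BloomFilter":
        """m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hash functions."""
        m = math.ceil(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2))
        k = max(1, round(m / expected_items * math.log(2)))
        return BloomFilter(m, k)

    def _positions(self, key: str):
        # Double hashing: position_i = h1 + i * h2 (mod m), h2 forced odd.
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        for i in range(self.n_hashes):
            yield (h1 + i * h2) % self.n_bits

    def add(self, key: str) -> None:
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, key: str) -> bool:
        # All k bits set: "possibly present"; any bit clear: "definitely absent".
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(key))

    def size_bytes(self) -> int:
        return len(self.bits)


def summarize_site(lfns, false_positive_rate=0.01) -> BloomFilter:
    """What a local replica catalog would push to the index instead of every name."""
    bf = BloomFilter.sized_for(max(1, len(lfns)), false_positive_rate)
    for lfn in lfns:
        bf.add(lfn)
    return bf


def sites_to_query(lfn, site_filters):
    """Index-side lookup: the sites that may hold `lfn` (no false negatives)."""
    return [site for site, bf in site_filters.items() if lfn in bf]


if __name__ == "__main__":
    # Constructed LFNs standing in for a site's catalog.
    site_a = [f"lfn://ligo/H1/frame-{i:05d}.gwf" for i in range(100)]
    site_b = [f"lfn://ligo/L1/frame-{i:05d}.gwf" for i in range(50)]
    filters = {"site-a": summarize_site(site_a, 1e-6), "site-b": summarize_site(site_b, 1e-6)}
    print("summary bytes:", {s: f.size_bytes() for s, f in filters.items()})
    print("full-name bytes for site-a:", sum(len(l) for l in site_a))
    print("ask for frame-00003 at:", sites_to_query(site_a[3], filters))
```

The trade-off the slide's table measures is visible in the sizes printed: the summary is a few hundred bytes for a catalog whose names alone are kilobytes, and the false-positive rate is a tuning knob, with a miss on a site costing only one wasted query.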

Slide 33: Reliable Wide Area Data Replication: LIGO Gravitational Wave Observatory (figure with sites including Cardiff, AEI/Golm and Birmingham): replicating >1 Terabyte/day to 8 sites; >30 million replicas so far; MTBF = 1 month

Slide 34: GT4 Execution Management (figure: the GT4 component map with the Execution Mgmt column highlighted: Pre-WS Grid Resource Alloc. & Mgmt, Grid Resource Allocation & Management, Community Scheduling Framework, Workspace Management, Grid Telecontrol Protocol)

Slide 35: Execution Management (GRAM)
- Common WS interface to schedulers
  - Unix, Condor, LSF, PBS, SGE, ...
- More generally: interface for process execution management
  - Lay down execution environment
  - Stage data
  - Monitor & manage lifecycle
  - Kill it, clean up
- A basis for application-driven provisioning

Slide 36: GT4 WS GRAM
- 2nd-generation WS implementation optimized for performance, flexibility, stability, scalability
- Streamlined critical path
  - Use only what you need
- Flexible credential management
  - Credential cache & delegation service
- GridFTP & RFT used for data operations
  - Data staging & streaming output

Slide 37: GT4 WS GRAM Architecture (figure: the client delegates credentials to, and invokes job functions on, the GRAM services in a GT4 Java Container that also hosts Delegation and RFT; GRAM uses sudo and a GRAM adapter for local job control of the user job on the compute element, receives job events from the SEG, and issues file transfer requests to RFT, which drives GridFTP (FTP control and data channels) between the compute element and remote storage element(s))

Slide 38: GT4 Information Services (figure: the GT4 component map with the Info Services column highlighted: Pre-WS Monitoring & Discovery, Index, Trigger, WebMDS)

Slide 39: Monitoring and Discovery
- Every service should be monitorable and discoverable using common mechanisms
  - WSRF/WSN provides those mechanisms
- A common aggregator framework for collecting information from services, thus:
  - MDS-Index: XPath queries, with caching
  - MDS-Trigger: perform action on condition
  - (MDS-Archiver: XPath on historical data)
- Deep integration with Globus containers & services: every GT4 service is discoverable
  - GRAM, RFT, GridFTP, CAS, ...

Slide 40: GT4 Monitoring & Discovery (figure: GRAM, RFT and other services register automatically with the MDS-Index of their GT4 container via WS-ServiceGroup; indexes register with each other; non-WSRF entities such as GridFTP are reached through an adapter using custom protocols; clients (e.g., WebMDS) use registration & WSRF/WSN access)

Slide 41: GT4 Documentation is Extensive!

Slide 42: Working with GT4
- Download and use the software, and provide feedback
  - Join mail list
- Review, critique, add to documentation
  - Globus Doc Project:
- Tell us about your GT4-related tool, service, or application

Slide 43: Hype curve (figure: success/maturity/acceptance over time for DCE, CORBA, Web Services, and Globus + OGSA + WSRF + Web Services, plotted against the "Silver Bullet" hype curve). OGSA: Open Grid Services Architecture; WSRF: Web Services Resource Framework

Slide 44: Outline (same items as slide 2)

Slide 45: Objective: Enable Cross-Organizational Collaboration (figure)

Slide 46: Security of Grid Brokering Services
- It is expected that brokers will handle resource coordination for users
- Each organization enforces its own access policy
- User needs to delegate rights to the broker, which may need to delegate to services
- QoS/QoP negotiation and multi-level delegation

Slide 47: Security Objective: Forceful Enforcement (?) (figure)

Slide 48: Security Services Objectives
- It's all about policy
  - (Virtual) organization's security policy
  - Security services facilitate the enforcement
- Security policy to facilitate business objectives
  - Related to higher-level agreement
- Security policy is often a delicate balance
  - More security => higher costs
  - Less security => higher exposure to loss
  - Risk versus rewards
  - Legislation sometimes mandates minimum security

Slide 49: Security: Risk versus Reward (figure)

Slide 50: (figure) A (business) agreement covers price, cost, obligations, QoS, T&Cs, ... and security. From it derive a static initial VO security policy (trust anchors, initial members, initial resources, roles, access rules, privacy rules) and a dynamic VO security policy (members, resources, roles, attribute mgmt, authz mgmt).

Slide 51: Virtual Organization (VO) Concept
- VO for each application/workload/collaboration
- Carve out and configure resources for a particular use and set of users

Slide 52: Effective Policy Governing Access Within A Collaboration (figure)

Slide 53: Why Grid Security is Hard... (1)
- Resources being used may be valuable & the problems being solved sensitive
  - Both users and resources need policy enforcement
- Dynamic formation and management of Virtual Organizations (VOs)
  - Large, dynamic, unpredictable...
- VO resources and users are often located in distinct administrative domains
  - Can't assume cross-organizational trust agreements
  - Different mechanisms & credentials: X.509 vs Kerberos, SSL vs GSSAPI, X.509 vs. X.509 (different domains), X.509 attribute certs vs SAML assertions

Slide 54: Why Grid Security is Hard... (2)
- Interactions are not just client/server, but service-to-service on behalf of the user
  - Requires delegation of rights by user to service
  - Services may be dynamically instantiated
- Standardization of interfaces to allow for discovery, negotiation and use of resources/services
- Implementation must be broadly available & applicable
  - Standard, well-tested, well-understood protocols; integrated with a wide variety of tools
- Policy from sites, VO, users needs to be combined
  - Varying formats
- Want to hide as much as possible from applications!

Slide 55: The Grid Trust solution
- Instead of setting up trust relationships at the organizational level (lots of overhead, possible legalities - expensive!) => set up trust at the user/resource level
- Virtual Organizations (VOs) for multi-user collaborations
  - Federate through mutually trusted services
  - Local policy authorities rule
- Users able to set up dynamic trust domains
  - Personal collection of resources working together based on trust of user

Slide 56: GT4 Security (figure: VO users obtain credentials via MyProxy or KCA; rights flow from the VO identity or attribute authority (CAS or VOMS issuing SAML or X.509 ACs) and from local policy at the compute center; services running on the user's behalf access resources over SSL/WS-Security with proxy certificates, subject to authz policy enforcement)

Slide 57: Propagation of Requester's Rights through the Job Scheduling and Submission Process (figure)
- Dynamically limit the delegated rights more as job specifics become clear
- Trust parties downstream to limit rights for you... or let them come back with job specifics such that you can limit them
- Virtualization complicates least-privilege delegation of rights

Slide 58: Grid Security must address...
- Trust between resources without organization support
- Bridging differences between mechanisms
  - Authentication, assertions, policy...
- Allow for controlled sharing of resources
  - Delegation from site to VO
- Allow for coordination of shared resources
  - Delegation from VO to users, users to resources
- ... all with dynamic, distributed user communities and least privilege.
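Slides 46, 57 and 58 describe multi-level delegation under least privilege: the user delegates to a broker, the broker to a GRAM service, GRAM to the GridFTP transfer it starts, and each step should narrow the rights as the job's specifics become known. The following added example is not Globus code; it reduces a GSI proxy-certificate chain to a holder name, a set of constructed "action:resource" rights and an expiry, and shows the two properties a verifier relies on: a delegate can never hold more than its issuer (rights are intersected along the whole chain), and an expired link anywhere in the chain invalidates everything below it. The rights, site names and lifetimes are assumptions.

```python
"""Least-privilege delegation along a job-submission chain (user -> broker
-> GRAM -> GridFTP). Added example, not Globus code: proxy certificates
are modelled as (holder, rights, not_after, issuer) links; rights,
resource names and lifetimes are constructed."""
import datetime as dt
from dataclasses import dataclass
from typing import Optional

HOUR = dt.timedelta(hours=1)
T0 = dt.datetime(2005, 11, 3, 12, 0, tzinfo=dt.timezone.utc)   # constructed clock


@dataclass(frozen=True)
class Delegation:
    """One link in a delegation chain (stands in for one proxy certificate)."""
    holder: str
    rights: frozenset
    not_after: dt.datetime
    issuer: Optional["Delegation"] = None

    def chain(self):
        """Walk from this link back to the root (end-entity) credential."""
        node = self
        while node is not None:
            yield node
            node = node.issuer


def delegate(parent, holder, rights=None, lifetime=None, now=None):
    """Issue a delegation from `parent` to `holder`.

    rights=None means "trust the downstream party to limit itself": it
    receives everything the parent holds. Requested rights the parent does
    not hold are dropped, so delegation can only narrow, never widen.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    if now >= parent.not_after:
        raise ValueError(f"credential of {parent.holder} has expired")
    granted = parent.rights if rights is None else frozenset(rights) & parent.rights
    not_after = parent.not_after if lifetime is None else min(parent.not_after, now + lifetime)
    return Delegation(holder, granted, not_after, parent)


def effective_rights(leaf):
    """A verifier recomputes rights as the intersection over the whole chain,
    so a link that claims more than its issuer gains nothing."""
    rights = None
    for node in leaf.chain():
        rights = node.rights if rights is None else rights & node.rights
    return rights


def is_authorized(leaf, right, at):
    """Every link must still be valid at `at` and carry the right."""
    return all(at < node.not_after and right in node.rights for node in leaf.chain())


def job_submission_chain(now):
    """Constructed scenario: the user hands the broker everything; the broker
    narrows once it has placed the job on site-a; GRAM narrows again for the
    transfer it starts on the user's behalf."""
    user = Delegation("/O=Grid/CN=alice", frozenset({
        "submit:gram@site-a", "submit:gram@site-b",
        "read:gsiftp://site-a/data/run42", "write:gsiftp://site-a/scratch/out",
        "read:gsiftp://site-b/data/run42"}), now + 12 * HOUR)
    broker = delegate(user, "broker", lifetime=8 * HOUR, now=now)   # job not yet placed
    gram = delegate(broker, "gram@site-a", rights={                    # job specifics known
        "submit:gram@site-a", "read:gsiftp://site-a/data/run42",
        "write:gsiftp://site-a/scratch/out"}, lifetime=2 * HOUR, now=now)
    gridftp = delegate(gram, "gridftp@site-a", rights={
        "read:gsiftp://site-a/data/run42", "write:gsiftp://site-a/scratch/out",
        "submit:gram@site-b"}, now=now)                                 # dropped: GRAM never had it
    return gridftp


if __name__ == "__main__":
    leaf = job_submission_chain(T0)
    for link in reversed(list(leaf.chain())):
        print(f"{link.holder:<20} until {link.not_after:%H:%M}  {sorted(link.rights)}")
    print("effective:", sorted(effective_rights(leaf)))
    print("read at +1h:", is_authorized(leaf, "read:gsiftp://site-a/data/run42", T0 + HOUR))
    print("read at +3h:", is_authorized(leaf, "read:gsiftp://site-a/data/run42", T0 + 3 * HOUR))
```

The two narrowing styles on slide 57 are both present: the broker link is issued with `rights=None` (trust the downstream party), while the GRAM link is issued only after the job's site and files are known. The short GRAM lifetime is what makes the read fail at T0 + 3h even though the user's own credential is still valid.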

Slide 59: Outline (same items as slide 2)

Slide 60: Security Services with VO (figure)

Slide 61: GT's GGF Authorization Call-Out Support
- GGF's OGSA-Authz WG: Use of SAML for OGSA Authorization
  - Authorization service specification
  - Extends SAML spec for use in WS-Grid
  - Recently standardized by GGF
- Conformant call-out integrated in GT
  - Transparently called through configuration
- PERMIS interoperability
  - Ready for GT4!
- Futures...
  - SAML 2.0 compliance ... XACML 2.0-SAML 2.0 profile

Slide 62: GT-XACML Integration
- eXtensible Access Control Markup Language (XACML)
  - OASIS standard
  - Open source implementations
- XACML: sophisticated policy language
- Globus Toolkit ships with XACML runtime
  - Integrated in every client and server built on GT
  - Turned on through configuration
- ... can be called transparently from runtime and/or explicitly from application ...
- ... and we're using the XACML model for our Authz Processing Framework ...

Slide 63: GT's Assertion Processing Problem
- VOMS / PERMIS / X.509 / Shibboleth / SAML / Kerberos identity and attribute assertions
- XACML / SAML / CAS / XCAP / PERMIS / ProxyCert authorization assertions
- Assertions can be pushed by the client, pulled from a service, or be locally available
- Policy decision engines can be local and/or remote
- Delegation of rights is a required feature, implemented through many different means
- The GT runtime has to mix and match all this policy information and these decisions in a consistent manner…
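To make slides 62 and 63 concrete, here is a small worked example that is not part of the presentation and not the Globus Toolkit's XACML runtime: a VO policy written in XACML 2.0, an evaluator for the subset of the language that policy uses (Targets with string-equal matches and the standard rule-combining algorithms; no Conditions or Obligations), and the normalization step that turns an X.509 DN plus VOMS FQANs into an XACML request context. The resource name, the role attribute id `urn:example:vo:role` and the FQANs are assumptions made for the example.

```python
"""XACML 2.0 policy evaluator for a Target/string-equal subset plus an
assertion-to-request-context mapper. Constructed example; not GT code."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
VO_ROLE = "urn:example:vo:role"  # assumed attribute id carrying a VOMS role
ALG = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:"
DATA = "gsiftp://storage.example.org/vo/data"  # assumed resource name

# Constructed VO policy: members holding role "analyst" may read the VO's
# storage endpoint; a Deny rule blocks writes and, under deny-overrides,
# wins over any Permit for the same request.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="vo-storage"
        RuleCombiningAlgId="{ALG}deny-overrides">
  <Target/>
  <Rule RuleId="analysts-may-read" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS}">analyst</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{VO_ROLE}" DataType="{XS}"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS}">{DATA}</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS}"/>
    </ResourceMatch></Resource></Resources>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS}">read</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}"/>
    </ActionMatch></Action></Actions>
  </Target></Rule>
  <Rule RuleId="no-writes" Effect="Deny"><Target>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS}">write</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}"/>
    </ActionMatch></Action></Actions>
  </Target></Rule>
</Policy>"""


def q(tag):
    return f"{{{NS}}}{tag}"


def request_context(dn, fqans, resource, action):
    """Map already-validated X.509 / VOMS assertions into an XACML request
    context: attribute-id -> bag (list) of string values."""
    ctx = {SUBJECT_ID: [dn], RESOURCE_ID: [resource], ACTION_ID: [action], VO_ROLE: []}
    for fqan in fqans:  # VOMS FQAN: /vo/group/Role=<role>/Capability=<cap>
        for part in fqan.split("/"):
            if part.startswith("Role=") and part != "Role=NULL":
                ctx[VO_ROLE].append(part[len("Role="):])
    return ctx


def _match(match, ctx):
    """One SubjectMatch/ResourceMatch/ActionMatch: true if any value in the
    designated request attribute string-equals the policy's AttributeValue."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId " + match.get("MatchId"))
    wanted = match.find(q("AttributeValue")).text
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    return wanted in ctx.get(designator.get("AttributeId"), [])


def target_matches(target, ctx):
    """Sections (Subjects, Resources, Actions) are ANDed, alternatives inside a
    section are ORed, matches inside one alternative are ANDed; missing = any."""
    if target is None:
        return True
    for section in ("Subjects", "Resources", "Actions"):
        sec = target.find(q(section))
        if sec is not None and not any(all(_match(m, ctx) for m in alt) for alt in sec):
            return False
    return True


def evaluate(policy_xml, ctx):
    """Return "Permit", "Deny" or "NotApplicable" for one request context."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find(q("Target")), ctx):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall(q("Rule"))
               if target_matches(rule.find(q("Target")), ctx)]
    if not effects:
        return "NotApplicable"
    alg = policy.get("RuleCombiningAlgId")
    if alg == ALG + "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if alg == ALG + "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    if alg == ALG + "first-applicable":
        return effects[0]
    raise ValueError("unsupported combining algorithm " + alg)


if __name__ == "__main__":
    alice, analyst = "/O=Grid/OU=example.org/CN=Alice", ["/myvo/analysis/Role=analyst/Capability=NULL"]
    print(evaluate(POLICY_XML, request_context(alice, analyst, DATA, "read")))   # Permit
    print(evaluate(POLICY_XML, request_context(alice, analyst, DATA, "write")))  # Deny
    print(evaluate(POLICY_XML, request_context(alice, [], DATA, "read")))        # NotApplicable
```

The point to notice is the normalization: the PDP never sees a proxy certificate or a VOMS attribute certificate, only the attribute bag that `request_context` builds after the assertions have been validated, which is what lets one evaluator serve several assertion mechanisms. A real deployment would also have to reject unknown MatchId functions and combining algorithms exactly as this code does, rather than silently treating them as non-matching.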

Slide 64: Delegation of Rights Complexity
Bob: "Can I have a glass of lemonade?"
Ivan: "Can Bob have a glass of lemonade?"
Ivan's policy: I don't know any Bob… (?) I do know John, Mary, Carol, Olivia, …
Carol's policy: Bob is my friend and I'll share my lemonade with him ("Sure, Bob is my friend")
Olivia's policy: If Carol likes Bob, I hate him!
Mary's policy: I like Bob a little bit
Lucy's policy: I sometimes like Carol
Ann's policy: I like Ivan very much!
Jogger's policy: I'd like a glass too
John's policy: I don't like girls
Bill's policy: Lemonade is bad for you
Frosty's policy: Only share lemonade with ice
Aunt's policy: Sharing is good
Laura's policy: Share if he pays!
David's policy: Ask Laura
Accountant's policy: Only if he signs here
Rita's policy: No lemonade after eight
Neighbor's policy: Let's party!
Emma's policy: Only on his birthday
Ivan: HELP! (non-normative evaluated decision)

Slide 65: What are the Grid/P2P issues with distributed authorization? (1)
- Many different parties want to express their opinion about each other's access rights
  - Anybody can say anything about anyone else
- Expressed in many different languages
  - Enforcing a single policy language is impossible / not desirable
- Some parties can be asked for their opinion
  - They expose themselves as an AuthZ oracle (PDP)
- Other parties send their opinion as statements
  - Authenticated policy/decision statements/assertions expressed in their favorite language

Slide 66: What are the Grid/P2P issues with distributed authorization? (2)
- Some of that advice is from parties you've never met before
  - So they must be empowered by those you do know…
- Some advice does not apply, or is malformed, malicious, fake, erroneous, …
  - …and often you cannot tell that just by looking at it…
- Different parties will use different names for the same subject
  - Need identity federation for the mapping
- Different parties will use different groups/roles in their policy expressions
  - Only the group/role that is actually used in a relevant policy expression is of interest…

Slide 67: Attribute Collection Framework

Slide 68: GT's Authorization Processing Model (1)
- Use of a Policy Decision Point (PDP) abstraction that conceptually resembles the one defined for XACML
  - Normalized request context and decision format
  - PDP modeled as a black-box authorization decision oracle
- After validation, map all attribute assertions to the XACML Request Context Attribute format
- Create mechanism-specific PDP instances for each authorization assertion and call-out service
- The end result is a set of PDP instances where the different mechanisms are abstracted behind the common PDP interface

Slide 69: GT's Authorization Processing Model (2)
- The Master-PDP orchestrates the querying of each applicable PDP instance for authorization decisions
- Pre-defined combination rules determine how the different results from the PDP instances are combined to yield a single decision
- The Master-PDP finds delegation decision chains by asking the individual PDP instances whether the issuer has delegated administrative rights to other subjects
- The Master-PDP can thus determine authorization decisions based on delegated rights without explicit support from the native policy language evaluators

Slide 70: GT Authorization Framework (1)

Slide 71: GT Authorization Framework (2)
(diagram labels: AAA/PERMIS/XACML PDP, AAA token, AAA PDP)

Slide 72: GT Authorization Framework (3)

Slide 73: GT Authorization Framework (3)
- The Master-PDP accesses all mechanism-specific PDPs through the same Authz Query Interface
  - SAML-XACML-2 profile
- The Master-PDP acts like an XACML combinator
  - Permit-Overrides rule
- Negative permissions are evil…
- Delegation chains are found through exhaustive search
  - …with the optimization of evaluating cheap decisions first…
- Blacklist PDPs are consulted separately
  - Statically configured, call-out-only PDPs
  - Deny-Overrides only for the blacklist PDPs…
- A pragmatic compromise to keep administration simple
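The processing model of slides 68, 69 and 73 (one query interface over mechanism-specific PDPs, a Master-PDP that searches delegation chains exhaustively from the resource owner, permit-overrides over the policy PDPs, and separately consulted deny-overrides blacklist PDPs) is easier to reason about in code. The model below is an added example written for this page, not Globus Toolkit code; the class names, the `cost` ordering and the table-driven `LocalPolicyPDP` are assumptions, and the sample parties loosely follow the lemonade scenario of slide 64: Ivan owns the lemonade and knows Carol, Carol says Bob is her friend, and Olivia dislikes Bob but was never empowered by anyone Ivan trusts.

```python
"""Model of the Master-PDP orchestration: heterogeneous PDPs behind one
query interface, exhaustive delegation-chain search from the resource
owner, permit-overrides for the policy PDPs and separately consulted
deny-overrides blacklist PDPs. Constructed example, not Globus Toolkit
code; class names, the cost values and the lemonade parties are assumed."""
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str


class PDP:
    """Common Authz Query Interface that each mechanism-specific wrapper
    (XACML policy, PERMIS, SAML call-out service, ...) implements."""
    issuer = "?"  # subject whose policy this PDP speaks for
    cost = 1      # relative evaluation cost: local policy cheap, remote call-out expensive

    def decide(self, req):
        raise NotImplementedError

    def admins(self, resource):
        """Subjects to whom the issuer delegated administrative rights over resource."""
        raise NotImplementedError


class LocalPolicyPDP(PDP):
    """Simplest mechanism: a table (subject, resource, action) -> effect, plus
    the subjects this issuer lets administer a resource on its behalf."""

    def __init__(self, issuer, rules=None, delegates=None, cost=1):
        self.issuer, self.cost = issuer, cost
        self._rules = dict(rules or {})
        self._delegates = dict(delegates or {})  # {resource: {subject, ...}}

    def decide(self, req):
        return self._rules.get((req.subject, req.resource, req.action), NOT_APPLICABLE)

    def admins(self, resource):
        return set(self._delegates.get(resource, ()))


class MasterPDP:
    def __init__(self, owners, policy_pdps, blacklist_pdps=()):
        self.owners = dict(owners)  # resource -> owning subject, the trust root
        self.pdps = sorted(policy_pdps, key=lambda p: p.cost)  # cheap decisions first
        self.blacklists = list(blacklist_pdps)

    def delegation_chain(self, issuer, resource):
        """Exhaustive breadth-first search for owner -> ... -> issuer, following
        the admins() answers of the PDPs reached so far. [] if no chain exists."""
        owner = self.owners[resource]
        frontier, parent = [owner], {owner: None}
        while frontier:
            here = frontier.pop(0)
            if here == issuer:
                chain = []
                while here is not None:
                    chain.append(here)
                    here = parent[here]
                return chain[::-1]
            for pdp in self.pdps:
                if pdp.issuer != here:
                    continue
                for nxt in pdp.admins(resource):
                    if nxt not in parent:  # visited set: delegation graphs may contain cycles
                        parent[nxt] = here
                        frontier.append(nxt)
        return []

    def decide(self, req):
        # 1. Blacklists: statically configured, deny-overrides, consulted on their own.
        if any(p.decide(req) == DENY for p in self.blacklists):
            return DENY
        # 2. Permit-overrides over the PDPs whose issuer is empowered for the resource;
        #    a Deny from an ordinary PDP never overrides a Permit.
        saw_deny = False
        for pdp in self.pdps:  # already cost-ordered
            if not self.delegation_chain(pdp.issuer, req.resource):
                continue  # opinion of a party nobody we trust empowered: ignored
            effect = pdp.decide(req)
            if effect == PERMIT:
                return PERMIT  # short-circuit, so the expensive PDPs often never run
            saw_deny = saw_deny or effect == DENY
        return DENY if saw_deny else NOT_APPLICABLE


if __name__ == "__main__":
    lemonade, drink = "ivan:lemonade", "drink"
    ivan = LocalPolicyPDP("Ivan", delegates={lemonade: {"John", "Mary", "Carol"}})
    carol = LocalPolicyPDP("Carol", rules={("Bob", lemonade, drink): PERMIT}, cost=3)
    olivia = LocalPolicyPDP("Olivia", rules={("Bob", lemonade, drink): DENY})  # never empowered
    master = MasterPDP({lemonade: "Ivan"}, [ivan, carol, olivia])
    print(master.delegation_chain("Carol", lemonade))      # ['Ivan', 'Carol']
    print(master.decide(Request("Bob", lemonade, drink)))  # Permit
```

Two consequences of the slide's design choices show up directly: a Deny from an empowered party such as Mary cannot veto Carol's Permit (that is what "negative permissions are evil" and Permit-Overrides buy you), so the only way to reliably block a subject is a blacklist PDP, and the per-PDP delegation-chain search is where the cost goes, which is why the cheap, owner-issued PDPs are tried first.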

Slide 74: Big Picture & Conclusion
- GT4 is security-buzzword compliant!
  - …probably the most full-featured-security WS toolkit…
- Web Services technologies provide the low-level plumbing
  - following all relevant standards
- Portals are growing as a user interface
  - Clients use HTTP browsers, … but portals will use WS protocols!
  - PURSE, ESG, GridSite, LEAD Portal, …
- New deployment paradigms (GridLogon, VMs)
  - Driven by the inability to protect…
- Authorization is still the big focus
  - A unification framework is needed to support different mechanisms and formats => GT 4.2
  - Required for fine-grained VO policy

Slide 75: Q?