Communicating Security Assertions over the GridFTP Control Channel

Rajkumar Kettimuthu (1,2), Liu Wantao (3,4), Frank Siebenlist (1,2) and Ian Foster (1,2,3)
1 Argonne National Laboratory, Argonne, IL USA; 2 Computation Institute, The University of Chicago, Chicago, IL USA; 3 Department of Computer Science, The University of Chicago, Chicago, IL USA; 4 Beihang University, Beijing, China

Abstract

The GridFTP protocol defines a general-purpose mechanism for secure, reliable, high-performance data movement. The Globus implementation of GridFTP has a modular structure that supports multiple security options, multiple transport protocols, coordinated data transfer utilizing multiple computer nodes at the source and destination, and other desirable features. The Globus GridFTP design provides support for secure authentication of control channel requests via the Grid Security Infrastructure (GSI), Kerberos or SSH security mechanisms. In this work, we develop a mechanism to reduce the security overhead of authenticating and authorizing users to perform GridFTP transfers in portal environments.

Motivation

In environments with a large number of users, services such as the Community Authorization Service (CAS) and the Virtual Organization Management Service (VOMS) have been developed to address the scalability issues of the Globus gridmapfile approach. These services allow multiple users to have the same Distinguished Name (DN) and encode, in Security Assertion Markup Language (SAML) assertions that are embedded as extensions in the proxy certificate, the specific files that a user is authorized to read and/or write. These services also maintain the permissions of users in a virtual organization, so the individual sites do not have to maintain a large number of user accounts and/or long gridmapfiles.

Consider a web portal where multiple users log on and initiate third-party data transfers between two remote nodes. It is quite possible that more than one user wants to move data between the same pair of sites. Each user either has their own individual certificate or gets a community certificate from a service such as CAS or VOMS that has their permissions embedded as a SAML assertion. Either way, each user's certificate is different and requires a separate control channel. If a separate control channel is needed for each user, it is quite difficult for the portal to cache the control channels and reuse them.

Background

A session is established when the client initiates a TCP connection to the port on which the server is listening. The first thing that must happen is an authentication per RFC. By default, the client presents a delegated proxy certificate, and the server must present a host (or user) certificate issued by a CA trusted by the client. If authentication is not successful, the connection is dropped. If authentication is successful, an authorization callout is invoked to verify authorization and to determine the local user id under which the request should be executed. Typically, the local user id is obtained from a Globus gridmapfile, which contains a mapping from the Distinguished Name (DN) in the user's certificate to local user ids. The server does a setuid to the local user id determined by the authorization callout. If authorization succeeds, the control channel has been established and the rest of the control channel protocol exchange can proceed.

Implementation

We develop enhancements to GridFTP that avoid this overhead by reusing a single control channel for multiple file transfer operations (from one or more users). The portal would use a single proxy certificate for all the users. Currently, the SAML assertions are embedded in the proxy certificate that the client uses to authenticate to the GridFTP server. The objective is to give GridFTP clients the ability to specify a SAML assertion per GridFTP data transfer command while reusing the existing established session between the client and the GridFTP server. The proposed solution is to use the GridFTP SITE command to let the client communicate a SAML assertion to the GridFTP server, where it will be used for the next authorization decision in the authorization callout. Any subsequent SITE directive that communicates a new SAML assertion substitutes for, and therefore overrides, the previous one, so the following GridFTP commands use the last SAML assertion that was communicated.

A new command, SITE AUTHZ_ASSERT, has been added to the Globus GridFTP framework. A new API has been added to the Globus FTP client library that allows a SAML assertion to be passed to the GridFTP server. For third-party transfers, clients may have to send different security assertions to the source and destination. Support for sending different assertions to the source and destination GridFTP servers has also been added.
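The following Python model, added here as an illustration and not taken from Globus GridFTP or this poster, shows the session semantics described above: one authenticated control channel, a gridmap lookup, a SITE AUTHZ_ASSERT command whose assertion is stored for the next authorization callout and overridden by any later one, and a third-party transfer that sends a different assertion to each end. Everything in it is constructed: the "assertion" is a JSON payload with an HMAC tag standing in for a signed SAML assertion (the poster does not describe how the server validates assertions; the signature and expiry checks here are the checks a server-side reviewer would expect, labelled as an assumption), the gridmap entry, the DN, the paths and the reply codes are sample values, and `Session`, `issue_assertion` and `third_party_transfer` are hypothetical names.

```python
"""Constructed model of a GridFTP-style control channel that accepts a per-command
authorization assertion via SITE AUTHZ_ASSERT. Not Globus code."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the VO service (CAS/VOMS) key; a real server would
# verify an XML signature against the issuing service's certificate instead.
VO_KEY = b"constructed-shared-key"

# Constructed gridmap: one community DN used by the portal, mapped to one local account.
GRIDMAP = {"/O=Grid/OU=Portal/CN=portal-proxy": "portal"}


def issue_assertion(subject, read, write, ttl=300):
    """Stand-in for a CAS/VOMS-issued assertion: JSON payload plus HMAC tag."""
    payload = {"sub": subject, "read": sorted(read), "write": sorted(write),
               "exp": time.time() + ttl}
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(VO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag          # tag is hex, so the last '.' is the separator


def verify_assertion(token):
    """Reject forged or expired assertions before they influence any decision."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(VO_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("assertion signature invalid")
    payload = json.loads(body)
    if payload["exp"] < time.time():
        raise PermissionError("assertion expired")
    return payload


@dataclass
class Session:
    """One control channel: authenticated once, then many commands."""
    dn: str
    local_user: Optional[str] = None
    assertion: Optional[dict] = None    # last accepted SITE AUTHZ_ASSERT payload

    def authenticate(self):
        # Transport-level authentication is assumed done; map the DN via the gridmap.
        if self.dn not in GRIDMAP:
            raise PermissionError("DN not in gridmap")
        self.local_user = GRIDMAP[self.dn]

    def command(self, line):
        verb, _, arg = line.partition(" ")
        if self.local_user is None:
            return "530 Not logged in"
        if verb == "SITE" and arg.upper().startswith("AUTHZ_ASSERT "):
            try:
                # A valid assertion replaces the previous one; an invalid one leaves it untouched.
                self.assertion = verify_assertion(arg.split(" ", 1)[1])
            except PermissionError as err:
                return f"535 {err}"
            return "200 Assertion accepted"
        if verb in ("RETR", "STOR"):
            return self._authorize(verb, arg)
        return "502 Command not implemented"

    def _authorize(self, verb, path):
        # The authorization callout decides with the most recently communicated assertion.
        if self.assertion is None:
            return "550 No authorization assertion for this command"
        allowed = self.assertion["read"] if verb == "RETR" else self.assertion["write"]
        if path in allowed:
            return f"150 Opening data connection for {path} as {self.assertion['sub']}"
        return f"550 {self.assertion['sub']} not authorized to {verb} {path}"


def third_party_transfer(src, dst, src_token, dst_token, path):
    """Portal sends a distinct assertion to each end before the RETR/STOR pair."""
    r_src = src.command(f"SITE AUTHZ_ASSERT {src_token}")
    r_dst = dst.command(f"SITE AUTHZ_ASSERT {dst_token}")
    if not (r_src.startswith("200") and r_dst.startswith("200")):
        return (r_src, r_dst)
    return (src.command(f"RETR {path}"), dst.command(f"STOR {path}"))


if __name__ == "__main__":
    s = Session(dn="/O=Grid/OU=Portal/CN=portal-proxy")
    s.authenticate()
    alice = issue_assertion("alice", read={"/data/a"}, write=set())
    print(s.command("SITE AUTHZ_ASSERT " + alice))
    print(s.command("RETR /data/a"))
    bob = issue_assertion("bob", read={"/data/b"}, write={"/data/b"})
    print(s.command("SITE AUTHZ_ASSERT " + bob))
    print(s.command("RETR /data/a"))   # alice's rights no longer apply on this channel
```

The point a defender should take from the model is the override rule: once a new assertion is accepted, every later command on the shared channel is judged against it, so the server must refuse (and keep the old state on) any assertion that fails signature or lifetime checks, and the portal must send the right assertion immediately before each user's command rather than relying on earlier ones.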