Practical Distributed Authorization for GARA Andy Adamson and Olga Kornievskaia Center for Information Technology Integration University of Michigan, USA.
Outline
Background and motivation
Security architecture of the current scheme
Design of the authorization framework
Modified authentication mechanism
Video clip of the demo
Reservation flow walk through

Background
Grid computing is an initiative for the advancement of distributed computing that enables flexible sharing of resources distributed among administrative domains
GARA (General-purpose Architecture for Reservation and Allocation): a Quality of Service reservation mechanism for different types of resources
Project partners: University of Michigan (Physics, CITI), European Organization for Nuclear Research (CERN), Argonne National Laboratory (ANL), Merit, and others

End to End Performance
Reliable high-speed end-to-end network services are important to scientific collaborators
–Video, audio, large data transfers
Long-haul networks demonstrate good performance due to overprovisioning
The last mile is often the network bottleneck
Reliable end-to-end network service is achieved by reserving network resources within end-point institution networks, coupled with the good performance of overprovisioned long-haul networks

Automated network reservation
QoS functionality is a common feature in network hardware
QoS configuration is currently done by hand
We address the need for an automated network reservation system
Security of all communications is vital
The security problem is difficult because end-to-end network resource allocation crosses administrative domains

Project based on Globus GARA
GARA is a Grid network reservation service
GARA uses the PKI-based Grid Security Infrastructure (GSI) for authentication and coarse authorization
–Authentication uses long-term public key credentials and short-term proxy credentials
–Authorization is controlled by an ACL-based flat file
Our contributions:
–Fine-grained cross-domain authorization
–Public key credentials based on Kerberos identity
–Secure web interface

Cross-domain Authorization
Use existing local group services
–Avoid replicating data and management tasks
Group name-space shared by domains
–Local administrators manage group membership as usual
KeyNote policy engine makes the authorization decision
Fine-grained authorization expressed in KeyNote policy rules
–Group membership
–Amount of bandwidth allowed
–Time/duration of reservation

Local Domain Authorization
Local GARA contacts the local group service to find which groups the user is a member of
Group membership is passed into KeyNote along with the reservation request parameters
KeyNote compares the input parameters to the rules
If authorized, the local GARA client:
–Packages and signs the username and group membership
–Adds it to the reservation request that is forwarded to the remote site

Remote Domain Authorization
Remote GARA accepts the signed username/group membership from the wire and verifies it before use
Group membership is passed into KeyNote along with the reservation request parameters
KeyNote compares the input parameters to the rules to make the authorization decision
If remote authorization fails, the reservation at the previous node is cancelled

Kerberos leveraged PKI: kx.509
Figure: participants are the Browser/User, the Web Server, the KCT and the KCA; labelled messages are "Sign my short-term key", SSL handshake (recorded), SSL transcript, and Service ticket.

Web server as proxy GARA client
Figure: the Web Server acts as the GARA client; components are Local GARA with KeyNote, Remote GARA with KeyNote, the Group Service (AFS PTS or LDAP) and the Router Pool; labelled flows are "Request group membership" (to the group service) and "Signed group membership" (forwarded to the remote GARA).

Demonstration: UMICH to CERN
Multiple security realms
AFS Protection Server (PTS) is used as the local group service
MJPEG video conferencing application
–10 MB/sec stream each way, 147 ms round trip
–RTP headers record packet loss statistics
Iperf traffic generated at each end across the video and audio receiving router interface
Cisco 6506 at UMICH, Cisco 7500 at CERN

Demonstration: UMICH to CERN
Note the high quality video and audio
Turn on Iperf traffic at one end to degrade the video and audio signal
Place a reservation in the near future (1 minute) for a short duration (20 seconds)
Note that the degraded video and audio return to high quality during the 20 second reservation, in spite of the competing traffic generation
Note that the degraded video and audio return at the end of the reservation

“Big Picture”
Figure: realms CITI.UMICH.EDU, ATLAS.UMICH.EDU and IGRID2002; components are the Browser, KCT/KDC, KCA, Web Server, GARA Client, AFS PTS Group Service, GARA Service with Cisco 6506, GARA Service with Cisco 7206, MJpeg Host and the Reserved Video Conference; links are labelled KINIT, KX509, SSL, RX, GSI, TELNET and SSH.

Any Questions?

Demonstration: UMICH to CERN
We demonstrated that a reservation failed if:
–User not in correct group
–Requested bandwidth out of bounds
–Time of request is out of bounds
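The reservation flow from the Local Domain Authorization and Remote Domain Authorization slides, exercised against the three failure cases listed above, as an added worked example. This is not code from the slides or from the GARA project: the policy evaluator is a small hand-written stand-in for KeyNote, the forwarded username/group assertion is sealed with an HMAC over a constructed shared key rather than the GSI public-key signature the real system uses, and the usernames, group names, per-domain bandwidth and time bounds are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the local group service (AFS PTS or LDAP in the talk).
LOCAL_GROUPS = {"alice": {"atlas", "citi"}, "mallory": {"guests"}}

# Constructed per-domain rules, one per authorized group.  KeyNote would carry
# these as assertion Conditions; here they are plain data.  Bandwidth in
# Mbit/s, lead time (start - now) and duration in seconds.
POLICY = {
    "umich": {"atlas": {"max_mbps": 100, "max_lead_s": 3600, "max_duration_s": 600}},
    "cern":  {"atlas": {"max_mbps": 50,  "max_lead_s": 3600, "max_duration_s": 300}},
}

# Constructed shared key: an HMAC stands in for the GSI public-key signature.
SHARED_KEY = b"constructed-demo-key"


def evaluate_policy(domain, groups, request, now):
    """KeyNote-style decision: True if any group the user holds has a rule in
    this domain that admits the requested bandwidth and time window."""
    lead = request["start"] - now
    for group in groups:
        rule = POLICY[domain].get(group)
        if rule is None:
            continue
        if (request["mbps"] <= rule["max_mbps"]
                and 0 <= lead <= rule["max_lead_s"]
                and 0 < request["duration_s"] <= rule["max_duration_s"]):
            return True
    return False


def sign_membership(user, groups):
    """Local side: package username + groups and seal them before forwarding."""
    payload = json.dumps({"user": user, "groups": sorted(groups)}, sort_keys=True)
    tag = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_membership(assertion):
    """Remote side: check the seal before trusting anything 'from the wire'.
    Returns the claimed {user, groups} or None if the seal does not match."""
    expected = hmac.new(SHARED_KEY, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return None
    return json.loads(assertion["payload"])


def reserve(user, request, now, tamper=None):
    """Walk one request through local (umich) and remote (cern) authorization.
    `tamper` optionally rewrites the forwarded assertion to model a man in
    the middle.  Returns (status, log) where status is one of 'granted',
    'denied_local', 'bad_assertion' or 'denied_remote'; the last two also
    cancel the reservation already made locally, as the slides describe."""
    log = []
    groups = LOCAL_GROUPS.get(user, set())
    if not evaluate_policy("umich", groups, request, now):
        return "denied_local", log
    log.append("umich: reserved")
    assertion = sign_membership(user, groups)
    if tamper is not None:
        assertion["payload"] = assertion["payload"].replace(*tamper)
    claimed = verify_membership(assertion)
    if claimed is None:
        log.append("umich: cancelled (assertion failed verification)")
        return "bad_assertion", log
    if not evaluate_policy("cern", set(claimed["groups"]), request, now):
        log.append("umich: cancelled (remote denied)")
        return "denied_remote", log
    log.append("cern: reserved")
    return "granted", log


if __name__ == "__main__":
    now = 1000
    for user, mbps, start, dur, tamper in [
        ("alice", 20, 1060, 20, None),                # the demo's happy path
        ("mallory", 20, 1060, 20, None),              # user not in the right group
        ("alice", 80, 1060, 20, None),                # bandwidth exceeds the remote bound
        ("alice", 20, 990, 20, None),                 # start time already in the past
        ("alice", 20, 1060, 20, ("atlas", "admin")),  # assertion altered in transit
    ]:
        status, log = reserve(user, {"mbps": mbps, "start": start, "duration_s": dur}, now, tamper)
        print(user, status, log)
```

The remote domain evaluates its own, possibly stricter, rules against the same request, so a request the local domain accepts can still be denied remotely; the local reservation is then cancelled so that no partial end-to-end path is left allocated. The tampered case shows why the remote side must verify the assertion before feeding the group list to the policy engine.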

Future directions
The ongoing project extends the existing infrastructure to accommodate general web-based network monitoring tools