An overview of the EGEE infrastructure and middleware EGEE is funded by the European Union under contract IST-2003-508833 Emmanuel Medernach Based on a.

Slides:

Advertisements

Similar presentations

CHEP 2000, Roberto Barbera Roberto Barbera (*) GENIUS: a Web Portal for the GRID Meeting Grid.it, Bologna, (*) work in collaboration.

Advertisements

Introduction of Grid Security

Data Management Expert Panel - WP2. WP2 Overview.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,

FP7-INFRA Enabling Grids for E-sciencE EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.

High Performance Computing Course Notes Grid Computing.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Grid Security. Typical Grid Scenario Users Resources.

A Computation Management Agent for Multi-Institutional Grids

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

INFSO-RI Enabling Grids for E-sciencE EGEE Middleware The Resource Broker EGEE project members.

10 April 2003Deploy Grid in Israel Universities1 Deploy Grid testbed in Israel universities Lorne Levinson David Front Weizmann Institute.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.

Slides for Grid Computing: Techniques and Applications by Barry Wilkinson, Chapman & Hall/CRC press, © Chapter 1, pp For educational use only.

1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.

Basic Grid Job Submission Alessandra Forti 28 March 2006.

DataGrid Kimmo Soikkeli Ilkka Sormunen. What is DataGrid? DataGrid is a project that aims to enable access to geographically distributed computing power.

Globus Computing Infrustructure Software Globus Toolkit 11-2.

Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug

Riccardo Bruno INFN.CT Sevilla, Sep 2007 The GENIUS Grid portal.

GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.

EGEE is a project funded by the European Union under contract IST The GENIUS portal Roberto Barbera University of Catania and INFN SEE-GRID.

Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.

Computational grids and grids projects DSS,

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.

Module 9: Fundamentals of Securing Network Communication.

Training and the NGS Mike Mineter

EGEE is a project funded by the European Union under contract IST The GENIUS portal Roberto Barbera University of Catania and INFN First Latinamerican.

Author - Title- Date - n° 1 Partner Logo EU DataGrid, Work Package 5 The Storage Element.

Author - Title- Date - n° 1 Partner Logo WP5 Summary Paris John Gordon WP5 6th March 2002.

1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.

3-Nov-00D.P.Kelsey, HEPiX, JLAB1 Certificates for DataGRID David Kelsey CLRC/RAL, UK

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.

June 24-25, 2008 Regional Grid Training, University of Belgrade, Serbia Introduction to gLite gLite Basic Services Antun Balaž SCL, Institute of Physics.

Ames Research CenterDivision 1 Information Power Grid (IPG) Overview Anthony Lisotta Computer Sciences Corporation NASA Ames May 2,

CLRC and the European DataGrid Middleware Information and Monitoring Services The current information service is built on the hierarchical database OpenLDAP.

MTA SZTAKI Hungarian Academy of Sciences Introduction to Grid portals Gergely Sipos

EGEE-II INFSO-RI Enabling Grids for E-sciencE The GILDA training infrastructure.

GRIDS Center Middleware Overview Sandra Redman Information Technology and Systems Center and Information Technology Research Center National Space Science.

Introduction to Grids By: Fetahi Z. Wuhib [CSD2004-Team19]

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,

Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.

EGEE-0 / LCG-2 middleware Practical.

INFSO-RI Enabling Grids for E-sciencE GILDA and GENIUS Guy Warner NeSC Training Team An induction to EGEE for GOSC and the NGS NeSC,

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Alexandre Duarte CERN IT-GD-OPS UFCG LSD 1st EELA Grid School.

Globus and PlanetLab Resource Management Solutions Compared M. Ripeanu, M. Bowman, J. Chase, I. Foster, M. Milenkovic Presented by Dionysis Logothetis.

GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.

Globus: A Report. Introduction What is Globus? Need for Globus. Goal of Globus Approach used by Globus: –Develop High level tools and basic technologies.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

Site Authorization Service Local Resource Authorization Service (VOX Project) Vijay Sekhri Tanya Levshina Fermilab.

13th EELA Tutorial, La Antigua, 18-19, October E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA

EGEE is a project funded by the European Union under contract IST GENIUS and GILDA: a status report Roberto Barbera NA4 Generic Applications.

Bob Jones – Project Architecture - 1 March n° 1 Project Architecture, Middleware and Delivery Schedule Bob Jones Technical Coordinator, WP12, CERN.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Overview of gLite, the EGEE middleware Mike Mineter Training Outreach Education National.

EGEE is a project funded by the European Union under contract IST GENIUS and GILDA Guy Warner NeSC Training Team Induction to Grid Computing.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.

Antonio Fuentes RedIRIS Barcelona, 15 Abril 2008 The GENIUS Grid portal.

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Introduction Salma Saber Electronic.

INFSO-RI Enabling Grids for E-sciencE Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach.

The EDG Testbed Deployment Details

Authentication, Authorisation and Security

CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.

Presentation transcript:

An overview of the EGEE infrastructure and middleware EGEE is funded by the European Union under contract IST Emmanuel Medernach Based on a talk from Flavia Donno

Goals To introduce the major components of the EGEE grid Architecture Middleware Organisation

Overview Enabling Grid Computing: architecture + middleware + infrastructure Authentication and Authorization Information services The major components of the infrastructure The software stack EGEE grid organisation

What are the characteristics of a Grid system? Numerous Resources Ownership by Mutually Distrustful Organizations & Individuals Potentially Faulty Resources Different Security Requirements & Policies Required Resources are Heterogeneous Geographically Separated Different Resource Management Policies Connected by Heterogeneous, Multi-Level Networks

What are the characteristics of a Grid system? GRID

Virtual organisations An EGEE user must belong to a VO A VO Controls access to specified resources Usually comprises geographically distributed people Requires the ability to know who has done what, and who will not be allowed to do it again…. Security. Current VO’s: HEP communities, biology, astronomy,…

How do I login on the Grid ? Distribution of resources: secure access is a basic requirement secure communication security across organisational boundaries single “sign-on" for users of the Grid Two basic concepts: Authentication: Who am I? “Equivalent” to a pass port, ID card etc. Authorisation: What can I do? Certain permissions, duties etc.

Security in the Grid In industry, several security standards exist: Public Key Infrastructure (PKI) PKI keys SPKI keys (focus on authorisation rather than certificates) RSA Secure Socket Layer (SSL) SSH keys Kerberos Need for a common security standard for Grid services Above standards do not meet all Grid requirements (e.g. delegation, single sign-on etc.) Grid community mainly uses X.509 PKI for the Internet Well established and widely used (also for www, , etc.)

PKI – Basic overview Public Key Infrastructure (also called asymmetric cryptography) One primary advantage: it is generally easier than distributing secret keys securely, as required in symmetric keys ciphertext c = E e (m) m = D d (c). public key e private key d encryption transformation E e decryption transformation D d wishing to send a message m to A: applies the decryption transformation Entity A (Alice) Entity B (Bob) public key private key

Involved entities User Certificate Authority Public key Private key certificate CA Resource (site offering services)

X.509 alias ISO/IEC/ITU X.509 certificate includes: User identification (someone’s subject name) Public key A “signature” from a Certificate Authority (CA) that: Proves that the certificate came from the CA. Warranty for the subject name Warranty for the binding of the public key to the subject

Grid Security Infrastructure (GSI) Globus Toolkit TM proposed and implements the Grid Security Infrastructure (GSI) Protocols and APIs to address Grid security needs GSI protocols extend standard public key protocols Standards: X.509 & SSL/TLS Extensions: X.509 Proxy Certificates (single sign-on) & Delegation GSI extends standard GSS-API (Generic Security Service) The GSS-API is the IETF standard for adding authentication, delegation, message integrity, and message confidentiality to applications. Proxy Certificate: Short term, restricted certificate that is derived form a long-term X.509 certificate Signed by the normal end entity cert, or by another proxy Allows a process to act on behalf of a user Not encrypted and thus needs to be securely managed by file system

Authorisation Requirements Detailed user rights need to be centrally managed and assigned User can have certain group membership and roles Involved parties: Resource providers (RP, provides access to the resource) keep full control on access rights traceability user level (not VO level) Virtual Organisation (VO) of the user (member of a certain group should have same access rights independent of resource) Agreement required between resource providers and VO RPs evaluate authorisation granted by VO to a user and map into local credentials to access resources Need tool to manage membership for large VOs (10,000 users)

Authentication and Authorization UI JDL 1 Authentication Authorization 2 3 User CA VO Service

Security Summary Security is important for Grid middleware: In particular in commercial use Security solutions need to be integrated from the very beginning Grid security relies on PKI Requires: authentication & authorization Basic entities: Users – CA (Certificate Authorities) – Resource Providers

The middleware EGEE middleware built upon toolkits provides generic Grid services: Information Job submission Data management Security Logging Monitoring EGEE supports computation and data storage by multiple virtual organisations

The grid software stack Grid Application Layer Collective Services Underlying Grid Services Fabric services Infrastructure Fabric Grid APPLICATIONS GLOBUS CondorG (VDT) MIDDLEWARE APPLICATIONS

Situation on a Grid

Features of a grid information system Provides information on both: The Grid itself Mainly for the middleware packages The user may query it to understand the status of the Grid Grid applications For users Flexible architecture Able to cope with nodes in a distributed environment with an unreliable network Dynamic addition and deletion of information producers Security system able to address the access to information at a fine level of granularity Allow new data types to be defined Scaleable Good performance Standards based

Situation on a Grid Info Service Information Providers Replica Catalog

Information Services Hardware: EDG Information Service Information Providers Data: Replica Catalog LDAP (release 1.4) RLS (release 2.0) Software & Services: EDG Grid Services: Information Service –MDS –R-GMA Application Services: Currently only EDG applications directly supported Machine Types: Information Service (IS) Top level MDS R-GMA registry Replica Catalog (RC, RLS)

EDG Information Providers EDG information providers Software that provides information about resources and infrastructure Provided by the developer of a service or the responsible for the resource

Main EDG Grid Services Authentication & Authorization Job submission service Resource Broker Replica Management EDG-Replica-Manager Mass storage system support Monitoring

Main Logical Machine Types User Interface (UI) Information Service (IS) Computing Element (CE) Frontend Node Worker Nodes (WN) Storage Element (SE) Replica Catalog (RC,RLS) Resource Broker (RB)

A Simple Testbed Configuration User Interface Resource Broker Replica Catalog Information Service Storage Element 1 Storage Element 2 Computing Element 1 Computing Element 2 “CLOSE”

The lifecycle of an EGEE job UI JDL Logging & Book-keeping ResourceBroker Job Submission Service StorageElement ComputingElement InformationService Job Status ReplicaCatalogue DataSets info Author. &Authen. Job Submit Event Job Query Job Status Input “sandbox” Input “sandbox” + Broker Info Globus RSL Output “sandbox” Job Status Publish grid-proxy-init Expanded JDL SE & CE info

Main Services per Machine Type DaemonUIISCE (frontend) WNSERLSRB Globus Gatekeeper RLS-LRC RLS-RMC GridFTP R-GMA R-GMA GOUT R-GMA GIN Broker (Network server, job control) CondorG Job submission Logging & Bookkeeping Local Logger CRL Update Grid mapfile Update RFIO EDG-SE

EGEE EGEE is distinctive because of the emphasis on : Production quality of service Multiple virtual organisations

Training/demo service Permanent need for tutorials, demonstrations etc. Cannot disturb production system, or guarantee pre- production Ideally need dedicated (small) service Kept in an operational state Need sufficient resources to be available (another testbed!) Currently fulfilled by GILDA service

Conclusions The EGEE Grid requires resources, an infrastructure and middleware that allows for: Authentication and Authorization Information services Job and Data Management Monitoring and fault recovery We have seen the main components of the EGEE Grid Service and Organization EGEE is VO based The Grid Operations Management Structure monitors and controls the overall functionality The EGEE tutorials ensure training at all levels with hands- on on the GILDA dedicated testbed