Presentation is loading. Please wait.

Presentation is loading. Please wait.

UCS D OSG Summer School 2011 Single sign-on1 2011 OSG Summer School Single sign-on in Open Science Grid by Igor Sfiligoi University of California San Diego.

Published byMatilda Peters Modified over 7 years ago

Similar presentations

Presentation on theme: "UCS D OSG Summer School 2011 Single sign-on1 2011 OSG Summer School Single sign-on in Open Science Grid by Igor Sfiligoi University of California San Diego."— Presentation transcript:

1 UCS D OSG Summer School 2011 Single sign-on1 2011 OSG Summer School Single sign-on in Open Science Grid by Igor Sfiligoi University of California San Diego

2 UCS D OSG Summer School 2011 Single sign-on2 Summary of past lessons ● HTC is maximizing CPU use over long periods ● And getting lots of computation done ● DHTC is HTC over many sites ● Using an overlay system hides most of the change ● Grid and Cloud resources are really very similar ● Especially is you use them from inside an overlay system

3 UCS D OSG Summer School 2011 Single sign-on3 Single sign-on in OSG Introducing the Open Science Grid

4 UCS D OSG Summer School 2011 Single sign-on4 Scientific Grids ● Just a reminder ● Widely distributed (continent wide) ● Many participants O(1k+) – Just moderate trust (no way everybody knows everybody else) ● Many local HTC technologies – Joining sites may have existing infrastructure

5 UCS D OSG Summer School 2011 Single sign-on5 The Open Science Grid ● US+ wide scientific Grid ● With partner Grids from around the world (e.g. EGI) ● Sponsored jointly by NSF and DOE

6 UCS D OSG Summer School 2011 Single sign-on6 Some history ● Built on experience dating to the previous Millennium

7 UCS D OSG Summer School 2011 Single sign-on7 Who is part of OSG ● Heavily HEP dominated (LHC, Tevatron) ● They need it to do their science ● Followed by other physics communities (e.g. LIGO, RHIC) ● But also a healthy mix of other sciences ● Biology and chemistry related fields ● Math and CS related fields ● Engineering related fields

8 UCS D OSG Summer School 2011 Single sign-on8 OSG in numbers ● No sites: ~50 ● Ranging in size from ~10 cores to ~7k cores ● Small sites may have a 10% of a grad student running the system ● Large ones may have several dedicated sysadmins ● No of users: >10k ● Not all active at the same time ● But most of them have used OSG at least once

9 UCS D OSG Summer School 2011 Single sign-on9 Scale problem Requesting and managing an account at each site would be a lot of work!

10 UCS D OSG Summer School 2011 Single sign-on10 Is it really my problem? But I will be using an overlay system. I will only see my local submit system. Well, someone still needs to send the pilots. You think it works by magic? But why should I care? Why again did you come here??? You will need it for storage.

11 UCS D OSG Summer School 2011 Single sign-on11 Single sign-on in OSG Single sign-on using X.509 PKI

12 UCS D OSG Summer School 2011 Single sign-on12 Single sign-on ● The idea is simple ● The user should use the same mechanism to submit jobs to all O(100) sites Hi. I am Igor

13 UCS D OSG Summer School 2011 Single sign-on13 Passwords a non-starter ● We all know username/password is the preferred authentication mechanism ● Almost everybody use it! ● But not a good solution for distributed systems ● Uses a shared secret between the user and the service provider ● And secrets stay secret only if few entities know it – Sharing passwords between sites a bad idea! How many passwords do you have for all the Web pages you use?

14 UCS D OSG Summer School 2011 Single sign-on14 Adding an intermediary ● A better approach is to introduce a highly trusted intermediary ● Have been used in real life for ages ● e.g. States as issuers of IDs ● Getting the ID is lengthy, but easy afterwards Hi. Here is my ID Hi. I am Igor Hi. Here is my ID Use this ID

15 UCS D OSG Summer School 2011 Single sign-on15 Technical implementations ● Many technical solutions ● x.509 PKI ● Kerberos ● OpenID ● many more... ● All based on the same basic principle ● Each has strengths and weaknesses ● OSG standardized on x.509 Will not argue if it is the best one.

16 UCS D OSG Summer School 2011 Single sign-on16 x.509 PKI ● Based on public key cryptography ● A user has a (public,private) key pair – one encrypts, the other decrypts – similarly, one signs, the other verifies ● The highly trusted entity is called a Certification Authority (CA) ● The user is given a certificate ● Cert. has user name in it ● Cert. also contains the (pub,priv) key pair ● Cert. is signed by the CA private key You should have gotten one yesterday from DOEGrids

17 UCS D OSG Summer School 2011 Single sign-on17 x.509 authentication ● Sites have CA public key pre-installed ● User authenticates by signing a site provided string and providing the public part of the cert Hi, here is my pub cert Please sign $%@*& Here it is XYZ^@FR Igor's Cert Hi, Igor CA pub

18 UCS D OSG Summer School 2011 Single sign-on18 x.509 as single sign-on ● Use the same cert for all the sites Hi. Hi. I am Igor Hi. Use this cert

19 UCS D OSG Summer School 2011 Single sign-on19 Scheduler CE Job Hi... ehm... I am Igor Impersonation ● Sometimes your jobs need to impersonate you ● For example to access an FTP server FTP More on storag e tomorr ow How will this work?

20 UCS D OSG Summer School 2011 Single sign-on20 Impersonation problem ● The problem is that the job does not have your private key ● And it should not, if it is to remain “private” (remember, secrets only stay secret if few entities know about it) ● So it cannot impersonate you ● We have similar problems in real life, too ● e.g. attorney representing you in court ● Nobody will buy it that he is you, yet he can speak on your behalf

21 UCS D OSG Summer School 2011 Single sign-on21 Scheduler CE Job FTP Proxy delegation ● The job is indeed not you ● Create a certificate for the job ● And send it in the job sandbox Proxy ~= Job cert

22 UCS D OSG Summer School 2011 Single sign-on22 Proxy risks ● You are sending private keys with the job ● You risk that they be stolen ● To mitigate this risk, the proxy lifetime should be very limited ● Say, a few hours ● But long enough to do the needed work Risk mitigation can be annoying! More on security Thursday

23 UCS D OSG Summer School 2011 Single sign-on23 Delegation and overlays ● Not really any different ● Still need priv keys on the remote CPU ● But you may exploit the additional control you have ● e.g. Condor will automatically shorten proxy lifetime and re-delegate as needed

24 UCS D OSG Summer School 2011 Single sign-on24 Are we done yet? Why should any site give you access to their CPUs? (or disks)

25 UCS D OSG Summer School 2011 Single sign-on25 Do I really care? But I will be using an overlay system. All I need is contacting my local sysadmin. YOU AGAIN!!! Someone still needs to send the pilots! Just kidding And don't forget about storage.

26 UCS D OSG Summer School 2011 Single sign-on26 Single sign-on in OSG Tiered authorization or Introduction to Virtual Organizations

27 UCS D OSG Summer School 2011 Single sign-on27 Authentication vs. Authorization ● Just because you can authenticate yourself, it does not mean you are authorized, too ● e.g. your drivers license tells who you are, but does not allow you to enter a nuclear plant ● x.509 PKI only covers authentication ● Tells the site who you are

28 UCS D OSG Summer School 2011 Single sign-on28 Authorization in OSG ● Each site in OSG decides autonomously which users to authorize ● Nobody in OSG can force a site to let a user in (but we can ask) ● The problem, again, is scale ● Over 10,000 users! If each site had to worry about every single user, very few users would be authorized!

29 UCS D OSG Summer School 2011 Single sign-on29 Adding roles ● Sites want to operate on higher level concepts ● Some kind of attribute ● Like in real life ● Think about passport vs driver's license ● Both tell a cop who you are (and to 1 st approx. are issued by the same entity) ● But the driver's license tells him you are allowed to use a car, too – “Class:C”

30 UCS D OSG Summer School 2011 Single sign-on30 Attribute authority ● Like before, we need someone trustworthy to issue attributes ● Sites cannot just trust whatever the user says! ● In the case of driver's license it was the DMV ● In OSG, the attribute authority is called the Virtual Organization (VO) ● And the service issuing the attributes VOMS ● Based on issuing augmented x.509 proxies

31 UCS D OSG Summer School 2011 Single sign-on31 VO and VOMS ● VO decides who is worthy of an attribute ● Site decides based on that attribute Hi. Hi. I work in CMS Hi. Use this proxy VOMS Register I need a CMS proxy Hi, CMS user

32 UCS D OSG Summer School 2011 Single sign-on32 OSG VOs in numbers ● O(10) VOs ● Typically one per scientific domain e.g. CMS, ATLAS, SBGrid, LIGO, … ● But we have regional VOs as well e.g. Holland Computing Center (HCC), Fermigrid ● OSG operates an “Engage VO” for new users until there is an appropriate VO for them ● Sites typically support a set of VOs ● And all the users inside those VOs (although they don't need to)

33 UCS D OSG Summer School 2011 Single sign-on33 Are we done yet? Yes. At least for now. More details Thursday

34 UCS D OSG Summer School 2011 Single sign-on34 Copyright statement ● This presentation contains images copyrighted by ToonClipart.com ● These images have been licensed to Igor Sfiligoi for use in his presentations ● Any other use of them is prohibited

Download ppt "UCS D OSG Summer School 2011 Single sign-on1 2011 OSG Summer School Single sign-on in Open Science Grid by Igor Sfiligoi University of California San Diego."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.

Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Key Project Drivers - FY11 Ruth Pordes, June 15th 2010.

Key Project Drivers - FY11 Ruth Pordes, June 15th 2010.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.

INFSO-RI Enabling Grids for E-sciencE Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.
Netprog: Kerberos1 KERBEROS. Contents: Introduction History Components Authentication Process Strengths Weaknesses and Solutions Applications References.

Netprog: Kerberos1 KERBEROS. Contents: Introduction History Components Authentication Process Strengths Weaknesses and Solutions Applications References.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.

Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.
Protocols for public-key management. Key management –two problems Distribution of public keys (for public- key cryptography) Distribution of secret keys.

Protocols for public-key management. Key management –two problems Distribution of public keys (for public- key cryptography) Distribution of secret keys.

Similar presentations

Ads by Google