GRID Workshop – Toulouse IAS – October 20th, Ground segment & products Department
Globus TK4 experiment for image data processing: security architecture, CNES feedback
Anne Jean-Antoine Piccolo
Introduction
A grid architecture is a distributed architecture. From a logical view, four sub-systems compose a grid:
- administration (software and hardware allocation & administration, VO management)
- job management (user request analysis, resource allocation & status monitoring, workflow execution)
- job processing (storage and processing facilities, file handlers, data transfer tools)
- security (user access control, data flow security, event monitoring).
Here we focus on the security subsystem.
Specific security requirements were derived from the CNES high-level security requirements applicable to a CNES-designed system built on a distributed architecture that allows users from different organizations:
- to work according to a collaborative schema
- to share resources.
Grid overall architecture (target)
Security studies: methodology
CNES led security studies on the target architecture above, following the classical methodology:
1. Consequence assessment: comparison between the security criteria (availability, integrity, confidentiality, imputability/accountability) and the sensitivity levels (no impact, minor, major, critical, vital) for user data, grid management data and security data.
2. Threat analysis.
3. Risk analysis and a first definition of security objectives in terms of network security, data and software integrity, processing control & monitoring, I&A (identification & authentication), authorization, data flow, data protection, and so on.
4. Are the risks covered by the security objectives?
5. Security architecture: a first proposal => functional security requirements (ISO/IEC 15408).
6. List of residual (uncovered) risks.
Global security needs to be met
Needs issued from the "Virtual Organization":
- protection of their resources (user data and software),
- availability of the grid infrastructure hosting their resources (for user request processing).
Needs issued from the providers of grid resources:
- grid resources under full control of the local administrators,
- security of the resources that are not provided to grids => these resources need to be isolated from the grid ones.
Identification of grid context (1/2)
Grid use cases:
- user requests for accessing computing software implemented on CNES machines, either with resources (software or data) known before request processing, or with resources that have to be dynamically allocated step by step;
- user requests for accessing VO resources (software, data) and CNES resources (servers), resulting in backward data transfers (e.g. computing results): a command flow in input and a data flow in output;
- user requests for accessing resources (software, data) located outside CNES.
Resulting security concerns:
- authentication of user requests and of jobs running on behalf of the user,
- integrity of software and data implemented on CNES resources,
- control of dynamically accessed resources,
- data in/out transfers,
- isolation of CNES resources from the VOs, except for resources formally designated as accessible to users.
Identification of grid context (2/2)
Resource classification:
- systems supporting tools and services devoted to grid utilization
- systems devoted to grid management: authentication, authorization, allocation, information
- user workstations located outside CNES
- network protocols for:
  - calling remote requests
  - cascading authentication (SSL/TLS with delegation)
  - routing and localization of services or nodes (OSPF, DNS)
  - transferring files (e.g. ftp, gridftp)
  - transferring data (e.g. http/SOAP)
  - accessing security data (e.g. LDAP)
  - information notification
  - communications between grid management services (depends on the grid middleware)
Architecture overview: CS recommendations
Chistera over Globus GT4: experiment configuration (diagram labels: CNES local network, IPCOP)
Objective: to experiment with Globus through a firewall and test the feasibility of the security architecture (simulating an external grid).
Summary of traffic characteristics for Globus GT4
- If Globus is behind a firewall, some ports need to be opened: 2119 (gatekeeper), 2811 (GridFTP) and 2135 (GIS).
- Globus also needs a range of ports opened for GASS (Global Access to Secondary Storage). To inform Globus of the port range, set the GLOBUS_TCP_PORT_RANGE variable in the "xinetd" files and in the user start-up scripts.
- The size of the port range depends on how many services are expected; generally a range of a couple of thousand ports should be necessary.
Summary of traffic characteristics for Globus GT4 (table)
(*) CEP: controllable ephemeral port
(*) TCP: Transmission Control Protocol
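The port policy of the two slides above, as an added example written for this page (it is not code from the CNES/CS experiment nor from the Globus toolkit): a POSIX shell script that validates a GLOBUS_TCP_PORT_RANGE value (Globus expects the form "min,max") against the rules stated in the slides, then prints the firewall rules a site would need for the three fixed GT4 service ports plus the controllable ephemeral port (CEP) range, restricted to one known grid peer. The peer address 192.0.2.10 and the range 40000,41999 are constructed placeholders; the rules use generic iptables syntax and are printed, not applied, so the output can be reviewed before it reaches a firewall such as the IPCOP box in the experiment.

```shell
#!/bin/sh
# Added example for this page: check a Globus port range and emit firewall rules.
# Service ports are the ones given on the slide; everything else is a placeholder.

GT4_GATEKEEPER_PORT=2119   # GRAM gatekeeper
GT4_GRIDFTP_PORT=2811      # GridFTP control channel
GT4_GIS_PORT=2135          # Grid Information Service

# check_port_range "MIN,MAX" [MINSIZE]
# Succeeds only if the value is two integers separated by a comma, both outside
# the privileged range, MIN < MAX, and the range holds at least MINSIZE ports
# (default 2000: the slide's "couple of thousand" for GASS/GridFTP data channels).
check_port_range() {
    range="$1"; min_size="${2:-2000}"
    case "$range" in
        *,*) ;;
        *) return 1 ;;
    esac
    lo="${range%%,*}"
    hi="${range#*,}"
    case "$lo" in ""|*[!0-9]*) return 1 ;; esac
    case "$hi" in ""|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1024 ] && [ "$hi" -le 65535 ] && [ "$lo" -lt "$hi" ] || return 1
    [ $((hi - lo + 1)) -ge "$min_size" ] || return 1
    return 0
}

# gt4_firewall_rules PEER_CIDR "MIN,MAX"
# Prints one iptables rule per line: the fixed service ports and the CEP range
# are accepted from the grid peer only; the CEP range is explicitly dropped for
# any other source (assumes the chain's default policy is already deny).
gt4_firewall_rules() {
    peer="$1"; range="$2"
    check_port_range "$range" || { echo "bad GLOBUS_TCP_PORT_RANGE: $range" >&2; return 1; }
    lo="${range%%,*}"; hi="${range#*,}"
    for p in $GT4_GATEKEEPER_PORT $GT4_GRIDFTP_PORT $GT4_GIS_PORT; do
        echo "iptables -A INPUT -p tcp -s $peer --dport $p -m state --state NEW -j ACCEPT"
    done
    # Data channels that GASS/GridFTP open at run time land in the CEP range.
    echo "iptables -A INPUT -p tcp -s $peer --dport $lo:$hi -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $lo:$hi -j DROP"
}

# gt4_env_snippet "MIN,MAX"
# Prints the lines to put in user start-up scripts so Globus allocates its
# listening ports inside the same range the firewall admits; for xinetd the
# equivalent is an "env = GLOBUS_TCP_PORT_RANGE=MIN,MAX" entry in the service file.
gt4_env_snippet() {
    check_port_range "$1" || return 1
    echo "GLOBUS_TCP_PORT_RANGE=$1"
    echo "export GLOBUS_TCP_PORT_RANGE"
}

# Demo run with constructed values: ./gt4_ports.sh --demo
if [ "${1:-}" = "--demo" ]; then
    gt4_firewall_rules 192.0.2.10 "40000,41999"
    gt4_env_snippet "40000,41999"
fi
```

Keeping the firewall range and the GLOBUS_TCP_PORT_RANGE value in one script is the point: the two must agree, and a range that is opened on the firewall but never exported to Globus (or the reverse) is the usual cause of hanging GridFTP transfers behind a firewall. The check also refuses ranges that overlap the privileged ports or that are too small for the expected number of concurrent data connections.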
A Chistera processing demonstration
CHISTERA processing (figure labels: synoptic of high-resolution processing, high-resolution product, intermediate product)
- Integrated into the Spot 5 user ground segment
Chistera monitoring using GRAM commands
Master: image splitting; data sending and command monitoring; image gathering and assembly.
Slaves (each): data reception; command monitoring; CHISTERA treatment; results sending.
Data transfer: globus-url-copy. Control transfer: globus-job-run.
Chistera monitoring using GRAM commands (deployment view)
Master: GT4 client.
Slaves (each): GRAM server, GridFTP server.
Data transfer: globus-url-copy. Remote processing: globus-job-run.
Chistera monitoring using GRAM commands
Open ports: CEP (CNES internal network).
Chistera monitoring using web services (WSRF)
Master: image splitting; creation of job descriptions (XML); XML file sending; assembly.
Slaves/containers (each): XML file reception; container processing.
XML job submission: globusrun-ws.
Chistera monitoring using web services (WSRF) (deployment view)
Master: GridFTP server, GT4 client.
Slaves/containers: GT4 web service container.
XML job submission: globusrun-ws.
Chistera monitoring using web services (WSRF)
Open ports: 2811/tcp and CEP (CNES internal network).
Firewall consequences on transfer time: first results

Image            Processing   Transfer with firewall   Transfer without firewall   Ratio
364 x 364        280 s        50 s                     17 s                        2.9
12000 x 12000    1950 s       2446 s                   110 s                       22.2

- Globus feasibility through cascading firewalls proved.
- Not very compliant with performance requirements (explain why?) => a user recommendation can be to define a complete workflow avoiding several requests from outside.
CPU load (chart labels: splitting phase, treatment, assembly, Imalise1, Imalise2, Solex)
CNES feedback
- Some technical results reached, and a strong involvement of the CS company in the R&D project.
- A promising technology for a future distributed ground segment, if we adjust the architecture design and the project needs.
- A good collaboration between the CS company and the CNES security experts.
- Grid technology trends need expertise in different fields: security, middleware, architecture design, ... (not always available in our organization!).
- A weak involvement from the CNES directors yet => strong support is needed if we want GRID to succeed and be used in our future projects.