Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore

Published byElmer Gregory Modified over 8 years ago

Similar presentations

Presentation on theme: "Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore"— Presentation transcript:

1 Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore moore@sdsc.edu http://www.sdsc.edu/srb

2 Abstract National and international collaborations create shared collections that span multiple administrative domains. Shared collection are built using: Data virtualization, the management of collection properties independently of the storage system. Trust virtualization, the ability to assert authenticity and authorization independently of the underlying storage resources. What rights management are implied in trust virtualization? How are data integrity challenges met? How do you implement a “Deep Archive”?

3 State of the Art Technology Grid - workflow virtualization Manage execution of jobs (processes) independently of compute servers Data grid - data virtualization Manage properties of a shared collection independently of storage systems Semantic grid - information virtualization Reason across inferred attributes derived from multiple collections.

4 Shared Collections Purpose of SRB data grid is to enable the creation of a shared collection between two or more institutions Register digital entity into the shared collection Assign owner, access controls Assign descriptive, provenance metadata Manage audit trails, versions, replicas, backups Manage location mapping, containers, checksums Manage verification, synchronization Manage federation with other shared collections Manage interactions with storage systems Manage interactions with APIs

5 Trust Virtualization Collection owns the data that is registered into the data grid Data grid is a set of servers, installed at each storage repository Servers are installed under a SRB ID created for the shared collection All accesses to the data stored under the SRB ID are through the data grid Authentication and authorization are controlled by the data grid, independently of the remote storage system

6 Rights Management Shared collection approach Manage authentication of all users who will have privileges beyond that of public “read” Map users to groups Provide access controls on users and groups Virtual Organization Management approach (VOM) Authenticate users, and provide certificate asserting membership in a group Manage access controls on groups Provide rules for access based on membership in a group

7 Authentication / Authorization Collection owned data At each remote storage system, an account ID is created under which the data grid stores files User authenticates to the data grid Data grid checks access controls Data grid server authenticates to a remote data grid server Remote data grid server authenticates to the remote storage repository SRB servers return the data to the client

8 Authentication Mechanisms Grid Security Infrastructure PKI certificates Challenge-response mechanism No passwords sent over network Ticket Valid for specified time period or number of accesses Generic Security Service API Authentication of server to remote storage

9 Trust Implementation For authentication to work across multiple administrative domains Require collection-managed names for users For authorization to work across multiple administrative domains Require collection-managed names for files Result is that access controls remain invariant. They do not change as data is moved to different storage systems under shared collection control

10 Network Devices Access to data must handle security requirements of network devices Firewalls - typically requires access be initiated from within a firewall Network routers - location of data may change based on load leveling Private virtual network - location of data not known explicitly known Handled by creating network transport protocols to meet requirements of each network device

11 SRB server1 SRB agent SRB server2 Parallel mode Data Transfer – Server Initiated MCAT Sput -m SRB agent 1 2 3 4 5 6 srbObjPut + socket addr, port and cookie 1.Logical-to-Physical mapping 2. Identification of Replicas 3.Access & Audit Control Peer-to-peer Request Connect to client Data transfer R Server behind firewall

12 SRB server1 SRB agent SRB server2 Parallel mode Data Transfer – Client Initiated MCAT Sput -M SRB agent 1 4 2 3 6 7 srbObjPut 1.Logical-to-Physical mapping 2. Identification of Replicas 3.Access & Audit Control Return socket addr., port and cookie Connect to server Data transfer R 5 5 Client behind firewall

13 HIPAA Patient Confidentiality Access controls on data Access controls on metadata Access controls on storage systems Audit trails End-to-end encryption (manage keys) Localization of data to specific storage Access controls do not change when data is moved to another storage system under data grid control

14 Logical Name Spaces Storage Repository Storage location User name File name File context (creation date,…) Access constraints Data Access Methods (C library, Unix, Web Browser) Data access directly between application and storage repository using names required by the local repository

15 Logical Name Spaces Storage Repository Storage location User name File name File context (creation date,…) Access constraints Data Grid Logical resource name space Logical user name space Logical file name space Logical context (metadata) Control/consistency constraints Data Collection Data Access Methods (C library, Unix, Web Browser) Data is organized as a shared collection

16 Logical Resource Names Logical resource name represents multiple physical resources Writing to a logical resource name can result in: Replication - write completes when each physical resource has a copy Load leveling - write completes when the next physical resource in the list has a copy Fault tolerance - write completes when “k” of “n” resources have a copy Single copy - write is done to first disk at same IP address, then disk anywhere, then tape

17 Federation Between Data Grids Data Grid Logical resource name space Logical user name space Logical file name space Logical context (metadata) Control/consistency constraints Data Collection B Data Access Methods (Web Browser, DSpace, OAI-PMH) Data Grid Logical resource name space Logical user name space Logical file name space Logical context (metadata) Control/consistency constraints Data Collection A Access controls and consistency constraints on cross registration of digital entities

18 Authentication across Zones Follow Shibboleth model A user is assigned a “home” zone User identity is Home-zone:Domain:User-ID All authentications are done by the “home” zone

19 User Authentication Z1:D1:U1 Z2 Z1 Connect Challenge/Response Validation of Challenge Response

20 User Authentication Z1:D1:U1 Z2 Z1 Connect Challenge/Response Validation of Challenge Response Z3 Forward

21 Deep Archive Z2Z1 Z3 Z2:D2:U2 Register Z3:D3:U3 Register Pull Pull Firewall Server initiated I/O DeepArchive StagingZone Remote Zone No access by Remote zones PVN

22 NARA Persistent Archive NARAU MdSDSC MCAT Original data at NARA, data replicated to U Md Replicated copy at U Md for improved access, load balancing and disaster recovery Deep archive at SDSC, no user access, data pulled from NARA Demonstrate preservation environment Authenticity Integrity Management of technology evolution Mitigation of risk of data loss Replication of data Federation of catalogs Management of preservation metadata Scalability Types of data collections Size of data collections Federation of Three Independent Data Grids

23 For more Information on Storage Resource Broker Data Grid Reagan W. Moore moore@sdsc.edu http://www.sdsc.edu/srb/

Download ppt "Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore"

Similar presentations

National Partnership for Advanced Computational Infrastructure San Diego Supercomputer Center Data Grids for Collection Federation Reagan W. Moore University.

National Partnership for Advanced Computational Infrastructure San Diego Supercomputer Center Data Grids for Collection Federation Reagan W. Moore University.
Www.ogf.org OGF-23 iRODS Metadata Grid File System Reagan Moore San Diego Supercomputer Center.

OGF-23 iRODS Metadata Grid File System Reagan Moore San Diego Supercomputer Center.
© 2006 Open Grid Forum OGF19 Federated Identity Rule-based data management Wed 11:00 AM Mountain Laurel Thurs 11:00 AM Bellflower.

© 2006 Open Grid Forum OGF19 Federated Identity Rule-based data management Wed 11:00 AM Mountain Laurel Thurs 11:00 AM Bellflower.
Data Grid: Storage Resource Broker Mike Smorul. SRB Overview Developed at San Diego Supercomputing Center. Provides the abstraction mechanisms needed.

Data Grid: Storage Resource Broker Mike Smorul. SRB Overview Developed at San Diego Supercomputing Center. Provides the abstraction mechanisms needed.
NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Particle Physics Data Grid PPDG Data Handling System Reagan.

NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Particle Physics Data Grid PPDG Data Handling System Reagan.
San Diego Supercomputer Center NARA Research Prototype Persistent Archive Building Preservation Environments with Data Grid Technology (NARA Research Prototype.

San Diego Supercomputer Center NARA Research Prototype Persistent Archive Building Preservation Environments with Data Grid Technology (NARA Research Prototype.
San Diego Supercomputer CenterNational Partnership for Advanced Computational Infrastructure1 Grid Based Solutions for Distributed Data Management Reagan.

San Diego Supercomputer CenterNational Partnership for Advanced Computational Infrastructure1 Grid Based Solutions for Distributed Data Management Reagan.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
A Very Brief Introduction to iRODS

A Very Brief Introduction to iRODS
PREMIS in Thought: Data Center for LC Digital Holdings Ardys Kozbial, Arwen Hutt, David Minor February 11, 2008.

PREMIS in Thought: Data Center for LC Digital Holdings Ardys Kozbial, Arwen Hutt, David Minor February 11, 2008.
Security Requirements for Shared Collections Storage Resource Broker Reagan W. Moore

Security Requirements for Shared Collections Storage Resource Broker Reagan W. Moore
Www.gridforum.org GGF-17 Astro Workshop Preservation Environment Working Group Officers: Bruce Barkstrom (NASA Langley) Reagan Moore (SDSC) Goals  Demonstrate.

GGF-17 Astro Workshop Preservation Environment Working Group Officers: Bruce Barkstrom (NASA Langley) Reagan Moore (SDSC) Goals  Demonstrate.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Applying Data Grids to Support Distributed Data Management Storage Resource Broker Reagan W. Moore Ian Fisk Bing Zhu University of California, San Diego.

Applying Data Grids to Support Distributed Data Management Storage Resource Broker Reagan W. Moore Ian Fisk Bing Zhu University of California, San Diego.
Brief Overview of Major Enhancements to PAWN. Producer – Archive Workflow Network (PAWN) Distributed and secure ingestion of digital objects into the.

Brief Overview of Major Enhancements to PAWN. Producer – Archive Workflow Network (PAWN) Distributed and secure ingestion of digital objects into the.
Robust Tools for Archiving and Preserving Digital Data Joseph JaJa, Mike Smorul, and Mike McGann Institute for Advanced Computer Studies Department of.

Robust Tools for Archiving and Preserving Digital Data Joseph JaJa, Mike Smorul, and Mike McGann Institute for Advanced Computer Studies Department of.
OCT1 Principles From Chapter One of “Distributed Systems Concepts and Design”

OCT1 Principles From Chapter One of “Distributed Systems Concepts and Design”
PAWN: A Novel Ingestion Workflow Technology for Digital Preservation

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation
UMIACS PAWN, LPE, and GRASP data grids Mike Smorul.

UMIACS PAWN, LPE, and GRASP data grids Mike Smorul.
PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.

Similar presentations

Ads by Google