Globus Grid Tutorial Part 1: Security and Remote Process Creation


Goals of this Tutorial

  • Learn how to start a process on a remote resource

  • Examples of applications that use this operation

    • Desktop supercomputing applications (e.g., ECCE’, Cactus, WebFlow)

    • Network enabled servers (e.g., NEOS, NetSolve)


Desktop Supercomputing

  • Seamlessly, from the desktop

    • Sign-on once

    • Locate available computers

    • Start computation on an appropriate system

    • Monitor progress

    • Get [subsampled] output files

    • Manipulate locally

  • E.g., astrophysics, chemistry, environmental models

  • Also WebFlow, LSA, others


WebFlow Grid Interface

  • Dataflow computing interface to grid computing

    • Fox, Haupt: Syracuse

  • Globus services for

    • Authentication

    • Process creation and management

  • Applications include nanomaterials


Network-Enabled Servers

  • Seamless access of remote resources

  • Examples: NEOS, NetSolve, Nimrod

  • Issues

    • Scheduling for real-time & high-throughput

    • Code management & security

    • Algorithm design

  [Figure: an Application sends a request such as “Solver X, problem Y, cost 100, time 20 secs” to a Resource broker, which combines expertise and code to dispatch the problem to a Backend]


Problems

  • Security

    • How do we authenticate ourselves at the remote site?

  • Resource specification

    • How do we locate and request a resource?

  • Staging of code and data

    • How do we stage a user’s executables and data to the remote resource?

  • Computation

    • How do we start & manage computation?


The Globus Advantage

  • Single sign-on for all resources

    • No need to keep track of accounts and passwords at multiple sites

    • No plaintext passwords

  • Uniform interface to various local scheduling mechanisms

    • LSF, NQE, LoadLeveler, fork, etc.

    • No need to learn and remember obscure command sequences at different sites

  • Support for staging, etc.: see later


Authentication Model

  • Authentication is done on a “user” basis

    • Single authentication step allows access to all grid resources

  • No communication of plaintext passwords

  • Most sites will use conventional account mechanisms

    • You must have an account on a resource to use that resource

  • Sites may use “generic” Grid accounts

    • Not common, but Globus can deal with it


Grid Security Infrastructure

  • Based on public key technology

    • Standard X.509 certificate, same as certificates used for the Web

  • Each user has:

    • a Grid user id (called a Subject Name)

    • a private key (like a password)

    • a certificate signed by a Certificate Authority (CA)

  • A “gridmap” file at each site specifies the grid-id to local-id mapping


Certificate Based Authentication

  • User has a certificate, signed by a trusted “certificate authority” (CA)

    • Certificate contains the user's name and public key

    • Globus project operates a CA

  • User’s private key is used to encode a challenge string

  • Public key is used to decode the challenge

    • If you can decode it, you know the user

  • Treat your private key carefully!!

    • Private key is stored in encrypted form


User Proxies

  • Minimize exposure of user’s private key

  • A temporary credential for use by our computations

    • We call this a user proxy certificate

    • Allows process to act on behalf of user

    • User-signed user proxy certificate stored in local file

  • Proxy’s private key is not encrypted

    • Rely on file system security, proxy certificate file must be readable only by the owner


Delegation

  • Remote creation of a user proxy

  • Allows remote process to act on behalf of the user

  • Avoids sending passwords or private keys across the network
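The certificate-based authentication, user-proxy and delegation model of the last three slides, as an added example that is not part of the tutorial or of the Globus software: a toy textbook RSA with tiny primes (insecure, a stand-in only) shows a CA-signed user certificate certifying a short-lived, user-signed proxy, a verifier walking that chain against its trusted CAs and validity windows, and the returned proxy key checking a signed challenge. The /CN=proxy naming follows the legacy GSI convention, and the CA name, user DN, lifetimes and dict-based certificate layout are constructed for the example.

```python
import hashlib

# Toy textbook RSA with tiny primes so every step is visible; NOT secure, only a stand-in.
PRIMES = [(61, 53), (67, 71), (73, 79)]
def keygen(p, q, e=17):                       # -> ((n, e), (n, d)) = (public, private)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))
def _h(data, n):                              # digest reduced into the toy modulus
    return int(hashlib.sha256(data).hexdigest(), 16) % n
def sign(priv, data):                         # "private key is used to encode a challenge"
    return pow(_h(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):                   # "public key is used to decode the challenge"
    return pow(sig, pub[1], pub[0]) == _h(data, pub[0])
def tbs(cert):                                # to-be-signed bytes: every field except "sig"
    return repr(sorted((k, v) for k, v in cert.items() if k != "sig")).encode()

def issue(issuer_name, issuer_priv, subject, pub, nb, na):
    cert = {"subject": subject, "issuer": issuer_name, "pub": pub, "nb": nb, "na": na}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert

def make_proxy(user_cert, user_priv, hours, now):   # grid-proxy-init in miniature
    pub, priv = keygen(*PRIMES[2])                   # fresh key pair just for the proxy
    na = min(now + hours * 3600, user_cert["na"])    # a proxy never outlives the user cert
    subject = user_cert["subject"] + "/CN=proxy"     # legacy GSI proxy naming (assumed)
    return issue(user_cert["subject"], user_priv, subject, pub, now, na), priv

def verify_chain(chain, trusted_cas, now):
    """chain = [proxy, user]; returns the proxy's public key if valid, else None."""
    for i, cert in enumerate(chain):
        if not cert["nb"] <= now <= cert["na"]:
            return None                              # expired / not yet valid: why NTP matters
        if i + 1 < len(chain):                       # proxy: issued and signed by the user cert
            issuer = chain[i + 1]
            if cert["issuer"] != issuer["subject"] or not cert["subject"].startswith(issuer["subject"]):
                return None
            signer_pub = issuer["pub"]
        else:                                        # user cert: must be signed by a trusted CA
            signer_pub = trusted_cas.get(cert["issuer"])
        if signer_pub is None or not verify(signer_pub, tbs(cert), cert["sig"]):
            return None
    return chain[0]["pub"]

def build_demo(now):   # constructed sample PKI: Globus CA -> one-year user cert -> 12-hour proxy
    ca = "/C=US/O=Globus/CN=Globus Certification Authority"
    ca_pub, ca_priv = keygen(*PRIMES[0])
    user_pub, user_priv = keygen(*PRIMES[1])
    user = issue(ca, ca_priv, "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster", user_pub, now - 86400, now + 365 * 86400)
    proxy, proxy_priv = make_proxy(user, user_priv, 12, now)
    return [proxy, user], proxy_priv, {ca: ca_pub}
```

The key verify_chain returns is what a gatekeeper then uses to check the challenge: verify(pub, challenge, sign(proxy_priv, challenge)).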


Single sign-on via “grid-id”

  [Figure: the User obtains a User Proxy (assignment of credentials to “user proxies”); the proxy performs mutual user-resource authentication with Site 1 and Site 2 through GSI and GRAM, grid-ids are mapped to local ids, and the resulting Processes use authenticated interprocess communication. The Globus Credential is layered over multiple low-level GSSAPI mechanisms: Kerberos (Ticket) and Public Key (Certificate).]

Installing Globus

  • Before you can use Globus, you need to install the Globus client-side software

    • Installation and administration of server-side software is discussed later

  • Ftp the Globus software from:

    • ftp://ftp.globus.org/pub/globus

  • Follow the installation instructions at:

    • http://www.globus.org/software


Globus Authentication Setup

  • Before you can run Globus applications:

    • Obtain a Grid certificate and key

    • Set up your environment so Globus knows where to find certificates and keys

    • Contact sites to set up local accounts and gridmap entries

    • Create proxy certificate for each application run

  • Documentation

    • http://www.globus.org/security


Obtaining a Certificate

  • The program grid-cert-request is used to create a public/private key pair and an unsigned certificate in ~/.globus/:

    • usercert_request.pem: Unsigned certificate file

    • userkey.pem: Encrypted private key file

      • Must be readable only by the owner

  • Mail usercert_request.pem to [email protected]

  • Receive a Globus-signed certificate

    • Place it in ~/.globus/usercert.pem

  • NCSA & NASA will use different approaches


Your New Certificate

  • NTP is highly recommended

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 28 (0x1c)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, O=Globus, CN=Globus Certification Authority
            Validity
                Not Before: Apr 22 19:21:50 1998 GMT
                Not After : Apr 22 19:21:50 1999 GMT
            Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                        <snip>
                        b4:e1:54:e7:87:57:b7:d0:61
                    Exponent: 65537 (0x10001)
        Signature Algorithm: md5WithRSAEncryption
            59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
            <snip>
            8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17:


Certificate and Key Data

  Sample usercert.pem:

    -----BEGIN CERTIFICATE-----
    MIICAzCCAWygAwIBAgIBCDANBgkqhkiG9w0BAQQFADBHMQswCQY <snip>
    u5tX5R1m7LrBeI3dFMviJudlihloXfJ2BduIg7XOKk5g3JmgauK4
    -----END CERTIFICATE-----

  Sample userkey.pem:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,1E924694DBA7D9D1
    +W4FEPdn/oYntAJPw2tfmrGZ82FH611o1gtvjSKH79wdFxzKhnz474Ijo5Bl
    <snip>
    et5QnJ6hAO4Bhya1XkWyKHTPs/2tIflKn0BNIIIYM+s=
    -----END RSA PRIVATE KEY-----


“Logging” onto the Grid

  • To run programs, authenticate to Globus:

    % grid-proxy-init

    Enter PEM pass phrase: ******

  • Creates a temporary, short-lived credential for use by our computations

    • Private key is not exposed past grid-proxy-init

  • Options for grid-proxy-init:

    -hours <lifetime of credential>

    -bits <length of key>

    -help


Grid Sign-On With grid-proxy-init

  [Figure: the User certificate file and the encrypted Private Key, unlocked with the Pass Phrase, are used to produce the User Proxy certificate file]

Proxy Information

  • To get proxy information run grid-proxy-info

    % grid-proxy-info -subject

    /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster

  • Options for printing proxy information:

    -subject

    -issuer

    -type

    -timeleft

    -strength

    -help

  • Options for scripting proxy queries:

    -exists -hours <lifetime of credential>

    -exists -bits <length of key>

    • Returns 0 status for true, 1 for false


Sample Gridmap File

  • Gridmap file maintained by Globus administrator

  • Entry maps Grid-id into local user name(s)

    # Distinguished name                                Local username
    "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"     rpg
    "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"   frost
    "/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"     u14543
    "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"         itf

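The gridmap format above, as an added example that is not part of the slides or of the Globus software: a parser for the file (quoted DN, whitespace, local username) that rejects malformed, duplicate and badly quoted lines, plus the gatekeeper-side lookup that maps a presented proxy subject back to its grid-id. The sample file, the comma-separated multi-user form and the /CN=proxy naming are assumptions of the example.

```python
import re
import shlex

# Constructed sample in the slide's layout: a double-quoted DN, whitespace, then the
# local username(s); a comma-separated list of local names is assumed to be allowed.
SAMPLE_GRIDMAP = """\
# Distinguished name                               Local username
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"     rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"   frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"     u14543,kesselma
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"         itf
"""
LOCAL_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")

def parse_gridmap(text):
    """Return {grid-id: [local users]}; any malformed or duplicate line raises ValueError."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)            # keeps the quoted DN (with spaces) whole
        except ValueError as exc:                 # e.g. an unbalanced or curly quote
            raise ValueError(f"line {lineno}: {exc}") from None
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f'line {lineno}: expected "<DN>" <local>[,<local>...]')
        dn, users = fields[0], fields[1].split(",")
        if dn in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for {dn}")
        if not all(LOCAL_NAME.fullmatch(u) for u in users):
            raise ValueError(f"line {lineno}: bad local username in {users}")
        mapping[dn] = users
    return mapping

def map_to_local(mapping, subject):
    """Gatekeeper-side lookup: the caller presents a proxy, so strip the /CN=proxy
    components (legacy GSI naming, assumed here) to recover the user's grid-id."""
    while subject.endswith("/CN=proxy"):
        subject = subject[: -len("/CN=proxy")]
    return mapping.get(subject, [])
```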

Remote Startup Mechanism

  1. Exchange certificates, authenticate, delegate

  2. Check gridmap file

  3. Lookup service

  4. Run service program (e.g. jobmanager)

  [Figure: the client, holding its key and cert, contacts the gatekeeper, which holds its own key and cert, the gridmap file and a services map; the four numbered steps end with the gatekeeper starting the jobmanager]


Simple job submission

  • globus-job-run provides a simple RSH compatible interface

    % grid-proxy-init

    Enter PEM pass phrase: *****

    % globus-job-run host program [args]


globus-job-run: Beneath the covers

  1. Lookup Contact String

  2. Build RSL string

  3. Startup GASS server

  4. Submit request

  [Figure: globus-job-run resolves the Host name to a Contact string via MDS (1), builds the RSL string (2), starts a GASS server (3) and submits the request to the gatekeeper (4), which starts the jobmanager; the jobmanager runs the program, whose stdout flows back through the GASS server]


Exercise 1: Sign-On & Remote Process Creation

  • Use grid-proxy-init to create a proxy certificate:

    % grid-proxy-init

    Enter PEM pass phrase:

    ......................................+++++

    .....+++++

  • Use grid-proxy-info to query the proxy:

    % grid-proxy-info -subject

  • Use globus-job-run to start remote programs:

    % globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp


Globus Components Being Used

  • GRAM: Globus Resource Allocation Manager

    • Create process on remote resource, deal with local resource managers

  • MDS: Metacomputing Directory Service

    • Map machine name into GRAM contact string

  • GSI: Grid Security Infrastructure

    • Authenticate to remote system

  • GASS: Global Access to Secondary Storage

    • Redirect standard output


Globus Components in Action

  [Figure: globus-job-run speaks GRAM to the gatekeeper on each of three resources; each gatekeeper starts a jobmanager that hands the job to the local scheduler (LSF, LoadLeveler or fork), which creates the processes P1 and P2]


Summary

  • Grid security provides single sign-on capability

  • globus-job-run can be used to create a remote process

    • Differences between local schedulers are managed by Globus

    • Strong authentication provided

  • Remote process creation can be added to applications by using Globus services


Changes from 1.0 to 1.1

  • Tools are renamed

    • globus-proxy-{init,destroy} is now grid-proxy-{init,destroy}

    • globus-{cert,certreq} is now grid-cert-{info,request}

  • Tools are added

    • grid-proxy-info

    • grid-cert-renew

    • grid-mapfile-{add,delete}-entry

