Globus Grid Tutorial Part 1: Security and Remote Process Creation

Presentation Transcript
Goals of this Tutorial
  • Learn how to start a process on a remote resource
  • Examples of applications that use this operation
    • Desktop supercomputing applications (e.g., ECCE’, Cactus, WebFlow)
    • Network enabled servers (e.g., NEOS, NetSolve)
Desktop Supercomputing
  • Seamlessly, from the desktop
    • Sign-on once
    • Locate available computers
    • Start computation on an appropriate system
    • Monitor progress
    • Get [subsampled] output files
    • Manipulate locally
  • E.g., astrophysics, chemistry, environmental models
  • Also WebFlow, LSA, others
WebFlow Grid Interface
  • Dataflow computing interface to grid computing
    • Fox, Haupt: Syracuse
  • Globus services for
    • Authentication
    • Process creation and management
  • Applications include nanomaterials
Network-Enabled Servers
  • Seamless access of remote resources
  • Examples: NEOS, NetSolve, Nimrod
  • Issues
    • Scheduling for real-time & high-throughput
    • Code management & security
    • Algorithm design
[Figure: an application sends a request such as “Solver X, problem Y, cost 100, time 20 secs” to a resource broker, which selects a backend; the backend contributes expertise and code]
Problems
  • Security
    • How do we authenticate ourselves at the remote site?
  • Resource specification
    • How do we locate and request a resource?
  • Staging of code and data
    • How do we stage a user’s executables and data to the remote resource?
  • Computation
    • How do we start & manage computation?
The Globus Advantage
  • Single sign-on for all resources
    • No need to keep track of accounts and passwords at multiple sites
    • No plaintext passwords
  • Uniform interface to various local scheduling mechanisms
    • LSF, NQE, LoadLeveler, fork, etc.
    • No need to learn and remember obscure command sequences at different sites
  • Support for staging, etc., also: see later
Authentication Model
  • Authentication is done on a “user” basis
    • Single authentication step allows access to all grid resources
  • No communication of plaintext passwords
  • Most sites will use conventional account mechanisms
    • You must have an account on a resource to use that resource
  • Sites may use “generic” Grid accounts
    • Not common, but Globus can deal with it
Grid Security Infrastructure
  • Based on public key technology
    • Standard X.509 certificate, same as certificates used for the Web
  • Each user has:
    • a Grid user id (called a Subject Name)
    • a private key (like a password)
    • a certificate signed by a Certificate Authority (CA)
  • A “gridmap” file at each site specifies the grid-id to local-id mapping
Certificate Based Authentication
  • User has a certificate, signed by a trusted “certificate authority” (CA)
    • Certificate contains the user’s name and public key
    • Globus project operates a CA
  • User’s private key is used to encode a challenge string
  • Public key is used to decode the challenge
    • If you can decode it, you know the user
  • Treat your private key carefully!!
    • Private key is stored in encrypted form
User Proxies
  • Minimize exposure of user’s private key
  • A temporary credential for use by our computations
    • We call this a user proxy certificate
    • Allows process to act on behalf of user
    • User-signed user proxy certificate stored in local file
  • Proxy’s private key is not encrypted
    • Rely on file system security, proxy certificate file must be readable only by the owner
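The owner-only rule above is the whole protection for the unencrypted proxy key, so here is the check a wrapper script can run before submitting jobs, as an added Python example that is not part of the tutorial or of the Globus toolkit. It refuses files that are symbolic links, not regular files, owned by another user, or carrying any group/other permission bits; the file path and contents are constructed placeholders (grid-proxy-init writes the real proxy to /tmp/x509up_u<uid> by default).

```python
import os
import stat
import tempfile


def proxy_file_problems(path):
    """Return the reasons `path` is unsafe as a proxy file (empty list = OK).

    The proxy's private key is not encrypted, so the file system is the only
    protection: the file must be a regular file owned by the current user
    with no group or other permission bits at all.
    """
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["proxy file does not exist: %s" % path]
    if stat.S_ISLNK(st.st_mode):
        problems.append("proxy file is a symbolic link")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("proxy file is not a regular file")
    if st.st_uid != os.getuid():
        problems.append("proxy file is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    return problems


def write_constructed_proxy(mode):
    """Write a placeholder proxy file with the given mode and return its path.

    Constructed test data only: the contents are not a real credential. A
    real proxy is written by grid-proxy-init to /tmp/x509up_u<uid> by default.
    """
    fd, path = tempfile.mkstemp(prefix="x509up_u")
    with os.fdopen(fd, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        path = write_constructed_proxy(mode)
        print("%o -> %s" % (mode, proxy_file_problems(path) or "ok"))
        os.remove(path)
```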
Delegation
  • Remote creation of a user proxy
  • Allows remote process to act on behalf of the user
  • Avoids sending passwords or private keys across the network
Single Sign-On via “grid-id”
[Figure: the user holds a Globus credential (certificate); credentials are assigned to “user proxies”; at Site 1 and Site 2, GRAM and GSI perform mutual user-resource authentication, map the grid-id to local ids, and start processes; interprocess communication is authenticated; GSSAPI supports multiple low-level mechanisms (public key certificate, Kerberos ticket)]
Installing Globus
  • Before you can use Globus, you need to install the Globus client-side software
    • Installation and administration of server-side software is discussed later
  • Ftp the Globus software from:
    • ftp://ftp.globus.org/pub/globus
  • Follow the installation instructions at:
    • http://www.globus.org/software
Globus Authentication Setup
  • Before you can run Globus applications:
    • Obtain a Grid certificate and key
    • Set up your environment so Globus knows where to find certificates and keys
    • Contact sites to set up local accounts and gridmap entries
    • Create proxy certificate for each application run
  • Documentation
    • http://www.globus.org/security
Obtaining a Certificate
  • The program grid-cert-request is used to create a public/private key pair and an unsigned certificate in ~/.globus/:
    • usercert_request.pem: Unsigned certificate file
    • userkey.pem: Encrypted private key file
      • Must be readable only by the owner
  • Mail usercert_request.pem to [email protected]
  • Receive a Globus-signed certificate
    • Place in ~/.globus/usercert.pem
  • NCSA & NASA will use different approaches
Your New Certificate
  • NTP is highly recommended (certificate validity times are checked against the local clock)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 28 (0x1c)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Globus, CN=Globus Certification Authority
        Validity
            Not Before: Apr 22 19:21:50 1998 GMT
            Not After : Apr 22 19:21:50 1999 GMT
        Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                    b4:e1:54:e7:87:57:b7:d0:61
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
        8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17:
Certificate and Key Data

Sample usercert.pem:
-----BEGIN CERTIFICATE-----
MIICAzCCAWygAwIBAgIBCDANBgkqhkiG9w0BAQQFADBHMQswCQY
u5tX5R1m7LrBeI3dFMviJudlihloXfJ2BduIg7XOKk5g3JmgauK4
-----END CERTIFICATE-----

Sample userkey.pem:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1E924694DBA7D9D1
+W4FEPdn/oYntAJPw2tfmrGZ82FH611o1gtvjSKH79wdFxzKhnz474Ijo5Bl
et5QnJ6hAO4Bhya1XkWyKHTPs/2tIflKn0BNIIIYM+s=
-----END RSA PRIVATE KEY-----
“Logging” onto the Grid
  • To run programs, authenticate to Globus:
    % grid-proxy-init
    Enter PEM pass phrase: ******
  • Creates a temporary, short-lived credential for use by our computations
    • Private key is not exposed past grid-proxy-init
  • Options for grid-proxy-init: -hours, -bits, -help

Grid Sign-On With grid-proxy-init
[Figure: grid-proxy-init reads the user certificate file and the encrypted private key, unlocks the key with the pass phrase, and writes a user proxy certificate file]
Proxy Information
  • To get proxy information run grid-proxy-info
    % grid-proxy-info -subject
    /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster
  • Options for printing proxy information: -subject, -issuer, -type, -timeleft, -strength, -help
  • Options for scripting proxy queries: -exists, optionally combined with -hours or -bits
    • Returns 0 status for true, 1 for false
Sample Gridmap File
  • Gridmap file maintained by Globus administrator
  • Entry maps Grid-id into local user name(s)

    # Distinguished name                              Local username
    "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"    rpg
    "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"  frost
    "/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"    u14543
    "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"        itf

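The check a gatekeeper makes against this file before it starts anything, as an added Python example that is not Globus code: it parses the format shown on the slide, embeds the slide’s entries as constructed sample input, and refuses a subject with no entry (authenticated is not the same as authorized at this site). Support for a comma-separated list of local usernames, with the first as the default, is an assumption about the format, not something the slide shows.

```python
import shlex

# Constructed sample gridmap, copied from the slide's entries (not a real site file).
GRIDMAP_SAMPLE = """\
# Distinguished name                              Local username
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"    rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"  frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"    u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"        itf
"""


def parse_gridmap(text):
    """Parse gridmap text into {distinguished name: [local usernames]}.

    An entry is a double-quoted DN followed by a local username; a comma-separated
    list of usernames (first is the default) is an assumed extension of the slide's
    format. Comments and blank lines are skipped; other malformed lines raise.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # keeps the quoted DN with spaces intact
        except ValueError as exc:
            raise ValueError("gridmap line %d: %s" % (lineno, exc))
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError('gridmap line %d: expected "DN" localname' % lineno)
        dn, users = fields
        names = [u for u in users.split(",") if u]
        if not names:
            raise ValueError("gridmap line %d: no local username" % lineno)
        mapping[dn] = names
    return mapping


def map_subject(mapping, subject, requested=None):
    """Return the local account for an authenticated subject, or None to refuse.

    `subject` is the DN exactly as grid-proxy-info -subject prints it. No entry
    (or a requested account the entry does not list) means the user authenticated
    but is not authorized at this site, so the gatekeeper must refuse the request.
    """
    names = mapping.get(subject)
    if not names:
        return None
    if requested is None:
        return names[0]
    return requested if requested in names else None
```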
Remote Startup Mechanism

1. Exchange certificates, authenticate, delegate

2. Check gridmap file

3. Lookup service

4. Run service program (e.g. jobmanager)

[Figure: the client (with its key and cert) contacts the gatekeeper (with its key, cert, gridmap and services list) for steps 1 to 3; in step 4 the gatekeeper runs the jobmanager]
Simple job submission
  • globus-job-run provides a simple RSH compatible interface
    % grid-proxy-init
    Enter PEM pass phrase: *****
    % globus-job-run host program [args]
globus-job-run: Beneath the covers

1. Lookup Contact String

2. Build RSL string

3. Startup GASS server

4. Submit request

[Figure: globus-job-run maps the host name to a contact string via MDS (1), builds the RSL string (2), starts a GASS server to receive stdout (3), and submits the request to the gatekeeper, which starts the jobmanager and the program (4)]
Exercise 1Sign-On & Remote Process Creation
  • Use grid-proxy-init to create a proxy certificate:
    % grid-proxy-init
    Enter PEM pass phrase:
    ......................................+++++
    .....+++++
  • Use grid-proxy-info to query proxy:
    % grid-proxy-info -subject
  • Use globus-job-run to start remote programs:
    % globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp
Globus Components Being Used
  • GRAM: Globus Resource Allocation Manager
    • Create process on remote resource, deal with local resource managers
  • MDS: Metacomputing Directory Service
    • Map machine name into GRAM contact string
  • GSI: Grid Security Infrastructure
    • Authenticate to remote system
  • GASS: Global Access to Secondary Storage
    • Redirect standard output
Globus Components in Action
[Figure: globus-job-run contacts the GRAM gatekeeper on each of three resources; each gatekeeper starts a jobmanager that hands the job to the local scheduler (LSF, LoadLeveler, or fork), which runs processes P1 and P2]
Summary
  • Grid security provides single sign-on capability
  • globus-job-run can be used to create a remote process
    • Differences between local schedulers are handled by Globus
    • Strong authentication provided
  • Remote process creation can be added to applications by using Globus services
Changes from 1.0 to 1.1
  • Tools are renamed
    • globus-proxy-{init,destroy} is now grid-proxy-{init,destroy}
    • globus-{cert,certreq} is now grid-cert-{info,request}
  • Tools are added
    • grid-proxy-info
    • grid-cert-renew
    • grid-mapfile-{add,delete}-entry