Security and Certification Issues in Grid Computing
Ian Foster, Mathematics and Computer Science Division, Argonne National Laboratory, and Department of Computer Science, The University of Chicago
http://www.mcs.anl.gov/~foster
International Workshop on Certification and Security in E-Services (CSES 2002), Montreal, Canada, Aug 28
Partial Acknowledgements
• Grid computing, Globus Project, and OGSA
  • Carl Kesselman @ USC/ISI, Steve Tuecke @ ANL
  • Talented team of scientists and engineers at ANL, USC/ISI, elsewhere (see www.globus.org)
• Open Grid Services Architecture (OGSA)
  • Karl Czajkowski @ USC/ISI; Jeff Nick, Steve Graham, Jeff Frey @ IBM; www.globus.org/ogsa
• Grid security, OGSA Security, CAS
  • Frank Siebenlist, Von Welch, Laura Pearlman
• Support from DOE, NASA, NSF, IBM, Microsoft
Overview
• What is the Grid anyway?
  • And what’s it got to do with e-services?
• Grid security & certification issues
  • Demands of virtual organizations—and Grid approach to addressing these demands
• Implementation approach
  • Globus Toolkit & Grid Security Infrastructure
  • Open Grid Services Architecture (OGSA)
  • OGSA security architecture
• Summary
E-Science: The Original Grid Driver
• Pre-electronic science
  • Theorize and/or experiment, in small teams
• Post-electronic science
  • Construct and mine very large databases
  • Develop computer simulations & analyses
  • Access specialized devices remotely
  • Exchange information within distributed multidisciplinary teams
• Need to manage dynamic, distributed infrastructures, services, and applications
And Thus: The Grid
“Resource sharing & coordinated problem solving in dynamic, multi-institutional virtual organizations”
Grids at NASA: Aviation Safety
[Diagram: coupled simulation models sharing a Grid. Wing models (lift capabilities, drag capabilities, responsiveness); stabilizer models; airframe models (deflection capabilities, responsiveness); engine models (thrust performance, reverse thrust performance, responsiveness, fuel consumption); landing gear models (braking performance, steering capabilities, traction, dampening capabilities); human models / crew capabilities (accuracy, perception, stamina, reaction times, SOPs).]
Life Sciences: Telemicroscopy
[Diagram: imaging instruments feed data acquisition; a network connects them to computational resources for processing and analysis, to large databases, and to advanced visualization.]
Galaxy cluster size distribution
Sloan Digital Sky Survey analysis: what is the size distribution of galaxy clusters?
Chimera Virtual Data System + GriPhyN Virtual Data Toolkit + iVDGL Data Grid (many CPUs)
www.griphyn.org/chimera
Data Grids for High Energy Physics
[Diagram of the tiered data grid:]
• Online system: there is a “bunch crossing” every 25 nsecs; there are 100 “triggers” per second; each triggered event is ~1 MByte in size. ~PBytes/sec come off the detector; ~100 MBytes/sec go to the offline processor farm (~20 TIPS)
• Tier 0: CERN Computer Centre; ~622 Mbits/sec (or air freight, deprecated) to Tier 1
• Tier 1: FermiLab (~4 TIPS), France Regional Centre, Germany Regional Centre, Italy Regional Centre; ~622 Mbits/sec to Tier 2
• Tier 2: Tier2 Centres (~1 TIPS each, e.g. Caltech), each with HPSS storage; ~622 Mbits/sec to institutes
• Institutes (~0.25 TIPS) with a physics data cache; ~1 MBytes/sec to workstations
• Tier 4: physicist workstations (Pentium II 300 MHz)
1 TIPS is approximately 25,000 SpecInt95 equivalents. Physicists work on analysis “channels”; each institute will have ~10 physicists working on one or more channels, and data for these channels should be cached by the institute server.
Resource Sharing within “VOs” is Not Unique to Science!
• Fragmentation of enterprise infrastructure
  • Driven by cheap servers, fast nets, ubiquitous Internet, eBusiness workloads
  • Need to configure distributed collections of services to deliver specified QoS
• Virtualization
  • Emerging service infrastructure, utility computing models, economies of scale
  • Services dynamically instantiated across device spectrum
  • B2B, B2C, C2C interactions
Virtualization and Distributed Service Management
[Diagram: a device continuum running from less capable, less integrated, less connected devices to larger, more integrated, more connected, dynamically provisioned systems, with the user service locus moving across it. Requirements shown: distributed service management; resource & service aggregation; delivery of virtualized services with QoS guarantees; dynamic, secure service discovery & composition.]
Grid Computing
[Magazine cover: “Grid Computing”, by M. Mitchell Waldrop, May 2002: “Hook enough computers together and what do you get? A new kind of utility that offers supercomputer processing on tap. Is Internet history about to repeat itself?”]
Challenging Technical Requirements
• Dynamic formation and management of virtual organizations
• Discovery & online negotiation of access to services: who, what, why, when, how
• Configuration of applications and systems able to deliver multiple qualities of service
• Management of distributed state within infrastructures, services, and applications
• Open, extensible, evolvable infrastructure
Security and Certification Issues
Grid Security & Certification
• Challenges include
  • Dynamic group membership and trust relationships within virtual organizations
  • Complex computational structures extending beyond client-server: delegation
  • Mission-critical apps and valuable resources
• Issues include
  • Cross-certification
  • Mechanisms and credentials
  • Distributed authorization
  • Secure logging and audit
Cross “Certification” Issue
[Diagram: Domain A (Certification Authority, Policy Authority, Sub-Domain A1, Server X) and Domain B (Certification Authority, Policy Authority, Sub-Domain B1, Server Y). A task spanning Server X and Server Y cannot proceed because there is no cross-domain trust: the two certification authorities have a trust mismatch.]
Cross-Certification
• Cross-certification at corporate level difficult
  • Legal implications, liability, bureaucracy
• Address trust at user/resource level!
  • Many business relationships do not require involvement of President/CEO …
• Virtual organization as bridge
  • Federate through mutually trusted services
  • Local policy authorities rule …
• Assertions language for trust relationships
  • WS-Trust, WS-Federation, WS-Policy
Grid Solution: Use Virtual Organization as Bridge
[Diagram: Domain A and Domain B as before, still with no cross-domain trust between their certification authorities. A Virtual Organization Domain sits between them; its Federation Service provides a common mechanism through which the task on Server X and Server Y is trusted by both sides.]
Mechanism and Credential Issue
• Different mechanisms & credentials
  • X.509 vs Kerberos, SSL vs GSSAPI, X.509 vs X.509 (different domains)
  • X.509 attribute certs vs SAML assertions
• Need for common mechanism
  • GSI-SecureConversation
• Need for credential federation services
  • Obtain X.509 creds with Kerberos ticket
  • Obtain Kerberos ticket with X.509 creds
  • Cross X.509 or Kerberos domains/realms
Example: Kerberos-X.509 Federation
• Requestor: Kerberos realm
• Server: X.509-based domain (only authenticates requestors with X.509 creds)
• VO provides Kerberos-CA federation service
  • Has Kerberos identity within requestor’s realm
  • Kerb-CA cert is trusted within server-side VO
  • Kerb-CA issues (short-lived) X.509 certs that assert requestor’s Kerberos principal name
• Requestor’s runtime is “X.509-enabled”
• Server’s access control policy within the VO is based on requestor’s Kerberos principal name
Kerberos-X.509 Federation Service
[Diagram: the Requestor in the Kerberos Realm presents a Kerberos ticket to the Kerberos-CA service in the Virtual Organization Domain and receives a Krb-CA-issued cert; it then talks to the Server in the X.509 Domain over an X.509-secured protocol. The server-side Policy Authority trusts Krb-CA-issued certs, and enforcement is on the principal name in the requestor's X.509 cert.]
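As an added illustration of the federation flow on the two slides above (this is example code, not code from the talk or from the Globus Toolkit), the following Go program models the Kerberos-CA service issuing a short-lived X.509 certificate that carries the requestor's Kerberos principal name, and an X.509-only server that accepts that certificate only because the VO trusts the Krb-CA, then applies a policy keyed by principal name. It uses only the Go standard library; the type names, the principal alice@REALM.EXAMPLE and the policy table are constructed for the example, and the requestor's Kerberos authentication is assumed to have already happened in its own realm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KerbCA models the VO's Kerberos-CA federation service (hypothetical name). The
// requestor's Kerberos authentication is assumed done; we get the principal name.
type KerbCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var lastSerial int64 // constructed counter; a real CA uses large random serials

func nextSerial() *big.Int { lastSerial++; return big.NewInt(lastSerial) }

// NewKerbCA creates the federation service's self-signed CA certificate.
func NewKerbCA(name string, now time.Time) (*KerbCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &KerbCA{Cert: cert, key: key}, nil
}

// IssueForPrincipal returns DER for a short-lived end-entity certificate whose
// Subject CN asserts the Kerberos principal, e.g. "alice@REALM.EXAMPLE".
func (ca *KerbCA) IssueForPrincipal(principal string, ttl time.Duration, now time.Time) ([]byte, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: principal},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl), // short lifetime limits the exposure of a leaked cert
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &leafKey.PublicKey, ca.key)
}

// Server is an X.509-only service on the server side of the VO: it trusts the
// listed Krb-CAs and keeps an access policy keyed by Kerberos principal name.
type Server struct {
	Roots  *x509.CertPool
	Policy map[string][]string // principal name -> permitted operations
}

func NewServer(trusted *KerbCA, policy map[string][]string) *Server {
	roots := x509.NewCertPool()
	roots.AddCert(trusted.Cert)
	return &Server{Roots: roots, Policy: policy}
}

// Authorize chains the presented cert to a trusted Krb-CA and checks validity
// at now before the principal name is read and the policy consulted.
func (s *Server) Authorize(certDER []byte, op string, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: s.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("credential rejected: %w", err)
	}
	principal := cert.Subject.CommonName
	for _, allowed := range s.Policy[principal] {
		if allowed == op {
			return principal, nil
		}
	}
	return principal, fmt.Errorf("policy denies %q for %s", op, principal)
}
```

The order of checks in Authorize is the point: chain, key usage and validity period are verified before the principal name is even read, so a certificate from any CA the VO has not chosen to trust never reaches the policy lookup. Keeping the issued certificates short-lived is what lets a Krb-CA of this kind do without revocation machinery.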
Grid Authorization/Policy Issue
• Resources may not know foreign requestors
  • Impairs fine-grained policy admin
• Outsource policy admin to requestor’s sub-domain
  • Enables fine-grained policy
• “Community Authorization Service” (CAS)
  • Resource owner sets coarse-grained policy rules for foreign domain on “CAS-identity”
  • CAS sets policy rules for its local users
  • Requestors obtain capabilities from their local CAS that get enforced at the resource
Community Authorization Service
[Diagram: the Requestor in Sub-Domain A1 (Domain A) obtains capability assertions from the Community Authorization Service in the Virtual Organization Domain and sends request + CAS assertions to the Server in Sub-Domain B1 (Domain B). The server-side Policy Authority performs enforcement on the CAS identity and on the “trusted” requestor's capabilities.]
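The CAS arrangement on the previous two slides can be demonstrated with the following Go code, added here as an example; it is not taken from the CAS implementation in the Globus Toolkit. A CAS holds the fine-grained grants for its own community and signs capability assertions; the resource owner's coarse-grained policy says only which CAS identities are trusted and which actions each may delegate, so a request succeeds only where the two policies intersect. Names such as cas.physics.example, /data/sky and the user alice are constructed; signatures use the Go standard library's ECDSA, and the CAS public key is assumed to have been distributed to the resource out of band.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Capability is the assertion a requestor obtains from its local CAS.
type Capability struct {
	Issuer   string   // CAS identity, as the resource owner knows it
	User     string   // requestor, as the CAS knows it
	Resource string
	Actions  []string // what the CAS's own policy grants this user here
	Expires  int64    // unix seconds
}

type SignedCapability struct {
	Cap Capability
	Sig []byte // the CAS's ECDSA signature over digest(Cap)
}

// digest hashes the capability canonically (struct fields encode in declaration order).
func digest(c Capability) []byte {
	b, _ := json.Marshal(c)
	h := sha256.Sum256(b)
	return h[:]
}

// CAS administers fine-grained policy for its own community's users.
type CAS struct {
	Identity string
	key      *ecdsa.PrivateKey
	Grants   map[string]map[string][]string // user -> resource -> actions
}

func NewCAS(identity string) (*CAS, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &CAS{Identity: identity, key: key, Grants: map[string]map[string][]string{}}, nil
}

// Issue returns a signed capability for user on resource, or an error when the
// CAS's local policy grants that user nothing there.
func (c *CAS) Issue(user, resource string, ttl time.Duration, now time.Time) (*SignedCapability, error) {
	actions := c.Grants[user][resource]
	if len(actions) == 0 {
		return nil, fmt.Errorf("CAS policy grants %s nothing on %s", user, resource)
	}
	cp := Capability{Issuer: c.Identity, User: user, Resource: resource, Actions: actions, Expires: now.Add(ttl).Unix()}
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, digest(cp))
	if err != nil { return nil, err }
	return &SignedCapability{Cap: cp, Sig: sig}, nil
}

// Resource holds the owner's coarse-grained policy: which CAS identities are
// trusted (by public key) and which actions each of them may delegate here.
type Resource struct {
	Name       string
	TrustedCAS map[string]*ecdsa.PublicKey
	Coarse     map[string][]string // CAS identity -> actions it may grant
}

func NewResource(name string, cas *CAS, mayGrant []string) *Resource {
	return &Resource{Name: name,
		TrustedCAS: map[string]*ecdsa.PublicKey{cas.Identity: &cas.key.PublicKey},
		Coarse:     map[string][]string{cas.Identity: mayGrant}}
}

func contains(list []string, s string) bool {
	for _, x := range list { if x == s { return true } }
	return false
}

// Enforce admits the request only if every layer agrees: a trusted CAS signed
// the capability, it is unexpired and names this resource, the CAS granted the
// action, and the owner's coarse policy lets that CAS grant it at all.
func (r *Resource) Enforce(sc *SignedCapability, action string, now time.Time) error {
	pub, ok := r.TrustedCAS[sc.Cap.Issuer]
	if !ok {
		return fmt.Errorf("unknown CAS identity %q", sc.Cap.Issuer)
	}
	if !ecdsa.VerifyASN1(pub, digest(sc.Cap), sc.Sig) {
		return fmt.Errorf("capability signature does not verify")
	}
	if now.Unix() >= sc.Cap.Expires || sc.Cap.Resource != r.Name {
		return fmt.Errorf("capability expired or not issued for %s", r.Name)
	}
	if !contains(sc.Cap.Actions, action) {
		return fmt.Errorf("CAS did not grant %q to %s", action, sc.Cap.User)
	}
	if !contains(r.Coarse[sc.Cap.Issuer], action) {
		return fmt.Errorf("owner policy does not let %s grant %q", sc.Cap.Issuer, action)
	}
	return nil
}
```

Note that the resource never learns the requestor's own credentials; it trusts the CAS signature for the user-to-action binding, while the final word on what a CAS may grant at all stays with the resource owner. Binding each capability to a resource name and an expiry is what stops a capability issued for one service being replayed against another.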
Security Services & VO
[Diagram: the Requestor's Domain and the Service Provider's Domain each host Trust, Attribute, Authorization, Audit/Secure-Logging, Privacy and Credential Validation Services. The Requestor Application and Provider Application communicate through WS-Stubs over a Secure Conversation; the VO Domain provides a Bridge/Translation Service plus its own Credential Validation, Authorization, Attribute and Trust Services.]
Secure Logging and Audit
• Robust, secure audit infrastructure is essential for commercial Grid deployment
• Natural audit “code-points” in OGSA runtime
  • User’s credentials, authorization decisions, invoked portTypes, parameter values, etc.
  • Allows for secure logging transparent and independent from applications
• Standard call-outs to external security services
  • More relevant audit code-points
• XML facilitates audit-entry filtering & mgmt
Transparent Audit Code-Points
[Diagram] All service invocations and policy decisions within stubs are “natural” audit code-points.
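To make the “natural code-point” idea concrete, here is an added Go example (not from the talk, nor from any OGSA runtime): a service stub that performs the authorization call-out and writes an audit entry for every invocation, recording the credential name, portType, parameter values and decision, into a hash-chained log whose integrity can be checked afterwards. The DataService portType, the query operation, the principals and the one-line authorization policy are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditEntry is one record written at a stub's audit code-point.
type AuditEntry struct {
	Seq       int
	Principal string            // requestor's credential name
	PortType  string            // invoked portType
	Operation string
	Params    map[string]string // parameter values
	Decision  string            // "permit" or "deny"
	PrevHash  string            // hash of the preceding entry ("genesis" for the first)
	Hash      string            `json:"-"` // hash over the fields above; excluded from its own input
}

// entryHash commits to every field except Hash; json.Marshal sorts map keys,
// so the encoding is canonical.
func entryHash(e AuditEntry) string {
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog is append-only and hash-chained: each entry commits to its predecessor.
type AuditLog struct{ Entries []AuditEntry }

func (l *AuditLog) Append(principal, portType, op string, params map[string]string, decision string) {
	prev := "genesis"
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.Entries), Principal: principal, PortType: portType,
		Operation: op, Params: params, Decision: decision, PrevHash: prev}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
}

// Verify walks the chain and returns the index of the first entry whose hash
// or back-link is inconsistent, or -1 if the whole log is intact.
func (l *AuditLog) Verify() int {
	prev := "genesis"
	for i, e := range l.Entries {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Stub wraps a service's operations. Authorization and logging happen here,
// so the application code behind Impl never has to know about either.
type Stub struct {
	PortType string
	Log      *AuditLog
	Authz    func(principal, op string) bool // call-out to an authorization service
	Impl     map[string]func(params map[string]string) string
}

// Invoke is the transparent audit code-point: every invocation is logged with
// its policy decision, whether or not it is allowed to proceed.
func (s *Stub) Invoke(principal, op string, params map[string]string) (string, error) {
	impl, ok := s.Impl[op]
	if !ok {
		return "", fmt.Errorf("no such operation %q on %s", op, s.PortType)
	}
	decision := "deny"
	if s.Authz(principal, op) {
		decision = "permit"
	}
	s.Log.Append(principal, s.PortType, op, params, decision)
	if decision == "deny" {
		return "", fmt.Errorf("%s denied %q on %s", principal, op, s.PortType)
	}
	return impl(params), nil
}

func main() {
	alog := &AuditLog{}
	stub := &Stub{PortType: "DataService", Log: alog,
		Authz: func(p, _ string) bool { return p == "alice@REALM.EXAMPLE" }, // constructed policy
		Impl: map[string]func(map[string]string) string{
			"query": func(p map[string]string) string { return "rows for " + p["channel"] }}}
	fmt.Println(stub.Invoke("alice@REALM.EXAMPLE", "query", map[string]string{"channel": "higgs"}))
	fmt.Println(stub.Invoke("mallory@OTHER.EXAMPLE", "query", nil))
	fmt.Println(alog.Verify())          // -1: chain intact
	alog.Entries[1].Decision = "permit" // an after-the-fact edit
	fmt.Println(alog.Verify())          // 1: tampering detected at entry 1
}
```

A plain hash chain detects edits to recorded entries but not truncation or a rewritten tail (the last entry can simply be rehashed), so a deployment would periodically anchor the head hash somewhere the logging host cannot alter, or sign entries with a key the service itself does not hold. Because the entries are structured records, the filtering the slide mentions (by principal, portType or decision) is a matter of selecting on fields rather than parsing free text.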
The Grid World: Current Status
• Many major Grid projects in scientific & technical computing/research & education
• Open source Globus Toolkit™ a de facto standard for major protocols & services
  • Simple protocols & APIs for authentication, discovery, access, etc.: infrastructure
  • Information-centric design
  • Large user and developer base
  • Multiple commercial support providers
• Global Grid Forum: community & standards
• Emerging Open Grid Services Architecture
Grid Security Infrastructure
• Uniform authentication & authorization mechanisms in multi-institutional setting
  • Single sign-on, delegation, identity mapping
  • Public key tech, SSL/TLS, X.509, GSS-API
  • Internet/GGF drafts document extensions
• Supporting infrastructure
  • Certificate Authorities
  • Online credential repository
  • Kerberos-X.509 federation server
  • Etc., etc., etc.
GSI in Action: “Create Processes at A and B that Communicate & Access Files at C”
[Diagram of the flow; all requests marked * use mutual authentication:]
• User: single sign-on via “grid-id” & generation of proxy credential, or retrieval of proxy credential from online repository; the User Proxy holds the proxy credential
• Site A (Kerberos) computer: remote process creation request* to the GSI-enabled GRAM server, which authorizes, maps to local id, creates the process and generates credentials (local id, Kerberos ticket, restricted proxy)
• Site B (Unix) computer: ditto at its GSI-enabled GRAM server (local id, restricted proxy); the two processes then communicate*
• Site C (Kerberos) storage system: remote file access request* to the GSI-enabled FTP server, which authorizes, maps to local id and accesses the file
Grid Evolution: Open Grid Services Architecture
• Goals
  • Refactor Globus protocol suite to enable common base and expose key capabilities
  • Service orientation to virtualize resources and unify resources/services/information
  • Embrace key Web services technologies for standard IDL, leverage commercial efforts
• Result = standard interfaces & behaviors for distributed system mgmt: the Grid service
• Standardization within Global Grid Forum
• Open source & commercial implementations
The Grid Service = Interfaces/Behaviors + Service Data
[Diagram: the GridService interface (required) provides service data access, explicit destruction and soft-state lifetime; other interfaces (optional) include standard ones (notification, authorization, service creation, service registry, manageability, concurrency) plus application-specific interfaces. Service data elements are attached to the service. Binding properties: reliable invocation, authentication. The implementation runs in a hosting environment/runtime (“C”, J2EE, .NET, …).]
WS Security Architecture: Current/Proposed Specifications
[Diagram: a composable architecture (“only use what you need”) layered on the SOAP Foundation. WS-Security exists today; over time WS-Policy, WS-Trust and WS-Privacy are added, and above them WS-SecureConversation, WS-Federation and WS-Authorization.]
Grid Security and OGSA
• OGSA security roadmap defines a set of required services and indicates for each whether it
  • Is provided by WS Security specs
  • May be provided by WS Security specs
  • Requires standardized profile/mechanisms and/or extensions for WS Security specs
• Addresses, for example
  • GSISecureConversation
  • Standardized policy services
  • Standardized audit services
  • Etc., etc., etc.
OGSA Security Components
[Diagram of the component stack: Intrusion Detection; Credential and Identity Translation (Single Logon); Access Control Enforcement; Audit & Non-repudiation; Anti-virus Management; Secure Conversations; Mapping Rules; Authorization Policy; Service/End-point Policy; Privacy Policy; Policy Management (authorization, privacy, federation, etc); Policy Expression and Exchange; Trust Model; Secure Logging; User Management; Bindings Security (transport, protocol, message security); Key Management.]
Summary
• The Grid: resource sharing & coordinated problem solving in virtual organizations
• Challenging security & certification requirements
• OGSA security architecture addresses Grid certification, federation, bridging issues
  • Leverages WS Security standards & OGSA
  • Standardized security services, profiles, and mechanisms
  • Open source Globus Toolkit and commercial implementations
For More Information
• The Globus Project™: www.globus.org
• Technical articles: www.mcs.anl.gov/~foster
• Open Grid Services Architecture: www.globus.org/ogsa
• Global Grid Forum: www.gridforum.org (Chicago, Oct 15-17)