Download - Security
Architecture Overview
[Diagram: Clients connect over the Internet to the Gateway of each Unicore site (Usite A with Vsite A1; Usite B with Vsite B1 and Vsite B2). Behind each Gateway, every Vsite runs a Network Job Supervisor that drives a Target System Interface.]
Client
Java application
User authentication via X.509 certificates
Global or local list of Unicore sites (Usites)
Connects to Gateway via SSL and Unicore Protocol Layer (UPL)
Job preparation
♦ Workflow management
♦ File management
♦ Abstract Job Object (AJO) generation
♦ Job signing
Job monitoring
Job control
[Diagram: client components JobPreparation, JobMonitor and WorkflowManagement, with the lists of Usites and Vsites.]
[Diagram: the Client obtains a global or local Unicore site list and connects via SSL over the Internet to the Gateway, which holds its own Unicore site list.]
Gateway
[Diagram: architecture overview with the Gateway of each Usite highlighted.]
Gateway
Authentication:
♦ Connection only with valid certificates from accepted Certification Authorities
♦ Forwards client certificate to NJS for authorisation
Single point of entry for all Unicore services of the Usite
♦ Only one open port
List of Vsites
Connects to Vsites via UPL (SSL optional)
[Diagram: the Client connects via SSL over the Internet to the Gateway, which sits at the firewall, holds the Vsite list and forwards to the Network Job Supervisor of Vsite 1, Vsite 2 or Vsite 3.]
Network Job Supervisor
[Diagram: architecture overview with the Network Job Supervisor of each Vsite highlighted.]
Network Job Supervisor
Checks integrity of jobs
Authorises the user by Unicore User Data Base (UUDB)
♦ Mapping of Unicore user certificate to target system Xlogin
Forwards sub jobs to remote Vsites
Translates abstract job into target system specific tasks based on Incarnation Data Base (IDB)
Transfers files to work directory on the target system via socket connection
Submits jobs to Target System Interface (TSI) via socket connection
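As an added illustration of the IDB-based incarnation step (this is a constructed Python model, not UNICORE code), the function below translates an abstract execute task into a batch script for one target system. The IDB contents, the task fields and the PBS-style batch directives are assumptions; the point is that only applications registered in the site's IDB are ever incarnated and that user-supplied arguments reach the executable as arguments, not as shell syntax.

```python
import shlex

# Constructed IDB for one hypothetical target system: only applications
# listed here may be incarnated, and resource requests are mapped to the
# site's batch queues.
IDB = {
    "applications": {"CPMD": "/opt/cpmd/bin/cpmd.x", "GAUSSIAN": "/opt/g03/g03"},
    # (max_nodes, max_minutes, queue_name), checked in order
    "queues": [(1, 60, "short"), (32, 1440, "parallel")],
}


def incarnate(task: dict, idb: dict = IDB) -> str:
    """Translate an abstract execute task (application name, arguments,
    resource request, work directory) into a batch script for this target
    system, or raise ValueError if the IDB cannot satisfy it."""
    executable = idb["applications"].get(task["application"])
    if executable is None:
        # Never run something the site has not registered in its IDB
        raise ValueError(f"application {task['application']!r} not in IDB")
    queue = next((name for max_nodes, max_min, name in idb["queues"]
                  if task["nodes"] <= max_nodes and task["minutes"] <= max_min),
                 None)
    if queue is None:
        raise ValueError("resource request exceeds every queue in the IDB")
    hours, minutes = divmod(task["minutes"], 60)
    # Arguments come from the user's AJO: quote them so they are passed to
    # the executable verbatim and cannot alter the script
    args = " ".join(shlex.quote(str(a)) for a in task.get("arguments", []))
    return "\n".join([
        "#!/bin/sh",
        f"#PBS -q {queue}",
        f"#PBS -l nodes={task['nodes']},walltime={hours:02d}:{minutes:02d}:00",
        f"cd {shlex.quote(task['workdir'])}",
        f"{executable} {args}".rstrip(),
    ])
```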
[Diagram: the Network Job Supervisor receives jobs from the Gateway, consults the Unicore User Data Base and the Incarnation Data Base, forwards sub-jobs via a remote Gateway over the Internet to another Network Job Supervisor, and submits tasks to the Target System Interface.]
Target System Interface
[Diagram: architecture overview with the Target System Interface of each Vsite highlighted.]
Target System Interface
Interfaces between Unicore and the Grid resource
Executes the specific tasks, translated by the NJS, or submits them to the batch sub system
Stores and sends files from/to the Unicore Client or local directories
Contains batch sub system, operating system and installation specific code
Runs as root
[Diagram: the Target System Interface, connected to the Network Job Supervisor, consists of a Shepard process and Worker processes that access the batch sub system, the file system, the applications and the operating system.]
Multi-site Job
[Diagram: architecture overview of a job spanning Usite A and Usite B.]
Multi-site Job
[Diagram: the Client sends a Job over SSL to the Primary Network Job Supervisor, which forwards a SubJob over SSL to the Secondary Network Job Supervisor; legend: user certificate, NJS certificate.]
Consignor
♦ The entity (user client or NJS) that consigns a job or sub-job
♦ Expressed by the certificate used in the SSL connection
Endorser
♦ The entity (user) that authorises the tasks to be performed
♦ Expressed by signing of the serialized AJO directed acyclic graph
Explicit Trust Delegation
[Diagram: architecture overview with a Portal placed between the Client and the Gateway.]
Explicit Trust Delegation
[Diagram: a WS-Client (browser) connects over SSL to the Portal, which submits the Job, carrying "User: name", over SSL to the Network Job Supervisor; legend: user certificate, portal certificate.]
User
♦ New role besides consignor and endorser
♦ Entity (user) on whose behalf tasks will be performed
Trusted Agents (Portal)
♦ Added to the UUDB explicitly
♦ Allowed to endorse AJO on behalf of users
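The consignor, endorser and user roles of the multi-site job and explicit trust delegation slides, together with the UUDB mapping of certificate to Xlogin from the Network Job Supervisor slide, as an added Python model that is not UNICORE's own code. It assumes the DNs have already been verified (CA check at the Gateway, AJO signature check at the NJS), and the UUDB entries and DNs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed UUDB: certificate subject DNs (already verified by the Gateway's
# CA check and the NJS signature check, which this model does not repeat)
# mapped to Xlogins. Peer NJSs and trusted agents are entered explicitly.
@dataclass
class UudbEntry:
    xlogin: Optional[str] = None  # target-system login; None for non-user entries
    njs: bool = False             # peer NJS that may consign sub-jobs
    trusted_agent: bool = False   # portal allowed to endorse on behalf of users

ALICE = "CN=Alice,O=Example Univ,C=DE"
BOB = "CN=Bob,O=Example Univ,C=DE"
NJS_B = "CN=NJS,O=Usite B,C=DE"
PORTAL = "CN=Portal,O=Example Univ,C=DE"
UUDB = {
    ALICE: UudbEntry(xlogin="alice"),
    BOB: UudbEntry(xlogin="bob"),
    NJS_B: UudbEntry(njs=True),
    PORTAL: UudbEntry(trusted_agent=True),
}

@dataclass
class Job:
    consignor: str              # DN of the certificate on the SSL connection
    endorser: str               # DN whose signature is on the serialised AJO
    user: Optional[str] = None  # ETD: DN on whose behalf tasks run; None = endorser

def authorise(job: Job, uudb: dict = UUDB) -> str:
    """Return the Xlogin the job runs under, or raise PermissionError."""
    consignor = uudb.get(job.consignor)
    endorser = uudb.get(job.endorser)
    if consignor is None or endorser is None:
        raise PermissionError("consignor and endorser must both be in the UUDB")
    user_dn = job.user or job.endorser
    if user_dn != job.endorser and not endorser.trusted_agent:
        # Only an explicitly trusted agent may endorse on someone else's behalf
        raise PermissionError("endorser is not a trusted agent")
    user = uudb.get(user_dn)
    if user is None or user.xlogin is None:
        raise PermissionError("no Xlogin mapping for user")
    # Consignor is the user's own client, a peer NJS forwarding a sub-job,
    # or a trusted agent acting for the user
    if not (job.consignor == user_dn or consignor.njs or consignor.trusted_agent):
        raise PermissionError("consignor may not consign for this user")
    return user.xlogin
```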
UniGrids project
All components are being moved to stateful Web Services
♦ Based on the Open Grid Services Architecture (OGSA)
♦ Compliant with the Web Services Resource Framework
Gateway handles multiple protocols
Web Service implementation of the UUDB
References
Unicore
♦ Software: http://unicore.sourceforge.net
♦ Whitepaper: http://www.unicore.org/ ...... documents/UNICOREPlus-Final-Report.pdf
Unicore Security
♦ GGF Document GFD.18, “An Analysis of the UNICORE Security Model”, http://www.gridforum.org/documents/GFD.18.pdf
UniGrids
♦ http://www.unigrids.org
Explicit Trust Delegation
♦ Fujitsu Scientific & Technical Journal, Special Issue: Grid Computing, 2004-12 (Vol. 40, No. 2), “Explicit Trust Delegation: Security for Dynamic Grids”, http://www.fujitsu.com/downloads/MAG/vol40-2/paper12.pdf