The EDGeS project receives Community research funding
Specific security needs of Desktop Grids
• Desktop Grids
• EDGeS project
• Delegation for access to trusted resources
Etienne URBAH [email protected], Univ Paris-Sud, IN2P3/CNRS, Orsay, France
v1.2
DG = Desktop Grid = Loose grid scavenging idle resources
Unit of Work = Application + Input Data
[Diagram: roles in a Desktop Grid. Actors: Grid User; Application Manager; Resource Owner (often volunteer); Grid Server with Application Repository; Computing Resource (often Desktop Computer). Arrow labels: "Submits input data for an application"; "Certifies Application"; "Owns Resource"; "Accepts or Refuses an application on his resource"; "Requests Unit of Work"; "Sends Unit of Work"; "Sends back results" (twice).]
Currently, for BOINC, both roles of ‘Application Manager’ and ‘Grid User’ are fulfilled by ‘BOINC Project Owners’.
DG = Desktop Grid = Loose grid scavenging idle resources
• Computing and Storage Resources are owned by various Owners (it is often volunteer computing), but they are NOT managed and NOT authenticated.
• Grid Servers are authenticated by an X509 certificate.
• Users are authenticated by the Grid Servers, but NOT by the Computing and Storage Resources.
• Executables are certified by managers of the Grid Servers.
So:
– Resource Owners have to trust the Grid Servers,
– BOINC sends each Work Unit to several Resource Owners, because BOINC does NOT fully trust them.
• Order of magnitude can be 1 000 000 CPUs.
• Starving Computing Resources pull Work Units from Grid Servers.
Examples: BOINC, XtremWeb, xGrid, OurGrid
Presentation of the EDGeS project
New FP7 project started on 01/01/2008
• Integrate Service Grids and Desktop Grids
• Enable very large number of computing resources (100K-1M processors)
• Attract new scientific communities
• Provide a Grid application development environment
• Provide application repository and bridges for the execution in the SG-DG system
[Diagram: grids around EDGeS. Names shown: WLCG (CERN); EDGeS; gLite (EGEE); ARC (NorduGrid); Boinc (Berkeley); XtremWeb (INRIA/IN2P3); Xgrid (Apple); Unicore (DEISA); VDT (OSG). Legend: Current; Future.]
Presentation of the EDGeS project
http://www.edges-grid.eu
Now, Interoperation:
• Ad-hoc bridges and interfaces between EGEE, BOINC and XtremWeb.
• A MoU between EDGeS and EGEE was signed on 23 Sept 2008.
• XtremWeb users must have an X509 certificate, be registered in a VO and submit their Jobs with a VOMS proxy.
• BOINC Project Owners must have an X509 certificate, be registered in a VO and store a medium-term X509 proxy in a MyProxy server.
• All files must be transferred through the Input and Output sandboxes.
In the future:
• Interoperability using OGF standards, in order to bridge more Grids.
• Better support of grid file access (ByteIO, GridFTP).
Bridge BOINC → EGEE (WU = Work Unit)
[Diagram: BOINC → EGEE bridge. Components: BOINC Project Owner; BOINC Server; BOINC jobwrapper client (simulating a large BOINC computing resource); EDGeS 3G bridge containing a BOINC Handler (1 for each (BOINC server, BOINC Project Owner, EGEE VO) triple), Job Handler Interface, Queue Manager & Job DB, Grid Handler Interface, EGEE Plugin (1 for each (BOINC Project Owner, EGEE VO) pair) and VOMS proxy Retriever; MyProxy trusting EDGeS 3G bridge; VOMS Server; EGEE WMS; 3G job-wrapper (twice). Labels: Submission; Work Unit; WUi+1, WUi+2, WUi+3; Jobi+1, Jobi+2; Job; Config. file; DN of X509 proxy; Medium term X509 proxy; Short term X509 proxy; VOMS extensions.]
Bridge BOINC → EGEE
Solution = Inside EDGeS bridge, marshalling of the BOINC Work Units into Job collections
• For each (BOINC server, BOINC Project Owner, EGEE VO) triple, a separate Job Handler collects the BOINC Work Units and places them in a queue.
• For each (BOINC Project Owner, EGEE VO) pair, a separate EGEE plugin:
– Retrieves a short term X509 Proxy for the BOINC Project Owner from a MyProxy server, and VOMS extensions from a VOMS server,
– Periodically processes new Work Units found in the queue:
  • It converts each Work Unit into an EGEE Job,
  • In order to reduce the usage of the EGEE WMS, it uses Collection possibilities of EGEE to submit many Jobs in one request described using JDL.
Bridge XtremWeb → EGEE
[Diagram: XtremWeb → EGEE bridge. Components: XtremWeb User; VOMS Server; XtremWeb Server; XtremWeb Bridge; EGEE with gLite WMS, Computing Element, Mono-user Pilot Job and User Job. Labels: X509 proxy; VOMS proxy; "Submits User Job with VOMS proxy"; "Sends back Job Status and Results"; "Requests User Jobs"; "Sends User Jobs with VOMS proxy"; "Manages User Job status"; "Submits mono-user Pilot Job with VOMS proxy"; "Gives Pilot Job Status" (twice); "Pushes Pilot job"; "Requests only 1 User Job"; "Sends 1 User Job with same VOMS proxy"; "Sends back results directly".]
Bridge XtremWeb → EGEE
Solution = XtremWeb bridge: Gliding with a mono-user Pilot Job
1. An XtremWeb User submits to the XtremWeb server his User Job with a VOMS proxy.
2. At the request of the XtremWeb bridge, the XtremWeb server sends it the User Job with the VOMS proxy.
3. The XtremWeb bridge submits to a gLite WMS a mono-user Pilot Job with this VOMS proxy (job description in JDL).
4. The gLite WMS pushes the Pilot Job to a Computing Element, which executes it.
5. The mono-user Pilot Job requests 1 User Job from the XtremWeb server, and stops itself if it receives none.
6. The XtremWeb server verifies that the requested User Job has a VOMS proxy, and sends the User Job and the VOMS proxy to the Pilot Job.
7. The Pilot Job verifies that the received VOMS proxy is the same as its own VOMS proxy, and executes the User Job.
8. At the end of the User Job, the Pilot Job sends the Job results directly to the XtremWeb server, then stops itself.
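
Steps 5 to 8 above, modelled as an added example (not code from EDGeS or XtremWeb): the server only hands out User Jobs that carry a VOMS proxy, and the Pilot Job runs a job only if that proxy matches its own. The class and function names, the placeholder proxy bytes, and the behaviour on mismatch (job handed back unexecuted) are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserJob:
    job_id: str
    payload: str
    voms_proxy: Optional[bytes]  # proxy bytes submitted with the job (step 1)


class XtremWebServer:
    """Hypothetical in-memory stand-in for the XtremWeb server."""

    def __init__(self, jobs):
        self.pending = list(jobs)
        self.results = {}

    def give_one_job(self) -> Optional[UserJob]:
        # Step 6: a User Job without a VOMS proxy is never sent to a Pilot Job.
        for job in self.pending:
            if job.voms_proxy:
                self.pending.remove(job)
                return job
        return None


def same_proxy(a: bytes, b: bytes) -> bool:
    # Compare fixed-length digests in constant time, not the raw credentials.
    return hmac.compare_digest(hashlib.sha256(a).digest(),
                               hashlib.sha256(b).digest())


def run_pilot(server: XtremWebServer, own_proxy: bytes) -> str:
    """Steps 5 to 8 for one mono-user Pilot Job; returns how the pilot ended."""
    job = server.give_one_job()  # step 5: request exactly 1 User Job
    if job is None:
        return "stopped: no job"
    if not same_proxy(job.voms_proxy, own_proxy):  # step 7
        # Assumption: on mismatch the job is handed back, unexecuted.
        server.pending.append(job)
        return "stopped: proxy mismatch"
    # Step 8: the result goes directly to the server, then the pilot stops.
    server.results[job.job_id] = f"executed {job.payload}"
    return "stopped: done"


# Constructed placeholder byte strings, not real credentials.
ALICE = b"CONSTRUCTED-VOMS-PROXY-alice"
BOB = b"CONSTRUCTED-VOMS-PROXY-bob"
```

Because the pilot is mono-user, a Computing Element never runs a payload under a credential other than the one the Pilot Job was submitted with.
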
Bridge EGEE → Desktop Grids
[Diagram: EGEE → Desktop Grids bridge. Components: EGEE User; EGEE VOMS; gLite WMS; EGEE BDII; EGEE LB; LCG-CE for EDGeS containing an Information provider and a GRAM Job Manager for EDGeS; EDGeS Application Repository; EDGeS 3G bridge containing a Generic Job WS Handler, Queue Manager & Job DB and Desktop Grid plugin; Desktop Grid. Labels: "Gets VOMS proxy"; "Submits Job"; "Pushes job"; "Gets EXE"; "Checks EXE"; "Adds job"; "Watches job"; "Watches"; "Reports resources and performance"; "Logs events" (twice); "Sends output"; "Gets output".]
Bridges EGEE → BOINC & XtremWeb
Solution = Installation of an LCG-CE sending the EGEE Jobs to the EDGeS bridge, which marshals them into Desktop Grid Jobs
• Information Provider publishes information to the BDII according to GLUE 1.3
• Customized GRAM Job Manager (EGEE producer)
– Gets job information from wrapper
– Checks if exe is validated in the EDGeS application repository (GEMLCA)
– Checks if exe is supported by attached BOINC
– Gets files from WMS
– Adds job to 3G bridge job Database
– Polls status of jobs in 3G bridge job Database
– Gets results from 3G bridge and uploads them to Logging & Bookkeeping
• EDGeS 3G bridge
– Manages jobs in the 3G bridge database
– On events, updates entries in the 3G bridge database
– Desktop Grid plugins
  • BOINC plugin uses DC-API to generate BOINC Work Units
  • XtremWeb plugin generates XtremWeb Jobs
Delegation for access to trusted resources
Jobs having to access trusted Resources require delegation (through X509 proxies or SAML assertions)
Is it possible to provide delegation to untrusted Computing Resources of Desktop Grids?
Specific security needs of Desktop Grids – Delegation
Current situation: NO restriction → Full impersonation
Acceptable only with trusted computing resources
NOT acceptable with untrusted (DG) computing resources
[Diagram, trusted case: Grid User, "Submits Job", EGEE Computing Element, "Submits Job", Trusted Worker Node, "Trusted Data Access", Trusted Storage Resource. Each hop is labelled "X509 proxy without restrictions" and "Full impersonation".]
[Diagram, untrusted case: Grid User, "Submits Job", EGEE Computing Element, "Submits Job", Untrusted Worker Node, "Untrusted Data Access", Trusted Storage Resource. Each hop is labelled "X509 proxy without restrictions" and "Full impersonation".]
Current situation: NO restriction → Full impersonation
Currently, WITHOUT restrictions on delegation, X509 proxies permit full impersonation.
Therefore, when sending jobs, it is acceptable to send along such X509 proxies:
– only to TRUSTED computing resources (for example Worker Nodes of local or EGEE clusters), because the storage resources must trust that the computing resource will only access data described in the job,
– but NOT to UNTRUSTED computing resources (for example from a public Desktop Grid), because they could then have access to all user data.
Under development: X509 Proxies with Restrictions
Improved security with trusted computing resources
Could also be acceptable with untrusted computing resources
[Diagram, trusted case: Grid User, "Submits Job", EGEE Computing Element, "Submits Job", Trusted Worker Node, "Trusted Data Access", Trusted Storage Resource. Each hop is labelled "X509 proxy with restrictions" and "Restricted impersonation".]
[Diagram, untrusted case: Grid User, "Submits Job", EGEE Computing Element, "Submits Job", Untrusted Worker Node, "Trusted Data Access", Trusted Storage Resource. Each hop is labelled "X509 proxy with restrictions" and "Restricted impersonation".]
Under development: X509 Proxies with Restrictions
When sending jobs, it could be acceptable to send X509 proxies containing restriction attributes about data access to UNTRUSTED computing resources (for example from a public Desktop Grid), because:
– In order to get access to data, computing resources have to present to storage resources the full X509 proxy, INCLUDING ALL restriction attributes.
– Storage resources are then able to refuse data access if restriction attributes forbid it,
– Data that the jobs have to read are easily protected against corruption or deletion by using restriction attributes setting those data as read-only.
– Malicious computing resources can always corrupt data on which they have write access, but they can already write false data in the Output Sandbox of jobs anyway.
If these restriction attributes are really implemented, enforced and considered secure enough, this would permit computing resources of Desktop Grids to access storage resources of EGEE Storage Elements (using SRM, GridFTP, …), with a great impact on EDGeS JRA3.
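
A model of the storage-side decision described above, as an added example (not EDGeS code and not a real X509 implementation). The restriction format (path prefix plus "r" or "rw"), the function names and the sample paths are assumptions, and an HMAC stands in for the X509 signature that binds the restriction attributes to the proxy.

```python
import hashlib
import hmac
import json
from posixpath import normpath

ISSUER_KEY = b"constructed-demo-key"  # HMAC key standing in for an X509 signature


def _mac(body: dict) -> str:
    blob = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, blob, hashlib.sha256).hexdigest()


def issue_proxy(subject: str, restrictions) -> dict:
    """restrictions: list of [path_prefix, 'r' or 'rw'], or None for no restriction."""
    body = {"subject": subject, "restrictions": restrictions}
    return {"body": body, "sig": _mac(body)}


def storage_allows(proxy: dict, path: str, op: str) -> bool:
    """Decision taken by the storage resource for op 'read' or 'write'."""
    if not hmac.compare_digest(_mac(proxy["body"]), proxy.get("sig", "")):
        return False  # restriction attributes were altered or stripped
    if op not in ("read", "write"):
        return False
    rules = proxy["body"]["restrictions"]
    if rules is None:
        return True  # unrestricted proxy: full impersonation
    target = normpath("/" + path.lstrip("/"))  # collapse ".." before matching
    for prefix, mode in rules:
        base = normpath(prefix).rstrip("/")
        covered = target == base or target.startswith(base + "/")
        if covered and (op == "read" or mode == "rw"):
            return True
    return False  # default deny: no restriction attribute grants this access


# Constructed sample: job 42 may read its inputs and write only its outputs.
JOB_PROXY = issue_proxy("/CN=constructed user/CN=proxy", [
    ["/grid/vo/job42/in", "r"],
    ["/grid/vo/job42/out", "rw"],
])
```
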
Access to untrusted Storage Resources of Desktop Grids
Could access of trusted Computing Resources to untrusted Storage Resources of Desktop Grids be acceptable?
EDGeS is studying the issue. We can get advice from you and Jesus LUNA.
[Diagram: Grid User, "Submits Job", EGEE Computing Element, "Submits Job", Trusted Worker Node, "Untrusted Data Access", Untrusted Storage Resource. Hop labels, in order: X509 proxy; X509 proxy; NO X509 proxy.]