Grid Security for the Cyber Science Infrastructure in Japan
Shinichi Mineo(National Institute of Informatics)
International Symposium on Grid Computing 2007
28 March 2007, Academia Sinica, Taipei, Taiwan
Outline
- Introduction of CSI (Cyber Science Infrastructure) & NAREGI Grid Middleware
- A Use Case in NAREGI and its Security Model
- Security Features developed for NAREGI Middleware
- A plan of Authorization Service
- Summary & Open Issues
Cyber-Science Infrastructure (CSI)
Slide figure. Layers, top to bottom: Cyber-Science Infrastructure for R & D; UPKI: National Research PKI Infrastructure; SuperSINET and Beyond: Lambda-based Academic Networking Backbone.
Side labels: Industry/Societal Feedback; International Infrastructural Collaboration.
Activities on the CSI layer: Restructuring Univ. IT Research Resources; Extensive On-Line Publications of Results; Deployment of NAREGI Middleware; Virtual Labs; Live Collaborations.
Backbone sites: Hokkaido-U, Tohoku-U, Tokyo-U, NII, Nagoya-U, Kyoto-U, Osaka-U, Kyushu-U (Titech, Waseda-U, KEK, etc.).
Services: GeNii (Global Environment for Networked Intellectual Information); NII-REO (Repository of Electronic Journals and Online Publications).
Super SINET provides 10 Gbps Backbone.
UPKI: Three Layer Architecture
Slide figure with three PKI layers:
- Grid PKI: NAREGI CA at A Univ. and at B Univ. issues EE certs, from which proxy certs are derived for Grid Computing.
- Campus PKI: A Univ. CA and B Univ. CA issue EE certs for campus use to students, faculty, servers and supercomputers; used for authentication, signing and encryption.
- Open Domain PKI: NII Pub CA and other public CAs issue certs to web servers and for S/MIME; used for signing and encryption. Marked as a future plan.
NAREGI Software Stack as of Beta ver. 2006
Slide figure. Computing Centers & VOs (NII, IMS, KEK, Univ. Centers) connected over SuperSINET; core layer: Globus 4 / NAREGI, WSRF + Services Core.
Components: Grid-Enabled Nano-Applications (WP6); Grid PSE (WP3); Grid Programming: Grid RPC, Grid MPI (WP2); Grid Vis (WP3); Grid VM (WP1); Packaging; Distributed Information Service (WP1); Grid Workflow (WP3); Super Scheduler (WP1); High Performance & Secure Grid Networking (WP5); Data Grid (WP4).
A Use Case: Job Submission with Reservation based Co-Allocation
Slide figure. Client tools (WFT, PSE, GVS, GridRPC) produce a Workflow with an Abstract JSDL for the Super Scheduler. The Super Scheduler issues a Resource Query to the Information Service (via DAI) and performs Reservation based Co-Allocation, sending a Concrete JSDL to the GridVM on each Computing Resource (reservation, submission, query, control, ...). GridVM reports Resource Info. (CIM) and Accounting (UR/RUS) back to the Information Service; GridMPI spans the co-allocated resources.
Requirements in AAA
- Authentication: PKI based user authentication; compatible with GSI standards; trust federation between CAs. Developed NAREGI-CA to be deployed in UPKI.
- Authorization: VO management for inter-organizational collaboration; interoperability with other Grid projects.
- Accounting: ID federation for authn, authz, and charging, with privacy protection!
Labels on the slide: Current Issues to be solved; Future issues.
Trust Chain supported by UPKI
Slide figure. Campus PKI Domain: the CA for Campus PKI issues an EE Cert in IC Card (CSR, ISSUE). Grid PKI Domain: the CA for Grid PKI issues an EE Cert for GRID (CSR, ISSUE). Certs information is shared between the two domains.
VO Management in NAREGI
Slide figure: Services and Users are exposed in a Virtual Organization. Organization A (user 1, user 2, user 3; service_a, service_b, service_c) and Organization B (user p, user q, user r; service_x, service_y, service_z) are each a PKI domain. Under Contract A and Contract B, a subset of each (user 1 as VO Manager, service_a, service_c; user p, service_x, service_y) is exposed into the VO domain.
A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains.
VOMS-type VO Management developed in EGEE
Slide figure. The User holds a User Cert issued by the CA/RA (CRL published) and obtains from VOMS an X.509 Attribute Certificate carrying DN, VO, group, role and capability; the Proxy Cert + VO attributes are presented at Grid Job Submission to GRAM at the EGEE Grid site. At the site, MK-gridmapfile builds the Gridmapfile and GACL, and LCAS acts as the Policy Decision Point, mapping DN > pseudo accounts.
VOMS-type VO Management adopted in NAREGI
Slide figure. The same flow: the User holds a User Cert from the CA/RA (CRL published), obtains the Proxy Cert + VO attributes from VOMS, and submits the Grid Job to GRAM at the NAREGI Grid site. There, the job is managed by the Super Scheduler, and Account Mapping is driven by the DN and VO info through the Gridmapfile and a Policy file.
Job Management in NAREGI
Slide figure. The User sends a Work Flow Description to the Super Scheduler (SS), which performs Resource Reservation & Job Submission to GridVM. The Information Service (IS) is the Policy Information Point (User/Resource Information); GridVM is the Policy Decision & Enforcement Point.
To Realize It …
- In addition to the standard Grid Security, the Super Scheduler (SS) must represent end users: delegation of Proxy Certs to SS.
- Reliable and easy key store and VO Attribute Control must be supported: private key store and VOMS handling are troublesome for end users.
Delegation of Proxy Certs to SS: using the Second MyProxy
Slide figure with USER, NAREGI Portal, SS, GridVM, MyProxy and MyProxy2.
Delegation Procedure -1 (NAREGI Portal, SS, GridVM, MyProxy2)
On the NAREGI Portal:
① Job-WF: Workflow Description
② Job-Hash = hash(Job-WF)
③ Pass Phrase = Job-Hash
④ user-id = unique Id for Job-WF
⑤ myproxy-init(user-id, Pass Phrase)
⑥ send Job-WF to the SS
Delegation Procedure -2 (NAREGI Portal, SS, GridVM, MyProxy2)
On the SS:
⑦ subtract user-id from Job-WF
⑧ Pass Phrase = hash(Job-WF)
⑨ myproxy-get-delegation(user-id, Pass Phrase); delete the used Proxy Cert
⑩ Globus Job submission
On GridVM:
⑪ AuthN & AuthZ of users
⑫ Job submission to the local scheduler according to the AuthZ policy
Security model of Job Submission
Slide figure. The User on the NAREGI Portal sends the Workflow Description to the Super Scheduler (SS); the Portal stores Proxy Certs in MyProxy2 and the SS receives them from there. The SS performs Resource reservation & Job submission to GridVM, using User/Resource Information from the Information Service (IS). Every link is protected by GSI.
Trust Chain in NAREGI Security Model
Slide figure. The chain runs CA, EE Certificate, Proxy Cert (User), Proxy Cert (MyProxy2, tied to the Job Description Hash Value), Proxy Cert (Super Scheduler), Proxy Cert (GridVM); each link is a Signature by the holder of the previous certificate.
Private Key Store and VO Attribute Control by End Users
Slide figure: Private key Store and VOMS Handling (User, CA, MyProxy, VOMS, NAREGI Portal)
① Get EE Cert (from the CA)
② Get Proxy Cert by proxy-init command
③ Request for Attr. Cert (from VOMS), ④ Store in the Proxy Cert
⑤ Delegation to MyProxy
⑥ Get Proxy Cert from NAREGI Portal
⑦ Job Submission
- Difficult for end users to understand PKI and proper handling of certs
- High risk in handling certs by end users themselves
- Prefer to use Grid computing without a special environment such as GT
- Need a unique naming method for proxy certs stored in MyProxy
NAREGI developed One-stop service by User Management Server (UMS)
Slide figure: the User on the NAREGI Portal; the CA issues the EE Cert; the UMS obtains the Proxy Cert with Attr. Cert from VOMS and stores it in MyProxy on the user's behalf.
Grid Job Submission using UMS
Slide figure with Users, Client Environment (User Certificate, Private Key), Portal Services (WFT, PSE, GVS, SS client), User Management Server (UMS), VOMS, MyProxy, The Super Scheduler (SS), MyProxy2 and GridVMs.
① Log in to the Portal
② Select menu to make Proxy Cert with VO attr. and store it to MyProxy
③ Store the Proxy Cert with VO Attr. to MyProxy2 (log in, Workflow (WF))
④ SS analyzes WF and submits jobs
The VOMS Proxy Certificate is delegated from UMS to MyProxy, to the Portal Services, to MyProxy2, to the SS, and on to each GridVM for the Grid Jobs.
Now We are developing AuthZ Service
Based on SAML 2.0 & XACML 2.0 with GT4.0 AuthZ Framework
NAREGI's XACML profile (A Plan)
- Subject Attributes: maps VOMS attributes to XACML Subject Attributes. Needs standardized attribute IDs for well-known types of credentials such as the VOMS attribute certificate.
- Resource Attributes: RAFM enables flexible resource attribute retrieval from the request message content to the SP. To support authorization for WS-Resource or finer-grained resources, this kind of mechanism is needed.
- Action Attributes: maps a GT4.0 AuthZ Framework Property to an XACML Action Attribute; wsa:Action may also work well.
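The three attribute mappings of the planned profile, as an added example that is not NAREGI's AuthZ service: a minimal XACML-style request builder and policy decision point in Python. Subject attributes come from the DN and a VOMS FQAN (the DN, VO, group, role, capability fields named on the EGEE slide), resource attributes from the resource id plus a value pulled out of the request message in the RAFM spirit, and the action attribute from the operation name. The standard XACML subject-id, resource-id and action-id identifiers are real; the VOMS and queue attribute ids, the policy rules, the DN and the resource URIs are constructed placeholders, since the slide says standardized ids for VOMS credentials are still needed.

```python
"""Added example, not NAREGI code: XACML-style request context and PDP
for the VOMS -> subject / message -> resource / operation -> action maps."""
import fnmatch

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Placeholder ids (hypothetical); no standardized ids exist for these yet
VOMS_VO = "urn:example:naregi:voms:vo"
VOMS_GROUP = "urn:example:naregi:voms:group"
VOMS_ROLE = "urn:example:naregi:voms:role"
VOMS_CAPABILITY = "urn:example:naregi:voms:capability"
RES_QUEUE = "urn:example:naregi:resource:queue"


def parse_fqan(fqan):
    """Map a VOMS FQAN such as /nano/analysis/Role=admin/Capability=NULL
    to XACML subject attributes (VO, group, role, capability)."""
    groups, role, capability = [], "NULL", "NULL"
    for part in filter(None, fqan.split("/")):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            capability = part[len("Capability="):]
        else:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN must start with the VO name")
    return {VOMS_VO: groups[0], VOMS_GROUP: "/" + "/".join(groups),
            VOMS_ROLE: role, VOMS_CAPABILITY: capability}


def build_request(dn, fqan, resource_id, message_attrs, action):
    """Assemble the request context from the three attribute sources."""
    return {
        "subject": {SUBJECT_ID: dn, **parse_fqan(fqan)},
        "resource": {RESOURCE_ID: resource_id, **message_attrs},  # RAFM-style
        "action": {ACTION_ID: action},  # GT4 operation property -> action-id
    }


# Constructed sample policy; every attribute in a rule's target must match
# (values are shell-style glob patterns).
POLICY = [
    {"effect": "Permit", "target": {
        "subject": {VOMS_GROUP: "/nano/analysis", VOMS_ROLE: "NULL"},
        "resource": {RESOURCE_ID: "gridvm://*", RES_QUEUE: "default"},
        "action": {ACTION_ID: "submitJob"}}},
    {"effect": "Permit", "target": {
        "subject": {VOMS_GROUP: "/nano/analysis", VOMS_ROLE: "admin"},
        "resource": {RESOURCE_ID: "gridvm://*"},
        "action": {ACTION_ID: "submitJob"}}},
    {"effect": "Deny", "target": {
        "subject": {VOMS_VO: "nano"},
        "resource": {RESOURCE_ID: "gridvm://site-b/*"}}},
]


def rule_matches(rule, request):
    for category, wanted in rule["target"].items():
        have = request[category]
        for attr_id, pattern in wanted.items():
            value = have.get(attr_id)
            if value is None or not fnmatch.fnmatchcase(value, pattern):
                return False
    return True


def evaluate(policy, request):
    """Deny-overrides combining: a matching Deny wins, then Permit,
    otherwise NotApplicable (a PEP should treat that as a refusal)."""
    effects = {rule["effect"] for rule in policy if rule_matches(rule, request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def decide(dn, fqan, resource_id, queue, action="submitJob"):
    """PDP entry point: build the request context and evaluate the policy."""
    request = build_request(dn, fqan, resource_id, {RES_QUEUE: queue}, action)
    return evaluate(POLICY, request)


if __name__ == "__main__":
    alice = "/C=JP/O=NII/CN=alice"  # constructed DN
    print(decide(alice, "/nano/analysis/Role=NULL/Capability=NULL", "gridvm://site-a/vm1", "default"))
    print(decide(alice, "/nano/analysis/Role=admin/Capability=NULL", "gridvm://site-b/vm7", "default"))
```

The queue attribute is the kind of value the slide wants retrieved from the message content: without it the PDP could only decide per endpoint, with it the same endpoint can be authorized at finer granularity. The explicit NotApplicable result matters at the PEP, which must not treat "no rule matched" as a grant.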
Security Architecture - Overview
Slide figure. Components: NAREGI-CA (CA); Credential Management (MyProxy); VO Membership Management (VOMS); Authorization (NAREGI-AuthZ, proto-type); Information Service; Portal (WFT, PSE, GVS, SS client); Super Scheduler; Delegation Service; DataGrid; Resources (GridVM with local Info. incl. VO).
Flow: the user logs in to the Portal with the User Certificate; Proxy Certificates are delegated via MyProxy (with Renewal) through the Super Scheduler, the DataGrid and GridVM; VO Attr. Mgmt. is done by VOMS; Resource Info. (incl. VO info) is collected by the Information Service.
Authorization: the AuthZ Service with its AuthZ Policy Repository, VO Management, PDP, PA and PEP&SP (incl. CVS); Site Management with a Local AuthZ Service, Local AuthZ Policy Repository, PDP, PA, AA, PEP&SP and PIP. All service links use GSI.
So far, we came…
Security services of The Open Grid Services Architecture, Version 1.0:
- Privacy Services
- Authorization Services (VO Policy)
- Trust Services
- Attribute Services
- Audit/Source-Logging Services
- Credential Validation Services
- Bridge/Translation Services
- Authentication / Identity Mapping
- Credential Conversion
Labels on the slide marking what CSI covers: UPKI; NAREGI/VOMS; UPKI (TBD); UPKI (TBD).
Summary & Open Issues
- CSI is composed of a high-speed backbone network, UPKI, Grid middleware and various services on it.
- NAREGI at first has developed a reliable AuthN system to be deployed in UPKI.
- As VO management, VOMS has been adopted for interoperability with EGEE.
- Now NAREGI is developing an AuthZ service based on SAML 2.0 & XACML 2.0 with the GT4.0 AuthZ Framework.
- ID management and Accounting are still remaining open issues, to be designed jointly with all the stakeholders in CSI.
- Security is a key issue for CSI, which will integrate the next generation peta-scale computing facilities to innovate Academia and Industry in Japan.