
Page 1: Security

Security

Daniel Mallmann [email protected]

MWSG meeting Amsterdam 14-15 December 2005

Page 2: Security

Architecture Overview (diagram): Clients on the Internet connect to the Gateway of each Unicore site (Usite A, Usite B). Behind the Gateway, each virtual site (Vsite A1; Vsite B1, Vsite B2) runs a Network Job Supervisor and a Target System Interface.

Page 3: Security

Client

Java application

User authentication via X.509 certificates

Global or local list of Unicore sites (Usites)

Connects to Gateway via SSL and Unicore Protocol Layer (UPL)

Job preparation

♦ Workflow management

♦ File management

♦ Abstract Job Object (AJO) generation

♦ Job signing

Job monitoring

Job control

(Diagram: client components JobPreparation, JobMonitor and WorkflowManagement, with the lists of Usites and Vsites.)

Page 4: Security

Client (diagram): the Client holds the Unicore Site list and connects over the Internet to the Gateway via SSL.

Page 5: Security

Gateway (diagram): the architecture overview with the Gateway highlighted; the Gateway is the entry point of each Usite in front of the Network Job Supervisors and Target System Interfaces of its Vsites.

Page 6: Security

Gateway

Authentication:

♦ Connection only with valid certificates from accepted Certification Authorities

♦ Forwards client certificate to NJS for authorisation

Single point of entry for all Unicore services of the Usite

♦ Only one open port

List of Vsites

Connects to Vsites via UPL (SSL optional)

Page 7: Security

Gateway (diagram): the Client connects over the Internet via SSL to the Gateway, which sits at the Firewall; using its Vsite list the Gateway forwards to the Network Job Supervisors of Vsite 1, Vsite 2 and Vsite 3.

Page 8: Security

Network Job Supervisor (diagram): the architecture overview with the Network Job Supervisor of each Vsite highlighted.

Page 9: Security

Network Job Supervisor

Checks integrity of jobs

Authorises the user by Unicore User Data Base (UUDB)

♦ Mapping of Unicore user certificate to target system Xlogin

Forwards sub jobs to remote Vsites

Translates abstract job into target system specific tasks based on Incarnation Data Base (IDB)

Transfers files to work directory on the target system via socket connection

Submits jobs to Target System Interface (TSI) via socket connection

Page 10: Security

Network Job Supervisor (diagram): the NJS sits between the Gateway and the Target System Interface and consults the Incarnation Data Base and the Unicore User Data Base; a second NJS is reached through its own Gateway over the Internet.

Page 11: Security

Target System Interface (diagram): the architecture overview with the Target System Interface of each Vsite highlighted.

Page 12: Security

Target System Interface

Interfaces between Unicore and the Grid resource

Executes the specific tasks, translated by the NJS, or submits them to the batch sub system

Stores and sends files from/to the Unicore Client or local directories

Contains batch sub system, operating system and installation specific code

Runs as root

Page 13: Security

Target System Interface (diagram): the Network Job Supervisor talks to the TSI's Shepherd, which hands work to Workers; the Workers access the Batch Sub System, File System, Application and Operating System.

Page 14: Security

Multisite Job (diagram): the architecture overview; a multisite job spans Vsites of Usite A and Usite B, reached through their Gateways.

Page 15: Security

Multisite Job

(Diagram: the Client sends a Job over SSL to the Primary Network Job Supervisor, which sends a SubJob over SSL to the Secondary Network Job Supervisor; each connection is marked with either the user certificate or the NJS certificate.)

Consignor

♦ The entity (user client or NJS) that consigns a job or sub-job

♦ Expressed by the certificate used in the SSL connection

Endorser

♦ The entity (user) that authorises the tasks to be performed

♦ Expressed by signing the serialized AJO directed acyclic graph

Page 16: Security

Explicit Trust Delegation (diagram): the architecture overview with a Portal added beside the Client as a further entry point to the Gateway.

Page 17: Security

Explicit Trust Delegation

(Diagram: a WS-Client (Browser) connects over SSL to the Portal, which connects over SSL to the Network Job Supervisor; the Job carries "User: name"; connections are marked with either the user certificate or the Portal certificate.)

User

♦ New role besides consignor and endorser

♦ Entity (user) on whose behalf tasks will be performed

Trusted Agents (Portal)

♦ Added to the UUDB explicitly

♦ Allowed to endorse AJO on behalf of users
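As an added example (not code from these slides or from UNICORE itself), the following Python models the checks the Gateway, Network Job Supervisor, Multisite Job and Explicit Trust Delegation slides describe: the Gateway's accepted-CA check on the consignor's SSL certificate, the NJS integrity check of the endorser's signature over the serialized AJO, the UUDB mapping to an Xlogin, and the rule that only a trusted agent may endorse on behalf of a different user. The UUDB entries, certificates and the HMAC stand-in for X.509 signing are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data (assumptions, not UNICORE's own). The UUDB maps a
# certificate subject DN to a target-system Xlogin; trusted agents (portals)
# are flagged explicitly, as the Explicit Trust Delegation slide describes.
UUDB = {
    "CN=Alice,O=Site A": {"xlogin": "alice", "trusted_agent": False},
    "CN=Portal,O=Site A": {"xlogin": None, "trusted_agent": True},
}
ACCEPTED_CAS = {"CN=Site A CA"}
# Stand-in for X.509 signing keys: UNICORE signs the serialized AJO with the
# endorser's certificate key; a per-subject HMAC secret models that here.
SIGNING_KEYS = {"CN=Alice,O=Site A": b"alice-key", "CN=Portal,O=Site A": b"portal-key"}
# Certificates presented on the SSL connection (the consignor), reduced to subject/issuer.
ALICE_CERT = {"subject": "CN=Alice,O=Site A", "issuer": "CN=Site A CA"}
PORTAL_CERT = {"subject": "CN=Portal,O=Site A", "issuer": "CN=Site A CA"}
NJS_CERT = {"subject": "CN=NJS A1,O=Site A", "issuer": "CN=Site A CA"}  # primary NJS consigning a sub-job
ROGUE_CERT = {"subject": "CN=Alice,O=Site A", "issuer": "CN=Unknown CA"}

def serialize_ajo(ajo):
    # Canonical serialization so signer and verifier hash identical bytes
    return json.dumps(ajo, sort_keys=True).encode()

def sign_ajo(ajo, endorser):
    return hmac.new(SIGNING_KEYS[endorser], serialize_ajo(ajo), hashlib.sha256).hexdigest()

def gateway_accepts(cert):
    # Gateway: connection only with a certificate from an accepted CA
    return cert["issuer"] in ACCEPTED_CAS

def njs_authorise(consignor_cert, ajo, endorser, signature):
    """Model of the NJS checks: integrity, UUDB lookup, ETD 'user' role.
    Returns (xlogin, reason); xlogin is None when the job is rejected."""
    if not gateway_accepts(consignor_cert):
        return None, "gateway: consignor certificate not from an accepted CA"
    if endorser not in SIGNING_KEYS or not hmac.compare_digest(sign_ajo(ajo, endorser), signature):
        return None, "njs: AJO signature does not verify for endorser"
    entry = UUDB.get(endorser)
    if entry is None:
        return None, "njs: endorser not in UUDB"
    user = ajo.get("user", endorser)  # 'user' role; defaults to the endorser
    if user != endorser and not entry["trusted_agent"]:
        return None, "njs: endorser is not a trusted agent for this user"
    user_entry = UUDB.get(user)
    if user_entry is None or user_entry["xlogin"] is None:
        return None, "njs: no Xlogin mapping for user"
    return user_entry["xlogin"], "ok"
```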

Page 18: Security

UniGrids project

All components are being moved to stateful Web Services

♦ Based on the Open Grid Services Architecture (OGSA)

♦ Compliant with the Web Services Resource Framework

Gateway handles multiple protocols

Web Service implementation of the UUDB

Page 19: Security

References

Unicore

♦ Software: http://unicore.sourceforge.net

♦ Whitepaper: http://www.unicore.org/ ...... documents/UNICOREPlus-Final-Report.pdf

Unicore Security

♦ GGF Document GFD.18, "An Analysis of the UNICORE Security Model", http://www.gridforum.org/documents/GFD.18.pdf

UniGrids

♦ http://www.unigrids.org

Explicit Trust Delegation

♦ Fujitsu Scientific & Technical Journal, Special Issue: Grid Computing, 2004-12 (Vol.40, No.2), "Explicit Trust Delegation: Security for Dynamic Grids", http://www.fujitsu.com/downloads/MAG/vol40-2/paper12.pdf