1 1 1 How Grid Security works in GEO Sciences N. Yamamoto, Y. Tanaka, I. Kojima, S. Sekiguchi AIST...

1

1

http://www.geogrid.org/

www.geogrid.org

1

How Grid Security works How Grid Security works in GEO Sciencesin GEO Sciences

N. Yamamoto, Y. Tanaka, I. Kojima, S. SekiguchiAIST

Oct. 28, 2009 GEO Workshop / PRAGMA17Hanoi

22

http://www.geogrid.org

2

What is Grid SecurityWhat is Grid Security

Who am I? / Who are they?Grid Security Infrastructure (GSI)

What can I do? / What can they do?Virtual Organization Membership Service (VOMS)

33


3

GEO Grid VO DesignGEO Grid VO Design

Identity

44


4

RequirementsRequirements

Credential Management:Non-secure users often manage their private keys for PKI / GSI credentials without careful planning.

Authentication methods:Must accommodate existing, settled authentication methods, OpenID, Shibboleth, username and password, user credential, etc.

Portal Development:Must accommodate existing application portals written by PHP, Perl, Python, Java Servlet, etc.

55


5

Tsukuba-GAMATsukuba-GAMA

Tsukuba-GAMA Authentication Flow for PKI / GSITsukuba-GAMA Authentication Flow for PKI / GSI

User

usernameand

password

VOMS

CredentialRepositoryMy Proxy

Repository

Online CA

VO Management

CredentialManagement

OpenID

usercredential

VO Portal

PHP,Perl,

Python, etc...

VOMSProxyCertificate

End EntityCertificate

My Proxy CA

VO attribute

Language Free Portal Development: Must accommodate existing application portals written by PHP, Perl, Python, Java Servlet, etc. Provides Apache, Servlet, and GridSphere authentication modules, in order to support any language.

Credential Management: Non-secure users often manage their private keys for PKI / GSI without careful planning.

Manages user credentials on the server side, instead of leaving it to inexperienced users.

Independencefrom Authentication methods: Must accommodate existing, settled authentication methods, OpenID, Shibboleth, username and password, user credential, etc.

Generates Grid credentials from any method.

Proxy CertificateOUR SOLUTION:OUR SOLUTION:TSUKUBA-GAMATSUKUBA-GAMA

77


7


DEMO 1:DEMO 1:TSUKUBA-GAMATSUKUBA-GAMA

LOGIN LOGIN PRAGMA VOPRAGMA VO PORTAL PORTAL(GRIDSPHERE)(GRIDSPHERE)

88


8

Demo Environments - loginDemo Environments - login

CredentialRepository

PRAGMA VOMS

PRAGMA VO portalhttp://gfm49.apgrid.org/gridsphere/

USER

vomsproxy cert

2. generategloubsproxy certificate

1. input username and pass of user cert

3. add voms attribute

4. register proxy cert

99


9

Identity

Attribute

1010


10


DEMO 2:DEMO 2:TSUKUBA-GAMATSUKUBA-GAMA

LOGIN LOGIN TESTVOTESTVO PORTAL PORTAL(GRIDSPHERE)(GRIDSPHERE)

1111


11

Same Identity

Different Attribute

1212


12

GEO Grid VO DesignGEO Grid VO Design

PRAGMA VO TEST VO

I’m here

1313


13

GSI w/ VOMSGSI w/ VOMS

PRAGMA VO Portal(GridSphere,

Perl, PHP, Java etc.)

PRAGMA VO Portal(GridSphere,

Perl, PHP, Java etc.)

TEST VO PortalTEST VO Portal

Credential Repository(MyProxy Repository)Credential Repository(MyProxy Repository)

Online-CA(MyProxy CA)

Online-CA(MyProxy CA)

PRAGMA-VO(VOMS)

PRAGMA-VO(VOMS)

GHZ-VO(VOMS)GHZ-VO(VOMS)

Sign Certificate

VO membermanagement

ShareAccount

1515


15


EXAMPLE SCENARIO:EXAMPLE SCENARIO:SATELLITE DATABASE SATELLITE DATABASE

FEDERATIONFEDERATION

1616


16

OGSA-DAI

Demo environmentDemo environment

ASTER@Japan

PALSAR@Japan

MODIS@Japan

Formosat2@Taiwan

/PRAGMA/Geo/PRAGMA/Geo/TESTVO /GHZ NONE (FREE)

1717


17


DEMO 3: SIMSDEMO 3: SIMSSATELLITE DATABASE SATELLITE DATABASE

FEDERATIONFEDERATION

1818


18

Database Server(Sybase)

FORMOSAT-2

Application Server OGSA-

DAI

Globus

SQLw/ JDBC

NSPO@TW

Database Server(PostgreSQL)

ASTER MODIS

OGSA-DAI

SQLw/ JDBC

OGSA-DAI

Globus

AIST@JP

AIST

OGSA-DAI Client

Integration Frameworkwith OGSA-DAI

Java Program

SQ

L

SQ

L

SQL SQL SQL

SIMS portlet - query data - create web page which shows thumbnail images

VOMSVOMS VOMSVOMS

SIMSSIMS

1919


19

SIMS – Search ResultsSIMS – Search Results

MODISFORMOSAT-2

ASTER

2020


20


DEMO 4:DEMO 4:LANGUAGE FREELANGUAGE FREE

PORTAL DEVELOPMENTPORTAL DEVELOPMENT

2121


21


DEMO 4-1:DEMO 4-1:PORTAL DEVELOPMENTPORTAL DEVELOPMENT

(OPENLAYERS)(OPENLAYERS)

2222


22

https://portal/OGCProxy?\ URL=https://gridsite/..../service

https://gridsite/..../service

User

ContentsACL: /testvo.geogrid.org/aster

GridSite

VOMS Proxy

VO Name Group

OGCProxyOGCProxy

OGCProxy is a broker portlet

forwarding users' requests to backend OGC services.providing freely development environment of client application.

OGCProxy

2323


23

ASTER + Formosat2 / OpenLayersASTER + Formosat2 / OpenLayers

ASTER / Japan

Formosat2 / Taiwan

2424


24


DEMO 4-2:DEMO 4-2:PORTAL DEVELOPMENTPORTAL DEVELOPMENT

(PHP, PERL, ...)(PHP, PERL, ...)

2525


25

Web Portal DevelopmentWeb Portal Development

apache_ahtn_myproxy modulePHP, Perl, Phython, etc.

Servlet basic authentication moduleJava Servlet

GridSphere authentication module

2626


26


DEMO 5:DEMO 5:INDEPENDENCE FROM INDEPENDENCE FROM

AUTHENTICATION AUTHENTICATION METHODSMETHODS

2727


27


DEMO 5-1:DEMO 5-1:INDEPENDENCE FROM INDEPENDENCE FROM

AUTHENTICATION AUTHENTICATION METHODS:METHODS:(OPENID)(OPENID)

2828


28

User

Passwordfor OpenID

OpenID Server

VO memberDB

VOMS server

MyProxy CA

- Account DB- Credential Repository

Web Portal

Request short-livedcredential

VOMS proxy

OpenID URL

OpenID authentication moduleOpenID authentication module

2929


29


DEMO 5-1:DEMO 5-1:INDEPENDENCE FROM INDEPENDENCE FROM

AUTHENTICATION AUTHENTICATION METHODS:METHODS:

(CREDENTIAL)(CREDENTIAL)

3030


30

Credential LoginCredential Login


User

usernameand

password

VOMS


Repository

Online CA

VO Management


OpenID

usercredential

VO Portal

PHP,Perl,

Python, etc...



My Proxy CA

VO attribute

Language Free Portal Development: Must accommodate existing application portals written by PHP, Perl, Python, Java Servlet, etc. Provides Apache, Servlet, and GridSphere authentication modules, in order to support any language.

Credential Management: Non-secure users often manage their private keys for PKI / GSI without careful planning.

Manages user credentials on the server side, instead of leaving it to inexperienced users.

Independencefrom Authentication methods: Must accommodate existing, settled authentication methods, OpenID, Shibboleth, username and password, user credential, etc.

Generates Grid credentials from any method.

3131


31

Compare IdentityCompare Identity

Identity

Same VO

Credential Login

OpenID Login

3232


32

ConclusionsConclusions


User

usernameand

password

VOMS


Repository

Online CA

VO Management


OpenID

usercredential

VO Portal

PHP,Perl,

Python, etc...



My Proxy CA

VO attribute

Language Free Portal Development: - GridSphere / Satellite database federation - Geographical portal / OpenLayers - PHP, Perl

Credential Management: - User does not need to manage their credentials

Independencefrom Authentication methods: - Username and Password - OpenID - Globus credential

3333


33


THANK YOUTHANK YOU

To be released NEXT month!

3434


34


DEMO 6:DEMO 6:ACCOUNT CREATIONACCOUNT CREATION

3535


35

Account CreationAccount Creation

Account DB(GAMA)

VO(VOMS)

VO portalhttp://testvo.geogrid.org/gridsphere/

Account Portalhttp://testvo.geogrid.org:9443/gridsphere

USER

1. Request an account

Account Admin

2. Approve

3. Activate an account

VO Admin

4. Register the user to the VO

4. Import the user’s account information to the VO

1 1 1 How Grid Security works in GEO Sciences N. Yamamoto, Y. Tanaka, I. Kojima, S. Sekiguchi AIST...

Documents

Transcript of 1 1 1 How Grid Security works in GEO Sciences N. Yamamoto, Y. Tanaka, I. Kojima, S. Sekiguchi AIST...