
Security and Certification Issues in Grid Computing

Ian Foster

Mathematics and Computer Science Division

Argonne National Laboratory

and

Department of Computer Science

The University of Chicago

http://www.mcs.anl.gov/~foster

International Workshop on Certification and Security in E-Services (CSES 2002), Montreal, Canada, Aug 28

2

[email protected] ARGONNE CHICAGO

Partial Acknowledgements

- Grid computing, Globus Project, and OGSA: Carl Kesselman @ USC/ISI, Steve Tuecke @ ANL; talented team of scientists and engineers at ANL, USC/ISI, elsewhere (see www.globus.org)
- Open Grid Services Architecture (OGSA): Karl Czajkowski @ USC/ISI, Jeff Nick, Steve Graham, Jeff Frey @ IBM, www.globus.org/ogsa
- Grid security, OGSA Security, CAS: Frank Siebenlist, Von Welch, Laura Pearlman
- Support from DOE, NASA, NSF, IBM, Microsoft


Overview

- What is the Grid anyway? And what’s it got to do with e-services?
- Grid security & certification issues
  - Demands of virtual organizations—and Grid approach to addressing these demands
- Implementation approach
  - Globus Toolkit & Grid Security Infrastructure
  - Open Grid Services Architecture (OGSA)
  - OGSA security architecture
- Summary



E-Science: The Original Grid Driver

- Pre-electronic science
  - Theorize &/or experiment, in small teams
- Post-electronic science
  - Construct and mine very large databases
  - Develop computer simulations & analyses
  - Access specialized devices remotely
  - Exchange information within distributed multidisciplinary teams
- Need to manage dynamic, distributed infrastructures, services, and applications


And Thus: The Grid

“Resource sharing & coordinated problem solving in dynamic, multi-institutional virtual organizations”


Grids at NASA: Aviation Safety

[figure: coupled simulation models (engine, airframe, wing, landing gear, stabilizer and human models), each annotated with what it captures: lift and drag capabilities, deflection, thrust and reverse-thrust performance, fuel consumption, braking, steering, traction and dampening, responsiveness, and crew capabilities (accuracy, perception, stamina, reaction times, SOPs)]


Life Sciences: Telemicroscopy

[figure: imaging instruments, data acquisition and processing, large databases, computational resources, and analysis with advanced visualization, all linked over a network]

www.griphyn.org/chimera

Sloan Digital Sky Survey Analysis

[figure: question posed, “Size distribution of galaxy clusters?”; a log-log plot of galaxy cluster size distribution, Number of Clusters (1 to 100000) against Number of Galaxies (1 to 100); produced with the Chimera Virtual Data System + GriPhyN Virtual Data Toolkit + iVDGL Data Grid (many CPUs)]


Data Grids for High Energy Physics

[figure: tiered data grid labelled Tier 0, Tier 1, Tier 2 and Tier 4. CERN Computer Centre with online system and offline processor farm, ~20 TIPS; regional centres (FermiLab ~4 TIPS, France, Italy, Germany); Tier2 Centres at ~1 TIPS each, including Caltech; institutes at ~0.25 TIPS with a physics data cache; physicist workstations. Link rates: ~PBytes/sec from the detector, ~100 MBytes/sec, ~622 Mbits/sec (or Air Freight, deprecated), ~1 MBytes/sec]

- There is a “bunch crossing” every 25 nsecs.
- There are 100 “triggers” per second.
- Each triggered event is ~1 MByte in size.
- Physicists work on analysis “channels”.
- Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server.
- 1 TIPS is approximately 25,000 SpecInt95 equivalents.


Resource Sharing within “VOs” is Not Unique to Science!

- Fragmentation of enterprise infrastructure
  - Driven by cheap servers, fast nets, ubiquitous Internet, eBusiness workloads
  - Need to configure distributed collections of services to deliver specified QoS
- Virtualization
  - Emerging service infrastructure, utility computing models, economies of scale
  - Services dynamically instantiated across device spectrum
- B2B, B2C, C2C interactions


Virtualization and Distributed Service Management

[figure: a dynamically provisioned device continuum from less capable, less connected, integrated devices to larger, more integrated, more connected ones, with the user service locus placed on it; layered over it, resource & service aggregation, delivery of virtualized services with QoS guarantees, dynamic secure service discovery & composition, and distributed service management]


Grid Computing

“Grid Computing”, by M. Mitchell Waldrop, May 2002: “Hook enough computers together and what do you get? A new kind of utility that offers supercomputer processing on tap. Is Internet history about to repeat itself?”


Challenging Technical Requirements

Dynamic formation and management of virtual organizations

Discovery & online negotiation of access to services: who, what, why, when, how

Configuration of applications and systems able to deliver multiple qualities of service

Management of distributed state within infrastructures, services, and applications

Open, extensible, evolvable infrastructure


[overlaid across the same requirements: “Security and Certification Issues”]


Grid Security & Certification

Challenges include:
- Dynamic group membership and trust relationships within virtual organizations
- Complex computational structures extending beyond client-server: delegation
- Mission-critical apps and valuable resources

Issues include:
- Cross-certification
- Mechanisms and credentials
- Distributed authorization
- Secure logging and audit


Cross “Certification” Issue

[figure: Domain A (certification authority, policy authority, Sub-Domain A1, Server X) and Domain B (certification authority, policy authority, Sub-Domain B1, Server Y); a task spans Server X and Server Y, but there is a trust mismatch and no cross-domain trust between the two certification authorities]


Cross-Certification

- Cross-certification at corporate level difficult: legal implications, liability, bureaucracy
- Address trust at user/resource level! Many business relationships do not require involvement of President/CEO …
- Virtual organization as bridge
  - Federate through mutually trusted services
  - Local policy authorities rule …
- Assertions language for trust relationships: WS-Trust, WS-Federation, WS-Policy


Grid Solution: Use Virtual Organization as Bridge

[figure: the same Domain A / Domain B picture, still with no cross-domain trust between their certification and policy authorities; a Virtual Organization domain with its own certification authority and a federation service bridges the two through a common mechanism, so the task can span Server X and Server Y]


Mechanism and Credential Issue

- Different mechanisms & credentials
  - X.509 vs Kerberos, SSL vs GSSAPI, X.509 vs. X.509 (different domains)
  - X.509 attribute certs vs SAML assertions
- Need for common mechanism: GSI-SecureConversation
- Need for credential federation services
  - Obtain X.509 creds with Kerberos ticket
  - Obtain Kerberos ticket with X.509 creds
  - Cross X.509 or Kerberos domains/realms


Example: Kerberos-X.509 Federation

- Requestor: Kerberos realm
- Server: X.509-based domain (only authenticates requestors with X.509 creds)
- VO provides Kerberos-CA federation service
  - Has Kerberos identity within requestor’s realm
  - Kerb-CA cert is trusted within server-side VO
  - Kerb-CA issues (short-lived) X.509 certs that assert requestor’s Kerberos principal name
- Requestor’s runtime is “X.509-enabled”
- Server’s access control policy within the VO is based on requestor’s Kerberos principal name


Kerberos-X.509 Federation Service

[figure: the requestor in its Kerberos realm presents a Kerberos ticket to the VO domain’s Kerberos-CA service and receives an X.509 cert; it then uses an X.509-secured protocol to reach the server in the X.509 domain, whose policy authority trusts Krb-CA-issued certs and enforces policy on the requestor’s principal name]
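The Kerberos-CA exchange described above, as an added example that is not part of the talk or of the Globus code: a Python model of the federation service and of the server-side check. Signatures are HMACs under per-issuer keys standing in for real Kerberos and X.509 signatures; the realm, principal, keys and timestamps are all constructed.

```python
import hmac, hashlib, json

def _sign(key: bytes, body: dict) -> str:
    # Stand-in for a real signature: HMAC over the canonical JSON of the body
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def _verify(key: bytes, msg: dict, sig_field: str) -> bool:
    body = {k: v for k, v in msg.items() if k != sig_field}
    return hmac.compare_digest(_sign(key, body), msg.get(sig_field, ""))

class KerberosCA:
    """VO federation service: it holds an identity in the requestor's Kerberos realm,
    checks the presented ticket, and issues a short-lived X.509-style cert whose
    subject asserts the requestor's Kerberos principal name."""
    def __init__(self, realm: str, kdc_key: bytes, ca_key: bytes, lifetime: int = 3600):
        self.realm, self.kdc_key, self.ca_key, self.lifetime = realm, kdc_key, ca_key, lifetime

    def issue(self, ticket: dict, now: int) -> dict:
        if not _verify(self.kdc_key, ticket, "mac"):           # minted by this realm's KDC?
            raise PermissionError("ticket failed verification")
        if ticket["realm"] != self.realm or ticket["expires"] <= now:
            raise PermissionError("ticket not valid for this realm or time")
        cert = {"issuer": "Kerb-CA", "subject": f"{ticket['principal']}@{ticket['realm']}",
                "not_after": now + self.lifetime}
        cert["sig"] = _sign(self.ca_key, cert)
        return cert

def server_authorize(cert: dict, trusted_cas: dict, acl: set, now: int) -> bool:
    """X.509 domain side: accept only certs from a CA this VO trusts, reject expired
    ones, then apply the access policy to the Kerberos principal name in the subject."""
    key = trusted_cas.get(cert.get("issuer"))
    if key is None or not _verify(key, cert, "sig"):
        return False
    return cert["not_after"] > now and cert["subject"] in acl

# Constructed sample realm: the KDC key mints tickets, the Kerb-CA key signs certs
KDC_KEY, CA_KEY = b"constructed-kdc-secret", b"constructed-kerb-ca-secret"

def make_ticket(principal: str, realm: str, expires: int) -> dict:
    ticket = {"principal": principal, "realm": realm, "expires": expires}
    ticket["mac"] = _sign(KDC_KEY, ticket)
    return ticket

def demo(now: int = 1_000_000):
    ca = KerberosCA("EXAMPLE.ORG", KDC_KEY, CA_KEY)
    cert = ca.issue(make_ticket("alice", "EXAMPLE.ORG", now + 600), now)
    trusted, acl = {"Kerb-CA": CA_KEY}, {"alice@EXAMPLE.ORG"}
    return (server_authorize(cert, trusted, acl, now),               # valid and on the ACL
            server_authorize(cert, trusted, acl, now + 7200),        # short-lived cert expired
            server_authorize(cert, {"Other-CA": CA_KEY}, acl, now))  # issuer not trusted here
```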


Grid Authorization/Policy Issue

- Resources may not know foreign requestors: impairs fine-grained policy admin
- Outsource policy admin to requestor’s sub-domain: enables fine-grained policy
- “Community Authorization Service” (CAS)
  - Resource owner sets coarse-grained policy rules for foreign domain on “CAS-identity”
  - CAS sets policy rules for its local users
  - Requestors obtain capabilities from their local CAS that get enforced at the resource


Community Authorization Service

[figure: the requestor in Sub-Domain A1 obtains capability assertions from the VO domain’s Community Authorization Service and sends its request plus CAS assertions to the server in Sub-Domain B1; Domain B’s policy authority treats the CAS identity as “trusted”, and enforcement is on the CAS identity and the requestor’s capabilities]
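The two-level enforcement the CAS slides describe, as an added example that is not from the talk or from the Globus CAS implementation. It assumes the capability assertions have already been authenticated as issued by the named CAS over the secure conversation, so only the policy evaluation is modelled; the CAS name, paths and actions are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Capability:
    """Issued by a CAS to one of its local users; assumed already authenticated as
    coming from cas_id (e.g. carried as a signed assertion in the request)."""
    subject: str          # requestor identity as the CAS knows it
    cas_id: str           # the CAS that issued this capability
    action: str           # e.g. "read" / "write"
    resource_prefix: str  # path prefix the capability covers

@dataclass
class ResourcePolicy:
    """Coarse-grained rules the resource owner writes on the CAS identity,
    without having to know any individual foreign requestor."""
    rules: dict = field(default_factory=dict)   # cas_id -> {action: [prefix, ...]}

    def cas_allows(self, cas_id: str, action: str, path: str) -> bool:
        return any(path.startswith(p) for p in self.rules.get(cas_id, {}).get(action, []))

def enforce(policy, trusted_cas, requestor, caps, action, path):
    """Resource-side decision: permit only if a capability from a trusted CAS covers
    the request AND the resource's own rules allow that CAS to grant it."""
    for cap in caps:
        if cap.subject != requestor or cap.cas_id not in trusted_cas:
            continue                      # wrong requestor, or a CAS this resource does not trust
        if cap.action != action or not path.startswith(cap.resource_prefix):
            continue                      # capability does not cover this request
        if policy.cas_allows(cap.cas_id, action, path):
            return True, f"permitted via capability from {cap.cas_id}"
        # The CAS handed out more than the resource owner ever granted it
        return False, f"{cap.cas_id} was never granted '{action}' on {path}"
    return False, "no matching capability presented"

def demo():
    policy = ResourcePolicy({"cas.vo-climate": {"read": ["/data/vo-climate/"],
                                               "write": ["/data/vo-climate/scratch/"]}})
    trusted = {"cas.vo-climate"}
    caps = [Capability("alice", "cas.vo-climate", "read", "/data/vo-climate/"),
            Capability("alice", "cas.vo-climate", "write", "/data/vo-climate/"),  # CAS over-grants
            Capability("bob", "cas.vo-climate", "read", "/data/vo-climate/")]
    run = lambda who, act, path, t=trusted: enforce(policy, t, who, caps, act, path)[0]
    return (run("alice", "read", "/data/vo-climate/run1.nc"),         # True: both layers allow
            run("alice", "write", "/data/vo-climate/scratch/tmp"),    # True: both layers allow
            run("alice", "write", "/data/vo-climate/run1.nc"),        # False: beyond what the CAS was granted
            run("carol", "read", "/data/vo-climate/run1.nc"),         # False: no capability
            run("alice", "read", "/data/vo-climate/run1.nc", set()))  # False: CAS not trusted here
```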


Security Services & VO

[figure: a requestor application in the requestor’s domain and a service provider application in the service provider’s domain, connected through WS-stubs over a secure conversation; security services (credential validation, authorization, attribute, trust, audit/secure-logging, privacy) are available in the requestor’s domain, the VO domain and the service provider’s domain, and the VO domain additionally provides a bridge/translation service]


Secure Logging and Audit

- Robust, secure audit infrastructure is essential for commercial Grid deployment
- Natural audit “code-points” in OGSA runtime: user’s credentials, authorization decisions, invoked portTypes, parameter values, etc.
  - Allows for secure logging transparent and independent from applications
- Standard call-outs to external security services: more relevant audit code-points
- XML facilitates audit-entry filtering & mgmt


Transparent Audit Code-Points

[figure: the “Security Services & VO” diagram again, with the audit/secure-logging services and the WS-stubs’ secure conversation]

All service invocations and policy decisions within stubs are “natural” audit code-points
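The stub-level audit code-points above, as an added example that is not part of the talk or of OGSA: a stub wrapper that records subject, portType, operation, parameter values and the authorization decision as XML entries, with a filter over the resulting log. The portType name, policy and job manager are constructed.

```python
import xml.etree.ElementTree as ET

class AuditLog:
    """Keeps audit entries as XML: one <entry> per code-point."""
    def __init__(self):
        self.root = ET.Element("audit")

    def record(self, subject, port_type, operation, params, decision, reason=""):
        entry = ET.SubElement(self.root, "entry", subject=subject,
                              portType=port_type, operation=operation)
        for name, value in sorted(params.items()):
            ET.SubElement(entry, "param", name=name).text = str(value)
        ET.SubElement(entry, "decision", result=decision).text = reason
        return entry

    def denied(self):
        # Filtering is straightforward once entries are XML: every denied invocation
        return [(e.get("subject"), e.get("operation")) for e in self.root.iter("entry")
                if e.find("decision").get("result") == "deny"]

class AuditingStub:
    """Stub wrapper: the decision is taken and logged here, not in the application."""
    def __init__(self, port_type, impl, policy, log):
        self.port_type, self.impl, self.policy, self.log = port_type, impl, policy, log

    def invoke(self, subject, operation, **params):
        allowed, reason = self.policy(subject, operation, params)
        self.log.record(subject, self.port_type, operation, params,
                        "permit" if allowed else "deny", reason)
        if not allowed:
            raise PermissionError(f"{subject} may not call {operation}: {reason}")
        return getattr(self.impl, operation)(**params)

# Constructed sample service and VO policy
class JobManager:
    def submit(self, executable, cpus):
        return f"job:{executable}:{cpus}"

def vo_policy(subject, operation, params):
    if operation == "submit" and params.get("cpus", 0) > 64:
        return False, "cpu quota exceeded"
    return subject.endswith("@vo.example"), "VO membership"

def demo():
    log = AuditLog()
    stub = AuditingStub("JobManagerPortType", JobManager(), vo_policy, log)
    first = stub.invoke("alice@vo.example", "submit", executable="/bin/sim", cpus=8)
    for who, cpus in (("alice@vo.example", 512), ("eve@other.example", 4)):
        try:
            stub.invoke(who, "submit", executable="/bin/sim", cpus=cpus)
        except PermissionError:
            pass                      # denied calls are still audited
    return first, log.denied(), len(log.root.findall("entry"))
```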


The Grid World: Current Status

- Many major Grid projects in scientific & technical computing/research & education
- Open source Globus Toolkit™ a de facto standard for major protocols & services
  - Simple protocols & APIs for authentication, discovery, access, etc.: infrastructure
  - Information-centric design
  - Large user and developer base
  - Multiple commercial support providers
- Global Grid Forum: community & standards
- Emerging Open Grid Services Architecture


Grid Security Infrastructure

- Uniform authentication & authorization mechanisms in multi-institutional setting
  - Single sign-on, delegation, identity mapping
  - Public key tech, SSL/TLS, X.509, GSS-API
  - Internet/GGF drafts document extensions
- Supporting infrastructure
  - Certificate Authorities
  - Online credential repository
  - Kerberos-X.509 federation server
  - Etc., etc., etc.


GSI in Action: “Create Processes at A and B that Communicate & Access Files at C”

[figure: the user single-signs-on via a “grid-id” and generates a proxy credential, or retrieves one from an online repository; the user proxy sends remote process creation requests, with mutual authentication, to GSI-enabled GRAM servers at Site A (Kerberos) and Site B (Unix), each of which authorizes, maps to a local id, creates a process and generates credentials (a Kerberos ticket at A, a restricted proxy at each site); the two processes communicate with mutual authentication and send a remote file access request to the GSI-enabled FTP server at Site C (Kerberos), which authorizes, maps to a local id and accesses the file on the storage system]
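The proxy-credential chain in the GSI figure, as an added example that is not from the talk or from the Globus Toolkit: structural validation of an end-entity cert plus proxies (issuer linkage, a “/CN=proxy” naming rule, a nested-lifetime rule, and rights that can only narrow down the chain), followed by the gridmap lookup a GRAM or FTP server performs. It assumes each signature was already verified by the transport layer; the distinguished names, rights and gridmap are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cred:
    subject: str
    issuer: str
    not_after: int      # constructed epoch seconds
    rights: frozenset   # what this credential may be used for

FULL = frozenset({"create-process", "read-file", "write-file"})

def validate_chain(chain, trusted_cas, now):
    """chain[0] is the user's long-lived cert (from a trusted CA); every later entry
    is a proxy issued by the entry before it. Returns (grid identity, effective
    rights) or raises ValueError. Only structural rules are checked here."""
    if chain[0].issuer not in trusted_cas:
        raise ValueError("end-entity cert not issued by a trusted CA")
    rights, prev = FULL, None
    for depth, cred in enumerate(chain):
        if cred.not_after <= now:
            raise ValueError(f"credential at depth {depth} has expired")
        if prev is not None:
            if cred.issuer != prev.subject:
                raise ValueError(f"chain broken at depth {depth}")
            if cred.subject != prev.subject + "/CN=proxy":
                raise ValueError(f"proxy naming rule violated at depth {depth}")
            if cred.not_after > prev.not_after:
                raise ValueError(f"proxy at depth {depth} outlives its issuer")
        rights &= cred.rights      # a delegate can narrow rights, never widen them
        prev = cred
    return chain[0].subject, rights

def authorize(chain, trusted_cas, gridmap, action, now):
    """GSI-enabled server: validate, check the action against the effective rights,
    then map the grid identity to a local id (None if unmapped or not permitted)."""
    identity, rights = validate_chain(chain, trusted_cas, now)
    return gridmap.get(identity) if action in rights else None

def demo(now=1_000):
    cas = {"/C=US/O=Example CA"}
    user = Cred("/C=US/O=Example/CN=Alice", "/C=US/O=Example CA", now + 10_000, FULL)
    proxy = Cred(user.subject + "/CN=proxy", user.subject, now + 3_600, FULL)
    limited = Cred(proxy.subject + "/CN=proxy", proxy.subject, now + 600, frozenset({"read-file"}))
    widened = Cred(limited.subject + "/CN=proxy", limited.subject, now + 100, FULL)
    overlong = Cred(proxy.subject, user.subject, now + 99_999, FULL)   # outlives the user cert
    gridmap, chain = {user.subject: "alice"}, [user, proxy, limited]
    try:
        authorize([user, overlong], cas, gridmap, "read-file", now)
        verdict = "accepted"
    except ValueError as err:
        verdict = str(err)
    return (authorize(chain, cas, gridmap, "read-file", now),              # "alice"
            authorize(chain, cas, gridmap, "create-process", now),         # None: restricted away
            authorize(chain + [widened], cas, gridmap, "write-file", now), # None: cannot re-widen
            verdict)                                                       # overlong proxy rejected
```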


Grid Evolution: Open Grid Services Architecture

- Goals
  - Refactor Globus protocol suite to enable common base and expose key capabilities
  - Service orientation to virtualize resources and unify resources/services/information
  - Embrace key Web services technologies for standard IDL, leverage commercial efforts
- Result = standard interfaces & behaviors for distributed system mgmt: the Grid service
  - Standardization within Global Grid Forum
  - Open source & commercial implementations


The Grid Service = Interfaces/Behaviors + Service Data

[figure: an implementation exposing service data elements; the required GridService interface (service data access, explicit destruction, soft-state lifetime); other optional interfaces, standard ones being Notification, Authorization, Service creation, Service registry, Manageability and Concurrency, plus application-specific interfaces; binding properties (reliable invocation, authentication); hosting environment/runtime (“C”, J2EE, .NET, …)]


WS Security Architecture: Current/Proposed Specifications

[figure: a composable architecture, “only use what you need”, stacked over the SOAP Foundation: WS-Security; above it WS-Policy, WS-Trust and WS-Privacy; above those WS-SecureConversation, WS-Federation and WS-Authorization; laid out along a time axis starting from today]


Grid Security and OGSA

- OGSA security roadmap defines a set of required services and indicates for each if it
  - Is provided by WS Security specs
  - May be provided by WS Security specs
  - Requires standardized profile/mechanisms and/or extensions for WS Security specs
- Addresses, for example
  - GSISecureConversation
  - Standardized policy services
  - Standardized audit services
  - Etc., etc., etc.


OGSA Security Components

[figure: Bindings Security (transport, protocol, message security); Credential and Identity Translation (Single Logon); User Management; Key Management; Intrusion Detection; Service/End-point Policy; Audit & Non-repudiation; Anti-virus Management; Secure Logging; Trust Model; Authorization Policy; Privacy Policy; Secure Conversations; Policy Expression and Exchange; Policy Management (authorization, privacy, federation, etc); Mapping Rules; Access Control Enforcement]


Summary

- The Grid: resource sharing & coordinated problem solving in virtual organizations
- Challenging security & cert. requirements
- OGSA security architecture addresses Grid certification, federation, bridging issues
  - Leverages WS Security standards & OGSA
  - Standardized security services, profiles, and mechanisms
  - Open source Globus Toolkit and commercial implementations


For More Information

- The Globus Project™: www.globus.org
- Technical articles: www.mcs.anl.gov/~foster
- Open Grid Services Arch.: www.globus.org/ogsa
- Global Grid Forum: www.gridforum.org (Chicago, Oct 15-17)