The EDGeS project receives Community research funding 1 Specific security needs of Desktop Grids...


The EDGeS project receives Community research funding

Specific security needs of Desktop Grids

• Desktop Grids
• EDGeS project
• Delegation for access to trusted resources


Etienne URBAH [email protected], Univ Paris-Sud, IN2P3/CNRS, Orsay, France

v1.2

DG = Desktop Grid = Loose grid scavenging idle resources

Unit of Work = Application + Input Data

[Diagram. Actors: Grid User (submits input data for an application); Application Manager (certifies Application); Resource Owner, often volunteer (owns Resource; accepts or refuses an application on his resource); Grid Server with Application Repository; Computing Resource, often Desktop Computer. Flow labels: Requests Unit of Work; Sends Unit of Work; Sends back results.]

Currently, for BOINC, both roles of ‘Application Manager’ and ‘Grid User’ are fulfilled by ‘BOINC Project Owners’.


DG = Desktop Grid = Loose grid scavenging idle resources

• Computing and Storage Resources are owned by various Owners (it is often volunteer computing), but they are NOT managed and NOT authenticated.
• Grid Servers are authenticated by an X509 certificate.
• Users are authenticated by the Grid Servers, but NOT by the Computing and Storage Resources.
• Executables are certified by managers of the Grid Servers.

So:
– Resource Owners have to trust the Grid Servers,
– BOINC sends each Work Unit to several Resource Owners, because BOINC does NOT fully trust them.

• Order of magnitude can be 1 000 000 CPUs.
• Starving Computing Resources pull Work Units from Grid Servers.

Examples: BOINC, XtremWeb, xGrid, OurGrid


Presentation of the EDGeS project

New FP7 project started on 01/01/2008

• Integrate Service Grids and Desktop Grids
• Enable very large number of computing resources (100K-1M processors)
• Attract new scientific communities
• Provide a Grid application development environment
• Provide application repository and bridges for the execution in the SG-DG system

[Diagram: EDGeS at the centre, linked to WLCG (CERN), gLite (EGEE), ARC (NorduGrid), Boinc (Berkeley), XtremWeb (INRIA/IN2P3), Xgrid (Apple), Unicore (DEISA) and VDT (OSG), with a legend distinguishing "Current" and "Future" links.]


Presentation of the EDGeS project

http://www.edges-grid.eu

Now, Interoperation:
• Ad-hoc bridges and interfaces between EGEE, BOINC and XtremWeb.
• A MoU between EDGeS and EGEE has been signed on 23 Sept 2008.
• XtremWeb users must have an X509 certificate, be registered in a VO and submit their Jobs with a VOMS proxy.
• BOINC Project Owners must have an X509 certificate, be registered in a VO and store a medium-term X509 proxy in a MyProxy server.
• All files must be transferred through the Input and Output sandboxes.

In the future:
• Interoperability using OGF standards, in order to bridge more Grids.
• Better support of grid file access (ByteIO, GridFTP).


Bridge BOINC → EGEE (WU = Work Unit)

[Diagram. Components: BOINC Project Owner; BOINC Server; BOINC jobwrapper client (simulating a large BOINC computing resource); EDGeS 3G bridge, containing a BOINC Handler (1 for each (BOINC server, BOINC Project Owner, EGEE VO) triple), a Job Handler Interface, a Queue Manager & Job DB, a Grid Handler Interface, an EGEE Plugin (1 for each (BOINC Project Owner, EGEE VO) pair) and a VOMS proxy Retriever; MyProxy trusting EDGeS 3G bridge; VOMS Server; EGEE WMS; 3G job-wrappers. Labels: Work Unit Submission; Work Units WUi+1, WUi+2, WUi+3; Jobs Jobi+1, Jobi+2; Medium term X509 proxy; Short term X509 proxy; VOMS extensions; Config. file with DN of X509 proxy.]


Bridge BOINC → EGEE

Solution = Inside EDGeS bridge, marshalling of the BOINC Work Units into Job collections

• For each (BOINC server, BOINC Project Owner, EGEE VO) triple, a separate Job Handler collects the BOINC Work Units and places them in a queue.
• For each (BOINC Project Owner, EGEE VO) pair, a separate EGEE plugin:
  – Retrieves a short term X509 Proxy for the BOINC Project Owner from a MyProxy server, and VOMS extensions from a VOMS server,
  – Periodically processes new Work Units found in the queue:
    • It converts each Work Unit into an EGEE Job,
    • In order to reduce the usage of the EGEE WMS, it uses Collection possibilities of EGEE to submit many Jobs in one request described using JDL.


Bridge XtremWeb → EGEE

[Diagram. Components: XtremWeb User (X509 proxy, VOMS proxy); VOMS Server; XtremWeb Server; XtremWeb Bridge; EGEE gLite WMS and Computing Element; Mono-user Pilot Job; User Job. Flow labels: Submits User Job with VOMS proxy; Sends back Job Status and Results; Requests User Jobs; Sends User Jobs with VOMS proxy; Manages User Job status; Submits mono-user Pilot Job with VOMS proxy; Gives Pilot Job Status; Pushes Pilot job; Requests only 1 User Job; Sends 1 User Job with same VOMS proxy; Sends back results directly.]


Bridge XtremWeb → EGEE

Solution = XtremWeb bridge: Gliding with a mono-user Pilot Job

1. An XtremWeb User submits to the XtremWeb server his User Job with a VOMS proxy.
2. At the request of the XtremWeb bridge, the XtremWeb server sends it the User Job with the VOMS proxy.
3. The XtremWeb bridge submits to a gLite WMS a mono-user Pilot Job with this VOMS proxy (job description in JDL).
4. The gLite WMS pushes the Pilot Job to a Computing Element, which executes it.
5. The mono-user Pilot Job requests 1 User Job from the XtremWeb server, and stops itself if it receives none.
6. The XtremWeb server verifies that the requested User Job has a VOMS proxy, and sends the User Job and the VOMS proxy to the Pilot Job.
7. The Pilot Job verifies that the received VOMS proxy is the same as its own VOMS proxy, and executes the User Job.
8. At the end of the User Job, the Pilot Job sends the Job results directly to the XtremWeb server, then stops itself.
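Steps 5 to 8 of this exchange, simulated as an added example that is not part of the original slides or of the XtremWeb code. It assumes proxies are opaque byte strings compared by SHA-256 fingerprint; the class names, job fields and sample proxies are hypothetical and constructed.

```python
# Added illustration: toy simulation of steps 5 to 8 of the Pilot Job exchange.
# Proxies are opaque constructed byte strings; all names are hypothetical.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

ALICE_PROXY = b"constructed VOMS proxy of user alice"
BOB_PROXY = b"constructed VOMS proxy of user bob"


def fingerprint(proxy: bytes) -> bytes:
    return hashlib.sha256(proxy).digest()


@dataclass
class UserJob:
    job_id: str
    command: str
    voms_proxy: Optional[bytes]  # None models a job submitted without proxy


class XtremWebServer:
    def __init__(self, jobs):
        self.queue = list(jobs)
        self.results = {}

    def request_one_job(self):
        """Step 6: only a User Job that carries a VOMS proxy is sent out."""
        for job in self.queue:
            if job.voms_proxy is not None:
                return job
        return None

    def store_result(self, job_id, result):
        self.results[job_id] = result
        self.queue = [j for j in self.queue if j.job_id != job_id]


class PilotJob:
    def __init__(self, own_proxy: bytes):
        self.own_proxy = own_proxy

    def run(self, server: XtremWebServer) -> str:
        job = server.request_one_job()               # step 5
        if job is None:
            return "stopped: no job"
        # Step 7: run the job only under the identity the pilot itself holds.
        if not hmac.compare_digest(fingerprint(job.voms_proxy),
                                   fingerprint(self.own_proxy)):
            return f"refused {job.job_id}: proxy mismatch"
        result = f"output of {job.command}"          # stands in for execution
        server.store_result(job.job_id, result)      # step 8, then stop
        return f"done {job.job_id}"
```

The check in step 7 is what keeps the Pilot Job mono-user: a job carrying another user's proxy is refused and stays queued instead of running under the pilot's identity.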


Bridge EGEE → Desktop Grids

[Diagram. Components: EGEE User; gLite WMS; EGEE VOMS; EGEE LB; EGEE BDII; LCG-CE for EDGeS, containing an Information provider and a GRAM Job Manager for EDGeS; EDGeS Application Repository; EDGeS 3G bridge, containing a Generic Job WS Handler, a Queue Manager & Job DB and a Desktop Grid plugin; Desktop Grid. Flow labels: Submits Job; Gets VOMS proxy; Logs events; Pushes job; Gets EXE; Checks EXE; Reports resources and performance; Adds job; Watches job; Sends output; Gets output.]


Bridges EGEE → BOINC & XtremWeb

Solution = Installation of an LCG-CE sending the EGEE Jobs to the EDGeS bridge, which marshals them into Desktop Grid Jobs

• Information Provider publishes information to the BDII according to GLUE 1.3
• Customized GRAM Job Manager (EGEE producer)
  – Gets job information from wrapper
  – Checks if exe is validated in the EDGeS application repository (GEMLCA)
  – Checks if exe is supported by attached BOINC
  – Gets files from WMS
  – Adds job to 3G bridge job Database
  – Polls status of jobs in 3G bridge job Database
  – Gets results from 3G bridge and uploads them to Logging & Bookkeeping
• EDGeS 3G bridge
  – Manages jobs in the 3G bridge database
  – On events, updates entries in the 3G bridge database
  – Desktop Grid plugins
    • BOINC plugin uses DC-API to generate BOINC Work Units
    • XtremWeb plugin generates XtremWeb Jobs


Delegation for access to trusted resources

Jobs having to access trusted Resources require delegation (through X509 proxies or SAML assertions)

Is it possible to provide delegation to untrusted Computing Resources of Desktop Grids?


Specific security needs of Desktop Grids – Delegation

Current situation: NO restriction → Full impersonation

Acceptable only with trusted computing resources

[Diagram: Grid User submits Job to an EGEE Computing Element, which submits Job to a Trusted Worker Node; Trusted Data Access to a Trusted Storage Resource. Each hop carries an X509 proxy without restrictions (full impersonation).]

NOT acceptable with untrusted (DG) computing resources

[Diagram: Grid User submits Job to an EGEE Computing Element, which submits Job to an Untrusted Worker Node; Untrusted Data Access to a Trusted Storage Resource. Each hop carries an X509 proxy without restrictions (full impersonation).]


Current situation: NO restriction → Full impersonation

At present, WITHOUT restrictions on delegation, X509 proxies permit full impersonation.

Therefore, when sending jobs, it is acceptable to send along such X509 proxies:
– only to TRUSTED computing resources (for example Worker Nodes of local or EGEE clusters), because the storage resources must trust that the computing resource will only access data described in the job,
– but NOT to UNTRUSTED computing resources (for example from a public Desktop Grid), because they could then have access to all user data.


Under development: X509 Proxies with Restrictions

Improved security with trusted computing resources

[Diagram: Grid User submits Job to an EGEE Computing Element, which submits Job to a Trusted Worker Node; Trusted Data Access to a Trusted Storage Resource. Each hop carries an X509 proxy with restrictions (restricted impersonation).]

Could also be acceptable with untrusted computing resources

[Diagram: Grid User submits Job to an EGEE Computing Element, which submits Job to an Untrusted Worker Node; Trusted Data Access to a Trusted Storage Resource. Each hop carries an X509 proxy with restrictions (restricted impersonation).]


Under development: X509 Proxies with Restrictions

When sending jobs, it could be acceptable to send X509 proxies containing restriction attributes about data access to UNTRUSTED computing resources (for example from a public Desktop Grid), because:
– In order to get access to data, computing resources have to present to storage resources the full X509 proxy, INCLUDING ALL restriction attributes.
– Storage resources are then able to refuse data access if restriction attributes forbid it,
– Data that the jobs have to read are easily protected against corruption or deletion by using restriction attributes setting those data as read-only.
– Malicious computing resources can always corrupt data on which they have write access, but they can already write false data in the Output Sandbox of jobs anyway.

If these restriction attributes are really implemented, enforced and considered secure enough, this would permit computing resources of Desktop Grids to access storage resources of EGEE Storage Elements (using SRM, GridFTP, …), with a great impact on EDGeS JRA3.
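A toy model of the storage-side decision described above, contrasting an unrestricted proxy (full impersonation) with a restricted one; it is an added example, not EDGeS or EGEE code. Assumptions: the proxy is a plain dictionary, HMAC-SHA256 stands in for the X.509 signature (a real storage resource verifies a public-key chain and holds no user secret), and the attribute layout, paths, key and subject name are hypothetical and constructed.

```python
# Added illustration: storage resource enforcing signed restriction attributes.
# HMAC stands in for the X.509 signature; layout and names are hypothetical.
import hashlib
import hmac
import json
import posixpath

USER_KEY = b"constructed signing key of the grid user"


def _payload(subject, restrictions):
    # The restriction attributes are part of the signed content.
    return json.dumps({"subject": subject, "restrictions": restrictions},
                      sort_keys=True).encode()


def issue_proxy(subject, restrictions, key=USER_KEY):
    """User side. restrictions=None models today's unrestricted proxy."""
    sig = hmac.new(key, _payload(subject, restrictions),
                   hashlib.sha256).hexdigest()
    return {"subject": subject, "restrictions": restrictions, "signature": sig}


def _covers(prefix, path):
    # Normalise first so "input/../private" cannot slip past a prefix rule.
    norm = posixpath.normpath(path)
    return norm == prefix or norm.startswith(prefix.rstrip("/") + "/")


def storage_decide(proxy, path, operation, key=USER_KEY):
    """Storage side: verify the whole proxy, then apply its restrictions."""
    expected = hmac.new(key, _payload(proxy["subject"], proxy["restrictions"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proxy.get("signature", "")):
        return "refused: proxy altered or restriction attributes removed"
    if proxy["restrictions"] is None:
        return "granted"  # no restriction: full impersonation of the user
    for rule in proxy["restrictions"]:
        if _covers(rule["prefix"], path) and operation in rule["allow"]:
            return "granted"
    return "refused: forbidden by restriction attributes"


SUBJECT = "/O=Grid/CN=constructed user"
JOB_PROXY = issue_proxy(SUBJECT, [
    {"prefix": "/grid/vo/input", "allow": ["read"]},            # read-only
    {"prefix": "/grid/vo/output", "allow": ["read", "write"]},
])
```

A worker that strips the restrictions from `JOB_PROXY` invalidates the signature, so the only proxy it can usefully present is the full one.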


Access to untrusted Storage Resources of Desktop Grids

Could access of trusted Computing Resources to untrusted Storage Resources of Desktop Grids be acceptable?

EDGeS is studying the issue. We can get advice from you and Jesus LUNA.

[Diagram: Grid User submits Job to an EGEE Computing Element (X509 proxy), which submits Job to a Trusted Worker Node (X509 proxy); Untrusted Data Access to an Untrusted Storage Resource (NO X509 proxy).]