Xrootd proxies Andrew Hanushevsky
-
Upload
information-security-awareness-group -
Category
Technology
-
view
744 -
download
4
description
Transcript of Xrootd proxies Andrew Hanushevsky
xrootd Proxies
Andrew Hanushevsky (SLAC)
Middleware Security Group Meeting 5-6 June 2006
http://xrootd.slac.stanford.eduxrootd is largely funded by the US Department of Energy
Contract DE-AC02-76SF00515 with Stanford University
MWSG 5-6 June 2006 2: http://xrootd.slac.stanford.edu
Outline
xrootd Architecture OverviewTerms and ConceptsClustering
ProxiesSingle and double firewallsProxy clusters for scalability
Security transformations Conclusions & Acknowledgements
MWSG 5-6 June 2006 3: http://xrootd.slac.stanford.edu
authentication(gsi, krb5, etc)
Clustering(olbd)
lfn2pfnprefix encoding
Storage System(oss, drm/srm, etc)
authorization(name based)
File System(ofs, sfs, alice, etc)
Protocol (1 of n)(xrootd)
xrootd Plugin Architecture
Protocol Driver(XRD)
MWSG 5-6 June 2006 4: http://xrootd.slac.stanford.edu
Acronyms, Entities & Relationships
datadataxrootd
olbdxrootd
olbd
Data Clients
Redirectors
Data Servers
MM
SS
ctlctl
olbdolbdControl Network
Managers, Supervisors & Servers(resource info, file location)
xrootdxrootdData Network
(redirectors steer clients to dataData servers provide data)
MWSG 5-6 June 2006 5: http://xrootd.slac.stanford.edu
Cluster Architecture
Server
A cell is 1-to-64 entities (servers or cells)clustered around a cell manager
called a supervisor
A manager is an optionallyreplicated xrootd/olbd pairfunctioning as a root node
A server is an xrootd/olbdpair leaf node that
delivers data
Up to 64 servers or cells can connect
to a manager
MWSG 5-6 June 2006 6: http://xrootd.slac.stanford.edu
Single Level Switch
ClientClient RedirectorRedirector(Head Node)
Data ServersData Servers
open file XAA
BB
CC
go to C
open file X
Who has file X?
I have
ClusterClient sees all servers as Client sees all servers as xrootdxrootd data serversdata servers
2nd open X
go to C
RedirectorsRedirectorsCache fileCache filelocationlocation
MWSG 5-6 June 2006 7: http://xrootd.slac.stanford.edu
Two Level Switch
ClientClient
RedirectorRedirector(Head Node)
Data ServersData Serversopen file XAA
BB
CC
go to Copen file X
Who has file X?
I have
Cluster
Client sees all servers as Client sees all servers as xrootdxrootd data serversdata servers
SupervisorSupervisor(sub(sub--redirector)redirector)
Who has file X? DD
EE
FF
I havego to F
open file X
I have
MWSG 5-6 June 2006 8: http://xrootd.slac.stanford.edu
SLAC Configuration
client machinesclient machines
kan01 kan02 kan03 kan04 kanxx
bbr-olb03 bbr-olb04 kanolb-a
MWSG 5-6 June 2006 9: http://xrootd.slac.stanford.edu
Extending Access
Easy clustered local accessEveryone sees everyoneSimple configurationLow human overhead to maintain
Remote accessDifficult because of connection constraintsWant to make it humanly administrable
Critical to minimize cross-domain knowledge
Utilize the peer-to-peer nature of xrootd
MWSG 5-6 June 2006 10: http://xrootd.slac.stanford.edu
Proxies I (single firewall)
client machinesclient machines
data01 data02 data03 data04
proxy xrootd
IN2P3
INDRA11
3322
FirewallFirewall
olbd
MWSG 5-6 June 2006 11: http://xrootd.slac.stanford.edu
Scaling Proxies
Need to provide more than one proxySelection criteria for proxies?
Utilize natural rooted clusteringCreate proxy clustersAutomatically load balanceNo practical limit on number
MWSG 5-6 June 2006 12: http://xrootd.slac.stanford.edu
Proxy Clusters (single firewall)
client machinesclient machines
data01 data02 data03 data04
proxy managerxrootd
33
4455
FirewallFirewall
olbdolbd
proxy serverxrootd
11
22
MWSG 5-6 June 2006 13: http://xrootd.slac.stanford.edu
Dealing With Lockdowns
Double FirewallsReality sets in.
Incoming and outgoing traffic limited
Utilize peer-to-peer nature of rootedMaintains practical simplicity
Alternative not particularly appealingApplication controlled firewall
LBL and ANL models for gridFTP.Could use xrootd’s for this as well, though.
MWSG 5-6 June 2006 14: http://xrootd.slac.stanford.edu
Proxies II (double firewall, simplified)
client machinesclient machines
data01 data02 data03 data04
remote proxy xrootd
11
4433
FirewallsFirewalls
olbd
local proxy xrootd
22
MWSG 5-6 June 2006 15: http://xrootd.slac.stanford.edu
N-to-M Authentication issues
Clusters of proxies on each sideRandom server-server connectionsAuthentication key management issues
Complex because of size and interactionsWould like to simplify key distribution
Use a security transformationGSI to global session key
MWSG 5-6 June 2006 16: http://xrootd.slac.stanford.edu
Scalable Proxy Security
SLAC PROXY RAL PROXY
3
2 2
1
11 Authenticate & develop session key22 Distribute session key to authenticated subscribers33 Servers can log into each other using session key
Data ServersData Servers
MWSG 5-6 June 2006 17: http://xrootd.slac.stanford.edu
Extending Security Transforms
xrootd protocol allows security transformsRedirect can pass along a CGI string
Anyone can redirect!No practical redirect limit.
Allows security framework substitutionsMinimizes GSI intra-cluster overhead
MWSG 5-6 June 2006 18: http://xrootd.slac.stanford.edu
Security Transforms
client machinesclient machines
data01 data02 data03 data04
x-authxrootd
11
4433
olbd
GSI “proxy”xrootd
22
MWSG 5-6 June 2006 19: http://xrootd.slac.stanford.edu
Conclusion
xrootd has a security enabling architecture Protocol was designed with security in mindAccommodates security transforms
Server-to-serverClient-server
Very easy to administerCritical for maintaining security
MWSG 5-6 June 2006 20: http://xrootd.slac.stanford.edu
Acknowledgements
Software collaboratorsINFN/Padova: Fabrizio Furano, Alvise DorigaoRoot: Fons Rademakers, Gerri GanisAlice: Derek Feichtinger, Guenter Kickinger, Andreas PetersCornell: Gregory SharpSLAC: Jacek Becla, Tofigh Azemoon, Wilko Kroeger, Bill WeeksPrinceton: Pete Elmer
Operational collaboratorsBNL, CNAF, FZK, INFN, IN2P3, RAL, SLAC