
  • Number of slides: 15

APAN Grid-Middleware Workshop 2006
Grid security in NAREGI project
July 19, 2006
National Institute of Informatics, Japan
Shinichi Mineo

Cyber Science Infrastructure for Advanced Science (by NII) – To Innovate Academia and Industry
Cyber Science Infrastructure: Virtual Organization for science, Scientific Repository, UPKI, Human Resource Development and strong organization, NAREGI Middleware
Super-SINET: a next generation network infrastructure supported by NII and 7 National Computer Centers (map: Hokkaido University, Tohoku University, University of Tokyo, Nagoya University, Kyoto University, Osaka University, Kyushu University and NII; also Tokyo Institute of Technology, Waseda University, High Energy Accelerator Research Organization (KEK), etc.)
Publication of scientific results from academia, Global Contribution, Industry Liaison and Social Benefit

Super SINET provides 10 Gbps Backbone

Grid for enabling Collaborative Computing
• To realize a heterogeneous, large-scale computational environment
• To share large and expensive devices and databases
Security is a key issue to be solved!
(Figure: a Virtual Organization spanning University A, Overseas Lab B and Domestic Lab C over Super SINET, with researchers at each site; it combines experiments using special devices (experimental devices), analysis using supercomputers (a supercomputer) and searches in databases (a database server).)

NAREGI Software Stack (Beta ver. 2006)
• Grid-Enabled Nano-Applications (WP 6)
• Grid Workflow (WP 3), Grid PSE (WP 3), Grid Vis (WP 3)
• Grid Programming: GridRPC, GridMPI (WP 2)
• Distributed Information Service (WP 1), Super Scheduler (WP 1), Data Grid (WP 4), Packaging
• Globus 4 / NAREGI: WSRF + Services Core
• Grid VM (WP 1)
• High-Performance & Secure Grid Networking (WP 5)
• SuperSINET: NII, IMS, KEK, Computing Centers & VOs, Univ. Centers

A Use Case: Job Submission with Reservation-based Co-Allocation
(Figure: the client (WFT, PSE, GVS, GridRPC) builds a workflow as abstract JSDL; the Super Scheduler issues resource queries to the Distributed Information Service (DAI) and the Computing Resource Information Service, performs reservation-based co-allocation and produces concrete JSDL; it handles reservation, submission, query and control of jobs on GridVM instances running GridMPI, which report CIM resource information and UR/RUS records to Computing Resource Accounting.)

Security Requirements in AAA
• Authentication
  – PKI based user authentication
  – Compatible with GSI standards
  – Trust federation between CAs
  (Developed NAREGI-CA, to be deployed in UPKI)
• Authorization
  – VO management for inter-organizational collaboration
  – Interoperable with other Grid projects
  (Current issues to be solved)
• Accounting
  – ID federation for authorization & traceability
  – With privacy protection!
  (Future issues)

Virtual Organization and Security Domain
Definition of VO on GGF: A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains.
  ・CAS (Community Authorization Service)
  ・VOMS (Virtual Organization Membership Service)
(Figure: Organization A (users p, q, r; services x, y, z) and Organization B each form a PKI domain; through contracts (Contract A, Contract B) selected services and users are exposed into a VO domain holding users 1, 2 and 3 and services a, b, c, with user 1 acting as VO Manager. Services and users are exposed in a Virtual Organization.)

VOMS-type VO Management developed in EGEE
(Figure: the CA/RA issues the user certificate and the CRL; the VOMS server holds DN, VO, group, role and capability; MK-gridmapfile maps DNs to pseudo accounts in the gridmap file. For grid job submission the user presents a proxy certificate carrying a VO X.509 attribute certificate (AC); at the EGEE Grid site LCAS acts as Policy Decision Point, using GACL and the gridmap file, before GRAM runs the job.)

VOMS-type VO Management adopted in NAREGI
(Figure: the CA/RA issues the user certificate and the CRL; the VOMS server holds DN and VO info. VOMS certificate handling is too hard for users, so the proxy certificate plus VO information used for grid job submission is managed by the Super Scheduler. At the NAREGI Grid site the Information Service acts as Policy Information Point; account mapping uses the gridmap file and a policy file; GRAM with Grid VM is the Policy Decision & Enforcement Point.)
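As an added illustration (not NAREGI or EGEE code) of the account-mapping step on the two slides above: the VOMS attributes carried in a proxy, written as FQANs of the form /vo/group/Role=r/Capability=c, or the user's DN, are looked up in a gridmap file and mapped to a fixed account or a pool account, in the manner of LCMAPS at an EGEE site. The gridmap lines, DNs and FQAN values are constructed for the example.

```python
# Added example: VOMS-style account mapping at a grid site (not project code).
# The job's proxy carries FQANs; the site maps DN or VO/group/role to a local account.
import re
from typing import Dict, List, Optional, Tuple

def parse_fqan(fqan: str) -> Tuple[str, str]:
    """Split a VOMS FQAN '/vo/group/Role=r/Capability=c' into (group, role)."""
    if not fqan.startswith("/"): raise ValueError(f"bad FQAN {fqan!r}")
    groups, role = [], "NULL"
    for seg in fqan.split("/")[1:]:
        if seg.startswith("Role="):
            role = seg[len("Role="):] or "NULL"
        elif seg and not seg.startswith("Capability="):
            groups.append(seg)  # Capability is carried but ignored for mapping
    if not groups: raise ValueError(f"FQAN has no VO/group: {fqan!r}")
    return "/" + "/".join(groups), role

# Constructed gridmap: quoted subject (DN or FQAN) and local account. A leading
# dot marks a pool-account prefix (LCMAPS convention); a bare name is a fixed account.
GRIDMAP = '''
"/C=JP/O=NII/CN=Alice" alice
"/naregi/nano/Role=admin" .nanoadm
"/naregi/nano" .nano
'''

def parse_gridmap(text: str) -> Dict[str, str]:
    return {m[1]: m[2] for m in re.finditer(r'^"([^"]+)"\s+(\S+)\s*$', text, re.M)}

class AccountMapper:
    def __init__(self, gridmap: Dict[str, str]):
        self.gridmap = gridmap
        self.next_idx: Dict[str, int] = {}   # pool prefix -> next free number
        self.leases = {}                      # (prefix, DN) -> leased pool account

    def _account(self, entry: str, dn: str) -> str:
        if not entry.startswith("."):
            return entry                      # fixed account
        if (entry, dn) not in self.leases:    # one pool slot per DN, so that
            n = self.next_idx.get(entry, 0) + 1   # accounting stays traceable
            self.next_idx[entry] = n
            self.leases[(entry, dn)] = f"{entry[1:]}{n:03d}"
        return self.leases[(entry, dn)]

    def map(self, dn: str, fqans: List[str]) -> Optional[str]:
        if dn in self.gridmap:                # 1. explicit DN entry wins
            return self._account(self.gridmap[dn], dn)
        for fqan in fqans:                    # 2. primary FQAN first, exact match
            group, role = parse_fqan(fqan)
            keys = [f"{group}/Role={role}"] if role != "NULL" else []
            for key in keys + [group]:        # role entry before plain group entry
                if key in self.gridmap:
                    return self._account(self.gridmap[key], dn)
        return None                           # no mapping: the job is rejected
```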

Job Submission mechanism in NAREGI Middleware β version
• Integrated and easy handling of VOMS and MyProxy
• WF Credential is a user proxy cert passed through to the SS with the delegation protocol
(Figure: in the client environment the user logs in to the portal services (WFT, PSE, GVS) with a user certificate and private key; a proxy certificate is delegated to the User Management Server (UMS), which obtains a VOMS proxy certificate via VOMS and MyProxy; the VOMS proxy certificate is stored in the WF Credential Repository and delegated through the SS client to the Super Scheduler (SS). The SS receives the workflow (WF) and deploys Grid jobs to GridVM, each carrying the VOMS proxy certificate.)

NAREGI’s Solution for VO and Job Management
• Adoption of VOMS for VO management
  – Using proxy certificates with VO attributes for interoperability with EGEE
  – GridVM is used instead of LCAS/LCMAPS
• Integration of MyProxy and VOMS servers
  – with UMS (User Management Server) to realize a one-stop service at the NAREGI Grid Portal
  – using gLite implemented at UMS to connect to the VOMS server
• Development of Workflow Credential Repository
  – User proxy certificates are used as Workflow Credential to realize GSI delegation between the NAREGI Grid Portal and the Super Scheduler, in the same way as MyProxy.
  – The Super Scheduler converts the security protocol of the job signature to GSI delegation.

Open Issues on VO Management
• Current issues on VO management
  – VOMS platform
    • gLite is running on GT 2, while NAREGI middleware runs on GT 4
  – GridVM
    • Interoperability of authorization policy with other Grid projects is to be realized.
  – Proxy certificate renewal
    • Need to invent a new mechanism
• Future plan
  – Cooperation with GGF security area members to realize interoperability with each other.
  – A proposal of a new VO management methodology and trial of a reference implementation.

AuthN & AuthZ Services in the future
(Figure: the CA/RA with CRL and OCSP/XKMS, LDAP and VO Management feed an Authentication & Authorization Service acting as Policy Information Point and Policy Decision Point; MyProxy holds the user's certificate; the user logs in with a certificate to the Web Server, which acts as Policy Enforcement Point using SAML+XACML; the Super Scheduler performs grid job submission to GRAM (Grid VM).)

Summary
• NAREGI at first developed a reliable authentication system, which will be deployed in the UPKI project.
• VO management was the second target, and VOMS has been adopted for interoperability with EGEE.
• NAREGI commits to OGSA and will contribute to standardization of VO management in the Grid community.
• ID management remains an open issue. GridShib or Liberty Alliance may be considered.