Practical Distributed Authorization for GARA Andy Adamson and

Зарегистрируйтесь, чтобы просмотреть полный документ!

Practical Distributed Authorization for GARA Andy Adamson and Olga Kornievskaia Center for Information Technology Integration University of Michigan, USA

Outline • • • Background and motivation Security architecture of the current scheme Design of the authorization framework Modified authentication mechanism Video clip of the demo Reservation flow walk through

Background • Grid computing is an initiative for advancement of distributed computing that enables flexible sharing of resources distributed among administrative domains • GARA: General-purpose Architecture for Reservation and Allocation: Quality of Service reservation mechanism for different types of resources • Project partners: University of Michigan (Physics, CITI), European Organization for Nuclear Research (CERN), Argonne National Laboratory (ANL), Merit, and others…

End to End Performance • Reliable high-speed end to end network services are important to scientific collaborators – Video, audio, large data transfers • Long haul networks demonstrate good performance due to overprovisioning • The Last-mile is often a network bottleneck • Reliable end-to-end network service is achieved by reserving network resources within end-point institution networks, coupled with the good performance of overprovisioned long haul networks.

Automated network reservation • Qo. S functionality is a common feature in network hardware • Qo. S configuration is currently done by hand • We address the need for an automated network reservation system • Security of all communications is vital • Difficult security problem due to cross-domain nature of end-to-end network resource allocation

Project based on Globus GARA • GARA is a GRID network reservation service • GARA uses the PKI based Grid Security Infrastructure (GSI) for authentication and coarse authorization – Authentication uses long-term PK and short term proxy credentials – Authorization is controlled by an ACL-based flat file • Our contributions: – Fine-grained cross-domain authorization – PK credentials based on Kerberos identity – Secure web interface

Cross-domain Authorization • Use existing local group services – Avoid replicating data and management tasks • Group name-space shared by domains – Local administrators manage group membership as usual • Key. Note Policy Engine makes authorization decision • Fine-grained authorization expressed in Key. Note policy rules – Group membership – Amount of bandwidth allowed – Time/duration of reservation

Local Domain Authorization • Local GARA contacts local group service to see what groups a user is a member of • Group membership passed into Key. Note along with reservation request parameters • Key. Note compares input parameters to rules • If authorized, the local GARA client: – Packages and signs username and group membership – Adds it to the reservation request that is forwarded to the remote site

Remote domain Authorization • Remote GARA accepts and verifies the username/group membership from the wire • Group membership is passed into Key. Note along with reservation request parameters • Key. Note compares input parameters to the rules to make authorization decision • If remote authorization fails, reservation at the previous node is cancelled.

Kerberos leveraged PKI: kx. 509 Service ticket Web Server SSL transcript KCT SSL handshake (recorded) Browser User Sign my short-term key KCA

Web server as proxy GARA client Web Server Signed group membership => GARA client Remote GARA Key. Note Router Pool Local GARA Key. Note Router Pool Request group membership Group Service AFS PTS or LDAP

Demonstration: UMICH to CERN • Multiple security realms • AFS Protection Server (PTS) is used for the local group service • MJPEG video conferencing application – 10 MB/sec stream each way, 147 ms round trip – RTP headers record packet loss statistics • Iperf traffic generated at each end across video and audio receiving router interface • Cisco 6506 at UMICH, Cisco 7500 at CERN

Demonstration: UMICH to CERN • Note high quality video and audio • Turn on Iperf traffic at one end to degrade video and audio signal • Place a reservation in the near future (1 minute) for a short duration (20 seconds) • Note degraded video and audio return to high quality during the 20 second reservation, in spite of competing traffic generation • Note degraded video and audio return at the end of the reservation

CITI. UMICH. EDU “Big Picture” KCT/KDC KINIT KCA KX 509 Browser SSL Web Server GARA Client IGRID 2002 GSI GARA Service GSI ATLAS. UMICH. EDU AFS PTS Group Service RX TELNET Cisco 7206 GARA Service MJpeg Host SSH Cisco 6506 MJpeg Host Reserved Video Conference

Any Questions? http: //www. citi. umich. edu/projects/qos

Demonstration: UMICH to CERN We demonstrated that a reservation failed if: – User not in correct group – Requested bandwidth out of bounds – Time of request is out of bounds

Future directions • On going project extends the existing infrastructure to accommodate general web based network monitoring tools

Скачать презентацию Practical Distributed Authorization for GARA Andy Adamson and

7374fc982f956c2bd12dfa15ca7d9fd9.ppt

Количество слайдов: 17