GIN & PGI Security Profile
Towards an Interoperability Reference Model
Morris Riedel (FZJ – Jülich Supercomputing Centre & DEISA)
OGF GIN & PGI Co-Chair
© 2008 Open Grid Forum
OGF IPR Policies Apply
• “I acknowledge that participation in this meeting is subject to the OGF Intellectual Property Policy.”
• Intellectual Property Notices Note Well: All statements related to the activities of the OGF and addressed to the OGF are subject to all provisions of Appendix B of GFD-C.1, which grants to the OGF and its participants certain licenses and rights in such statements. Such statements include verbal statements in OGF meetings, as well as written and electronic communications made at any time or place, which are addressed to:
  • the OGF plenary session,
  • any OGF working group or portion thereof,
  • the OGF Board of Directors, the GFSG, or any member thereof on behalf of the OGF,
  • the ADCOM, or any member thereof on behalf of the ADCOM,
  • any OGF mailing list, including any group list, or any other list functioning under OGF auspices,
  • the OGF Editor or the document authoring and review process
• Statements made outside of an OGF meeting, mailing list or other function, that are clearly not intended to be input to an OGF activity, group or function, are not subject to these provisions.
• Excerpt from Appendix B of GFD-C.1: ”Where the OGF knows of rights, or claimed rights, the OGF secretariat shall attempt to obtain from the claimant of such rights, a written assurance that upon approval by the GFSG of the relevant OGF document(s), any party will be able to obtain the right to implement, use and distribute the technology or works when implementing, using or distributing technology based upon the specific specification(s) under openly specified, reasonable, non-discriminatory terms. The working group or research group proposing the use of the technology with respect to which the proprietary rights are claimed may assist the OGF secretariat in this effort. The results of this procedure shall not affect advancement of document, except that the GFSG may defer approval where a delay may facilitate the obtaining of such assurances. The results will, however, be recorded by the OGF Secretariat, and made available. The GFSG may also direct that a summary of the results be included in any GFD published containing the specification.”
• OGF Intellectual Property Policies are adapted from the IETF Intellectual Property Policies that support the Internet Standards Process.
Outline
• OGF GIN & PGI Groups: short introduction, relationship between both OGF groups
• GIN & PGI Security Profile: the big picture, security plumbings, missing links & tunings
• Security Profile Use Case: VOMS as Attribute Authority, WISDOM, VPH pre-studies, …
• Summary, References & Acknowledgements
OGF GIN & PGI Groups
• OGF Grid Interoperation Now (GIN) Community Group [2]
  • Cross-Grid use case applications that require resources in more than one Grid (often HTC and HPC interoperability)
  • Interoperation of multiple Grid infrastructures based on workarounds and small hacks / modifications
• OGF Production Grid Infrastructure (PGI) Working Group [1]
  • Takes gained experience from production interop of GIN into account
  • Standardization of a suitable set of standards based on lessons learned
  • Tunings, re-definition & focus on missing links between open standards
[Figure: GIN feeds profiling & standardization of gained experience into PGI; PGI points GIN to the most relevant standardization work]
GIN & PGI @ OGF25
• OGF Grid Interoperation Now (GIN) Community Group [2]: Update & Applications
  • Tuesday March 3rd, 2:00 pm - 3:30 pm, Location DaVinci
• OGF Production Grid Infrastructure (PGI) Working Group [1]: Workshop to learn about PGI
  • Wednesday March 4th, 4:00 pm - 5:30 pm, Location Leopardi
The Big Picture (in progress)

GIN & PGI Security Profile

Security is orthogonal to layers
[4] Morris Riedel et al., ‘Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures’, Proceedings of Korea e-Science AH Meeting 2008, 2009
Orthogonal Security: Plumbings

Plumbing II - Authentication

Plumbing III - Authorization
Still work to do…
• Big picture in (many) GIN production Grids & efforts
[Figure: a SOAP message carried over IETF TLS. The SOAP Header holds an OASIS WS-Security element with a SAML Assertion; the SOAP Body holds OGF BES and OGF JSDL + Ext. payloads. VO support: attributes live either in proxy extensions or in the SAML AttributeStatement element. Delegation of rights: restrictions live either in proxy extensions or in a SAML constraints element]
Missing Links & Tunings

SAML Assertion Example
• Using SAML Assertions to convey attributes of users

  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" … >
    <saml:Issuer> … </saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">CN=Morris Riedel,OU=ZAM,OU=Forschungszentrum Juelich GmbH,O=GridGermany,C=DE</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="..." NotOnOrAfter="..." />
    <saml:AttributeStatement>
      <saml:Attribute Name="group-membership-id" NameFormat="urn...">
        <saml:AttributeValue xsi:type="xs:string">/deisa/group-interop</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    …
  </saml:Assertion>
Missing Links & Refinement
• n SAML Assertions in SOAP Messages (WS-Security)

  <soap:Envelope xmlns:soap="...">
    <soap:Header>
      <wsse:Security xmlns:wsse="...">
        <saml:Assertion xmlns:saml="..."> … </saml:Assertion>   (n times)
      </wsse:Security>
    </soap:Header>
    <soap:Body> ... </soap:Body>
  </soap:Envelope>

• Define structure and common semantics of attributes
  • Attributes state the position of a user in a VO (e.g. role, group, …)
  • E.g. approach /VONAME/GROUPNAME
  • E.g. approach /VONAME=XYZ/GENERALCAPABILITY=XYZ…
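As an added example (not part of the slides, and not code from any of the Grid middlewares named here), the following Python walks the n assertions in a wsse:Security header the way a relying BES service would: it checks each Issuer against a list of trusted attribute authorities and the Conditions time window, then parses both attribute conventions above (/VONAME/GROUPNAME and /VONAME=XYZ/GENERALCAPABILITY=XYZ) into a common structure. The issuer DNs, assertion IDs and attribute values are constructed; XML-Signature verification, which a real service must do before trusting any attribute, is left out.

```python
"""Read the n SAML assertions in a WS-Security header and map them to VO positions.
Added example, not from the slides: issuer DNs, IDs and attribute values are constructed.
XML-Signature verification of each assertion is out of scope here and must happen
before any of this output is trusted."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: one valid assertion, one already expired, one from an unknown AA.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
               xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion Version="2.0" ID="_a1">
  <saml:Issuer>CN=voms.deisa.example.org,O=DEISA,C=DE</saml:Issuer>
  <saml:Subject><saml:NameID>CN=Alice,OU=ZAM,O=GridGermany,C=DE</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-03-03T13:00:00Z" NotOnOrAfter="2009-03-04T01:00:00Z"/>
  <saml:AttributeStatement><saml:Attribute Name="group-membership-id">
   <saml:AttributeValue>/deisa/group-interop</saml:AttributeValue>
   <saml:AttributeValue>/deisa</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
 <saml:Assertion Version="2.0" ID="_a2">
  <saml:Issuer>CN=voms.deisa.example.org,O=DEISA,C=DE</saml:Issuer>
  <saml:Subject><saml:NameID>CN=Alice,OU=ZAM,O=GridGermany,C=DE</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-03-03T13:00:00Z" NotOnOrAfter="2009-03-03T13:30:00Z"/>
  <saml:AttributeStatement><saml:Attribute Name="capability">
   <saml:AttributeValue>/VONAME=deisa/GENERALCAPABILITY=submit</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
 <saml:Assertion Version="2.0" ID="_a3">
  <saml:Issuer>CN=rogue.example.net</saml:Issuer>
  <saml:Subject><saml:NameID>CN=Alice,OU=ZAM,O=GridGermany,C=DE</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-03-03T13:00:00Z" NotOnOrAfter="2009-03-04T01:00:00Z"/>
  <saml:AttributeStatement><saml:Attribute Name="group-membership-id">
   <saml:AttributeValue>/deisa/admins</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""

TRUSTED_AAS = {"CN=voms.deisa.example.org,O=DEISA,C=DE"}   # the attribute authorities we accept
NOW = datetime(2009, 3, 3, 14, 0, tzinfo=timezone.utc)    # fixed clock for the sample


def _ts(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_vo_attribute(value):
    """Map '/VO/group/subgroup' or '/VONAME=x/KEY=y' to {vo, group, capabilities}."""
    parts = [p for p in value.strip().split("/") if p]
    if not parts:
        raise ValueError("empty VO attribute")
    if all("=" in p for p in parts):
        pairs = dict(p.split("=", 1) for p in parts)
        if "VONAME" not in pairs:
            raise ValueError("key=value attribute without VONAME: %r" % value)
        return {"vo": pairs.pop("VONAME"), "group": None, "capabilities": pairs}
    if any("=" in p for p in parts):
        raise ValueError("mixed path/key=value attribute: %r" % value)
    group = "/" + "/".join(parts[1:]) if len(parts) > 1 else None
    return {"vo": parts[0], "group": group, "capabilities": {}}


def extract_vo_attributes(soap_xml, now=NOW, trusted_issuers=TRUSTED_AAS):
    """Return (accepted, rejected): one record per assertion found in wsse:Security."""
    accepted, rejected = [], []
    security = ET.fromstring(soap_xml).find("soap:Header/wsse:Security", NS)
    if security is None:
        return accepted, rejected
    for a in security.findall("saml:Assertion", NS):
        issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer not in trusted_issuers:          # only attributes signed by a known AA count
            rejected.append((a.get("ID"), "untrusted issuer"))
            continue
        cond = a.find("saml:Conditions", NS)
        nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
        if nb is None or na is None or not (_ts(nb) <= now < _ts(na)):
            rejected.append((a.get("ID"), "outside validity window"))
            continue
        subject = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
        attrs = [parse_vo_attribute(v.text or "")
                 for v in a.findall("saml:AttributeStatement/saml:Attribute/saml:AttributeValue", NS)]
        accepted.append({"id": a.get("ID"), "issuer": issuer, "subject": subject, "attributes": attrs})
    return accepted, rejected
```

Calling extract_vo_attributes(SAMPLE_SOAP) accepts only _a1 (two group attributes under the VO deisa) and rejects _a2 as expired and _a3 as coming from an issuer that is not in the trusted set; the order of the checks matters, since an untrusted issuer's time window is never consulted.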
Restricted Delegation
• Proxies & SAML Assertions are used in production Grids
• But most Grid and e-science infrastructures operate on a security paradigm of ‘full impersonation delegation of rights’
  • “If I delegate someone to buy me a toaster he is actually allowed to buy me a car – there are no restrictions on what exactly to do”
• ‘Proxies are not bad’
  • But the way proxies are used on the infrastructures is “bad”
  • Restrictions within proxies can be added into proxy extensions
• ‘SAML assertions are not bad’
  • SAML assertions have the same drawback when no constraints are provided
  • Restrictions within SAML assertions can be coded in the SAML assertion constraints parts
[Figure: a standard proxy with an extension carrying restrictions; a SAML assertion with a constraints element]
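The toaster-versus-car problem, as an added example (not from the slides, and not code from any middleware named here): a BES service receiving a delegated SAML assertion refuses to act on it unless the assertion itself says where and for what it may be used. The AudienceRestriction condition is standard SAML 2.0; the rd:OperationRestriction condition, its namespace and the AllowedOperation element are assumptions standing in for the slide's "constraints" idea, and the service URL, DNs and IDs are constructed. The rule that a relying party must treat an assertion with a condition it does not understand as invalid is the SAML 2.0 core rule, and it is what keeps an unknown restriction from silently widening into full impersonation.

```python
"""Enforce restricted delegation on a delegated SAML assertion before a BES service acts on it.
Added example, not from the slides.  AudienceRestriction is standard SAML 2.0; the 'rd:'
OperationRestriction condition is an assumed extension standing in for the slide's
'constraints' idea, and every name, URL and DN below is constructed."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
RD = "urn:example:restricted-delegation"          # hypothetical extension namespace
NS = {"saml": SAML, "rd": RD}
BES = "https://bes.deisa.example.org/BESFactory"  # constructed identifier of this service


def _assertion(conditions_xml):
    """Wrap a Conditions element in a constructed sample assertion signed (notionally) by Alice."""
    return ('<saml:Assertion xmlns:saml="%s" xmlns:xsi="%s" xmlns:rd="%s" Version="2.0" ID="_d1">'
            '<saml:Issuer>CN=Alice,OU=ZAM,O=GridGermany,C=DE</saml:Issuer>'
            '<saml:Subject><saml:NameID>CN=Alice,OU=ZAM,O=GridGermany,C=DE</saml:NameID></saml:Subject>'
            '%s</saml:Assertion>' % (SAML, XSI, RD, conditions_xml))


# Toaster-vs-car case: a valid time window but no scope at all.
FULL_IMPERSONATION = _assertion(
    '<saml:Conditions NotBefore="2009-03-03T13:00:00Z" NotOnOrAfter="2009-03-03T15:00:00Z"/>')
# Restricted: only this BES endpoint, only job creation and status polling (BES port type operations).
RESTRICTED = _assertion(
    '<saml:Conditions NotBefore="2009-03-03T13:00:00Z" NotOnOrAfter="2009-03-03T15:00:00Z">'
    '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
    '<saml:Condition xsi:type="rd:OperationRestrictionType">'
    '<rd:AllowedOperation>CreateActivity</rd:AllowedOperation>'
    '<rd:AllowedOperation>GetActivityStatuses</rd:AllowedOperation>'
    '</saml:Condition></saml:Conditions>' % BES)
# A condition this relying party has never heard of.
UNKNOWN_CONDITION = _assertion(
    '<saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
    '<saml:Condition xsi:type="rd:SomethingElseType"/></saml:Conditions>' % BES)


def check_delegation(assertion_xml, service_id, operation):
    """Return (True, delegator_dn) if the assertion lets `operation` run at `service_id`,
    else (False, reason).

    Policy: an assertion with no scope is full impersonation and is refused; every
    AudienceRestriction must name this service; a condition we do not understand makes the
    assertion Invalid (SAML 2.0 core, section 2.5.1); only the operations listed in the
    (assumed) OperationRestriction are allowed.  Signature and time-window checks are
    assumed to have been done already.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML:
        return False, "not a SAML assertion"
    delegator = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    conditions = root.find("saml:Conditions", NS)
    if conditions is None or len(conditions) == 0:
        return False, "no scope restriction: full impersonation refused"
    audience_seen, allowed = False, None
    for cond in conditions:
        if cond.tag == "{%s}AudienceRestriction" % SAML:
            # several AudienceRestriction elements are ANDed; audiences inside one are ORed
            audiences = {a.text.strip() for a in cond.findall("saml:Audience", NS) if a.text}
            if service_id not in audiences:
                return False, "assertion not addressed to %s" % service_id
            audience_seen = True
        elif (cond.tag == "{%s}Condition" % SAML
              and cond.get("{%s}type" % XSI) == "rd:OperationRestrictionType"):  # prefix compared literally
            allowed = {o.text.strip() for o in cond.findall("rd:AllowedOperation", NS) if o.text}
        else:
            return False, "unknown condition %s: assertion Invalid" % cond.tag
    if not audience_seen:
        return False, "no AudienceRestriction: assertion could be replayed at any service"
    if allowed is None:
        return False, "no operation restriction: full impersonation refused"
    if operation not in allowed:
        return False, "%s not in delegated operations %s" % (operation, sorted(allowed))
    return True, delegator
```

With these samples, check_delegation(RESTRICTED, BES, "CreateActivity") returns Alice's DN, while TerminateActivities on the same assertion, the same assertion presented to a different BES endpoint, the unscoped FULL_IMPERSONATION assertion and the UNKNOWN_CONDITION assertion are all refused with a reason the service can log.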
Security Profile Use Case

Retrieve attributes from VOMS
• Virtual Organization Membership Service (VOMS)
  • Acts as an attribute authority releasing signed attributes
  • (Shibboleth is also an attribute authority that might be used)
• Attributes state the position of a user in a VO (role, group, etc.)
Context: Computational Activities
• Base: Computational activities using OGSA-BES & JSDL
• Secure cross-Grid job submission using open standards for authentication and attribute-based authorization
  • IETF X.509 Certificates
  • OGF Open Grid Services Architecture (OGSA) Basic Execution Services (BES) & Job Submission Description Language (JSDL)
  • OASIS Security Assertion Markup Language (SAML)
[3] Morris Riedel et al., ‘Interoperation of World-Wide Production e-Science Infrastructures’, Concurrency and Computation: Practice and Experience, OGF Special Issue, 2008
Application Use Case WISDOM
Scientific application: the WISDOM workflow
Clients: GridSphere portal clients, gLite UI, UNICORE Rich Client
[Figure: the Attribute Authority VOMS (SAML interface) releases attributes to the clients. HTC resource within EGEE: Grid middleware gLite with CREAM-BES (OGSA-BES interface), security policies with gridmaps, GLUE-based information, common environment; farming job using Autodock, executed on worker nodes. HPC resource within DEISA: Grid middleware UNICORE with BES (OGSA-BES interface), security policies (e.g. XACML), GLUE-based information, common environment; massively parallel jobs with AMBER via DEISA modules. Data management with dCache (SRM interface, GridFTP interface), metadata catalogs for logical/physical mappings based on AMGA (WS-DAIS interface), storage resources (e.g. tape archives, robots).]
[5] Morris Riedel et al., ‘Improving e-Science with Interoperability of the e-Infrastructures EGEE and DEISA’, Proceedings of the 31st International Convention MIPRO 2008
Application Use Case VPH
Scientific application (e.g. bloodflow simulation HemeLB)
Application Hosting Environment (AHE) as science-specific client technology
[Figure: AHE retrieves credentials from the credential repository MyProxy (MyProxy interface). HPC resource within NGS: OMII-UK Grid middleware stack, GridSAM with CREAM-BES (OGSA-BES interface), security policies with gridmaps, GLUE-based information, common environment; massively parallel jobs with HemeLB. HPC resource within DEISA: Grid middleware UNICORE with BES (OGSA-BES interface), security policies (e.g. XACML), GLUE-based information, common environment; massively parallel jobs with HemeLB via DEISA modules. Storage resources (e.g. tape archives, robots) via GridFTP interface.]
Peter Coveney, Stefan Zasada, Morris Riedel, Johannes Reetz, et al.: preparation for the Virtual Physiological Human (VPH) project, which requires interoperability of numerous Grids
Summary
• Security is orthogonal to other Grid services and non-trivial
  • Different plumbings allow flexibility while still defining concrete usage
• OGF GIN is established to act as a forum for all that are interested in interoperability & interoperation
• Lessons learned drawn from world-wide GIN interop* efforts lead to the spin-off standardization activity PGI
  • PGI works to satisfy the demand for a world-wide Infrastructure Interoperability Reference Model (IIRM) based on standards
• IIRM is like a trimmed-down version of OGSA
  • History of computer science shows that complex architectures were often less used than their trimmed-down versions (cp. TCP vs. ISO/OSI, XML vs. SGML)
  • More limited than OGSA, but a more usable model today
• Join the OGF GIN & PGI Groups to meet interop* experts
• Contribute to the United Federation of Production Grid Infrastructures
References
[1] OGF Production Grid Infrastructure Working Group, http://www.ogf.org/gf/group_info/view.php?group=pgi-wg
[2] OGF Grid Interoperation Now Community Group, http://www.ogf.org/gf/group_info/view.php?group=gin-cg
[3] M. Riedel et al., Interoperation of World-Wide Production e-Science Infrastructures, accepted for publication in Concurrency and Computation: Practice and Experience Journal, 2008
[4] M. Riedel et al., Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures, Proceedings of Korea e-Science AH Meeting 2008, 2009
[5] M. Riedel, A.S. Memon, M.S. Memon, D. Mallmann, A. Streit, F. Wolf, Th. Lippert, V. Venturi, P. Andreetto, M. Marzolla, A. Ferraro, A. Ghiselli, F. Hedman, Zeeshan A. Shah, J. Salzemann, A. Da Costa, V. Breton, V. Kasam, M. Hofmann-Apitius, D. Snelling, S. van de Berghe, V. Li, S. Brewer, A. Dunlop, N. De Silva, Improving e-Science with Interoperability of the e-Infrastructures EGEE and DEISA, Proceedings of the 31st International Convention MIPRO, Conference on Grid and Visualization Systems (GVS), May 2008, Opatija, Croatia, Croatian Society for Information and Communication Technology, Electronics and Microelectronics, ISBN 978-953-233-036-6, pages 225-231
Acknowledgements
• Morris' travel and participation in OGF is funded by…
• Distributed European Infrastructure for Supercomputing Applications (DEISA)
  • DEISA2 is funded by the European Commission in FP7 under grant agreement RI-222919, grant period: May 1st 2008 – April 30th 2011
• Jülich Supercomputing Centre (JSC) of Forschungszentrum Jülich (FZJ) in the HELMHOLTZ association
Full Copyright Notice
Copyright (C) Open Grid Forum (2009). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.
The limited permissions granted above are perpetual and will not be revoked by the OGF or its successors or assignees.