GIN & PGI Security Profile
Towards an Interoperability Reference Model

Morris Riedel (FZJ – Jülich Supercomputing Centre & DEISA)
OGF GIN & PGI Co-Chair
02-03-2009


© 2008 Open Grid Forum

OGF IPR Policies Apply

• "I acknowledge that participation in this meeting is subject to the OGF Intellectual Property Policy."

• Intellectual Property Notices Note Well: All statements related to the activities of the OGF and addressed to the OGF are subject to all provisions of Appendix B of GFD-C.1, which grants to the OGF and its participants certain licenses and rights in such statements. Such statements include verbal statements in OGF meetings, as well as written and electronic communications made at any time or place, which are addressed to:
  • the OGF plenary session,
  • any OGF working group or portion thereof,
  • the OGF Board of Directors, the GFSG, or any member thereof on behalf of the OGF,
  • the ADCOM, or any member thereof on behalf of the ADCOM,
  • any OGF mailing list, including any group list, or any other list functioning under OGF auspices,
  • the OGF Editor or the document authoring and review process

• Statements made outside of an OGF meeting, mailing list or other function, that are clearly not intended to be input to an OGF activity, group or function, are not subject to these provisions.

• Excerpt from Appendix B of GFD-C.1: "Where the OGF knows of rights, or claimed rights, the OGF secretariat shall attempt to obtain from the claimant of such rights, a written assurance that upon approval by the GFSG of the relevant OGF document(s), any party will be able to obtain the right to implement, use and distribute the technology or works when implementing, using or distributing technology based upon the specific specification(s) under openly specified, reasonable, non-discriminatory terms. The working group or research group proposing the use of the technology with respect to which the proprietary rights are claimed may assist the OGF secretariat in this effort. The results of this procedure shall not affect advancement of document, except that the GFSG may defer approval where a delay may facilitate the obtaining of such assurances. The results will, however, be recorded by the OGF Secretariat, and made available. The GFSG may also direct that a summary of the results be included in any GFD published containing the specification."

• OGF Intellectual Property Policies are adapted from the IETF Intellectual Property Policies that support the Internet Standards Process.

Outline

• OGF GIN & PGI Groups
  • Short introduction, relationship between both OGF groups
• GIN & PGI Security Profile
  • The big picture, security plumbings, missing links & tunings
• Security Profile Use Case
  • VOMS as Attribute Authority, WISDOM, VPH pre-studies, …
• Summary
  • References & Acknowledgements

OGF GIN & PGI Groups

GIN & PGI Groups

• OGF Grid Interoperation Now (GIN) Community Group [2]
  • Cross-Grid use case applications that require resources in more than one Grid
  • (Often HTC and HPC interoperability)
  • Interoperation of multiple Grid infrastructures based on workarounds and small hacks / modifications
• OGF Production Grid Infrastructure (PGI) Working Group [1]
  • Takes gained experience from production interop of GIN into account
  • Standardization of a suitable set of standards based on lessons learned
  • Tunings, re-definition & focus on missing links between open standards

[Figure: the OGF GIN Group feeds "profiling & standardization of gained experience" into the OGF PGI Group; the PGI Group returns a "pointer to most relevant standardization work" to GIN]

GIN & PGI @ OGF25

• OGF Grid Interoperation Now (GIN) Community Group [2]: Update & Applications
  • Tuesday March 3rd, 2:00 pm - 3:30 pm, Location DaVinci
• OGF Production Grid Infrastructure (PGI) Working Group [1]: Workshop to learn about PGI
  • Wednesday March 4th, 4:00 pm - 5:30 pm, Location Leopardi

[Figure: the same GIN/PGI relationship as on the previous slide: standardization of gained experience flows from GIN to PGI, a pointer to the most relevant standardization work flows back]

The Big Picture (in progress)

GIN & PGI Security Profile

Security is orthogonal to layers

[4] Morris Riedel et al., 'Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures', Proceedings of Korea e-Science AH Meeting 2008, 2009

Orthogonal Security: Plumbings

Plumbing II - Authentication

Plumbing III - Authorization

Still work to do…

• Big picture in (many) GIN production Grids & efforts

[Figure: a SOAP message (OASIS WS-Security) carried over IETF TLS, with SOAP Header and SOAP Body. The header carries a SAML Assertion whose AttributeStatement element holds the VO support attributes and whose Constraints element holds restrictions, and a Proxy whose extensions carry attributes and restrictions/constraints (delegation of rights). The body carries OGF BES and OGF JSDL + Ext.]

Missing Links & Tunings

SAML Assertion Example

• Using SAML Assertions to convey attributes of users

  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" … >
    <saml:Issuer> … </saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">CN=Morris Riedel,OU=ZAM,OU=Forschungszentrum Juelich GmbH,O=GridGermany,C=DE</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="..." NotOnOrAfter="..." />
    <saml:AttributeStatement>
      <saml:Attribute Name="group-membership-id" NameFormat="urn...">
        <saml:AttributeValue xsi:type="xs:string">/deisa/group-interop</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    …
  </saml:Assertion>

Missing Links & Refinement

• n SAML Assertions in SOAP Messages (WS-Security)

  <soap:Envelope xmlns:soap="...">
    <soap:Header>
      <wsse:Security xmlns:wsse="...">
        <saml:Assertion xmlns:saml="..."> … </saml:Assertion>   (n times)
      </wsse:Security>
    </soap:Header>
    <soap:Body> ... </soap:Body>
  </soap:Envelope>

• Define structure and common semantics of attributes
  • Attributes state the position of a user in a VO (e.g. role, group, …)
  • E.g. approach /VONAME/GROUPNAME
  • E.g. approach /VONAME=XYZ/GENERALCAPABILITY=XYZ…

Restricted Delegation

• Proxies & SAML Assertions are used in production Grids
• But most Grid and e-science infrastructures operate on a security paradigm of 'full impersonation delegation of rights'
  • "If I delegate someone to buy me a toaster he is actually allowed to buy me a car – there are no restrictions what exactly to do"
• 'Proxies are not bad'
  • But the way proxies are used on the infrastructures is "bad"
  • Restrictions within proxies can be added into proxy extensions
• 'SAML assertions are not bad'
  • SAML assertions have the same drawback when no constraints are provided
  • Restrictions within SAML assertions can be coded in the SAML assertion constraints parts

[Figure: a standard Proxy with an extension carrying restrictions; a SAML Assertion with a constraints element]
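An added example (not from the slides or the GIN/PGI profile) of the service-side check that the "Missing Links & Refinement" slide and this slide call for: the n SAML assertions are pulled out of the wsse:Security header, their Conditions are enforced (validity window plus, as an assumed encoding of the restrictions, the standard SAML 2.0 AudienceRestriction), and the /VO/GROUP attribute values are parsed before the authorization decision. The namespace URIs are the standard ones; the message, issuer, subject DN, audience URI and attribute values are constructed placeholders.

```python
"""Consumer-side check of SAML assertions carried in a WS-Security header.
Signature verification (VOMS signs the attributes) is assumed done by the
WS-Security layer beforehand; here Conditions and VO attributes are evaluated."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Constructed sample in the shape of the slides' examples; issuer, subject DN,
# audience URI and attribute values are placeholders, not real identities.
SAMPLE_SOAP = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
<soap:Header><wsse:Security xmlns:wsse="{NS['wsse']}">
<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0" ID="_a1">
<saml:Issuer>CN=voms.example.org</saml:Issuer>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">CN=Example User,OU=ZAM,O=GridGermany,C=DE</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2009-03-02T00:00:00Z" NotOnOrAfter="2009-03-03T00:00:00Z">
<saml:AudienceRestriction><saml:Audience>urn:example:bes-endpoint</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="group-membership-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue>/deisa/group-interop</saml:AttributeValue>
<saml:AttributeValue>/VONAME=deisa/GENERALCAPABILITY=submit</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>
</wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertions_in(soap_xml):
    """All SAML assertions in the WS-Security header (the 'n times' of the slide)."""
    return ET.fromstring(soap_xml).findall("soap:Header/wsse:Security/saml:Assertion", NS)

def conditions_hold(assertion, now, audience):
    """Enforce Conditions: validity window plus AudienceRestriction (the constraints part)."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:  # no constraints at all means full impersonation; refuse
        return False
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_time(not_before):
        return False
    if not_after and now >= parse_time(not_after):
        return False
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    return not audiences or audience in audiences

def fqan_parts(value):
    """Split '/deisa/group-interop' or '/VONAME=deisa/CAP=submit' into (key, value) pairs."""
    parts = []
    for segment in value.strip("/").split("/"):
        key, _, val = segment.partition("=")
        parts.append((key, val) if val else ("", key))  # positional part: empty key
    return parts

def group_memberships(assertion):
    path = "saml:AttributeStatement/saml:Attribute[@Name='group-membership-id']/saml:AttributeValue"
    return [v.text.strip() for v in assertion.findall(path, NS) if v.text]

def authorize(soap_xml, now_stamp, audience, vo, group):
    """(subject DN, True) when some valid assertion places the subject in /vo/group."""
    now = parse_time(now_stamp)
    for assertion in assertions_in(soap_xml):
        if not conditions_hold(assertion, now, audience):
            continue  # expired, not yet valid, or issued for another service
        if any(fqan_parts(v)[:2] == [("", vo), ("", group)] for v in group_memberships(assertion)):
            return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS).strip(), True
    return None, False
```

The same assertion is accepted for the intended service inside its validity window and refused once it has expired or is presented to a different audience, which is the difference between an unconstrained and a restricted delegation.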

Security Profile Use Case

Retrieve attributes from VOMS

• Virtual Organization Membership Service (VOMS)
  • Acts as an attribute authority releasing signed attributes
  • (Shibboleth is also an attribute authority that might be used)
  • Attributes state the position of a user in a VO (role, group, etc.)

Context Comp. Activities

• Base: Computational activities using OGSA-BES & JSDL
  • Secure cross-Grid job submission using open standards for authentication and attribute-based authorization
  • IETF X.509 Certificates
  • OGF Open Grid Services Architecture (OGSA) Basic Execution Services (BES) & Job Submission Description Language (JSDL)
  • OASIS Security Assertion Markup Language (SAML)

[3] Morris Riedel et al., 'Interoperation of World-Wide Production e-Science Infrastructures', Concurrency and Computation: Practice and Experience, OGF Special Issue, 2008

Application Use Case WISDOM

[Figure: scientific application named as WISDOM Workflow; clients: GridSphere portal clients, gLite UI, UNICORE Rich Client; Attribute Authority VOMS with SAML Interface. Two middleware stacks behind OGSA-BES Interfaces: gLite with CREAM-BES (security policies with gridmaps, GLUE-based information, data management with dCache via SRM Interface, metadata catalogs for logical/physical mappings based on AMGA via WS-DAIS Interface, common environment: farming job using Autodock, executed on worker nodes of an HTC resource within EGEE) and UNICORE with BES (security policies e.g. XACML, GLUE-based information, common environment: massively parallel jobs with AMBER, DEISA modules with AMBER on an HPC resource within DEISA); GridFTP Interface to storage resources (e.g. tape archives, robots)]

[5] Morris Riedel et al., 'Improving e-Science with Interoperability of the e-Infrastructures EGEE and DEISA', Proceedings of the 31st International Convention MIPRO 2008

Application Use Case VPH

[Figure: scientific application (e.g. bloodflow simulation HemeLB); Application Hosting Environment (AHE) as scientific-specific client technology; Credential Repository MyProxy with MyProxy Interface. Two middleware stacks behind OGSA-BES Interfaces: OMII-UK Grid Middleware Stack, GridSAM with CREAM-BES (security policies with gridmaps, GLUE-based information, common environment: massively parallel jobs with HemeLB on an HPC resource within NGS) and UNICORE with BES (security policies e.g. XACML, GLUE-based information, common environment: massively parallel jobs with HemeLB, DEISA modules with HemeLB on an HPC resource within DEISA); GridFTP Interface to storage resources (e.g. tape archives, robots)]

Peter Coveney, Stefan Zasada, Morris Riedel, Johannes Reetz, et al., Preparation for the Virtual Physiological Human (VPH) project that requires interoperability of numerous Grids

Summary

• Security is orthogonal to other Grid services and non-trivial
  • Different plumbings allow flexibility by still defining concrete usage
• OGF GIN is established to act as a forum for all that are interested in interoperability & interoperation
• Lessons learned drawn from world-wide GIN interop* efforts lead to the spin-off standardization activity PGI
  • PGI works to satisfy the demand of a world-wide Infrastructure Interoperability Reference Model (IIRM) based on standards
  • IIRM is like a trimmed down version of OGSA
  • History of computer science shows that often complex architectures were less used than their trimmed down versions (cp. TCP vs. ISO/OSI, XML vs. SGML)
  • More limited than OGSA, but more usable model today
• Join the OGF GIN & PGI Group to meet interop* experts
  • Contribute to United Federation of Production Grid Infrastructures

References

[1] OGF Production Grid Infrastructure Working Group, http://www.ogf.org/gf/group_info/view.php?group=pgi-wg

[2] OGF Grid Interoperation Now Community Group, http://www.ogf.org/gf/group_info/view.php?group=gin-cg

[3] M. Riedel et al., 'Interoperation of World-Wide Production e-Science Infrastructures', accepted for publication in Concurrency and Computation: Practice and Experience Journal, 2008

[4] M. Riedel et al., 'Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures', Proceedings of Korea e-Science AH Meeting 2008, 2009

[9] M. Riedel, A.S. Memon, M.S. Memon, D. Mallmann, A. Streit, F. Wolf, Th. Lippert, V. Venturi, P. Andreetto, M. Marzolla, A. Ferraro, A. Ghiselli, F. Hedman, Zeeshan A. Shah, J. Salzemann, A. Da Costa, V. Breton, V. Kasam, M. Hofmann-Apitius, D. Snelling, S. van de Berghe, V. Li, S. Brewer, A. Dunlop, N. De Silva, 'Improving e-Science with Interoperability of the e-Infrastructures EGEE and DEISA', Proceedings of the 31st International Convention MIPRO, Conference on Grid and Visualization Systems (GVS), May 2008, Opatija, Croatia, Croatian Society for Information and Communication Technology, Electronics and Microelectronics, ISBN 978-953-233-036-6, pages 225 - 231

Acknowledgements

Morris: Acknowledgements

• Morris' Travel and Participation in OGF is funded by…
  • Distributed European Infrastructure for Supercomputing Applications (DEISA)
    • DEISA2 is funded by the European Commission in FP7 under grant agreement RI-222919, grant period: May 1st 2008 – April 30th 2011
  • Jülich Supercomputing Centre (JSC) of Forschungszentrum Jülich (FZJ) in the HELMHOLTZ association

Full Copyright Notice

Copyright (C) Open Grid Forum (2009). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.

The limited permissions granted above are perpetual and will not be revoked by the OGF or its successors or assignees.