Grid Security for the Cyber Science Infrastructure in Japan (PowerPoint presentation)



SLIDE 1

Grid Security for the Cyber Science Infrastructure in Japan

Shinichi Mineo (National Institute of Informatics)

International Symposium on Grid Computing 2007 28 March 2007, Academia Sinica, Taipei, Taiwan

SLIDE 2

Outline

  • Introduction of CSI (Cyber Science Infrastructure) & NAREGI Grid Middleware
  • A Use Case in NAREGI and its Security Model
  • Security Features developed for NAREGI Middleware
  • A plan of Authorization Service
  • Summary & Open Issues

SLIDE 3

Cyber-Science Infrastructure (CSI) for R & D (diagram)

Labels recoverable from the diagram: UPKI (National Research PKI Infrastructure); SuperSINET and Beyond (Lambda-based Academic Networking Backbone) linking Hokkaido-U, Tohoku-U, Tokyo-U, NII, Nagoya-U, Kyoto-U, Osaka-U, Kyushu-U (and Titech, Waseda-U, KEK, etc.); GeNii (Global Environment for Networked Intellectual Information); NII-REO (Repository of Electronic Journals and Online Publications); Deployment of NAREGI Middleware; Restructuring Univ. IT Research Resources; Extensive On-Line Publications of Results; Virtual Labs; Live Collaborations; Industry/Societal Feedback; International Infrastructural Collaboration.

SLIDE 4

Super SINET provides 10 Gbps Backbone


SLIDE 6

UPKI: Three Layer Architecture (diagram)

  • Grid PKI: the NAREGI CA at each university (A Univ., B Univ.) issues EE certs, and proxy certs derived from them are used for Grid Computing.
  • Campus PKI: each university's own CA (A Univ. CA, B Univ. CA) issues EE certs for intra-campus use to students, faculty, servers and supercomputers, for authentication, signing and encryption.
  • Open Domain PKI: the NII Public CA and other public CAs issue certs for web servers and S/MIME (signing, encryption); part of this layer is marked as a future plan.


SLIDE 8

NAREGI Software Stack, as of Beta ver. 2006 (diagram)

  • Computing Centers & VOs: NII, IMS, KEK, Univ. Centers
  • Globus 4 / NAREGI: WSRF + Services Core, over SuperSINET
  • Grid-Enabled Nano-Applications (WP6)
  • Grid PSE (WP3)
  • Grid Programming (WP2): Grid RPC, Grid MPI
  • Grid Vis (WP3)
  • Grid VM (WP1)
  • Packaging
  • Distributed Information Service (WP1)
  • Grid Workflow (WP3)
  • Super Scheduler (WP1)
  • High Performance & Secure Grid Networking (WP5)
  • Data Grid (WP4)

SLIDE 9

A Use Case: Job Submission with Reservation-based Co-Allocation (diagram)

Components shown: Client (WFT, PSE, GVS, GridRPC); Workflow (Abstract JSDL); Super Scheduler (Resource Query, Reservation-based Co-Allocation, producing Concrete JSDL); Information Service (DAI) holding Resource Info. and Accounting data (CIM, UR/RUS); GridVM on each Computing Resource (Reservation, Submission, Query, Control…); GridMPI across the computing resources.

SLIDE 10

Requirements in AAA

  • Authentication (developed: NAREGI-CA, to be deployed in UPKI)
    • PKI based user authentication
    • Compatible with GSI standards
    • Trust federation between CA's
  • Authorization (current issues to be solved)
    • VO management for inter-organizational collaboration
    • Interoperability with other Grid projects
  • Accounting (future issues)
    • ID federation for authn, authz, and charging
    • With privacy protection!

SLIDE 11

Trust Chain supported by UPKI (diagram)

Campus PKI Domain: the CA for Campus PKI issues EE certs held in IC cards. Grid PKI Domain: the CA for Grid PKI issues EE certs for GRID. The diagram shows CSR/ISSUE exchanges between the user and each CA, and certificate information (Certs Inf.) exchanged between the two domains.

SLIDE 12

VO Management in NAREGI

A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains.

Diagram: services and users are exposed in a Virtual Organization. Organization A (user 1, user 2, user 3; service_a, service_b, service_c) exposes service_a, service_c and user 1 (the VO Manager) under Contract A; Organization B (user p, user q, user r; service_x, service_y, service_z) exposes service_x, service_y and user p under Contract B. The organizations form the PKI domain, the VO forms the VO domain.

SLIDE 13

VOMS-type VO Management developed in EGEE (diagram)

The user obtains a User Cert from the CA/RA (which also publishes a CRL) and a Proxy Cert + VO attributes from VOMS; the VO attributes are carried in an X.509 Attribute Certificate (X.509 AC) holding DN, VO, group, role and capability. Grid job submission goes to GRAM at the EGEE Grid site, where mk-gridmapfile builds the gridmap file (DN > pseudo accounts); GACL and LCAS act as the Policy Decision Point.

SLIDE 14

VOMS-type VO Management adopted in NAREGI (diagram)

The user obtains a User Cert from the CA/RA (with CRL) and a Proxy Cert + VO attributes from VOMS. Grid Job Submission is managed by the Super Scheduler. At the NAREGI Grid site, GRAM, Account Mapping (gridmap file, policy file) and Grid VM act as Policy Decision & Enforcement Point on DN and VO info; the Information Service acts as Policy Information Point.

SLIDE 15

Job Management in NAREGI (diagram)

User → Super Scheduler (SS): Work Flow Description. SS ↔ Information Service (IS): User/Resource Information. SS → GridVM: Resource Reservation & Job Submission.

SLIDE 16

To Realize It …

In addition to the standard Grid security, the Super Scheduler (SS) must represent end users, which requires delegation of proxy certs to the SS.

A reliable and easy key store and VO attribute control must be supported, because private key storage and VOMS handling are troublesome for end users.

SLIDE 17

Delegation of Proxy Certs to SS: using the Second MyProxy (diagram)

Components shown: USER, NAREGI Portal, SS, GridVM, MyProxy, MyProxy2.

SLIDE 18

Delegation Procedure -1 (NAREGI Portal, SS, GridVM, MyProxy2)

  ① Job-WF: Workflow Description
  ② Job-Hash = hash(Job-WF)
  ③ Pass Phrase = Job-Hash
  ④ user-id = unique Id for Job-WF
  ⑤ myproxy-init(user-id, Pass Phrase)
  ⑥ Send Job-WF

SLIDE 19

Delegation Procedure -2 (NAREGI Portal, SS, GridVM, MyProxy2)

  ⑦ Extract user-id from Job-WF
  ⑧ Pass Phrase = hash(Job-WF)
  ⑨ myproxy-get-delegation(user-id, Pass Phrase); delete the used Proxy Cert
  ⑩ Globus Job submission
  ⑪ AuthN & AuthZ of users
  ⑫ Job submission to the local scheduler according to the AuthZ policy
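As an added illustration of the delegation procedure on slides 18 and 19 (this is not NAREGI's own code): a constructed in-memory store stands in for MyProxy2, the pass phrase is the hash of the job workflow, and it is assumed that the user-id is embedded in the workflow's first line before hashing so the SS can extract it. The SS can only fetch the proxy if it received exactly the workflow the portal hashed, and the credential is deleted on first use.

```python
import hashlib
import uuid

# Constructed stand-in for the MyProxy2 credential store (not the real MyProxy server):
# user-id -> (hash of pass phrase, delegated proxy credential)
class MyProxyStore:
    def __init__(self):
        self._store = {}

    def myproxy_init(self, user_id, passphrase, proxy_cert):
        # step 5: store the delegated proxy under user-id, protected by the pass phrase
        self._store[user_id] = (hashlib.sha256(passphrase.encode()).hexdigest(), proxy_cert)

    def myproxy_get_delegation(self, user_id, passphrase):
        # step 9: one-time retrieval; the used proxy cert is deleted afterwards
        entry = self._store.get(user_id)
        if entry is None:
            return None
        stored_hash, proxy_cert = entry
        if stored_hash != hashlib.sha256(passphrase.encode()).hexdigest():
            return None  # workflow changed in transit, or wrong pass phrase
        del self._store[user_id]
        return proxy_cert


def job_hash(job_wf: bytes) -> str:
    # steps 2/8: Job-Hash = hash(Job-WF); SHA-256 is an assumption, the slides say only "hash"
    return hashlib.sha256(job_wf).hexdigest()


HEADER = b"<!-- user-id: "  # assumed header line that carries the user-id inside Job-WF


def portal_submit(store, job_wf_body: bytes, proxy_cert: str) -> bytes:
    # portal side, steps 1-6: unique id, embed it, hash the workflow, store proxy, send workflow
    user_id = "job-" + uuid.uuid4().hex
    job_wf = HEADER + user_id.encode() + b" -->\n" + job_wf_body
    store.myproxy_init(user_id, job_hash(job_wf), proxy_cert)
    return job_wf


def scheduler_receive(store, job_wf: bytes):
    # SS side, steps 7-9: extract user-id, recompute the pass phrase, fetch the delegated proxy
    first_line, _, _ = job_wf.partition(b"\n")
    user_id = first_line[len(HEADER):-len(b" -->")].decode()
    return store.myproxy_get_delegation(user_id, job_hash(job_wf))
```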

SLIDE 20

Security model of Job Submission (diagram)

User on NAREGI Portal → Super Scheduler (SS): Workflow Description. SS ↔ Information Service (IS): User/Resource Information. Portal → MyProxy2: Store Proxy Certs. MyProxy2 → SS: Receive Proxy Certs. SS → GridVM: Resource reservation & Job submission. The links are labelled GSI.

SLIDE 21

Trust Chain in NAREGI Security Model (diagram)

The CA issues the EE Certificate to the User; a chain of Proxy Certs, each carrying the signature of the previous one, passes through MyProxy2, the Super Scheduler and GridVM, and the Job Description is tied to the chain through its Hash Value.

SLIDE 22

Private Key Store and VOMS Handling (diagram: User, CA, EE Cert, VOMS, MyProxy, Proxy Cert with Attr. Cert)

  ① Get EE Cert
  ② Get Proxy Cert by proxy-init command
  ③ Request for Attr. Cert
  ④ Store in the Proxy Cert
  ⑤ Delegation to MyProxy
  ⑥ Get Proxy Cert from NAREGI Portal
  ⑦ Job Submission

SLIDE 23

Private Key Store and VO Attribute Control by End Users

  • Difficult for end users to understand PKI and proper handling of certs
  • High risk in handling certs by end users themselves
  • Prefer to use Grid computing without a special environment such as GT
  • Need a unique naming method for proxy certs stored in MyProxy

SLIDE 24

NAREGI developed One-stop service by User Management Server (UMS) (diagram)

Components shown: NAREGI Portal, User, CA, EE Cert, UMS, VOMS, MyProxy, Proxy Cert with Attr. Cert.

SLIDE 25

Grid Job Submission using UMS (diagram)

  ① Log in to the Portal
  ② Select menu to make Proxy Cert with VO attr. and store it to MyProxy
  ③ Store the Proxy Cert with VO attr. to MyProxy2 (delegation)
  ④ SS analyzes WF and submits jobs (delegation to GridVM)

Components shown: Client Environment (User Certificate, Private Key), User Management Server (UMS), VOMS, MyProxy, Portal Services (WFT, PSE, GVS), SS client, The Super Scheduler (SS), MyProxy2, GridVM; a VOMS Proxy Certificate is passed along each hop.

SLIDE 26

Now We are developing AuthZ Service

Based on SAML 2.0 & XACML 2.0 with GT4.0 AuthZ Framework

  • NAREGI's XACML profile (A Plan)
    • Subject Attributes: maps VOMS attributes to XACML Subject Attributes; needs standardized attribute IDs for well-known types of credentials such as the VOMS attribute certificate
    • Resource Attributes: RAFM enables flexible resource attribute retrieval from the request message content to the SP; to support authorization for WS-Resource or finer-grained resources, this kind of mechanism is needed
    • Action Attributes: maps the GT4.0 AuthZ Framework Property to an XACML Action Attribute; wsa:Action may also work well
SLIDE 27

Security Architecture - Overview

  • CA: NAREGI-CA
  • Credential Management: MyProxy
  • VO Membership Management: VOMS
  • Authorization: NAREGI-AuthZ (Proto-type)

Diagram components: Information Service (Resources Info, incl. VO); NAREGI CA (User Certificate); Portal (log-in; WFT, PSE, GVS, SS client); Super Scheduler; MyProxy (Delegation Service, Proxy Certificate, Renewal); DataGrid; VO Management (VOMS with VO Attr. Mgmt., AuthZ Service, AuthZ Policy Repository, PDP, PEP&SP incl. CVS, PA); Site Management (Resource with GridVM and local Info. incl. VO, Local AuthZ Service, Local AuthZ Policy Repository, AA, PEP&SP, PIP, PDP, PA). Proxy Certificates flow between the components and the links are labelled GSI.

SLIDE 28

So far, we came…

Security service categories of The Open Grid Services Architecture, Version 1.0: Authentication, Identity Mapping, Credential Conversion, VO Policy; Privacy Services; Authorization Services; Trust Services; Attribute Services; Audit/Secure-Logging Services; Credential Validation Services; Bridge/Translation Services. Coverage marked on the slide: UPKI, NAREGI/VOMS, UPKI (TBD), UPKI (TBD).

SLIDE 29

Summary & Open Issues

  • CSI is composed of a high-speed backbone network, UPKI, Grid middleware and various services on it.
  • NAREGI has first developed a reliable AuthN system to be deployed in UPKI.
  • For VO management, VOMS has been adopted for interoperability with EGEE.
  • NAREGI is now developing an AuthZ service based on SAML 2.0 & XACML 2.0 with the GT4.0 AuthZ Framework.
  • ID management and Accounting remain open issues to be designed jointly with all the stakeholders in CSI.
  • Security is a key issue for CSI, which will integrate the next generation peta-scale computing facilities to innovate Academia and Industry in Japan.
