Grid Security for the Cyber Science Infrastructure in Japan 28 - PowerPoint PPT Presentation

International Symposium on Grid Computing 2007 Grid Security for the Cyber Science Infrastructure in Japan 28 March 2007, Academia Sinica, Taipei, Taiwan Shinichi Mineo (National Institute of Informatics)

Outline � Introduction of CSI (Cyber Science Infrastructure) & NAREGI Grid Middleware � A Use Case in NAREGI and its Security Model � Security Features developed for NAREGI Middleware � A plan of Authorization Service � Summary & Open Issues

Cyber-Science Infrastructure for R & D Cyber-Science Infrastructure （ CSI) NII-REO (Repository of Electronic Journals and Online Publications International Infrastructural Collaboration GeNii (Global Environment for Virtual Labs Networked Intellectual Information) Live Collaborations Deployment of NAREGI Middleware Industry/Societal Feedback UPKI: National Research PKI Infrastructure SuperSINET and Beyond: Hokkaido-U ★ Lambda-based Academic Networking Backbone ★ ● Tohoku-U Kyoto-U ☆ ★ ★ ★ Tokyo-U Kyushu-U ★ ＮＩＩ Nagoya-U ★ Osaka-U （ Titech, Waseda-U, KEK, etc.) Restructuring Univ. IT Research Resources Extensive On-Line Publications of Results

Super SINET provides 10 Gbps Backbone

Cyber-Science Infrastructure for R & D Cyber-Science Infrastructure （ CSI) NII-REO (Repository of Electronic Journals and Online Publications International Infrastructural Collaboration GeNii (Global Environment for Virtual Labs Networked Intellectual Information) Live Collaborations Deployment of NAREGI Middleware Industry/Societal Feedback UPKI: National Research PKI Infrastructure SuperSINET and Beyond: Hokkaido-U ★ Lambda-based Academic Networking Backbone ★ ● Tohoku-U Kyoto-U ☆ ★ ★ ★ Tokyo-U Kyushu-U ★ ＮＩＩ Nagoya-U ★ Osaka-U （ Titech, Waseda-U, KEK, etc.) Restructuring Univ. IT Research Resources Extensive On-Line Publications of Results

UPKI : Three Layer Architecture UPKI : Three Layer Architecture Future plan Sign, Encrpt. NII Other OpenDomain Pub CA Pub CA PKI Webｻｰﾊﾞ S/MIME Webｻｰﾊﾞ S/MIME Webｻｰﾊﾞ S/MIME Webｻｰﾊﾞ S/MIME Web Srv. S/MIME Web Srv. S/MIME Auth, Sign, Encrpt. Auth, Sign, Encrpt. Campus A Univ. B Univ. CA CA PKI 学内用 学内用 学内用 学内用 EE EE Grid Computing A Univ. B Univ. Grid NAREGI CA NAREGI CA PKI Proxy EE Proxy EE Proxy EE Proxy EE Proxy EE Proxy EE Server, Server, Student, Student, Super Computer Super Computer Faculty Faculty

Cyber-Science Infrastructure for R & D Cyber-Science Infrastructure （ CSI) NII-REO (Repository of Electronic Journals and Online Publications International Infrastructural Collaboration GeNii (Global Environment for Virtual Labs Networked Intellectual Information) Live Collaborations Deployment of NAREGI Middleware Industry/Societal Feedback UPKI: National Research PKI Infrastructure SuperSINET and Beyond: Hokkaido-U ★ Lambda-based Academic Networking Backbone ★ ● Tohoku-U Kyoto-U ☆ ★ ★ ★ Tokyo-U Kyushu-U ★ ＮＩＩ Nagoya-U ★ Osaka-U （ Titech, Waseda-U, KEK, etc.) Restructuring Univ. IT Research Resources Extensive On-Line Publications of Results

NAREGI Software Stack as of Beta ver. 2006 Grid-Enabled Nano-Applications (WP6) Grid PSE (WP3) Grid Vis (WP3) Grid Data Grid Programming (WP4) Grid Workflow (WP3) Packaging -Grid RPC Distributed -Grid MPI Super Scheduler Information Service (WP2) (WP1) (WP1) Globus 4 / NAREGI 4 / NAREGI - - WSRF + Services Core WSRF + Services Core Globus Grid VM (WP1) High Performance & Secure Grid Networking (WP5) - SuperSINET NII IMS KEK Univ. Centers Computing Centers & VOs

A Use Case : Job Submission with Reservation based Co-Allocation Workflow WFT, PSE, GVS, GridRPC Abstract JSDL Resource Information Super Query Client Service Scheduler DAI CIM Reservation based Reservation, Submission, Resource Query, Control… Co-Allocation Info. Concrete Concrete JSDL JSDL GridVM GridVM UR/RUS GridMPI Accounting Computing Resource Computing Resource

Requirements in AAA � Developed Authentication � PKI based user authentication NAREGI-CA to be � Compatible with GSI standards deployed in UPKI � Trust federation between CA’s Current Issues � Authorization � to be solved VO management for Inter-organizational collaboration � Interoperability with other Grid projects � Accounting � ID federation for authn, authz, and charging � With privacy protection! Future issues

Trust Chain supported by UPKI CA for CA for Grid PKI Campus PKI Certs Inf. ISSUE CSR ISSUE EE Cert in CSR EE Cert in I C Card I C Card EE Cert for GRID Campus PKI Grid PKI Domain Domain

VO Management in NAREGI A virtual organization(VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains. service_x service_c service_a service_y VO domain user 1 user p ( VO Manager ) Virtual Organization Services and Users are Contract A Contract B exposed in a Virtual Organization service_b service_x service_c service_z user 3 user q service_a service_y PKI domain user 2 user p user 1 user r Organization B Organization A

VOMS-type VO Management developed in EGEE CRL CA/RA DN,VO, Group, roll, capability MK-gridmapfile DN > pseudo accounts VOMS Gridmap GACL file Policy Decision LCAS Point User GRAM Grid Job Submission Proxy Cert User Cert + VO EGEE Grid site X.509AC

VOMS-type VO Management adopted in NAREGI CRL CA/RA Information DN,VO info Account Mapping Service Policy VOMS Gridmap Policy Information file file Point Grid Job Submission User GRAM Managed by Grid VM the Super Proxy Cert User Cert Scheduler + VO Policy Decision & Enforcement NAREGI Grid site Point

Job Management in NAREGI Resource Reservation Work Flow Description & Job Submission GridVM Super User Scheduler (SS) User/Resource Information Information Service (IS)

To Realize It … � In addition to the standard Grid Security, � Super Scheduler (SS) must represent end users � Delegation of Proxy Certs to SS � Reliable and easy key store and VO Attribute Control must be supported � Private key store and VOMS handling are troublesome for end users

Delegation of Proxy Certs to SS : using the Second MyProxy MyProxy MyProxy2 USER NAREGI SS Portal GridVM

Delegation Procedure -1 ① Job-WF :Workflow Description ② Job-Hash=hash (Job-WF) ③ Pass Phrase =Job-Hash MyProxy2 ④ user-id =unique Id for Job-WF ⑤ myproxy-init(user-id, Pass Phrase) NAREGI SS Portal GridVM ⑥ send Job-WF

Delegation Procedure -2 ⑦ subtract user-id from Job-WF ⑧ Pass Phrase=hash(job-WF) ⑨ myproxy-get-delegation(user-id, MyProxy2 Pass Phrase) Delete the used Proxy Cert ⑩ Globus Job submission NAREGI SS Portal ⑪ AuthN &AuthZ of users GridVM ⑫ Job submission to the local scheduler according to the Authz policy

Security model of Job Submission Resource reservation &Job submission Workflow Description User on GridVM Super Scheduler NAREI Portal (SS) GSI GSI Receive User/Resource Information Store Proxy Proxy Certs Certs GSI MyProxy Information 2 Service (IS)

Trust Chain in NAREGI Security Model CA MyProxy2 GridVM EE Certificate Proxy Cert Proxy Cert Proxy Cert Proxy Cert Signature Job Description Hash Value Super Scheduler User

Private key Store and VOMS Handling CA VOMS ③ Request for Attr. Cert, ④ Store in the Proxy Cert MyProxy ⑤ Delegation to MyProxy Attr. Cert Attr. Cert Proxy Cert Proxy Cert EE Cert ① Get EE Cert ② Get Proxy Cert by ⑥ Get Proxy Cert proxy-init command from NAREGI Portal User ⑦ Job Submission

Private Key Store and VO Attribute Control by End Users � Difficult for end users to understand PKI and proper handling of certs � High Risk in handling certs by end users themselves � Prefer to use Grid computing without special environment such as GT � Need Unique naming Method for proxy certs stored in MyProxy

NAREGI developed One-stop service by User Management Server (UMS) CA VOMS UMS MyProxy Attr. Cert Attr. Cert Proxy Cert Proxy Cert EE Cert NAREGI User Portal

Grid Job Submission using UMS ② Select menu to make Proxy Cert with VO attr. And ③ Store the Proxy Cert with VOMS store it to MyProxy VOMS VO Attri. To MyProxy2 MyProxy MyProxy VOMS VOMS Proxy delegation Proxy Certificate Certificate MyProxy2 MyProxy2 User Management User Management Server(UMS) VOMS Server(UMS) VOMS Proxy Proxy VOMS User Certificate VOMS Certificate Proxy Certificate Proxy Certificate Certificate delegation delegation Private Key Grid Jobs delegation GridVM Client Environment Client Environment The Super WFT Scheduler (SS) SS client Users VOMS VOMS GridVM Portal Proxy VOMS PSE Proxy VOMS Log in Services Certificate Proxy Certificate Proxy Workflow Certificate Certificate GVS GridVM (WF) ① Log in to the Portal ④ SS analyzes WF and submits jobs