
Grid Technologies for AAI* in Selected Grid Infrastructures and using a subset of the available technologies (2010). David Groep, Nikhef, with graphics by many others from publicly available sources ... based on the ISGC2010 Security Middleware presentation.


  1. Grid Technologies for AAI* in Selected Grid Infrastructures and using a subset of the available technologies (2010)
     - David Groep, Nikhef
     - with graphics by many others from publicly available sources ... based on the ISGC2010 Security Middleware presentation

  2. Grid is global
     - based around (dynamic) user communities, not around their home organisations
     - that may live long or be over quickly
     - deal with compute, data, visualisation, services, and more
     - and can consist of staff, students, technicians, …
     (EGI-TF10 NREN-Grids workshop, Sept. 2010)

  3. A Typical Grid Scenario

  4. Non-interactive, autonomous work

  5. Or via portals
     - Flexible portals acting on behalf of the user
     - work-flow portals with canned applications
     - turn-around: minutes to hours

  6. What drove the Grid AAI model
     - Accommodate multiple sources for assertions
     - AuthN vs. AuthZ is a logical, implementable separation
     - Accommodate delegation (disconnected operation)
       - Entities act on behalf of a user
     - Service providers do not know (or cannot fully trust) each other
     - Commensurate impact of resource compromise
       - compromise of a small resource should have limited impact
     - Accommodate individual, independent researchers
       - collaboration without the necessity to involve bureaucracy
     - Inspire enough trust for resource providers to relinquish per-user local registration and allow direct access to their systems
     - Has to work now (and has had to work since 2002!)

  7. ‘GRID’ SECURITY MECHANISM FOUNDATIONS AND SCOPE
     - Authentication (vs. Authorization)
     - Obtaining a trustworthy unique, persistent ID
     - Delegation and proxies

  8. A coordinated trust fabric: IGTF
     - A ‘policy bridge’ infrastructure for authentication
     - Today there are 86 accredited authorities, from 54 countries or economic regions
     - Direct relying party (customer!) representation & influence, from countries … and major cross-national organisations: EGI, DEISA, wLCG, TERENA, PRAGMA (APGridPMA), TeraGrid (TAGPMA), Open Science Grid (TAGPMA)

  9. Authentication Policy Guidelines
     - IGTF established a single trust fabric, incorporating authorities using different techniques
     - Profiles:
       - Classic PKI: real-time vetting, identifier association (F2F or TTP), 13 months life time
       - SLCS: existing IdM databases, 100k – 1Ms life time
       - MICS: IdM federation with F2F-managed, revocable identity, 13 months max
     - Common elements: unique subject naming, publication & IPR, contact and incident response, auditability
     - https://www.eugridpma.org/guidelines/

  10. Hiding PKI internals from the User
     - PKI is a great transport technology … but a no-go for most users
     - How to hide the PKI internals?
       - do away with multiple ID checks by leveraging federations (TERENA TCS, SWITCHaai, DFNaai)
       - hide credential management in client tools (jGridstart)
       - offer credential management as a service (MyProxy)
     - the user does not see the PKI that drives the infrastructure

  11. A Federated PKI
     - Use your federation ID ... to authenticate to a service ... that issues a certificate ... recognised by the Grid today
     - Implementations: DFN Grid CA, SWITCHaai SLCS, TERENA eScience Personal CA, CI Logon (Q4 2010), ARCS CA (end 2010)
     - (Outdated graphic from: Jan Meijer, UNINETT)

  12. AUTOMATED TASKS, SERVICES, AND BROKERING
     - Delegation (RFC3820)

  13. Distributed Services in Grid
     - Example file transfer services: managed third-party copy via the SRM protocol (SRM graphic: Timur Perelmutov and Don Petravick, Fermilab, US). [Figure; recoverable labels: 1. data creation; 2. SRM-PUT; 3. register replica (via RRS) in the Replica Manager / Replica Catalog; 4. SRM-COPY Tier0 to Tier1; 5. SRM-GET; 6. GridFTP ERET (pull mode); 7. SRM-COPY Tier1 to Tier2; 8. SRM-PUT; 9. GridFTP ESTO (push mode); 10. SRM-GET; users retrieve data for analysis. Storage shown: CASTOR at CERN (Tier 0), Enstore/dCache at FNAL (Tier 1), a Tier 2 cache.]
     - Example automatic workload distribution across many sites in a Grid

  14. Delegating rights and privileges

  15. Delegation – why break the recursion?
     - Mechanism to have someone, or something (a program) act on your behalf
       - as yourself
       - with a (sub)set of your rights
     - Essential for the grid model to work
       - since the grid is highly dynamic and resources do not necessarily know about each other
       - only the user (and VO) can ‘grasp’ the current view of their grid
     - GSI-PKI (and now finally some recent SAML) define delegation
       - GSI (PKI) through ‘proxy’ certificates (see RFC3820)
       - SAML through Subject Confirmation, linking to at least one key or name

  16. Delegation, but to whom?
     - RFC3820: dynamic delegation via ‘proxy certs’
     - Subject name of the proxy derived from the issuer: “/DC=org/DC=example/CN=John Doe/CN=24623/CN=535431” is a proxy for user “/DC=org/DC=example/CN=John Doe”
     - Contains policy constraints on delegation
     - AuthZ based on end-entity + embedded attributes & policies
     - with SAML, delegation can be to any NameID
       - in RFC3820, these are called ‘independent proxies’

  17. Verifying authentication and X.509
     - ‘Conventional’ PKI engines in the *nix domain
       - OpenSSL, Apache mod_ssl, nss
       - Java JCE providers, such as BouncyCastle
       - Perl, Python usually wrappers around OpenSSL
     - With proxy support
       - OpenSSL (0.9.8+)
       - Globus Toolkit (C, Java)
       - gLite proxyVerify library (LCMAPS)
       - gLite TrustManager on Java’s BouncyCastle
       - GridSite
     - and always ensure proxy policies are implemented & enforced
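The naming rule on slide 16 and the "ensure proxy policies are enforced" point on slide 17, as an added example that is not from the slides or any of the listed libraries: it checks that each proxy subject is its issuer's DN plus exactly one CN, that the chain is contiguous, that pCPathLenConstraint is respected, and whether an ‘independent’ proxy cut off inherited rights. The `ProxyCert` type, the '/'-separated DN strings and the chain are constructed for illustration; a real verifier would fill them from an X.509 chain whose signatures it has already validated and would confirm that the top issuer is a non-proxy end-entity certificate.

```python
"""Added example: RFC 3820 proxy-certificate naming and policy checks
over a delegation chain, using the '/'-separated DN form from slide 16."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy-language OIDs defined by RFC 3820.
INHERIT_ALL = "1.3.6.1.5.5.7.21.1"   # proxy holds all rights of its issuer
INDEPENDENT = "1.3.6.1.5.5.7.21.2"   # proxy inherits no rights at all


@dataclass
class ProxyCert:
    """Fields of a proxy certificate this check needs (hypothetical type)."""
    subject: str
    issuer: str
    policy: str = INHERIT_ALL          # proxyPolicy.policyLanguage
    path_len: Optional[int] = None     # pCPathLenConstraint, None = absent


def split_dn(dn: str) -> List[str]:
    return [rdn for rdn in dn.split("/") if rdn]


def is_proxy_name(subject: str, issuer: str) -> bool:
    """RFC 3820 section 3.4: subject == issuer plus exactly one extra CN."""
    s, i = split_dn(subject), split_dn(issuer)
    return len(s) == len(i) + 1 and s[:-1] == i and s[-1].startswith("CN=")


def verify_proxy_chain(chain: List[ProxyCert]) -> Tuple[str, bool]:
    """chain[0] is the leaf proxy, chain[-1] the proxy signed by the end entity.
    Returns (end_entity_dn, rights_inherited); raises ValueError on a violation."""
    if not chain:
        raise ValueError("empty chain")
    inherited = True
    budget = None                      # proxies still allowed below this point
    for depth, cert in enumerate(reversed(chain)):   # walk from the EEC downward
        if not is_proxy_name(cert.subject, cert.issuer):
            raise ValueError("subject is not issuer + one CN: " + cert.subject)
        if depth and cert.issuer != chain[-depth].subject:
            raise ValueError("chain is not contiguous at " + cert.subject)
        if budget is not None:         # an issuer above limited further proxying
            if budget == 0:
                raise ValueError("pCPathLenConstraint exceeded at " + cert.subject)
            budget -= 1
        if cert.path_len is not None:  # a proxy may only tighten the limit
            budget = cert.path_len if budget is None else min(budget, cert.path_len)
        if cert.policy == INDEPENDENT:
            inherited = False          # 'independent proxy': no delegated rights
        elif cert.policy != INHERIT_ALL:
            raise ValueError("unknown proxy policy language " + cert.policy)
    return chain[-1].issuer, inherited
```

With the two proxies from slide 16 chained under “/DC=org/DC=example/CN=John Doe”, `verify_proxy_chain` returns that user DN and `True`; a proxy whose issuer set `path_len=0`, or whose subject adds anything other than one CN, is rejected.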

  18. USER COMMUNITY MODELS
     - Community organisation
     - Proxies and delegation with attributes: VOMS
     - Authorization with VOMS: autonomous, GUMS
     - Towards a multi-authority world

  19. Authorization: VO representations
     - VO*: directory (database) of members, groups, roles, attributes
       - based on identifiers issued at the AuthN stage
     - Membership information is to be conveyed to the resource providers
       - configured statically, out of band
       - in advance, by periodically pulling lists from VO (LDAP) directories
       - in VO-signed assertions pushed with the request: VOMS, Community AuthZ Service
       - push or pull assertions via SAML
     - * this is the ‘EGI’ or e-Infrastructure sense of VO, representing users. Other definitions at times include resource providers, in a more vertically oriented ‘silo’ model

  20. VOMS: the ‘proxy’ as a container
     - Virtual Organisation Management System (VOMS)
       - developed by INFN for EU DataTAG and EGEE
       - used by VOs in EGI, Open Science Grid, NAREGI, …
     - push-model signed VO membership tokens
       - using the traditional X.509 ‘proxy’ certificate for trans-shipment
       - fully backward-compatible with only-identity-based mechanisms

  21. VOMS model

  22. GUMS model
     - VO configuration replicated (synchronized) locally at the site
     - Here, pushed VOMS attributes are advisory only
     - Graphic: Gabriele Garzoglio, FNAL

  23. Attributes from many sources
     - In ‘conventional’ grids, all attributes are assigned by the VO
     - but there are many more attributes, and some of these may be very useful for grid
     - (grid structure was not too much different!)

  24. Towards a multi-authority world (AAI)
     - Interlinking of technologies can be done at various points:
       1. Authentication: linking (federations of) identity providers to the existing grid AuthN systems, via ‘Short-Lived Credential Services’ translation bridges
       2. Populate VO databases with UHO attributes
       3. Equip resource providers to also inspect UHO attributes
       4. Express VO attributes as a function of UHO attributes
       - and most probably many other options as well …
     - Leads to assertions with multiple LoAs in the same decision
       - thus all assertions should carry their LoA
       - expressed in a way that’s recognisable
       - and the LoA attested to by ‘third parties’ (e.g. the federation)
