Introduction to Grid Security
1 Introduction to Grid Security
  Mika Silander, Helsinki Institute of Physics
  T Grid Technologies and Applications, TKK

2 Outline
  - Background
  - Functionality overview
  - Virtual Organisations
  - Certification
  - Standardisation
  - Security components
  - Summary
  - References

3 Background
  - Traditional security solutions in a new context
  - Challenges due to the distributed environment and resources:
    - size of the user community
    - numerous collaborating but independent organisations
    - amount of resources to be managed
  - History: Akenti, Legion, Globus, UNICORE...

4 Background/2
  - Organisations developing security solutions:
    - EGEE Middleware Security Working Group (MSWG) and JRA1 Security Group
    - UNICORE
    - KnowARC & NorduGrid
    - Globus Alliance
  - Organisations fostering security standardisation: Open Grid Forum (OGF)
  - Bodies defining security standards: OASIS, WS-I, W3C, IETF

5 Functionality overview
  - Authentication
  - Single Sign-On (SSO)
  - Delegation
  - Authorisation
  - Non-repudiation
  - Integrity
  - Confidentiality
  - Logging & Auditing
6 Virtual Organisations

7 Virtual Organisations/2
  - Wikipedia definition: a group of individuals or institutions who share the computing resources of a "grid" for a common goal
  - Alleviates the need for local account management: resources are assigned to the VO instead of to an individual user (account)
  - Users become members of VOs
  - A means for controlled resource sharing
  - Life-cycles (both long and short)

8 Virtual Organisations/3
  (figure: NorduGrid VO listing from the NorduGrid web site; the figure text itself is not recoverable)

9 OGSA Security initiative
  - Part of the OGSA standard of OGF
  - Assumption: grid collaborations span multiple administrative domains
  - Defines a set of security services needed in grid middleware
  - The services facilitate the administration, expression, publishing, discovery, communication, verification, enforcement and reconciliation of the security policy [6]
  - Goal: to enable Virtual Organisations to enforce their security-related policy
  - Leads to multiple policies being enforced concurrently
10 Functional capabilities of OGSA Security
  (illustration from [6])

11 Authentication
  - PKI and X.509 certificates
  - Mutual authentication
  - TLS/SSL communication channels
  - OpenSSL
  - Certificate revocation:
    - Certificate Revocation Lists (CRLs)
    - (Online Certificate Status Protocol (OCSP))

12 X.509v3 recap
  (adapted from [11])

13 Mutual authentication
  (mutual authentication in SSL, adapted from [11])

14 Certification
  - Certificates for users and hosts: X.509 certificates, host certificates, service certificates
  - Certification authorities and policies:
    - Certification Practice Statements (see RFC 2527)
    - European Union Grid Policy Management Authority (EU GridPMA)
    - International Grid Trust Federation (IGTF)

15 International Grid Trust Federation
  TAGPMA, EUGridPMA, APGridPMA (figure from [16])
16 Single Sign-On (SSO)
  - Characteristics of a grid job:
    - More resources may be needed dynamically
    - Many intermediate services participate in the execution of a job
    - Jobs often consist of several smaller subtasks
  - Questions: is a grid user willing to
    - type in the pass phrase of her private key to authenticate every time new services are contacted or new resources are needed?
    - wait online between authentications when jobs may run for weeks?

17 Single Sign-On (SSO)/2
  - Authentication needs to be done automatically
  - Login once, access multiple times, a.k.a. Single Sign-On
  - Solution: grid users generate a short-lived X.509 proxy certificate using their long-term X.509 user certificate
  - Client programs use this proxy for all authentications

18 Single Sign-On (SSO)/3
  (illustration adapted from [7])

19 Grid Security Infrastructure (GSI)
  - Provides mutual authentication, Single Sign-On and delegation
  - Developed by Globus
  - Relies on X.509 certificates for authentication
  - Implements the Generic Security Services API (GSS-API)
  - Built on top of OpenSSL; required modifications to recognise proxy certificates

20 Grid Security Infrastructure (GSI)/2
  - OpenSSL: now with experimental proxy certificate support (see RFC 3820)
  - GSI-OpenSSH: a modified OpenSSH that accepts proxy certificates for authentication
21 Grid Security Infrastructure (GSI)/3
  - Command line tools: grid-proxy-init, grid-proxy-info, grid-proxy-destroy
  - Creating an RFC 3820 compliant proxy (SSO):

    ~]$ grid-proxy-init -rfc
    Your identity: /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander
    Enter GRID pass phrase for this identity:
    Creating proxy... Done
    Your proxy is valid until: Wed Jan 9 04:56:

22 Grid Security Infrastructure (GSI)/4
  - Contents of the RFC 3820 compliant proxy:

    ~]$ grid-proxy-info
    subject  : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander/CN=
    issuer   : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander
    identity : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander
    type     : RFC 3820 compliant impersonation proxy
    strength : 512 bits
    path     : /tmp/x509up_u500
    timeleft : 11:59:58

  - Old legacy (GSI) style proxy:

    [mika@pchip12 ~]$ grid-proxy-info
    subject  : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander/CN=proxy
    issuer   : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander
    identity : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander
    type     : full legacy globus proxy
    strength : 512 bits
    path     : /tmp/x509up_u500
    timeleft : 11:59:54
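The grid-proxy-info output above shows the one thing a relying party can read off a proxy chain without any extension parsing: each proxy's subject is its issuer's subject plus one extra CN component, and the identity is the name of the first certificate that is not a proxy. The following is an added example, not code from these slides, from Globus or from OpenSSL; it models only that naming relationship for the three proxy types the slides show, derives the identity and the chain's remaining lifetime from constructed certificate names, and treats the name rule as a necessary condition only (a real validator also checks signatures, validity periods, path-length limits and the ProxyCertInfo extension). The CA name and the clock value are constructed.

```python
"""Proxy certificate naming rules as seen in grid-proxy-info output.

Added example; not code from the slides, Globus or OpenSSL.  It models only
the subject-name relationship between the certificates of a proxy chain:
  - a proxy's subject is its issuer's subject plus exactly one more CN;
  - a legacy Globus proxy uses CN=proxy (full) or CN=limited proxy (limited);
  - an RFC 3820 proxy uses a numeric serial number as that CN;
  - the identity is the subject of the first non-proxy certificate, and the
    chain's remaining lifetime is the shortest lifetime in it.
Signatures, validity periods, path-length limits and the ProxyCertInfo
extension are not modelled.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CertName:
    subject: str        # OpenSSL one-line form, e.g. /O=Grid/CN=Name
    issuer: str
    not_after: datetime


def dn_components(dn):
    """'/O=Grid/O=NorduGrid/CN=x' -> ['O=Grid', 'O=NorduGrid', 'CN=x'].
    DN values that themselves contain '/' are not handled by this split."""
    return [c for c in dn.split("/") if c]


def classify(cert):
    """Return the proxy type string or 'end entity certificate'."""
    subj = dn_components(cert.subject)
    iss = dn_components(cert.issuer)
    if len(subj) != len(iss) + 1 or subj[:-1] != iss:
        return "end entity certificate"
    last = subj[-1]
    if not last.startswith("CN="):
        raise ValueError("proxy subject must extend the issuer with a CN: " + cert.subject)
    cn = last[3:]
    if cn == "proxy":
        return "full legacy globus proxy"
    if cn == "limited proxy":
        return "limited legacy globus proxy"
    if cn.isdigit():
        return "RFC 3820 compliant impersonation proxy"
    raise ValueError("unrecognised proxy CN component: " + cn)


def identity_of(chain):
    """chain[0] is the outermost proxy, chain[-1] the end-entity certificate.
    Returns (identity DN, proxy types from the outside in, limited?)."""
    types, limited = [], False
    for cert in chain:
        kind = classify(cert)
        if kind == "end entity certificate":
            return cert.subject, types, limited
        types.append(kind)
        if kind.startswith("limited"):
            limited = True
    raise ValueError("chain contains no end-entity certificate")


def time_left(chain, now):
    """Remaining lifetime of the whole chain in grid-proxy-info's H:MM:SS form."""
    secs = max(int((min(c.not_after for c in chain) - now).total_seconds()), 0)
    return "%d:%02d:%02d" % (secs // 3600, (secs % 3600) // 60, secs % 60)


# Constructed sample chain: a limited proxy delegated from a full legacy proxy.
USER_DN = "/O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander"
CA_DN = "/O=Grid/O=NorduGrid/CN=Certification Authority"    # constructed issuer
NOW = datetime(2008, 1, 8, 16, 56, tzinfo=timezone.utc)        # constructed clock
SAMPLE_CHAIN = [
    CertName(USER_DN + "/CN=proxy/CN=limited proxy", USER_DN + "/CN=proxy",
             NOW + timedelta(hours=6)),
    CertName(USER_DN + "/CN=proxy", USER_DN, NOW + timedelta(hours=12)),
    CertName(USER_DN, CA_DN, NOW + timedelta(days=365)),
]

if __name__ == "__main__":
    identity, kinds, limited = identity_of(SAMPLE_CHAIN)
    print("identity :", identity)
    print("types    :", kinds, "(limited)" if limited else "")
    print("timeleft :", time_left(SAMPLE_CHAIN, NOW))
```

Two points the code makes visible: a limited proxy anywhere in the chain makes the whole chain limited, which is why identity_of carries that flag outwards, and the usable lifetime is bounded by the shortest certificate in the chain, not by the outermost proxy alone.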
23 TrustManager
  - An authentication module for X.509 certificate validation in Java applications, typically in Java clients and web service containers, e.g. Tomcat
  - Currently maintained within EGEE-III as part of the gLite middleware
  - Features: proxy certificate support, PEM format, periodic reloads of CRLs, periodic reloads of proxy certificates

24 Delegation
  (illustrations from [1])

25 Delegation/2
  - Variants: user-to-service, service-to-service (host-to-host)
  - Types of delegated credentials:
    - Legacy (Globus GSI): full & limited proxy
    - RFC 3820 compliant
  - Components related to delegation: GSI (non-WS), MyProxy, Globus TK4 delegation service, GridSite

26 Delegation protocol
  (illustration from [5])

27 Multi-step delegation
28 MyProxy
  - An online credential repository (OCR) service
  - Manages a user's certificates (user or proxy); users may later retrieve certificates for themselves, or offer them to a Grid portal acting on their behalf
  - Delegates users' rights to Grid portals: portals simplify grid usage but need access rights to act on the user's behalf, so portals request rights delegations from OCRs
  - Uses GSI internally for mutual authentication of portals and users in interactions

29 MyProxy components
  - MyProxy repository server
  - Client tools:
    - myproxy-init, myproxy-logon (proxy certs)
    - myproxy-store, myproxy-retrieve (long-term)
    - myproxy-destroy
  - Implementation languages: complete implementation in C, clients available in Java

30 MyProxy interactions: initialisation
  - Storing a long-lifetime proxy certificate or end user certificate into MyProxy (illustrations from [4,5])

31 MyProxy interactions: retrieving a proxy credential
  - Users for themselves, or users for a web portal (illustrations from [4])

32 MyProxy interactions: credential renewal
  - Long running jobs (illustration from [5])
33 Delegation Service
  - The Globus Toolkit v4 delegation component
  - Similar to GSI delegation but in an OGSA-style approach
  - Caches delegated credentials for services hosted in the same web services container as the delegation service
  - Supports credential refreshing and removal; notifies registered services about refreshes
  - Supports further delegations

34 Delegation Service: WS-GRAM recap
  (figure, illustration from [13]; labels: client, delegate, submit job, xfer request, Delegation, GRAM services, RFT, GridFTP, sudo, local job control, GRAM adapter, local sched., user job, compute element and service host(s), FTP control, FTP data, remote storage element(s))

35 Trends in authentication
  (illustration from [14])

36 Trends in authentication/2
  - From certificate-based authentication to several alternative identity-based authentication methods:
    - GridShib: Shibboleth-based authentication to Globus
    - Short-Lived Certificate Service (SLCS): temporary X.509 user certificates against a Shibboleth account and password
    - VOMS Attributes from Shibboleth (VASH)
  - Transition towards SOA solutions, e.g. the Globus TK v4 Java WS Authentication & Authorisation module
37 Authorisation
  - Local account based authorisation: GSI, LCAS/LCMAPS, glexec and SCAS (in between authentication and authorisation)
  - Virtual Organisation Membership Service (VOMS)
  - Community Authorization Service (CAS)
  - Grid Access Control List (GACL): Apache-inspired access control for storage systems, web services

38 GSI authorisation problem

39 GSI and Web Services
  (adapted from [12])

40 gLite LCAS/LCMAPS
  - Local Centre Authorization Service (LCAS): performs authorisation before a job is run on the local computing element, based on the grid credentials of the incoming job submission
  - Local Credential MAPping Service (LCMAPS): maps credentials to local accounts in computing elements:
    - DN to unix account (like the GSI gridmap-file)
    - DN to dynamic pool accounts
    - VOMS groups, roles, capabilities to UNIX groups
    - DN to Kerberos and AFS tokens
  - Maintains credential mappings of running jobs in an internal persistent Job Repository
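The two LCMAPS mappings most sites rely on, DN to a fixed unix account and VOMS group or role to a dynamic pool account, come down to an ordered lookup followed by a lease. The following is an added example, not LCMAPS or gLite code. The grid-mapfile line format, a quoted DN followed by an account name, follows the GSI gridmap-file shown on the slide; the convention that an account name beginning with "." names a pool, and the lease table that keeps a credential on the same pool account while it still has work running (a stand-in for what the slide calls the Job Repository), are this example's own simplifications. The mapfile, pool sizes and DNs below are constructed.

```python
"""A small LCMAPS-style credential-to-account mapper.

Added example; not LCMAPS or gLite code.  Mappings: DN -> fixed unix account
(grid-mapfile), VOMS group or role -> dynamic pool account.  An account name
starting with '.' names a pool (example convention); leases keep the same
credential on the same pool account until released.
"""
import shlex


def parse_gridmap(text):
    """(pattern, account) pairs in file order.  The first match wins, so
    specific entries must precede general ones."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # the DN is quoted: it contains spaces
        if len(parts) != 2:
            raise ValueError("malformed grid-mapfile line: " + line)
        entries.append((parts[0], parts[1]))
    return entries


def short_fqan(fqan):
    """'/vo/grp/Role=NULL/Capability=NULL' -> '/vo/grp'; a real role is kept."""
    parts = [p for p in fqan.split("/")
             if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(parts)


class Mapper:
    def __init__(self, gridmap_text, pool_sizes):
        self.entries = parse_gridmap(gridmap_text)
        self.pool_sizes = pool_sizes       # pool name -> number of accounts in it
        self.leases = {}                   # (pool, dn) -> account currently leased
        self.in_use = {}                   # pool -> set of leased accounts

    def map_credential(self, dn, fqans=()):
        """Local account for a DN plus optional VOMS attributes.  Raises
        PermissionError when nothing matches or the pool is exhausted."""
        wanted = {dn} | {short_fqan(f) for f in fqans}
        for pattern, account in self.entries:
            if pattern in wanted:
                if account.startswith("."):
                    return self._lease(account[1:], dn)
                return account
        raise PermissionError("no local mapping for " + dn)

    def _lease(self, pool, dn):
        if pool not in self.pool_sizes:
            raise ValueError("grid-mapfile names unknown pool " + pool)
        key = (pool, dn)
        if key in self.leases:             # same credential keeps its account
            return self.leases[key]
        used = self.in_use.setdefault(pool, set())
        for i in range(1, self.pool_sizes[pool] + 1):
            account = "%s%03d" % (pool, i)
            if account not in used:
                used.add(account)
                self.leases[key] = account
                return account
        raise PermissionError("pool %s exhausted" % pool)

    def release(self, dn, pool):
        """Return the account once the credential's last job has finished."""
        account = self.leases.pop((pool, dn), None)
        if account:
            self.in_use[pool].discard(account)
        return account


# Constructed grid-mapfile and pool sizes: most specific entries first.
SAMPLE_GRIDMAP = """# constructed example mapfile
"/O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander" mika
"/myvo/Role=admin" .myvoadm
"/myvo" .myvo
"""
SAMPLE_POOLS = {"myvo": 2, "myvoadm": 1}

if __name__ == "__main__":
    m = Mapper(SAMPLE_GRIDMAP, SAMPLE_POOLS)
    print(m.map_credential("/O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander"))
    print(m.map_credential("/O=Grid/CN=alice", ["/myvo/Role=admin/Capability=NULL"]))
```

Entry order is the security-relevant detail: with the general "/myvo" line placed first, VO administrators would be mapped into the ordinary pool and never reach the admin pool, and a pool that is exhausted must fail closed rather than share an account between two credentials.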
41 glexec and LCAS/LCMAPS

42 SCAS+LCAS/LCMAPS
43 Grid Access Control List (GACL)
  - Access control based on Grid identity
  - XML-based language for expressing ACLs in Storage Elements
  - Apache-inspired
  - GACL definition files:
    - Per file basis: .gacl MyFileName
    - Per directory basis: .gacl MyDirName
    - On directory creation, default ACLs in file: .gacl

44 Grid Access Control List (GACL)/2
  - GACL file evaluation order:
    1) .gacl MyFileOrDirName
    2) .gacl
    3) ../.gacl
    etc.
  - Structure of .gacl files: who is allowed to do what

    <gacl>
      <entry>
        <who section>
        <what section>
      </entry>
      <entry>
        <who section>
        <what section>
      </entry>
    </gacl>

45 Grid Access Control List (GACL)/3
  - Who section: credentials or predefined users; implicit AND if several entries are given

    <any-user/>

    <person>
      <dn>/o=grid/ou=some.org/cn=john Smith</dn>
    </person>

    <dn-list>                      (a file containing a list of DNs)
      <url>/etc/grid-security/allowedgacl_dns</url>
    </dn-list>

    <voms>
      <voms>dn of VOMS server</voms>
      <vo>vo name</vo>
      <group>group name</group>
      <role>role name</role>
      <capability>capability name</capability>
    </voms>

46 Grid Access Control List (GACL)/4
  - What section format: one allow section, one deny section; denials override allowed operations

    <allow> operation1 operation2 ... </allow>
    <deny> operation3 operation4 ... </deny>

  - Operations are defined for files, directories and the GACL definition file itself
  - Example for a file:

    <allow> <read/> <write/> <list/> </allow>
    <deny> <admin/> </deny>
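The three GACL rules above (credential elements within an entry are ANDed, a deny overrides an allow, and the who section may name a person, a DN list file, a VOMS attribute or any user) are enough to write an evaluator. The following is an added example, not GridSite's GACL implementation. It takes the credential elements and the allow/deny sections to be direct children of each entry, as the slide's structure suggests, and, so that it runs offline, supplies the contents of the file named by dn-list in a dictionary keyed by the URL instead of reading it. The ACL, the DN list and the requesters are constructed.

```python
"""Evaluate a GACL document for a requester's credentials.

Added example; not GridSite's GACL code.  Rules from the slides: the
credential elements of an entry are ANDed, <deny> anywhere overrides <allow>,
operations are read/write/list/admin.  <dn-list> file contents are passed in
as a dictionary (constructed) rather than read from disk.
"""
import xml.etree.ElementTree as ET

OPERATIONS = {"read", "write", "list", "admin"}


class Credential:
    """Constructed requester: dn is None for an anonymous client; voms_attrs
    is a list of dicts with the keys a <voms> element can constrain."""
    def __init__(self, dn=None, voms_attrs=()):
        self.dn = dn
        self.voms_attrs = list(voms_attrs)


def _who_matches(elem, cred, dn_lists):
    if elem.tag == "any-user":
        return True
    if elem.tag == "person":
        return cred.dn is not None and cred.dn == (elem.findtext("dn") or "").strip()
    if elem.tag == "dn-list":
        url = (elem.findtext("url") or "").strip()
        return cred.dn is not None and cred.dn in dn_lists.get(url, ())
    if elem.tag == "voms":
        # every child given in the ACL (<vo>, <group>, <role>, ...) must equal
        # the corresponding field of at least one of the requester's attributes
        required = {c.tag: (c.text or "").strip() for c in elem}
        return any(all(attr.get(k) == v for k, v in required.items())
                   for attr in cred.voms_attrs)
    raise ValueError("unknown credential element <%s>" % elem.tag)


def permissions(gacl_xml, cred, dn_lists):
    """Set of operations cred may perform on the object the GACL protects."""
    root = ET.fromstring(gacl_xml)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        who = [c for c in entry if c.tag not in ("allow", "deny")]
        if not who or not all(_who_matches(w, cred, dn_lists) for w in who):
            continue                                   # implicit AND
        allowed.update(op.tag for op in entry.findall("allow/*"))
        denied.update(op.tag for op in entry.findall("deny/*"))
    unknown = (allowed | denied) - OPERATIONS
    if unknown:
        raise ValueError("unknown operations: %s" % sorted(unknown))
    return allowed - denied                            # denials override allows


# Constructed sample ACL and DN-list file contents (path is made up).
SAMPLE_GACL = """<gacl>
  <entry><any-user/><allow><read/><list/></allow></entry>
  <entry>
    <person><dn>/o=grid/ou=some.org/cn=john Smith</dn></person>
    <allow><read/><write/><list/></allow>
    <deny><admin/></deny>
  </entry>
  <entry>
    <voms><vo>myvo</vo><group>/myvo/admins</group></voms>
    <allow><write/><admin/></allow>
  </entry>
  <entry>
    <dn-list><url>/etc/grid-security/blocked_dns</url></dn-list>
    <deny><read/><write/><list/><admin/></deny>
  </entry>
</gacl>"""
SAMPLE_DN_LISTS = {"/etc/grid-security/blocked_dns": {"/o=grid/ou=other.org/cn=mallory"}}

if __name__ == "__main__":
    admin = {"vo": "myvo", "group": "/myvo/admins"}
    for who in (Credential(), Credential("/o=grid/ou=some.org/cn=john Smith", [admin]),
                Credential("/o=grid/ou=other.org/cn=mallory", [admin])):
        print(who.dn, sorted(permissions(SAMPLE_GACL, who, SAMPLE_DN_LISTS)))
```

The interesting case is the second requester: John's VOMS group grants admin, but the explicit deny in his personal entry wins, and a DN on the blocked list ends up with nothing even though any-user and the VOMS entry both allow operations.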
47 Virtual Organisation Membership Service (VOMS) [10]
  - What problem does VOMS address? It issues credentials vouching for users' group memberships, roles and capabilities
  - Credentials are Attribute Certificates (RFC 3281), embedded into the user's proxy certificates and tagged as non-critical extensions
  - Attributes themselves are single strings (Fully-Qualified Attribute Names)

48 Virtual Organisation Membership Service (VOMS)/2
  - Groups are hierarchical: a member of a subgroup is automatically a member of all the higher-level containing groups
  - Roles are inherited from ancestor groups: if a user has role R in an ancestor group and is a member of a subgroup, he also possesses role R in the subgroup. The opposite does not hold.
  - Capabilities: inheritance as for roles; in practice not used
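The two inheritance rules on this slide (membership flows up to every containing group, roles flow down into the subgroups the user belongs to, never up) decide which attributes a VOMS server asserts for a user. The following is an added example, not VOMS code, that computes the effective groups and roles from a constructed set of memberships and role grants and renders them as FQAN strings. The FQAN form /vo/group/Role=r/Capability=c is the usual VOMS form but does not appear on the slides; Capability is always NULL here because, as the slide says, capabilities are not used in practice.

```python
"""Effective VOMS group memberships and roles under the slide's rules.

Added example; not VOMS code.  Membership in a subgroup implies membership in
every ancestor group; a role held in an ancestor group is inherited by the
subgroups the user belongs to, never upwards.  The FQAN string form used by
fqans() is an assumption about the output format, not taken from the slides.
"""


def ancestors(group):
    """'/vo/a/b' -> ['/vo', '/vo/a', '/vo/a/b'] (the group itself included)."""
    parts = group.strip("/").split("/")
    return ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


def effective_groups(memberships):
    """All groups the user belongs to, ancestor groups included."""
    groups = set()
    for g in memberships:
        groups.update(ancestors(g))
    return groups


def effective_roles(memberships, role_assignments):
    """role_assignments: (group, role) pairs granted by the VO administrator.
    Returns every (group, role) the user actually holds."""
    groups = effective_groups(memberships)
    held = set()
    for group, role in role_assignments:
        if group not in groups:
            # a role can only be granted in a group the user is a member of
            raise ValueError("role %s granted in %s, which the user is not in" % (role, group))
        for g in groups:
            # the group itself and every descendant the user is a member of
            if g == group or g.startswith(group.rstrip("/") + "/"):
                held.add((g, role))
    return held


def fqans(memberships, role_assignments):
    """Attribute strings a VOMS AC would carry for this user, sorted."""
    out = {g + "/Role=NULL/Capability=NULL" for g in effective_groups(memberships)}
    out |= {g + "/Role=%s/Capability=NULL" % r
            for g, r in effective_roles(memberships, role_assignments)}
    return sorted(out)


if __name__ == "__main__":
    # constructed VO: the user is in /myvo/analysis/higgs and an admin of /myvo
    for f in fqans({"/myvo/analysis/higgs"}, [("/myvo", "admin")]):
        print(f)
```

A resource provider deciding whether to honour these attributes should note the asymmetry the slide stresses: admin in /myvo makes the user an admin of every subgroup he is in, but admin granted only in /myvo/analysis/higgs gives nothing at /myvo.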
49 Virtual Organisation Membership Service (VOMS)/3
  - User registration in VOMS:
    - The user first requests an ordinary user certificate from a Certificate Authority
    - VO membership (+ roles, capabilities) is requested from the organisation running the VO
    - Becoming a member of a VO takes effect only when the membership info is retrieved from VOMS (Attribute Certificate)
  - It is up to Grid resource providers to decide whether or not to honour user attributes asserted by VOMS

50 Notes on VOMS
  - VOMS doesn't support the delegation of users' attributes to other grid users or services
  - But: a group administrator may include new members in a group and this way give the group's access rights to further users
  - VOMS supports non-repudiation in that all requests are logged
  - VOMS helps implement coarse-grained access control: no target file names, job identifiers or the like are expressible

51 VOMS components
  - Login service: standalone for efficiency; clients: voms-proxy-init, voms-proxy-destroy, voms-proxy-info
  - Administrative service for VO membership management: web service with API, command line and web user interface
  - Migration tools: gridmap-file to VOMS servers, LDAP to VOMS servers
52 VOMS components/2

53 Login procedure with VOMS
  (illustration from [3])

54 A proxy certificate with VOMS AC
  (illustration from [15])

55 Login to multiple VOs
  (illustration from [3])

56 Community Authorization Service (CAS)
  - For centralised access control of a VO's grid resources
  - Issues authorisation assertions (SAML) to users granting them access to resources
  - Services enforce access control according to site policy (coarse-grained) and CAS assertions according to VO policy (finer-grained)
  - Currently, CAS assertions are recognised by the GridFTP service (file-level access control)

57 Community Authorization Service (CAS)/2
  - Implementation adheres to WSRF standards; built on top of OpenSAML, language is Java
  - CAS tools:
    - cas-proxy-init: contacts a CAS server and embeds the assertion returned by CAS into a proxy certificate
    - cas-wrap: runs a (grid) command with CAS credentials as originally created by cas-proxy-init
58 CAS assertion in a proxy certificate
  (figure, illustration from [9]: the CAS server, holding the CAS-maintained community policy database, answers "What rights does the community grant to this user?" by placing a community-signed policy statement in the user proxy; the resource server asks "What local policy applies to this user?", "Is this request authorized for the community?" and "Does the policy statement authorize the request?" against its local policy information)

59 CAS assertion in a proxy certificate/2
  (illustration from [8])

60 VOMS vs. CAS model
  (illustration from [8])

61 Trends in authorisation
  - Further authorisation-related components:
    - Globus Authorization Framework (Java WS A & A)
    - gLite Java Authorization Framework (gJAF): to be replaced by a new authorisation framework during summer 2009!
    - Short-Lived Credential Service (SLCS): short-lifetime certificates against account and password
    - VOMS Attributes from Shibboleth (VASH)
    - Privilege and Role Management Infrastructure Standards Validation (PERMIS)
  - Towards SOA solutions: Web Services security and related standards
62 Policy enforcement

63 XACML v2.0
  (XACML data flow diagram [17])

64 Trends in policy enforcement: ARC v1
  (policy enforcement in ARC v1 [14])

65 Further Grid Security components
  - Grid Authentication and Authorization with Reliably Distributed Services (GAARDS): Dorian, Grid Trust Service (GTS), Common Security Module (CSM)
  - VOMRS: VOMS Registration Service
  - Grid Account Management Architecture (GAMA)
  - GUMS: Grid User Management System

66 Trends in Grid security
  - Towards Service Oriented Architectures (SOA)
  - From transport-level security towards message-level security mechanisms: SAML, XACML, WS-Security, XML Signature, XML Encryption, WS-SecureConversation, WS-Trust, WS-Policy
  - From identity-based authorisation to identity and attribute-based authorisation

67 Summary
  - Grid security solutions build on existing, traditional security solutions
  - Scale is the problem: thousands of users, hundreds of virtual organisations; thousands of computers, clusters, storage systems
  - Result: the scalability problems of existing security solutions are tackled in various ways
  - OGSA Security: a kind of road map also for grid security development
68 Questions? Mika Silander & HIP,
69 References
  1. Delegation and single sign-on (proxy certificates). Globus project documentation on GSI. Online.
  2. Globus project.
  3. Grid Authentication and Authorisation Issues. Frohner Á. OpenLAB Security Workshop presentation, CERN.
  4. An Online Credential Repository for the Grid: MyProxy. Novotny J., Tuecke S. & Welch V. In Proceedings of the 10th IEEE Symposium on High Performance Distributed Computing.
  5. The MyProxy online credential repository. Basney J., Humphrey M. & Welch V. In Software: Practice and Experience, vol. 35, no. 9, 25 July.
  6. The Open Grid Services Architecture, Version 1.5 (OGSA). Foster I., Kishimoto H., Savva A., Berry D., Grimshaw A., Horn B., Maciel F., Siebenlist F., Subramaniam R., Treadwell J. & Reich J. V. Technical Report, Open Grid Forum, September.

70 References/2
  7. Evaluation of the GLOBUS authentication architecture. Prelz F. INFN, Milano. Online.
  8. The Community Authorization Service: Status and Future. Pearlman L., Kesselman C., Welch V., Foster I. & Tuecke S. In Proceedings of CHEP'03, La Jolla, CA, USA, March.
  9. The Community Authorization Service: Status and Future. Foster I., Kesselman C., Pearlman L., Tuecke S. & Welch V. Presentation slides from CHEP'03, La Jolla, CA, USA, March.
  10. VOMS, an Authorization System for Virtual Organizations. Alfieri R., Cecchini R., Ciaschini V., dell'Agnello L., Frohner Á., Gianoli A., Lõrentey K. & Spataro F. Online.
  11. SSL and TLS Essentials: Securing the Web. Thomas S. John Wiley & Sons.
  12. Globus Toolkit 4 Grid Security Infrastructure: A Standards Perspective. Globus security team. September. Online.

71 References/3
  13. Globus GRAM for Developers. Martin S. & Lane P. Argonne National Laboratory. Presentation at GlobusWorld. Online.
  14. KnowARC Security Review. KnowARC Community, July. Online.
  15. The Security and Information System in gLite middleware. Fargetta M. University of Catania and ICEAGE. Presentation at the International Summer School of Grid Computing 2007, July 2007, Mariefred, Sweden. Online.
  16. Portals and Authentication. Groep D. EGEE'07 Conference presentation. NIKHEF, EGEE. Budapest, October.
  17. eXtensible Access Control Markup Language (XACML) Version 2.0. Moses T. (ed.), OASIS, February.
AAI in EGI Current status Peter Solagna EGI.eu Operations Manager www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 User authentication
More informationIntroduction to GT3. Introduction to GT3. What is a Grid? A Story of Evolution. The Globus Project
Introduction to GT3 The Globus Project Argonne National Laboratory USC Information Sciences Institute Copyright (C) 2003 University of Chicago and The University of Southern California. All Rights Reserved.
More informationAuthentication and Authorization Mechanisms for Multi-domain Grid Environments
Authentication and Authorization Mechanisms for Multi-domain Grid Environments Linda A. Cornwall, Jens Jensen and David P. Kelsey CCLRC, Rutherford Appleton Laboratory, United Kingdom Ákos Frohner CERN,
More informationGrid Programming: Concepts and Challenges. Michael Rokitka CSE510B 10/2007
Grid Programming: Concepts and Challenges Michael Rokitka SUNY@Buffalo CSE510B 10/2007 Issues Due to Heterogeneous Hardware level Environment Different architectures, chipsets, execution speeds Software
More informationEGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti
EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/
More informationIntroduction to Programming and Computing for Scientists
Oxana Smirnova (Lund University) Programming for Scientists Lecture 4 1 / 44 Introduction to Programming and Computing for Scientists Oxana Smirnova Lund University Lecture 4: Distributed computing Most
More informationNew trends in Identity Management
New trends in Identity Management Peter Gietz, DAASI International GmbH peter.gietz@daasi.de Track on Research and Education Networking in South East Europe, Yu Info 2007, Kopaionik, Serbia 14 March 2007
More informationGROWL Scripts and Web Services
GROWL Scripts and Web Services Grid Technology Group E-Science Centre r.j.allan@dl.ac.uk GROWL Collaborative project (JISC VRE I programme) between CCLRC Daresbury Laboratory and the Universities of Cambridge
More information- C3Grid Stephan Kindermann, DKRZ. Martina Stockhause, MPI-M C3-Team
A Collaborative Environment for Climate Data Handling - Stephan Kindermann, DKRZ Martina Stockhause, MPI-M C3-Team 10.06. 2008 Motivation Model Output Data + Observation Data + TeraByte Analysis Data Expected
More informationRB-GACA: A RBAC based Grid Access Control Architecture
RB-GACA: A RBAC based Grid Access Control Architecture Weizhong Qiang, Hai Jin, Xuanhua Shi, Deqing Zou, Hao Zhang Cluster and Grid Computing Lab Huazhong University of Science and Technology, Wuhan, 430074,
More informationImproving Grid User's Privacy with glite Pseudonymity Service
Improving Grid User's Privacy with glite Pseudonymity Service Henri Mikkonen, Joni Hahkala and John White 5 th EGEE User Forum 12-16 April 2010 Uppsala, Sweden www.eu-egee.org EGEE and glite are registered
More informationEGEE and Interoperation
EGEE and Interoperation Laurence Field CERN-IT-GD ISGC 2008 www.eu-egee.org EGEE and glite are registered trademarks Overview The grid problem definition GLite and EGEE The interoperability problem The
More informationInterfacing Operational Grid Security to Site Security. Eileen Berman Fermi National Accelerator Laboratory
Interfacing Operational Grid Security to Site Security Eileen Berman Fermi National Accelerator Laboratory Introduction Computing systems at Fermilab belong to one of two large enclaves The General Computing
More informationLesson 13 Securing Web Services (WS-Security, SAML)
Lesson 13 Securing Web Services (WS-Security, SAML) Service Oriented Architectures Module 2 - WS Security Unit 1 Auxiliary Protocols Ernesto Damiani Università di Milano element This element
More informationA VO-friendly, Community-based Authorization Framework
A VO-friendly, Community-based Authorization Framework Part 1: Use Cases, Requirements, and Approach Ray Plante and Bruce Loftis NCSA Version 0.1 (February 11, 2005) Abstract The era of massive surveys
More informationShibGrid: Shibboleth Access for the UK National Grid Service
ShibGrid: Shibboleth Access for the UK National Grid Service David Spence, Neil Geddes, Jens Jensen, Andrew Richards and Matthew Viljoen CCLRC Rutherford Appleton Laboratory D.R.Spence@rl.ac.uk, J.Jensen@rl.ac.uk,
More informationNew open source CA development as Grid research platform.
New open source CA development as Grid research platform. National Research Grid Initiative in Japan Takuto Okuno. 1 About NAREGI PKI Group (WP5) 2 NAREGI Authentication Service Perspective To develop
More informationRole-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)
Wright State University CORE Scholar Browse all Theses and Dissertations Theses and Dissertations 2007 Role-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)
More informationThe PRIMA Grid Authorization System
The PRIMA Grid Authorization System Markus Lorch and Dennis Kafura {mlorch@vt.edu, kafura@cs.vt.edu} Department of Computer Science Virginia Tech Blacksburg, VA 24061 Abstract PRIMA, a system for PRIvilege
More informationglite Java Authorisation Framework (gjaf) and Authorisation Policy coordination
glite Java Authorisation Framework (gjaf) and Authorisation Policy coordination Yuri Demchenko University of Amsterdam MWSG meeting EGEE 06 Conference, September 27, 2006, Geneve www.eu-egee.org EGEE and
More informationClassification and Characterization of Core Grid Protocols for Global Grid Computing
1 Classification and Characterization of Core Grid s for Global Grid Computing Harshad B. Prajapati and Vipul K. Dabhi Abstract Grid computing has attracted many researchers over a few years, and as a
More informationStell, A.J. and Sinnott, R.O. and Watt, J.P. (2005) Comparison of advanced authorisation infrastructures for grid computing. In, International Symposium on High Performance Computing Systems and Applications
More informationGlobus Toolkit 4 Execution Management. Alexandra Jimborean International School of Informatics Hagenberg, 2009
Globus Toolkit 4 Execution Management Alexandra Jimborean International School of Informatics Hagenberg, 2009 2 Agenda of the day Introduction to Globus Toolkit and GRAM Zoom In WS GRAM Usage Guide Architecture
More informationHardware Tokens in META Centre
MWSG meeting, CERN, September 15, 2005 Hardware Tokens in META Centre Daniel Kouřil kouril@ics.muni.cz CESNET Project META Centre One of the basic activities of CESNET (Czech NREN operator); started in
More informationGrid services. Enabling Grids for E-sciencE. Dusan Vudragovic Scientific Computing Laboratory Institute of Physics Belgrade, Serbia
Grid services Dusan Vudragovic dusan@phy.bg.ac.yu Scientific Computing Laboratory Institute of Physics Belgrade, Serbia Sep. 19, 2008 www.eu-egee.org Set of basic Grid services Job submission/management
More informationA Simplified Access to Grid Resources for Virtual Research Communities
Consorzio COMETA - Progetto PI2S2 UNIONE EUROPEA A Simplified Access to Grid Resources for Virtual Research Communities Roberto BARBERA (1-3), Marco FARGETTA (3,*) and Riccardo ROTONDO (2) (1) Department
More informationglite Grid Services Overview
The EPIKH Project (Exchange Programme to advance e-infrastructure Know-How) glite Grid Services Overview Antonio Calanducci INFN Catania Joint GISELA/EPIKH School for Grid Site Administrators Valparaiso,
More informationTechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko Outline TechSec WG liaison with CSIRT community! Results and developments
More informationKent Academic Repository
Kent Academic Repository Full text document (pdf) Citation for published version Chadwick, David W. and Zhao, Gansen and Otenko, Sassa and Laborde, Romain and Su, Linying and Nguyen, Tuan Anh (2006) Building
More informationLeveraging the InCommon Federation to access the NSF TeraGrid
Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University of Illinois at Urbana-Champaign jbasney@ncsa.uiuc.edu
More informationGrid Computing Middleware. Definitions & functions Middleware components Globus glite
Seminar Review 1 Topics Grid Computing Middleware Grid Resource Management Grid Computing Security Applications of SOA and Web Services Semantic Grid Grid & E-Science Grid Economics Cloud Computing 2 Grid
More informationOGCE User Guide for OGCE Release 1
OGCE User Guide for OGCE Release 1 1 Publisher s Note Release 2 begins the migration to open standards portlets. The following has been published by the Open Grids Computing Environment: OGCE Release 2
More informationglexec: gluing grid computing to the Unix world
glexec: gluing grid computing to the Unix world David Groep 1, Oscar Koeroo 1, Gerben Venekamp 1 1 Nikhef, P.O. Box 41882, NL 1009 DB Amsterdam, The Netherlands E-mail: grid-mw-security@nikhef.nl Abstract.
More informationDay 1 : August (Thursday) An overview of Globus Toolkit 2.4
An Overview of Grid Computing Workshop Day 1 : August 05 2004 (Thursday) An overview of Globus Toolkit 2.4 By CDAC Experts Contact :vcvrao@cdacindia.com; betatest@cdacindia.com URL : http://www.cs.umn.edu/~vcvrao
More informationNetwork Working Group Request for Comments: 3820 Category: Standards Track. NCSA D. Engert ANL. L. Pearlman USC/ISI M. Thompson LBNL June 2004
Network Working Group Request for Comments: 3820 Category: Standards Track S. Tuecke ANL V. Welch NCSA D. Engert ANL L. Pearlman USC/ISI M. Thompson LBNL June 2004 Status of this Memo Internet X.509 Public
More informationSingle Sign-On in In-VIGO: Role-based Access via Delegation Mechanisms Using Short-lived User Identities
Single Sign-On in In-VIGO: Role-based Access via Delegation Mechanisms Using Short-lived User Identities Sumalatha Adabala, Andréa Matsunaga, Maurício Tsugawa, Renato Figueiredo, José A. B. Fortes ACIS
More informationAxway Validation Authority Suite
Axway Validation Authority Suite PKI safeguards for secure applications Around the world, banks, healthcare organizations, governments, and defense agencies rely on public key infrastructures (PKIs) to
More informationThe glite middleware. Presented by John White EGEE-II JRA1 Dep. Manager On behalf of JRA1 Enabling Grids for E-sciencE
The glite middleware Presented by John White EGEE-II JRA1 Dep. Manager On behalf of JRA1 John.White@cern.ch www.eu-egee.org EGEE and glite are registered trademarks Outline glite distributions Software
More informationJohn Heimann Director, Security Product Management Oracle Corporation
John Heimann Director, Security Product Management Oracle Corporation Oracle9i Application Server v2 Security What s an Application Server? Development and deployment environment Web(HTML,XML,SOAP) J2EE
More informationDavid Chadwick, University of Kent Linying Su, University of Kent 11 June 2008
GWD-R-P OGSA-Authz David Chadwick, University of Kent Linying Su, University of Kent 11 June 2008 Use of WS-TRUST and SAML to access a CVS Status of This Document This document provides information to
More informationNetwork Security Essentials
Network Security Essentials Fifth Edition by William Stallings Chapter 4 Key Distribution and User Authentication No Singhalese, whether man or woman, would venture out of the house without a bunch of
More informationEnterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape
Enterprise SOA Experience Workshop Module 8: Operating an enterprise SOA Landscape Agenda 1. Authentication and Authorization 2. Web Services and Security 3. Web Services and Change Management 4. Summary
More informationSecurity in distributed metadata catalogues
Security in distributed metadata catalogues Nuno Santos 1, and Birger Koblitz 2 1 Distributed Systems Laboratory, Swiss Federal Institute of Technology (EPFL), Lausanne, Switzerland 2 European Organization
More information