Distributed systems Lecture 8: PubSub; Security; NASD/AFS/Coda

Similar documents
Distributed systems Lecture 8: PubSub; Security; NASD/AFS/Coda. Dr Robert N. M. Watson

DrRobert N. M. Watson

File Locking in NFS. File Locking: Share Reservations

CSE 486/586: Distributed Systems

Distributed File Systems. Case Studies: Sprite Coda

Distributed Systems 8L for Part IB. Additional Material (Case Studies) Dr. Steven Hand

DISTRIBUTED SYSTEMS [COMP9243] Lecture 9b: Distributed File Systems INTRODUCTION. Transparency: Flexibility: Slide 1. Slide 3.

Mobile Devices: Server and Management Lesson 07 Mobile File Systems and CODA

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

AN OVERVIEW OF DISTRIBUTED FILE SYSTEM Aditi Khazanchi, Akshay Kanwar, Lovenish Saluja

Distributed Systems 16. Distributed File Systems II

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

DISTRIBUTED SYSTEMS. Second Edition. Andrew S. Tanenbaum Maarten Van Steen. Vrije Universiteit Amsterdam, 7'he Netherlands PEARSON.

NFS: Naming indirection, abstraction. Abstraction, abstraction, abstraction! Network File Systems: Naming, cache control, consistency

Disconnected Operation in the Coda File System

Distributed Systems. Characteristics of Distributed Systems. Lecture Notes 1 Basic Concepts. Operating Systems. Anand Tripathi

Distributed Systems. Characteristics of Distributed Systems. Characteristics of Distributed Systems. Goals in Distributed System Designs

Distributed File Systems. CS 537 Lecture 15. Distributed File Systems. Transfer Model. Naming transparency 3/27/09

Chapter 4 Protection in General-Purpose Operating Systems

CS 470 Spring Distributed Web and File Systems. Mike Lam, Professor. Content taken from the following:

Distributed Systems. Fall 2017 Exam 3 Review. Paul Krzyzanowski. Rutgers University. Fall 2017

KEY DISTRIBUTION AND USER AUTHENTICATION

3/4/14. Review of Last Lecture Distributed Systems. Topic 2: File Access Consistency. Today's Lecture. Session Semantics in AFS v2

CS 470 Spring Distributed Web and File Systems. Mike Lam, Professor. Content taken from the following:

Google Cluster Computing Faculty Training Workshop

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

1. Federation Participant Information DRAFT

Last time. Distributed systems Lecture 6: Elections, distributed transactions, and replication. DrRobert N. M. Watson

Radius, LDAP, Radius, Kerberos used in Authenticating Users

CS /29/17. Paul Krzyzanowski 1. Fall 2016: Question 2. Distributed Systems. Fall 2016: Question 2 (cont.) Fall 2016: Question 3

A Quick guide to AFS Simon Wilkinson school of Informatics University of Edinburgh

Today CSCI Coda. Naming: Volumes. Coda GFS PAST. Instructor: Abhishek Chandra. Main Goals: Volume is a subtree in the naming space

Today: Coda, xfs! Brief overview of other file systems. Distributed File System Requirements!

CS /15/16. Paul Krzyzanowski 1. Question 1. Distributed Systems 2016 Exam 2 Review. Question 3. Question 2. Question 5.

416 Distributed Systems. Distributed File Systems 4 Jan 23, 2017

Trusted Intermediaries

AIT 682: Network and Systems Security

Chapter 17: Distributed-File Systems. Operating System Concepts 8 th Edition,

Distributed Systems. Lec 10: Distributed File Systems GFS. Slide acks: Sanjay Ghemawat, Howard Gobioff, and Shun-Tak Leung

Network Security Essentials

Distributed File System

User Authentication. Modified By: Dr. Ramzi Saifan

Lecture 14: Distributed File Systems. Contents. Basic File Service Architecture. CDK: Chapter 8 TVS: Chapter 11

Chapter 18 Distributed Systems and Web Services

Bhaavyaa Kapoor Person #

Distributed File Systems. CS432: Distributed Systems Spring 2017

416 Distributed Systems. Distributed File Systems 2 Jan 20, 2016

Network File System (NFS)

Network File System (NFS)

Chapter 17: Distributed-File Systems. Operating System Concepts 8 th Edition,

Last Class: Web Caching. Today: More on Consistency

Outline Key Management CS 239 Computer Security February 9, 2004

Distributed systems. Lecture 6: distributed transactions, elections, consensus and replication. Malte Schwarzkopf

Background. 20: Distributed File Systems. DFS Structure. Naming and Transparency. Naming Structures. Naming Schemes Three Main Approaches

Communication. Distributed Systems Santa Clara University 2016

70-742: Identity in Windows Server Course Overview

Access Control Mechanisms

Canadian Access Federation: Trust Assertion Document (TAD)

Important Lessons. A Distributed Algorithm (2) Today's Lecture - Replication

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Important Lessons. Today's Lecture. Two Views of Distributed Systems

EI 338: Computer Systems Engineering (Operating Systems & Computer Architecture)

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Consistency: Relaxed. SWE 622, Spring 2017 Distributed Software Engineering

CS514: Intermediate Course in Computer Systems

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Example File Systems Using Replication CS 188 Distributed Systems February 10, 2015

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Product Brief. Circles of Trust.

Authenticating People and Machines over Insecure Networks

Software Security and Exploitation

Linearizability CMPT 401. Sequential Consistency. Passive Replication

Oracle Directory Services 11g: Administration

Radius, LDAP, Radius used in Authenticating Users

Distributed Systems Question Bank UNIT 1 Chapter 1 1. Define distributed systems. What are the significant issues of the distributed systems?

NFSv4 as the Building Block for Fault Tolerant Applications

Advanced Distributed Systems

Configuring the Oracle Network Environment. Copyright 2009, Oracle. All rights reserved.

Distributed Computing Environment (DCE)

Distributed Systems Fall 2009 Final

Sumy State University Department of Computer Science

CS555: Distributed Systems [Fall 2017] Dept. Of Computer Science, Colorado State University

Canadian Access Federation: Trust Assertion Document (TAD)

Distributed Systems. Chapman & Hall/CRC. «H Taylor S* Francis Croup Boca Raton London New York

Glamour: An NFSv4-based File System Federation

COMPUTER SCIENCE TRIPOS

Lecture 2 Distributed Filesystems

Announcements. me your survey: See the Announcements page. Today. Reading. Take a break around 10:15am. Ack: Some figures are from Coulouris

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Canadian Access Federation: Trust Assertion Document (TAD)

InCommon Federation: Participant Operational Practices

Extreme computing Infrastructure

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

Distributed File Systems

A Modified Approach for Kerberos Authentication Protocol with Secret Image by using Visual Cryptography

Distributed Systems. Lec 9: Distributed File Systems NFS, AFS. Slide acks: Dave Andersen

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

5 OAuth EssEntiAls for APi AccEss control layer7.com

Distributed File Systems: Concepts and Examples

Administrative Details. CS 140 Final Review Session. Pre-Midterm. Plan For Today. Disks + I/O. Pre-Midterm, cont.

Transcription:

Distributed systems Lecture 8: PubSub; Security; NASD/AFS/Coda DrRobert N. M. Watson 1 Last time Looked at replication in distributed systems Strong consistency: Approximately as if only one copy of object Requires considerable coordination on updates Transactional consistency & quorum systems Weak consistency: Allow clients to potentially read stale values Some guarantees can be provided (FIFO, eventual, session), but at additional cost to availability Amazon/Google case studies: Dynamo, MapReduce, BigTable, Spanner. 2 1

Publish- subscribe (PubSub) Get more flexibility with publish- subscribe: Publishers advertise and publish events Subscribers register interest in topics (i.e. properties of events) Event- service notifies subscribers of relevant published events Similar to reliable multicast, without ordering focus: Asynchronous structure Allows one- to- many communication Dynamic membership: publishers/subscribers joining/leaving Sometimes described as content- centric networking Engages not just hosts, but also network routers Focus is on data, not network messaging Reliability and persistency part of the programming model In effect the model being implemented by many Content Distribution Networks (CDNs) such as Akami, Netflix 3 Publish- subscribe: pros and cons PubSub useful for ad hoc systems such as embedded systems or sensor networks: Client(s) can listen for occasional events Don t need to define semantics of entire system in advance (e.g. what to do if get event <X>) Promoted in recent research for higher- level applications Leads to natural reactive programming: When <X>, <Y> occur then do <Z> Event- driven systems like Apama can help understand business processes in real- time But: Can be awkward to use if application doesn t fit And difficult to make perform well 4 2

Distributed- system security Distributed systems span administrative domains Natural to extend authentication, access control, audit, to distributed system, but can we: Distribute local notions of a user over many machines? Enforce system- wide properties such as personal data privacy? Allow systems operated by different parties to interact safely? Not require that networks be safe from monitoring/tampering? Tolerate compromise a subset of nodes in the system? Provide reliable service to most users even when under attack? Accept and tolerate nation- state actors as adversaries? For a system to offer secure services, it must be secure Trusted Computing Base (TCB) minimum software (or hardware) required for a system to be secure Deploy compartmentalization- style sandboxing structures 5 Access control Distributed systems may want to allow access to resources based on a security policy As with local systems, three key concepts: Identification: who you are (e.g. user name) Authentication: proving who you are (e.g. password) Authorization: determining what you can do Can consider authority to cover actions an authenticated subject may perform on objects Access Matrix = set of rows, one per subject, where each column holds allowed operations on some object 6 3

Recall: access- control matrix User 1 Object 1 Object 2 Object 3 +read User 2 +read +write +read Group 1 - read +read +write A(i, j) Rows represent principals (sometimes groups) Columns represent objects Cell(i, j) contain access rights of row i on object j Access matrix is typically large & sparse: Just keep non- NULL entries by column or by row Tricky questions How do you name/authenticate users, and who can administer groups? How do you compose conflicting access- control rules (e.g., user1 +read but group1 read)? What consistency properties do access control, groups, and users require? 7 Access control lists (ACLs) Keep columns: for each object, keep list of subjects and allowable access ACLs stored with objects (e.g. local filesystem) Key primitives: get/set Like a guest list on the door of a night club ACL change should (arguably) immediately grant/deny further access What does this mean for distributed systems? Or even local systems (e.g., UNIX) 8 4

Capabilities Capabilities are unforgeable tokens of authority Keep rows: for each subject S, keep list of objects / allowable accesses Capabilities stored with subjects (e.g. processes) Bit like a key or access card that you carry around Key primitive: delegation Client can delegate capabilities it holds to other clients (or servers) in the system to act on its behalf Downside: revocation may now be more complex 9 Access control in distributed systems Single systems often have small number of users (subjects) and large number of objects: E.g. a hundred of users in a Unix system Track subjects (e.g. users) and store ACLs with objects (e.g. files) Distributed systems are large & dynamic: Can have huge (and unknown?) number of users Interactions via network; no explicit log in or user processes Capability model is a more natural fit: Client presents capability with request for operation System only performs operation if capability checks out Avoid synchronous RPCs to check identities/policies Not mutually exclusive: ACLs can grant capabilities Can t trust nodes/links: use cryptography with secret keys 10 5

Cryptographic capabilities How can we make capabilities unforgeable? Capability server could issue capabilities User presents credentials (e.g., username, password) and requests capabilities representing specific rights E.g. capability server has secret key k and a one- way function f() Issues a capability <ObjID, access, f(k, ObjID, access) > Simple example is f(k,o,a) = SHA256(k o a) Client transmits capability with request If object server knows k, can check operation Can use same capability to access many servers And one server can use it on your behalf (e.g., web tier can request objects from storage tier on user s behalf) More mature scheme might use public key crypto (why?) 11 Distributed capability example: NASD 1. Client exchanges credentials for cryptographic capability to object File Manager File Manager accounts: UserID1, PW1 UserID2, PW2 Client 2. Client encloses capability with request to authorize it Block Server Block Server File Manager and Block Server agree on secret k Network- Attached Secure Disks (NASD) Gibson, et al 1997 (CMU) Clients access remote directly disks rather than via through servers File Manager grants client systems capabilities delegating direct access to objects on network- attached disks as directed by ACLs 12 6

Capabilities: pros and cons Relatively simple and pretty scalable Allow anonymous access (i.e. server does not need to know identity of client) And hence easily allows delegation However this also means: Capabilities can be stolen (unauthorized users) and are difficult to revoke (like someone cutting a copy of your house key) Can address these problems by: Having time- limited validity (e.g. 30 seconds) Incorporating version into capability, and storing version with the object: increasing version => revoke all access 13 Combining ACLs and capabilities Recall one problem with ACLs was inability to scale to large number of users (subjects) However in practice we may have a small- ish number of authority levels e.g. moderator versus contributor on chat site Role- Based Access Control (RBAC): Have (small- ish) well- defined number of roles Store ACLs at objects based on roles Allow subjects to enter roles according to some rules Issue capabilities which attest to current role 14 7

Role- based access control (RBAC) General idea is very powerful Separates { principal role }, { role privilege } Developers of individual services only need to focus on the rights associated with a role Easily handles evolution (e.g. an individual moves from being an undergraduate to an alumnus) Possible to have sophisticated rules for role entry: e.g. enter different role according to time of day or entire role hierarchy (1B student <= CST student) or parametric/complex roles ( the doctor who is currently treating you ) 15 Single- system sign on Distributed systems involve many machines Frustrating to have to authenticate to each one! Single- system sign- on: security with lower user burden E.g. Kerberos, Microsoft Active Directory let you authenticate to a single domain controller Bootstrap via a password / private key+certificate on smart card Get a session key and a ticket (~= a capability) Ticket is for access to the ticket- granting server (TGS) When wish to e.g. log on to another machine, or access a remote volume, s/w asks TGS for a ticket for that resource Notice: principals might could be users or services Other wide- area federated schemes Multi- realm Kerberos, OpenID, Shibboleth 16 8

AFS and Coda Two 1990s CMU distributed file systems that helped create our understanding of distributed- system scalability, security, AFS: Andrew File System campus- wide scalability Coda: Add write replication, weakly connected or fully disconnected operation for mobile clients Scale distributed file systems to global scale using a concurrent and distributed- system ideas Developed due to NFS scalability failures RPC, close- to- open semantics, pure and impure names, explicit cache management, security, version vectors, optimistic concurrency, quorums, multicast, 17 The Andrew File System (AFS) Carnegie Mellon University (1980s) address performance, scalability, security weaknesses of NFS Global- scale distributed filesystem /afs/cs.cmu.edu/user/rnw/public_html/index.html, /afs/ibm.com/public Cells transparently incorporate dozens or hundreds of servers Clients transparently merge namespaces and hide file replication/migration effects Authentication/access control w/kerberos, distributed group servers Cryptographic protection of all communications Mature non- POSIX filesystem semantics (close- to- open, ACLs) Still in use at large institutions today; open sourced as OpenAFS Inspiration many aspects of Distributed Computing Environment (DCE), Microsoft s Distributed File System (DFS), and NFSv4 18 9

AFS3 per- cell architecture Client- server and server- server RPC Ubik quorum database for authentication, DB server volume location, and group membership DB server Ubik quorum Namespace partitioned into volumes; e.g., databases /afs/cmu.edu/user/rnw/public_html traverses four volumes Unique ViceIDs: {CellID, VolumeID, FID} Volume servers allow limited redundancy File server or higher- performance bulk file I/O: read- write on a single server (~rnw) File server read- only replicas on multiple servers (/bin) File server Inter- server snapshotting allows in- use File server pool volumes to be migrated transparently (with client help) 19 DB server File server Persistent client- side caching in AFS / Synthesized /afs namespace afs usr andrew.cmu.edu athena.mit.edu cache AFS implements persistent caches on client- side disks Vnode operations on remote files are redirected to local container files for local I/O performance Non- POSIX close- to- open semantics allow writes to be sent to the server only on close() 20 a a c c Local cache files b b 10

AFS callback promises Client 1 Client 2 a 2 a 1 a 2 File server Client 3 a 1 Servers issue callback promises on files held in client caches When a file server receives a write- close() from one client, it issues callbacks to invalidate copies in other client caches Unlike NFS, no synchronous RPC is required when opening a cached file: if callback is not been broken, cache is fresh However, client write- close() is synchronous: can t return until callbacks acknowledged by other clients why? 21 The Coda File System Developed at Carnegie Mellon University in the 1990s Starting point: open- sourced AFS2 from IBM Improve availability: optimistic replication, offline mode: Improve availability through read- write replication Improve performance for weakly connected clients Support mobile (sometimes) fully disconnected clients Exploit network features to improve performance: Multicast RPC to efficiently send RPCs to groups of servers Exchange weaker consistency for stronger availability Version vectors for directories, files identify write conflicts Required users to resolve some conflicts with mixed results? Surprising result: /unplug network to make builds go faster It is faster to journal changes to local disk (offline) and reconcile later than synchronously write to distributed filesystem (online) 22 11

Summary (1) Distributed systems are everywhere Core problems include: Inherently concurrent systems Any machine can fail as can the network (or parts of it) And we have no notion of global time Despite this, we can build systems that work Basic interactions are request- response Can build synchronous RPC/RMI on top of this Or asynchronous message queues or pub/sub 23 Summary (2) Coordinating actions of larger sets of computers requires higher- level abstractions Process groups and ordered multicast Consensus protocols, and Replication and Consistency Various middleware packages (e.g. CORBA, EJB) provide implementations of many of these: But worth knowing what s going on under the hood Recent trends towards even higher- level: MapReduce and friends 24 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback