Security and Certification Issues in Grid Computing
Ian Foster
Mathematics and Computer Science Division
Argonne National Laboratory
and
Department of Computer Science
The University of Chicago
http://www.mcs.anl.gov/~foster
International Workshop on Certification and Security in E-Services (CSES 2002), Montreal, Canada, Aug 28
2
[email protected] ARGONNE CHICAGO
Partial Acknowledgements
- Grid computing, Globus Project, and OGSA: Carl Kesselman @ USC/ISI, Steve Tuecke @ ANL; talented team of scientists and engineers at ANL, USC/ISI, elsewhere (see www.globus.org)
- Open Grid Services Architecture (OGSA): Karl Czajkowski @ USC/ISI; Jeff Nick, Steve Graham, Jeff Frey @ IBM; www.globus.org/ogsa
- Grid security, OGSA Security, CAS: Frank Siebenlist, Von Welch, Laura Pearlman
- Support from DOE, NASA, NSF, IBM, Microsoft
Overview
- What is the Grid anyway? And what’s it got to do with e-services?
- Grid security & certification issues: demands of virtual organizations, and the Grid approach to addressing these demands
- Implementation approach: Globus Toolkit & Grid Security Infrastructure; Open Grid Services Architecture (OGSA); OGSA security architecture
- Summary
E-Science: The Original Grid Driver
- Pre-electronic science: theorize &/or experiment, in small teams
- Post-electronic science: construct and mine very large databases; develop computer simulations & analyses; access specialized devices remotely; exchange information within distributed multidisciplinary teams
- Need to manage dynamic, distributed infrastructures, services, and applications
And Thus: The Grid
“Resource sharing & coordinated problem solving in dynamic, multi-institutional virtual organizations”
Grids at NASA: Aviation Safety
[Figure: coupled simulation models (engine, airframe, wing, landing gear, stabilizer, human/crew) annotated with the capabilities each contributes: lift, drag, deflection, thrust and reverse thrust performance, fuel consumption, braking, steering, traction, dampening, responsiveness; crew accuracy, perception, stamina, reaction times, SOPs]
Life Sciences: Telemicroscopy
[Figure: imaging instruments, data acquisition/processing, large databases, computational resources, and analysis/advanced visualization connected over a network]
Sloan Digital Sky Survey Analysis
[Figure: “Size distribution of galaxy clusters?”, a log-log plot of number of clusters against number of galaxies (galaxy cluster size distribution)]
Chimera Virtual Data System + GriPhyN Virtual Data Toolkit + iVDGL Data Grid (many CPUs)
www.griphyn.org/chimera
Data Grids for High Energy Physics
[Figure: tiered data grid. Tier 0: CERN Computer Centre with online system and offline processor farm (~20 TIPS). Tier 1: regional centres (FermiLab ~4 TIPS; France, Italy, Germany). Tier 2: centres of ~1 TIPS each (e.g. Caltech). Tier 4: institutes (~0.25 TIPS) with physics data caches, and physicist workstations. Link rates shown: ~PBytes/sec, ~100 MBytes/sec, ~622 Mbits/sec (or air freight, deprecated), ~1 MBytes/sec.]
There is a “bunch crossing” every 25 nsecs. There are 100 “triggers” per second. Each triggered event is ~1 MByte in size. Physicists work on analysis “channels”. Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server. 1 TIPS is approximately 25,000 SpecInt95 equivalents.
Resource Sharing within “VOs” is Not Unique to Science!
- Fragmentation of enterprise infrastructure: driven by cheap servers, fast nets, ubiquitous Internet, eBusiness workloads
- Need to configure distributed collections of services to deliver specified QoS
- Virtualization: emerging service infrastructure, utility computing models, economies of scale
- Services dynamically instantiated across device spectrum
- B2B, B2C, C2C interactions
Virtualization and Distributed Service Management
[Figure: a dynamically provisioned device continuum, from less capable/integrated and less connected devices to larger, more integrated and more connected ones; the user service locus; resource & service aggregation; delivery of virtualized services with QoS guarantees; dynamic, secure service discovery & composition; distributed service management]
Grid Computing
“Grid Computing”, by M. Mitchell Waldrop, May 2002
Hook enough computers together and what do you get? A new kind of utility that offers supercomputer processing on tap.
Is Internet history about to repeat itself?
Challenging Technical Requirements
- Dynamic formation and management of virtual organizations
- Discovery & online negotiation of access to services: who, what, why, when, how
- Configuration of applications and systems able to deliver multiple qualities of service
- Management of distributed state within infrastructures, services, and applications
- Open, extensible, evolvable infrastructure
Security and Certification Issues
Grid Security & Certification
Challenges include:
- Dynamic group membership and trust relationships within virtual organizations
- Complex computational structures extending beyond client-server: delegation
- Mission-critical apps and valuable resources
Issues include:
- Cross-certification
- Mechanisms and credentials
- Distributed authorization
- Secure logging and audit
Cross “Certification” Issue
[Figure: Domain A (Sub-Domain A1, Server X) and Domain B (Sub-Domain B1, Server Y), each with its own Certification Authority and Policy Authority; a task spans both domains; trust mismatch, no cross-domain trust]
Cross-Certification
- Cross-certification at corporate level is difficult: legal implications, liability, bureaucracy
- Address trust at user/resource level! Many business relationships do not require involvement of President/CEO …
- Virtual organization as bridge: federate through mutually trusted services; local policy authorities rule …
- Assertions language for trust relationships: WS-Trust, WS-Federation, WS-Policy
Grid Solution: Use Virtual Organization as Bridge
[Figure: the same two domains (A with Sub-Domain A1 and Server X, B with Sub-Domain B1 and Server Y, each with its own Certification Authority and Policy Authority), now joined through a Virtual Organization Domain hosting a Federation Service and a common mechanism; still no direct cross-domain trust]
Mechanism and Credential Issue
- Different mechanisms & credentials: X.509 vs Kerberos, SSL vs GSSAPI, X.509 vs. X.509 (different domains), X.509 attribute certs vs SAML assertions
- Need for common mechanism: GSI-SecureConversation
- Need for credential federation services: obtain X.509 creds with Kerberos ticket; obtain Kerberos ticket with X.509 creds; cross X.509 or Kerberos domains/realms
Example: Kerberos-X.509 Federation
- Requestor: Kerberos realm
- Server: X.509-based domain (only authenticates requestors with X.509 creds)
- VO provides Kerberos-CA federation service: has Kerberos identity within requestor’s realm; Kerb-CA cert is trusted within server-side VO
- Kerb-CA issues (short-lived) X.509 certs that assert requestor’s Kerberos principal name
- Requestor’s runtime is “X.509-enabled”
- Server’s access control policy within the VO is based on requestor’s Kerberos principal name
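The flow above, as an added example (not code from the talk or from the Globus Toolkit): the Kerberos-CA federation service turns a Kerberos ticket into a short-lived X.509 certificate whose subject is the Kerberos principal name, and the X.509-only server validates issuer, lifetime and signature before enforcing policy keyed on that name. KRB_CA_NAME, the HMAC stand-in for the CA signature, and the policy table are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the Krb-CA signing key. A real Kerberos-CA service signs with
# a private key and the server checks with the CA's public key; an HMAC key shared with
# the server is used here only to keep the example self-contained.
KRB_CA_KEY = b"constructed-krb-ca-key"
KRB_CA_NAME = "CN=Kerberos-CA,O=ExampleVO"   # assumed name of the VO federation service

@dataclass(frozen=True)
class KerberosTicket:      # what the requestor presents to the Krb-CA service
    principal: str         # Kerberos principal name, e.g. "alice@EXAMPLE.REALM"
    expires: float         # ticket end time, in seconds

@dataclass(frozen=True)
class X509Cert:            # only the fields the server-side policy needs
    issuer: str
    subject: str           # asserts the requestor's Kerberos principal name
    not_after: float
    signature: str

def _tbs(issuer: str, subject: str, not_after: float) -> bytes:
    """The to-be-signed part of the certificate."""
    return f"{issuer}|{subject}|{not_after}".encode()

def _sign(tbs: bytes) -> str:
    return hmac.new(KRB_CA_KEY, tbs, hashlib.sha256).hexdigest()

def krb_ca_issue(ticket: KerberosTicket, now: float, lifetime: float = 3600) -> X509Cert:
    """Federation service: turn a valid Kerberos ticket into a short-lived X.509 cert."""
    if ticket.expires <= now:
        raise ValueError("Kerberos ticket has expired")
    not_after = min(now + lifetime, ticket.expires)   # never outlive the ticket itself
    return X509Cert(KRB_CA_NAME, ticket.principal, not_after,
                    _sign(_tbs(KRB_CA_NAME, ticket.principal, not_after)))

# Server side (X.509-only domain): the VO tells the server which Krb-CA to trust, and
# access control policy is keyed on the Kerberos principal name carried in the cert.
TRUSTED_ISSUERS = {KRB_CA_NAME}
SERVER_POLICY = {"alice@EXAMPLE.REALM": {"read", "submit"},
                 "bob@EXAMPLE.REALM": {"read"}}

def server_authorize(cert: X509Cert, action: str, now: float) -> bool:
    """Check issuer, lifetime and signature, then enforce policy on the principal name."""
    if cert.issuer not in TRUSTED_ISSUERS or cert.not_after <= now:
        return False
    expected = _sign(_tbs(cert.issuer, cert.subject, cert.not_after))
    if not hmac.compare_digest(expected, cert.signature):
        return False                                    # forged or altered certificate
    return action in SERVER_POLICY.get(cert.subject, set())
```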
Kerberos-X.509 Federation Service
[Figure: a requestor in the Kerberos realm presents a Kerberos ticket to the Kerberos-CA service in the Virtual Organization Domain and receives an X.509 cert; it then speaks an X.509 secured protocol to the server in the X.509 domain, which trusts Krb-CA-issued certs; the server’s Policy Authority enforces policy on the requestor’s principal name]
Grid Authorization/Policy Issue
- Resources may not know foreign requestors: impairs fine-grained policy admin
- Outsource policy admin to requestor’s sub-domain: enables fine-grained policy
- “Community Authorization Service” (CAS): resource owner sets coarse-grained policy rules for foreign domain on “CAS-identity”; CAS sets policy rules for its local users; requestors obtain capabilities from their local CAS that get enforced at the resource
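An added illustration of the two-level CAS policy described above (not from the talk or the CAS implementation): the resource owner grants coarse-grained rights only to the CAS identity, the CAS issues capability assertions to its local users, and the resource permits a request only when both the coarse-grained policy and the requestor’s capability allow it, so a CAS can never hand out more than the owner gave it. The identities, paths and tuple-based capability format are assumptions.

```python
from fnmatch import fnmatch

# Constructed resource-owner policy: coarse-grained rights granted to each foreign
# community's CAS identity, the only "foreign" identity the resource needs to know.
RESOURCE_POLICY = {
    "CN=CAS,O=SubDomainA1": [("read", "/data/skysurvey/*"), ("write", "/scratch/a1/*")],
}

def _matches(grants, action, path):
    return any(a == action and fnmatch(path, pattern) for a, pattern in grants)

def enforce(cas_identity, capabilities, action, path):
    """Resource-side decision on a request carrying CAS capability assertions.

    Signature/issuer checks on the assertions are assumed to have been done by the
    secure-conversation layer; only the two-level authorization logic is shown.
    """
    coarse = RESOURCE_POLICY.get(cas_identity)
    if coarse is None:
        return False, "CAS identity not trusted by this resource"
    if not _matches(coarse, action, path):
        return False, "outside the rights the owner delegated to the CAS"
    if not _matches(capabilities, action, path):
        return False, "no matching capability from the CAS"
    return True, "allowed"

class CommunityAuthorizationService:
    """Local CAS: holds fine-grained policy for its own users and issues capabilities."""

    def __init__(self, identity, user_policy):
        self.identity = identity
        self.user_policy = user_policy    # {user: [(action, path-pattern), ...]}

    def issue_capabilities(self, user):
        """Capability assertions the requestor carries to the resource (constructed)."""
        return list(self.user_policy.get(user, []))
```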
Community Authorization Service
[Figure: Domain A (Sub-Domain A1, with a Policy Authority) and Domain B (Sub-Domain B1); the requestor obtains capability assertions from the Community Authorization Svc in the Virtual Organization Domain and sends request + CAS assertions to the server, which treats the CAS identity as "trusted" and enforces on the CAS identity and the requestor's capabilities]
Security Services & VO
[Figure: a requestor application and a service provider application communicate through WS-Stubs over a Secure Conversation; credential validation, authorization, attribute, trust, audit/secure-logging, privacy and bridge/translation services are distributed across the requestor's domain, the VO domain and the service provider's domain]
Secure Logging and Audit
- Robust, secure audit infrastructure is essential for commercial Grid deployment
- Natural audit “code-points” in OGSA runtime: user’s credentials, authorization decisions, invoked portTypes, parameter values, etc.
- Allows for secure logging transparent and independent from applications
- Standard call-outs to external security services: more relevant audit code-points
- XML facilitates audit-entry filtering & mgmt
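An added example of stub-level audit code-points (not from OGSA or the talk): a stub wrapper records the credential, portType, operation, parameter values and authorization decision as XML entries, independent of the application, and a selector filters entries by decision. Chaining the entries by SHA-256 so that edits or deletions are detectable is this example’s choice for “secure” logging; the AuditLog and secure_stub names are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

GENESIS = "0" * 64

class AuditLog:
    """Audit entries as XML, hash-chained so that altered, removed or reordered entries
    are detected (the chain is an assumption of this example, not part of OGSA)."""

    def __init__(self):
        self.entries = []          # serialized <audit> elements, in order
        self.head = GENESIS        # hash over the last entry

    def record(self, credential, port_type, operation, params, decision):
        e = ET.Element("audit", seq=str(len(self.entries)), prev=self.head)
        ET.SubElement(e, "credential").text = credential
        ET.SubElement(e, "portType").text = port_type
        ET.SubElement(e, "operation").text = operation
        p = ET.SubElement(e, "params")
        for name, value in sorted(params.items()):
            ET.SubElement(p, "param", name=name).text = str(value)
        ET.SubElement(e, "decision").text = decision
        raw = ET.tostring(e).decode()
        self.head = hashlib.sha256((self.head + raw).encode()).hexdigest()
        self.entries.append(raw)

    def verify(self):
        """Recompute the chain from the genesis value; False on any tampering."""
        h = GENESIS
        for raw in self.entries:
            if ET.fromstring(raw).get("prev") != h:
                return False
            h = hashlib.sha256((h + raw).encode()).hexdigest()
        return h == self.head

    def select(self, decision):
        """XML makes filtering easy: all entries with a given authorization decision."""
        return [raw for raw in self.entries
                if ET.fromstring(raw).findtext("decision") == decision]

def secure_stub(log, port_type, operation, policy, impl):
    """Stub-side code-point: the stub, not the application, authorizes and audits."""
    def invoke(credential, **params):
        decision = "permit" if policy(credential, operation) else "deny"
        log.record(credential, port_type, operation, params, decision)
        if decision == "deny":
            raise PermissionError(f"{credential}: {port_type}.{operation} denied")
        return impl(**params)
    return invoke
```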
Transparent Audit Code-Points
[Figure: the same security-services diagram as on the previous slide: requestor application and service provider application connected through WS-Stubs over a Secure Conversation, with credential validation, authorization, attribute, trust, audit/secure-logging, privacy and bridge/translation services across the requestor's, VO and service provider's domains]
All service invocations and policy decisions within stubs are “natural” audit code-points
The Grid World: Current Status
- Many major Grid projects in scientific & technical computing/research & education
- Open source Globus Toolkit™ a de facto standard for major protocols & services: simple protocols & APIs for authentication, discovery, access, etc. (infrastructure); information-centric design; large user and developer base; multiple commercial support providers
- Global Grid Forum: community & standards
- Emerging Open Grid Services Architecture
Grid Security Infrastructure
- Uniform authentication & authorization mechanisms in multi-institutional setting: single sign-on, delegation, identity mapping
- Public key tech, SSL/TLS, X.509, GSS-API; Internet/GGF drafts document extensions
- Supporting infrastructure: Certificate Authorities, online credential repository, Kerberos-X.509 federation server, etc., etc., etc.
GSI in Action: “Create Processes at A and B that Communicate & Access Files at C”
[Figure: a user on a computer performs single sign-on via “grid-id” and generates a proxy credential (or retrieves one from an online repository). Remote process creation requests, with mutual authentication, go to GSI-enabled GRAM servers at Site A (Kerberos) and Site B (Unix); each authorizes, maps to a local id, creates the process and generates credentials (a Kerberos ticket at A, a restricted proxy at B). The processes communicate, with mutual authentication, and send a remote file access request to a GSI-enabled FTP server at Site C (Kerberos), which authorizes, maps to a local id and accesses the file on the storage system.]
Grid Evolution: Open Grid Services Architecture
Goals:
- Refactor Globus protocol suite to enable common base and expose key capabilities
- Service orientation to virtualize resources and unify resources/services/information
- Embrace key Web services technologies for standard IDL, leverage commercial efforts
Result = standard interfaces & behaviors for distributed system mgmt: the Grid service
- Standardization within Global Grid Forum
- Open source & commercial implementations
The Grid Service = Interfaces/Behaviors + Service Data
[Figure: a Grid service consists of an implementation running in a hosting environment/runtime (“C”, J2EE, .NET, …), a set of service data elements, the required GridService interface (service data access, explicit destruction, soft-state lifetime), optional standard interfaces (notification, authorization, service creation, service registry, manageability, concurrency) plus application-specific interfaces, and binding properties (reliable invocation, authentication)]
WS Security Architecture: Current/Proposed Specifications
[Figure: a composable architecture (“only use what you need”), layered over time starting from today: SOAP Foundation; WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-SecureConversation, WS-Federation, WS-Authorization]
Grid Security and OGSA
- OGSA security roadmap defines a set of required services and indicates for each whether it is provided by WS Security specs, may be provided by WS Security specs, or requires standardized profile/mechanisms and/or extensions for WS Security specs
- Addresses, for example: GSISecureConversation, standardized policy services, standardized audit services, etc., etc., etc.
OGSA Security Components
[Figure: bindings security (transport, protocol, message security); credential and identity translation (single logon); user management; key management; intrusion detection; service/end-point policy; audit & non-repudiation; anti-virus management; secure logging; trust model; authorization policy; privacy policy; secure conversations; policy expression and exchange; policy management (authorization, privacy, federation, etc.); mapping rules; access control enforcement]
Summary
- The Grid: resource sharing & coordinated problem solving in virtual organizations
- Challenging security & cert. requirements
- OGSA security architecture addresses Grid certification, federation, bridging issues
- Leverages WS Security standards & OGSA: standardized security services, profiles, and mechanisms
- Open source Globus Toolkit and commercial implementations
For More Information
- The Globus Project™: www.globus.org
- Technical articles: www.mcs.anl.gov/~foster
- Open Grid Services Arch.: www.globus.org/ogsa
- Global Grid Forum: www.gridforum.org (Chicago, Oct 15-17)