TG5: Data management in the inteliGrid project
Krzysztof Kurowski, krzysztof.kurowski@man.poznan.pl
Poznan Supercomputing and Networking Center, Poland
www.inteligrid.com

Agenda
- inteliGrid vision & challenges
- 2005: Data management issues on a fabric layer
- 2006: Data management issues within inteliGrid middleware services (a higher layer)
- 2006/2007: Data management issues of business level operations (the highest ontology layer)
- Step by step development and deployment
- Security and VO policy control enhancements
- Quick live demo
- Summary and future steps

InteliGrid in numbers
- 6th Framework STREP project
- Budget ~2.5 m€, 360 person months
- Duration 2.5 years: 1.9.2004 – 28.2.2007
- Partners: LJU (coord), TUD, PSNC, VTT, EPM, Conject, Sofistik, OPB, ESoCE

inteliGrid vision and challenges
InteliGrid = interoperability of virtual organizations on a complex semantic grid
- One of the main goals of the inteliGrid project is to provide secure, flexible and easy to use solutions for interoperability between the distributed data resources, services and application tools required by various business processes within Virtual Organizations (VOs).
- End users do not want to expose databases, services and capability providers to everybody (including hackers :-) on the Internet, but only to people from the same VO.
- Dynamic scenarios, for example: people, services and resources may join and leave the VO for a few days (not years).
- In order to fulfill the strict security requirements taken from real business VO scenarios, the inteliGrid products will allow users to define dynamic global security policies within the same VO and enforce them through a consistent authentication, authorization and accounting infrastructure.
- All inteliGrid products will be Open Source and based on widely accepted grid and semantic technologies, standards, specifications and service oriented architectures.

What data resources do we have?
Distributed resources within a VO
- Different databases: PostgreSQL, MySQL
- File systems
- Object oriented databases (e.g. EPM)
- Service providers (e.g. Conject)
- Various legacy applications and AEC modules that need and generate input/output files (Linux and Windows platforms)

Why do we use existing open source solutions (5th FP)?
- We do not want to develop everything from scratch
- We do not have enough time, money and resources
- We would like to use and integrate existing (well accepted) grid technologies and standards
- Some grid-related projects have developed a lot of useful infrastructure services and data management tools, in particular:
  - Globus Pre-WS/GT4 (www.globus.org)
  - OGSA-DAI (www.ogsadai.org.uk)
  - GridLab products (www.gridlab.org)
- End users are not willing to use command line tools… even for data management of a fabric layer :-(
- We have to add new features and capabilities to meet inteliGrid requirements and use cases, also for data management (dynamic/secure VO scenarios)

inteliGrid dream (December 2004)
(diagram: TUD, PSNC, LJU, SOFISTIK and a VO Administrator connected through the InteliGrid Collaborative Environment (Virtual Organization))

February 2005
(diagram: CPUs, hard disks, databases and firewalls)

Islands of functionality (February 2005)
- Construction island, Engineering island, Supercomputing island
- Will be used within the VO
- Are transparent for end users

June 2005
- First InteliGrid middleware service
- Grid infrastructure services integrated with GAS (authorization)

August 2005
- Another InteliGrid middleware service for access and federation of various databases
- New virtual resources (databases) available in the VO
- Integration with GAS (authorization)

September 2005
(diagram: MySQL on mangart; commercial ASPs are trying to jump into our VO)
- All channels and transactions are encrypted!
(diagram: MySQL and Postgres on rage2)
- PROBLEMS with GSI in OGSA-DAI

November 2005
- Broker service on top of Globus
- Basic ontologies are available in the Ontology service

Dynamic on-line policy authorization control and enforcement in the VO (December 2005)
(diagram: InteliGrid users; users who have access rights to OGSA-DAI resources; OGSA-DAI resources (MySQL, PostgreSQL, Oracle, etc.))

OGSA-DAI Portlet
- JSR 168 Portlet based on the GridSphere Framework
- Flexible XML based portal presentation description can easily be modified to create customized portal layouts
- Open-source and 100% free! :-)
- After GridLab, PSNC maintains the core GridSphere development

Basic OGSA-DAI authorization model
- Advantages: closed system
- Disadvantages: very static model; no dynamic VO support; only internal authorization possible

OGSA-DAI PULL authorization model (e.g. CAS)
- Advantages: VO support; fast model
- Disadvantages: static model (as long as the proxy is valid); consistent policies required in two places (CAS and RoleMapper); the specific user security policy for OGSA-DAI can be seen by various system components

OGSA-DAI PUSH authorization model (GAS approach)
- Advantages: VO support; dynamic model; full security control in one place, GAS (no changes in OGSA-DAI required); real RBAC model (the admin can change roles dynamically during execution); we did not modify the sources of OGSA-DAI
- Disadvantages: slow model (many iterations required); DoS attacks possible

Technical details
- The OGSA-DAI service is secured by the standard Globus security mechanism called a security descriptor.
- Upon OGSA-DAI service startup the security descriptor location is read from the OGSA-DAI server-config.wsdd file.
- In security-descriptor.xml we tell Globus to authenticate users via transport security and to authorize them via our PDP (Policy Decision Point), called GAS PDP.
- In security-descriptor.xml we only point to the class that will be responsible for authorizing users; it must implement the methods init (for getting the initial configuration, e.g. the GAS server URL) and isAuthorized (for returning the authorization decision). Please note that any configuration variables GAS PDP should obtain (e.g. the GAS server URL) must be placed in the OGSA-DAI server-config.wsdd.
- When OGSA-DAI receives a request, the isAuthorized method of GAS PDP is called to authorize the user. GAS PDP first asks the GAS server whether the user is entitled to access the OGSA-DAI service. Upon a successful response GAS PDP asks GAS once again whether the user can perform the requested action. This action may be a perform document (select, insert, update etc.), listResources (for listing available data service resources) or property (e.g. databaseSchema). Currently we do not recognize the meaning of perform documents (whether it is a select, update, insert etc.), but it is possible…
- Upon a successful response (the user is authorized to access the OGSA-DAI service and entitled to perform the action), the RoleMapper's work begins (if the user requested some operation on a database). In most cases the RoleMapper file contains a mapping between the user's DN and database credentials. But when role-based authorization must be done, the RoleMapper file contains a mapping between a role and database credentials. The role is obtained from the GAS server: RoleMapper asks GAS for the role of the user (giving the GAS server the user's DN). After the mapping, the OGSA-DAI data service connects to the data service resource database and sends the response back to the user.
inteliGrid (January 2006)
(diagram: TUD, PSNC, LJU and SOFISTIK as gridFTP enabled resources + OGSA-DAI; a data management service provider without gridFTP access offering UploadDocument and DownloadDocument; a VO Administrator; all connected through the InteliGrid Collaborative Environment (Virtual Organization))

Summary
Done
- "Is it possible to edit (add/remove <Users>) the databaseRoles.xml of a data resource at runtime and have it take effect immediately without the need to restart the container?" (Larry Tan, University of Stirling)
- There are both advantages and disadvantages to the different authorization models, but dynamic and fine-grained security mechanisms are required
In progress
- JSR 168 OGSA-DAI GridSphere Portlet
- Metadata, semantics and ontologies in/over OGSA-DAI
- Push from commercial partners to use new security protocols, e.g. SAML and XACML (GAS provides SAML 2.0 compliant interfaces, DRMAA Service Provider supports SAML 2.0/Liberty Alliance) to deal with SSO scenarios
- SAML in OGSA-DAI WSI 2.1…?
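The push-authorization chain from the technical details slides (GAS PDP asking GAS first for service access and then for the requested action, RoleMapper turning the GAS role into database credentials) and the runtime-edit question from the summary, modelled as an added Python example. This is not inteliGrid, GAS or OGSA-DAI code (those components are Java plugged into Globus); the class names GasServer, GasPdp and RoleMapper, the function handle_request, the databaseRoles.xml layout (one User element per role with role/username/password attributes) and the DN and credentials are all assumptions constructed for the example. It shows why the push model is dynamic (every request goes back to GAS, so a role change or revocation applies to the next request), what the "many iterations" cost is (two GAS calls per request), and how a RoleMapper that re-reads its file makes editing the roles file at runtime take effect without a container restart.

```python
"""Added model of the inteliGrid push-authorization chain (GAS PDP + RoleMapper).
Not project code; class names, XML layout and all values are assumptions."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed databaseRoles.xml contents (assumed layout: one <User> per role).
ROLES_XML_V1 = """<databaseRoles>
  <Users>
    <User role="engineer" username="eng_user" password="eng-secret"/>
    <User role="admin" username="dba" password="dba-secret"/>
  </Users>
</databaseRoles>"""
# Same file with the admin <User> removed, as an administrator would edit it at runtime.
ROLES_XML_V2 = ROLES_XML_V1.replace('    <User role="admin" username="dba" password="dba-secret"/>\n', '')


class GasServer:
    """In-memory stand-in for the GAS server; the PDP asks it on every request."""

    def __init__(self):
        self.service_users = set()   # DNs entitled to reach the OGSA-DAI service at all
        self.actions = {}            # DN -> permitted actions (perform, listResources, property)
        self.roles = {}              # DN -> role handed to the RoleMapper

    def can_access_service(self, dn):
        return dn in self.service_users

    def can_perform(self, dn, action):
        return action in self.actions.get(dn, set())

    def role_of(self, dn):
        return self.roles.get(dn)


class GasPdp:
    """Policy Decision Point with the two methods the slides name: init and isAuthorized."""

    def __init__(self):
        self.gas = None
        self.gas_calls = 0           # counts the round trips that make the push model slow

    def init(self, config):
        # In the real deployment this config (e.g. GAS server URL) comes from server-config.wsdd.
        self.gas = config["gas"]

    def isAuthorized(self, dn, action):
        self.gas_calls += 1
        if not self.gas.can_access_service(dn):   # first question: may this DN use the service?
            return False
        self.gas_calls += 1
        return self.gas.can_perform(dn, action)   # second question: may it do this action?


class RoleMapper:
    """Maps a GAS role to database credentials read from a databaseRoles.xml-like file.
    The file is re-parsed whenever its bytes change, so adding or removing a <User>
    takes effect on the next request without restarting the container."""

    def __init__(self, path):
        self.path = path
        self._cached = None
        self._map = {}

    def _reload_if_changed(self):
        with open(self.path, "rb") as f:
            data = f.read()
        if data != self._cached:
            root = ET.fromstring(data)
            self._map = {u.get("role"): (u.get("username"), u.get("password"))
                         for u in root.iter("User")}
            self._cached = data

    def credentials_for(self, role):
        self._reload_if_changed()
        return self._map.get(role)


def handle_request(pdp, mapper, dn, action):
    """PDP decision, then role lookup in GAS, then credential mapping.
    Returns the DB credentials the data service would connect with, or None if denied."""
    if not pdp.isAuthorized(dn, action):
        return None
    return mapper.credentials_for(pdp.gas.role_of(dn))


def demo():
    """Grant, change the role at runtime, edit the roles file at runtime, revoke."""
    dn = "/O=inteliGrid/CN=alice"            # constructed DN
    tmp = tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False)
    tmp.write(ROLES_XML_V1)
    tmp.close()
    gas = GasServer()
    gas.service_users.add(dn)
    gas.actions[dn] = {"perform", "listResources"}
    gas.roles[dn] = "engineer"
    pdp = GasPdp()
    pdp.init({"gas": gas})
    mapper = RoleMapper(tmp.name)
    out = {}
    out["engineer"] = handle_request(pdp, mapper, dn, "perform")
    out["property_denied"] = handle_request(pdp, mapper, dn, "property")  # action not granted
    gas.roles[dn] = "admin"                  # admin changes the role during execution
    out["admin"] = handle_request(pdp, mapper, dn, "perform")
    with open(tmp.name, "w") as f:
        f.write(ROLES_XML_V2)                # remove the admin <User> while the service runs
    out["admin_after_edit"] = handle_request(pdp, mapper, dn, "perform")
    gas.service_users.discard(dn)            # revoke service access in GAS
    out["revoked"] = handle_request(pdp, mapper, dn, "perform")
    out["gas_calls"] = pdp.gas_calls
    os.unlink(tmp.name)
    return out


if __name__ == "__main__":
    print(demo())
```

Running demo() walks one DN through five requests: the engineer role resolves to the engineer credentials, an action GAS never granted is refused before any mapping happens, a role change in GAS is honoured on the very next request, removing the admin entry from the roles file makes the mapping fail without a restart, and revoking service access in GAS stops the request at the first check. The counter shows two GAS round trips for every permitted request, which is the cost the slides list against the push model.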