Practical Distributed Authorization for GARA

Andy Adamson and Olga Kornievskaia
Center for Information Technology Integration
University of Michigan, USA
Outline
• Background and motivation
• Security architecture of the current scheme
• Design of the authorization framework
• Modified authentication mechanism
• Video clip of the demo
• Reservation flow walk-through
Background
• Grid computing is an initiative for the advancement of distributed computing that enables flexible sharing of resources distributed among administrative domains
• GARA (General-purpose Architecture for Reservation and Allocation): a Quality of Service reservation mechanism for different types of resources
• Project partners: University of Michigan (Physics, CITI), European Organization for Nuclear Research (CERN), Argonne National Laboratory (ANL), Merit, and others…
End-to-End Performance
• Reliable high-speed end-to-end network services are important to scientific collaborators
– Video, audio, large data transfers
• Long-haul networks demonstrate good performance due to overprovisioning
• The last mile is often the network bottleneck
• Reliable end-to-end network service is achieved by reserving network resources within end-point institution networks, coupled with the good performance of overprovisioned long-haul networks.
Automated network reservation
• QoS functionality is a common feature in network hardware
• QoS configuration is currently done by hand
• We address the need for an automated network reservation system
• Security of all communications is vital
• Security is a difficult problem because end-to-end network resource allocation crosses administrative domains
Project based on Globus GARA
• GARA is a Grid network reservation service
• GARA uses the PKI-based Grid Security Infrastructure (GSI) for authentication and coarse authorization
– Authentication uses long-term public-key and short-term proxy credentials
– Authorization is controlled by an ACL-based flat file
• Our contributions:
– Fine-grained cross-domain authorization
– Public-key credentials based on Kerberos identity
– Secure web interface
Cross-domain Authorization
• Use existing local group services
– Avoid replicating data and management tasks
• Group name-space shared by domains
– Local administrators manage group membership as usual
• KeyNote policy engine makes the authorization decision
• Fine-grained authorization expressed in KeyNote policy rules
– Group membership
– Amount of bandwidth allowed
– Time/duration of reservation
Local Domain Authorization
• Local GARA contacts the local group service to determine which groups the user is a member of
• Group membership is passed into KeyNote along with the reservation request parameters
• KeyNote compares input parameters to the rules
• If authorized, the local GARA client:
– Packages and signs the username and group membership
– Adds it to the reservation request that is forwarded to the remote site
Remote Domain Authorization
• Remote GARA accepts and verifies the username/group membership from the wire
• Group membership is passed into KeyNote along with the reservation request parameters
• KeyNote compares input parameters to the rules to make the authorization decision
• If remote authorization fails, the reservation at the previous node is cancelled.
Kerberos leveraged PKI: kx.509
[Diagram: Browser/User, Web Server, KCT and KCA. Labelled flows: "SSL handshake (recorded)", "SSL transcript", "Service ticket", "Sign my short-term key".]
Web server as proxy GARA client
[Diagram: Web Server acting as GARA client; Group Service (AFS PTS or LDAP); Local GARA and Remote GARA, each with KeyNote and a Router Pool. Labelled flows: "Request group membership" and "Signed group membership =>".]
Demonstration: UMICH to CERN
• Multiple security realms
• AFS Protection Server (PTS) is used for the local group service
• MJPEG video conferencing application
– 10 MB/sec stream each way, 147 ms round trip
– RTP headers record packet loss statistics
• Iperf traffic generated at each end across the video- and audio-receiving router interface
• Cisco 6506 at UMICH, Cisco 7500 at CERN
Demonstration: UMICH to CERN
• Note high-quality video and audio
• Turn on Iperf traffic at one end to degrade the video and audio signal
• Place a reservation in the near future (1 minute) for a short duration (20 seconds)
• Note that degraded video and audio return to high quality during the 20-second reservation, in spite of competing traffic generation
• Note that degraded video and audio return at the end of the reservation
“Big Picture”
[Diagram: domains CITI.UMICH.EDU, IGRID2002 and ATLAS.UMICH.EDU; components labelled KCT/KDC, KINIT, KCA, KX509, Browser, SSL, Web Server, GARA Client, GSI, GARA Service, TELNET, Cisco 7206, AFS PTS Group Service, RX, MJpeg Host, SSH, Cisco 6506; the MJpeg hosts carry the Reserved Video Conference.]
Any Questions?
http://www.citi.umich.edu/projects/qos
Demonstration: UMICH to CERN
We demonstrated that a reservation failed if:
– The user was not in the correct group
– The requested bandwidth was out of bounds
– The time of the request was out of bounds
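As an added illustration of the local/remote authorization flow on the earlier slides and of the three failure cases demonstrated here (example code written for this page, not the GARA or CITI implementation): the group service, policy values, key and request fields are constructed, and an HMAC over the packaged username and groups stands in for the GSI public-key signature.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the local group service (AFS PTS or LDAP in the slides).
GROUP_SERVICE = {"alice": {"atlas", "staff"}, "bob": {"staff"}}
# Hypothetical per-domain rules (group, bandwidth, time window in seconds); remote allows less.
LOCAL_POLICY = {"group": "atlas", "max_mbps": 20, "window": (0, 3600)}
REMOTE_POLICY = {"group": "atlas", "max_mbps": 10, "window": (0, 3600)}
# Constructed shared key; HMAC stands in for the GSI public-key signature.
DOMAIN_KEY = b"constructed-demo-key"

def authorize(groups, request, policy):
    """Compare request parameters and membership to the rules, as KeyNote does."""
    if policy["group"] not in groups:
        return "user not in correct group"
    if not 0 < request["mbps"] <= policy["max_mbps"]:
        return "requested bandwidth out of bounds"
    start, end = policy["window"]
    if request["start"] < start or request["start"] + request["duration"] > end:
        return "time of request is out of bounds"
    return None  # authorized

def local_gara(user, request):
    """Local domain: fetch groups, authorize, then sign username plus membership."""
    groups = GROUP_SERVICE.get(user, set())
    reason = authorize(groups, request, LOCAL_POLICY)
    if reason:
        return None, reason
    assertion = json.dumps({"user": user, "groups": sorted(groups)}).encode()
    sig = hmac.new(DOMAIN_KEY, assertion, hashlib.sha256).hexdigest()
    return {"assertion": assertion, "sig": sig, "request": request}, None

def remote_gara(message):
    """Remote domain: verify the signed membership from the wire, then re-check."""
    expected = hmac.new(DOMAIN_KEY, message["assertion"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["sig"]):
        return "signature verification failed"
    groups = set(json.loads(message["assertion"])["groups"])
    return authorize(groups, message["request"], REMOTE_POLICY)

def reserve(user, request):
    """End-to-end flow: a remote failure cancels the reservation at the previous node."""
    message, reason = local_gara(user, request)
    if message is None:
        return False, "local: " + reason
    reason = remote_gara(message)
    if reason:
        return False, "remote: " + reason + " (local reservation cancelled)"
    return True, "reserved"
```

The remote site re-evaluates against its own policy after verifying the signature, so a request the local domain accepts can still be refused remotely, which is the cancellation path the slides describe.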
Future directions
• Ongoing project extends the existing infrastructure to accommodate general web-based network monitoring tools