Security
Daniel Mallmann, d.mallmann@fz-juelich.de
MWSG meeting, Amsterdam, 14-15 December 2005

Slide 2: Architecture Overview
[Diagram: Clients connect over the Internet to the Gateway of Usite A and the Gateway of Usite B; Usite A contains Vsite A1, Usite B contains Vsites B1 and B2; each Vsite runs a Network Job Supervisor and a Target System Interface]

Slide 3: Client
- Java application
- User authentication via X.509 certificates
- Global or local list of Unicore sites (Usites)
- Connects to the Gateway via SSL and the Unicore Protocol Layer (UPL)
- Job preparation
  ♦ Workflow management
  ♦ File management
  ♦ Abstract Job Object (AJO) generation
  ♦ Job signing
- Job monitoring
- Job control
[Screenshot of the Client: Job Preparation, Job Monitor, Usites, Vsites and Workflow Management panels]

Slide 4: Client
[Diagram: the Client, holding a Unicore Site list, connects over the Internet via SSL to a Gateway]

Slide 5: Gateway
[Diagram: same architecture overview as slide 2, showing where the Gateway sits]

Slide 6: Gateway
- Authentication:
  ♦ Connection only with valid certificates from accepted Certification Authorities
  ♦ Forwards the client certificate to the NJS for authorisation
- Single point of entry for all Unicore services of the Usite
  ♦ Only one open port
- List of Vsites
- Connects to Vsites via UPL (SSL optional)

Slide 7: Gateway
[Diagram: the Client reaches the Gateway over the Internet via SSL through a firewall; the Gateway holds the Vsite list and connects to Vsite 1, Vsite 2 and Vsite 3, each running a Network Job Supervisor]

Slide 8: Network Job Supervisor
[Diagram: same architecture overview as slide 2, showing where the Network Job Supervisor sits]

Slide 9: Network Job Supervisor
- Checks integrity of jobs
- Authorises the user by the Unicore User Data Base (UUDB)
  ♦ Mapping of the Unicore user certificate to the target system Xlogin
- Forwards sub jobs to remote Vsites
- Translates the abstract job into target system specific tasks based on the Incarnation Data Base (IDB)
- Transfers files to the work directory on the target system via socket connection
- Submits jobs to the Target System Interface (TSI) via socket connection

Slide 10: Network Job Supervisor
[Diagram: the Gateway connects over the Internet to the Network Job Supervisor, which consults the Unicore User Data Base and the Incarnation Data Base and talks to the Target System Interface]

Slide 11: Target System Interface
[Diagram: same architecture overview as slide 2, showing where the Target System Interface sits]

Slide 12: Target System Interface
- Interfaces between Unicore and the Grid resource
- Executes the specific tasks translated by the NJS, or submits them to the batch sub system
- Stores and sends files from/to the Unicore Client or local directories
- Contains batch sub system, operating system and installation specific code
- Runs as root

Slide 13: Target System Interface
[Diagram: the Network Job Supervisor talks to the Target System Interface (Shepard and Worker processes), which sits on top of the Batch Sub System, Application, Operating System and File System]

Slide 14: Multi-site Job
[Diagram: same architecture overview as slide 2, with a job spanning Usite A and Usite B]

Slide 15: Multi-site Job
- Consigner
  ♦ The entity (user client or NJS) that consigns a job or sub-job
  ♦ Expressed by the certificate used in the SSL connection
- Endorser
  ♦ The entity (user) that authorises the tasks to be performed
  ♦ Expressed by signing the serialized AJO directed acyclic graph
[Diagram: the Client sends the Job over SSL to the Primary Network Job Supervisor, which sends the Sub Job over SSL to the Secondary Network Job Supervisor; legend: user certificate, NJS certificate]

Slide 16: Explicit Trust Delegation
[Diagram: same architecture overview as slide 2, with a Portal between the Client and the Gateway]

Slide 17: Explicit Trust Delegation
- User
  ♦ New role besides consignor and endorser
  ♦ Entity (user) on whose behalf tasks will be performed
- Trusted Agents (Portal)
  ♦ Added to the UUDB explicitly
  ♦ Allowed to endorse AJO on behalf of users
[Diagram: a WS-Client (Browser) talks to the Portal, which sends the Job over SSL to the Network Job Supervisor; the Job carries "User: name"; legend: user certificate, Portal certificate]

Slide 18: UniGrids project
- All components are being moved to stateful Web Services
  ♦ Based on the Open Grid Services Architecture (OGSA)
  ♦ Compliant with the Web Services Resource Framework
- Gateway handles multiple protocols
- Web Service implementation of the UUDB

Slide 19: References
- Unicore
  ♦ Software: http://unicore.sourceforge.net
  ♦ Whitepaper: http://www.unicore.org/ ... documents/UNICOREPlus-Final-Report.pdf
- Unicore Security
  ♦ GGF Document GFD.18 "An Analysis of the UNICORE Security Model", http://www.gridforum.org/documents/GFD.18.pdf
- UniGrids
  ♦ http://www.unigrids.org
- Explicit Trust Delegation
  ♦ Fujitsu Scientific & Technical Journal, Special Issue: Grid Computing, 2004-12 (Vol. 40, No. 2), "Explicit Trust Delegation: Security for Dynamic Grids", http://www.fujitsu.com/downloads/MAG/vol40-2/paper12.pdf