Security
Daniel Mallmann, d.mallmann@fz-juelich.de
MWSG meeting, Amsterdam, 14-15 December 2005

Architecture Overview
(Diagram: Clients connect over the Internet to the Gateway of a Usite. Usite A has Vsite A1, Usite B has Vsites B1 and B2; each Vsite runs a Network Job Supervisor backed by a Target System Interface.)
Client
• Java application
• User authentication via X.509 certificates
• Global or local list of Unicore sites (Usites)
• Connects to Gateway via SSL and Unicore Protocol Layer (UPL)
• Job preparation
• Workflow management
• File management
• Abstract Job Object (AJO) generation
• Job signing
• Job monitoring
• Job control
(Diagram: the Client with its Job Preparation, Workflow Management and Job Monitor components, holding lists of Usites and Vsites; Clients with a Unicore site list connect over the Internet via SSL to a Gateway.)
Gateway
(Diagram: the architecture overview with the Gateways highlighted.)

Gateway
• Authentication:
  • Connection only with valid certificates from accepted Certification Authorities
  • Forwards the client certificate to the NJS for authorisation
• Single point of entry for all Unicore services of the Usite
• Only one open port
• List of Vsites
• Connects to Vsites via UPL (SSL optional)
(Diagram: Clients reach the Gateway over the Internet via SSL through the site firewall; the Gateway holds the Vsite list and connects to Vsite 1, 2 and 3, each with a Network Job Supervisor.)
Network Job Supervisor
(Diagram: the architecture overview with the Network Job Supervisors highlighted.)

Network Job Supervisor
• Checks the integrity of jobs
• Authorises the user by the Unicore User Data Base (UUDB)
• Mapping of the Unicore user certificate to the target system Xlogin
• Forwards sub-jobs to remote Vsites
• Translates the abstract job into target-system-specific tasks based on the Incarnation Data Base (IDB)
• Transfers files to the work directory on the target system via socket connection
• Submits jobs to the Target System Interface (TSI) via socket connection
(Diagram: a Network Job Supervisor behind its Gateway, consulting the Unicore User Data Base and the Incarnation Data Base and connected to a Target System Interface; a second NJS at another site is reached over the Internet through that site's Gateway.)
Target System Interface
(Diagram: the architecture overview with the Target System Interfaces highlighted.)

Target System Interface
• Interfaces between Unicore and the Grid resource
• Executes the specific tasks translated by the NJS, or submits them to the batch subsystem
• Stores and sends files from/to the Unicore Client or local directories
• Contains batch subsystem, operating system and installation specific code
• Runs as root
(Diagram: the TSI receives requests from the Network Job Supervisor; a Shepherd process spawns Workers that talk to the batch subsystem, applications, the operating system and the file system.)
Multi-site Job
(Diagram: the architecture overview with a job spanning Vsites of both Usites.)

Multi-site Job
• Consignor
  • The entity (user client or NJS) that consigns a job or sub-job
  • Expressed by the certificate used in the SSL connection
• Endorser
  • The entity (user) that authorises the tasks to be performed
  • Expressed by signing the serialised AJO directed acyclic graph
(Diagram: the Client consigns the signed Job over SSL to the Primary Network Job Supervisor, which consigns a Sub-Job over SSL to the Secondary Network Job Supervisor; legend: user certificate, NJS certificate.)
Explicit Trust Delegation
(Diagram: the architecture overview with a Portal acting as the client.)

Explicit Trust Delegation
• User
  • New role besides consignor and endorser
  • Entity (user) on whose behalf tasks will be performed
• Trusted Agents (Portal)
  • Added to the UUDB explicitly
  • Allowed to endorse AJOs on behalf of users
(Diagram: a WS client (browser) reaches the Portal over SSL as user "name"; the Portal consigns the Job over SSL to the Network Job Supervisor; legend: user certificate, Portal certificate.)
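The three NJS slides above (integrity check and UUDB mapping, the consignor/endorser split of a multi-site job, and the user/trusted-agent roles of Explicit Trust Delegation) describe one authorisation decision, so here is one added example that makes it in Go. It is not UNICORE's NJS code: the AJO is a small JSON structure standing in for the serialised AJO graph, ECDSA signatures over its SHA-256 digest stand in for the X.509-based AJO signature, a map of public keys keyed by DN stands in for the certificates the site knows, and the DNs, the UUDB contents and the Scenario cases are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// AJO stands in for a serialised Abstract Job Object: the user on whose behalf the
// tasks run, plus the tasks (constructed example; not UNICORE's real AJO format).
type AJO struct {
	User  string   `json:"user"`
	Tasks []string `json:"tasks"`
}

// SignedAJO is the serialised AJO with the endorser's signature over it.
type SignedAJO struct {
	Payload  []byte
	Endorser string // DN of the signing identity
	Sig      []byte // ECDSA signature over SHA-256(Payload)
}

// UUDBEntry models one Unicore User Data Base record: the target-system Xlogin a DN
// maps to, and whether the DN was explicitly added as a trusted agent (ETD).
type UUDBEntry struct {
	Xlogin       string
	TrustedAgent bool
}

// NJS holds the UUDB and the public keys of identities the site knows; the key map
// stands in for the X.509 certificates a real NJS would hold.
type NJS struct {
	UUDB map[string]UUDBEntry
	Keys map[string]*ecdsa.PublicKey
}

// Endorse serialises the AJO and signs it as the endorser (a user or a trusted agent).
func Endorse(endorser string, key *ecdsa.PrivateKey, ajo AJO) SignedAJO {
	payload, _ := json.Marshal(ajo)
	digest := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedAJO{Payload: payload, Endorser: endorser, Sig: sig}
}

// Authorise is the NJS decision. The consignor is the identity seen on the SSL
// connection (handed over by the Gateway), the endorser is proven by the signature,
// and the user is named inside the AJO. It returns the Xlogin to run the job as.
func (n *NJS) Authorise(consignor string, s SignedAJO) (string, error) {
	if _, ok := n.Keys[consignor]; !ok { // a user client or a peer NJS
		return "", fmt.Errorf("unknown consignor %q", consignor)
	}
	pub, ok := n.Keys[s.Endorser]
	if !ok {
		return "", fmt.Errorf("unknown endorser %q", s.Endorser)
	}
	digest := sha256.Sum256(s.Payload) // integrity check: the signature must verify
	if !ecdsa.VerifyASN1(pub, digest[:], s.Sig) {
		return "", fmt.Errorf("AJO signature invalid, job rejected")
	}
	var ajo AJO
	if err := json.Unmarshal(s.Payload, &ajo); err != nil {
		return "", err
	}
	// Only the user, or a trusted agent listed in the UUDB, may endorse the user's job.
	if ajo.User != s.Endorser && !n.UUDB[s.Endorser].TrustedAgent {
		return "", fmt.Errorf("%q may not endorse jobs on behalf of %q", s.Endorser, ajo.User)
	}
	entry, ok := n.UUDB[ajo.User] // map the user certificate (DN) to an Xlogin
	if !ok || entry.Xlogin == "" {
		return "", fmt.Errorf("user %q has no Xlogin in the UUDB", ajo.User)
	}
	return entry.Xlogin, nil
}

// Scenario runs the cases from the slides with constructed identities: a user
// endorsing her own job, a sub-job consigned by a primary NJS, a portal endorsing
// on the user's behalf, an endorser who is not a trusted agent, and a tampered AJO.
func Scenario() (self, subJob, viaPortal string, untrusted, tampered error) {
	gen := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	alice, bob, portal, njsA := gen(), gen(), gen(), gen()
	njs := &NJS{
		UUDB: map[string]UUDBEntry{
			"CN=Alice": {Xlogin: "alice"}, "CN=Bob": {Xlogin: "bob"}, "CN=Portal": {TrustedAgent: true},
		},
		Keys: map[string]*ecdsa.PublicKey{
			"CN=Alice": &alice.PublicKey, "CN=Bob": &bob.PublicKey,
			"CN=Portal": &portal.PublicKey, "CN=NJS-A": &njsA.PublicKey,
		},
	}
	job := AJO{User: "CN=Alice", Tasks: []string{"run simulation"}}
	self, _ = njs.Authorise("CN=Alice", Endorse("CN=Alice", alice, job))
	subJob, _ = njs.Authorise("CN=NJS-A", Endorse("CN=Alice", alice, job)) // sub-job from the primary NJS
	viaPortal, _ = njs.Authorise("CN=Portal", Endorse("CN=Portal", portal, job))
	_, untrusted = njs.Authorise("CN=Bob", Endorse("CN=Bob", bob, job)) // Bob is not a trusted agent
	forged := Endorse("CN=Alice", alice, job)
	forged.Payload = []byte(`{"user":"CN=Alice","tasks":["a different task"]}`)
	_, tampered = njs.Authorise("CN=Alice", forged)
	return
}

func main() {
	self, subJob, viaPortal, untrusted, tampered := Scenario()
	fmt.Println(self, subJob, viaPortal, untrusted, tampered)
}
```

Two properties of the model show up directly in the cases: the consignor of a sub-job is a peer NJS that has no Xlogin at all, so the job still runs as the endorsing user; and a trusted agent's right to endorse for others comes only from its explicit UUDB flag, so an ordinary user's signature on someone else's AJO is refused even though the signature itself is valid.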
UniGrids project
• All components are being moved to stateful Web Services
• Based on the Open Grid Services Architecture (OGSA)
• Compliant with the Web Services Resource Framework
• Gateway handles multiple protocols
• Web Service implementation of the UUDB

References
• Unicore
  • Software: http://unicore.sourceforge.net
  • Whitepaper: http://www.unicore.org/ ...... documents/UNICOREPlus-Final-Report.pdf
• Unicore Security
  • GGF Document GFD.18, “An Analysis of the UNICORE Security Model”, http://www.gridforum.org/documents/GFD.18.pdf
• UniGrids
  • http://www.unigrids.org
• Explicit Trust Delegation
  • Fujitsu Scientific & Technical Journal, Special Issue: Grid Computing, 2004-12 (Vol. 40, No. 2), “Explicit Trust Delegation: Security for Dynamic Grids”, http://www.fujitsu.com/downloads/MAG/vol40-2/paper12.pdf