130 likes | 278 Vues
Security in XtreemOS A Next Generation Grid Operating System Rutherford Appleton Laboratory, Science and Technology Facilities Council, U. K. Erica Y. Yang (On behalf of the XtreemOS security team: STFC, SAP, XLAB, ICT, ULM, INRIA) email: y.yang@rl.ac.uk. Introduction.
 
                
                E N D
Security in XtreemOS A Next Generation Grid Operating System Rutherford Appleton Laboratory, Science and Technology Facilities Council, U. K. Erica Y. Yang (On behalf of the XtreemOS security team: STFC, SAP, XLAB, ICT, ULM, INRIA) email: y.yang@rl.ac.uk
Introduction • XtreemOS is a European project with the objective to design, implement, evaluate and distribute an open source Grid operating system, named XtreemOS, which supports Grid applications and capable of running on a wide range of underlying platforms, from PCs, clusters to mobiles. • The goal is to provide an abstract interface to its underlying local physical resources, as a traditional OS does for a single computer. • Yet another … ? • What are the unique challenges that XtreemOS faces? • How does the XtreemOS approach differ from that adopted by existing Grid middleware? Second EchoGrid Workshop Beijing – 29 & 30 October 2007
XtreemOS Partners Second EchoGrid Workshop Beijing – 29 & 30 October 2007
XtreemOS Work Packages Second EchoGrid Workshop Beijing – 29 & 30 October 2007
Requirements • Three actors are involved in a VO: • Domain administrator: maintain resources that are allowed to be integrated into a VO. They have ultimate control over what resources are available to a VO and its users. • VO administrator: compose VOs from resources provided by various domains, and they manage users and their permissions within VOs. • VO user: use VO resources under the regulation of domain administrators and of VO administrators. • Requirements for resource sharing and VO management • Users can have concurrent and independent associations with multiple VOs and sharing among different VOs must be supported. • To use VO resources, users do not need to have pre-existing local accounts in the domains belonging to a VO. • It must be possible to transfer data, files, directories between local and VO accounts. • Overlapping VOs are required: multiple VOs can be established on the same node. • VO management should be highly automated. • The lifetime of a VO must be guaranteed and the Quality of Service has to be respected even in the presence of runtime failures in a VO. • Requirements for security • Data confidentiality, integrity, and availability must be ensured. • A transaction framework is necessary, considering the distributed nature of the resources. • Single-sign on is required for users to access VO resources. • A secure audit service is needed to ensure the usage records cannot be repudiated. • Isolation of users, data, and services Second EchoGrid Workshop Beijing – 29 & 30 October 2007
The XtreemOS Approach • XtreemOS aims to provide native Virtual Organization (VO) support in the next generation Grids that involve scientific and commercial applications. Hence, • VO support has been taking into account from the very beginning of our design; and • It is possible to reduce the complexity and overheads introduced by layers of Grid middleware. • Enhance the transparency of utilizing Grid resources (computing, storage, and dynamicity) from end users’ perspective. • A VO can be seen as a temporary or permanent coalition of geographically dispersed entities (individuals, groups, organizational units or entire organizations) that pool resources, capabilities and information to achieve common objectives. There usually will be legal or contractual arrangements between the entities. The resources can be physical equipment such as computing or other facilities, or other capabilities such as knowledge, information or data. • VO Management (VOM) is a term covering all the infrastructural services that are needed to manage the entities, including users and resources, involved in a VO and ensure a consistent and coherent exploitation of the resources, capabilities, and information inside a VO under the governance of VO policies. • In XtreemOS, VO management is tightly coupled with major security issues, such as identity, attribute, credential, and policy management. Second EchoGrid Workshop Beijing – 29 & 30 October 2007
Security Challenges • Thus, the security challenges can be classified into two categories: • General Grids security: • Interoperability with diverse VO frameworks and security models • Flexibility of policy languages • Scalability of management of dynamic VOs • Customizable levels of isolation • Strong access control, sharing and auditing needs • XtreemOS specific: • Flexible support of application execution models (batch/interactive) • Strong need for customizable security methods (e.g. light weight security protocols for mobile devices) • Uniform yet powerful security model that can support streamlined interactions between application execution management and file management and those between different XtreemOS flavors • Trustworthy bootstrapping of VO resources Second EchoGrid Workshop Beijing – 29 & 30 October 2007
Ongoing security work • Credential management • Dynamic credential distribution and management • Flexible support for diverse authentication models • Policy management: A hierarchical distributed policy enforcement framework, including VO-level and node-level policies to • Support VO-wide coordinated resource usage and sharing • Ensure resource owners have the final control on the resource usage on their machines • Identity and attribute management • Support interoperability with diverse security models and VO frameworks • Allow integration with existing identity and attribute authorities • VO membership management: • Provide back-end support to the Credential Distribution Authority service • Offer an interface to allow management of VO membership • Accounting service to • Aim to provide a real-time picture of resource consumption in a VO scale • Assist enforcement of VO-wide resource control measurements • A new type of delegation model to • Take advantage of the dynamic credential management infrastructure that XtreemOS supports • Reduce the potential problems (e.g. performance and length of keyring entries) in the proxy certificate based delegation model Second EchoGrid Workshop Beijing – 29 & 30 October 2007
Security Mechanisms • Authentication • First release will be based on GSI • Subsequent releases should make use of a lightweight security protocol and be based on the new delegation model • Secure Communication • Transport Layer Security (TLS) • Also looking into a lightweight security protocol for mobile devices • Authorization • VO level policy enforcement • Node level fine-grained access control based on VO credentials and local policies • Accounting • Real-time accounting service based on an event-driving communication infrastructure • Isolation • First release will be based on the Linux account management system (UID/GID) so that users’ real identity can be hidden in the local namespace. • Subsequent releases will look into the possibility of providing interfaces to support virtualization technologies for strong isolation. • Delegation • First release will be proxy-certificate based delegation model (the globus model) • Subsequent releases will be based on the XtreemOS delegation model. Second EchoGrid Workshop Beijing – 29 & 30 October 2007
Security for Application Execution IDS (Identity Service) Accounting Service CDA (Credential Distribution Authority) VOPS (VO-level Policy Service) AttrS (Attribute Service) 7. Accounting info X-VOMS (Membership Service) ResMng Authentication By verifying XOS-cert 4.1 3. VO policy decisions 1. XOS-Cert 4. Negotiation request JobMng 4.2 Local Policy Checking 5. Negotiation result 2. Create job Client Interface 6.1 ExecMng Allocate UID/GID 6. Job submission User 6.2 setuid() and exec … Xsub -vo esvo -group testing -role programmer 6.3 Update accounting service Client Resource Second EchoGrid Workshop Beijing – 29 & 30 October 2007
Summary • This talk describes the security work undertaking by the XtreemOS project which has concentrated on developing and understanding requirements and performing initial security architecture design. This work is on going. • The initial implementation of XtreemOS is under testing and will soon undergo the integration phase. This will then be tested on a variety of use cases and further refined. • The security services described in this talk will be detailed in the 2nd specification which shall be made public early next year. • Further extensions to the specification are planned, including: mechanisms for federated authentication, further refinement and formal verification of the lightweight security protocol, the delegation model and a systematic evaluation framework. • Also, security assurance of the implemented services will be checked against recognized security criteria and systematic threat analysis will be further performed. Second EchoGrid Workshop Beijing – 29 & 30 October 2007
Node Level Enforcement • XtreemOS uses PAM (Pluggable Authentication Modules) to adapt to different VO models and reduce kernel code changes. • Local user accounts are allocated dynamically on a resource node to match the actual global users exploiting that node. • The dynamic allocation of user accounts ensures XtreemOS scalability and reduce the complexity of VO management. • XtreemOS stores user security tickets in the kernel session keyring. • Fine grain access control is supported by node-level mechanisms via external policy services or via Linux kernel through the LSM (Linux Security Module) framework. Second EchoGrid Workshop Beijing – 29 & 30 October 2007
Related Work • Grid Security Infrastructure (GSI), MyProxy • Community Authorization Service (CAS) - Globus • An exemplar approach to provide fine-grain access control at nodes by pushing policy decisions to them • It is comparatively easy to create dynamic VOs using the CAS model (as nodes are not aware of new VOs so long as it trusts the CAS server sending out the CAS certificates). However, • Depending of level of granularity required, it is not always easy to figure out what resources users need to use in advance. • CAS is for a “community”. Hence, it is not clear how logging and auditing can be enforced on an individual user basis. • Virtual Organization Membership Service (VOMS) - EGEE • An exemplar approach to take users’ VO attributes into the node-level policy decision process • Adopted by large scale production Grids, especially in Europe. However, • It is not easy to figure out what privileges a user has at a given time for a certain job as authorization decisions are often a joint decision between the VOMS server (contributing VOMS credentials) and nodes (specifying local policies). • To specify node policies, nodes have to be VO aware. However, managing such knowledge consistently and coherently can become a potential scalability problem. Especially, it makes it difficult to introduce new user attributes and dynamically create new Vos. • Agora in China National Grid (CNGrid) • Crown security ? Second EchoGrid Workshop Beijing – 29 & 30 October 2007