Transcript additions

Grid Security: Authentication
• Most Grids rely on a Public Key Infrastructure system for issuing credentials.
• Users are issued long term public and private keys (~ 1 year or more) that are signed by a recognized Certificate Authority.
– You can run your own CA and determine your own policy for issuing credentials.
– You decide which CAs to trust.
• The long term keys are used to issue short term user certificates (~12 hours)
– MyProxy is online certificate issuing software.
– Short term certificates are used to authenticate to both pre-Web Service Globus daemons (GRAM, GridFTP, etc) as well as Globus (and other) Web Services.
• Typically, both pre- and Web Service Globus tools are used to provide direct access to remote computers.
– Access user file systems, launch jobs on supercomputers through queuing systems, etc.
• Single sign-on (SSO):
– once you get a certificate, you can access all machines in the grid
– subject to access controls.
• Delegation: in connection with SSO
– delegated credentials are created on remote resources as the user asks for them.
– These credentials can also be used to access resources (now twice removed from the original certificate)
– Are traceable back to the original owner.
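The credential chain described on this slide, as an added example that is not part of the original slides or of the Globus Toolkit: a Go program issues a long-term user certificate from a CA, derives a 12-hour proxy and then a delegated proxy (twice removed) from it, verifies the chain back to the trusted CA, enforces the short proxy lifetime, and reports the original owner. The names "Alice" and "Example Grid CA" are constructed, and marking every certificate CA-capable is an assumption made because Go's verifier does not implement RFC 3820 proxy certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and a cert for cn signed by parent (self-signed when parent is nil). Assumption,
// not Globus behaviour: every cert is marked CA-capable so Go's verifier accepts user and proxy certs as
// intermediates; real Globus proxies carry RFC 3820 extensions instead.
func issue(cn string, ttl time.Duration, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(ttl), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil { parent, pkey = tmpl, key } // the root CA signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain issues long-term CA and user certs (years), a 12h proxy signed by the user key,
// and a second 12h proxy signed by the first: the delegated credential "twice removed".
func BuildChain() []*x509.Certificate {
	ca, caKey := issue("Example Grid CA", 10*365*24*time.Hour, nil, nil)
	user, userKey := issue("Alice", 365*24*time.Hour, ca, caKey)
	proxy, proxyKey := issue("Alice/CN=proxy", 12*time.Hour, user, userKey)
	delegated, _ := issue("Alice/CN=proxy/CN=proxy", 12*time.Hour, proxy, proxyKey)
	return []*x509.Certificate{delegated, proxy, user, ca} // leaf first, trusted CA last
}

// OwnerOf verifies the leaf up to the trusted CA, rejects any proxy living longer than
// maxProxy, and returns the CN of the long-term cert (the one the CA issued directly).
func OwnerOf(chain []*x509.Certificate, maxProxy time.Duration) (string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] { inters.AddCert(c) }
	if _, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil { return "", err }
	for _, c := range chain[:len(chain)-2] { // every cert below the user cert is a proxy
		if c.NotAfter.Sub(c.NotBefore) > maxProxy { return "", fmt.Errorf("proxy %q outlives the %v limit", c.Subject.CommonName, maxProxy) }
	}
	return chain[len(chain)-2].Subject.CommonName, nil
}

func main() { fmt.Println(OwnerOf(BuildChain(), 12*time.Hour)) }
```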
Authorization
• Authorization determines what you are allowed to do after you are authenticated.
• Several Grid authorization systems exist.
– CAS: introduced in Globus Toolkit 3.
• Usually associated with non-Web Service Globus tools.
– WS AA: part of the Globus Toolkit 4.
• Based on SAML
– PERMIS: a certificate-based system describing policy
– Shibboleth: normally used in US academic institutions
• Users can request resources anonymously to support privacy laws
• Must federate (i.e. “all Big 10 students are allowed to see each other’s online libraries”)
• Work currently going on to couple this to Grid authentication.
• PERMIS and Shibboleth are part of the NMI EDITS software suite.
Web Service Security and Grids
• Web Services have two sorts of security:
– Transport layer: SSL or TLS for point-to-point security.
– Message-level security: for securing the message itself, regardless of
the transport.
• Message-level security is defined by the WS-Security specification.
– See extensive notes here:
http://grids.ucs.indiana.edu/ptliupages/presentations/WStutorialjuly04/
• WS-SecureConversation: used to speed up multiple message
exchanges by establishing symmetric secret keys and security
contexts.
• SAML: XML markup language used to exchange security
attributes.
– Typically attributes describe authorization permissions.
Globus Toolkit 4 Overview
• GT4 is a Web Services based framework for deploying and
managing services.
• GT 4 downloads include
– A Web Service container that extends Apache Axis.
– Several service implementations, described on next slide.
– Legacy, non-Web Service (but still popular) tools from GT 2.
– Command line client tools and libraries.
– Security mechanisms based on Public Key Infrastructure, Web Service security, and internet standards.
Code Execution Services
• Grid Resource Allocation and Management (GRAM) can be used to
launch and manage one or more jobs.
• An XML job description language allows you to specify a sequence of
command and file operations.
• Coupled with the Reliable File Transfer service for increased fault
tolerance in multi-step jobs.
• Uses WS-Addressing, WS-Notification, and WSRF to manage the state of long-lived command operations.
• Can be extended with plugins to support batch queuing systems
– PBS, LSF, Sun Grid Engine, etc.
• GRAM can also be coupled with Condor for more sophisticated “metascheduling” on several machines.
• GRAM uses several security mechanisms
Data Management
• GridFTP is a high performance data transfer system that couples to the
local file system.
– Can be used to upload, download, and crossload data between several
machines.
– GridFTP is pre-Web Service
• Reliable File Transfer Service is a Web Service that builds on GridFTP
to support batch file transfers.
– Uses WS-Addressing, WS-Notification, and WSRF to manage the state of long-lived file transfer operations.
– See upcoming slides.
• OGSA-DAI is a related project of the UK e-Science program that provides uniform access to XML and relational databases.
– Uses document oriented Web Services to exchange “activity” documents that can specify database interaction workflows.
Resource Monitoring
• GT4 implements Web Service specifications (Web
Services Resource Framework and WS-Notification).
– Spec writing led by IBM and Globus
– These specs are going through the OASIS standardization process.
• Resources and services publish XML-based descriptions of
themselves.
• Other entities can obtain information on resources (and
changes in their status) by two means
– Querying the service
– Subscribing to notifications from the service
Building New Services
• Globus provides Java, C, and Python web service
containers.
• You can write and deploy services in the container
of your choice.
• Globus containers implement WS-I compliant
support for WSDL, SOAP, and WS-Security.
• They also implement WS-Addressing, WS-Notification, and WSRF.
– Note that the last two are their own specs
– And WS-Addressing changes frequently so there are
compatibility concerns.
Writing Clients
• Globus provides some tool support to simplify
client development.
– Client stub generation tools for Globus service WSDL.
• The Java COG kit also provides client tools that
interact with most known versions of the Globus
toolkit
– Primarily GT 2 and GT 4.
– GT 3 bindings exist but are likely to be deprecated.
Condor Overview
• Condor is a workload/scheduling system.
– Schedulers for Linux clusters, similar to PBS
and LSF
– “Cycle scavengers” for heterogeneous
collections of idle workstations.
• Concentrates on “high throughput
computing”
– Getting the most jobs through the system in a
week rather than most FLOPS.
Condor and Globus
• The Globus Grid Resource Allocation and Management (GRAM)
service is a general way to interact with remote operating systems.
– Unix fork, various schedulers like PBS and LSF.
• Condor has a scheduler plug-in for GRAM.
– Use GRAM to launch Condor jobs.
– Use GRAM job description languages to specify your job.
– So Globus users can use Condor
• Condor and GRAM interactions can also be reversed.
– “Condor-G”
– Use Condor to launch GRAM jobs.
– Use Condor job description mechanisms (“classads”).
– So Condor users can use Globus.