Part1 EGEE intro security


Published on June 20, 2007

Author: Aric85

Source: authorstream.com

Introduction to EGEE and EGEE security
http://egee.hu/grid05/index.php?m=3

Introduction to EGEE and Security
Norbert Podhorszki, MTA SZTAKI
EGEE is funded by the European Union under contract IST-2003-508833

Acknowledgement
This tutorial is based on the work of many people:
- Fabrizio Gagliardi, Flavia Donno and Peter Kunszt (CERN)
- the EDG developer team
- the EDG training team
- the NeSC training team
- the SZTAKI training team

The Grid Vision
The Grid: networked data processing centres and 'middleware' software as the 'glue' of resources.

What do we expect from the Grid?
- Access to a world-wide virtual computing laboratory with almost infinite resources
- Possibility to organize distributed scientific communities in VOs
- Transparent access to distributed data and easy workload management
- Easy to use application interfaces

CERN: Data intensive science in a large international facility
- The Large Hadron Collider (LHC): the most powerful instrument ever built to investigate elementary particle physics
- Data Challenge: 10 Petabytes/year of data! 20 million CDs each year!
- Simulation, reconstruction, analysis: LHC data handling requires computing power equivalent to ~100,000 of today's fastest PC processors!
(Slide figure: aerial view of the LHC site, Mont Blanc (4810 m), downtown Geneva)

The EGEE Project
www.eu-egee.org
- EU funded project (04/2004 – 03/2006)
- EGEE offers the largest production grid facility in the world, open to many applications (HEP, BioMedical, generic)
- Existing production service based on LCG (derived from EDG software of FP5)
- Next generation open source web-services middleware being re-engineered taking into account production/deployment/management needs
- Well-defined, distributed support structure to provide eInfrastructure that is available to many application domains

LCG-2/EGEE-0 Status April 2005
Total: > 100 sites, ~12000 CPUs, 6.5 PByte
(Slide figure: map of participating sites, including Cyprus)

Main Logical Machine Types (Services) in LCG-2
- User Interface (UI)
- Information Service (IS)
- Computing Element (CE): Frontend Node, Worker Nodes (WN)
- Storage Element (SE)
- Replica Catalog (RC, RLS)
- Resource Broker (RB)

User Interface
- The initial point of access to the LCG-2 Grid is the User Interface
- This is a machine where LCG users have a personal account
- The user's certificate is installed
- The UI is the gateway to Grid services
- It provides a Command Line Interface to perform the following basic Grid operations:
  - list all the resources suitable to execute a given job;
  - replicate and copy files;
  - submit a job for execution on a Computing Element;
  - show the status of one or more submitted jobs;
  - retrieve the output of one or more finished jobs;
  - cancel one or more jobs.
- One or more UIs are available at each site that is part of the LCG-2 Grid

Computing Element
(Slide figure: a Grid Gate node running the gatekeeper and information service in front of a batch server and worker nodes, each CPU: PIV, RAM: 2GB, OS: Linux)
- A CE consists of homogeneous worker nodes
- Computing Element: entry point into a queue of a batch system
- Information associated with a computing element is limited only to information relevant to the queue
- Resource details relate to the system

Storage Element (SE)
- A Storage Element (SE) provides uniform access and services to large storage spaces.
- Each site includes at least one SE
- They use two protocols:
  - GSIFTP for file transfer
  - Remote File Input/Output (RFIO) for file access
- Storage Resource Manager (SRM) needs to take into account:
  - Transparent access to files (migration to/from disk pool)
  - Space reservation (on demand and advance)
  - File status notification
  - Life time management

Information System (IS)
- The Information System (IS) provides information about the LCG-2 Grid resources and their status
- The current IS is based on LDAP (Lightweight Directory Access Protocol): a directory service infrastructure which is a specialized database optimized for reading, browsing and searching information.
- The LDAP schema used in LCG-2 implements the GLUE (Grid Laboratory for a Uniform Environment) Schema

Data Management
- In LCG, the data files are replicated, on a temporary basis, to many different sites depending on where the data is needed.
- The users or applications do not need to know where the data is located; they use logical file names
- The Data Management services are responsible for locating and accessing the data.

Replication Services: Basic Functionality
(Slide figure: Replica Manager, Replica Location Service, Replica Metadata Catalog and Storage Elements)
- Files have replicas stored at many Grid sites on Storage Elements.
- Each file has a unique Grid ID.
- Locations corresponding to the GUID are kept in the Replica Location Service.
- Users may assign aliases to the GUIDs. These are kept in the Replica Metadata Catalog.
- The Replica Manager provides atomicity for file operations, assuring consistency of SE and catalog contents.

Job Management
- The user interacts with the Grid via a Workload Management System (WMS)
- The goal of the WMS is the distributed scheduling and resource management in a Grid environment.
- What does it allow Grid users to do?
  - To submit their jobs
  - To execute them on the 'best resources' (the WMS tries to optimize the usage of resources)
  - To get information about their status
  - To retrieve their output

A Simple Configuration
(Slide figure: User Interface, Resource Broker, Replica Catalog, Information Service, Storage Element 1, Storage Element 2, Computing Element 1, Computing Element 2; each SE is 'CLOSE' to a CE)

Security

Introduction to Security
What aspects of security should we be concerned about?
- Authentication (Identification)
- Confidentiality (Privacy)
- Integrity (non-Tampering)
- Authorisation
- Also: Accounting, Delegation, Non-Repudiation

How do I login on the Grid?
- Distribution of resources:
  - secure access is a basic requirement
  - secure communication
  - security across organisational boundaries
  - single 'sign-on' for users of the Grid
- Two basic concepts:
  - Authentication: Who am I? 'Equivalent' to a passport, ID card etc.
  - Authorisation: What can I do? Certain permissions, duties etc.

Encrypting for Confidentiality
Sending a message using asymmetric keys:
1. Encrypt message using Receiver's public key
2. Send encrypted message
3. Receiver decrypts message using own private key
Only someone with Receiver's private key can decrypt the message
(Slide figure: sender space, public space and receiver space; 'Hello World' is turned into ciphertext with openssl and the Receiver's public key, and back into 'Hello World' with the Receiver's private key)

Signing for Authentication
1. Encrypt message with Sender's private key
2. Send encrypted message
3. Message is readable by ANYONE with Sender's public key
4. Receiver decrypts message with Sender's public key
Receiver can be confident that only someone with Sender's private key could have sent the message
(Slide figure: 'Hello World' is encrypted with openssl and the Sender's private key, and recovered by the Receiver with the Sender's public key)

Problem of Authentication
- What if the public key is stolen?
- Can the Receiver be sure that the Sender's public key is really the Sender's public key and not someone else's?
(Slide figure: the Attacker's public key is advertised as the Sender's public key; the Attacker encrypts 'You are a loser' with the Attacker's private key and the Receiver, using the advertised key, reads it as if it came from the Sender)

Digital Certificates
- How can B be sure that A's public key is really A's public key and not someone else's?
- A third party guarantees the correspondence between public key and owner's identity, by signing a document which contains the owner's identity and his public key (Digital Certificate)
- Both A and B must trust this third party
- Two models:
  - X.509: hierarchical organization;
  - PGP: 'web of trust'.
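The three slides above (encrypting with the Receiver's public key, signing with the Sender's private key, and the substituted-key problem) run with the openssl command line. This is an added example, not code from the tutorial: the key names, the message file and the 'attacker' key pair are constructed here, and an openssl CLI on PATH is assumed.

```shell
#!/bin/sh
# Added example (not part of the tutorial): the three slides above, run with the openssl
# command line. Assumes an openssl CLI on PATH; the key names, the message and the
# "attacker" key pair are constructed here.
set -eu
WORK=$(mktemp -d)
printf 'Hello World' > "$WORK/msg"      # the slides' sample message

gen_key() {  # gen_key <name>: RSA key pair, <name>.key (private) and <name>.pub (public)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Encrypting for Confidentiality: (1) encrypt with the Receiver's PUBLIC key,
# (2) send, (3) the Receiver decrypts with the PRIVATE key. Prints the recovered text.
confidentiality_roundtrip() {
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/receiver.pub" -in "$WORK/msg" -out "$WORK/msg.enc"
    openssl pkeyutl -decrypt -inkey "$WORK/receiver.key" -in "$WORK/msg.enc"
}

# Signing for Authentication: the signature is made with the Sender's PRIVATE key and
# checked with the PUBLIC key, so anyone can check it but only the key holder can make it.
sign_message() {    # sign_message <signer>: writes $WORK/msg.sig
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/msg.sig" "$WORK/msg"
}
verify_message() {  # verify_message <pubkey-owner>: exit 0 if msg.sig is valid for that key
    openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/msg.sig" "$WORK/msg" >/dev/null 2>&1
}

# Problem of Authentication: the Receiver holds a key that was advertised as the Sender's
# but belongs to the Attacker. Signature checking cannot detect the swap; it "accepts"
# whatever the Attacker signs. Binding the key to an identity is what the certificate
# slides that follow add.
attacker_substitution() {
    sign_message attacker
    if verify_message attacker; then echo accepted; else echo rejected; fi
}

gen_key receiver; gen_key sender; gen_key attacker

RECOVERED=$(confidentiality_roundtrip)
sign_message sender
verify_message sender   && SENDER_OK=valid || SENDER_OK=invalid   # right key: valid
verify_message attacker && WRONG_KEY=valid || WRONG_KEY=invalid   # other key: invalid
SUBST=$(attacker_substitution)

echo "decrypted by receiver:                $RECOVERED"
echo "sender's signature, sender's key:     $SENDER_OK"
echo "sender's signature, attacker's key:   $WRONG_KEY"
echo "attacker's signature, attacker's key advertised as sender's: $SUBST"
rm -rf "$WORK"
```

The last line of output is the point of the 'Problem of Authentication' slide: the verification step itself succeeds, so nothing in the signature check tells the Receiver that the key is the wrong one. The only defence is to obtain the public key through a channel that binds it to the Sender's identity, which is what a CA-signed certificate provides.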
Certificate contents
The certificate that you present to others contains:
- Your distinguished name (DN): your identifier
- Your public key: anyone can send a secret message to you
- The identity of the CA who issued the certificate: just a name
- Its expiry date: the certificate's expiry date (usually issued for one year)
- Digital signature of the CA which issued it: the certificate encrypted with the CA's private key

Involved entities
(Slide figure: the User, holding a public key, a private key and a certificate; the Certificate Authority; the Resource, a site offering services)

Certificate Request
1. User generates public/private key pair. The private key is kept encrypted on local disk.
2. User sends public key to CA along with proof of identity.
3. CA confirms identity, signs certificate and sends it back to user: the signed public key (Cert).

X.509 certificates and authentication
(Slide figure: A sends A's certificate to B; B verifies the CA signature and sends a random phrase; A encrypts the phrase with A's private key and returns the encrypted phrase; B decrypts it with A's public key and compares it with the original phrase)

Certificate classification
- User certificate
  - issued to a physical person
  - DN = C=CH, O=CERN, OU=GRID, CN=John Smith
  - the only kind of certificate good for a client, i.e. to send Grid jobs etc.
- Host certificate
  - issued to a machine (i.e. a secure web server, etc.)
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=host1.cern.ch
- Grid host certificate
  - issued to a Grid service (i.e. a Resource Broker, a Computing Element, etc.)
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch
- Service certificate
  - issued to a program running on a machine
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch

Grid Security Infrastructure (GSI)
- Globus Toolkit(TM) proposed and implements the Grid Security Infrastructure (GSI)
- Protocols and APIs to address Grid security needs
- GSI protocols extend standard public key protocols
  - Standards: X.509 & SSL/TLS
  - Extensions: X.509 Proxy Certificates (single sign-on) & Delegation
- Proxy Certificate:
  - Short term, restricted certificate that is derived from a long-term X.509 certificate
  - Signed by the normal end entity cert, or by another proxy
  - Allows a process to act on behalf of a user
  - Not encrypted and thus needs to be securely managed by the file system

Delegation
- Proxy creation can be recursive: each time a new private key and new X.509 proxy certificate, signed by the original key
- Allows remote process to act on behalf of the user
- Avoids sending passwords or private keys across the network
- The proxy may be a 'Restricted Proxy': a proxy with a reduced set of privileges (e.g. cannot submit jobs).
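The certificate slides above (trusted CA, certificate request, verification and expiry, the challenge-response exchange, the GSI proxy and a delegated second-level proxy) carried through with the openssl command line. This is an added example, not the tutorial's or the Globus Toolkit's own code: it assumes an openssl CLI (1.1 or newer) on PATH, the CA name, validity periods and the 'proxy' CN are constructed, and the DNs follow the 'Certificate classification' slide. The proxy is built with the RFC 3820 proxyCertInfo extension, which is what openssl's proxy verification understands; the legacy Globus proxy format is not reproduced.

```shell
#!/bin/sh
# Added example, not the tutorial's or Globus's own code: the certificate life cycle of the
# slides above (trusted CA, certificate request, verification and expiry, challenge-
# response authentication, GSI proxy and a delegated second-level proxy) done with the
# openssl command line. Assumes an openssl CLI (1.1 or newer) on PATH. The CA name,
# validity periods and the "proxy" CN are constructed; the DNs follow the
# "Certificate classification" slide.
set -eu
WORK=$(mktemp -d)
USER_DN="/C=CH/O=CERN/OU=GRID/CN=John Smith"
HOST_DN="/C=CH/O=CERN/OU=GRID/CN=host1.cern.ch"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/ee.ext"   # end-entity certs may not issue others

# The third party both A and B trust: a self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -days 3650 -subj "/C=CH/O=CERN/OU=GRID/CN=Example Grid CA" 2>/dev/null
}

# Certificate Request slide: the requester makes the key pair and a request holding the
# public key and the DN; only that request goes to the issuer, the private key stays local.
# issue_cert <name> <DN> <days> <issuer-name> <extension-file>
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
        -CAcreateserial -days "$3" -extfile "$5" -out "$WORK/$1.crt" 2>/dev/null
}

# What B does with A's certificate: check the CA signature and the validity period as of
# a given time. verify_at <name> <epoch-seconds>: exit 0 when the certificate is valid.
verify_at() {
    openssl verify -CAfile "$WORK/ca.crt" -attime "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# X.509 certificates and authentication slide: B sends a random phrase, A signs it with
# the private key, B checks the signature with the public key taken from A's certificate.
# challenge_response <cert-name> <key-name>: prints "proved" or "failed".
challenge_response() {
    openssl rand -hex 16 > "$WORK/phrase"
    openssl dgst -sha256 -sign "$WORK/$2.key" -out "$WORK/phrase.sig" "$WORK/phrase"
    openssl x509 -in "$WORK/$1.crt" -pubkey -noout > "$WORK/$1.pub"
    if openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/phrase.sig" \
          "$WORK/phrase" >/dev/null 2>&1; then echo proved; else echo failed; fi
}

# GSI proxy: a fresh key pair and a 1-day certificate issued by the user certificate (or by
# a previous proxy), carrying the RFC 3820 proxyCertInfo extension; its subject is the
# issuer's DN plus one CN. The long-term private key only signs and is never copied.
# make_proxy <proxy-name> <issuer-name> <issuer-DN> <further-delegations-allowed>
make_proxy() {
    printf 'proxyCertInfo=critical,language:id-ppl-inheritAll,pathlen:%s\n' "$4" > "$WORK/$1.ext"
    issue_cert "$1" "$3/CN=proxy" 1 "$2" "$WORK/$1.ext"
}

# verify_proxy <proxy-name> <chain-file>: plain X.509 rules reject a certificate issued by
# a non-CA; -allow_proxy_certs turns on the proxy rules (non-CA issuer, subject = issuer
# DN + CN, path length limits). Exit 0 when the proxy chains back to the CA.
verify_proxy() {
    openssl verify -allow_proxy_certs -CAfile "$WORK/ca.crt" -untrusted "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
issue_cert user "$USER_DN" 365 ca "$WORK/ee.ext"   # "usually issued for one year"
issue_cert host "$HOST_DN" 365 ca "$WORK/ee.ext"
NOW=$(date +%s)
verify_at user "$NOW"                 && USER_NOW=valid   || USER_NOW=invalid
verify_at user $((NOW + 400 * 86400)) && USER_LATER=valid || USER_LATER=invalid  # expired by then
CHALLENGE=$(challenge_response user user)
IMPOSTOR=$(challenge_response user host)   # the host key cannot answer for the user's cert

make_proxy proxy1 user "$USER_DN" 1                 # may delegate once more
cp "$WORK/user.crt" "$WORK/chain.pem"
verify_proxy proxy1 "$WORK/chain.pem" && PROXY1=valid || PROXY1=invalid
openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/chain.pem" "$WORK/proxy1.crt" \
    >/dev/null 2>&1 && PLAIN=valid || PLAIN=invalid   # same proxy, proxy rules off
make_proxy proxy2 proxy1 "$USER_DN/CN=proxy" 0      # Delegation slide: recursive proxy
cat "$WORK/user.crt" "$WORK/proxy1.crt" > "$WORK/chain.pem"
verify_proxy proxy2 "$WORK/chain.pem" && PROXY2=valid || PROXY2=invalid

echo "user certificate now: $USER_NOW; 400 days from now: $USER_LATER"
echo "challenge signed with the user key: $CHALLENGE; with the host key: $IMPOSTOR"
echo "proxy1 with proxy rules: $PROXY1; with plain X.509 rules: $PLAIN; proxy2: $PROXY2"
rm -rf "$WORK"
```

Two things the output makes visible that the slides only state. First, the challenge-response only proves possession of the private key matching the presented certificate, so B must verify the certificate against the CA before the answer means anything. Second, the proxy private key written by make_proxy is unencrypted on disk, exactly as the GSI slide says; its short lifetime (1 day here) and the pathlen limit on proxy2 are the controls that bound what a copied proxy file is good for, and restrictive file permissions on that file are the rest of the defence.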
