Grid Security - PowerPoint PPT Presentation

Title: PowerPoint Presentation - No Slide Title Author: Ian Foster Last modified by: CdL Created Date: 3/11/1999 7:14:05 PM Document presentation format – PowerPoint PPT presentation


Transcript and Presenter's Notes

1
Grid Security
  • Steve Tuecke
  • Argonne National Laboratory

2
Overview
  • The Grid Concept
  • Community Authorization
  • Implementation Approach

3
The Grid Concept
4
Grid Computing
  • Enable communities (virtual organizations) to
    share geographically distributed resources as
    they pursue common goals, in the absence of
    central control, omniscience, trust relationships
  • Via investigations of
      • New applications that become possible when
        resources can be shared in a coordinated way
      • Protocols, algorithms, persistent infrastructure
        to facilitate sharing

5
The Grid: The Web on Steroids
Grid: Flexible, high-perf access to all significant resources
On-demand creation of powerful virtual computing systems
6
Grid Communities and Applications: NSF National Technology Grid
7
Grid Communities & Applications: Online Instrumentation
[Figure labels: Advanced Photon Source; wide-area dissemination; desktop VR clients with shared controls; real-time collection; archival storage; tomographic reconstruction]
DOE X-ray grand challenge: ANL, USC/ISI, NIST, U.Chicago
8
Grid Communities and Applications: Mathematicians Solve NUG30
  • Community: an informal collaboration of
    mathematicians and computer scientists
  • Condor-G delivers 3.46E8 CPU seconds in 7 days
    (peak 1009 processors) in U.S. and Italy (8
    sites)
  • Solves NUG30 quadratic assignment problem

14, 5, 28, 24, 1, 3, 16, 15, 10, 9, 21, 2, 4, 29, 25, 22, 13, 26, 17, 30, 6, 20, 19, 8, 18, 7, 27, 12, 11, 23
MetaNEOS: Argonne, Iowa, Northwestern, Wisconsin
9
Grid Communities and Applications: Network for Earthquake Eng. Simulation
  • NEESgrid: national infrastructure to couple
    earthquake engineers with experimental
    facilities, databases, computers, each other
  • On-demand access to experiments, data streams,
    computing, archives, collaboration

NEESgrid: Argonne, Michigan, NCSA, UIUC, USC
10
Grid Communities & Applications: Data Grids for High Energy Physics
Image courtesy Harvey Newman, Caltech
11
Grid Communities and Applications: Home Computers Evaluate AIDS Drugs
  • Community
      • 1000s of home computer users
      • Philanthropic computing vendor (Entropia)
      • Research group (Scripps)
  • Common goal: advance AIDS research

12
Broader Context
  • Grid Computing has much in common with major
    industrial thrusts
  • Business-to-business, Peer-to-peer, Application
    Service Providers, Internet Computing,
  • Distinguished primarily by more sophisticated
    sharing modalities
  • E.g., run program X at site Y subject to
    community policy P, providing access to data at Z
    according to policy Q
  • Secondarily by unique demands of advanced
    high-performance systems

13
The Globus Project
  • Started in 1995 (I-WAY software)
  • Globus R&D
  • Definition of Grid architecture
  • Grid protocols, services, APIs
  • Security, resource mgmt, data access,
    information, communication, etc.
  • Development of Globus Toolkit
  • Large user base among tool developers in
    production Grids
  • Open source
  • Numerous application projects
  • Outreach & leadership

14
More Details
  • www.globus.org
  • The Anatomy of the Grid: Enabling Scalable
    Virtual Organizations
  • Foster, Kesselman, Tuecke
  • www.globus.org/research/papers/anatomy.pdf

15
Community Authorization
16
Community Properties
  • 100s of resource providers, 1000s of users
  • N users from many institutions, worldwide
  • M independent resource providers which contribute
    resources to one or more communities
  • How to avoid N × M trust relationships?
  • Resource providers grant/sell to communities
  • Grant bulk access to community
  • Community representative handles fine-grained
    authorization and prioritization within bulk
    grants
  • Users may combine community resources with own
    resources to solve problems
  • Various services carrying out requests of users

17
Capability Based Solution
  • A community service administrator, which
      • Maintains user membership to the community.
      • Maintains resource service agreements to
        community.
      • Maintains access control database, granting users
        access to (part of) resources, based on community
        policies and priorities.
      • May employ groups, roles, etc.
      • Issues capabilities to community members (users)
        to grant them access to resources.
  • User presents capability directly to resource to
    claim service.
  • AAAArch push model

18
Community Authorization (1)
[Diagram: Community Authorization Service; User 1, User 2, ... User N; Site A, Site B, ... Site M Resources]
  • 1: Obtain capability for service
  • 2: Request service
19
Community Authorization (2)
[Diagram: Community Authorization Service; Request Manager; User 1, User 2, ... User N; Site A, Site B, ... Site M Resources]
  • 1: Delegate user proxy
  • 2: Obtain capability for services, on behalf of user 2
  • 3: Request services
20
Community Authorization (3)
[Diagram: Community Authorization Service; Request Planner; Task Manager; User 1, User 2, ... User N; Site A, Site B, ... Site M Resources]
  • 1: Delegate user proxy
  • 2: Obtain capabilities for services, on behalf of user 2
  • 3: Delegate capabilities
  • 4: Request services
21
Implementation Approach
22
Grid Security Infrastructure (GSI)
  • Authentication and message protection
  • Extensions to existing standard protocols & APIs
  • Standards: SSL/TLS, X.509, GSS-API
  • Extensions for single sign-on and delegation
  • Internet X.509 PKI Impersonation Proxy
    Certificate Profile
  • TLS Delegation Protocol
  • Globus Toolkit reference implementation of GSI
  • OpenSSL, GSS-API, delegation
  • Tools and services to interface to local security
  • Simple ACLs; SSLK5, PKINIT for access to K5,
    AFS, etc.
  • Tools for credential management
  • Login, logout, cert request, smartcards, cred
    repository, etc.

23
X.509 Proxy Certificate Overview
  • To support single sign-on and delegation
  • Proxy Certificate (PC) is signed by End Entity
    Certificate (EEC) or another Proxy Certificate
  • We are NOT using an EEC as if it were a CA
  • CA performs two functions: 1) assigns a name (or
    identity), and 2) binds the name to a key.
  • PC only does 2. It binds the name to a proxy
    key.
  • PC inherits its name from its signing EEC
  • Subject name used for two purposes: 1) path
    discovery & validation, and 2) to hold the
    assigned name.
  • In a PC, the subject is used only for 1, path
    discovery
  • TLS Delegation Protocol draft defines how to
    create a remote Proxy Certificate

24
Features Of This Approach
  • Ease of integration
  • Requires only a small change to path validation
  • SSL/TLS requires no protocol change to use PC
  • Authorization based on identity still works
  • Ease of use
  • Enables single sign-on & credential repositories
  • Protection of EEC private key
  • Single sign-on & delegation w/o sharing EEC keys
  • Limits consequences of a compromised key
  • Can restrict PC (e.g. lifetime, uses, etc.)
  • Compromised PC does not compromise EEC

25
Implementation Status
  • Globus Toolkit's Grid Security Infrastructure
    (GSI) has used a similar approach for 4 years
  • GSI: GSS-API, X.509 PC, SSL delegation
  • Integrated into numerous Grid tools (C & Java)
  • Globus Toolkit, Condor, SRB, MPI, ssh/SecureCRT,
    FTP, etc.
  • Adopted by 100s of sites, 1000s of users
  • NCSA, NPACI, NASA IPG, DOE Science Grid, European
    Datagrid, GriPhyN (Physics Grids), NEESgrid
    (Earthquake Engineering Grid)
  • Global Grid Forum & IETF effort to move GSI
    forward through cleanup, better integration with
    standards, technical specifications, etc.
  • http://www.gridforum.org/security/gsi

26
Capabilities
  • By extending a Proxy Certificate to hold a
    restriction policy, one can build a form of
    capability
  • Currently, a user's proxy credential allows its
    holder to impersonate the user, to access any
    resources available to the user
  • But can extend the proxy credential to contain a
    restriction policy
  • E.g. Holder of this proxy can only start a
    process on resource X, and read user's file Y.

27
Community Authorization Service
  • CAS has its own identity certificate
  • It is this CAS identity that is known to
    resources
  • User authenticates with CAS using user's identity
    certificates (or proxy of identity certificate)
  • User requests access to community resource(s)
  • CAS delegates back to user a restricted proxy
    credential from the CAS identity credential
  • User authenticates with resource using this CAS
    identity

28
Resource Checking of Capability
  • Authentication from client is with the CAS
    identity
  • Resource sees the community identity
  • Though an X.509 extension in the capability may
    include user's identity, etc. for audit purposes
  • Resource maps CAS identity to local account and
    privileges
  • E.g. A Unix account, with a given file system
    quota
  • Different communities map to different accounts
  • For each request, resource evaluates the request
    against the policy contained in the CAS
    restricted proxy certificate that was used to
    authenticate.

29
Accounting
  • CAS inserts GUID into capability, which is used
    for
      • Accounting: Resources can log consumption using
        this GUID. CAS can recombine with log of issued
        capabilities to reconstruct full accounting info.
          • Requires protocol for propagation of accounting
            info
      • Usage enforcement: Restriction policy in
        capability may include usage constraints.
        Resource can track and enforce such constraints
        using the GUID, including across multiple
        requests using the same capability.
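
The resource-side check and the GUID accounting from the "Resource Checking of Capability" and "Accounting" slides, modelled in Python as an added example (not Globus Toolkit or CAS code). It assumes authentication and proxy path validation have already succeeded; the `Capability` fields, the `max_requests` constraint, and all names and values are hypothetical and constructed for illustration.

```python
from collections import Counter
from typing import NamedTuple

class Capability(NamedTuple):
    """Constructed stand-in for the contents of a CAS restricted proxy."""
    guid: str            # inserted by the CAS when the capability is issued
    cas_identity: str    # community identity the holder authenticated with
    user: str            # carried for audit only, never used to authorize
    allowed: frozenset   # restriction policy: {(action, target), ...}
    max_requests: int    # hypothetical usage constraint in the policy

class Resource:
    def __init__(self, account_map):
        self.account_map = account_map   # CAS identity -> local account
        self.used = Counter()            # requests consumed per GUID
        self.log = []                    # accounting records keyed by GUID

    def authorize(self, cap, action, target):
        """Return the local account to run under, or None if refused."""
        account = self.account_map.get(cap.cas_identity)
        if account is None:                          # unknown community
            return None
        if (action, target) not in cap.allowed:      # outside the policy
            return None
        if self.used[cap.guid] >= cap.max_requests:  # tracked across requests
            return None
        self.used[cap.guid] += 1
        self.log.append((cap.guid, action, target))  # GUID only, no user name
        return account

def reconstruct_accounting(issued, resource_log):
    """CAS side: join resource logs with the issue log (GUID -> user)."""
    per_user = Counter()
    for guid, _action, _target in resource_log:
        per_user[issued[guid]] += 1
    return dict(per_user)

def demo():
    cas = "/O=Grid/CN=Example Community CAS"         # constructed name
    cap = Capability("guid-0001", cas, "user2",
                     frozenset({("start_process", "X"), ("read", "Y")}), 2)
    res = Resource({cas: "community_a"})
    results = [res.authorize(cap, "start_process", "X"),
               res.authorize(cap, "write", "Y"),     # not in the policy
               res.authorize(cap, "read", "Y"),
               res.authorize(cap, "read", "Y")]      # usage limit reached
    return results, reconstruct_accounting({"guid-0001": "user2"}, res.log)
```

The resource never consults the user name when deciding; only the CAS, which holds the issue log, can turn the per-GUID records back into per-user accounting.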