CROSSGRID VO SEC KD

Published on May 8, 2008

Author: Lassie

Source: authorstream.com

Content

Virtual Organizations, Security and Knowledge Discovery in the CrossGrid Project

Jesús Marco, CrossGrid WP4 (International Testbed), Instituto de Física de Cantabria, Consejo Superior de Investigaciones Científicas (CSIC), Santander, Spain. http://www.eu-crossgrid.org

The EU CrossGrid Project

- European project (~5 M€, March 2002-2005), proposed to CPA9, 6th IST call, V FP
- Polish (Cracow & Poznan) / Spanish (CSIC & CESGA) / German (FZK) initiative with the support of CERN (thanks to Fab!)
- CYFRONET (Cracow) is the coordinator of the project (Michal Turala, project leader)
- Objectives: extension of the Grid in Europe, assuring interoperability with DataGrid
- Interactive applications ("human in the loop"): environmental fields (meteorology/air pollution, flooding); High Energy Physics (interactive analysis over distributed datasets); medicine (vascular surgery preparation)
- Need: develop the corresponding middleware and tools; deploy on a pan-European testbed
- Partners: Poland (CYFRONET, PSNC, ICM, INP, INS), Spain (CSIC: IFCA, IFIC, RedIRIS, UAB, USC), Germany (FZK, USTUTT, TUM), Slovakia (II SAS), Ireland (TCD), Portugal (LIP), Austria (U.Linz), The Netherlands (UvA), Greece (DEMO, AuTH), Cyprus (UCY). Industry: Datamat (I), Algosystems (Gr)

VO, SEC & KD in CrossGrid

- CrossGrid interactive applications require complex but secure Virtual Organizations
- CrossGrid middleware provides a framework for development: friendly secure use through the Roaming Access Server (Portal/Migrating Desktop); scheduling for collaborative work on VO resources
- CrossGrid testbed: relies on local site support for management and security; uses Globus basic grid security (GSI); follows EU-DataGrid in deployment for interoperability: Certification Authorities, Virtual Organization LDAP; next: VOMS
- Knowledge Discovery: development of Grid-adapted data mining techniques accessing distributed databases with published metadata catalogs

Flood management

- Goal: flooding risk prediction
- Method: cascade of simulations (meteorological, hydrological, hydraulic)
- Virtual Organization need: the Grid in interactive mode (simulation results for "what-if" questions); seamlessly connect together the experts, data and computing resources needed for quick decisions; a highly automated early warning system, based on hydro-meteorological (snowmelt) rainfall-runoff simulations

Grid Security Infrastructure (GSI)

- The Globus Toolkit implements the GSI protocols and APIs to address Grid security needs
- GSI protocols extend standard, well-known public key protocols for authentication and message protection: X.509 identity certificates, SSL/TLS
- GSI supports a standard API, GSSAPI, for supporting a number of applications: SSH, GridFTP

Grid Security Infrastructure (GSI), continued

GSI is: PKI (CAs and certificates), SSL/TLS, proxies and delegation
- PKI for credentials
- SSL for authentication and message protection
- Proxies and delegation (GSI extensions) for secure single sign-on

EU-DataGrid Security Services

(Diagram slide; no text survives.)

The CrossGrid Testbed

- 16 sites (small & large) in 9 countries, connected through Géant + NRENs
- Grid services: EDG middleware (based on Globus): RB, VO, RC, ...
- Sites on the map: UCY Nicosia; DEMO Athens; AuTH Thessaloniki; CYFRONET Cracow; ICM & IPJ Warsaw; PSNC Poznan; CSIC IFIC Valencia; UAB Barcelona; CSIC-UC IFCA Santander; CSIC RedIRIS Madrid; LIP Lisbon; USC Santiago; TCD Dublin; UvA Amsterdam; FZK Karlsruhe

Computing resources

- Site testbed: LCFG configuration server, User Interface, Gatekeeper (Computing Element), Worker Nodes, Storage Element
- 16 sites: 115 CPUs (Worker Nodes), 4 TB (Storage Elements)
- Grid services (LIP):
  - Information Index: top MDS information server, points to the site information servers
  - Resource Broker: matchmaking and load-balancing scheduler
  - Replica Catalogue: database for physical replica file location
  - Certificate Proxy Server: short-lived certificates for long-lived processes, used by the RB
  - Virtual Organization Server: database for user authentication (CROSSGRID VO)
  - Monitoring: Mapcenter, network monitoring system
- National Certification Authority machines

CrossGrid CA page

(Screenshot slide.)

Working on RA procedure

(Screenshot slide.)

VO server in CrossGrid

(Screenshot slide.)

Overview of VOMS

(Architecture diagram; labels recovered from the slide.)
- Credentials: user certificate from the CA (dn, ca, Pkey); proxy cert (dn, cert, Pkey, VOMS cred., short lifetime); delegation of cert+key with long lifetime (user cert) and short lifetime (proxy); MyProxy handles renewal requests
- VOMS issues the VOMS credential (VO, group(s), role(s)), carried in the proxy cert
- Common chain at every service: auth (TrustManager for Java web services, mod_ssl for C web, GSI) -> pre-process: parameters -> obj.id + req. op -> GACL: obj.id -> acl -> authz: dn, attrs, acl, req.op -> yes/no -> doit
- Coarse-grained services: Spitfire (map dn -> DB role); gatekeeper (GSI auth, LCAS authz, LCMAPS map dn -> userid, krb ticket)
- Fine-grained services: RepMec; SE, /grid; GridSite (GACL)
- Focus is on VOMS; details are in D7.6 Security Design

VOMS Overview

Provides info about the user's relationship with his VO(s): groups, roles (admin, student, ...), capabilities (free-form string), temporal bounds.
Features:
- single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init);
- expiration time: the authorization information is only valid for a limited period of time (possibly different from the proxy certificate itself);
- backward compatibility: the extra VO-related information is in the user's proxy certificate, which can still be used with non VOMS-aware services;
- multiple VOs: the user may authenticate himself with multiple VOs and create an aggregate proxy certificate;
- security: all client-server communications are secured and authenticated.

VOMS Architecture

(Diagram: voms-proxy-init -> vomsd over GSI; DB reached via JDBC and DBI; VOMS server over https and soap + SSL; mkgridmap over https.)
- MySQL db, with history and audit records
- User query server and client (C++)
- Java Web Service based administration interface
- Perl client (batch processing)
- Web browser client (generic administrative tasks)
- Web server interface for mkgridmap

User's Authorization in EDG 2.x

(Diagram; labels recovered from the slide.) VO-VOMS provides authentication & authorization info after registration; user cert (long life) + voms-proxy-init -> proxy cert (short life) with authz cert (short life); host cert (long life) -> service cert (short life) with authz cert (short life); CRL update; LCAS; edg-java-security.

Local Site Authorization

Local Centre Authorization Service (LCAS):
- handles authorization requests to the local fabric
- authorization decisions based on the proxy user certificate and the job specification; supports the grid-mapfile mechanism
- plug-in framework (hooks for external authorization plugins): allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db); plugin for VOMS (to process authorization data)
Local Credential Mapping Service (LCMAPS):
- provides the local credentials needed for jobs in the fabric
- mapping based on user identity, VO affiliation and local site policy

Knowledge Discovery

- Will the CrossGrid VO "export" or "discover" knowledge? Likely for Meteo applications; only partially for HEP applications
- First step: extending KDD to the Grid environment
  - Data mining on distributed databases (task 1.3-1.4, HEP & Meteo large databases)
  - Distributed query using: metadata + replica catalogs; interactive database server modules (i.e. O/R DBMS, PAW); queries in XML format; distributed via MPICH-G2 in a master-slave scheme; mid-large size databases, o(TB)
  - Data-mining algorithms adapted to the Grid: distributed neural network training; self-organizing maps; also distributed using MPICH-G2
- Tests started! Encouraging first results!
- Modeling, benchmarking, performance prediction (CrossGrid WP2 tools)

Architecture

(Diagram slide.)

Challenging issues to be discussed with other projects

- On-line authentication mechanisms? Proxy use for portals/roaming access
- User understanding of Virtual Organizations: membership features; permanent storage (personal/group/VO/external); optimal use (from accounting and scheduling to replication and resilience); active security policies (Grid patrols)
- Metadata publication for distributed databases
- Transition to OGSA/OGSI: adapting current middleware; OGSA-DAI use; distributed mechanisms (MPICH-G3?); new knowledge discovery mechanisms

Summary

- Virtual Organizations & Security are key points in the CrossGrid project
- Experience from a real working testbed, thanks to the use of Globus GSI and EU-DataGrid middleware
- Considerable effort on deployment (CA, RA, VO, site management): an interoperable pan-European community (CrossGrid + DataGrid)
- VOMS (EDG) opens new possibilities for VOs
- CrossGrid will make clear to the user the VO possibilities but also the security issues, to assure a friendly environment: portal proxy-based secure access also to be "almost transparent"; user groups and roles together with resource discovery and monitoring
- Knowledge discovery can be seen as a final ideal environment for specific application users, progressing along this direction: data mining on distributed databases prototypes being tested on a realistic Grid environment
