WP4: Grid applications for virtual organizations - IRIT

Jan 31, 2013

www.InteliGrid.com

Data Management in Grid, VLDB '06 Conference

Security and Performance Enhancements to OGSA-DAI for Grid Data Virtualization

Marcin Adamski, Michal Kulczewski, Krzysztof Kurowski, Jarek Nabrzyski, Ally Hume

krzysztof.kurowski@man.poznan.pl

Poznan Supercomputing and Networking Center, Poland
EPCC, The University of Edinburgh, Scotland

www.inteligrid.com

Agenda

- inteliGrid vision & challenges
- Data management problems/issues within a fabric Grid layer
- Data management problems/issues within the inteliGrid middleware layer
- Data management problems/issues within the business interoperability layer
- InteliGrid VO development and deployment
- Security and Performance Tests
- Summary and future steps

(timeline figure: 2005, 2006, 2007)

InteliGrid in numbers

- 6th Framework STREP project
- Budget ~2.5 m
- 360 person months
- Duration 2.5 years: 1.9.2004 - 28.2.2007
- Partners: LJU (coord), TUD, PSNC, VTT, EPM, Conject, Sofistik, OPB, ESoCE

inteliGrid vision and challenges

- InteliGrid = interoperability of virtual organizations on a complex semantic grid = Grid + Semantic + VO
- One of the main goals of the inteliGrid project is to provide secure, flexible and easy to use solutions for interoperability between distributed data resources, services and application tools required by various business processes within Virtual Organizations (VOs).
- But… end users or service providers do not want to expose databases, services and capability providers to everybody on the Internet (including hackers :-), but only to people they trust (e.g. from the same VO).

Some InteliGrid requirements and scenarios:

- people, services and resources may join and leave the VO for a few days (not years),
- support access to various types of resources and services (both computing and data resources),
- enable the definition of multiple collaborative groups within the VO,
- support multiple credentials (originating from various trusted parties),
- be as transparent as possible to end users and applications,
- use existing security mechanisms wherever possible,
- be able to handle fine-grained security privileges in a platform-independent manner (such privileges can range from single objects to multiple grid resources and entities of separate administrative domains).

VOs in the Architecture, Engineering and Construction (AEC) sector

(figure)
PAST: WITHOUT IT ;-)
TODAY: INFORMATION CHAOS
TOMORROW'S GOAL: INTEROPERABILITY (one central VO server / service)

InteliGrid approach

- From the security perspective, a VO is a collection of individuals and institutions that are defined according to a set of resource or data sharing policy rules. In other words, the VO is a dynamic collection of individuals, institutions and distributed resources (data, processors, storage, information, applications, etc.).
- In order to fulfill strict security requirements based on real business VO scenarios, all inteliGrid products must allow users and service/resource owners to define dynamic global security policies within VOs and enforce them through a consistent Authentication, Authorization and Accounting (AAA) infrastructure.
- Check out the following webpage: http://testbed.inteligrid.com

InteliGrid dream (December 2004 ;-): networked VOs and on demand AEC services

(figure: Dynamic InteliGrid Collaborative Environments and Workspaces (Virtual Organizations), spanning the partner sites TUD, PSNC, SOFISTIK and LJU, with a VO Administrator)

InteliGrid Physical Grid Resources

(figure: several OGSA-DAI instances connected over an Open Network (Internet))

Heterogeneous data resources in InteliGrid…

Distributed resources within InteliGrid:

- Different databases:
  - PostgreSQL
  - MySQL
- File systems
- Object oriented databases (e.g. EPM)
- Business Service Providers* (e.g. Conject, EPM)
- Various legacy applications* and AEC modules require and generate input/output files

* Running on both Linux and Win platforms

Why do we use existing open source solutions?

- We did not want to develop everything from scratch
- We did not have enough time, money and resources
- We wanted to use and integrate widely accepted and mature grid technologies and standards
- Some grid-related projects have already developed a lot of useful infrastructure services and data management tools, in particular:
  - Globus Pre-WS/GT4 (www.globus.org)
  - OGSA-DAI (www.ogsadai.org.uk)
  - GridLab grid middleware services: GAS (www.gridlab.org)
- We had to add new features and capabilities to meet inteliGrid requirements and use cases, also for data management (dynamic/secure VO scenarios)

InteliGrid architecture

(architecture figure)

OGSA-DAI

- OGSA-DAI services can be used as the basic primitives for creating sophisticated higher-level services that offer capabilities such as data federation, distributed query processing, etc.
- The OGSA-DAI middleware layer can abstract away concerns such as database driver technology, data formatting techniques and delivery mechanisms, etc.

Authentication

(figure: several OGSA-DAI instances communicating over an Open Network (Internet))

Communication between multiple domains over the Internet (various OGSA-DAI services) within a networked VO must be well protected:

- Many grid environments utilize public key or asymmetric cryptography for authentication of users, resources and services (SSL/GSI).
- According to the basics of PKI cryptography, each resource on the Grid has a key pair, a public and a private key (for users and OGSA-DAI services).
- Encryption is performed using the public key, while decryption and digital signature are performed with the private key.
- InteliGrid provides X.509 certificates for identification and authentication purposes for all operations performed on OGSA-DAI services and underlying data resources (relational and XML databases, file systems, etc.).
- SSO must be supported.

Basic OGSA-DAI authorization model

Advantages:
- Closed system

Disadvantages:
- Very static model
- No dynamic VO support
- Only internal authorization possible

(figure: authentication and encryption based on GSI/SSL; authorization based on a flat mapper file)

Example: imagine a federation of 1000 databases

OGSA-DAI PUSH authorization model (e.g. CAS, VOMS)

Advantages:
- VO support
- Fast model

Disadvantages:
- Static model (as long as proxy is valid)
- Consistent policies required in two places: CAS and Rolemapper
- Specific user security policy for OGSA-DAI can be seen by various system components

OGSA-DAI PULL authorization model (InteliGrid approach)

Advantages:
- VO support
- Dynamic model
- Full security control in one place: GAS (no changes in OGSA-DAI required)
- Real RBAC model (admin can change roles dynamically during execution)
- We did not modify sources of OGSA-DAI

Disadvantages:
- Slow model (many iterations required)
- DoS attacks possible

(figure: authorization based on security decisions taken from GAS, managed by the VO Administrator)

GAS: Gridge Authorization Service

GAS is an authorization service which provides a universal way of defining the security policy for the whole networked VO, independently of the technologies used at lower levels. GAS is able to:

- add/modify VO security policies within GAS by using a nice web-based administrative interface,
- generate the authorization decision for users or inteliGrid middleware services (including OGSA-DAI): PULL authorization model,
- generate part of the security policy for users or inteliGrid middleware services: PUSH authorization model.

(figure: GAS serving several OGSA-DAI instances and other services, e.g. Cash services, Replication services)
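To make the trade-offs of the basic, PUSH and PULL models concrete, here is a small Python simulation added for this write-up; it is not InteliGrid, OGSA-DAI or GAS code. The DN, the role tables, the proxy layout and the GAS stand-in are constructed assumptions; the scenario shows what each model answers before and after a VO administrator revokes a role while a proxy is still valid.

```python
"""Toy comparison of the three OGSA-DAI authorization models on the slides.
Added illustration, not InteliGrid, OGSA-DAI or GAS code: the DN, role
tables, proxy layout and the GAS stand-in are all constructed."""

# Basic model: a flat mapper file, DN -> local account, no VO roles at all.
MAPPER_FILE = {"/C=PL/O=PSNC/CN=alice": "dbuser"}  # constructed sample entry

def authorize_basic(dn, action):
    # Static: changing access means editing the mapper file on every server.
    return dn in MAPPER_FILE and action == "read"

# VO policy as a CAS/VOMS or GAS administrator would maintain it.
ROLE_PERMS = {"engineer": {"read"}, "admin": {"read", "write"}}
vo_roles = {"/C=PL/O=PSNC/CN=alice": {"engineer"}}  # edited at run time

def issue_proxy(dn, now, lifetime=3600.0):
    # PUSH model: roles are copied into the proxy credential when it is issued.
    return {"dn": dn, "roles": set(vo_roles.get(dn, ())), "expires": now + lifetime}

def authorize_push(proxy, action, now):
    # Decides on the roles captured at issue time: a revoked role stays
    # effective until the proxy expires ("static as long as proxy is valid").
    if now >= proxy["expires"]:
        return False
    return any(action in ROLE_PERMS[r] for r in proxy["roles"])

class Gas:
    """PULL model: the service asks the authorization service per request."""
    def __init__(self):
        self.queries = 0  # one remote decision per request: the "slow" cost

    def decide(self, dn, action):
        self.queries += 1
        return any(action in ROLE_PERMS[r] for r in vo_roles.get(dn, ()))

def scenario():
    """A VO admin revokes alice's role while her proxy is still valid."""
    dn, gas = "/C=PL/O=PSNC/CN=alice", Gas()
    vo_roles[dn] = {"engineer"}
    proxy = issue_proxy(dn, now=0.0)
    check = lambda t: (authorize_basic(dn, "read"),
                       authorize_push(proxy, "read", t),
                       gas.decide(dn, "read"))
    before = check(10.0)
    vo_roles[dn] = set()  # dynamic role change during execution
    after = check(20.0)
    return before, after, gas.queries
```

Only the PULL decision reflects the revocation immediately; the basic model never saw the VO role at all, and the PUSH proxy keeps granting access until it expires, at the price of one GAS round trip per request.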

Dynamic on-line policy authorization control and enforcement in VOs

(figure: InteliGrid users, OGSA-DAI Resources (MySQL, PostgreSQL, Oracle, etc.), and the users who have access rights to OGSA-DAI resources)

Accounting

- Accounting has close ties to authentication and authorization because of the certainty with which they identify the entity to be associated with the accounting data.
- This is particularly important in the areas of security audits, intrusion detection, etc.
- On the other hand, by using the accounting statistics we may introduce various billing or charging policies, e.g. pay-per-use.
- Please observe that, in contrast to access control and authorization, which are binary, charging or billing in the VO could be quantitative; so the question then becomes how much access to grant a user to a resource, rather than simply whether to grant access or not.
- Commercialization process of InteliGrid next year… hopefully ;-)
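As an added illustration of the quantitative decision described above (not InteliGrid code), the following Python keeps accounting records keyed by the authenticated certificate DN and answers "how many rows" instead of "yes or no"; the quota, the DNs, the resource name and the record layout are constructed assumptions.

```python
"""Accounting bound to the authenticated identity, answering "how much"
instead of "yes/no". Added illustration, not InteliGrid code; the quota,
DNs, resource name and record layout are all constructed."""
from collections import defaultdict

# Per-user pay-per-use budget in rows delivered (constructed sample value).
ROW_QUOTA = {"/C=PL/O=PSNC/CN=alice": 15000}
usage = defaultdict(int)  # rows delivered so far, keyed by certificate DN
ledger = []               # accounting records kept for audit / intrusion detection

def grant_rows(dn, requested, resource):
    """Quantitative decision: how many of the requested rows may be delivered."""
    remaining = ROW_QUOTA.get(dn, 0) - usage[dn]
    granted = max(0, min(requested, remaining))
    usage[dn] += granted
    # dn is the subject of the verified X.509 certificate, so each record is
    # tied to a strongly authenticated entity, which is what makes it auditable.
    ledger.append({"dn": dn, "resource": resource,
                   "requested": requested, "granted": granted})
    return granted

def refused_requests(dn):
    """Audit helper: requests by dn that received nothing (e.g. no budget)."""
    return sum(1 for r in ledger if r["dn"] == dn and r["granted"] == 0)

def scenario():
    usage.clear(); ledger.clear()
    alice, bob = "/C=PL/O=PSNC/CN=alice", "/C=PL/O=PSNC/CN=bob"
    first = grant_rows(alice, 10000, "mysql/aec")   # full 10 000 rows
    second = grant_rows(alice, 10000, "mysql/aec")  # capped by remaining budget
    for _ in range(3):                              # repeated attempts without budget
        grant_rows(bob, 10, "mysql/aec")
    return first, second, usage[alice], refused_requests(bob)
```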

Performance tests (1)

The performance of every OGSA-DAI query was measured in two ways: after the container restart (marked with the grey color) and while the container had been running for some time. Average values for the different security mechanisms used by the Tomcat and Globus Toolkit 4 containers are presented below:

(chart: average query times per security mechanism, Tomcat vs Globus Toolkit 4 containers)

Performance tests (2)

In our tests an example SQL statement was used to query the MySQL database to deliver 10 000 rows in the CSV format as a file transferred over SOAP attachments.

Performance tests (3)

Performance among the different OGSA-DAI authorization mechanisms is presented.

(chart: performance of the different OGSA-DAI authorization mechanisms)

Summary

- So many different views on virtual organizations…
- There are both advantages and disadvantages of AAA, but dynamic and fine-grained security control and management are key issues in networked VOs
- InteliGrid solutions and problems are generic and will be available for free
- Metadata, semantics and ontologies within/over OGSA-DAI to simplify and speed up the integration of distributed business processes
- Push from commercial partners to use new security protocols, e.g. SAML and XACML (GAS provides SAML 2.0 compliant interfaces, DRMAA Service Provider supports SAML 2.0/Liberty Alliance) to deal with SSO scenarios
- Push from commercial partners to adopt accounting mechanisms and come up with new business models
- Online demo ;-)

Thank you!


krzysztof.kurowski@man.poznan.pl