How Grid Security works in GEO Sciences_Naotaka ... - PRAGMA Grid

Uploaded Jan 31, 2013

http://www.geogrid.org/

Slide 1: How Grid Security works in GEO Sciences

N. Yamamoto, Y. Tanaka, I. Kojima, S. Sekiguchi
AIST
Oct. 28, 2009, GEO Workshop / PRAGMA17, Hanoi





Slide 2: What is Grid Security

Who am I? / Who are they?
  Grid Security Infrastructure (GSI)

What can I do? / What can they do?
  Virtual Organization Membership Service (VOMS)





Slide 3: GEO Grid VO Design

Identity





Slide 4: Requirements

Credential Management:
  Users without security expertise often manage their private keys for PKI / GSI credentials without careful planning.

Authentication methods:
  Must accommodate existing, settled authentication methods: OpenID, Shibboleth, username and password, user credential, etc.

Portal Development:
  Must accommodate existing application portals written in PHP, Perl, Python, Java Servlet, etc.






Slide 5: Tsukuba-GAMA

Figure: Tsukuba-GAMA Authentication Flow for PKI / GSI. The User presents a username and password, an OpenID, or a user credential to the VO Portal (PHP, Perl, Python, etc.). Behind the portal sit VOMS, the Credential Repository (MyProxy Repository) and the Online CA (MyProxy CA), covering VO Management and Credential Management. Credentials in the flow: End Entity Certificate, Proxy Certificate, and VOMS Proxy Certificate carrying the VO attribute.

Language Free Portal Development:
  Requirement: Must accommodate existing application portals written in PHP, Perl, Python, Java Servlet, etc.
  Solution: Provides Apache, Servlet, and GridSphere authentication modules, in order to support any language.

Credential Management:
  Requirement: Users without security expertise often manage their private keys for PKI / GSI without careful planning.
  Solution: Manages user credentials on the server side, instead of leaving it to inexperienced users.

Independence from Authentication methods:
  Requirement: Must accommodate existing, settled authentication methods: OpenID, Shibboleth, username and password, user credential, etc.
  Solution: Generates Grid credentials from any method.

Section: OUR SOLUTION: TSUKUBA-GAMA





Slide 7: DEMO 1: TSUKUBA-GAMA LOGIN, PRAGMA VO PORTAL (GRIDSPHERE)





Slide 8: Demo Environments - login

Figure labels: USER, PRAGMA VO portal (http://gfm49.apgrid.org/gridsphere/), Credential Repository, PRAGMA VOMS, voms proxy cert.

1. Input username and password of the user certificate
2. Generate Globus proxy certificate
3. Add VOMS attribute
4. Register proxy certificate





Slide 9: Identity / Attribute (portal screenshot)





Slide 10: DEMO 2: TSUKUBA-GAMA LOGIN, TESTVO PORTAL (GRIDSPHERE)





Slide 11: Same Identity, Different Attribute (portal screenshot)





Slide 12: GEO Grid VO Design

PRAGMA VO, TEST VO ("I'm here")





Slide 13: GSI w/ VOMS

Figure labels: PRAGMA VO Portal (GridSphere, Perl, PHP, Java etc.), TEST VO Portal, Credential Repository (MyProxy Repository), Online-CA (MyProxy CA), PRAGMA-VO (VOMS), GHZ-VO (VOMS). Relations shown: Sign Certificate, VO member management, Share Account.





Slide 15: EXAMPLE SCENARIO: SATELLITE DATABASE FEDERATION





Slide 16: OGSA-DAI Demo environment

Datasets: ASTER @Japan, PALSAR @Japan, MODIS @Japan, Formosat2 @Taiwan
VO groups controlling access, as drawn in the figure: /PRAGMA/Geo, /PRAGMA/Geo, /TESTVO, /GHZ, NONE (FREE)





Slide 17: DEMO 3: SIMS, SATELLITE DATABASE FEDERATION





Slide 18: SIMS architecture

Figure:
  NSPO@TW: Database Server (Sybase) holding FORMOSAT-2; Application Server with OGSA-DAI and Globus, accessed with SQL w/ JDBC.
  AIST@JP: Database Server (PostgreSQL) holding ASTER and MODIS; OGSA-DAI (SQL w/ JDBC); OGSA-DAI with Globus.
  AIST: OGSA-DAI Client, Integration Framework with OGSA-DAI, a Java Program issuing SQL to each source; SIMS portlet (queries data, creates a web page which shows thumbnail images); VOMS on both sides; SIMS.





Slide 19: SIMS Search Results (screenshot): MODIS, FORMOSAT-2, ASTER





Slide 20: DEMO 4: LANGUAGE FREE PORTAL DEVELOPMENT





Slide 21: DEMO 4-1: PORTAL DEVELOPMENT (OPENLAYERS)





Slide 22: OGCProxy

Request path: https://portal/OGCProxy?URL=https://gridsite/..../service, forwarded to https://gridsite/..../service

Figure labels: User, Contents, OGCProxy, GridSite, VOMS Proxy (VO Name, Group)
ACL: /testvo.geogrid.org/aster

OGCProxy is a broker portlet forwarding users' requests to backend OGC services, which leaves the development environment of the client application free to choose.
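The decision GridSite makes on the VO name and group carried in the VOMS proxy, as an added Python example (not GEO Grid or Tsukuba-GAMA code): the ACL and the FQANs are constructed samples borrowing the VO groups of the OGSA-DAI demo slide, and the code assumes the FQANs were already extracted from a proxy certificate whose chain GSI verified.

```python
"""Authorization on VOMS attributes, the per-request check OGCProxy/GridSite apply.

Added example, not GEO Grid / Tsukuba-GAMA code.  Only the policy decision is
shown; the FQANs are assumed to come from an already verified VOMS proxy.
ACL entries and FQANs below are constructed samples.
"""


def normalize_fqan(fqan: str) -> str:
    """Drop the VOMS placeholders '/Role=NULL' and '/Capability=NULL'."""
    parts = [p for p in fqan.strip().split("/") if p]
    parts = [p for p in parts if p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(parts)


def fqan_matches(required: str, held: str) -> bool:
    """A held group satisfies a required group if it is that group or a subgroup.
    When the ACL names a role, the held FQAN must carry exactly that role."""
    req, got = normalize_fqan(required), normalize_fqan(held)
    if "/Role=" in req:
        return req == got
    got_group = got.split("/Role=")[0]  # a held role is irrelevant for a group rule
    return got_group == req or got_group.startswith(req + "/")


# Constructed ACL: resource path -> FQANs granted access.  None marks a resource
# open to everyone, like the "NONE (FREE)" entry on the OGSA-DAI demo slide.
ACL = {
    "/testvo.geogrid.org/aster": ["/testvo.geogrid.org/aster"],
    "/pragma/palsar": ["/PRAGMA/Geo"],
    "/ghz/formosat2": ["/GHZ", "/PRAGMA/Geo/Role=admin"],
    "/public/modis-preview": None,
}


def authorize(resource: str, proxy_fqans: list[str]) -> bool:
    """Deny by default: unlisted resources and proxies without attributes are refused."""
    allowed = ACL.get(resource, [])
    if allowed is None:
        return True
    return any(fqan_matches(req, held) for req in allowed for held in proxy_fqans)


if __name__ == "__main__":
    # A /PRAGMA/Geo member reaches PALSAR; holding only the parent group /PRAGMA does not.
    print(authorize("/pragma/palsar", ["/PRAGMA/Geo/Role=NULL/Capability=NULL"]))  # True
    print(authorize("/pragma/palsar", ["/PRAGMA/Role=NULL/Capability=NULL"]))      # False
```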





Slide 23: ASTER + Formosat2 / OpenLayers

ASTER / Japan, Formosat2 / Taiwan (map screenshot)





Slide 24: DEMO 4-2: PORTAL DEVELOPMENT (PHP, PERL, ...)





Slide 25: Web Portal Development

apache_ahtn_myproxy module: PHP, Perl, Python, etc.
Servlet basic authentication module: Java Servlet
GridSphere authentication module





Slide 26: DEMO 5: INDEPENDENCE FROM AUTHENTICATION METHODS





Slide 27: DEMO 5-1: INDEPENDENCE FROM AUTHENTICATION METHODS: (OPENID)





Slide 28: OpenID login flow

Figure: the User holds a Password for OpenID; the OpenID Server keeps the VO member DB; the VOMS server; the MyProxy CA with the Account DB and the Credential Repository; the Web Portal with its OpenID authentication module. The user presents an OpenID URL to the Web Portal, the portal requests a short-lived credential, and a VOMS proxy is returned.





Slide 29: DEMO 5-1: INDEPENDENCE FROM AUTHENTICATION METHODS: (CREDENTIAL)





Slide 30: Credential Login

(Repeats the Tsukuba-GAMA Authentication Flow for PKI / GSI figure and the three requirement/solution items: Language Free Portal Development, Credential Management, Independence from Authentication methods.)





Slide 31: Compare Identity

Identity: Same VO
Credential Login vs. OpenID Login (screenshots)





Slide 32: Conclusions

(Repeats the Tsukuba-GAMA Authentication Flow for PKI / GSI figure.)

Language Free Portal Development:
  - GridSphere / Satellite database federation
  - Geographical portal / OpenLayers
  - PHP, Perl

Credential Management:
  - User does not need to manage their credentials

Independence from Authentication methods:
  - Username and Password
  - OpenID
  - Globus credential





Slide 33: THANK YOU

To be released NEXT month!





Slide 34: DEMO 6: ACCOUNT CREATION





Slide 35: Account Creation

Figure labels: USER, Account Portal (http://testvo.geogrid.org:9443/gridsphere), Account DB (GAMA), VO (VOMS), VO portal (http://testvo.geogrid.org/gridsphere/), Account Admin, VO Admin

1. Request an account (USER)
2. Approve (Account Admin)
3. Activate an account
4. Register the user to the VO (VO Admin)
4. Import the user's account information to the VO