GCRC Meeting 2004
Introduction to the Gridand Security
Philip Papadopoulos
An Introduction to the Grid
Definition – Grid software allows a user to assembleremote resources and treat them as if they werelocal
•Uses a scalable security model
•Does not require centralized administration
•Does not require sites to give up administrative control oftheir resource
Simple Example
•A Morphometric BIRN researcher wants to test a newimage segmentation program on brain image data.
The computing cluster is in San Diego
The Brain Data is physically stored at centers in Harvard, UCI, andDuke
What a Grid Is not
It’s not free computing
It does not replace large-scale “supercomputers”
Putting your resource on the grid does not meananybody can use it
Note: Grid and “Cyberinfrastructure” are two wordsthat describe the same thing
How is a Grid different from the Web ?
Feature
Web
Grid
PhysicalConnections
Ethernet, ATM,SONET, …
Same
UserIdentification
Managed persite
Single Sign On
ProgramAccess
Web Browser(http protocol)
Multipleprograms andprotocols
Searching
Google
Well-definedmeta data anddatabases
Starting User-definedPrograms
Not Supported
Very Flexible
Abridged History of Distributed Computing
Classification by administrative domain
1980 Single administrative domain
SUN NFS (file sharing)
Yellow Pages (authentication)
Remote shell (task creation)
1990 Virtual User Administrative Domain
A user logs onto various machines and runs software that makesthese appear as a single system
•Example PVM (Parallel Virtual Machine)
Mid 90’s - Clusters
Message passing (MPI) used for communication
Usually a single administrative domain
Abridged History Continued
Mid 90’s. Cooperating (Mutual Trust) Domains
Kerberos and CORBA
Trust is administered centrally
Late 90’s. Grid Systems
Public Key Certificates identified individual users.
•All or nothing domain trust not needed
Mechanisms for interprocess communication neededre-visting
More like Virtual User Domains early 90’s but with amore scalable security model
Example: Globus, Avaki, United Devices, SETI@home
Clusters - The New Workstation
Commodity CPUs
Supercomputer-classperformance
Easily replicated to form adistributed grid of computing andstorage
Canonical IT platform for Biology
You may want/need access tocluster located at another site
One of many clusters atUCSD. 256 Programs
“Wrapping” Resources for Symmetry
Grid Interface
Grid User
SitePolicies
Grid Interface
Standard Internet Network
SitePolicies
Grid Interface
SitePolicies
Grid Interface
SitePolicies
Grid Interface
Grid Interface
Grid User
Grid Interface provides security, identity
Mapping, resource access/abstraction
How Grid Computing has Evolved
The Grid interface has evolved from scripts to aservices based architecture
Service - a resource that has a well-definedprogrammatic interface that can be called remotely
A Web Service – a resource that can be calledremotely using SOAP (Simple Object Access Protocol).
•Example: google in your web browser toolbar
A Grid Service – uses SOAP or other protocols witha defined authentication interface
Application – software that utilizes one or moreservices to work on the grid
What are Some Key Issues?
Some programs need to be re-engineered to workwith non-local resources
Many programs need to explicitly carry a securitycredential (and not rely on a single administrativedomain for implied authentication)
A culture of sharing resources and data amongcolleagues needs to be developed
Robustness of underlying grid middleware is beingimproved – (government investment, privateinvestment) – but improvements are still needed
Summary
There is no magic program that takes existing codeand makes it work with the grid.
Grid (or cyberinfrastructure) is an evolution of theweb
•Security explicitly addressed
•Services programming model requires some change toapplications
Benefits
•Utilizing and bridging remote resources is analogousbringing critical knowledge and information to you.
GCRC Meeting 2004
Grid Security
Philip Papadopoulos
What is Grid Security?
Cooperating entities accept a cryptographicallysecure identification certificate
The certificate uniquely identifies a user or aresource
•Think of it as a passport
A resource interprets a presented certificate todetermine whether access should be granted
GSI
GSI – Grid Security Infrastructure
A Certificate Authority creates a grid identity for auser (or resource)
•X.509 Certificate
A resource provider decides which CertificateAuthorities it will trust
•https websites use Verisign, Thawte, Other Commercialand Private Certificates.
When a user signs on to the grid a time-limited proxyis generated.
•It is the proxy that is interpreted by a site
Simplified Grid Services
Client
(Requestor)
read rawdata;
call.setTargetObjectURI("urn:gtomo-svc")
call.setMethodName(“backproject")
Call.setParams(“unprocesseddata”,rawdata)
result = Response.getReturnValue();
GSI
Processed
Response
1. client formats request(parameters + security)
2. Provider startsinstance of service forclient
3. Results returned overnet
Backproject
instance
Formatted
Request
Service
Provider
http://nbcr.ucsd.edu
Grid services leverages webservice infrastructure
Enable Workflows in a GridService-Oriented Environment
Interface
CCDB
Back-
project
GSI Proxy
User Sign on
Art/Blobs
Osaka U.
PACI Resources
Ucsd.edu
Common Security, discovery, and instantiationframework of Grid services enables constructionof complex workflows that crosses domains
Pros and Cons of Grid Certificates
X.509 proxies allow us to program workflows andmaintain a secure identity
•This is known as single sign on
User management of certificates can beburdensome
•Online certificate “banks” can simplify this
Software systems have to be modified to acceptcertificates for authentication
The certificate is only identity management, decidingwhat a user can do (authorization) still needs work.
Like any new software, management isn’t 0
•But, projects like BIRN are significantly easing thistransition