globus-tutorial
66 pages
English


Extract


A Guide to The Globus Toolkit™

The Globus Project™
Argonne National Laboratory
USC Information Sciences Institute
http://www.globus.org/

Copyright (c) 2002 University of Chicago and The University of Southern California. All Rights Reserved.
This presentation is licensed for use under the terms of the Globus Toolkit Public License.
See http://www.globus.org/toolkit/download/license.html for the full text of this license.

Guide to the Globus Toolkit™ March 17, 2002

The Globus Toolkit™
A software toolkit addressing key technical problems in the development of Grid enabled tools, services, and applications
– Offer a modular “bag of technologies”
– Enable incremental development of grid-enabled tools and applications
– Implement standard Grid protocols and APIs
– Make available under liberal open source license
General Approach
Define Grid protocols & APIs
– Protocol-mediated access to remote resources
– Integrate and extend existing standards
– “On the Grid” = speak “Intergrid” protocols
Develop a reference implementation
– Open source Globus Toolkit
– Client and server SDKs, services, tools, etc.
Grid-enable wide variety of tools
– Globus Toolkit, FTP, SSH, Condor, SRB, MPI, …
Learn through deployment and applications

Key Protocols
The Globus Toolkit™ centers around four key protocols
– Connectivity layer:
> Security: Grid Security Infrastructure (GSI)
– Resource layer:
> Resource Management: Grid Resource Allocation Management (GRAM)
> Information Services: Grid Resource Information Protocol (GRIP)
> Data Transfer: Grid File Transfer Protocol (GridFTP)
Also key collective layer protocols
– Info Services, Replica Management, etc.
The Globus Toolkit™: APIs

Role of APIs
While we focus heavily on protocols, the Globus Toolkit is an implementation, and as such requires APIs
– Globus Toolkit implemented in C
– Great effort has gone into implementing robust, consistent, and flexible APIs
APIs in other languages also available
– E.g. Java & Python CoG Kits
Three Types of API/SDK
Portability and convenience API/SDKs
API/SDKs implementing the four key Connectivity and Resource layer protocols
Collective layer API/SDKs
This tutorial focuses primarily on the functionality available in #2 and #3
Developer tutorial includes in-depth API discussions of all three

Portability and Convenience API
globus_common
– Module activation/deactivation
– Threads, mutual exclusion, conditions
– Callback/event driver
– Libc wrappers
– Convenience modules (list, hash, etc.)
Connectivity APIs
globus_io
– TCP, UDP, IP multicast, and file I/O
– Integrates GSI security
– Asynchronous and synchronous interfaces
– Attribute based control of behavior
Nexus (Deprecated)
– Higher level, active message style comms
– Built on globus_io, but without security
MPICH-G2
– High level, MPI (send/receive) interface
– Built on globus_io and native MPI

The Globus Toolkit™: Security
Security Terminology
Authentication: Establishing identity
Authorization: Establishing rights
Message protection
– Message integrity
– Confidentiality
Non-repudiation
Digital signature
Accounting
Certificate Authority (CA)

Why Grid Security is Hard
Resources being used may be valuable & the problems being solved sensitive
Resources are often located in distinct administrative domains
– Each resource has own policies & procedures
Set of resources used by a single computation may be large, dynamic, and unpredictable
– Not just client/server, requires delegation
It must be broadly available & applicable
– Standard, well-tested, well-understood protocols; integrated with wide variety of tools
GSI in Action: “Create Processes at A and B that Communicate & Access Files at C”
(Diagram; the labels that survive extraction are listed in the order of the flow.)
User: single sign-on via “grid-id” & generation of proxy cred., or retrieval of proxy cred. from online repository, yielding the User Proxy credential
Remote process creation requests* to the GSI-enabled GRAM servers at Site A (Kerberos) and Site B (Unix): Authorize, Map to local id, Create process, Generate credentials (ditto at Site B)
Process at Site A with Local id, Kerberos ticket and Restricted proxy; Process at Site B with Local id and Restricted proxy; Communication* between the two processes
Remote file access request* to the GSI-enabled FTP server at Site C (Kerberos): Authorize, Map to local id, Access file on the Storage system
* With mutual authentication

Grid Security Requirements
User View
1) Easy to use
2) Single sign-on
3) Run applications: ftp, ssh, MPI, Condor, Web, …
4) User based trust model
5) Proxies/agents (delegation)
Resource Owner View
1) Specify local access control
2) Auditing, accounting, etc.
3) Integration w/ local system: Kerberos, AFS, license mgr.
4) Protection from compromised resources
Developer View
API/SDK with authentication, flexible message protection, flexible communication, delegation, ...
Direct calls to various security functions (e.g. GSS-API)
Or security integrated into higher-level SDKs: e.g. GlobusIO, Condor-G, MPICH-G2, HDF5, etc.
Candidate Standards
Kerberos 5
– Fails to meet requirements:
> Integration with various local security solutions
> User based trust model
Transport Layer Security (TLS/SSL)
– Fails to meet requirements:
> Single sign-on
> Delegation

Grid Security Infrastructure (GSI)
Extensions to standard protocols & APIs
– Standards: SSL/TLS, X.509 & CA, GSS-API
– Extensions for single sign-on and delegation
Globus Toolkit reference implementation of GSI
– SSLeay/OpenSSL + GSS-API + SSO/delegation
– Tools and services to interface to local security
> Simple ACLs; SSLK5/PKINIT for access to K5, AFS; …
– Tools for credential management
> Login, logout, etc.
> Smartcards
> MyProxy: Web portal login and delegation
> K5cert: Automatic X.509 certificate creation
Review of Public Key Cryptography
Asymmetric keys
– A private key is used to encrypt data.
– A public key can decrypt data encrypted with the private key.
An X.509 certificate includes…
– Someone’s subject name (user ID)
– Their public key
– A “signature” from a Certificate Authority (CA) that:
> Proves that the certificate came from the CA.
> Vouches for the subject name
> Vouches for the binding of the public key to the subject

Public Key Based Authentication
User sends certificate over the wire.
Other end sends user a challenge string.
User encodes the challenge string with private key
– Possession of private key means you can authenticate as subject in certificate
Public key is used to decode the challenge.
– If you can decode it, you know the subject
Treat your private key carefully!!
– Private key is stored only in well-guarded places, and only in encrypted form
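The certificate check of slide 17 and the challenge-response exchange of slide 18, as an added example that is not part of the tutorial or of the Globus Toolkit: the CA, the user name "Alice" and the challenge are constructed, and the "encode the challenge with the private key" step is done as an RSA PKCS#1 v1.5 signature over SHA-256, which is what that wording describes in practice.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SetupPKI builds a constructed self-signed CA and a user certificate the CA vouches for (subject name,
// public key, CA signature: the X.509 contents of slide 17). Key-generation errors are ignored for brevity.
func SetupPKI() (ca, userCert *x509.Certificate, userKey *rsa.PrivateKey) {
	now := time.Now()
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Grid CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	userKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey)
	userCert, _ = x509.ParseCertificate(userDER)
	return
}

// Respond is the user side: "encode the challenge string with private key", done here as an
// RSA PKCS#1 v1.5 signature over the SHA-256 hash of the challenge.
func Respond(userKey *rsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, userKey, crypto.SHA256, h[:])
	return sig
}

// Authenticate is the other end: the presented certificate must carry the trusted CA's signature and
// still be valid, and the response must verify under the public key taken from that certificate.
// It returns the authenticated subject name, or "" if either check fails.
func Authenticate(ca, presented *x509.Certificate, challenge, response []byte) string {
	if presented.CheckSignatureFrom(ca) != nil || time.Now().After(presented.NotAfter) {
		return "" // not issued by our CA, or expired: the subject name cannot be trusted
	}
	h := sha256.Sum256(challenge)
	if rsa.VerifyPKCS1v15(presented.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], response) != nil {
		return "" // the responder does not hold the private key matching the certificate
	}
	return presented.Subject.CommonName
}
```

The challenge must be fresh per session: a signature captured once is only a valid response to the challenge it was made for.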
X.509 Proxy Certificate
Defines how a short term, restricted credential can be created from a normal, long-term X.509 credential
– A “proxy certificate” is a special type of X.509 certificate that is signed by the normal end entity cert, or by another proxy
– Supports single sign-on & delegation through “impersonation”
– Currently an IETF draft

User Proxies
Minimize exposure of user’s private key
A temporary, X.509 proxy credential for use by our computations
– We call this a user proxy certificate
– Allows process to act on behalf of user
– User-signed user proxy cert stored in local file
– Created via “grid-proxy-init” command
Proxy’s private key is not encrypted
– Rely on file system security, proxy certificate file must be readable only by the owner