How Grid Security works in GEO Sciences
N. Yamamoto, Y. Tanaka, I. Kojima, S. Sekiguchi (AIST)
Oct. 28, 2009, GEO Workshop / PRAGMA17, Hanoi
http://www.geogrid.org/
What is Grid Security
- Who am I? / Who are they?: Grid Security Infrastructure (GSI)
- What can I do? / What can they do?: Virtual Organization Membership Service (VOMS)
GEO Grid VO Design
(figure: Identity)
Requirements
- Credential Management: users without security expertise often manage their private keys for PKI / GSI credentials without careful planning.
- Authentication methods: must accommodate existing, settled authentication methods (OpenID, Shibboleth, username and password, user credential, etc.).
- Portal Development: must accommodate existing application portals written in PHP, Perl, Python, Java Servlet, etc.
OUR SOLUTION: TSUKUBA-GAMA

Tsukuba-GAMA
(figure: Tsukuba-GAMA Authentication Flow for PKI / GSI. Components: User (username and password, OpenID, or user credential), VO Portal (PHP, Perl, Python, etc.), Credential Repository (MyProxy Repository), Online CA (MyProxy CA), VOMS (VO Management), Credential Management; artifacts: End Entity Certificate, VOMS Proxy Certificate, VO attribute.)
- Language Free Portal Development: must accommodate existing application portals written in PHP, Perl, Python, Java Servlet, etc. Provides Apache, Servlet, and GridSphere authentication modules in order to support any language.
- Credential Management: users without security expertise often manage their private keys for PKI / GSI without careful planning. Manages user credentials on the server side instead of leaving it to inexperienced users.
- Independence from Authentication methods: must accommodate existing, settled authentication methods (OpenID, Shibboleth, username and password, user credential, etc.). Generates Grid credentials from any method.
DEMO 1: TSUKUBA-GAMA LOGIN, PRAGMA VO PORTAL (GRIDSPHERE)
Demo Environments - login
(figure: USER, PRAGMA VO portal http://gfm49.apgrid.org/gridsphere/, Credential Repository, PRAGMA VOMS; result: VOMS proxy cert)
1. Input the username and password of the user certificate.
2. Generate a Globus proxy certificate.
3. Add the VOMS attribute.
4. Register the proxy certificate.
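Steps 2 to 4 of the login above, worked as an added example; this is not code from the slides or from Tsukuba-GAMA, MyProxy or VOMS. It uses only the Go standard library, and everything named here is an assumption of the example: the `Repository` type (standing in for the Online CA plus the Credential Repository), `Enroll`, `IssueProxy`, `VerifyProxy`, the 12-hour `MaxProxyLifetime` policy, and a placeholder certificate extension that stands in for the real VOMS attribute certificate. Step 1, checking the user's password at the portal, happens before `IssueProxy` is called and is outside the block. The security property the slides describe is visible in the code: the end-entity private key is created inside the repository and never returned to the caller; only a fresh, short-lived proxy with its own key leaves, and the relying service verifies chain, naming rule, validity and lifetime policy before trusting the attributes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)
const MaxProxyLifetime = 12 * time.Hour // assumed repository policy, not stated on the slides
// Demo stand-in for the VOMS attribute certificate: a plain extension carrying the FQAN list.
// The OID is a placeholder in the private-enterprise arc, not the real VOMS extension OID.
var oidDemoVOAttrs = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}
type Cred struct { // a certificate together with its private key
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a key pair and signs template with parent's key (self-signed when parent is nil).
func issue(template *x509.Certificate, parent *Cred) Cred {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	template.SerialNumber = big.NewInt(time.Now().UnixNano())
	parentCert, signer := template, key
	if parent != nil { parentCert, signer = parent.Cert, parent.Key }
	der, err := x509.CreateCertificate(rand.Reader, template, parentCert, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return Cred{cert, key}
}

// Repository models the Online CA (MyProxy CA) plus the Credential Repository: EE certificates and their keys stay here, never with the user.
type Repository struct {
	CA    Cred
	users map[string]Cred
}

func NewRepository() *Repository {
	ca := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Online CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour)}, nil)
	return &Repository{CA: ca, users: map[string]Cred{}}
}

// Enroll has the Online CA issue the user's End Entity Certificate, which the repository keeps.
func (r *Repository) Enroll(username string) Cred {
	r.users[username] = issue(&x509.Certificate{Subject: pkix.Name{CommonName: username},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour)}, &r.CA)
	return r.users[username]
}

// IssueProxy is login steps 2 and 3: once the portal has authenticated the user, the repository signs a
// short-lived proxy with the stored user key and attaches the VO attributes (FQANs). Only the proxy leaves.
func (r *Repository) IssueProxy(username string, lifetime time.Duration, fqans []string) (Cred, error) {
	user, ok := r.users[username]
	if !ok { return Cred{}, errors.New("unknown user") }
	if lifetime <= 0 || lifetime > MaxProxyLifetime { return Cred{}, fmt.Errorf("lifetime %v violates policy (max %v)", lifetime, MaxProxyLifetime) }
	// Proxy DN = user DN + one extra CN, the RFC 3820 naming rule a verifier can check.
	names := append(append([]pkix.AttributeTypeAndValue{}, user.Cert.Subject.Names...), pkix.AttributeTypeAndValue{Type: oidCN, Value: "proxy"})
	now := time.Now().Truncate(time.Second)
	return issue(&x509.Certificate{Subject: pkix.Name{ExtraNames: names}, NotBefore: now, NotAfter: now.Add(lifetime),
		ExtraExtensions: []pkix.Extension{{Id: oidDemoVOAttrs, Value: []byte(strings.Join(fqans, ","))}}}, &user), nil
}

// VerifyProxy is what a relying service does with a presented proxy: chain proxy <- EE <- Online CA, naming rule, validity, lifetime policy, then the FQANs.
func VerifyProxy(proxy, ee, ca *x509.Certificate, now time.Time) ([]string, error) {
	if err := ee.CheckSignatureFrom(ca); err != nil { return nil, fmt.Errorf("EE not issued by the Online CA: %w", err) }
	// CheckSignatureFrom refuses a non-CA issuer, so verify the proxy's signature directly.
	if proxy.Issuer.String() != ee.Subject.String() ||
		ee.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature) != nil {
		return nil, errors.New("proxy not issued and signed by the EE")
	}
	names, n := proxy.Subject.Names, len(ee.Subject.Names)
	if len(names) != n+1 || !names[n].Type.Equal(oidCN) || names[n].Value != "proxy" {
		return nil, errors.New("proxy subject must be the EE DN plus one CN=proxy")
	}
	for _, c := range []*x509.Certificate{proxy, ee, ca} {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) { return nil, fmt.Errorf("%v not valid at %v", c.Subject, now) }
	}
	if proxy.NotAfter.Sub(proxy.NotBefore) > MaxProxyLifetime { return nil, errors.New("proxy lifetime exceeds policy") }
	for _, ext := range proxy.Extensions {
		if ext.Id.Equal(oidDemoVOAttrs) && len(ext.Value) > 0 { return strings.Split(string(ext.Value), ","), nil }
	}
	return nil, nil
}

func main() {
	repo := NewRepository()
	alice := repo.Enroll("alice")
	proxy, _ := repo.IssueProxy("alice", 2*time.Hour, []string{"/PRAGMA/Geo", "/TESTVO"})
	fmt.Println(VerifyProxy(proxy.Cert, alice.Cert, repo.CA.Cert, time.Now()))
}
```

Because Go's `CheckSignatureFrom` insists that the issuer be a CA, the proxy signature is checked with `CheckSignature` against the end-entity certificate, which is exactly the situation a GSI relying party is in: the signer of a proxy is an ordinary user certificate, so the verifier has to apply the proxy naming and lifetime rules itself rather than rely on generic path validation.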
(figure: Identity / Attribute)
DEMO 2: TSUKUBA-GAMA LOGIN, TEST VO PORTAL (GRIDSPHERE)
(figure: Same Identity, Different Attribute)
GEO Grid VO Design
(figure: PRAGMA VO, TEST VO; marker: I'm here)
GSI w/ VOMS
(figure: PRAGMA VO Portal (GridSphere, Perl, PHP, Java etc.), TEST VO Portal, Credential Repository (MyProxy Repository), Online-CA (MyProxy CA), PRAGMA-VO (VOMS), GHZ-VO (VOMS); links: Sign Certificate, VO member management, Share Account)
EXAMPLE SCENARIO: SATELLITE DATABASE FEDERATION
Demo environment (OGSA-DAI)
Dataset   | Site   | VO group ACL
ASTER     | Japan  | /PRAGMA/Geo
PALSAR    | Japan  | /PRAGMA/Geo
MODIS     | Japan  | /TESTVO /GHZ
Formosat2 | Taiwan | NONE (FREE)
DEMO 3: SIMS SATELLITE DATABASE FEDERATION
(figure: SIMS demo architecture. NSPO@TW: Database Server (Sybase) holding FORMOSAT-2, Application Server with OGSA-DAI and Globus, SQL w/ JDBC. AIST@JP: Database Server (PostgreSQL) holding ASTER and MODIS, OGSA-DAI and Globus, SQL w/ JDBC. AIST: OGSA-DAI Client in an Integration Framework with OGSA-DAI (Java Program), issuing SQL to both sites; VOMS labels on the site services; SIMS portlet: query data, create web page which shows thumbnail images.)
SIMS – Search Results
(figure: MODIS, FORMOSAT-2, ASTER)
DEMO 4: LANGUAGE FREE PORTAL DEVELOPMENT
DEMO 4-1: PORTAL DEVELOPMENT (OPENLAYERS)
OGCProxy
(figure: User -> https://portal/OGCProxy?URL=https://gridsite/..../service -> GridSite https://gridsite/..../service; the VOMS Proxy carries the VO Name / Group; contents ACL: /testvo.geogrid.org/aster)
OGCProxy is a broker portlet that forwards users' requests to backend OGC services and provides a free development environment for client applications.
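The GridSite contents ACL above (/testvo.geogrid.org/aster, matched against the VO name and group in the VOMS proxy) and the per-dataset VO-group ACLs on the satellite-database demo slide (/PRAGMA/Geo, /TESTVO /GHZ, NONE (FREE)) are the same kind of decision: an authorization check over VOMS attributes. The following is an added example of that check and is not code from the slides, GridSite, OGCProxy or VOMS. Its assumptions: the `FQAN`, `ACL`, `ParseFQAN`, `ParseACL` and `VisibleDatasets` names are hypothetical; the matching semantics (membership in a subgroup implies membership in its parent group, never the reverse; a Role named in the ACL entry must be present; the deprecated Capability field is ignored) are the example's reading of VOMS attribute semantics; and pairing each dataset with an ACL by row order is the example's reading of the demo-environment table.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// FQAN is a parsed VOMS fully qualified attribute name such as "/PRAGMA/Geo/Role=NULL/Capability=NULL".
type FQAN struct {
	Group string // group path, e.g. "/PRAGMA/Geo"
	Role  string // empty when the Role is absent or NULL
}

// ParseFQAN splits an FQAN into group path and role. NULL values count as absent and the
// deprecated Capability field is accepted and ignored; anything else after the group path is an error.
func ParseFQAN(s string) (FQAN, error) {
	if !strings.HasPrefix(s, "/") { return FQAN{}, fmt.Errorf("FQAN %q must start with '/'", s) }
	var f FQAN
	var groups []string
	seenAttr := false
	for _, part := range strings.Split(s[1:], "/") {
		switch {
		case part == "":
			return FQAN{}, fmt.Errorf("FQAN %q has an empty component", s)
		case strings.HasPrefix(part, "Role="):
			seenAttr = true
			if v := strings.TrimPrefix(part, "Role="); v != "NULL" { f.Role = v }
		case strings.HasPrefix(part, "Capability="):
			seenAttr = true
		case seenAttr || strings.Contains(part, "="):
			return FQAN{}, fmt.Errorf("FQAN %q: unexpected component %q", s, part)
		default:
			groups = append(groups, part)
		}
	}
	if len(groups) == 0 { return FQAN{}, fmt.Errorf("FQAN %q names no group", s) }
	f.Group = "/" + strings.Join(groups, "/")
	return f, nil
}

// Matches reports whether a user's FQAN satisfies this ACL entry: the user's group must be the entry's
// group or a subgroup of it (assumed semantics: subgroup membership implies membership in the parent
// group, never the reverse), and a Role named by the entry must be present in the user's FQAN.
func (entry FQAN) Matches(user FQAN) bool {
	inGroup := user.Group == entry.Group || strings.HasPrefix(user.Group, entry.Group+"/")
	return inGroup && (entry.Role == "" || entry.Role == user.Role)
}

// ACL is a resource's access list. An empty ACL is the slide's "NONE (FREE)": no VO membership required.
type ACL []FQAN

func ParseACL(entries ...string) (ACL, error) {
	var acl ACL
	for _, e := range entries {
		f, err := ParseFQAN(e)
		if err != nil { return nil, err }
		acl = append(acl, f)
	}
	return acl, nil
}

// Allows grants access when the ACL is empty or any entry matches any of the user's FQANs.
func (acl ACL) Allows(user []FQAN) bool {
	for _, e := range acl {
		for _, u := range user {
			if e.Matches(u) { return true }
		}
	}
	return len(acl) == 0
}

// Dataset ACLs as listed on the demo-environment slide; pairing each dataset with an ACL by row order
// is this example's reading of that table.
var datasetACLs = map[string][]string{
	"ASTER":     {"/PRAGMA/Geo"},
	"PALSAR":    {"/PRAGMA/Geo"},
	"MODIS":     {"/TESTVO", "/GHZ"},
	"Formosat2": {}, // NONE (FREE)
}

// VisibleDatasets returns, sorted, the datasets a VOMS proxy carrying the given FQANs may query.
// A malformed FQAN fails the whole request rather than silently granting or denying.
func VisibleDatasets(proxyFQANs []string) ([]string, error) {
	user, err := ParseACL(proxyFQANs...) // same syntax, so the same parser serves both sides
	if err != nil { return nil, err }
	var visible []string
	for name, entries := range datasetACLs {
		acl, err := ParseACL(entries...)
		if err != nil { return nil, err }
		if acl.Allows(user) { visible = append(visible, name) }
	}
	sort.Strings(visible)
	return visible, nil
}

func main() {
	for _, fqans := range [][]string{
		{"/PRAGMA/Geo/Role=NULL/Capability=NULL"},
		{"/GHZ/Role=NULL/Capability=NULL"},
		{"/PRAGMA/Role=NULL/Capability=NULL"}, // in the VO, but not in the Geo group
		{},
	} {
		visible, err := VisibleDatasets(fqans)
		fmt.Printf("%v -> %v %v\n", fqans, visible, err)
	}
}
```

Two details matter for a federation like the one on the slides: a member of the PRAGMA VO who is not in the Geo group gets only the free dataset, because membership does not flow downward into subgroups, and a proxy carrying a malformed attribute is rejected outright instead of being treated as an anonymous user.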
ASTER + Formosat2 / OpenLayers
(figure: ASTER / Japan, Formosat2 / Taiwan)
DEMO 4-2: PORTAL DEVELOPMENT (PHP, PERL, ...)
Web Portal Development
- apache_ahtn_myproxy module: PHP, Perl, Python, etc.
- Servlet basic authentication module: Java Servlet
- GridSphere authentication module
DEMO 5: INDEPENDENCE FROM AUTHENTICATION METHODS
DEMO 5-1: INDEPENDENCE FROM AUTHENTICATION METHODS (OPENID)
OpenID authentication module
(figure: User supplies the password for OpenID to the OpenID Server (OpenID URL); Web Portal; Request short-lived credential from MyProxy CA (Account DB, Credential Repository); VO member DB; VOMS server; result: VOMS proxy)
DEMO 5-1: INDEPENDENCE FROM AUTHENTICATION METHODS (CREDENTIAL)
Credential Login
(figure: Tsukuba-GAMA Authentication Flow for PKI / GSI, the same diagram and bullets as on the Tsukuba-GAMA slide above)
Compare Identity
(figure: Identity; Same VO; Credential Login vs. OpenID Login)
Conclusions
(figure: Tsukuba-GAMA Authentication Flow for PKI / GSI, the same diagram as on the Tsukuba-GAMA slide above)
- Language Free Portal Development: GridSphere / satellite database federation; geographical portal / OpenLayers; PHP, Perl
- Credential Management: users do not need to manage their credentials
- Independence from Authentication methods: username and password; OpenID; Globus credential
THANK YOU
To be released NEXT month!
DEMO 6: ACCOUNT CREATION
Account Creation
(figure: USER, Account Portal http://testvo.geogrid.org:9443/gridsphere, Account DB (GAMA), VO (VOMS), VO portal http://testvo.geogrid.org/gridsphere/, Account Admin, VO Admin)
1. The user requests an account.
2. The Account Admin approves it.
3. Activate the account.
4. The VO Admin registers the user in the VO / imports the user's account information into the VO.