www.InteliGrid.com
Data Management in Grid, VLDB'06
Security and Performance Enhancements to OGSA-DAI for Grid Data Virtualization
Marcin Admaski, Michal Kulczewski, Krzysztof Kurowski, Jarek Nabrzyski, Ally
Poznan Supercomputing and Networking Center, Poland
EPCC, The University of Edinburgh, Scotland
Agenda
- inteliGrid vision & challenges
- Data management problems/issues within the fabric Grid layer
- Data management problems/issues within the inteliGrid middleware layer
- Data management problems/issues within the business interoperability layer
- InteliGrid VO development and deployment
- Security and performance tests
- Summary and future steps
(Timeline on slide: 2005 – 2006 – 2007)
InteliGrid in numbers
- 6th Framework STREP project
- Budget ~2.5 m€, 360 person months
- Duration 2.5 years: 1.9.2004 – 28.2.2007
- Partners: LJU (coordinator), TUD, PSNC, VTT, EPM, Conject, Sofistik, OPB, ESoCE
inteliGrid vision and challenges
InteliGrid = interoperability of virtual organizations on a complex semantic grid = Grid + Semantic + VO
One of the main goals in the inteliGrid project is to provide secure, flexible, and easy to use solutions for interoperability between distributed data resources, services and application tools required by various business processes within Virtual Organizations (VOs).
But… end users and service providers do not want to expose their databases, services and capability providers to everyone on the Internet (hackers included :-), only to people they trust (e.g. members of the same VO).
Some InteliGrid requirements and scenarios:
- people, services and resources may join and leave the VO for a few days (not years)
- support access to various types of resources and services (both computing and data resources)
- enable multiple collaborative groups to be defined within the VO
- support multiple credentials (originating from various trusted parties)
- be as transparent as possible to end users and applications
- use existing security mechanisms wherever possible
- be able to handle fine-grained security privileges in a platform-independent manner (such privileges can range from single objects to multiple grid resources and entities in separate administrative domains)
VOs in the Architecture, Engineering and Construction (AEC) sector
- PAST: WITHOUT IT ;-)
- TODAY: INFORMATION CHAOS
- TOMORROW'S GOAL: INTEROPERABILITY (one central VO server / service)
InteliGrid approach
From the security perspective, a VO is a collection of individuals and institutions that are defined according to a set of resource or data sharing policy rules. In other words, the VO is a dynamic collection of individuals, institutions and distributed resources (data, processors, storage, information, applications, etc.).
In order to fulfill the strict security requirements of real business VO scenarios, all inteliGrid products must allow users and service/resource owners to define dynamic, global security policies within VOs and to enforce them through a consistent Authentication, Authorization and Accounting (AAA) infrastructure.
Check out the following webpage: http://testbed.inteligrid.com
InteliGrid dream (December 2004 ;-): networked VOs and on-demand AEC services
(Figure: Dynamic InteliGrid Collaborative Environments and Workspaces (Virtual Organizations) spanning the partner sites TUD, PSNC, SOFISTIK and LJU, managed by a VO Administrator)
InteliGrid Physical Grid Resources
(Figure: several OGSA-DAI services at different sites communicating over an open network (Internet))
Heterogeneous data resources in InteliGrid…
Distributed resources within InteliGrid:
- Different databases: PostgreSQL, MySQL, file systems, object-oriented databases (e.g. EPM)
- Business Service Providers* (e.g. Conject, EPM)
- Various legacy applications* and AEC modules that require and generate input/output files
* Running on both Linux and Windows platforms
Why do we use existing open source solutions?
- We did not want to develop everything from scratch
- We did not have enough time, money and resources
- We wanted to use and integrate widely accepted and mature grid technologies and standards
- Some grid-related projects have already developed a lot of useful infrastructure services and data management tools, in particular: Globus Pre-WS/GT4 (www.globus.org), OGSA-DAI (www.ogsadai.org.uk), GridLab grid middleware services: GAS (www.gridlab.org)
- We had to add new features and capabilities to meet inteliGrid requirements and use cases, also for data management (dynamic/secure VO scenarios)
InteliGrid architecture
OGSA-DAI
OGSA-DAI services can be used as the basic primitives for creating sophisticated higher-level services that offer capabilities such as data federation, distributed query processing, etc…
The OGSA-DAI middleware layer abstracts away concerns such as database driver technology, data formatting techniques and delivery mechanisms.
Authentication
(Figure: OGSA-DAI services in multiple domains communicating over an open network (Internet))
Communication between multiple domains over the Internet (various OGSA-DAI services) within a networked VO must be well protected:
- Many grid environments use public key (asymmetric) cryptography for authentication of users, resources and services (SSL/GSI).
- Following PKI basics, each entity on the Grid (users as well as OGSA-DAI services) has a key pair: a public key and a private key. Encryption is performed with the public key, while decryption and digital signing are performed with the private key.
- InteliGrid provides X.509 certificates for identification and authentication of all operations performed on OGSA-DAI services and the underlying data resources (relational and XML databases, file systems, etc.).
- SSO (single sign-on) must be supported.
Basic OGSA-DAI authorization model
- Authentication and encryption based on GSI/SSL
- Authorization based on a flat mapper file
Advantages:
- Closed system
Disadvantages:
- Very static model
- No dynamic VO support
- Only internal authorization possible
Example: imagine a federation of 1000 databases
OGSA-DAI PUSH authorization model (e.g. CAS, VOMS)
Advantages:
- VO support
- Fast model
Disadvantages:
- Static model (for as long as the proxy is valid)
- Consistent policies required in two places: CAS and the Rolemapper
- A user's OGSA-DAI-specific security policy (carried in the proxy) is visible to various system components
OGSA-DAI PULL authorization model (InteliGrid approach)
- Authorization based on security decisions obtained from GAS
- We did not modify the OGSA-DAI sources
Advantages:
- VO support
- Dynamic model
- Full security control in one place: GAS (no changes in OGSA-DAI required)
- Real RBAC model (the VO administrator can change roles dynamically during execution)
Disadvantages:
- Slow model (many iterations required)
- DoS attacks possible
GAS: Gridge Authorization Service
GAS is an authorization service which provides a universal way of defining the security policy for the whole networked VO, independently of the technologies used at lower levels. GAS is able to:
- add/modify VO security policies within GAS through a web-based administrative interface
- generate authorization decisions for users or inteliGrid middleware services (including OGSA-DAI) – PULL authorization model
- generate part of the security policy for users or inteliGrid middleware services – PUSH authorization model
(Figure: GAS serving several OGSA-DAI services alongside other middleware, e.g. cache services and replication services)
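To make the difference between the three authorization models (flat mapper file, PUSH via CAS/VOMS-style proxies, PULL from a GAS-like policy service) concrete, the following Python simulation is added here; it is not code from InteliGrid, OGSA-DAI, CAS, VOMS or GAS. The class and function names, the DNs, the resource URI and the mapfile contents are all hypothetical; only the shape of each model follows the slides. The scenario at the end shows the point of the PULL slide: a VO administrator revokes a role while a proxy is still valid, and only the PULL model notices.

```python
"""Simulation of the three OGSA-DAI authorization models on these slides.
Added example, not InteliGrid/OGSA-DAI/CAS/VOMS/GAS code: every class name,
DN, resource URI and mapfile line below is hypothetical. Only the shape of
each model follows the slides: basic = flat mapper file; PUSH = roles carried
in the proxy and checked locally; PULL = a decision fetched per request."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    dn: str        # certificate subject of the caller
    resource: str  # OGSA-DAI data resource being accessed
    action: str    # e.g. "select", "update"


# Constructed grid-mapfile style content: "<quoted DN>" <local user>.
MAPFILE = '''
# hypothetical mapfile
"/O=ExampleGrid/OU=VO1/CN=alice" dbuser_a
"/O=ExampleGrid/OU=VO1/CN=bob"   dbuser_b
'''


def parse_mapfile(text):
    """Basic model: {DN: local_user}. DNs are quoted (they may contain spaces)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError(f"malformed mapfile line: {raw!r}")
        end = line.index('"', 1)
        dn, rest = line[1:end], line[end + 1:].split()
        if len(rest) != 1:
            raise ValueError(f"malformed mapfile line: {raw!r}")
        mapping[dn] = rest[0]
    return mapping


def basic_authz(mapping, req):
    """Mapped DN gets the local account's full rights: no VO, resource or
    action awareness, which is why the model is static."""
    return req.dn in mapping


@dataclass(frozen=True)
class Assertion:
    """Roles pushed into a proxy credential (CAS/VOMS style)."""
    dn: str
    roles: frozenset
    expires_at: float


class PolicyService:
    """Hypothetical stand-in for a VO policy service such as GAS: one central
    policy the VO administrator can change at run time."""
    def __init__(self):
        self.roles = {}        # dn -> set of role names
        self.permissions = {}  # (role, resource) -> set of allowed actions
        self.decisions = 0     # PULL round trips served
    def grant_role(self, dn, role):
        self.roles.setdefault(dn, set()).add(role)
    def revoke_role(self, dn, role):
        self.roles.get(dn, set()).discard(role)
    def allow(self, role, resource, action):
        self.permissions.setdefault((role, resource), set()).add(action)
    def decide(self, req):
        """PULL: yes/no for one request, read from the live policy."""
        self.decisions += 1
        return any(req.action in self.permissions.get((r, req.resource), ())
                   for r in self.roles.get(req.dn, ()))
    def issue_assertion(self, dn, lifetime_s, now):
        """PUSH: snapshot the caller's current roles into the proxy."""
        return Assertion(dn, frozenset(self.roles.get(dn, ())), now + lifetime_s)


def push_authz(assertion, rolemapper, req, now):
    """PUSH: trust the proxy's roles until it expires; the service keeps its
    own rolemapper {(role, resource): actions}, i.e. policy in two places."""
    if now >= assertion.expires_at or assertion.dn != req.dn:
        return False
    return any(req.action in rolemapper.get((r, req.resource), ())
               for r in assertion.roles)


def pull_authz(policy, req):
    """PULL: one round trip per request (the slow / DoS-prone side)."""
    return policy.decide(req)


def revocation_scenario(now=0.0):
    """VO admin revokes a role while a proxy is still valid: PUSH keeps
    authorizing until the proxy lapses, PULL denies on the next request."""
    alice = "/O=ExampleGrid/OU=VO1/CN=alice"
    req = Request(alice, "mysql://db1", "select")
    policy = PolicyService()
    policy.grant_role(alice, "engineer")
    policy.allow("engineer", req.resource, "select")
    rolemapper = {("engineer", req.resource): {"select"}}  # PUSH-side copy
    proxy = policy.issue_assertion(alice, lifetime_s=3600, now=now)
    before = (push_authz(proxy, rolemapper, req, now), pull_authz(policy, req))
    policy.revoke_role(alice, "engineer")  # one change, in one place
    after = (push_authz(proxy, rolemapper, req, now + 60), pull_authz(policy, req))
    return {
        "before_revoke": before,                                 # (True, True)
        "after_revoke": after,                                   # (True, False)
        "push_after_expiry": push_authz(proxy, rolemapper, req, now + 3601),
        "pull_round_trips": policy.decisions,                    # 2
    }
```

Two practical notes follow from the simulation. First, the PUSH model's "static" disadvantage is bounded only by proxy lifetime, so short proxies are the lever for limiting how long a revoked user keeps access. Second, `pull_authz` deliberately caches nothing: every request costs a round trip to the policy service, which is exactly the slow / DoS-prone behaviour the slides list; a short-TTL decision cache at the OGSA-DAI side would trade some of that cost back for a bounded amount of PUSH-style staleness.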
Dynamic on-line policy authorization control and enforcement in VOs
(Figure: InteliGrid users, OGSA-DAI resources (MySQL, PostgreSQL, Oracle, etc.), and the subset of users who have access rights to the OGSA-DAI resources)
Accounting
Accounting has close ties to authentication and authorization because of the certainty with which they identify the entity to be associated with the accounting data. This is particularly important in areas such as security audits and intrusion detection.
On the other hand, accounting statistics let us introduce various billing or charging policies, e.g. pay-per-use.
Note that, in contrast to access control and authorization, which are binary, charging or billing in the VO can be quantitative; the question then becomes how much access to grant a user to a resource, rather than simply whether to grant access or not.
Commercialization process of InteliGrid next year… hopefully ;-)
Performance tests (1)
The performance of every OGSA-DAI query was measured in two ways: right after a container restart (marked in grey) and after the container had been running for some time. Average values for the different security mechanisms used by the Tomcat and Globus Toolkit 4 containers are presented below:
(Figure: average query times per security mechanism, Tomcat vs. Globus Toolkit 4 containers)
Performance tests (2)
In our tests an example SQL statement was used to query the MySQL database and deliver 10 000 rows in CSV format as a file transferred over SOAP attachments.
(Figure: chart of the measured times; only the label "4.3" survives from it)
Performance tests (3)
Performance of the different OGSA-DAI authorization mechanisms is presented.
(Figure: comparison chart of the authorization mechanisms)
Summary
- So many different views on virtual organizations…
- Each AAA approach has both advantages and disadvantages, but dynamic and fine-grained security control and management are key issues in networked VOs
- InteliGrid solutions and problems are generic, and the solutions will be available for free
- Metadata, semantics and ontologies within/over OGSA-DAI to simplify and speed up the integration of distributed business processes
- Push from commercial partners to use new security protocols, e.g. SAML and XACML (GAS provides SAML 2.0 compliant interfaces, the DRMAA Service Provider supports SAML 2.0/Liberty Alliance), to deal with SSO scenarios
- Push from commercial partners to adopt accounting mechanisms and come up with new business models
Online demo… ;-)