

Upload: clifford-williams

Post on 05-Jan-2016


TRANSCRIPT

Page 1: Grid Security: Authentication

• Most Grids rely on a Public Key Infrastructure system for issuing credentials.
• Users are issued long-term public and private keys (~1 year or more) that are signed by a recognized Certificate Authority.
  – You can run your own CA and determine your own policy for issuing credentials.
  – You decide which CAs to trust.
• The long-term keys are used to issue short-term user (proxy) certificates (~12 hours).
  – MyProxy is online certificate-issuing software: an online credential repository that issues short-term proxy credentials on request.
  – Short-term certificates are used to authenticate to both pre-Web Service Globus daemons (GRAM, GridFTP, etc.) and Globus (and other) Web Services.
• Typically, both pre- and Web Service Globus tools are used to provide direct access to remote computers.
  – Access user file systems, launch jobs on supercomputers through queuing systems, etc.
• Single sign-on (SSO): once you get a certificate, you can access all machines in the grid, subject to access controls.
• Delegation: in connection with SSO, delegated credentials are created on remote resources as the user asks for them.
  – These credentials can also be used to access further resources (now twice removed from the original certificate).
  – They are traceable back to the original owner.

Page 2: Authorization

• Authorization determines what you are allowed to do after you are authenticated.
• Several Grid authorization systems exist.
  – CAS (Community Authorization Service): introduced in Globus Toolkit 3.
    • Usually associated with non-Web Service Globus tools.
  – WS AA: part of the Globus Toolkit 4.
    • Based on SAML.
  – PERMIS: a certificate-based system for describing policy.
  – Shibboleth: normally used in US academic institutions.
    • Users can request resources anonymously to support privacy laws.
    • Must federate (i.e. "all Big 10 students are allowed to see each other's online libraries").
    • Work is currently going on to couple this to Grid authentication.
• PERMIS and Shibboleth are part of the NMI-EDIT software suite.
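The delegation chain of page 1 and the "subject to access controls" step of page 2 meet at the relying party: it has to trace a delegated proxy back to the long-term identity and then map that identity to a local account. The following is an added example, not code from the slides or from the Globus Toolkit. It models the GSI subject-name and lifetime rules for legacy ("/CN=proxy", "/CN=limited proxy") and RFC 3820 (numeric CN) proxies and the classic grid-mapfile lookup; it does not verify X.509 signatures, and the `Cert` record, helper names, sample chain and mapfile are all constructed for the illustration. The limited-proxy rule it enforces (job submission refuses limited proxies, data transfer accepts them) is the one GSI applies to GRAM versus GridFTP.

```python
"""Proxy-chain rules and grid-mapfile authorization, stdlib only (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Legacy GT2-style proxies append one of these CN components to the issuer's DN;
# RFC 3820 proxies append a numeric serial instead.
LEGACY_PROXY_CNS = {"proxy", "limited proxy"}


@dataclass(frozen=True)
class Cert:  # constructed stand-in for the fields of an X.509 certificate
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def split_dn(dn: str) -> list:
    """'/C=US/O=Grid/CN=Alice' -> ['C=US', 'O=Grid', 'CN=Alice']."""
    return [rdn for rdn in dn.split("/") if rdn]


def proxy_kind(cert: Cert) -> Optional[str]:
    """'proxy', 'limited proxy' or 'rfc' when the subject is the issuer's DN plus
    exactly one proxy CN; None for anything else (e.g. a CA-signed user cert)."""
    subj, iss = split_dn(cert.subject), split_dn(cert.issuer)
    if len(subj) != len(iss) + 1 or subj[:-1] != iss or not subj[-1].startswith("CN="):
        return None
    cn = subj[-1][3:]
    if cn in LEGACY_PROXY_CNS:
        return cn
    return "rfc" if cn.isdigit() else None


def validate_chain(chain: list, now: datetime) -> tuple:
    """chain[0] is the CA-signed end-entity cert, chain[1:] the successive proxies.
    Returns (identity DN, limited) or raises ValueError."""
    eec = chain[0]
    if not eec.not_before <= now <= eec.not_after:
        raise ValueError("end-entity certificate expired or not yet valid")
    limited, parent = False, eec
    for depth, proxy in enumerate(chain[1:], 1):
        kind = proxy_kind(proxy)
        if kind is None or proxy.issuer != parent.subject:
            raise ValueError(f"proxy {depth}: subject does not extend the issuer's DN")
        if proxy.not_before < parent.not_before or proxy.not_after > parent.not_after:
            raise ValueError(f"proxy {depth}: lifetime exceeds the issuer's")
        if not proxy.not_before <= now <= proxy.not_after:
            raise ValueError(f"proxy {depth}: expired or not yet valid")
        if limited and kind == "proxy":
            raise ValueError(f"proxy {depth}: a limited proxy cannot issue a full proxy")
        limited = limited or kind == "limited proxy"
        parent = proxy
    return eec.subject, limited  # the identity is always the end-entity subject


def chain_error(chain: list, now: datetime) -> Optional[str]:
    """validate_chain as a value: the rejection reason, or None when the chain is good."""
    try:
        validate_chain(chain, now)
    except ValueError as exc:
        return str(exc)
    return None


def parse_gridmap(text: str) -> dict:
    """grid-mapfile lines look like:  "<DN>" account[,account...]"""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        close = line.index('"', 1)
        accounts = line[close + 1:].split()
        if len(accounts) != 1:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        mapping[line[1:close]] = accounts[0].split(",")
    return mapping


def authorize(chain: list, gridmap: dict, now: datetime, service: str) -> str:
    """Local account for a validated chain. Job submission ("gram") refuses limited
    proxies; data movement ("gridftp") accepts them."""
    identity, limited = validate_chain(chain, now)
    if limited and service == "gram":
        raise PermissionError("limited proxy may not submit jobs")
    if identity not in gridmap:
        raise PermissionError(f"{identity} is not in the grid-mapfile")
    return gridmap[identity][0]


# Constructed sample data: a one-year user certificate, a 12-hour proxy, a second
# proxy delegated from it to a remote service, and two proxies that must be refused.
NOW = datetime(2005, 6, 1, 12, 0, tzinfo=timezone.utc)
CA = "/C=US/O=Example Grid/CN=Example CA"
ALICE = "/C=US/O=Example Grid/CN=Alice Smith"
USER_CERT = Cert(ALICE, CA, NOW - timedelta(days=100), NOW + timedelta(days=265))
PROXY1 = Cert(ALICE + "/CN=proxy", ALICE, NOW - timedelta(hours=1), NOW + timedelta(hours=11))
PROXY2 = Cert(PROXY1.subject + "/CN=proxy", PROXY1.subject, NOW - timedelta(minutes=5), NOW + timedelta(hours=10))
OVERLONG = Cert(PROXY1.subject + "/CN=proxy", PROXY1.subject, NOW, NOW + timedelta(days=7))
LIMITED = Cert(PROXY1.subject + "/CN=limited proxy", PROXY1.subject, NOW, NOW + timedelta(hours=2))
GRIDMAP = '''# constructed grid-mapfile
"/C=US/O=Example Grid/CN=Alice Smith" asmith
"/C=US/O=Example Grid/CN=Bob Jones" bjones,grid
'''


def demo() -> str:
    """Twice-delegated proxy submitting a job: traced back to Alice, mapped to asmith."""
    return authorize([USER_CERT, PROXY1, PROXY2], parse_gridmap(GRIDMAP), NOW, "gram")
```

`OVERLONG` is the delegation mistake to watch for: a remote service that mints a week-long proxy from a 12-hour one has escaped the lifetime the user chose, and `validate_chain` rejects it at depth 2 rather than trusting the outermost certificate's own dates.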

Page 3: Web Service Security and Grids

• Web Services have two sorts of security:
  – Transport layer: SSL or TLS for point-to-point security (each hop is protected, not the message end to end through intermediaries).
  – Message-level security: for securing the message itself, regardless of the transport.
• Message-level security is defined by the WS-Security specification.
  – See extensive notes here: http://grids.ucs.indiana.edu/ptliupages/presentations/WStutorialjuly04/
• WS-SecureConversation: used to speed up multiple message exchanges by establishing symmetric secret keys and security contexts.
• SAML: XML markup language used to exchange security attributes.
  – Typically the attributes describe authorization permissions.
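What message-level security buys over transport security, and what a WS-SecureConversation context is for, is easier to see in running code. The following is an added example, not code from the slides or from Globus: it models a signed message that stays verifiable after a relay rewrites it (TLS only protects each hop), and a security context whose symmetric key authenticates a sequence of messages with a timestamp and sequence number. The JSON framing, the HMAC-based key derivation, the `bootstrap_secret` (standing in for whatever the certificate-based handshake agreed) and all names are this example's own, not the WS-Security or WS-SecureConversation XML wire format.

```python
"""Message-level security and a security context, stdlib only (added example)."""
import hashlib
import hmac
import json


class SecurityContext:
    """Shared context: identifier, symmetric key, and per-direction replay state."""

    def __init__(self, context_id: str, key: bytes):
        self.context_id = context_id
        self.key = key
        self.next_seq = 1   # next sequence number this side sends
        self.last_seq = 0   # highest sequence number this side has accepted


def establish_context(bootstrap_secret: bytes, client_nonce: bytes, server_nonce: bytes) -> SecurityContext:
    """Derive the context key from material both sides already share.
    Assumption: bootstrap_secret stands in for what the certificate-based
    handshake would have agreed; the nonces make each context's key distinct."""
    material = client_nonce + b"|" + server_nonce
    key = hmac.new(bootstrap_secret, b"wssc-key|" + material, hashlib.sha256).digest()
    context_id = hashlib.sha256(b"wssc-id|" + material).hexdigest()[:16]
    return SecurityContext(context_id, key)


def _to_sign(header: dict, body) -> bytes:
    # Canonical serialization: both ends must produce identical bytes to sign.
    return json.dumps({"header": header, "body": body}, sort_keys=True, separators=(",", ":")).encode()


def sign(ctx: SecurityContext, body, created: float) -> dict:
    """Wrap a body with a signed header (context id, sequence number, timestamp)."""
    header = {"ctx": ctx.context_id, "seq": ctx.next_seq, "created": created}
    ctx.next_seq += 1
    mac = hmac.new(ctx.key, _to_sign(header, body), hashlib.sha256).hexdigest()
    return {"header": header, "body": body, "signature": mac}


def verify(ctx: SecurityContext, envelope: dict, now: float, max_skew: float = 300.0):
    """Return None if the message is accepted, else the reason it was rejected.
    Only the context id (needed to pick the key) is read before the MAC check."""
    header = envelope["header"]
    if header.get("ctx") != ctx.context_id:
        return "unknown security context"
    expected = hmac.new(ctx.key, _to_sign(header, envelope["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return "signature mismatch"
    if abs(now - header["created"]) > max_skew:
        return "timestamp outside freshness window"
    if header["seq"] <= ctx.last_seq:
        return "replayed or out-of-order message"
    ctx.last_seq = header["seq"]
    return None


def demo() -> dict:
    """Constructed exchange: a relay tampers, the genuine copy arrives, it is replayed,
    and finally a stale message shows up long after it was created."""
    bootstrap, cn, sn = b"constructed-bootstrap-secret", b"client-nonce-1", b"server-nonce-1"
    client = establish_context(bootstrap, cn, sn)
    server = establish_context(bootstrap, cn, sn)  # same inputs -> same key and id
    t0 = 1117627200.0  # constructed epoch timestamp
    msg = sign(client, {"op": "submitJob", "executable": "/bin/hostname"}, created=t0)
    # A relay between two TLS hops rewrites the body; the signature no longer matches.
    tampered = dict(msg, body={"op": "submitJob", "executable": "/bin/rm -rf /"})
    results = {"tampered": verify(server, tampered, now=t0 + 1)}
    results["genuine"] = verify(server, msg, now=t0 + 1)
    results["replay"] = verify(server, msg, now=t0 + 2)  # same sequence number again
    stale = sign(client, {"op": "status"}, created=t0)
    results["stale"] = verify(server, stale, now=t0 + 3600)  # past the freshness window
    return results
```

The order of checks in `verify` is deliberate: the MAC is checked before the timestamp and sequence number are believed, and the sequence number only advances after a message is fully accepted, so a rejected message cannot move the replay window.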

Page 4: Globus Toolkit 4 Overview

• GT4 is a Web Services based framework for deploying and managing services.
• GT4 downloads include:
  – A Web Service container that extends Apache Axis.
  – Several service implementations, described on the next slide.
  – Legacy, non-Web Service (but still popular) tools from GT2.
  – Command line client tools and libraries.
  – Security mechanisms based on Public Key Infrastructure, Web Service security, and internet standards.

Page 5: Code Execution Services

• Grid Resource Allocation and Management (GRAM) can be used to launch and manage one or more jobs.
• An XML job description language allows you to specify a sequence of command and file operations.
• Coupled with the Reliable File Transfer service for increased fault tolerance in multi-step jobs.
• Uses WS-Addressing, WS-Notification, and WSRF to manage the state of long-lived command operations.
• Can be extended with plugins to support batch queuing systems.
  – PBS, LSF, Sun Grid Engine, etc.
• GRAM can also be coupled with Condor for more sophisticated "meta-scheduling" across several machines.
• GRAM uses several security mechanisms (it authenticates the submitter's proxy certificate and maps that identity to a local account before anything runs).

Page 6: Data Management

• GridFTP is a high performance data transfer system that couples to the local file system.
  – Can be used to upload, download, and crossload (third-party transfer) data between several machines.
  – GridFTP is pre-Web Service.
• Reliable File Transfer Service is a Web Service that builds on GridFTP to support batch file transfers.
  – Uses WS-Addressing, WS-Notification, and WSRF to manage the state of long-lived file transfer operations.
  – See upcoming slides.
• OGSA-DAI is a related project of the UK e-Science program that provides uniform access to XML and relational databases.
  – Uses document-oriented Web Services to exchange "activity" documents that can specify database interaction workflows.

Page 7: Resource Monitoring

• GT4 implements Web Service specifications (Web Services Resource Framework and WS-Notification).
  – Spec writing led by IBM and Globus.
  – These specs are going through the OASIS standardization process.
• Resources and services publish XML-based descriptions of themselves.
• Other entities can obtain information on resources (and changes in their status) by two means:
  – Querying the service.
  – Subscribing to notifications from the service.

Page 8: Building New Services

• Globus provides Java, C, and Python web service containers.
• You can write and deploy services in the container of your choice.
• Globus containers implement WS-I compliant support for WSDL, SOAP, and WS-Security.
• They also implement WS-Addressing, WS-Notification, and WSRF.
  – Note that the last two are their own specs.
  – And WS-Addressing changes frequently, so there are compatibility concerns.

Page 9: Writing Clients

• Globus provides some tool support to simplify client development.
  – Client stub generation tools for Globus service WSDL.
• The Java CoG Kit also provides client tools that interact with most known versions of the Globus toolkit.
  – Primarily GT2 and GT4.
  – GT3 bindings exist but are likely to be deprecated.

Page 10: Condor Overview

• Condor is a workload/scheduling system.
  – Schedulers for Linux clusters, similar to PBS and LSF.
  – "Cycle scavengers" for heterogeneous collections of idle workstations.
• Concentrates on "high throughput computing".
  – Getting the most jobs through the system in a week rather than the most FLOPS.

Page 11: Condor and Globus

• The Globus Grid Resource Allocation and Management (GRAM) service is a general way to interact with remote operating systems.
  – Unix fork, various schedulers like PBS and LSF.
• Condor has a scheduler plug-in for GRAM.
  – Use GRAM to launch Condor jobs.
  – Use GRAM job description languages to specify your job.
  – So Globus users can use Condor.
• Condor and GRAM interactions can also be reversed.
  – "Condor-G".
  – Use Condor to launch GRAM jobs.
  – Use Condor job description mechanisms ("classads").
  – So Condor users can use Globus.