![Page 1: Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA](https://reader035.vdocuments.us/reader035/viewer/2022062222/56649eda5503460f94be9541/html5/thumbnails/1.jpg)
Using NMI Components in MGRID: A Campus Grid Infrastructure
Andy Adamson
Center for Information Technology Integration
University of Michigan, USA
Outline
• MGRID: Background and Motivation
• MGRID Architecture
• NTAP: A Grid Application
• Distributed Authorization Issues
• What's Next
MGRID
• Michigan Grid Research and Infrastructure Development is a collaborative effort of many parts of the University of Michigan focused on developing and deploying grid computing for the University of Michigan.
– Characterize and optimize the UM network
– Assist in the development of Grid security middleware
– Determine the requirements for a production Grid site within the UM
– Develop and test Grid Applications
Why MGRID
• Multiple Grid efforts at the U of M
– Clusters
– Automated network configuration and testing
– Remote instrument operation
• Middleware issues are difficult
– Single solution
– Leverage existing security services
• Potentially large user base for Grid services
U of M Security Services
• Uniqname
– Unique campus wide user name and UID
• Kerberos V5 (multiple cells)
• KX509
• Group Services
– AFS PTS
– LDAP (email groups)
MGRID Architecture
[Architecture diagram; labels recovered from the slide: User Workstation (Browser, kx509, libpkcs11, kinit); Web Server (Apache with mod ssl, mod kct, mod kx509, mod jk, mod php; Tomcat running CHEF); SSL – Client Certificate required; Kerberos V5 KDC; KCT; KCA; GSI; GateKeeper Service; Grid Service; Grid-Mapfile; Group Services (LDAP/SASL); Resource Mng/Authorization; numbered interaction steps 1–8.]
MGRID Portal
• Proxy KX509 credentials, keep the Globus client off workstations
• Ease of use for U of M faculty, staff, and students
– Kerberos + kx509 + browser = Grid access
• Single point for PKI management
– CA self-signed keys
– CA policy files
• Single entry point for MGRID services
MGRID Portal
• User workstation
– KX509 to obtain user X509 credentials
– KX509 Certificate available to browser
• Additions to OpenSSL, required on Web Server
– SSL handshake recorded
• Web server SSL configured to require user X509 credentials
MGRID Portal
• SSL Handshake transcript
– Contains all packets exchanged
– Allows KCT to repeat user certificate verification
– Handshake time stamp used
• Apache module, mod_kct
– Sends ssl handshake transcript to KCT service
– Requests KCA Kerberos service ticket
MGRID Portal
• Apache module, mod_kx509
– Uses the KCA TGS
– Obtains user proxy KX509 credentials
– Places them in a ticket file
• Apache module, mod_php
– Creates RSL, uses KX509 credentials
• CHEF runs in Tomcat
– Communicates with Apache through mod_jk
– Creates RSL, uses KX509 or MyProxy credentials
MGRID Architecture
[Architecture diagram repeated from the earlier MGRID Architecture slide.]
MGRID NTAP Project
• NTAP: Network Testing and Performance
• Globus Service to run network test and performance tools
• Purpose: Help build and maintain a secure and functional network at UMICH
• Runs on multi homed nodes placed in a VLANed network
MGRID NTAP Architecture
[Diagram; labels recovered from the slide: Web Portal; Router 1, Router 2, Router 3; Host A, Host B; NTAP 1, NTAP 2, NTAP 3, each behind GSI; Group Services.]
MGRID NTAP Project
• Based on GARA: General-purpose Architecture for Reservation and Allocation
• GARA bandwidth reservation
– Adds and removes configuration stanzas in network hardware
– Includes scheduler for future reservations
• Security of communications and the ability to support roles is required
MGRID NTAP Project
• Added fine grained authorization
• Added signed group membership RSL payload
• Extended bandwidth reservation to be able to run arbitrary programs at a Grid service endpoint
• Designed to easily add functionality
• Network testing tools being run
– Iperf, traceroute, ping, owamp, etc
MGRID NTAP Architecture
[Diagram; labels recovered from the slide: Web Portal; Router 1, Router 2, Router 3; Host A, Host B; NTAP 1, NTAP 2, NTAP 3, each behind GSI; Group Services; Local Domain.]
Cross-domain Authorization
• Implemented with Policy based software
• Policy engine makes authorization decision
– Input <attribute name, value> are matched against resource specific policy rules
– Input attribute names are matched to policy attribute names by a string compare
• Cross-domain attribute name space is therefore required
Cross-domain Authorization
• Attributes include
– Group membership from group services
– Resource request parameters: bandwidth, number of CPU's, etc from RSL
– Environment parameters: time of day, CPU load, etc
• Use of existing local group services is required
– U of M has 100,000+ active uniqnames to manage
– Avoid replicating data and management tasks
Cross-domain Authorization
• Our first design in use today uses a modular group membership call-out and the KeyNote Policy Engine
• Group membership determined by
– Secure RX call to AFS PTS
• Fine-grained authorization expressed in KeyNote policy rules
• Works across U of M campus
MGRID Architecture
[Architecture diagram repeated from the earlier MGRID Architecture slide.]
Authorization: Where?
• Earlier is better
• At the portal
– RSL, group membership, and some environment attributes available
– Can remove load from Grid Service
• At the Grid Service
– Needed when policy has components that can only be satisfied at end service
• Both (divided policy)
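The two mechanisms on the Cross-domain Authorization and Authorization: Where? slides, worked through as an added example that is not part of the original deck and is not MGRID or KeyNote code: a policy engine that matches <attribute name, value> input against resource-specific rules by string-comparing attribute names, the effect of a foreign domain using a different attribute name, and a divided policy in which the portal decides what it can from RSL and group attributes and leaves the environment-dependent rules to the Grid service. The rule set, attribute names (`group`, `rsl.bandwidth`, `env.cpu_load`), the group name `umich:netops` and the name mapping are all constructed for the illustration.

```python
"""Attribute-based authorization as the slides describe it: a policy
engine matches <attribute name, value> input against resource-specific
rules, and attribute names are matched by a plain string compare.
This is an added illustration, not MGRID or KeyNote code; the rule set,
attribute names and the portal/service split are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    """One resource-specific rule: the attribute names it needs and a
    predicate over those attributes."""
    name: str
    needs: Tuple[str, ...]
    check: Callable[[Dict], bool]


# Constructed policy for a hypothetical NTAP bandwidth-reservation endpoint.
# "group" comes from group services, "rsl.*" from the RSL and "env.*" from
# the endpoint's environment, mirroring the attribute sources on the slides.
POLICY: List[Rule] = [
    Rule("member_of_netops", ("group",), lambda a: "umich:netops" in a["group"]),
    Rule("bandwidth_cap", ("rsl.bandwidth",), lambda a: a["rsl.bandwidth"] <= 100),
    Rule("endpoint_not_busy", ("env.cpu_load",), lambda a: a["env.cpu_load"] < 0.8),
]


def evaluate(policy: List[Rule], attrs: Dict) -> Tuple[str, List[str]]:
    """Return (decision, unresolved rule names).

    Attribute names are looked up by exact string equality, as on the
    slides. A rule whose attributes are absent cannot be decided at this
    point and is reported as unresolved; a rule whose attributes are
    present but whose predicate fails denies immediately.
    """
    unresolved = []
    for rule in policy:
        if any(n not in attrs for n in rule.needs):
            unresolved.append(rule.name)
            continue
        if not rule.check(attrs):
            return "deny", []
    return ("permit" if not unresolved else "undecided"), unresolved


def normalize(attrs: Dict, mapping: Dict[str, str]) -> Dict:
    """Translate a foreign domain's attribute names into the shared name
    space before matching; without this step the string compare silently
    leaves the rule unresolved."""
    return {mapping.get(k, k): v for k, v in attrs.items()}


def divided_decision(policy: List[Rule], portal_attrs: Dict, service_attrs: Dict) -> str:
    """Divided policy: decide what the portal can (RSL and group
    attributes), forward only the unresolved rules to the Grid service,
    and decide those with the environment attributes available there."""
    decision, unresolved = evaluate(policy, portal_attrs)
    if decision != "undecided":
        return f"{decision}@portal"
    remaining = [r for r in policy if r.name in unresolved]
    decision, _ = evaluate(remaining, service_attrs)
    return f"{decision}@service"


if __name__ == "__main__":
    portal = {"group": ["umich:netops"], "rsl.bandwidth": 50}
    print(evaluate(POLICY, portal))
    foreign = {"memberOf": ["umich:netops"], "rsl.bandwidth": 50}
    print(evaluate(POLICY, foreign))
    print(evaluate(POLICY, normalize(foreign, {"memberOf": "group"})))
    print(divided_decision(POLICY, portal, {"env.cpu_load": 0.2}))
```

Note how the foreign `memberOf` attribute never matches the `group` rule: the engine does not fail loudly, it simply cannot decide, which is why the slides call a shared cross-domain attribute name space the largest problem facing cross-domain authorization. Rules are evaluated fail-closed (deny as soon as one present rule fails), and the portal can cut load on the Grid service by rejecting such requests before they are forwarded.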
PERMIS
• Similar functionality to KeyNote
– Attributes and policy rules
• Follows XACML standard
• Signed policy stored in LDAP
• Signed user attributes stored in LDAP
– Current design requires new database of users
MGRID: What's Next?
• Use XACML to exchange authorization data
– XACML front end to existing UMICH group services
• Replace grid-mapfile with LDAP call out
– Central administration
– Dynamic local cluster accounts
• Investigate NFSv4 as a grid file system
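The grid-mapfile replacement proposed above, illustrated with an added example that is not part of the deck and is not Globus or MGRID code: a parser for the static DN-to-local-account table a GSI gatekeeper consults, a gatekeeper-style mapping function, and a directory call-out with the same interface, which is what lets the account come from central administration rather than from a file every endpoint must keep in sync. The DNs, local accounts, the in-memory directory and the class names `StaticMapfile` and `DirectoryCallout` are constructed for the illustration.

```python
"""Grid-mapfile lookup, added here as an illustration (not Globus or
MGRID code). It shows the static DN -> local account table a GSI
gatekeeper consults and the call-out shape a directory-backed
replacement would take. DNs, accounts and the in-memory directory
are constructed."""
import re
import shlex
from typing import Dict, List, Optional

# Constructed grid-mapfile in the usual Globus layout: a double-quoted
# certificate subject followed by one or more comma-separated local accounts.
SAMPLE_GRIDMAP = '''
# NTAP endpoint mapping (constructed sample)
"/C=US/O=University of Michigan/OU=CITI/CN=Alice Example" alice
"/C=US/O=University of Michigan/OU=CITI/CN=Bob Example"   bob,ntapops
this line is malformed and must never map anyone
'''


def canonical_dn(dn: str) -> str:
    """Collapse whitespace so two spellings of one subject compare equal."""
    return re.sub(r"\s+", " ", dn.strip())


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {canonical DN: [accounts]}. Malformed lines are skipped
    rather than guessed at, so a bad line can never grant access."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:          # unbalanced quotes
            continue
        if len(parts) != 2 or not parts[0].startswith("/"):
            continue
        dn, accounts = parts
        table[canonical_dn(dn)] = [a for a in accounts.split(",") if a]
    return table


class StaticMapfile:
    """Backend 1: the grid-mapfile every endpoint has to keep in sync."""
    def __init__(self, text: str) -> None:
        self.table = parse_gridmap(text)

    def lookup(self, dn: str) -> List[str]:
        return self.table.get(canonical_dn(dn), [])


class DirectoryCallout:
    """Backend 2: stand-in for the LDAP call-out the slide proposes. The
    account is derived from the centrally managed uniqname, so an endpoint
    can create the local account on first use instead of pre-listing it."""
    def __init__(self, directory: Dict[str, str]) -> None:
        self.directory = directory      # constructed: canonical DN -> uniqname

    def lookup(self, dn: str) -> List[str]:
        uniqname = self.directory.get(canonical_dn(dn))
        return [uniqname] if uniqname else []


def map_user(backend, dn: str, requested: Optional[str] = None) -> Optional[str]:
    """Gatekeeper-style mapping: an unmapped DN gets nothing, the first
    listed account is the default, and a requested account is honoured
    only if the backend lists it for that DN."""
    accounts = backend.lookup(dn)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


if __name__ == "__main__":
    bob = "/C=US/O=University of Michigan/OU=CITI/CN=Bob Example"
    print(map_user(StaticMapfile(SAMPLE_GRIDMAP), bob, "ntapops"))
    print(map_user(DirectoryCallout({canonical_dn(bob): "bobu"}), bob))
```

Because both backends expose the same `lookup`, the gatekeeper-side decision logic in `map_user` does not change when the file is swapped for the call-out; what changes is who administers the mapping and whether the local account has to exist before the first request arrives.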
Summary
• Kx509, CHEF, and PERMIS (XACML) NMI components are being integrated and tested by MGRID
• We would like mod_kct and mod_kca to be considered for NMI-5
• Construction and management of a shared attribute name space is the largest problem facing cross-domain authorization
http://mgrid.umich.edu
Any Questions?