logging in or signing up CROSSGRID VO SEC KD Lassie Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 147 Category: Education License: All Rights Reserved Like it (0) Dislike it (0) Added: May 08, 2008 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Virtual Organizations, Security and Knowledge Discovery in the CrossGrid Project : Virtual Organizations, Security and Knowledge Discovery in the CrossGrid Project Jesús Marco CrossGrid WP4 (International Testbed) Instituto de Física de Cantabria Consejo Superior de Investigaciones Científicas, CSIC Santander, SPAIN http://www.eu-crossgrid.org The EU CrossGrid Project: The EU CrossGrid Project European Project ( ~5 M€, March 2002-2005) proposed to CPA9, 6th IST call, V FP Polish (Cracow & Poznan) / Spanish (CSIC & CESGA) / German (FZK) initiative with the support of CERN (thanks to Fab!) CYFRONET (Cracow) is the coordinator of the project (Michal Turala, project leader) Objectives: Extension of GRID in Europe, assuring interoperability with DataGrid Interactive Applications (“human in the loop”): Environmental fields (meteorology/air pollution, flooding) High Energy Physics (interactive analysis over distributed datasets) Medicine (vascular surgery preparation) Need: Develop corresponding middleware and tools Deploy on a pan-european testbed Partners: Poland (CYFRONET, PSNC, ICM, INP, INS), Spain (CSIC: IFCA, IFIC, RedIRIS, UAB, USC), Germany (FZK, USTUTT, TUM), Slovakia (II SAS), Ireland (TCD), Portugal (LIP), Austria (U.Linz), The Nederlands(UvA), Greece (DEMO, AuTH), Cyprus (UCY) Industry: Datamat (I), Algosystems (Gr)VO, SEC & KD in CrossGrid: VO, SEC & KD in CrossGrid CrossGrid interactive applications require: Complex but Secure Virtual Organizations CrossGrid middleware provides a framework for development Friendly secure use: Roaming Access Server (Portal/Migrating Desktop) Scheduling for collaborative work to VO resources CrossGrid testbed: Relies on local site support for management and security uses Globus basic grid security: GSI follows EU-DataGrid in deployment for interoperability: Certification Authorities Virtual Organization LDAP Next: VOMS Knowledge Discovery: Development of Grid-adapted Data Mining Techniques accessing Distributed Databases with published Metadata Catalogs Flood management: Flood management Goal: Flooding risk prediction Method: Cascade of simulations Meteorological Hydrological Hydraulic Virtual Organization Need Grid in interactive mode (simulation results for “what-if” ) seamlessly connect together experts, data and computing resources needed for quick decisions highly automated early warning system, based on hydro-meteorological (snowmelt) rainfall-runoff simulationsGrid Security Infrastructure (GSI): Grid Security Infrastructure (GSI) Globus Toolkit implements GSI protocols and APIs, to address Grid security needs GSI protocols extends standard well-known public key authentication protocols for authentication and message protection X.509 identity certificates SSL/TLS GSI supports standard API, GSSAPI, for supporting a number of applications SSH, GridFTPGrid Security Infrastructure (GSI): Grid Security Infrastructure (GSI) GSI is: PKI (CAs and Certificates) SSL/ TLS Proxies and Delegation PKI for credentials SSL for Authentication And message protection Proxies and delegation (GSI Extensions) for secure single Sign-onEU-DataGrid Security Services: EU-DataGrid Security ServicesThe CrossGrid Testbed: The CrossGrid Testbed 16 sites (small & large) in 9 countries, connected through Géant + NReNs + Grid Services: EDG middleware (based on Globus) RB, VO, RC… UCY Nikosia DEMO Athens Auth Thessaloniki CYFRONET Cracow ICM & IPJ Warsaw PSNC Poznan CSIC IFIC Valencia UAB Barcelona CSIC-UC IFCA Santander CSIC RedIris Madrid LIP Lisbon USC Santiago TCD Dublin UvA Amsterdam FZK Karlsruhe GéantComputing resources: Computing resources Site testbed LCFG configuration server User Interface Gatekeeper (Computing Element) Worker Nodes Storage Element 16 sites: 115 CPUs (Worker Nodes) 4 TB (Storage Elements) Grid services (LIP) Information Index Top MDS Information Server, points to site Information Servers Resource Broker Matchmaking and load balancing scheduler Replica Catalogue Database for physical replica file location Certificate Proxy Server Short lived certificates for long lived processes, used by RB Virtual Organization Server Database for user authentication (CROSSGRID VO) Monitoring Mapcenter: network monitoring system National Certification Authority machines CrossGrid CA page: CrossGrid CA pageWorking on RA procedure : Working on RA procedure VO server in CrossGrid: VO server in CrossGrid Overview of VOMS: Overview of VOMS MyProxy user CA certificate: dn, ca, Pkey proxy cert: dn, cert, Pkey, VOMS cred. (short lifetime) TrustManager doit pre-process: parameters-> obj.id + req. op. obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth WebServices Authz dn,attrs,acl, req.op ->yes/no doit auth authz map dn -> DB role TrustManager LCMAPS dn -> userid, krb ticket GSI LCAS dn,attrs,acl, req.op ->yes/no doit auth authz map GSI doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth coarse grained (e.g. Spitfire) coarse grained (e.g. gatekeeper) fine grained (e.g. RepMec) fine grained (e.g. SE, /grid) Java proxy cert proxy cert proxy cert mod_ssl doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth C web fine grained (e.g. GridSite) proxy cert VOMS VOMS cred: VO, group(s), role(s) certificate proxy cert delegation: cert+key (long lifetime) delegation: cert+key (short lifetime) re-newal request request focus is on VOMSdetails are in D7.6 Security DesignVOMS Overview: VOMS Overview Provides info about the user’s relationship with his VO(‘s) groups, roles (admin, student, ...), capabilities (free form string), temporal bounds Features single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init); expiration time: the authorization information is only valid for a limited period of time (possibly different from the proxy certificate itself); backward compatibility: the extra VO related information is in the user’s proxy certificate, which can be still used with non VOMS-aware services; multiple VO’s: the user may authenticate himself with multiple VO’s and create an aggregate proxy certificate; security: all client-server communications are secured and authenticated.VOMS Architecture: VOMS Architecture DB JDBC GSI https vomsd voms-proxy-init mkgridmap DBI https VOMS server soap + SSL MySQL db – with history and audit records User query server and client (C++) Java Web Service based administration interface Perl client (batch processing) Web browser client (generic administrative tasks) Web server interface for mkgridmapUser’s Authorization in EDG 2.x: User’s Authorization in EDG 2.x VO-VOMS authentication & authorization info user cert (long life) VO-VOMS VO-VOMS VO-VOMS host cert (long life) authz cert (short life) service cert (short life) authz cert (short life) proxy cert (short life) voms-proxy-init crl update registration registration LCAS edg-java-securityLocal Site Authorization: Local Centre Authorization Service (LCAS) Handles authorization requests to local fabric authorization decisions based on proxy user certificate and job specification; supports grid-mapfile mechanism. Plug-in framework (hooks for external authorization plugins) allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db) plugin for VOMS (to process authorization data) Local Credential Mapping Service (LCMAPS) provides local credentials needed for jobs in fabric mapping based on user identity, VO affiliation, local site policy Local Site AuthorizationKnowledge Discovery: Knowledge Discovery Will CrossGrid VO “export” or “discover” knowledge ? Likely for Meteo applications Partially only for HEP applications First step: extending KDD to the Grid environment: Data-mining on distributed databases (task 1.3-1.4, HEP & Meteo large databases) Distributed query using: Metadata + Replica catalogs Interactive Database Server modules (i.e. O/R DBMS, PAW) Queries in XML format Distributed via MPICH-G2 in master-slave scheme Mid-Large size databases, o(TB) Data-mining algorithms adapted to the Grid: Distributed Neural Network training Self-Organizing Maps Distributed also using MPICH-G2 Tests started ! Encouraging first results! Modeling, benchmarking, performance prediction (CrossGrid WP2 tools) Architecture: Architecture Challenging issues to be discussed with other projects: Challenging issues to be discussed with other projects On-line Authentication mechanisms? Proxy use for portals/roaming access User understanding of Virtual Organizations: Membership features Permanent storage (personal/group/vo/external) Optimal use (from accounting, scheduling to replication and resilience) Active Security Policies (Grid-patrols) Metadata publication for distributed databases Transition to OGSA/OGSI: Adapting current middleware OGSA-DAI use Distributed mechanisms (MPICH-G3?) New knowledge discovery mechanismsSummary: Summary Virtual Organizations & Security are key points in the CrossGrid project Experience from real working testbed, thanks to the use of Globus GSI and EU-DataGrid middleware Considerable effort on deployment (CA,RA,VO, Sites management): an interoperable pan-european community (CrossGrid + DataGrid) VOMS (EDG) opens new possibilities for VO CrossGrid will make clear to the user the VO possibilities but also the security issues to assure a friendly environment: Portal proxy-based secure access also to be “almost transparent” User group and roles together with resource discovery and monitoring Knowledge discovery can be seen as a final ideal environment for specific application users, progressing along this direction: Data Mining on Distributed Databases prototypes being tested on a realistic Grid environment You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
CROSSGRID VO SEC KD Lassie Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 147 Category: Education License: All Rights Reserved Like it (0) Dislike it (0) Added: May 08, 2008 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Virtual Organizations, Security and Knowledge Discovery in the CrossGrid Project : Virtual Organizations, Security and Knowledge Discovery in the CrossGrid Project Jesús Marco CrossGrid WP4 (International Testbed) Instituto de Física de Cantabria Consejo Superior de Investigaciones Científicas, CSIC Santander, SPAIN http://www.eu-crossgrid.org The EU CrossGrid Project: The EU CrossGrid Project European Project ( ~5 M€, March 2002-2005) proposed to CPA9, 6th IST call, V FP Polish (Cracow & Poznan) / Spanish (CSIC & CESGA) / German (FZK) initiative with the support of CERN (thanks to Fab!) CYFRONET (Cracow) is the coordinator of the project (Michal Turala, project leader) Objectives: Extension of GRID in Europe, assuring interoperability with DataGrid Interactive Applications (“human in the loop”): Environmental fields (meteorology/air pollution, flooding) High Energy Physics (interactive analysis over distributed datasets) Medicine (vascular surgery preparation) Need: Develop corresponding middleware and tools Deploy on a pan-european testbed Partners: Poland (CYFRONET, PSNC, ICM, INP, INS), Spain (CSIC: IFCA, IFIC, RedIRIS, UAB, USC), Germany (FZK, USTUTT, TUM), Slovakia (II SAS), Ireland (TCD), Portugal (LIP), Austria (U.Linz), The Nederlands(UvA), Greece (DEMO, AuTH), Cyprus (UCY) Industry: Datamat (I), Algosystems (Gr)VO, SEC & KD in CrossGrid: VO, SEC & KD in CrossGrid CrossGrid interactive applications require: Complex but Secure Virtual Organizations CrossGrid middleware provides a framework for development Friendly secure use: Roaming Access Server (Portal/Migrating Desktop) Scheduling for collaborative work to VO resources CrossGrid testbed: Relies on local site support for management and security uses Globus basic grid security: GSI follows EU-DataGrid in deployment for interoperability: Certification Authorities Virtual Organization LDAP Next: VOMS Knowledge Discovery: Development of Grid-adapted Data Mining Techniques accessing Distributed Databases with published Metadata Catalogs Flood management: Flood management Goal: Flooding risk prediction Method: Cascade of simulations Meteorological Hydrological Hydraulic Virtual Organization Need Grid in interactive mode (simulation results for “what-if” ) seamlessly connect together experts, data and computing resources needed for quick decisions highly automated early warning system, based on hydro-meteorological (snowmelt) rainfall-runoff simulationsGrid Security Infrastructure (GSI): Grid Security Infrastructure (GSI) Globus Toolkit implements GSI protocols and APIs, to address Grid security needs GSI protocols extends standard well-known public key authentication protocols for authentication and message protection X.509 identity certificates SSL/TLS GSI supports standard API, GSSAPI, for supporting a number of applications SSH, GridFTPGrid Security Infrastructure (GSI): Grid Security Infrastructure (GSI) GSI is: PKI (CAs and Certificates) SSL/ TLS Proxies and Delegation PKI for credentials SSL for Authentication And message protection Proxies and delegation (GSI Extensions) for secure single Sign-onEU-DataGrid Security Services: EU-DataGrid Security ServicesThe CrossGrid Testbed: The CrossGrid Testbed 16 sites (small & large) in 9 countries, connected through Géant + NReNs + Grid Services: EDG middleware (based on Globus) RB, VO, RC… UCY Nikosia DEMO Athens Auth Thessaloniki CYFRONET Cracow ICM & IPJ Warsaw PSNC Poznan CSIC IFIC Valencia UAB Barcelona CSIC-UC IFCA Santander CSIC RedIris Madrid LIP Lisbon USC Santiago TCD Dublin UvA Amsterdam FZK Karlsruhe GéantComputing resources: Computing resources Site testbed LCFG configuration server User Interface Gatekeeper (Computing Element) Worker Nodes Storage Element 16 sites: 115 CPUs (Worker Nodes) 4 TB (Storage Elements) Grid services (LIP) Information Index Top MDS Information Server, points to site Information Servers Resource Broker Matchmaking and load balancing scheduler Replica Catalogue Database for physical replica file location Certificate Proxy Server Short lived certificates for long lived processes, used by RB Virtual Organization Server Database for user authentication (CROSSGRID VO) Monitoring Mapcenter: network monitoring system National Certification Authority machines CrossGrid CA page: CrossGrid CA pageWorking on RA procedure : Working on RA procedure VO server in CrossGrid: VO server in CrossGrid Overview of VOMS: Overview of VOMS MyProxy user CA certificate: dn, ca, Pkey proxy cert: dn, cert, Pkey, VOMS cred. (short lifetime) TrustManager doit pre-process: parameters-> obj.id + req. op. obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth WebServices Authz dn,attrs,acl, req.op ->yes/no doit auth authz map dn -> DB role TrustManager LCMAPS dn -> userid, krb ticket GSI LCAS dn,attrs,acl, req.op ->yes/no doit auth authz map GSI doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth coarse grained (e.g. Spitfire) coarse grained (e.g. gatekeeper) fine grained (e.g. RepMec) fine grained (e.g. SE, /grid) Java proxy cert proxy cert proxy cert mod_ssl doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth C web fine grained (e.g. GridSite) proxy cert VOMS VOMS cred: VO, group(s), role(s) certificate proxy cert delegation: cert+key (long lifetime) delegation: cert+key (short lifetime) re-newal request request focus is on VOMSdetails are in D7.6 Security DesignVOMS Overview: VOMS Overview Provides info about the user’s relationship with his VO(‘s) groups, roles (admin, student, ...), capabilities (free form string), temporal bounds Features single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init); expiration time: the authorization information is only valid for a limited period of time (possibly different from the proxy certificate itself); backward compatibility: the extra VO related information is in the user’s proxy certificate, which can be still used with non VOMS-aware services; multiple VO’s: the user may authenticate himself with multiple VO’s and create an aggregate proxy certificate; security: all client-server communications are secured and authenticated.VOMS Architecture: VOMS Architecture DB JDBC GSI https vomsd voms-proxy-init mkgridmap DBI https VOMS server soap + SSL MySQL db – with history and audit records User query server and client (C++) Java Web Service based administration interface Perl client (batch processing) Web browser client (generic administrative tasks) Web server interface for mkgridmapUser’s Authorization in EDG 2.x: User’s Authorization in EDG 2.x VO-VOMS authentication & authorization info user cert (long life) VO-VOMS VO-VOMS VO-VOMS host cert (long life) authz cert (short life) service cert (short life) authz cert (short life) proxy cert (short life) voms-proxy-init crl update registration registration LCAS edg-java-securityLocal Site Authorization: Local Centre Authorization Service (LCAS) Handles authorization requests to local fabric authorization decisions based on proxy user certificate and job specification; supports grid-mapfile mechanism. Plug-in framework (hooks for external authorization plugins) allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db) plugin for VOMS (to process authorization data) Local Credential Mapping Service (LCMAPS) provides local credentials needed for jobs in fabric mapping based on user identity, VO affiliation, local site policy Local Site AuthorizationKnowledge Discovery: Knowledge Discovery Will CrossGrid VO “export” or “discover” knowledge ? Likely for Meteo applications Partially only for HEP applications First step: extending KDD to the Grid environment: Data-mining on distributed databases (task 1.3-1.4, HEP & Meteo large databases) Distributed query using: Metadata + Replica catalogs Interactive Database Server modules (i.e. O/R DBMS, PAW) Queries in XML format Distributed via MPICH-G2 in master-slave scheme Mid-Large size databases, o(TB) Data-mining algorithms adapted to the Grid: Distributed Neural Network training Self-Organizing Maps Distributed also using MPICH-G2 Tests started ! Encouraging first results! Modeling, benchmarking, performance prediction (CrossGrid WP2 tools) Architecture: Architecture Challenging issues to be discussed with other projects: Challenging issues to be discussed with other projects On-line Authentication mechanisms? Proxy use for portals/roaming access User understanding of Virtual Organizations: Membership features Permanent storage (personal/group/vo/external) Optimal use (from accounting, scheduling to replication and resilience) Active Security Policies (Grid-patrols) Metadata publication for distributed databases Transition to OGSA/OGSI: Adapting current middleware OGSA-DAI use Distributed mechanisms (MPICH-G3?) New knowledge discovery mechanismsSummary: Summary Virtual Organizations & Security are key points in the CrossGrid project Experience from real working testbed, thanks to the use of Globus GSI and EU-DataGrid middleware Considerable effort on deployment (CA,RA,VO, Sites management): an interoperable pan-european community (CrossGrid + DataGrid) VOMS (EDG) opens new possibilities for VO CrossGrid will make clear to the user the VO possibilities but also the security issues to assure a friendly environment: Portal proxy-based secure access also to be “almost transparent” User group and roles together with resource discovery and monitoring Knowledge discovery can be seen as a final ideal environment for specific application users, progressing along this direction: Data Mining on Distributed Databases prototypes being tested on a realistic Grid environment