Grid security in NAREGI project. NAREGI, the Japanese national science grid project, is doing research and development of grid middleware to create e-Science infrastructure in the CSI (Cyber Science Infrastructure) concept. This presentation will provide issues and future plans regarding grid security, including VO management for interoperability of grid projects. APAN Grid-Middleware Workshop 2006



Publication of scientific results from academia

Human Resource Development and strong organization

NAREGI Middleware

Virtual Organization for science

CyberScience Infrastructure for Advanced Science (by NII)

To Innovate Academia and Industry

UPKI

Super SINET: a next generation network infrastructure supported by NII and 7 National Computer Centers

CyberScience Infrastructure

Hokkaido University

Tohoku University

University of Tokyo, NII

Nagoya University

Kyoto University

Osaka University

Kyushu University

(Tokyo Institute of Technology, Waseda University, High Energy Accelerator Research Organization (KEK), etc.)

Scientific Repository

Industry Liaison and Social Benefit

Global Contribution

Super SINET provides 10 Gbps Backbone

Grid for enabling Collaborative Computing

Researchers

Experimental Devices

Super Computer

Data Base Server

Experiments using special devices

Analysis using Super Computers

Search in Data Bases

Overseas Lab B

University A

Domestic Lab C

Super SINET

Security is a key issue to be solved!

A Virtual Organization

To realize a heterogeneous large scale computational environment

To share large and expensive devices and data bases

Computing Centers & VOs

NII IMS KEK Univ. Centers

Globus 4 / NAREGI -- WSRF + Services Core

SuperSINET

Grid-Enabled Nano-Applications (WP6)

Grid PSE (WP3)

Grid Programming (WP2)
- Grid RPC
- Grid MPI

Grid Vis (WP3)

Grid VM (WP1)

Packaging

Distributed Information Service (WP1)

Grid Workflow (WP3)

Super Scheduler (WP1)

High Performance & Secure Grid Networking (WP5)

Data Grid (WP4)

NAREGI Software Stack (Beta ver. 2006)

Computing Resource

GridVM

Accounting

CIM

UR/RUS

Resource Info.

Reservation, Submission, Query, Control…

Client

Concrete JSDL

Workflow

Abstract JSDL

Super Scheduler

Information Service

DAI

Resource Query

Reservation based Co-Allocation

GridMPI

WFT, PSE, GVS, GridRPC

A Use Case : Job Submission with Reservation based Co-Allocation

Future issues

Current Issues to be solved

Developed NAREGI-CA to be deployed in UPKI

Security Requirements in AAA

• Authentication
  – PKI based user authentication
  – Compatible with GSI standards
  – Trust federation between CAs

• Authorization
  – VO management for inter-organizational collaboration
  – Interoperable with other Grid projects

• Accounting
  – ID federation for authorization & traceability
  – With privacy protection!

Virtual Organization

user 1 (VO Manager)

service_c

service_a

Services and Users are exposed in a Virtual Organization

Organization A

service_c

service_b

service_a

user 2

user 3

user 1

Contract A

service_x

service_y

user p

service_z

service_x

service_y

user p

user q

user r

Organization B

Contract B

PKI domain

VO domain

Virtual Organization and Security Domain

Definition of VO on GGF
・ CAS (Community Authorization Service)
・ VOMS (Virtual Organization Membership Service)

A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains.

User

CA/RA

VOMS

Proxy Cert + VO

User Cert

CRL

Grid Job Submission

VOMS-type VO Management

developed in EGEE

DN, VO, Group, role, capability

GRAM

MK-gridmapfile

Gridmapfile

GACL

LCAS

EGEE Grid site

DN > pseudo accounts

User

CA/RA

VOMS

GRAM

Proxy Cert + VO

User Cert

CRL

Grid Job Submission

Managed by the Super Scheduler

Account Mapping

Gridmapfile

Policyfile

NAREGI Grid site

VOMS-type VO Management adopted in NAREGI

DN, VO info

Grid VM

Information Service

Certificates handling is too hard for users

Job Submission mechanism in NAREGI Middleware version

VOMS

MyProxy

VOMS Proxy Certificate

User Management Server (UMS)

User Certificate

Private Key

Client Environment

Portal Services

WFT

PSE

GVS

VOMS Proxy Certificate

SS client

The Super Scheduler (SS)

VOMS Proxy Certificate

GridVM

WF Credential Repository

VOMS Proxy Certificate

Users

Integrated and easy handling of VOMS and MyProxy

Log in

Workflow (WF)

WF Credential is a user proxy cert passed through to the SS with the delegation protocol

delegation

Grid Jobs

delegation

The SS receives WF and deploys Grid jobs

VO and User Management Service

• Adoption of VOMS for VO management
  – Using proxy certificates with VO attributes for interoperability with EGEE
  – GridVM is used instead of LCAS/LCMAPS

• Integration of MyProxy and VOMS servers
  – with UMS (User Management Server) to realize a one-stop service at the NAREGI Grid Portal
  – using gLite implemented at UMS to connect to the VOMS server

• Workflow Credential Repository
  – As Workflow Credential a User Proxy Cert is used to realize safe delegation between the NAREGI Grid Portal and the Super Scheduler, in the same way as MyProxy.
  – The Super Scheduler receives Workflow (BPEL) and reserves resources to deploy Grid jobs with the GSI interface.
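The account mapping step that the VOMS slides sketch (DN plus VO, group, role and capability from the proxy certificate, run through a gridmapfile and a site policy file to a local pseudo account), as an added Python example that is not NAREGI or EGEE code: the FQAN syntax is VOMS's, while the DNs, policy table and account names are constructed.

```python
"""Account mapping from VOMS attributes, as an added example of the
DN / VO / group / role / capability -> pseudo-account step the slides
sketch (MK-gridmapfile, Gridmapfile, Policyfile). Not NAREGI or EGEE
code: the FQAN syntax is VOMS's, everything else is constructed."""
import re
from typing import Dict, List, Optional

# VOMS fully qualified attribute name:
#   /<vo>[/<subgroup>...][/Role=<role>][/Capability=<cap>]
_FQAN = re.compile(
    r"^/(?P<vo>[^/=]+)(?P<group>(?:/[^/=]+)*)"
    r"(?:/Role=(?P<role>[^/]*))?(?:/Capability=(?P<cap>[^/]*))?$"
)

def parse_fqan(fqan: str) -> Dict[str, str]:
    """Split an FQAN into vo, full group path, role and capability.
    Missing Role/Capability are reported as 'NULL', as VOMS does."""
    m = _FQAN.match(fqan)
    if m is None:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    d = m.groupdict()
    return {"vo": d["vo"], "group": "/" + d["vo"] + d["group"],
            "role": d["role"] or "NULL", "cap": d["cap"] or "NULL"}

# Constructed site policy (stands in for the slide's 'Policyfile'):
# (vo, group, role) -> local pseudo account. First match wins, so
# the more specific entries are listed first.
POLICY = [
    ("nano", "/nano/admin", "Manager", "nanoadm"),
    ("nano", "/nano", "NULL", "nano001"),
]
# Constructed gridmapfile: explicit DN entries take precedence.
GRIDMAP = {"/C=JP/O=NAREGI/CN=Alice Example": "alice"}

def map_account(dn: str, fqans: List[str]) -> Optional[str]:
    """Gridmapfile lookup first, then the proxy's VOMS attributes in
    the order VOMS issued them; None means 'no account, reject job'."""
    if dn in GRIDMAP:
        return GRIDMAP[dn]
    for fqan in fqans:
        a = parse_fqan(fqan)
        for vo, group, role, account in POLICY:
            if (a["vo"], a["group"], a["role"]) == (vo, group, role):
                return account
    return None
```

A malformed FQAN raises rather than silently mapping to a default account, which is the behaviour a site policy enforcement point should have.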

Current Issues and the Future Plan

• Current Issues on VO management
  – VOMS platform
    • gLite is running on GT2, while NAREGI middleware runs on GT4
  – GridVM
    • Interoperability of authorization policy with other Grid projects is to be realized.
  – Proxy certificate renewal
    • Need to invent a new mechanism

• Future plan
  – Cooperation with GGF security area members to realize interoperability with each other.
  – A new proposal of VO management methodology and trial of a reference implementation.

MyProxy

User

CA/RA

Web Server

VO Management

Policy Enforcement Point

Authentication & Authorization Service

Proxy Cert of User

User Cert

SAML+XACML

CRL

Log in

Grid Job Submission

Policy Decision Point

Policy Information Point

OCSP/XKMS

LDAP

AuthN & AuthZ Services in the future

Super Scheduler GRAM (Grid VM)

Summary

• NAREGI at first developed a reliable authentication system, which will be deployed in the UPKI project.

• VO management was the second target, and VOMS has been adopted for interoperability with EGEE.

• NAREGI commits to OGSA and will contribute to standardization of VO management in the Grid community.

• ID management still remains an open issue. GridShib or Liberty Alliance may be considered.