Supporting Secure and Scalable GAN Collaborations Deb Agarwal
Supporting Secure and Scalable GAN Collaborations Deb Agarwal (DAAgarwal@lbl. gov) Marcia Perry and Mary Thompson Collaboration Technologies Group Lawrence Berkeley National Laboratory GAN – 8/26/02
Grid • Integrated distributed computing middleware — Public key-based security — Security infrastructure — Proxy certificates — Directory services — Resource scheduling — Web services (Open grid services architecture) — Secure file transfer — Uniform compute job submission — Job tracking • DOE Science Grid • Global Grid Forum GAN – 8/26/02
Typical Security Requirements • • Limit participation to authorized people Specify and enforce participant access capabilities Single sign-on into environment Create and enforce authorization policy for dynamic components • Dynamically change authorization policy • Identify participant actions (particularly for auditing and logging) GAN – 8/26/02
Security Terminology/Mechanisms • Authentication – identify users — PKI Certificates — Attribute certificates — Username/password • Authorization – figure out what users are allowed to do — Access Control Lists — Authorization servers • policy • capability certificates • Privacy — Private Network (virtual or actual) — Encryption • Data integrity — Message Authentication Codes (hash) GAN – 8/26/02
Grid Security Infrastructure (GSI) • X. 509 Public Key Infrastructure (PKI)-based identity certificates — Contains the public key issued and signed by a certificate authority — Used with the private key to provide authentication of users (SSL/TLS) — A defined set of certificate authorities are trusted to issue identity certificates • Focuses on control of static resources accessed by a well defined set of users • Authorization policy is controlled, administered, and enforced at the local resources — Grid-mapfile is used to map from identities to local authorization entities — Designed to control access to computers GAN – 8/26/02
GSI - Proxy Certificates • Motivation —Processes need to be able to act on the user’s behalf —Do not want to hand out the user’s private key —Want to support single sign-on • Proxy certificates derived from the user’s identity certificate • New credential —Stored locally unencrypted (no pass phrase) —Short-lived (~12 -24 hrs) —Created by calling grid-proxy-init • Used by processes to act on the user’s behalf GAN – 8/26/02
Some Existing and Planned Tools • Grid Security Infrastructure (GSI and OGSI) — my. Proxy • Authorization servers — Akenti — Community Authorization Service (CAS) • Secure Group Communication • Existing technologies — Kerberos — SSL/TLS — Simple Authentication Security Layer — PGP GAN – 8/26/02
Pervasive Collaborative Computing Environment (PCCE) Goals • Collaboratory centered around a shared computational workflow • Support ‘continuous’ collaboration • Target daily tasks and base connectivity • Web-based interface available for ease of use/installation • Collaborative workflow tools • Leverage off of existing components when possible • Leverage off the Grid services —security —directory services —job submission and tracking • Standards-based components GAN – 8/26/02
Remote Instrument Access • Advanced Light Source – LBNL — Remotely controllable cameras/videoconferencing at the beamline — Transmission of machine parameters and settings to all participants — Control handoff via a token — Collaboration communication infrastructure integrated into existing control system GAN – 8/26/02
Collaborative Collaboration Tools • Security – authentication and authorization — single point of login — group and individual authorization • Communication — communicate easily between components — scalable to large groups — flexible delivery models (e. g. reliability and order) • Logging – ability to record all that occurred in a session • Events – notifications between tools • Search capabilities • Collaboration context awareness • Presence information GAN – 8/26/02
- Slides: 11