Russell Lock
11 February 2002

Abstract

This report gives the reader an overview of the Globus middleware platform, emphasizing its uses, and the extent to which it provides the services required for a grid architecture. It then describes the various components that go into making the Globus Toolkit and its future as a grid building tool.

Introduction to the Globus Toolkit

Contents

1 Introduction
  1.1 The Globus toolkit
  1.2 Globus and the real world
  1.3 Requirements of Grid based systems
2 Basic Globus Concepts
  2.1 Jobs
  2.2 GRAM
  2.3 An overview of Globus components
3 GASS
4 MDS
  4.1 GRIS
  4.2 GIIS
5 HBM
6 GSI
  6.1 Grid Security Overview
  6.2 Globus Grid-map file
  6.3 Encryption
    6.3.1 The basic principle of encryption
    6.3.2 Globus and encryption
    6.3.3 Public key encryption
  6.4 X.509 certificates and CA's
  6.5 Mutual Authentication
  6.6 Other security considerations
    6.6.1 Proxies
    6.6.2 Specific GASS server issues
  6.7 Overall Issues with the globus security model
7 Running a simple Job
8 Extending Globus (Schedulers)
9 Conclusions
10 Glossary
11 References
12 Appendix

1 Introduction

The Globus[1] toolkit is designed to enable people to create computational grids. It has been developed over several years chiefly at the Argonne National Laboratory Illinois USA. Globus is an open source initiative aimed at creating new grids capable of the scale of computing seen only in supercomputers up to now. As an open source project any person can download the software, examine it, install it and hopefully improve it. By this constant stream of comments and improvements,
new versions of the software can be developed with increased functionality and reliability. In this way the Globus project itself will be ongoing, with constant evolution of the toolkit.

Grid computing has been an active research area for several years and several systems exist that utilize functional computational grids. The most notable of these are the NASA Information Power Grid[3] (run on the Globus toolkit) and the new grid being constructed for analyzing data from the Large Hadron Collider project at Cern[4] when it becomes operational. So far the leading grid middleware system has been the Globus Toolkit. The introduction of computational grids has given developers a considerable number of extra problems to overcome in order to make them work correctly and reliably.

Computational grids are designed to make better utilization of resources on people's computers. They do this by harnessing the resources not being used at the time, to work on problems elsewhere. The mode this takes could be harvesting the process cycles of people's machines or disk space etc. Primarily research at this stage is in creating computational grids for university departments and for small scale businesses, which may need the use of a supercomputer but cannot afford the price,
or the space in which to house one. It is also helping to break down barriers on how these resources are accessed by trying to build an architecture where any machine could potentially control a virtual supercomputer at any given time.

The average desktop machine in an office is only utilized at 5% of its possible processing power. These revelations have led to an upsurge in interest for methods of using this perceived waste of resources for a better purpose. It should be stressed that some of the earlier attempts to put this power to a good use are not necessarily grid architectures in the strictest sense. For example the SETI program[2] makes use of home and business machines with their seti@home computations. These have largely been successful ventures but apply a rigid definition on who submits jobs. In the case of seti@home the control comes from the central server only. The Globus toolkit allows selected users to gain access to these unused resources via computer networking, potentially making every computer a request sender.

1.1 The Globus toolkit

The Globus toolkit itself is made from a number of components. The design of the toolkit itself is very modular and has been developed in this way to make alterations and improvements easier, with less impact on connected components. The toolkit is written in the C programming language and the source is available for download. It is designed to work on a number of platforms, predominantly that of Linux but with limited support for Microsoft promised in the future. Globus has also recently been ported for the Solaris platform. So far Globus has been a lead contender in the development of grid computing and is currently the only major effort with open source availability. The Toolkit itself is designed to work in research environments,
predominantly as an impetus to be redesigned and improved upon; however in theory any company could install it and use it as a computing tool.

1.2 Globus and the real world

Many people suffer from a misconception of why the Globus toolkit exists and what people can realistically expect to achieve with it. The Toolkit has been developed to provide a basic level of functionality for grid based systems. The main problem stems from the fact that the system is of such a low level that it could never be considered a complete solution for a business or other major venture. Reading the latest news articles and public announcements people could easily believe that the era of grid computing is here right now, and that everyone either should be using grids or will be in a few years' time. Every week it seems one of the tabloid newspapers is publicizing the new successor to the internet, that of grid computing. Very few understand the term however and widespread confusion seems to be commonplace on the issue.

In order to try to clear up the misunderstandings shown in the press for the Globus initiative the following analogy is put forward. Using the Toolkit by itself is analogous to driving a number of cars simultaneously. In theory you could do this, but it would require an unfeasible amount of attention to make it work. This is what Globus provides. It allows complete control of a grid environment, but at the bare Toolkit level this would mean the user making every decision. For example in a finished system if you were sending off a job to a machine it would be nice to know in advance whether the machine was busy or not. If it were, you may wish to change your mind and send the request to a different one. Globus supports this but it does not give you the information unless a) you ask explicitly for it, b) you have started the requisite services it needs beforehand. The fact that the user is prompted to set things running,
and to decide every decision that needs making does not make the system flawed in any way. Many people who install the Toolkit will find it difficult to use; this is not through bad design but from the inherent fact that Globus was designed to be implemented and built upon by others.

The Globus architecture has become the de facto standard for Grid computing and has provided the basic building blocks to do most of the things you would wish to when building a grid. Many companies are working on products to operate commercial grid solutions based on the Globus architecture. Therefore though the Globus initiative is open source, the solutions used in your department or office in the next ten years will not be the basic Globus toolkit, but a properly supported, debugged (to a relative extent) version installed by people trained to do so. At its roots however will be the same basic architecture that will be shown over the next few sections.

1.3 Requirements of Grid based systems

Fundamentally a number of services are needed in order to build a working grid based system. Because this issue could span a report all of its own, consideration is given only to the major areas:

- You need to be able to allow a person on a given machine to submit a job to a machine elsewhere.
- You require a way to monitor a job's progress and to give you back the results if necessary.
- The user needs to be able to find out details about different machines, to make an informed choice as to what machine to place a given job on. At a basic level this means some sort of resource discovery, at a more advanced level the load on a given machine,
its memory capacity etc.
- You need to ensure that if any part of the system fails it can recover.
- You need to be able to support jobs that require resources at their execution machine over and above that of the actual program itself.
- You need to secure the whole package so that only the people who should get in do get in.

Now that the many facets of a typical grid have been listed it would seem prudent that Globus was split into a number of components. Before delving into how the various parts work, an explanation of some of the more basic services is given in the next section, then a basic diagram is shown in section 3.3 showing the names of the various components in Globus, and a key to show what their role is in the system.

2 Basic Globus Concepts

In order to understand the way in which the Globus toolkit interacts with the various services, it is essential that the reader understands the basic principles behind what the system is actually sending between machines, and what happens when it gets there. These points are shown in the section below. Section 2.3 then shows an overall view of the Globus system with the following chapters explaining the components in more detail.

2.1 Jobs

For the purposes of the Globus system a job can be defined as a program(s) that a user wishes to execute on a known remote machine. The job itself cannot however just be transmitted to the remote machine in question. The reason for this is that the job has to be validated, and any additional resources needed for the job noted by the remote machine. Therefore a job is sent with a job request which can specify a number of things,
the main of which are listed below.

- Name of program(s) to submit
- Machine(s) to submit to
- Method of result retrieval * (has default)
- Access to files required *
- Maximum execution time *
- Minimum/Maximum memory *

Optional = *

Globus supports a variety of ways of retrieving results once a job has completed. The default is that results should be sent back to the screen of the user who sent the request. However a number of alternatives are available, some of which are listed below.

- Send to screen at local machine
- Send to file at local machine
- Store in file at remote ftp / http server
- Wait till retrieve command is given from local machine
- Don't do anything with results

The request itself can be made in one of two ways. The first and most simple is using globus-job-run. This method only allows a user to send off one request at a time and is used only to cover simple cases for execution. The example below shows a simple request.

    globus-job-run    egcsky000015.lancs.ac.uk    /bin/echo    "hello"

To make things easier to understand the above example has been spaced out a little. This statement would be typed in from the basic command prompt of the submitting machine. The first statement is the name of the request program to run, in this case globus-job-run. The second statement lists the full name of the machine that the user wishes to execute the program on. The third statement lists the program to execute. In this case the installation of Globus was on a Linux system; /bin/echo is the name of a simple Linux command. This illustrates that the program itself can be any acceptable executable. The echo command simply takes an argument and prints it back to the screen. The argument in this example is shown in the fourth statement. So to summarize, this request will send the echo command to the remote machine,
execute it and return the results. The results are returned automatically by default though this can be altered in the request. For the purpose of this example the results will simply appear on the local user's terminal screen, the same one that they sent the request from.

The second way in which the request can be made is by using a more powerful request system called globus-run. Unlike globus-job-run, it is designed to allow multiple requests to be sent to multiple machines if necessary in one action. In order to make this as straightforward as possible the program makes use of a specific language to formulate the request. The request is written in an RSL (Resource Specification Language). The Globus RSL is quite complex in design, and can be difficult to understand at first. The syntax of the Globus RSL is beyond the scope of this report as it would take many pages to get across even the basic syntax. It is unlikely that most people would need to use this more advanced version of the request program manually. It will be of more use once the syntax itself can be automated so that actual users do not come into contact with it.

Preferably the program itself needs to be written in the C programming language. Though in theory any binary executable could be used, if it needs to interact with Globus it needs to be able to use Globus's APIs written for the C programming language. This can be achieved from most programming languages but the implementation can cause problems. C++ is supposedly compatible with C but Globus does not guarantee complete compatibility. An example whereby a program may wish to interact with Globus could be one where access to additional files was needed.

It is also notable that support for interactive jobs is still incomplete. An interactive job is one which requires user direction at some point. A number of Globus's competitors,
the most noticeable being Sun[5], have already dealt with this issue. It is important to note that although Globus provides no active support for interactive programs, it does not stop the program from contacting another machine if it sets up the relevant sockets itself. Due to the useful nature of this facility more active support for it will no doubt be added in the future though. This will make the creation of viable programs far simpler and more standardized.

2.2 GRAM

GRAM is the name given to the Globus Resource Allocation Manager. Its job is to manage job requests and to execute and monitor them on remote machines. GRAM is in overall control of all the other services listed in the sections below. It is responsible for setting up and taking down services provided by Globus when it believes a user needs them. It also acts as the manager that all information about requests or status reports feeds back into.

One of the main parts of GRAM is the gatekeeper. In order to execute a given program on another machine a number of checks need to be made. Therefore you cannot simply take complete control of a remote machine and run the program in question. The interaction between machines has to be carefully monitored. The reasoning for this stems from the unknown nature of people joining grid networks. The whole concept of grids is that of machines coming and going, that they can join dynamically when they wish.

In order to monitor interaction at a remote machine a gatekeeper is run on the execution machine. It is constantly waiting for new requests to come in. The gatekeeper waits on a defined standardized port,
this allows users to contact remote machines knowing only that machine's IP address. It is vital that as little information as possible is needed to communicate between machines to enhance the usability of the system. The gatekeeper also ensures that only valid requests are accepted and dutifully sends back results when they are produced. If a machine is already running a job it will wait till the current job has completed before running a new one. The main reason for this is the size of the jobs, which would normally prohibit more than one running at once on a resource. It also helps reduce the chance of overloading individual machines with requests from different jobs at a given time.

Generally gatekeepers are used to allow execution on remote machines from a local one. However if for some reason you wish to execute requests on the local machine yourself you can set up a personal gatekeeper which will do just this function. This may seem a somewhat bizarre notion but the main application for this type of execution is for testing the setting up of Globus components on a given machine. The overall mechanism for jobs and gatekeepers is shown in Fig 1.

[Fig 1: Machine C sets up a gatekeeper. Machines A and B each send a request for execution to it. A sends its request first and request A runs; B sends its request after and request B waits.]

2.3 An overview of Globus components

Due to the complex way in which the different services interact an overall view of the system is shown below. Though a reader will undoubtedly not understand all the services involved at this point, it does give an overall feel for the system. This should enable the reader to understand how the key services fit in as they read through the sections.

[Diagram: An overview of Globus components. Labels: Machine A (Globus), Machine B (Globus), GSI, Gatekeeper, GASS, GRAM, MDS, GIIS, GRIS (four boxes), Job Request, Job Results, File Access, Information Requests / updates.]

Key:
GSI : The GSI controls all the security arrangements (authorization etc)
MDS : The MDS is in charge of distributing information about machines
Gatekeeper : The gatekeeper controls interactions between machine and the jobs
GASS : The GASS server can be set up to provide access to other files during jobs
GRAM : Globus Resource Allocation Manager

3 GASS

The Globus system is used for more than simple executable programs. Many of the jobs it runs require additional resources in order to run, for example the transferring of data files from a remote machine to the place where the job is executing, so that the job can access them. The way in which this is done is quite simple, though some of the security precautions involved are not.

If a job requires additional resources they will be listed in the job request sent to the execution machine. On receiving that request the gatekeeper will examine the request and, if it determines that additional resources are required, it will set up a GASS server on that machine to deal with any requests the program will make. The GASS server itself allows users to put files in a local cache accessible to the job running at the time. Any file can be transferred as long as it resides on an FTP or HTTP server on an accessible network.

Allowing a user to access files requires a user to be authorized to access the remote resource. Therefore in order to comply with requests for information the GASS server has to make use of the GSI to make sure the machines involved can be authenticated. At present it is not possible for any jobs to share the same cache. This would obviously lead to security problems as only certain people should have access to a given file. As such once the program that is running finishes,
the GASS server will delete the cache and shut down the server. It is important to note that the use of GASS and the cache is the only way to access files for use in execution. Local files at present cannot be accessed in any other way.

As with most programs there are ways to make life easier. Many grid enabled applications make use of huge datasets which would be somewhat cumbersome to copy into the cache. In this case those files could be stored in the cache permanently if necessary. The GASS server will only delete what it has placed into the cache when it shuts down. It will only delete the cache directory itself if it is empty. This works because the GASS server will always set up the cache in the same place unless instructed by the resource owner differently. The overall interaction for this part of the system is shown in Fig 2.

[Fig 2: Machine A sends a request to Machine B. Labels: Gatekeeper, Gatekeeper starts GASS, Job Executes, GASS Accesses cache, GASS, Cache, File Requests, FTP Server.]

4 MDS

The Meta Data Service controls all information pertaining to the different machines on a grid. It holds information of both dynamic and static nature. Examples of the sort of things held could include machine ID, average load, memory capacity etc. Though the MDS is designed to hold various types of information it is extensively modifiable. This helps make Globus easier for developers to build applications for. For example to build an effective scheduler on top of Globus it may be helpful for a request about a machine to indicate who has authorization to use it. The MDS consists of two different types of server. The servers GRIS and GIIS are outlined in sections 4.1 and 4.2 respectively.

4.1 GRIS

GRIS servers can be located at various points across a grid. They are designed to hold information about any machine that has been registered with them. The information in question could be either static or dynamic,
and the architecture of the GRIS server is designed to be easily extendable to provide a holding space for data of any kind about individual machines. Information is uploaded to GRIS servers manually by the user unless more advanced support is built upon it.

No single GRIS contains the details of every machine on a given network. This allows limited protection against failure of a given server and allows faster retrieval times with less load at a given point of a network. Because different machines are listed with different GRIS servers it could be difficult for a given user to find out about a given machine. In theory they would need to know the location of every GRIS server to poll them individually. Luckily Globus provides a second type of server to deal with this eventuality which is explained in the next section.

4.2 GIIS

All GRIS servers are registered with a separate Grid Index Information Service (GIIS) server. All GRIS servers register with this one GIIS server when they are activated. All the GIIS server has to store is the location of each GRIS, making the request load considerably more manageable. The GIIS server can also be programmed to know the name of each machine registered to that GRIS. In this way a user can find out information without the hassle of contacting every GRIS server on the grid.

The diagram in section 2.3 showed the relationship between GRIS and GIIS servers with the main box, marked MDS, representing the main aggregate directory GIIS and the boxes leading off from it representing the GRIS servers. Note that the diagram showed that the two machines A and B were linked off one of the GRIS server boxes. This indicates that information pertaining to those machines could be found on that particular GRIS.

GIIS servers can be programmed to store only the details of GRIS locations,
or can be programmed to hold any piece of data already held by the individual GRIS servers. GIIS servers obviously could represent a centralized point of failure within a grid environment. Therefore in order to help alleviate this problem a number of shadow GIIS servers can be set up, which can take over if for any reason the main GIIS is inaccessible.

5 HBM

The Heart Beat Monitor (HBM) is designed to provide simple fault monitoring for remote machines. Reporting faults is a difficult task as failures can occur for many different reasons. As with all grid services the HBM has to be set running explicitly by the user. It is primitive in nature, consisting of a very simple mechanism of polling to detect failure. Of course this could be very process intensive for both machines depending on the time between polls.

The HBM monitors processes on remote machines but is also used to show network failure. In this case the monitor registers the lack of a response rather than a report of actual failure. So in effect if for example a network breakdown stopped a remote machine from sending a signal back, it would be assumed that the machine in question had gone down.

As with most parts of the Globus Toolkit the HBM requires substantial user intervention to set running, and in most cases this would stop anyone from manually using it. At present the future of the HBM is in doubt as it has been deprecated as a service. HBM has not been removed mainly due to the customer base already using it. As development has now almost completely ceased on this part of the system,
its use in future releases is not guaranteed. The HBM itself contains three main components which are described below.

Heart Beat Monitor Client Library (HBM-CL)

The main function of the HBM-CL is to provide a way to register processes for monitoring. The request generated by the HBM-CL's globus_hb_client_register() program is passed on to the HBM-LM which is described in the paragraph below.

Heart Beat Monitor Local Monitor (HBM-LM)

The HBM-LM is run on any machine that monitors processes. Its job is to accept requests for jobs to be monitored from the HBM-CL, and to monitor them based on a simple timer mechanism. It then reports back all pertinent information gained to the HBM-DC which is described below. For example if it received an HBM-CL request for the stoppage of monitoring of a specific job it would report this fact back to the HBM-DC the next time it transmitted.

Heart Beat Monitor Data Collector (HBM-DC)

The HBM-DC is a centrally located server responsible for collecting information from individual HBM-LMs around a network and for providing information on request on the status of those jobs. It is ultimately responsible for monitoring the frequency of replies from various remote HBM-LMs. If, for example, one stopped reporting, the machine would be assumed inaccessible.

6 GSI

The Globus toolkit contains a sophisticated security architecture designed to make the software as secure as possible. The following sections discuss the methods Globus employs to do this.

6.1 Grid Security Overview

Throughout the development of computing many problems have emerged in the seemingly simple task of making a system secure. Despite progress on this over the last thirty years there is not,
and is never likely to be, a perfect security system. The arrival of Grid based systems opens up new problems because of its extensive use of networks. The physical networks themselves are normally out of the hands of the people using them and as such cannot be secured by user actions. Of course the level of risk entailed by this depends on the size of the network itself and the area it encompasses. For example this would be less of a problem in an office building on a military base than it would be for a firm encompassing two sites on opposite ends of the country making use of civilian fiber optic networks.

Therefore in order to provide any degree of security the information travelling along the network has to be secured itself in some way. Unfortunately at this point confusion can occur; some companies simply ignore the possibility or consider it to be too costly to fix. Others consider the situation and say the answer is encryption. Unfortunately encryption is a word used somewhat liberally with little thought for how it should be implemented. For example how do you stop a person from masquerading as someone else and making use of grid resources? How do you make sure that a person using the system legally is not accessing or doing things they should not? These could be more broadly termed insider jobs. The problems do not even end there, and many books have been written solely on the subject of security[6,7].

As such it should be clear that the scope and problems associated with grid security are significant, and need to be addressed if this technology is ever to be used extensively. The following sections outline some of the technologies that have been used to make the Globus system more secure. It is important to note however, that the subject of security is forever ongoing and the solutions outlined below do not represent a secure system for grid technologies in the future,
due to the many unresolved issues in the area.

6.2 The Globus Grid-map file

One of the most important considerations on the security model of Globus is that only users who are authorized to use a machine can do so. The first line of defense therefore that Globus wields is that of the grid-map file. This file, created by the owner of each grid machine, specifies which computers they allow requests to come from. Unless an entry is listed they would not be allowed access. An example entry on a grid-map file is shown below with an explanation of each section.

    "/O=Grid/O=Globus/OU=lancs.ac.uk/CN=John Smith " jons

"/O=Grid/ : A standard introductory part specifying that it represents a grid. Entries of this type are used by many types of software therefore this is a necessary part.
/O=Globus/ : This specifies that not only is it a grid, it runs Globus software.
OU=lancs.ac.uk/ : The domain name under which the computer operates.
/CN=John Smith : The name of the person who is authorized to make requests.
jons : The local person's user name. This is encoded into the certificate to stop people using it without being logged in as the right person.

This first part may seem surplus to requirements but the entry itself is derived from and tested against a part of the system which is covered in section 3.4. This therefore allows a user to be validated, ie unless they gave the correct information they would not be permitted to request resources.

In a perfect world only this would be required, however the information itself is secured only by the local machine's own security precautions. So the information of what users are allowed in is only secure if nobody ever finds out what it is. Clearly this is inadequate given what is at stake. At a more basic level you also have the problem of someone lying as to who they claim to be. Therefore it is essential that a person be able to prove who they are to other users. There are many ways that this could be accomplished,
but all have drawbacks of some nature. For example you could use personal key cards or photographic identification. But both of these would suffer from the amount of hardware required to make them work and are by no means perfect. The method that the Globus platform makes use of is encryption, which is seen as a common way in which to secure data, but also to prove identities with a method called mutual authentication (see section 3.5).

6.3 Encryption

The Globus system makes use of encryption to ensure authentication of users. The sections below outline first the basic principles of encryption, and then how Globus makes use of it within its security architecture. For those readers who know the basics of simple encryption section 6.3.1 can be skipped.

6.3.1 The Basic Principle of Encryption

Encryption is used extensively in the Globus system to authenticate users and requests. Encryption is the taking of some piece of information, for example your medical files, and applying some form of cipher to them so that they are no longer readable. They can then be sent to their destination in the knowledge that anybody who intercepts them would not be able to read them. They can then be decrypted with the cipher at the other end.

The cipher is in fact a mathematical algorithm designed purely to encrypt and decrypt messages. As designing ciphers is no easy business the same cipher may be used by many people for encrypting just about anything. To make the cipher work you must enter a key (the normal level of protection currently being a key 1024 bits long). That same key is then entered into the cipher at the other end to decrypt the message. This means that though many people use the same cipher,
they cannot all decrypt each other's messages unless they hold the key it was encrypted with.

The basic premise outlined above is that of private key encryption where the same key is used to encrypt and decrypt information. There are many varieties of encryption but all basically boil down to the above explanation at some level or another. The thing that most people do not seem to grasp is that encryption is not absolute. Depending on the length of the keys used a system could be more or less secure. Another consideration is the quality of the encryption algorithms themselves, which all have a relative strength based on how flawed they are (there is no such thing as a perfect algorithm). A diagram explaining the basic principle is shown in Fig 3.

[Fig 3: Plain Text and a Key are fed into an Algorithm, which produces Encrypted Text.]

6.3.2 Globus and Encryption

The Globus system makes use of encryption in order to validate users to each other when making requests. The actual information that is passed between machines after this point however (the raw data the computers are working on) is not encrypted in any way. This means that although you can validate who you are dealing with, you cannot stop the work you are sending from being intercepted. This is based on the theory that someone intercepting traffic could not gain any meaningful content from it. Whether this is true remains to be seen.

The reason this compromise has been made is due to the time that it takes to encrypt large files. Considering the applications that make use of grids, data sets could be gigabytes in size; the overhead on encrypting every piece of information would to a large extent negate the advantage in utilizing the machines in the first place. To show how fast technology is moving the Cern Large Hadron Collider will generate sets of Petabytes in size,
which would make the problem just plain insurmountable. Globus therefore concentrates on making sure that the person making a request is the person that they say they are, and that they are authorized to do so. Improvements in encryption speeds may one day alleviate this security loophole, but until that time most grids will probably not be totally encrypted for logistical reasons.

6.3.3 Public key encryption

Globus makes use of public key encryption. This is slightly more complex than the private key encryption explained above but the principle is the same. Public key encryption removes the need to distribute the same key to two people in order for them to encrypt data. Obviously distributing two keys is tedious and potentially opens security holes. The main reason for this is the increasing difficulty faced when more and more people know the same secret. Public key encryption uses asymmetric keys. These are slightly different from the types of key that were discussed above. They are based on algorithms which only work one way with a key, ie that need a different key to decrypt data. These two keys are termed public and private keys. Therefore a public key can be distributed without fear, so that anybody can send a message to someone encrypted, but only the intended person can decrypt messages sent to them using their private key. This can in fact work in reverse, meaning that something encrypted in a private key can be decrypted with that person's public key by someone else, thus proving they were the person to send the message. (Nobody else has their private key, and only that key could have been used to encrypt the message). It is important to bear in mind that the way in which this works in reality is a little more complex than has been made out here. However it should give the gist of what is meant by public key encryption.

6.4 X.509 Certificates & CA's

The way in which Globus makes use of public key encryption is by the use of certificates. These certificates were not invented for the use of Globus; they were originally designed by the ITU[8] (International Telecommunications Union). They are widely used in the internet at large and go some way towards providing secure authentications. In order to understand how Globus makes use of these certificates it is necessary to explain the role of the CA (Certification Authority). Certification authorities are used to try to mitigate the problems from people lying as to who they claim to be. This is a major problem, as could be seen if only the grid-map file were used to secure the system. By finding out the contents of that file they could easily impersonate the people listed in the file. Therefore a body that could vouch for the person in question would be advantageous. This third party is called a CA. At this point something mentioned earlier can be made clearer, recall that an entry in a grid-map file has the structure seen below.

"/O=Grid/O=Globus/OU=lancs.ac.uk/CN=John Smith " jons

The fields in this entry are set out in this way because they are a direct mapping of the information stored in an X.509 certificate. Therefore an X.509 certificate contains (amongst other things), the name, username, domain and organization of the person using the certificate. Obviously anybody could make one of these up, therefore in order for it to be valid you have to send a request to a CA submitting your details in much the same way as is listed in the grid-map file. These details can then be checked and the returning certificate signed by the CA. Very careful consideration has to be given to who you would trust to be a CA. If your computer knows to trust a certain CA it will trust all the certificates that are issued from it. Therefore it is vital that any CA
you trust has checked sufficiently that the person is who they say they are. If for example a company had 50 machines running Globus it would probably set up its own CA for security reasons. Another option could be to use a commercial CA which originates outside your company. For many Globus, however, is just an experimental system that they will be evaluating in some way. To aid in this the Globus team have set up a simple test CA which you can get certificates from. It is important to note that the only thing that this test certificate authority checks is the domain from which the request was sent being equal to the domain listed in the request. Therefore beyond this as long as the request is correctly formatted it will be certified. Therefore in order to do serious work you would need to set up your own CA. One of the main drawbacks of this system is the setting up of a new CA which is not a simple process. As most people testing the system only require rudimentary security at this level the test CA suffices in most cases.

Whilst the system creates a request for a certificate it also creates a private 1024 bit key for your future use when dealing with authorizations. The certificate you receive back could be one of two types (depending on what you ask the CA for). It could be a host certificate enabling a computer to be used by others, or a user certificate, which enables you to send jobs to others. Therefore to do both you would need both certificates. The main difference between the two certificates is the fact that in order to get a host certificate amongst the other details sent to the CA
you also need to send your machine's full name. For example js.lancs.ac.uk. This ensures that the more security conscious role of executing jobs is tied down to definite machines to help make security more complete. Whichever certificates you have they contain your public key which can be used by other people to communicate with you and to provide mutual authentication. It is very important to realize that the private keys created all depend on the level of local security on the machine to keep them secure. Therefore careful consideration has to be given in order to make the system as secure as possible.

6.5 Mutual Authentication

In order to send jobs between computers it is essential that both are mutually authenticated so that both know who they are dealing with. Globus completes mutual authentication for every job request it receives. The way in which they authenticate is listed as a series of points below.

1) Machine A sends its certificate to Machine B
2) Machine B responds by sending its certificate to Machine A

[Fig 4: Machine A and Machine B exchange certificates (A Cert, B Cert)]

At this point both know who they are supposedly talking to and both certificates are examined to make sure that the CA that signed them can be trusted. Unfortunately so far it has only been proven that those people had the certificates and that the certificates are valid. There are no guarantees yet that the people sending those certificates are not bogus.

3) Machine A creates a message for B encrypted in A's own private key asking some question. For example: add 50 and 30.
4) Machine B decrypts the message from A using A's public key.

[Fig 5: Machine A sends the question encrypted with Private(A) to Machine B; B decrypts using Public(A)]

Machine B now knows that Machine A is telling the truth about its identity. The reason for this is simple; that the message had to have been created using A's private key, known only to A. Unfortunately machine A
has no such guarantees about machine B.

5) Machine B completes the question and encrypts the answer using its own private key and sends to A.
6) Machine A decrypts the message using B's public key and examines the answer.

[Fig 6: Machine B sends the answer encrypted with Private(B) to Machine A; A decrypts using Public(B)]

Machine A now knows that machine B is genuine because the message had to have been created using B's private key. Thus both machines have authenticated each other and can start sending jobs between each other. An important thing to note about this form of mutual authentication is that even these security considerations can be foiled. For example if the CA were not checking details correctly or was indeed bogus. Or if the security of a given machine's private key were in question. However as with all security mechanisms the question is what level of security you can afford to implement. In the case of Globus, with the other parts of the security architecture in place this level of security should be sufficient for most applications.

6.6 Other Security Considerations

Though not strictly speaking a security consideration, usability is important within a system. Any user who regularly sends off hundreds of jobs will quickly tire of having to enter their pass phrase for every single one. Therefore it was important that methods were developed to try to ease this problem. Section 6.6.1 shows one such method that if used with care can still retain a degree of security within the system. Other problems occur when attempting to send more complex jobs which require added security precautions. Section 6.6.2 outlines Globus's response to these problems.

6.6.1 Proxies

Depending on how you used a system it could seem tedious constantly having to retype your password to the system in order to send a request. However it is very important that the machine you are using is not left open to misuse. One solution would be to log in to a session whereby you could send all the requests you want. There is one important drawback with this approach; that once logged in a user would probably never bother to log out. Security is breached mainly due to these sorts of events. It is not the fault of the system that the users do not use it correctly. However it is the fault of the designer if they fail to take into account the way in which people use these systems. The logging in approach is one way of implementing what is technically known as "single sign on". For grid computing to be successful a workable approach to this problem is needed.

The solution to this problem, or at least one of them, is to use a proxy. A proxy is created in the same way that you validate yourself for a request, ie by using your pass phrase. The request creates a new proxy certificate which is then used during authentication sessions. The proxy certificate itself can be traced back to the original user who created it to help identification. The basic premise for this is that the proxy certificate contains the digital signature from the CA pointing out that the user can be trusted. The user then signs the proxy certificate to make clear that it is that person. From this point the proxy will then operate in much the same way as if you had then logged in, but with the critical difference that the proxy is of limited lifespan. By default this is 12 hours. Therefore the user does not have to remember to log out and can leave the security to the computer. Proxy certificates rely solely on a machine's security precautions, and removing the user from the final stage of verification is a security risk,
but this can be mitigated at least in part by allowing the users to create proxies of different sizes. It is worth pointing out that though it is now using a proxy certificate the mutual authentication procedure is not affected at all. The process of gaining a proxy is shown in Fig 7 below.

[Fig 7: Machine sends a request for proxy to the Proxy Service; passphrase verified; new certificate generated; proxy certificate returned]

6.6.2 Specific GASS server issues

As was discussed in section 3 GASS servers play an important role in allowing access to files held at remote locations. GASS has very specific security issues and the level of access allowed by the GASS system is very much dependent on the limited security imposed. Currently GASS servers do not allow multiple users access to the same cache. The reason for this is obvious. Anyone who is authorized to execute on a given machine is allowed to set things up in the cache. The cache itself is by default always stored in the same location. As such it would be a security problem if that cache were not deleted each time it were used. It would also be a security risk if more than one process were allowed to run on a remote machine at the same time. Neither of these things is ever allowed to occur though. In theory you could add things permanently to a cache as was suggested in section 3. However this security limitation means that if you choose to do this that file has to be available to everyone. No active way of restricting access is available within the Globus security mechanism. So though the system is secure in this respect,
it limits the way in which access can occur. The current level of access based on caches and ftp servers does not allow free access to local machines' files. Though this would obviously be a security risk this could be mitigated to a large extent by a list of users allowed access to certain directories. At present Globus does not support this though. Secure ftp servers can be utilized only if they accept Globus certificates, as the GSI mechanism will only perform mutual authentication using them; this could conceivably cause a problem in some environments. Overall the GASS system causes substantial security problems and the level of support for file access is severely restricted because of it.
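The exchange of section 6.5 followed by the grid-map lookup of section 6.4, as an added example that is not part of the original report and is not Globus code: each side checks the CA signature on the peer's certificate and then has the peer sign a fresh random challenge, a verifier-chosen value used here in place of the report's self-chosen question so that an old reply cannot be replayed. The toy textbook RSA over fixed Mersenne primes, the `Party` class, every function name and the host subject name are assumptions made for illustration; the keys are constructed sample data and offer no real security.

```python
import hashlib
import re
import secrets

E = 65537  # public exponent for the toy RSA below (illustration only, NOT secure)

def make_key(p, q):
    """Textbook RSA key pair from two primes: ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    """'Encrypt with the private key' in the report's wording."""
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, signature):
    """'Decrypt with the public key' and compare with the expected digest."""
    n, e = public
    return pow(signature, e, n) == _digest(data, n)

def _cert_body(subject, public):
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_cert(ca_private, subject, public):
    """The CA vouches for the binding between a subject name and a public key."""
    return {"subject": subject, "public": public,
            "sig": sign(ca_private, _cert_body(subject, public))}

def cert_valid(cert, ca_public):
    return verify(ca_public, _cert_body(cert["subject"], cert["public"]), cert["sig"])

class Party:
    """A machine or user holding a certificate and (supposedly) its private key."""
    def __init__(self, cert, private):
        self.cert, self.private = cert, private

    def respond(self, challenge):
        return sign(self.private, challenge)

def authenticate(peer, ca_public):
    """One direction: return the peer's subject name, or None if not proven."""
    if not cert_valid(peer.cert, ca_public):      # steps 1-2: signed by a trusted CA?
        return None
    challenge = secrets.token_bytes(16)           # fresh, so replies cannot be replayed
    if not verify(peer.cert["public"], challenge, peer.respond(challenge)):
        return None                               # peer does not hold the private key
    return peer.cert["subject"]

def mutual_authenticate(a, b, ca_public):
    subject_a = authenticate(a, ca_public)        # B checks A (steps 3-4)
    subject_b = authenticate(b, ca_public)        # A checks B (steps 5-6)
    return (subject_a, subject_b) if subject_a and subject_b else None

GRIDMAP_LINE = re.compile(r'^\s*"([^"]*)"\s+(\S+)\s*$')

def parse_gridmap(text):
    """Map each quoted subject name to its local account; skip malformed lines."""
    mapping = {}
    for line in text.splitlines():
        match = GRIDMAP_LINE.match(line)
        if match:
            mapping[match.group(1).strip()] = match.group(2)
    return mapping

def gatekeeper(user, host, ca_public, gridmap_text):
    """Local account the job would run under, or None if the request is refused."""
    subjects = mutual_authenticate(user, host, ca_public)
    if subjects is None:
        return None
    return parse_gridmap(gridmap_text).get(subjects[0])

# Constructed sample data: keys from Mersenne primes, names modelled on the report.
CA_PUB, CA_PRIV = make_key(2**521 - 1, 2**607 - 1)
USER_PUB, USER_PRIV = make_key(2**61 - 1, 2**89 - 1)
HOST_PUB, HOST_PRIV = make_key(2**107 - 1, 2**127 - 1)
ROGUE_PUB, ROGUE_PRIV = make_key(2**31 - 1, 2**1279 - 1)
USER_DN = "/O=Grid/O=Globus/OU=lancs.ac.uk/CN=John Smith"
HOST_DN = "/O=Grid/O=Globus/OU=lancs.ac.uk/CN=js.lancs.ac.uk"
GRIDMAP = '"/O=Grid/O=Globus/OU=lancs.ac.uk/CN=John Smith " jons\n'
USER = Party(issue_cert(CA_PRIV, USER_DN, USER_PUB), USER_PRIV)
HOST = Party(issue_cert(CA_PRIV, HOST_DN, HOST_PUB), HOST_PRIV)

if __name__ == "__main__":
    print("genuine user ->", gatekeeper(USER, HOST, CA_PUB, GRIDMAP))
    thief = Party(USER.cert, ROGUE_PRIV)          # copied certificate, wrong key
    print("copied cert  ->", gatekeeper(thief, HOST, CA_PUB, GRIDMAP))
    forged = Party(issue_cert(ROGUE_PRIV, USER_DN, ROGUE_PUB), ROGUE_PRIV)
    print("untrusted CA ->", gatekeeper(forged, HOST, CA_PUB, GRIDMAP))
```

The last refusal path is the one the report warns about in reverse: everything here rests on the verifier trusting only a CA that actually checks identities, and on each private key staying on its own machine.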
6.7 Overall Issues with Globus security

The security model of Globus has proven adequate during small scale testing. However a number of issues have arisen during development. It relies too heavily on the level of security provided by end users. Essential items like the grid-map file and trusted CA lists could be vulnerable. The manual way in which the grid-map file and others are manipulated makes system wide security management very difficult. For example if a certain person had to be removed from the grid-map file lists of every machine, this would quite literally have to be done by every user on every machine. The official documentation on the Globus website does not lay sufficient emphasis on the level of security a user would need to provide to effectively use the security model. The installation of Globus itself is disturbingly complicated and small errors could for example, completely disable parts of the security mechanisms. In its quest to allow machines to be individually set to accept job requests from specific machines; it lacks any ability for centrally allocated security provisions. While a proxy facility may be essential it is also one of the biggest security loopholes in the system.

The use of public key encryption and X.509 certificates provides a flexible if somewhat slow authentication system. It is believed that with large jobs this overhead will cease to be an issue but that remains to be seen. Most of the security within Globus relies on mutual authentication, though once authenticated Globus does not stop the eavesdropping of raw data passing between machines. This unprotected transfer of data could also be a cause for concern in some situations, especially where the content of the data is of a sensitive nature, be that commercially or militarily. Given the increases in computer processing and the speed with which modern cryptography can be carried out,
in a few years time all communications may end up with some form of encryption. Therefore work needs to be completed on this area soon. The level of support for more complex jobs which require local resources is an ongoing area of research. At present support for this is somewhat patchy and little evidence is available to show any security changes made to accommodate them. For example a useful feature such as the ability of many users to access the same cache is planned, though no work on how they are going to secure this mechanism is available.

7 Running a simple job

Now that all the major sections of the system have been covered it is possible to understand the number of steps needed to make a job run, and the meaning of those steps. Therefore in order to make exactly clear what happens when these jobs are run, and to fully understand the number of actions it takes, the following example is given.

In order to run a job

1) Both parties require Globus certificates (see section 6.4).
2) The execution host must have authorized use of their machine by the user in question by an entry in the grid-map file. (See section 6.2)
3) The user must have made a request to the execution machine, logging in using their passphrase at the time of submission, or by setting up a proxy beforehand. (see section 6.6.1)
4) The execution machine must be running a gatekeeper to receive the request
5) Mutual authentication using the Globus certificates must then take place. (see section 6.5)
6) The job can now run

If access to additional resources is needed by the program it may also be necessary to set up a GASS server (see section 3). It is easy to see that setting up the system to do a simple job is by no means a simple feat. Assuming a user was prepared to do these steps there are also a number of optional services they could run. A few of these are listed below with some of the major steps required to set them up.

If an information server was to be used

1) A machine for a GIIS would need to be picked and set up. Plus any number of shadow GIIS
2) At least one GRIS server would need to be set up
3) The GIIS may need to be adapted for any additional information that needs storing
4) The GRIS server would have to register with the GIIS server and any other shadow GIIS.
5) The machine running the execution gatekeeper needs to register with the GRIS after finding an appropriate one from the known GIIS host.
6) At this point a local machine could request information about the location of a remote machine.

If a HBM were to be used

1) First a HBM-LM would have to be picked and started up
2) A HBM-DC would also have to be picked and started up
3) The HBM-LM would have to register with the HBM-DC
4) The user could then register a job with its nearest HBM-LM
5) In order to find out about a given job the user would then have to request information from the HBM-DC

As can be seen from these simple examples using Globus requires a number of user actions to take place in order to accomplish any given task. This is the reason that Globus is rarely considered to work without a further level of abstraction above it. This issue is covered in depth in the next section.

8 Extending Globus (schedulers)

From what has been said over the last few sections it should be clear that although Globus can achieve a number of things,
it does have its weaknesses. It requires too many user actions to perform a given task. This is the point at which other companies and products come into play. Globus provides the roots required to build computational grids but allows many different services to be built above it. For example a particularly useful feature would be to add a GUI with the ability to see other users and their resources at the click of a button. Couple this with the ability to send requests and you get a scheduler. By creating a new level above Globus many of the tasks that were difficult and tedious can be automated. One such example of a simple scheduler would be that of Condor[9]. Condor however does not utilize a GUI and offers only the most basic scheduling functions. It also needs requests submitted to it in its own language which is different from Globus's. This stems from Condor's history as a cluster scheduler before being extended to work with Globus. A new breed of add-ons for Globus will no doubt emerge in the next few years however, and they should address many of the issues that people have with Globus at the moment. The Appendix contains more details on the Condor scheduler.

9 Conclusions

In conclusion therefore it is easy to see that Globus has tremendous potential to build useful computational grids. Globus is by no means a closed finished product however, and that must be taken into account when using it. Its flexibility is hampered especially by its security mechanisms though, which need to take into account the varied activities that people are working on using grid technology. In the next few years different companies will use the Globus platform to build more powerful tools which will have proper support mechanisms. It is at this point that grid computing will finally take off properly. In the mean time the Globus Toolkit is available for those with development interests or simple curiosity about grids and their nature,
to download and examine.

10 Glossary

CA - A Certificate Authority. The trusted party required to vouch for X.509 certificates.
Certificate - A file containing a user's public key and their details.
Cipher - A mathematical algorithm designed to encrypt data given a key.
FTP server - server designed to allow access to files hosted on it.
HBM - Heart Beat Monitor. Polls machines for failure
GASS - Globus Access to Secondary Storage.
Gatekeeper - A service running on a receiving machine capable of handling requests.
GIIS - Grid Index Information Service. The aggregated directory holding details of GRIS servers
Globus - A middleware grid solution designed at Argonne National Laboratories and Chicago University.
grid-map file - A file containing a list of users permitted to use that machine once authentication has taken place.
GRIS - Globus Resource Information Service. Holds details of machines.
GSI - Globus Security Infrastructure.
Key - A unique string of bits (typically 1024) used in conjunction with the cipher to encrypt data.
MDS - Meta Data Service. This is used to keep track of details about machines.
Middleware - Software designed to work between client and server levels to provide additional functionality.
Passphrase - A simple password used to validate a user to create a proxy or send a request.
private key - A key held only by a single individual used to encrypt messages to prove who they are and to decrypt messages encrypted using its public key.
Proxy - A method of automatically authorizing the sending of requests without having to re-enter the passphrase every time.
public key - A key held by potentially many people used to encrypt private messages to a person for decryption using their private key.
RSL - Resource Specification language. Globus uses this to formulate job requests

11 References

1) Globus - http://www.globus.org
2) seti@home - http://setiathome.ssl.berkeley.edu/
3) NASA IPG - http://www.nas.nasa.gov/About/IPG/ipg.html
4) Cern - http://wwwlhc.cern.ch/
5) Sun - http://www.sun.com
6) Bruce S. Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons; ISBN: 0471253111
7) Bruce S. Applied Cryptography 2nd Edition, John Wiley & Sons; ISBN: 0471117099
8) ITU - http://www.itu.int/home/index.html
9) Condor - http://www.cs.wisc.edu/condor/

12 Appendix

Condor-g A brief Overview

What is Condor-g?

Condor-g is a Task Scheduler designed to work with the Globus Middleware platform. It was designed to act as a first generation brokering system for grid computing. As such it works at a very low level, in much the same way that Globus does. Condor-g is also designed to extend the functionality of Globus to integrate DAG scheduling and a better grasp of which machines are running at a given time. One of the problems with Globus is that jobs are submitted and then run immediately; condor gives greater flexibility by running programs when it can and keeping track of the state of execution on the remote machines.

How does Globus fit in with this?

The purpose of Globus is to provide the basic software to enable inter-domain communications, security and job execution etc. The Condor-g broker then provides the added functionality for scheduling jobs on machines. In this way a complete system can be offered which allows the submission and security of jobs to maximize the level of feedback to the user.

So how does it all fit together?

Condor-g interfaces with the basic Globus services,
predominantly with the Globus gatekeepers on the remote machines. It also tries to ensure that the grid proxies, which the Globus system makes extensive use of, are going to be valid for the duration of the job. The Condor-g broker is represented by a "personal Condor" the job of which is to handle the scheduling and to interface with the Globus gatekeeper. Jobs themselves are submitted via a submission file that has to be written before the submission takes place. Principally this lists the machine that the program is to be run on and the details of where the program resides. There are also options to interpret the file as a DAG (Directed Acyclic Graph) request. There are of course other options but the main ones have been listed above.

Problems with the Condor-g System

Condor-g is a research program which is solely supported and run from the University of Wisconsin USA. The code for it is not open source and only represents a side interest for the university. The development of Condor-g has therefore been a slow one, and many important issues need to be dealt with. The most important of these would appear to be that of having to write a submission file in order to make a request of the Condor-g system. The submission language is different from that of Globus requests due mainly to its previous history as a cluster scheduler before being extended for use with Globus. The programs for finding out information are also all textual command line interfaces. As Condor-g is designed to extend the functionality of Globus it would be prudent to do something about its lack of usability and user friendliness. This in itself is not a big enough problem to stop people using the program but it would appear there are other concerns. Though the scheduler has been used in the field for a few years now,
so far the testing has been on a small scale. With products such as the Sun Grid Engine also trying to gain acceptance in the marketplace it is unlikely that Condor-g at least in its present form will survive as a viable brokering client.

Other issues which Condor may have to address include the fact that it will not arbitrarily allocate machines to resources. This surely represents one of the most important issues concerning a scheduler. It would appear that although the system will provide users with more information, it also expects them to make the decisions as to what to do with it. Though Condor-g supports DAG, it does so in a very low level way. A different submission file has to be written for each node making the allocation of this type of request to Condor-g a very tedious one.

The question of how well Condor-g copes with heavy workloads is an unknown. However it is a fact that if a mistake is made, for example submitting a machine to somewhere incorrectly, stopping the scheduler from resubmitting the request when it sees fit, or canceling the job entirely is needlessly complicated. For example even when jobs are marked for deletion they do not disappear from the scheduler interface.

The overhead when using Globus makes small executables pointless to send. It is presumed that given much larger and longer programs this overhead will cease to become a real problem, though it should not be forgotten. The overhead for a typical program of less than a second of running time could take 5-6 sec to run even on the local machine. On a remote machine this is slightly though not by a great deal longer.

In Conclusion

Condor-g is a useful add-on to the Globus platform. It provides basic scheduling functionality to extend upon Globus's basic grid functionality. However it is only useful at a very low level and could become overshadowed by new schedulers rapidly given the current Grid climate.