
A Security Architecture for Computational Grids

By
Ian Foster Carl Kesselman Gene Tsudik Steven Tuecke

Outline

- Introduction
- The goal of the paper
- Example of a large-scale distributed computation
- Distinctive characteristics of the grid computing environment
- Some terminology of grid security policy
- Proposed security policy
- Discussion of some protocols
- Conclusion

Introduction

Grid applications are distinguished from traditional client-server applications by:

- simultaneous use of large numbers of resources
- dynamic resource requirements
- use of resources from multiple administrative domains
- complex communication structures

Introduction (cont.)

- These characteristics of computational grids lead to security problems that are not addressed by existing security technologies for distributed systems.
- The dynamic nature of the grid can make it impossible to establish trust relationships between sites before the application runs.

The goal of the paper

- It provides an in-depth analysis of the security problem in computational grid systems and applications.
- It includes a detailed formulation of a security policy for grid systems.
- It proposes solutions to specific technical issues raised by this policy.
- It describes a security architecture that uses these solutions to implement the security policy.

Example of a large-scale distributed computation

Distinctive characteristics of the grid computing environment

- The user population is large and dynamic.
- The resource pool is large and dynamic.
- A computation may acquire, start processes on, and release resources dynamically during its execution.
- Resources may require different authentication and authorization mechanisms and policies.

Distinctive characteristics (cont.)

- An individual user will be associated with different local name spaces, credentials, or accounts at different sites, for the purposes of accounting and access control.
- Resources and users may be located in different countries.

Security Requirements

This architecture must:

- provide authentication solutions that allow a user, the processes that comprise a user's computation, and the resources used by those processes to verify each other's identity
- allow local access control mechanisms to be applied without change

It must also satisfy these constraints:

- single sign-on
- protection of credentials (passwords, private keys)
- interoperability with local security solutions
- a uniform credential/certification infrastructure
- support for secure group communication
- support for multiple implementations

Some terminology of Grid Security policy

- A subject is a participant in a security operation (for example, a user or a process).
- A credential is a piece of information used to prove the identity of a subject (for example, a password or a certificate).
- Authentication is the process by which a subject proves its identity to a requestor, typically by presenting a credential.
- An object is a resource that is protected by the security policy.
- Authorization is the process by which we determine whether a subject is allowed to access an object.
- A trust domain is a collection of subjects and objects governed by a single administration and a single security policy.

Proposed Security policy

- The grid environment consists of multiple trust domains.
- Operations confined to a single trust domain are subject to local security policy only.
- Both global and local subjects exist; each trust domain maps (some) global subjects to local subjects.
- Operations between entities located in different trust domains require mutual authentication.

Proposed Security Policy (cont.)

- An authenticated global subject that has been mapped into a local subject is treated exactly as if it had authenticated locally as that local subject.
- All access control decisions are made locally, on the basis of the local subject.
- A program or process is allowed to act on behalf of a user.
- Processes running on behalf of the same subject within the same trust domain may share a single set of credentials.

Computational Grid Security Architecture

- Thick lines represent the protocols.
- Dashed lines represent authenticated inter-process communication.
- The subjects in the architecture are users and processes.
- The objects in the architecture are resources.

User Proxy

- It is frequently impractical for the user to interact directly with each resource for the purposes of authentication.
- A user proxy is a session manager process that is given permission to act on behalf of a user for a limited period of time.
- It acts as a stand-in for the user and has its own credentials, so the user's long-term credentials never have to leave the user's machine.

Resource Proxy

- A resource proxy serves as the interface between the grid security architecture and the local security architecture.
- It is an agent that translates between inter-domain security operations and the local, intra-domain mechanisms.

User Proxy Creation Protocol

A user could enable a user proxy simply by handing it the user's own credentials.

Disadvantage:

- increased risk: the user's long-term credential would then reside on, and be exposed by, the proxy

Solution:

- create a temporary credential for the proxy, C_UP, valid only for a limited period
- the user indicates permission by signing this credential with a secret only the user holds (the user's own credential)

Resource Allocation Protocol

Resources can be allocated in two ways:

- allocation of resources by a user proxy
- allocation of resources by a process

Procedure (allocation by a user proxy):

- The user proxy determines the identity of the resource proxy for the desired resource.
- The user proxy and the resource proxy authenticate each other (they are in different trust domains).
- The user proxy issues a request to that resource proxy; the resource proxy maps the global subject to a local subject and applies local policy.
- If the request is successful, the resource is allocated and a process is created on that resource.

Resource Allocation from a Process Protocol

- The process and its user proxy authenticate each other.
- The process issues a signed request to its user proxy.
- If the user proxy decides to honor the request, it initiates a resource allocation request to the specified resource proxy using the Resource Allocation protocol above.
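The three protocols above all rest on one mechanism: a chain of short-lived credentials, each signed by the holder of the previous one, that a resource proxy verifies and then maps to a local subject. The following is an added example, not code from the paper or from Globus, showing that check end to end: a CA certificate for the user, the user-signed proxy credential C_UP, and a process credential (here called C_P) that the example assumes the user proxy issues the same way; the names, the gridmap file contents and the "a delegated credential may not outlive its issuer's" rule are the example's own choices. Lamport one-time signatures stand in for X.509/RSA so the code runs with the standard library alone; each key therefore signs exactly one credential.

```python
import hashlib
import json
import secrets

# Lamport one-time signatures: a standard-library stand-in for the X.509/RSA
# signatures GSI uses. A key pair may sign exactly one message, so every
# principal below gets a fresh key for the one credential it issues.
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Return (secret key, public key); the public key is hex so it fits in JSON."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [[_h(a).hex(), _h(b).hex()] for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = int.from_bytes(_h(msg), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b].hex() for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    try:
        return all(_h(bytes.fromhex(s)).hex() == pk[i][b]
                   for i, (s, b) in enumerate(zip(sig, _bits(msg))))
    except ValueError:          # malformed hex in a tampered signature
        return False

def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue(issuer_sk, issuer: str, subject: str, subject_pk, not_before: int, not_after: int):
    """Issuer signs a credential binding subject's key to a validity interval."""
    body = {"issuer": issuer, "subject": subject, "pk": subject_pk,
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "sig": sign(issuer_sk, _canonical(body))}

def verify_chain(chain, trust_anchors: dict, now: int) -> str:
    """Walk user cert -> C_UP -> C_P. Returns the global subject (the user) or raises."""
    if not chain:
        raise ValueError("empty chain")
    issuer = chain[0]["body"]["issuer"]
    if issuer not in trust_anchors:
        raise ValueError(f"untrusted root issuer {issuer}")
    issuer_pk, issuer_not_after = trust_anchors[issuer], None
    for cred in chain:
        body, sig = cred["body"], cred["sig"]
        if body["issuer"] != issuer:
            raise ValueError(f"{body['subject']} not issued by {issuer}")
        if not verify(issuer_pk, _canonical(body), sig):
            raise ValueError(f"bad signature on credential for {body['subject']}")
        if not body["not_before"] <= now < body["not_after"]:
            raise ValueError(f"credential for {body['subject']} not valid at {now}")
        # Example's rule: a delegated credential must not outlive the one it derives from.
        if issuer_not_after is not None and body["not_after"] > issuer_not_after:
            raise ValueError(f"credential for {body['subject']} outlives its issuer's")
        issuer, issuer_pk, issuer_not_after = body["subject"], body["pk"], body["not_after"]
    return chain[0]["body"]["subject"]

def authorize(chain, trust_anchors: dict, gridmap: dict, now: int):
    """Resource-proxy side: verify the chain, then map the global subject to a
    local account. Returns (local_subject, reason); local_subject is None on failure."""
    try:
        global_subject = verify_chain(chain, trust_anchors, now)
    except ValueError as e:
        return None, str(e)
    local = gridmap.get(global_subject)
    if local is None:
        return None, f"no local mapping for {global_subject}"
    return local, "ok"

def build_demo_chain(now: int, proxy_hours: int = 12, process_hours: int = 1):
    """Constructed scenario (names made up): a CA certifies Alice; Alice creates
    a user proxy (C_UP); the proxy creates a process on host A (C_P)."""
    hour = 3600
    ca_sk, ca_pk = keygen()
    alice_sk, alice_pk = keygen()
    proxy_sk, proxy_pk = keygen()
    _proc_sk, proc_pk = keygen()        # the process would sign its requests with this
    ca, alice = "/O=Grid/CN=CA", "/O=Grid/CN=Alice"
    proxy, proc = alice + "/CN=proxy", alice + "/CN=proxy/CN=process-hostA"
    user_cert = issue(ca_sk, ca, alice, alice_pk, now - 24 * hour, now + 365 * 24 * hour)
    c_up = issue(alice_sk, alice, proxy, proxy_pk, now, now + proxy_hours * hour)
    c_p = issue(proxy_sk, proxy, proc, proc_pk, now, now + process_hours * hour)
    return [user_cert, c_up, c_p], {ca: ca_pk}, {alice: "alice"}

if __name__ == "__main__":
    now = 1_700_000_000
    chain, anchors, gridmap = build_demo_chain(now)
    print(authorize(chain, anchors, gridmap, now))             # ('alice', 'ok')
    print(authorize(chain, anchors, gridmap, now + 2 * 3600))  # C_P has expired
```

Note what the resource proxy never sees: Alice's long-term secret key is used only once, on her own machine, to sign C_UP; everything the remote side receives is short-lived and can be discarded without revoking anything. The gridmap dictionary is the per-domain mapping from global to local subject in the policy above; once `authorize` returns "alice", the local access control mechanism proceeds as if alice had logged in locally.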

Implementation: the Globus Security Infrastructure (GSI)

GSI was developed as part of the Globus project, whose goals are to:

- understand the basic infrastructure required to support the execution of a wide range of computational grid applications
- build prototype implementations of this infrastructure
- evaluate applications on large-scale testbeds

Conclusions

The introduction of a user proxy:

- provides single sign-on and avoids the need to communicate the user's long-term credentials
- is able to work with local security policy
- is a potential bottleneck, since all resource allocation requests must pass through the user proxy

The resource proxy:

- translates between inter-domain and intra-domain security mechanisms
Future work

Thank you
