
Globus Grid Tutorial Part 1: Security and Remote Process Creation

Goals of this tutorial: learn how to start a process on a remote resource, and see examples of applications that use this operation (desktop supercomputing applications such as ECCE’, Cactus and WebFlow).


Presentation Transcript


  1. Globus Grid Tutorial, Part 1: Security and Remote Process Creation

  2. Goals of this Tutorial
  • Learn how to start a process on a remote resource
  • Examples of applications that use this operation
    • Desktop supercomputing applications (e.g., ECCE’, Cactus, WebFlow)
    • Network enabled servers (e.g., NEOS, NetSolve)

  3. Desktop Supercomputing
  • Seamlessly, from the desktop:
    • Sign-on once
    • Locate available computers
    • Start computation on an appropriate system
    • Monitor progress
    • Get [subsampled] output files
    • Manipulate locally
  • E.g., astrophysics, chemistry, environmental models
  • Also WebFlow, LSA, others

  4. WebFlow Grid Interface
  • Dataflow computing interface to grid computing
  • Fox, Haupt: Syracuse
  • Globus services for
    • Authentication
    • Process creation and management
  • Applications include nanomaterials

  5. Network-Enabled Servers
  • Seamless access of remote resources
  • Examples: NEOS, NetSolve, Nimrod
  • Issues
    • Scheduling for real-time & high-throughput
    • Code management & security
    • Algorithm design
  (Diagram: an application sends a request such as “Solver X, problem Y, cost 100, time 20 secs” to a resource broker, which holds the expertise and code and dispatches the work to a backend.)

  6. Problems
  • Security: how do we authenticate ourselves at the remote site?
  • Resource specification: how do we locate and request a resource?
  • Staging of code and data: how do we stage a user’s executables and data to the remote resource?
  • Computation: how do we start & manage computation?

  7. The Globus Advantage
  • Single sign-on for all resources
    • No need to keep track of accounts and passwords at multiple sites
    • No plaintext passwords
  • Uniform interface to various local scheduling mechanisms
    • LSF, NQE, LoadLeveler, fork, etc.
    • No need to learn and remember obscure command sequences at different sites
  • Support for staging, etc.: see later

  8. Authentication Model
  • Authentication is done on a “user” basis
  • Single authentication step allows access to all grid resources
  • No communication of plaintext passwords
  • Most sites will use conventional account mechanisms
    • You must have an account on a resource to use that resource
  • Sites may use “generic” Grid accounts
    • Not common, but Globus can deal with it

  9. Grid Security Infrastructure
  • Based on public key technology
  • Standard X.509 certificate, same as certificates used for the Web
  • Each user has:
    • a Grid user id (called a Subject Name)
    • a private key (like a password)
    • a certificate signed by a Certificate Authority (CA)
  • A “gridmap” file at each site specifies the grid-id to local-id mapping

  10. Certificate Based Authentication
  • User has a certificate, signed by a trusted “certificate authority” (CA)
  • Certificate contains the user’s name and public key
  • Globus project operates a CA
  • Challenge-response: the verifier sends a random challenge string, the user’s private key signs it, and the verifier checks the signature with the public key taken from the certificate
  • If the signature verifies, and the certificate chains to a CA you trust, you know the user
  • Treat your private key carefully!!
  • Private key is stored in encrypted (pass-phrase protected) form

  11. User Proxies
  • Minimize exposure of user’s private key
  • A temporary credential for use by our computations
  • We call this a user proxy certificate
  • Allows a process to act on behalf of the user
  • User-signed user proxy certificate stored in a local file
  • Proxy’s private key is not encrypted
  • Rely on file system security: the proxy certificate file must be readable only by the owner, and the proxy’s short lifetime bounds the damage if the file is stolen

  12. Delegation
  • Remote creation of a user proxy
  • Allows a remote process to act on behalf of the user
  • Avoids sending passwords or private keys across the network: the remote side generates its own key pair and only the certificate request and the proxy-signed certificate travel over the (authenticated) connection

  13. Single sign-on via “grid-id”
  (Diagram: the user signs on once with a Globus credential (certificate) and is issued a user proxy; the proxy authenticates to GRAM/GSI at Site 1 and Site 2, where the grid-id is mapped to local ids and processes are created. Labels on the figure: assignment of credentials to “user proxies”; mutual user-resource authentication; mapping to local ids; authenticated interprocess communication; GSSAPI with multiple low-level mechanisms (public key certificate, Kerberos ticket).)

  14. Installing Globus
  • Before you can use Globus, you need to install the Globus client-side software
    • Installation and administration of server-side software is discussed later
  • Ftp the Globus software from: ftp://ftp.globus.org/pub/globus
  • Follow the installation instructions at: http://www.globus.org/software

  15. Globus Authentication Setup
  • Before you can run Globus applications:
    • Obtain a Grid certificate and key
    • Set up your environment so Globus knows where to find certificates and keys
    • Contact sites to set up local accounts and gridmap entries
    • Create a proxy certificate for each application run
  • Documentation: http://www.globus.org/security

  16. Obtaining a Certificate
  • The program grid-cert-request is used to create a public/private key pair and a certificate request in ~/.globus/:
    • usercert_request.pem: certificate signing request (your subject name and public key, not yet signed by the CA)
    • userkey.pem: encrypted private key file; must be readable only by the owner
  • Mail usercert_request.pem to ca@globus.org (only the request is sent; the private key never leaves your machine)
  • Receive a Globus-signed certificate; place it in ~/.globus/usercert.pem
  • NCSA & NASA will use different approaches

  17. Your New Certificate
  • NTP is highly recommended: certificate and proxy validity periods are checked against the local clock, so a skewed clock produces spurious “not yet valid” or “expired” failures
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 28 (0x1c)
          Signature Algorithm: md5WithRSAEncryption
          Issuer: C=US, O=Globus, CN=Globus Certification Authority
          Validity
              Not Before: Apr 22 19:21:50 1998 GMT
              Not After : Apr 22 19:21:50 1999 GMT
          Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (1024 bit)
                  Modulus (1024 bit):
                      00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                      <snip>
                      b4:e1:54:e7:87:57:b7:d0:61
                  Exponent: 65537 (0x10001)
      Signature Algorithm: md5WithRSAEncryption
          59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
          <snip>
          8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17:
  • Note (editor): this 1998 certificate uses MD5-with-RSA and a 1024-bit key; both are considered weak today (MD5 collisions are practical, and 1024-bit RSA is below current minimums), so a CA set up now should sign with SHA-2 and issue at least 2048-bit keys

  18. Certificate and Key Data
  Sample usercert.pem:
  -----BEGIN CERTIFICATE-----
  MIICAzCCAWygAwIBAgIBCDANBgkqhkiG9w0BAQQFADBHMQswCQY
  <snip>
  u5tX5R1m7LrBeI3dFMviJudlihloXfJ2BduIg7XOKk5g3JmgauK4
  -----END CERTIFICATE-----
  Sample userkey.pem:
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,1E924694DBA7D9D1
  +W4FEPdn/oYntAJPw2tfmrGZ82FH611o1gtvjSKH79wdFxzKhnz474Ijo5Bl
  <snip>
  et5QnJ6hAO4Bhya1XkWyKHTPs/2tIflKn0BNIIIYM+s=
  -----END RSA PRIVATE KEY-----
  • The Proc-Type/DEK-Info headers mark the legacy OpenSSL PEM encryption: the 3DES key is derived from the pass phrase with a single MD5 pass and no salt beyond the IV, so a weak pass phrase is cheap to brute-force offline; choose a long one and keep the file mode 0600

  19. “Logging” onto the Grid
  • To run programs, authenticate to Globus:
    % grid-proxy-init
    Enter PEM pass phrase: ******
  • Creates a temporary, short-lived credential for use by our computations
  • The pass phrase decrypts the private key only inside grid-proxy-init, where it signs the new proxy certificate; the private key is not exposed past grid-proxy-init
  • Options for grid-proxy-init:
    -hours <lifetime of credential>
    -bits <length of key>
    -help

  20. Grid Sign-On With grid-proxy-init
  (Diagram: the user certificate file and the encrypted private key, unlocked with the pass phrase, are used by grid-proxy-init to produce the user proxy certificate file.)

  21. Proxy Information
  • To get proxy information run grid-proxy-info:
    % grid-proxy-info -subject
    /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster
  • Options for printing proxy information: -subject, -issuer, -type, -timeleft, -strength, -help
  • Options for scripting proxy queries:
    -exists -hours <lifetime of credential>  (true only if a proxy exists with at least that many hours left)
    -exists -bits <length of key>            (true only if the proxy key is at least that long)
  • Returns 0 status for true, 1 for false
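  Slides 11 and 21 together state the contract a client should enforce on its proxy file: the proxy’s private key is unencrypted, so the file must be owned by the user and unreadable by anyone else, and scripts test the remaining lifetime with grid-proxy-info -exists -hours. The following is an added example, written for this page and not part of Globus, that performs those checks in Python with only the standard library. It assumes a POSIX filesystem, takes the proxy’s notAfter time as an argument instead of parsing the PEM file, and the two sample proxy files and the fixed clock in demo() are constructed for the demonstration.

```python
"""Hygiene checks for a GSI-style proxy credential file (example code added to
this tutorial page, not Globus's own code). The proxy's private key is stored
unencrypted, so file ownership/permissions and a short lifetime are all that
protect it. Assumes a POSIX filesystem; GSI's default proxy path is
/tmp/x509up_u<uid>, but any path can be checked."""
import os
import shutil
import stat
import tempfile
from datetime import datetime, timedelta, timezone


def proxy_file_is_safe(path):
    """Return (ok, reason). The proxy must be a regular file (not a symlink),
    owned by the calling user, with no group or other permission bits."""
    try:
        st = os.lstat(path)  # lstat: a symlink planted at the path is rejected
    except FileNotFoundError:
        return False, "proxy file does not exist"
    if stat.S_ISLNK(st.st_mode):
        return False, "proxy file is a symbolic link"
    if not stat.S_ISREG(st.st_mode):
        return False, "proxy file is not a regular file"
    if st.st_uid != os.getuid():
        return False, "proxy file is not owned by the current user"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "mode %o grants access to group/other" % stat.S_IMODE(st.st_mode)
    return True, "ok"


def hours_left(not_after, now):
    """Remaining proxy lifetime in hours (never negative)."""
    return max(0.0, (not_after - now).total_seconds() / 3600.0)


def proxy_exists_with_hours(path, not_after, hours, now):
    """Mirror the shell contract of 'grid-proxy-info -exists -hours N':
    0 (true) if a safe proxy file exists with at least N hours left, else 1.
    not_after is the proxy certificate's notAfter time; this example takes it
    as an argument rather than parsing the PEM file (assumption)."""
    ok, _ = proxy_file_is_safe(path)
    if not ok:
        return 1
    return 0 if hours_left(not_after, now) >= hours else 1


def demo():
    """Constructed sample: two proxy files in a temp dir, one with mode 0600
    and one world-readable, both with a notional 12-hour lifetime."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    not_after = now + timedelta(hours=12)
    tmp = tempfile.mkdtemp()
    try:
        safe = os.path.join(tmp, "x509up_u1000")
        leaky = os.path.join(tmp, "x509up_u1000.leaky")
        for path, mode in ((safe, 0o600), (leaky, 0o644)):
            with open(path, "w") as f:
                f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n")
            os.chmod(path, mode)
        return {
            "safe_ok": proxy_file_is_safe(safe)[0],
            "leaky_ok": proxy_file_is_safe(leaky)[0],
            "leaky_reason": proxy_file_is_safe(leaky)[1],
            "hours_left": hours_left(not_after, now),
            "safe_has_8h": proxy_exists_with_hours(safe, not_after, 8, now),
            "safe_has_24h": proxy_exists_with_hours(safe, not_after, 24, now),
            "leaky_has_8h": proxy_exists_with_hours(leaky, not_after, 8, now),
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

  The permission test uses lstat rather than stat so that a symlink dropped at the proxy path by another local user is refused instead of silently followed, and it rejects any group/other bit, not just read bits, since a group-writable proxy can be replaced as easily as read. In production the notAfter value would come from the proxy certificate itself (for example from openssl x509 -enddate), which the tool grid-proxy-info -timeleft does for you.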

  22. Sample Gridmap File
  • Gridmap file maintained by Globus administrator
  • Entry maps Grid-id into local user name(s)
    # Distinguished name                                 Local username
    "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"      rpg
    "/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"    frost
    "/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"      u14543
    "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"          itf

  23. Remote Startup Mechanism
  (Diagram: the client holds its certificate, key and proxy; the gatekeeper holds the host certificate and key, the gridmap file and a services map, and starts the jobmanager.)
  1. Exchange certificates, authenticate, delegate
  2. Check gridmap file
  3. Lookup service
  4. Run service program (e.g. jobmanager)
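  Slides 22 and 23 separate authentication (GSI proves which grid identity is on the connection) from authorization (step 2, the gridmap lookup that decides which local account, if any, that identity may use). The following is an added example for this page, not Globus’s gatekeeper code, showing that lookup in Python. The sample gridmap is constructed from the entries on slide 22, with a comma-separated multi-account entry added to show that form; the stripping of trailing “CN=proxy” / “CN=limited proxy” components to recover the user’s own DN reflects legacy GSI proxy naming and is an assumption about how the identity is derived.

```python
"""Gridmap lookup as a gatekeeper performs it (example code added to this
tutorial page, not Globus's own implementation). Authentication tells us the
grid identity; the gridmap file is the authorization step that maps it to a
local account or refuses."""
import shlex

# Constructed sample gridmap based on the entries shown on slide 22; the
# comma-separated multi-account entry for the last DN is added for illustration.
SAMPLE_GRIDMAP = """\
# Distinguished name                                 Local username(s)
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"      rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"    frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"      u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"          itf,gridusr
"""

# Legacy GSI proxies append these components to the user's DN (assumption).
PROXY_SUFFIXES = ("CN=proxy", "CN=limited proxy")


def parse_gridmap(text):
    """Return {distinguished name: [local usernames]}. Each entry is a quoted
    DN (it contains spaces) followed by one or more comma-separated accounts."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the double quotes around the DN
        if len(parts) != 2:
            raise ValueError(f'gridmap line {lineno}: expected "<DN>" <user[,user...]>')
        dn, users = parts
        accounts = [u for u in users.split(",") if u]
        if not accounts:
            raise ValueError(f"gridmap line {lineno}: no local username")
        mapping[dn] = accounts
    return mapping


def user_identity(subject):
    """Recover the end-entity (user certificate) DN from a proxy subject by
    stripping trailing proxy components, e.g.
    '/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster/CN=proxy' -> '.../CN=Ian Foster'.
    Authorization is decided on the user's DN, never on the proxy's own name."""
    parts = subject.split("/")
    while len(parts) > 1 and parts[-1] in PROXY_SUFFIXES:
        parts.pop()
    return "/".join(parts)


def authorize(mapping, authenticated_subject, requested_user=None):
    """Return the local account the caller may run as, or None to refuse.
    With no requested user the first mapped account is used; an explicit
    request is granted only if it is one of the accounts mapped to that DN."""
    accounts = mapping.get(user_identity(authenticated_subject))
    if not accounts:
        return None  # authenticated, but no account at this site
    if requested_user is None:
        return accounts[0]
    return requested_user if requested_user in accounts else None


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    for subject, want in [
        ("/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster/CN=proxy", None),
        ("/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster/CN=proxy", "root"),
        ("/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Mallory/CN=proxy", None),
    ]:
        print(subject, want, "->", authorize(gridmap, subject, want))
```

  Two things to keep in mind when reading the lookup. The match is an exact string comparison on the DN, so which CAs the gatekeeper trusts is part of the authorization policy: any trusted CA can issue a certificate with a DN that appears in the gridmap. And a refused request is the safe default; a DN that authenticates fine but is absent from the file gets no account at all, which is what keeps a compromised proxy from one site from turning into a login everywhere.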

  24. Simple job submission
  • globus-job-run provides a simple RSH compatible interface:
    % grid-proxy-init
    Enter PEM pass phrase: *****
    % globus-job-run host program [args]

  25. globus-job-run: Beneath the covers
  (Diagram: globus-job-run asks MDS to map the host name to a contact string, builds an RSL string, starts a GASS server, and submits the request to the gatekeeper, which starts the jobmanager and the program; the program’s stdout flows back through the GASS server.)
  1. Lookup contact string
  2. Build RSL string
  3. Startup GASS server
  4. Submit request

  26. Exercise 1: Sign-On & Remote Process Creation
  • Use grid-proxy-init to create a proxy certificate:
    % grid-proxy-init
    Enter PEM pass phrase:
    ......................................+++++
    .....+++++
    (the dots and plus signs are the key generator’s progress output while the proxy’s key pair is created)
  • Use grid-proxy-info to query the proxy:
    % grid-proxy-info -subject
  • Use globus-job-run to start remote programs:
    % globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp

  27. Globus Components Being Used
  • GRAM: Globus Resource Allocation Manager
    • Create process on remote resource, deal with local resource managers
  • MDS: Metacomputing Directory Service
    • Map machine name into GRAM contact string
  • GSI: Grid Security Infrastructure
    • Authenticate to remote system
  • GASS: Global Access to Secondary Storage
    • Redirect standard output

  28. Globus Components in Action
  (Diagram: globus-job-run submits through GRAM; each site runs a gatekeeper that starts a jobmanager, which hands processes P1, P2 to the local scheduler: LSF, LoadLeveler or fork.)

  29. Summary
  • Grid security provides single sign-on capability
  • globus-job-run can be used to create a remote process
  • Differences between local schedulers are hidden by Globus
  • Strong authentication provided
  • Remote process creation can be added to applications by using Globus services

  30. Changes from 1.0 to 1.1
  • Tools are renamed
    • globus-proxy-{init,destroy} is now grid-proxy-{init,destroy}
    • globus-{cert,certreq} is now grid-cert-{info,request}
  • Tools are added
    • grid-proxy-info
    • grid-cert-renew
    • grid-mapfile-{add,delete}-entry
