Globus Grid Tutorial Part 1: Security and Remote Process Creation
Security and Remote Process Creation 2
Goals of this Tutorial
Learn how to start a process on a remote resource
Examples of applications that use this operation:
  Desktop supercomputing applications (e.g., ECCE', Cactus, WebFlow)
  Network-enabled servers (e.g., NEOS, NetSolve)
Desktop Supercomputing
Seamlessly, from the desktop:
  Sign on once
  Locate available computers
  Start computation on an appropriate system
  Monitor progress
  Get [subsampled] output files
  Manipulate locally
E.g., astrophysics, chemistry, environmental models
Also WebFlow, LSA, others
WebFlow Grid Interface
Dataflow computing interface to grid computing (Fox, Haupt: Syracuse)
Globus services for:
  Authentication
  Process creation and management
Applications include nanomaterials
Network-Enabled Servers
[Figure: Application, Resource broker, Backend (code, expertise); the request shown is "Solver X, problem Y, cost 100, time 20 secs"]
Seamless access of remote resources
Examples: NEOS, NetSolve, Nimrod
Issues:
  Scheduling for real-time & high-throughput
  Code management & security
  Algorithm design
Problems
Security: how do we authenticate ourselves at the remote site?
Resource specification: how do we locate and request a resource?
Staging of code and data: how do we stage a user's executables and data to the remote resource?
Computation: how do we start & manage computation?
The Globus Advantage
Single sign-on for all resources
  No need to keep track of accounts and passwords at multiple sites
  No plaintext passwords
Uniform interface to various local scheduling mechanisms (LSF, NQE, LoadLeveler, fork, etc.)
  No need to learn and remember obscure command sequences at different sites
Support for staging, etc.; see later
Authentication Model
Authentication is done on a "user" basis
Single authentication step allows access to all grid resources
No communication of plaintext passwords
Most sites will use conventional account mechanisms
  You must have an account on a resource to use that resource
Sites may use "generic" Grid accounts
  Not common, but Globus can deal with it
Grid Security Infrastructure
Based on public key technology
Standard X.509 certificate, same as certificates used for the Web
Each user has:
  a Grid user id (called a Subject Name)
  a private key (like a password)
  a certificate signed by a Certificate Authority (CA)
A "gridmap" file at each site specifies grid-id to local-id mapping
Certificate Based Authentication
User has a certificate, signed by a trusted "certificate authority" (CA)
  Certificate contains user's name and public key
  Globus project operates a CA
Authentication is a challenge-response: the user's private key is used to sign (encode) a challenge string, and the public key from the certificate is used to verify (decode) it
  If the response verifies under the certificate's public key, you know the peer holds the private key for that certificate, and hence who the user is
Treat your private key carefully!!
  Private key is stored in encrypted form (protected by a pass phrase)
User Proxies
Minimize exposure of user's private key
A temporary credential for use by our computations
  We call this a user proxy certificate
  Allows process to act on behalf of user
User-signed user proxy certificate stored in local file
Proxy's private key is not encrypted
  Rely on file system security: proxy certificate file must be readable only by the owner
Delegation
Remote creation of a user proxy
Allows remote process to act on behalf of the user
Avoids sending passwords or private keys across the network
Single sign-on via "grid-id"
[Figure: the User holds a Globus Credential and creates a User Proxy. At Site 1 (Kerberos), GRAM and GSI start Processes that hold Tickets; at Site 2 (Public Key), GRAM and GSI start Processes that hold Certificates; the processes use authenticated interprocess communication. Callouts: CREDENTIAL; GSSAPI: multiple low-level mechanisms; Mutual user-resource authentication; Mapping to local ids; Assignment of credentials to "user proxies"]
Installing Globus
Before you can use Globus, you need to install the Globus client-side software
  Installation and administration of server-side software is discussed later
Ftp the Globus software from: ftp://ftp.globus.org/pub/globus
Follow the installation instructions at: http://www.globus.org/software
Globus Authentication Setup
Before you can run Globus applications:
  Obtain a Grid certificate and key
  Set up your environment so Globus knows where to find certificates and keys
  Contact sites to set up local accounts and gridmap entries
  Create a proxy certificate for each application run
Documentation: http://www.globus.org/security
Obtaining a Certificate
The program grid-cert-request is used to create a public/private key pair and an unsigned certificate request in ~/.globus/:
  usercert_request.pem: unsigned certificate (request) file
  userkey.pem: encrypted private key file; must be readable only by the owner
Mail usercert_request.pem to [email protected]
Receive a Globus-signed certificate
  Place it in ~/.globus/usercert.pem
NCSA & NASA will use different approaches
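The two file rules on these slides (userkey.pem is pass-phrase encrypted and readable only by the owner; the proxy file holds an unencrypted key and relies entirely on file system permissions) are easy to state and easy to get wrong. The following is an added example, not Globus code: a checker that applies both rules to a PEM credential file. The 0600-style permission rule and the encrypted/unencrypted distinction come from the tutorial; the symlink and ownership checks, the function names, and the constructed sample files (which contain no real key material) are this example's own assumptions.

```python
"""Check that GSI credential files are protected the way the tutorial requires.

Added example, not Globus code. The permission rule (readable only by the owner)
and the fact that userkey.pem is pass-phrase encrypted while the proxy's private
key is not come from the tutorial; the other checks are this example's assumptions.
"""
import os
import stat
import tempfile


def inspect_credential_file(path, expect_encrypted):
    """Return a list of problems found with a PEM credential file (empty list = OK)."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")  # a link could point at someone else's file
        st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group/other (mode %o)" % stat.S_IMODE(st.st_mode))
    if st.st_uid != os.geteuid():
        problems.append("not owned by the current user")
    with open(path, "r", errors="replace") as f:
        text = f.read()
    # OpenSSL marks a pass-phrase protected PEM key with these two headers.
    encrypted = "Proc-Type: 4,ENCRYPTED" in text and "DEK-Info:" in text
    if expect_encrypted and not encrypted:
        problems.append("private key is not pass-phrase encrypted")
    if not expect_encrypted and encrypted:
        problems.append("proxy key is encrypted; unattended jobs cannot use it")
    return problems


# Constructed sample content: NOT real keys, only the PEM headers that matter here.
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "<constructed, not a real key>\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PROXY_FILE = (
    "-----BEGIN CERTIFICATE-----\n<constructed>\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n<constructed>\n-----END RSA PRIVATE KEY-----\n"
)


def write_sample(content, mode):
    """Write constructed content to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(prefix="gsi-example-")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, mode)
    return path


def demo():
    """Compare a correctly protected userkey.pem with a world-readable proxy file."""
    good_key = write_sample(ENCRYPTED_KEY, 0o600)
    bad_proxy = write_sample(PROXY_FILE, 0o644)
    try:
        return {
            "userkey.pem (0600, encrypted)": inspect_credential_file(good_key, expect_encrypted=True),
            "proxy (0644, unencrypted)": inspect_credential_file(bad_proxy, expect_encrypted=False),
        }
    finally:
        os.unlink(good_key)
        os.unlink(bad_proxy)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or ["OK"])
```

Run it against a real ~/.globus/userkey.pem with expect_encrypted=True and against the proxy file written by grid-proxy-init with expect_encrypted=False; anything other than an empty list means the file does not meet the slides' requirements.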
Your New Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 28 (0x1c)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Globus, CN=Globus Certification Authority
        Validity
            Not Before: Apr 22 19:21:50 1998 GMT
            Not After : Apr 22 19:21:50 1999 GMT
        Subject: C=US, O=Globus, O=NACI, OU=SDSC, CN=Richard Frost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                    <snip>
                    b4:e1:54:e7:87:57:b7:d0:61
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
        <snip>
        8d:cd:7c:7e:49:68:15:7e:5f:24:23:54:ca:a2:27:f1:35:17:
NTP is highly recommended: the Validity window is checked against the local clock, so a skewed clock makes a valid certificate or proxy look not-yet-valid or expired
(md5WithRSAEncryption and 1024-bit RSA keys were standard in 1998; neither is considered acceptable today)
Certificate and Key Data
Sample usercert.pem:
-----BEGIN CERTIFICATE-----
MIICAzCCAWygAwIBAgIBCDANBgkqhkiG9w0BAQQFADBHMQswCQY
<snip>
u5tX5R1m7LrBeI3dFMviJudlihloXfJ2BduIg7XOKk5g3JmgauK4
-----END CERTIFICATE-----
Sample userkey.pem:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1E924694DBA7D9D1

+W4FEPdn/oYntAJPw2tfmrGZ82FH611o1gtvjSKH79wdFxzKhnz474Ijo5Bl
<snip>
et5QnJ6hAO4Bhya1XkWyKHTPs/2tIflKn0BNIIIYM+s=
-----END RSA PRIVATE KEY-----
"Logging" onto the Grid
To run programs, authenticate to Globus:
  % grid-proxy-init
  Enter PEM pass phrase: ******
Creates a temporary, short-lived credential for use by our computations
Private key is not exposed past grid-proxy-init
Options for grid-proxy-init:
  -hours <lifetime of credential>
  -bits <length of key>
  -help
Grid Sign-On With grid-proxy-init
[Figure: grid-proxy-init reads the user certificate file and the encrypted private key, unlocks the key with the pass phrase, and writes the user proxy certificate file]
Proxy Information
To get proxy information run grid-proxy-info:
  % grid-proxy-info -subject
  /C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster
Options for printing proxy information:
  -subject -issuer -type -timeleft -strength -help
Options for scripting proxy queries (return 0 status for true, 1 for false):
  -exists -hours <lifetime of credential>
  -exists -bits <length of key>
Sample Gridmap File
# Distinguished name                                   Local
#                                                      username
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"        rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"      frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"        u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"            itf
Gridmap file maintained by Globus administrator
Entry maps Grid-id into local user name(s)
Remote Startup Mechanism
[Figure: the client (key, cert) connects to the gatekeeper (key, cert); the gatekeeper consults the gridmap (map) and its services table, then starts the jobmanager]
1. Exchange certificates, authenticate, delegate
2. Check gridmap file
3. Lookup service
4. Run service program (e.g. jobmanager)
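Steps 2 and 3 of the gatekeeper sequence above, together with the gridmap file shown on the previous slide, are the whole authorization decision: an authenticated subject name either maps to a local account and a known service, or the request is refused. The following is an added example, not Globus source code, that models exactly those two steps over a gridmap in the page's format. Step 1 (GSI mutual authentication and delegation) is assumed to have already produced the peer's subject name; the comma-separated multiple local names, the services table layout, and the "/CN=proxy" suffix stripping are assumptions of this example.

```python
"""Model of the gatekeeper's authorization steps 2 and 3 (check gridmap, look up service).

Added example, not Globus source code. Step 1 (GSI mutual authentication and
delegation) is assumed to have already produced the peer's authenticated subject
name; this code only models what the gatekeeper does with that name. The gridmap
format (quoted DN, whitespace, local user name) follows the sample on this page;
comma-separated multiple local names and the services table are assumptions.
"""
import shlex

# Constructed gridmap in the format shown on the page (not a real site's file).
GRIDMAP = '''
# Distinguished name                                   Local username
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup"        rpg
"/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Richard Frost"      frost
"/C=US/O=Globus/O=USC/OU=ISI/CN=Carl Kesselman"        u14543
"/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster"            itf,foster
'''

# Constructed services table (assumed layout): service name -> program to run.
SERVICES = {
    "jobmanager": "/usr/local/globus/libexec/globus-jobmanager",
    "jobmanager-lsf": "/usr/local/globus/libexec/globus-jobmanager -type lsf",
}


def parse_gridmap(text):
    """Return {subject_name: [local users]} from gridmap text.

    Each non-comment line is a quoted distinguished name followed by one or more
    comma-separated local user names. shlex handles the quoting, so a DN that
    contains spaces (CN=Ian Foster) stays one token.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 2:
            raise ValueError("gridmap line %d: expected DN and user names, got %r" % (lineno, raw))
        subject, users = fields
        if not subject.startswith("/"):
            raise ValueError("gridmap line %d: subject is not a /C=... distinguished name" % lineno)
        mapping[subject] = [u for u in users.split(",") if u]
    return mapping


def proxy_subject_to_identity(proxy_subject):
    """Strip trailing '/CN=proxy' components so a proxy maps to its owner's entry.

    The page says a proxy is a user-signed credential acting on the user's behalf;
    the exact '/CN=proxy' marker is an assumption of this example.
    """
    while proxy_subject.endswith("/CN=proxy"):
        proxy_subject = proxy_subject[: -len("/CN=proxy")]
    return proxy_subject


def authorize(peer_subject, service, gridmap, services):
    """Decide what the gatekeeper should run for an authenticated peer.

    Returns (local_user, program) or raises PermissionError / LookupError.
    The first local user listed is taken as the default account (an assumption).
    """
    identity = proxy_subject_to_identity(peer_subject)
    if identity not in gridmap:               # step 2: not in gridmap -> refuse
        raise PermissionError("subject %r has no gridmap entry" % identity)
    if service not in services:               # step 3: unknown service -> refuse
        raise LookupError("unknown service %r" % service)
    return gridmap[identity][0], services[service]


def demo():
    """Run the checks for a proxy of a mapped user, a stranger, and a bad service."""
    gridmap = parse_gridmap(GRIDMAP)
    results = {}
    results["foster"] = authorize(
        "/C=US/O=Globus/O=ANL/OU=MCS/CN=Ian Foster/CN=proxy", "jobmanager", gridmap, SERVICES)
    try:
        authorize("/C=US/O=Globus/O=Elsewhere/CN=Nobody", "jobmanager", gridmap, SERVICES)
    except PermissionError as e:
        results["stranger"] = str(e)
    try:
        authorize("/C=US/O=Globus/O=NPACI/OU=SDSC/CN=Rich Gallup", "jobmanager-nqe", gridmap, SERVICES)
    except LookupError as e:
        results["bad-service"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The point of the model is the order of the checks: a peer that authenticates perfectly in step 1 but has no gridmap entry is refused before any service name is even looked at, which is why the slides call the gridmap the site's grid-id to local-id policy rather than a convenience table.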
Simple job submission
globus-job-run provides a simple RSH-compatible interface:
  % grid-proxy-init
  Enter PEM pass phrase: *****
  % globus-job-run host program [args]
globus-job-run: Beneath the covers
[Figure: globus-job-run takes a host name and program; MDS returns the contact string, the RSL string goes to the gatekeeper, the jobmanager runs the program, and stdout flows back through a GASS server]
1. Lookup contact string (MDS)
2. Build RSL string
3. Startup GASS server
4. Submit request (gatekeeper, jobmanager)
Exercise 1: Sign-On & Remote Process Creation
Use grid-proxy-init to create a proxy certificate:
  % grid-proxy-init
  Enter PEM pass phrase:
  ......................................+++++.....+++++
Use grid-proxy-info to query the proxy:
  % grid-proxy-info -subject
Use globus-job-run to start remote programs:
  % globus-job-run jupiter.isi.edu /usr/bin/ls -l /tmp
Globus Components Being Used
GRAM: Globus Resource Allocation Manager
  Create process on remote resource, deal with local resource managers
MDS: Metacomputing Directory Service
  Map machine name into GRAM contact string
GSI: Grid Security Infrastructure
  Authenticate to remote system
GASS: Global Access to Secondary Storage
  Redirect standard output
Globus Components in Action
[Figure: globus-job-run contacts three GRAM gatekeepers; each gatekeeper starts a jobmanager that uses a different local scheduler (fork, LSF, LoadLeveler) to run processes P1 and P2]
Summary
Grid security provides single sign-on capability
globus-job-run can be used to create a remote process
Differences between local schedulers are managed by Globus
Strong authentication provided
Remote process creation can be added to applications by using Globus services
Changes from 1.0 to 1.1
Tools are renamed:
  globus-proxy-{init,destroy} is now grid-proxy-{init,destroy}
  globus-{cert,certreq} is now grid-cert-{info,request}
Tools are added:
  grid-proxy-info
  grid-cert-renew
  grid-mapfile-{add,delete}-entry