
A Security Architecture for Computational Grids
Foster, Kesselman, Tsudik, and Tuecke
Presented by Mike Copenhafer
March 3, 2000
3.2.00

Motivation
Grids have unique characteristics:
large number of heterogeneous resources
dynamic resource requirements
multiple administrative domains


An Example


The Problem
How do we permit these computations to operate in a secure and transparent fashion?
Methodology:
requirements => policy => architecture


Requirements

Single sign-on
Interoperability with local security
Exportability
Secure group communication
Flexible policy


Grid Security Policy


A few definitions:

[Figure: resources, with labels Subject, Object and Trust Domain]

Grid Security Policy (2)


No influence over the local security policy
Access control decisions are made locally
No additional security operations are imposed on local operations

Operations between subjects and objects require mutual authentication (different domains)
[Figure: a resource in Trust Domain 1 and a resource in Trust Domain 2]

Grid Security Policy (3)


A process can act on behalf of a user
Both global and local subjects exist (*)
Global Subjects
Global => Local

[Figure: a Trust Domain containing resources]

Grid Security Policy (4)


Processes may share a single set of
credentials provided they also share:
Trust domain
"Parent" subject


Grid Security Architecture


Refine the security policy:
Specific set of subjects and objects
User proxy
Resource proxy

Set of four protocols that control object and subject interaction


User Proxy
A process which acts in place of the user
Uses its own credentials
Lifetime controlled by user

Addresses the single sign-on requirement


Hides user credentials


Resource Proxy
Translates interdomain security operations
to local security operations and vice versa
[Figure: RP translating Plaintext->SSL between a resource in Domain 1 (Plaintext) and a resource in Domain 2 (SSL)]

Provides interoperability between local security policies

The Protocols
Support for authentication only
No encrypted channels (exportable)


Protocol 1: User Proxy Creation


CUP = CU{user-id, validity interval, {host names}, {target sites}}
UP

Discussion:
Determining validity interval, set of hosts?
Implications of temporary credential
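
Added example (not from the slides, the paper, or the Globus code): a sketch of the Protocol 1 credential CUP and the checks a verifier applies to its validity interval, host names and target sites. HMAC-SHA256 with a constructed key stands in for the public-key signature made with the user's credential CU, so the block runs on the standard library alone; all names and values are constructed.

```python
import hashlib
import hmac
import json

def _tag(user_key, body):
    # Stand-in for "signed with CU": HMAC-SHA256 over the encoded fields.
    return hmac.new(user_key, body.encode(), hashlib.sha256).hexdigest()

def create_proxy_credential(user_key, user_id, not_before, not_after, hosts, sites):
    """Build CUP: the slide's fields plus a tag binding them to the user's key."""
    body = json.dumps({"user-id": user_id,
                       "validity": [not_before, not_after],
                       "hosts": sorted(hosts),
                       "sites": sorted(sites)}, sort_keys=True)
    return {"body": body, "tag": _tag(user_key, body)}

def check_proxy_credential(user_key, cred, now, proxy_host, target_site):
    """Return (accepted, reason); integrity is checked before any field is trusted."""
    if not hmac.compare_digest(_tag(user_key, cred["body"]), cred["tag"]):
        return False, "bad signature"
    fields = json.loads(cred["body"])
    not_before, not_after = fields["validity"]
    if not not_before <= now <= not_after:
        return False, "outside validity interval"
    if proxy_host not in fields["hosts"]:
        return False, "proxy host not listed"
    if target_site not in fields["sites"]:
        return False, "target site not listed"
    return True, "ok"

# Constructed sample values (not from the slides).
USER_KEY = b"constructed-demo-key"
HOST, SITE = "login.example.org", "site-a.example.org"
CRED = create_proxy_credential(USER_KEY, "alice", 1000, 4600, [HOST], [SITE])

if __name__ == "__main__":
    print(check_proxy_credential(USER_KEY, CRED, 2000, HOST, SITE))
    print(check_proxy_credential(USER_KEY, CRED, 5000, HOST, SITE))
    # Editing the validity interval after signing breaks the tag.
    stretched = dict(CRED, body=CRED["body"].replace("4600", "999999"))
    print(check_proxy_credential(USER_KEY, stretched, 5000, HOST, SITE))
```

A short validity interval limits how long a stolen proxy credential is useful, and the host and site lists limit where it is accepted, which is why those fields must be covered by the signature.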

Protocol 2a: Resource Allocation


[Figure: exchange between UP and RP, one row per message]
UP | CUP, CRP | RP
UP | Alloc Request | RP
UP | {user, resource} | RP
UP | CP{user, resource} | RP
RP | CP | p1, p2, p3

Discussion: same credential

Protocol 2b: Resource Allocation


From a process
Generalization of protocol 2a:

Process and its UP exchange CP and CUP


Process issues a signed request to UP
If OK, UP initiates protocol 2a
Process handle signed by UP and returned

Discussion: single user proxy



Protocol 3: Mapping Registration


Maps global subjects -> local subjects
User provides RP with credentials for both
global and local objects


Implementation
Globus Security Infrastructure (GSI)
All security algorithms coded in GSS
Standard API for obtaining credentials (only
passwords and certificates)

Deployed in GUSTO
Limited experience report


Lingering Concerns
Authentication only == no privacy
Requires knowledge of grid resources?
Global -> local mapping
User proxy contains set of target hosts
