Session10part1 Server Intro

Date post: 11-May-2015
Upload: issgc-summer-school
Page 1: Session10part1 Server Intro

Member of the Helmholtz Association

Introduction to UNICORE

07.07.2009 Rebecca Breu

Page 2: Session10part1 Server Intro

Outline

Security issues

UNICORE server components and how they interact

Bastian Demuth: server internals

Sessions 11 and 12: UNICORE clients, workflow basics

07.07.2009 Slide 2

Page 3: Session10part1 Server Intro

Security Issues

Grid resources communicate via the internet → no firewalls to protect them from the outside world

Intruders may . . .

read messages between resources

alter messages between resources

connect to two resources and relay messages between them: man-in-the-middle attack

flood resources with messages: denial-of-service attack

07.07.2009 Slide 3

Page 4: Session10part1 Server Intro

Encryption

Symmetric encryption:

Same key used to encrypt and decrypt a message

Disadvantage: every pair of users must exchange keys

Asymmetric encryption:

Each user owns a pair of keys, one private and one public

Public keys can be exchanged openly

Sender encrypts message with the receiver’s public key

Receiver decrypts message with his own private key

07.07.2009 Slide 4

Page 5: Session10part1 Server Intro

Digital Signing

Encryption:

Messages can’t be read or altered by intruders

How do we know where a message really comes from?

Digital signing:

Sender encrypts a message with his private key

Receiver decrypts the message with the sender’s public key

Main issue: Get sender’s public key from a trusted source

07.07.2009 Slide 5

Page 6: Session10part1 Server Intro

Certification Authorities

How do we know who is the real person behind a key?

→ Certification Authority (CA), e.g. GILDA, CA-Cert, . . .

User creates private key and a matching certificate request

User sends certificate request to a CA

CA checks user’s identity and signs the certificate request

CA sends user their signed public key (certificate)

Each key contains info about the user (real name, email) and the signer (CA).

07.07.2009 Slide 6

Page 7: Session10part1 Server Intro

SSL (Secure Sockets Layer)

SSL: secure network communication via private/public keys.

(Animated slide; its frames are combined into one exchange here.)

Client: Hello

Server: Here's my public key

Client: Do I trust the signer?

Client: Here's my public key

Server: Do I trust the signer?

Client: Please decrypt: Dx8Gwo (encrypted with the server's key)

Server: Please decrypt: k3oAS2 (encrypted with the client's key)

Both sides decrypt with their own private key and check

Client: Decrypted: i7Uay4

Server: Decrypted: PgD9mt

Both sides: Does it match?

07.07.2009 Slide 7

Page 17: Session10part1 Server Intro

SSL (Secure Sockets Layer)

Client connects to server

Server sends client its public key

Client checks if it trusts the signer of the server’s key

Server requests client’s public key

Server checks if it trusts the signer of the client’s key

Server and client check if the counterpart owns the private key belonging to the public key:

  exchange of random messages encrypted with the counterpart's public key

  the counterpart must decrypt the message with its private key

  the decrypted message must equal the original message

07.07.2009 Slide 8
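The CA issuance of Slide 6 and the two checks of Slides 7 and 8 ("Do I trust the signer?" and "Please decrypt"), as an added Go example that is not part of the original slides. It uses only the standard library; the names NewKey, Issue, TrustsSigner and ProvesKey are this example's own, and the encrypt/decrypt challenge follows the slide's description rather than the real TLS handshake, which proves key possession differently.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewKey generates the private key each user and server component owns (Slide 9).
func NewKey() *rsa.PrivateKey { key, _ := rsa.GenerateKey(rand.Reader, 2048); return key }

// Issue plays the CA of Slide 6: it signs a certificate binding cn to pub with the
// signer's key. parent == nil means self-signed, i.e. the CA's own root certificate.
func Issue(cn string, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent = tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // demo input is well-formed
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// TrustsSigner is the "Do I trust the signer?" step: the peer's certificate must chain to our CA.
func TrustsSigner(peer, trustedCA *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// ProvesKey is the "Please decrypt:" step: a random message is encrypted to the public key in
// the peer's certificate; only the holder of the private key (peerKey stands in for the peer) can answer.
func ProvesKey(peerCert *x509.Certificate, peerKey *rsa.PrivateKey) bool {
	challenge := make([]byte, 16)
	rand.Read(challenge)
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, peerCert.PublicKey.(*rsa.PublicKey), challenge, nil)
	answer, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, peerKey, ct, nil) // the peer's side
	return err == nil && bytes.Equal(answer, challenge)
}
```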

Page 18: Session10part1 Server Intro

Security in UNICORE

UNICORE has a strong security concept:

Each user has their own private key

Each server component has its own private key

Connections between users' clients and UNICORE servers use SSL

UNICORE server components use the users' keys for authentication and authorisation

UNICORE server components use SSL to connect to each other

07.07.2009 Slide 9

Page 20: Session10part1 Server Intro

UNICORE Architecture

Global registry: central point of a UNICORE grid; keeps track of all available services

Gateway: "door to the outside world" in the firewall; may serve several resources behind one firewall

unicorex: central point for job processing and management; checks the user's certificate with the XUUDB

XUUDB (UNICORE user database): mapping between user certificates, user logins and roles

TSI (Target System Interface): submits jobs to the batch system

Components use SSL connections

07.07.2009 Slide 11

Page 21: Session10part1 Server Intro

The Registry

The Registry:

Provide clients with information about services

Two kinds: global / local

Global or central registry:

Serves as the 'Grid': knows all target systems and workflow services; services dynamically register with (one or more) registries

Local registry per service container (e.g. unicorex)

For registering service instances

Full WS-RF Service

UNICORE Registry in Gilda: https://gilda-lb-01.ct.infn.it:8080/REGISTRY/services/Registry?res=default_registry

07.07.2009 Slide 12

Page 22: Session10part1 Server Intro

The Global Registry

(Animated slide.) Resources publish themselves to the global registry; a client contacts the registry and asks "What resources do you know?"; the registry answers with the list of resources.

07.07.2009 Slide 13

Page 27: Session10part1 Server Intro

Registry Entries

Registry entries as seen with the Eclipse Client (expert view):

07.07.2009 Slide 14

Page 28: Session10part1 Server Intro

When a job is being submitted . . .

(Diagram columns: Client, Gateway, unicorex, XUUDB, TSI)

Client establishes an SSL connection to the Gateway

Client contacts unicorex via the Gateway

Client sends a signed abstract job to unicorex

unicorex asks the XUUDB if the user belonging to the certificate is allowed to execute jobs

unicorex gets the login from the XUUDB

unicorex translates the abstract job into a machine-dependent script

unicorex sends the machine-dependent script to the TSI

07.07.2009 Slide 15


Page 35: Session10part1 Server Intro

Jobs

Abstract job definitions:

Given in JSDL (Job Submission Description Language)

XML specification from the Global Grid Forum

Contain, for example:

  job name and description

  resource requirements (RAM, number of CPUs needed, . . . )

  information about transferring files before or after execution

  an application name and version

Each job has a lifetime; after that, its data is deleted from the server

07.07.2009 Slide 16

Page 36: Session10part1 Server Intro

The Gateway

The Gateway:

The Gateway talks to clients and servers located at other sites

All communication from the server components of this site goes via the Gateway

The Gateway must trust the CAs of the users

Users must trust the CA of the Gateway

UNICORE Gateway of Gilda: https://gilda-lb-01.ct.infn.it:8080

The UNICORE Registry of Gilda: https://gilda-lb-01.ct.infn.it:8080/REGISTRY/services/Registry?res=default_registry

A unicorex of Gilda: https://gilda-lb-01.ct.infn.it:8080/REGISTRY/GILDA-CATANIA

07.07.2009 Slide 17

Page 37: Session10part1 Server Intro

The unicorex

unicorex:

Authorises requests using the authorisation service XUUDB

Translates the abstract job into a concrete job for the target system via the IDB

Provides storage resources

Provides file transfer services

Provides job management services

07.07.2009 Slide 18

Page 38: Session10part1 Server Intro

The XUUDB

XUUDB:

Maps user certificates to logins on that machine

Assigns roles (user, admin, . . . )

Nr | GcID    | Xlogin | Role | Projects | DN
---+---------+--------+------+----------+-------------------------------------------------------------
1  | OMII_EI | rbreu  | user |          | CN=Rebecca Breu, OU=JSC, OU=Forschungszentrum Juelich GmbH, O=GridGermany, C=DE
2  | OMII_EI | sandra | user |          | EMAILADDRESS=s.bergmann@fz-juelich.de, CN=Sandra Bergmann, OU=ZAM, O=Research Center Juelich, L=Juelich, ST=NRW, C=DE

07.07.2009 Slide 19

Page 39: Session10part1 Server Intro

The TSI

The TSI . . .

forks a process which runs with the user’s ID

creates a temporary directory on the target system (uspace)

changes current working directory to uspace

submits job to local batch system

Input and output:

all input needed for the job has to be copied into the uspace

all output that is to survive the end of job execution has to be copied elsewhere

Terms used:

File import: file transfer from somewhere into the uspace

File export: file transfer from the uspace to somewhere

07.07.2009 Slide 20

Page 40: Session10part1 Server Intro

The Uspace

07.07.2009 Slide 21

Page 42: Session10part1 Server Intro

IDB: Incarnation Database

The IDB is a file with rules for translating abstract jobs into executable scripts.

  <idb:IDBApplication>
    <idb:ApplicationName>Bash shell</idb:ApplicationName>
    <idb:ApplicationVersion>3.1.16</idb:ApplicationVersion>
    <jsdl:POSIXApplication xmlns:jsdl="http://schemas.ggf.org/jsdl/2005/11/jsdl-posix">
      <jsdl:Executable>/bin/bash</jsdl:Executable>
      <jsdl:Argument>--debugger$DEBUG?</jsdl:Argument>
      <jsdl:Argument>-v$VERBOSE?</jsdl:Argument>
      <jsdl:Argument>$ARGUMENTS?</jsdl:Argument>
      <jsdl:Argument>$SOURCE?</jsdl:Argument>
    </jsdl:POSIXApplication>
  </idb:IDBApplication>

07.07.2009 Slide 23
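An added example (not UNICORE's own code) of the incarnation step described on this slide: the IDB fragment from the slide is parsed and expanded with the user's job variables into an argv for the target system. The rule that a $NAME? argument is dropped when NAME is unset is an assumption of this example, as are the names idbFragment, IDBApplication and Incarnate; the security point it shows is that user-supplied values stay single argv elements rather than being spliced into a shell command line.

```go
package main

import (
	"encoding/xml"
	"regexp"
)

// IDB fragment from the slide, embedded as constructed input (idb: prefix left undeclared).
const idbFragment = `<idb:IDBApplication>
  <idb:ApplicationName>Bash shell</idb:ApplicationName>
  <idb:ApplicationVersion>3.1.16</idb:ApplicationVersion>
  <jsdl:POSIXApplication xmlns:jsdl="http://schemas.ggf.org/jsdl/2005/11/jsdl-posix">
    <jsdl:Executable>/bin/bash</jsdl:Executable>
    <jsdl:Argument>--debugger$DEBUG?</jsdl:Argument>
    <jsdl:Argument>-v$VERBOSE?</jsdl:Argument>
    <jsdl:Argument>$ARGUMENTS?</jsdl:Argument>
    <jsdl:Argument>$SOURCE?</jsdl:Argument>
  </jsdl:POSIXApplication>
</idb:IDBApplication>`

// Go's decoder matches by local name, so the undeclared idb: prefix is harmless here.
type IDBApplication struct {
	Executable string   `xml:"POSIXApplication>Executable"`
	Arguments  []string `xml:"POSIXApplication>Argument"`
}

// $NAME or $NAME?; the trailing "?" marks the whole argument as optional.
var placeholder = regexp.MustCompile(`\$([A-Za-z_][A-Za-z0-9_]*)(\??)`)

// Incarnate expands the IDB template with the user's job variables into an argv.
// Assumed rule: an argument whose $NAME? variable is unset is dropped entirely.
// Each value stays a single argv element, never joined into a shell line, so "; cmd" in a value is data.
func Incarnate(doc string, vars map[string]string) ([]string, error) {
	var app IDBApplication
	if err := xml.Unmarshal([]byte(doc), &app); err != nil {
		return nil, err
	}
	argv := []string{app.Executable}
	for _, tmpl := range app.Arguments {
		drop := false
		arg := placeholder.ReplaceAllStringFunc(tmpl, func(m string) string {
			sub := placeholder.FindStringSubmatch(m)
			val, set := vars[sub[1]]
			drop = drop || (!set && sub[2] == "?")
			return val
		})
		if !drop {
			argv = append(argv, arg)
		}
	}
	return argv, nil
}
```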

Page 43: Session10part1 Server Intro

UNICORE Quickstart

Easy installation and usage of UNICORE server components with the Quickstart bundle, containing:

all needed server components

demo certificates

an easy-to-use graphical installer

07.07.2009 Slide 24

Page 44: Session10part1 Server Intro

UNICORE LiveCD

The UNICORE LiveCD contains

complete Linux system

automatically starting server components

pre-configured clients

07.07.2009 Slide 25

Page 45: Session10part1 Server Intro

Visit UNICORE on the internet

Downloads, information, documentation, . . . :

http://www.unicore.eu

07.07.2009 Slide 26

