Title: Secure Distributed Objects for Grid Applications
1. Secure Distributed Objects for Grid Applications
- Laurent Baduel, Arnaud Contes, Denis Caromel
- OASIS team http://www.inria.fr/oasis
- ProActive http://proactive.objectweb.org
2. Outline
- Context
- ProActive overview
- Abstract Deployment model
- Security Model
- Security Entities
- Security Policies
- Example
- Conclusion
3. The ProActive Middleware
- A Java API and Tools for Parallel Distributed Computing
- A uniform framework: Active Object (AO) pattern
- one thread, owns passive objects, remotely accessible
- Programming model
- groups, mobility, components, security
- A formal model
- Determinism, Insensitivity to deployment
4. Deployment Model
- Virtual Nodes
- Identified as a string name, used in program source, configured (mapped) in an XML descriptor file
- 2 distinct steps
Development: Source Code
Deployment: XML Descriptor
Active Objects -> VN, VN -> Runtimes (JVMs) -> Hosts
5. A ProActive Application
6. Multiple Deployment Issues
Different Deployments -> Different Security Policies
One Host
Cluster
Grid
7. Issues and Goals
- Authentication of Computers, Users, and Applications
- Creation, connection to, and monitoring of activities
- Authentication, Integrity and Confidentiality (AIC) of communications
- Several levels of security policies: users, resource providers, administrators
- Main objective: Facilitate the use and the management of security features by removing them from the source code
8. Outline
- Context
- ProActive overview
- Abstract Deployment model
- Security Model
- Security Entities
- Security Policies
- Example
- Conclusion
9. Security Entity Model
- Generic definition, composed of a security manager and a protected object
- Subject of security policies
- Transparent for the protected object (meta object protocol)
- No supposition on the protected object (runtimes, nodes, active objects, ...)
- Hierarchical structure
10. Security Entities
Protected Object
11. Application Authentication
- SPKI
- Certificate chain
- No Certificate Authority
Application certificate
User certificate
certificates for active objects, nodes
Certificate chain
12. Hierarchical Security Policies
Administrator policy
- Security policy is defined according to all matching rules from
- Domains / Runtime
- Virtual Node
- Active Object
Application-level policy
Final Security policy
Resource provider policy
13. Security Rule
Entities -> Entities Interactions Security Attributes
- Attributes
- Authentication
- Integrity
- Confidentiality
- Each attribute can be
- Allowed
- Optional
- Disallowed
- Interactions
- JVMCreation
- NodeCreation
- CodeLoading
- ObjectCreation
- ObjectMigration
- Request
- Reply
- Listing
- Entities
- Domain
- User
- Virtual Node
- Object
14. Descriptor Security Model
- A key principle
- Specify security policies in the XML deployment, NOT IN SOURCE CODE!
- In program source
- Virtual Node (VN, a string name)
- In XML descriptors
- List of policy rules between virtual nodes, runtimes, domains, ...
15. Security Example
- 2 domains GridA, GridB with security policies
- Domain GridA -> Domain GridB Q,P,M A,I,C
- Domain GridB -> Domain GridA Q,P,M A,I,C
- Application
- 2 Virtual Nodes (vn1, vn2)
- 2 Active objects
16. Descriptor with Security
- VirtualNodes vn1, vn2
- SECURITY
- VN vn1 -> VN vn2 Q,P ?A,?I,?C
- VN vn1 -> VN vn2 M Forbidden
- VN vn2 -> VN vn1 Q,P ?A,?I,?C
- VN vn2 -> VN vn1 M Forbidden
- Domain GridA -> Domain GridB Q,P,M A,I,C
- Domain GridB -> Domain GridA Q,P,M A,I,C
- Mapping
- vn1 --> GridAComputers, GridBComputers
- vn2 --> GridAComputers
- JVMs
- //
17. Example: std. code, no security
//
proActiveDescriptor.activateMappings();
vn1 = proActiveDescriptor.getVirtualNode("vn1");
vn2 = proActiveDescriptor.getVirtualNode("vn2");
//
Flower rose = (Flower) ProActive.newActive(Flower.class, new Object[] { "Rose" }, vn1.getNode());
Flower daliah = (Flower) ProActive.newActive(Flower.class, new Object[] { "Daliah" }, vn2.getNode());
/* next VN1 node inside the same domain */
rose.migrateTo(vn1);
/* communication inside the same domain */
rose.sayHelloTo(daliah);
/* next VN1 node, other domain */
rose.migrateTo(vn1);
/* communication with another domain */
rose.sayHelloTo(daliah);
/* other virtual node, forbidden */
rose.migrateTo(vn2);
18-20. Example
[Diagram, repeated on slides 18 to 20: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
21. Example
Migration - same VN - same domain
Can I migrate to the next VN1 node?
[Diagram: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
22. Example
Migration - same VN - same domain
1 - Retrieve VN policy
2 - migration allowed
[Diagram: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
23. Example
Migration - same VN - same domain
[Diagram: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
24. Example
Migration - same VN - same domain
Negotiated Policy: Rose -> Daliah ?A,?I,?C
Receive a method call: Daliah -> Rose ?A,?I,?C
Perform a method call: Rose -> Daliah ?A,?I,?C
[Diagram: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
25. Example
Migration - same VN - same domain
[Diagram: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
26. Example
Migration - same VN - other domain
Can I migrate to the next VN1 node on GridB domain?
[Diagram: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
27. Example
Migration - same VN - other domain
1 - VN1 policy -> none
2 - GridA -> GridB A,I,C
3 - migration with A,I,C
[Diagram: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
28. Example
Migration - same VN - other domain
[Diagram: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
29. Example
Method call - other VN - other domain
From Rose --> Daliah
Negotiated Policy: Rose -> Daliah A,I,C
Receive a method call: Daliah -> Rose A,I,C
Perform a method call: Rose -> Daliah A,I,C
[Diagram: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
30. Example
Migration - other VN
From Rose --> Daliah
Migration to VN2? VN1 -> VN2 -M
NO!
[Diagram: Domain GridA, Domain GridB, VN1, VN2, Runtime, Policy rules database]
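The policy lookup walked through on slides 21 to 30, written out as an added Java example (not ProActive's code and not part of the original slides). It assumes Q, P and M stand for request, reply and migration, that an unmarked A,I,C is mandatory while ?A,?I,?C is optional, and that an interaction matched by no rule is allowed without attributes, as the outcome on slide 22 suggests; the entity strings and the negotiate method are hypothetical names.

```java
import java.util.*;

// Added illustration; not ProActive code. Requires Java 16+ (records).
public class PolicyWalkthrough {
    // attrs uses the slides' notation: "A,I,C", "?A,?I,?C" (optional); null means Forbidden.
    record Rule(String from, String to, String interactions, String attrs) {}

    // Rules of slide 16. Assumed letters: Q = request, P = reply, M = migration.
    static final List<Rule> RULES = List.of(
        new Rule("VN vn1", "VN vn2", "QP", "?A,?I,?C"),
        new Rule("VN vn1", "VN vn2", "M", null),
        new Rule("VN vn2", "VN vn1", "QP", "?A,?I,?C"),
        new Rule("VN vn2", "VN vn1", "M", null),
        new Rule("Domain GridA", "Domain GridB", "QPM", "A,I,C"),
        new Rule("Domain GridB", "Domain GridA", "QPM", "A,I,C"));

    // src and dst name every entity the caller and the target belong to (virtual node, domain).
    static String negotiate(Set<String> src, Set<String> dst, char interaction) {
        Map<Character, Boolean> mandatory = new LinkedHashMap<>(); // attribute -> mandatory?
        for (Rule r : RULES) {
            if (!src.contains(r.from()) || !dst.contains(r.to())
                    || r.interactions().indexOf(interaction) < 0) continue;
            if (r.attrs() == null) return "DENIED";                // a forbidding rule wins
            for (String a : r.attrs().split(",")) {
                char name = a.charAt(a.length() - 1);
                // Assumption: a mandatory attribute from any level overrides an optional one.
                mandatory.merge(name, !a.startsWith("?"), Boolean::logicalOr);
            }
        }
        if (mandatory.isEmpty()) return "ALLOWED, no attributes";  // assumption: no rule, no constraint
        StringJoiner out = new StringJoiner(",", "ALLOWED with ", "");
        mandatory.forEach((name, must) -> out.add((must ? "" : "?") + name));
        return out.toString();
    }

    public static void main(String[] args) {
        Set<String> vn1A = Set.of("VN vn1", "Domain GridA"); // rose, or a vn1 node, in GridA
        Set<String> vn1B = Set.of("VN vn1", "Domain GridB"); // a vn1 node in GridB
        Set<String> vn2A = Set.of("VN vn2", "Domain GridA"); // daliah
        System.out.println("slide 22: " + negotiate(vn1A, vn1A, 'M'));
        System.out.println("slide 24: " + negotiate(vn1A, vn2A, 'Q'));
        System.out.println("slide 27: " + negotiate(vn1A, vn1B, 'M'));
        System.out.println("slide 29: " + negotiate(vn1B, vn2A, 'Q'));
        System.out.println("slide 30: " + negotiate(vn1B, vn2A, 'M'));
    }
}
```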
31. Conclusion
- Transparent to application
- Take care of a hierarchy of security policies
- Security can be adapted to application deployment
32. Thank you for your time
- Questions?
33. Security Context Propagation
- Grid Applications are dynamic
- Acquire resources
- Create new entities on allocated resources
- Automatic security context propagation to maintain application security context
34. Hierarchical Domains
- A logical way to group entities that have the same security needs.
- Domains are Security Entities
- are hierarchical
- enforce policies to contained security entities