21-25 May 2012
New York City, NY, USA
US/Eastern timezone

Certified Grid Job Submission in the ALICE Grid Services

22 May 2012, 13:30
4h 45m
Rosenthal Pavilion (10th floor) (Kimmel Center)

Rosenthal Pavilion (10th floor)

Kimmel Center

Poster Distributed Processing and Analysis on Grids and Clouds (track 3) Poster Session

Speaker

Mr Steffen Schreiner (CERN, CASED/TU Darmstadt)

Description

Grid computing infrastructures need to provide traceability and accounting of their users’ activity and protection against misuse and privilege escalation, where the delegation of privileges in the course of a job submission is a key concern. This work describes an improved handling of multi-user Grid jobs in the ALICE Grid Services. A security analysis of the ALICE Grid job model is presented with derived security objectives, followed by a discussion of existing approaches of unrestricted delegation based on X.509 proxy certificates and the Grid middleware gLExec. Unrestricted delegation has severe security consequences and limitations, most importantly allowing for identity theft and forgery of jobs and data. These limitations are discussed and formulated, both in general and with respect to an adoption in line with multi-user Grid jobs. A new general model of mediated definite delegation is developed and formulated, allowing a broker to assign context-sensitive user privileges to agents while providing strong accountability and long-term traceability. A prototype implementation allowing for certified Grid jobs is presented including a potential interaction with gLExec. The achieved improvements regarding system security, malicious job exploitation, identity protection, and accountability are emphasized, followed by a discussion of non-repudiation in the face of malicious Grid jobs.

Summary

This contribution will demonstrate an in-depth security analysis and discussion of proxy certificate based authentication and authorization of multi-user pilot jobs and present a new model of delegation as a proposed solution. The model's implementation in a prototype and its performance testing will be shown as a proof of concept.

Primary author

Mr Steffen Schreiner (CERN, CASED/TU Darmstadt)

Co-authors

Presentation Materials