Access Control in Grid Computing Environments

By Jason Hogg, Program Manager, and Blair Dillaway, Software Architect, Microsoft Corp.

May 7, 2007

Large-scale grid computing environments are complicated, involving many users, data and computational resources, network channels and administrative domains. This complexity makes it hard, if not impossible, to describe all of the entities and relationships required to provide access control using existing approaches which lack formal mechanisms for describing and evaluating security policies. To date, there has not been a simple, flexible language available to navigate these complex security issues associated with distributed computing environments.

Microsoft has recently focused on this problem and developed a solution called the Security Policy Assertion Language (SecPAL). The project — undertaken by the advanced technology incubation group of Microsoft’s Chief Research and Strategy Officer and Microsoft Research Cambridge — resulted in a declarative, logic-based language providing comprehensive support for:

  • Describing trust relationships both within and across organizational boundaries.
  • Expressing principal identities and attributes capable of being authenticated.
  • Creating access policies which help describe the desired access to a variety of services and resources.
  • Controlling delegation of rights, allowing one principal to allow another to exercise a subset of their rights in a specific context.
  • Expressing audit policies which can capture critical security decisions and support forensic analysis.

To help demonstrate the unique SecPAL approach and the capabilities above, we have outlined a simple use-case below in which we describe the policies necessary to allow a user from within a virtual organization (called Research Grid VO) to submit grid jobs to a computational cluster in an external organization (called the Center for High-Performance Computing). The scenario is illustrated in Figure 1.

Figure 1: Example multi-organizational scenario

A fundamental concept within SecPAL is the security assertion, a statement made by a principal that may: define a binding between a principal and an attribute; specify a principal’s permissions to operate on a resource; express a trust or delegation policy; express an authorization policy; revoke a prior assertion; or declare principal identifier alias relationships.

In our example, the Master Scheduler could establish a trust relationship directly with our end user Bob. However, this interaction quickly becomes unmanageable for any sizable environment. Rather, the common practice is for CHPC to establish a trust relationship with an authority, such as the Research Grid Security Token Service (STS), responsible for certifying grid users.

Example 1 illustrates such a policy whereby the CHPC administrator expresses that he trusts the VO-ResearchGrid-STS to make assertions about the grid’s users. In this case, he trusts the STS to identify grid users and their rfc822 email names (certifying those are true for up to one year). Here, we use a SecPAL simplified English grammar for readability. The Microsoft implementation also supports serializing such policies as XML for cross-platform interoperability.

CHPCAdmin says VO-ResearchGrid-STS can say %p possesses %a (from %t1 until %t2) where

       %t2 - %t1 <= "366.00:00:00",
       %t1 <= CurrentTime() <= %t2,
       %a matches rfc822Name:".*@contoso.edu"

Example 1: Policy establishing a trust relationship between CHPC and the Research Grid Virtual Organization

This policy includes variables, another important concept within SecPAL. Variables are substituted for concrete values at policy evaluation time. In this policy, variable “%a” represents an attribute which must match the given rfc822 e-mail name pattern, the %p variable represents any principal, and the variables %t1 and %t2 represent date-time values which are constrained to represent a time-span of no more than 366 days.

The CHPC master scheduler would have a local authorization policy controlling who may use the job management services. This typically relies on the organizational trust policy, because the scheduler service administrator usually is not responsible for cross-organizational relationships. Given the above trust policy, the scheduler administrator could write the local authorization policy to restrict access based on the rfc822 names of the principals requesting use of the job management services. It would only believe such names if they are certified by an authority trusted by the CHPC administrator. For example, if only users with rfc822 names in the contoso.edu domain are authorized, the policy would look like:

CHPCAdmin says %p can execute service:"http://www.chpc.org/scheduleJob" if

       %p possesses %a
where
       %a matches rfc822Name:".*@contoso.edu"

Example 2: Policy restricting access to the job scheduler

For our user Bob to schedule a job, he first needs to obtain an identity token from the Research Grid STS, which contains his e-mail name. This might require him to authenticate using a Contoso-supplied authentication credential (such as an X.509 certificate, Kerberos token or SAML token) that is accepted by grid services. The grid token obtained from the STS would contain the assertion:

VO-ResearchGrid-STS says Bob possesses rfc822Name:"[email protected]"
        (from "2007-01-01" until "2007-12-31")

Example 3: SecPAL token used by Bob for authentication

Now Bob can submit a request to initiate a job on the CHPC cluster by sending an authenticated message containing his SecPAL token along with the job information needed by the CHPC master scheduler. The scheduler can then formulate a SecPAL query similar to that shown in Example 4, which evaluates Bob’s credentials against the CHPC security policies and so lets the scheduler decide whether Bob’s job may be scheduled.

CHPCAdmin can execute service:"http://www.chpc.org/scheduleJob"?

Example 4: Authorization Query generated by CHPC Scheduler to verify access rights

Bob also can take advantage of SecPAL to formulate a delegation of his rights to access a data file on a server at Birch University, where the job data may reside. For example, the right for the master scheduler to delegate the right to read “jobData” can be expressed as the first assertion in Example 5, which Bob can supply with his job request. The scheduler can then delegate that specific access to the job when it is run, as in the second assertion. The file service at Birch University can then use the second assertion in Example 5 to authorize Bob-Job to read the file, because it can deduce that Bob has authorized the delegation of this right.

Bob says Scheduler can say %p read file://BirchFileShare/jobData (from %t1 until %t2) if %t2 - %t1 < 5 days

Scheduler says Bob-Job read file://BirchFileShare/jobData (from 2007-04-28 until 2007-05-01)

Example 5: Simple delegation of a single user access right

This example demonstrates some of the power and flexibility of SecPAL to address important grid security needs in a straightforward manner. Independent assessment and experimentation are now an important next step in SecPAL’s development to ensure it will meet the industry’s needs for a flexible, robust and high-assurance security solution. Professors Martin Humphrey of the University of Virginia and Panos Periorellis of the University of Newcastle upon Tyne (England) have begun investigating the benefits of SecPAL. Initial results indicate that SecPAL enables a fine-grained, dynamic and delegation-aware mechanism capable of easily coping across organizations with a wide variety of different security policies, and further enables increased interoperability in distributed computing environments.

Microsoft is now making its implementation available to other researchers to experiment with the SecPAL approach to addressing grid security requirements. Researchers interested in evaluating SecPAL can go to http://research.microsoft.com/projects/secpal for more project information. The .NET implementation, sample code for a number of common authorization patterns and community site facilitating discussions about the use of SecPAL can be found at www.codeplex.com/secpal. Microsoft hopes to collaborate with grid computing communities to develop a viable and comprehensive security solution for grid computing that promotes continued interoperability.
