Access Control in Grid Computing Environments

By By Jason Hogg, Program Manager, and Blair Dillaway, Software Architect, Microsoft Corp.

May 7, 2007

Large-scale grid computing environments are complicated, involving many users, data and computational resources, network channels and administrative domains. This complexity makes it hard, if not impossible, to describe all of the entities and relationships required to provide access control using existing approaches which lack formal mechanisms for describing and evaluating security policies. To date, there has not been a simple, flexible language available to navigate these complex security issues associated with distributed computing environments.

Microsoft has recently focused on this problem and developed a solution called the Security Policy Assertion Language (SecPAL). The project — undertaken by the advanced technology incubation group of Microsoft’s Chief Research and Strategy Officer and Microsoft Research Cambridge — resulted in a declarative, logic-based language providing comprehensive support for:

  • Describing  trust relationships both within and across organizational boundaries.
  • Expressing principal identities and attributes capable of being authenticated.
  • Creating  access policies which help describe the desired access to a variety of services and resources.
  • Controlling delegation of rights, allowing one principal to allow another to exercise a subset of their rights in a specific context.
  • Expressing audit policies which can capture critical security decisions and support forensic analysis.

To help demonstrate the unique SecPAL approach and the capabilities above, we have outlined a simple use-case below in which we describe the policies necessary to allow a user from within a virtual organization (called Research Grid VO) to submit grid jobs to a computational cluster in an external organization (called the Center for High-Performance Computing). The scenario is illustrated in Figure 1.

Figure 1
Figure 1: Example multi-organizational scenario 

A fundamental concept within SecPAL is the security assertion, a statement made by a principal that may: define a binding between a principal and an attribute; specify a principal’s permissions to operate on a resource; express a trust or delegation policy; express an authorization policy; revoke a prior assertion; or declare principal identifier alias relationships.

In our example, the Master Scheduler could establish a trust-relationship directly with our end-user Bob. However, this interaction quickly becomes unmanageable for any sizable environment. Rather, the common practice is for CHPC to establish a trust relationship with an authority, such as the Research Grid Security Token Service (STS), responsible for certifying grid users.

Example 1 illustrates such a policy whereby the CHPC administrator expresses that he trusts the VO-ResearchGrid-STS to make assertions about the grid’s users. In this case, he trusts the STS to identify grid users and their rfc822 email names (certifying those are true for up to one year). Here, we use a SecPAL simplified English grammar for readability. The Microsoft implementation also supports serializing such policies as XML for cross-platform interoperability.

CHPCAdmin says VO-ReseachGrid-STS can say %p possesses %a (from %t1 until %t2) where

       %t2 – %t1 <= "366.00:00:00",
       %t1 <= CurrentTime() <= %t2,
       %a matches rfc822Name:”.*@contoso.edu”

Example 1: Policy establishing a trust relationship between CHPC and the Research Grid Virtual Organization

This policy includes variables, another important concept within SecPAL. Variables are substituted for concrete values at policy evaluation time. In this policy, variable “%a” represents an attribute which must match the given rfc822 e-mail name pattern, the %p variable represents any principal, and the variables %t1 and %t2 represent date-time values which are constrained to represent a time-span of no more than 366 days.

The CHPC master scheduler would have a local authorization policy controlling who may use the job management services. This typically will rely on the organizational trust policy because the scheduler service administrator typically won’t be responsible for cross-organizational relationships. Given the above trust policy, the scheduler administrator could write the local authorization policy to restrict access based on the rfc822 names of principal’s requesting use of the job management services. It would only believe such names if they are certified by an authority trusted by the CHPC  administrator. For example, if only users with rfc822 names in the contoso.edu domain are authorized, the policy would look like:

CHPCAdmin says %p can execute service:”http://www.chpc.org/scheduleJob” if

       %p possesses %a
 where
       %a matches rfc822Name:” .*@contoso.edu “

Example 2: Policy restricting access to the job scheduler

For our user Bob to schedule a job, he first needs to obtain an identity token from the Research Grid STS, which contains his e-mail name. This might require he authenticate using a Contoso-supplied authentication credential (such as an X.509 certificate, Kerberos token or SAML token), which is accepted by grid services. The grid token obtained from the STS would contain the assertion:

VO-ReseachGrid-STS says Bob possesses rfc822Name:”[email protected]
        (from “2007-01-01” until “2007-12-31”)

Example 3: SecPAL token used by Bob for authentication

Now Bob can submit a request to initiate a job on the CHPC cluster by sending an authenticated message containing his SecPAL token along with the job information needed by the CHPC master scheduler. The scheduler can then formulate a SecPAL query similar to that shown in Example 4, which would evaluate Bob’s credentials against the CHPC security policies, thus allowing the scheduler to allow Bob’s job to be scheduled.

CHPCAdmin can execute service:”http://www.chpc.org/scheduleJob”?

Example 4: Authorization Query generated by CHPC Scheduler to verify access rights

Bob also can take advantage of SecPAL to formulate a delegation of his rights to access a data file on a server at Birch University, where the job data may reside. For example, the right for the master scheduler to delegate the right to read “jobData” can be expressed as the first policy in Example 5, which Bob can supply with his job request. The scheduler can then delegate that specific access to the job when it’s run as in the second assertions. The file service at Birch University can then use the second assertion in Example 5 to authorize Bob-Job to read the file because it can deduce Bob has authorized the delegation of this right.

Bob says Scheduler can say %p read file://BirchFileShare/jobData (from %t1` tio %t2) if %t2-%t1<5 days Scheduler says Bob-Job read file://BirchFileShare/jobData [from 2007-04- 28 to 2007-05-01]?

Example 5: Simple delegation of a single user access right

This example demonstrates some of the power and flexibility of SecPAL to address important grid security needs in a straightforward manner. Independent assessment and experimentation is now an important next step in SecPAL’s development to ensure it will meet the industry’s needs for a flexible, robust and high-assurance security solution. Professors Martin Humphrey of the University of Virginia and Panos Periorellis of University of Newcastle Upon Tyne (England) have begun investigating the benefits of SecPAL. Initial results indicate SecPAL enables a fine-grained, dynamic and delegation-aware mechanism capable of easily coping across organizations with a wide variety of different security policies, and further enabling increased interoperability in distributed computing environments.

Microsoft is now making its implementation available to other researchers to experiment with the SecPAL approach to addressing grid security requirements. Researchers interested in evaluating SecPAL can go to http://research.microsoft.com/projects/secpal for more project information. The .NET implementation, sample code for a number of common authorization patterns and community site facilitating discussions about the use of SecPAL can be found at www.codeplex.com/secpal. Microsoft hopes to collaborate with grid computing communities to develop a viable and comprehensive security solution for grid computing that promotes continued interoperability.

Subscribe to HPCwire's Weekly Update!

Be the most informed person in the room! Stay ahead of the tech trends with industry updates delivered to you every week!

MLPerf Inference 4.0 Results Showcase GenAI; Nvidia Still Dominates

March 28, 2024

There were no startling surprises in the latest MLPerf Inference benchmark (4.0) results released yesterday. Two new workloads — Llama 2 and Stable Diffusion XL — were added to the benchmark suite as MLPerf continues Read more…

Q&A with Nvidia’s Chief of DGX Systems on the DGX-GB200 Rack-scale System

March 27, 2024

Pictures of Nvidia's new flagship mega-server, the DGX GB200, on the GTC show floor got favorable reactions on social media for the sheer amount of computing power it brings to artificial intelligence.  Nvidia's DGX Read more…

Call for Participation in Workshop on Potential NSF CISE Quantum Initiative

March 26, 2024

Editor’s Note: Next month there will be a workshop to discuss what a quantum initiative led by NSF’s Computer, Information Science and Engineering (CISE) directorate could entail. The details are posted below in a Ca Read more…

Waseda U. Researchers Reports New Quantum Algorithm for Speeding Optimization

March 25, 2024

Optimization problems cover a wide range of applications and are often cited as good candidates for quantum computing. However, the execution time for constrained combinatorial optimization applications on quantum device Read more…

NVLink: Faster Interconnects and Switches to Help Relieve Data Bottlenecks

March 25, 2024

Nvidia’s new Blackwell architecture may have stolen the show this week at the GPU Technology Conference in San Jose, California. But an emerging bottleneck at the network layer threatens to make bigger and brawnier pro Read more…

Who is David Blackwell?

March 22, 2024

During GTC24, co-founder and president of NVIDIA Jensen Huang unveiled the Blackwell GPU. This GPU itself is heavily optimized for AI work, boasting 192GB of HBM3E memory as well as the the ability to train 1 trillion pa Read more…

MLPerf Inference 4.0 Results Showcase GenAI; Nvidia Still Dominates

March 28, 2024

There were no startling surprises in the latest MLPerf Inference benchmark (4.0) results released yesterday. Two new workloads — Llama 2 and Stable Diffusion Read more…

Q&A with Nvidia’s Chief of DGX Systems on the DGX-GB200 Rack-scale System

March 27, 2024

Pictures of Nvidia's new flagship mega-server, the DGX GB200, on the GTC show floor got favorable reactions on social media for the sheer amount of computing po Read more…

NVLink: Faster Interconnects and Switches to Help Relieve Data Bottlenecks

March 25, 2024

Nvidia’s new Blackwell architecture may have stolen the show this week at the GPU Technology Conference in San Jose, California. But an emerging bottleneck at Read more…

Who is David Blackwell?

March 22, 2024

During GTC24, co-founder and president of NVIDIA Jensen Huang unveiled the Blackwell GPU. This GPU itself is heavily optimized for AI work, boasting 192GB of HB Read more…

Nvidia Looks to Accelerate GenAI Adoption with NIM

March 19, 2024

Today at the GPU Technology Conference, Nvidia launched a new offering aimed at helping customers quickly deploy their generative AI applications in a secure, s Read more…

The Generative AI Future Is Now, Nvidia’s Huang Says

March 19, 2024

We are in the early days of a transformative shift in how business gets done thanks to the advent of generative AI, according to Nvidia CEO and cofounder Jensen Read more…

Nvidia’s New Blackwell GPU Can Train AI Models with Trillions of Parameters

March 18, 2024

Nvidia's latest and fastest GPU, codenamed Blackwell, is here and will underpin the company's AI plans this year. The chip offers performance improvements from Read more…

Nvidia Showcases Quantum Cloud, Expanding Quantum Portfolio at GTC24

March 18, 2024

Nvidia’s barrage of quantum news at GTC24 this week includes new products, signature collaborations, and a new Nvidia Quantum Cloud for quantum developers. Wh Read more…

Alibaba Shuts Down its Quantum Computing Effort

November 30, 2023

In case you missed it, China’s e-commerce giant Alibaba has shut down its quantum computing research effort. It’s not entirely clear what drove the change. Read more…

Nvidia H100: Are 550,000 GPUs Enough for This Year?

August 17, 2023

The GPU Squeeze continues to place a premium on Nvidia H100 GPUs. In a recent Financial Times article, Nvidia reports that it expects to ship 550,000 of its lat Read more…

Shutterstock 1285747942

AMD’s Horsepower-packed MI300X GPU Beats Nvidia’s Upcoming H200

December 7, 2023

AMD and Nvidia are locked in an AI performance battle – much like the gaming GPU performance clash the companies have waged for decades. AMD has claimed it Read more…

DoD Takes a Long View of Quantum Computing

December 19, 2023

Given the large sums tied to expensive weapon systems – think $100-million-plus per F-35 fighter – it’s easy to forget the U.S. Department of Defense is a Read more…

Synopsys Eats Ansys: Does HPC Get Indigestion?

February 8, 2024

Recently, it was announced that Synopsys is buying HPC tool developer Ansys. Started in Pittsburgh, Pa., in 1970 as Swanson Analysis Systems, Inc. (SASI) by John Swanson (and eventually renamed), Ansys serves the CAE (Computer Aided Engineering)/multiphysics engineering simulation market. Read more…

Choosing the Right GPU for LLM Inference and Training

December 11, 2023

Accelerating the training and inference processes of deep learning models is crucial for unleashing their true potential and NVIDIA GPUs have emerged as a game- Read more…

Intel’s Server and PC Chip Development Will Blur After 2025

January 15, 2024

Intel's dealing with much more than chip rivals breathing down its neck; it is simultaneously integrating a bevy of new technologies such as chiplets, artificia Read more…

Baidu Exits Quantum, Closely Following Alibaba’s Earlier Move

January 5, 2024

Reuters reported this week that Baidu, China’s giant e-commerce and services provider, is exiting the quantum computing development arena. Reuters reported � Read more…

Leading Solution Providers

Contributors

Comparing NVIDIA A100 and NVIDIA L40S: Which GPU is Ideal for AI and Graphics-Intensive Workloads?

October 30, 2023

With long lead times for the NVIDIA H100 and A100 GPUs, many organizations are looking at the new NVIDIA L40S GPU, which it’s a new GPU optimized for AI and g Read more…

Shutterstock 1179408610

Google Addresses the Mysteries of Its Hypercomputer 

December 28, 2023

When Google launched its Hypercomputer earlier this month (December 2023), the first reaction was, "Say what?" It turns out that the Hypercomputer is Google's t Read more…

AMD MI3000A

How AMD May Get Across the CUDA Moat

October 5, 2023

When discussing GenAI, the term "GPU" almost always enters the conversation and the topic often moves toward performance and access. Interestingly, the word "GPU" is assumed to mean "Nvidia" products. (As an aside, the popular Nvidia hardware used in GenAI are not technically... Read more…

Shutterstock 1606064203

Meta’s Zuckerberg Puts Its AI Future in the Hands of 600,000 GPUs

January 25, 2024

In under two minutes, Meta's CEO, Mark Zuckerberg, laid out the company's AI plans, which included a plan to build an artificial intelligence system with the eq Read more…

Google Introduces ‘Hypercomputer’ to Its AI Infrastructure

December 11, 2023

Google ran out of monikers to describe its new AI system released on December 7. Supercomputer perhaps wasn't an apt description, so it settled on Hypercomputer Read more…

China Is All In on a RISC-V Future

January 8, 2024

The state of RISC-V in China was discussed in a recent report released by the Jamestown Foundation, a Washington, D.C.-based think tank. The report, entitled "E Read more…

Intel Won’t Have a Xeon Max Chip with New Emerald Rapids CPU

December 14, 2023

As expected, Intel officially announced its 5th generation Xeon server chips codenamed Emerald Rapids at an event in New York City, where the focus was really o Read more…

IBM Quantum Summit: Two New QPUs, Upgraded Qiskit, 10-year Roadmap and More

December 4, 2023

IBM kicks off its annual Quantum Summit today and will announce a broad range of advances including its much-anticipated 1121-qubit Condor QPU, a smaller 133-qu Read more…

  • arrow
  • Click Here for More Headlines
  • arrow
HPCwire