A Security Architecture for Computational Grids*Ian Foster* Carl Kessekan2 Gene Tsudik2 Steven Tueckel1 Mathematics and Computer Science2 hformation Sciences hstituteArgonne National LaboratoryUniversity of Southern CAforniaArgonne, IL 60439Marina del Rey, CA 90292{foster,tuecke} @mcs.anl.gov~ {carl,gts}@isi.eduAbstractState-of-the-art and emerging scientific applications requirefast access to large quantities of data and commensuratelyfast computational resources. Both resources and data areoflen distributed in a wide-area network with componentsadministered locally and independently. Computations mayinvolve hundreds of processes that must be able to acquire re-sources dynamically and communicate efficiently. This pa-per analyzes the unique security requirements of large-scaledistributed (grid) computing and develops a security policyand a corresponding security architecture. An implemen-tation of the architecture within the Globus metacomputingtoolkit is discussed.1 IntroductionLarge-scale distributed computing environments, or ‘com-putationfl grids” as they are sometties termed [4], cou-ple computers, storage systems, and other devices to enableadvanced apphcations such as distnbut ed supercomputirtg,teleimmersion, computer-enhanced instruments, and d~tri-buted data mining [2]. Grid applications are distinguishedfromtraditiond chent-server apphcations by their simulta-neous use of large numbers of r=ources, dynamic resourcerequirements, use of resources from mdtiple administrativedomains, complex communication structures, and stringentperformance requirements, among others.WMe scdabtity, performance and heterogeneity are desirable go~ for any distributed system, the characteristicsof comput ationd grids lead to security problems that are notthat collectively span many administrative domains. Fur-thermore, the dynamic nature of the grid can make it iru-possible to =tabkh trust relationships between sites priorto apphcation execution. Fmdy, the interdomaiu securitysolutions used for grids must be able to irtteroperate with,rather than replace, the diverse intradomti accms controltechnologies inevitably encountered in individud domains.In this paper, we describe new techniques that overcomemany of the cited Mculties. We propose a security pol-icy for grid systems that tidresses requirements for singlesign-on, interoperabfity with local pohcies, and dyttarnicflyvarying resource requirements. This pohcy focuses on au-thentication of users, resources, and processes and supportsuser-t~resource, resourc~t ~ttser, process-t-resource, andproces%t~process authentication. We &o describe a se-curity architecture and associated protocok that implementthis pohcy. Fittdy, we present a concrete implementation ofthis architecture and discuss our experiences deploying thisarchitecture on a large grid testbed spanning a diverse col-lection of resources at some 20 sites around the world. ThEimplement ation is performed in the centext of the Globussystem [5], which provides a tooMt, testbed, and set of apphcations that can be used to evaluate our approach. How-ever, we betieve that the proposed techniques are generalenough to make them apphcable outside the Globus con-text.In summary, this paper makes four contributions to ourunderstandirtg of distributed system security:1. it provides au in-depth analysis of the security problemin comput ationd grid systems and app~cations;addres~ed by eti~ig security tech~o~ogies for distributedsystems. For example, par~el computations that acquire2. it includes the first dettied formation of a securitypoticy for grid systems;mdtiple computational resources introduce the need to e-tabkh security relationships not simply between a chent3. it proposes solutions to specific techrticd issues raisedand a server, but among potentifly hundreds of processes by this poEcy, including Iocd heterogeneity and scd-● This work was supported in part by the Mathematical, Inform a-abfity; andtion, and Computational Sciences Division subpro~ of the Officeof Computational and Technology -search, U.S. Department of En-4. it d=cribes a security architecture that uses these s~erg, under Contract \V-31-l 09-Eng-38; by the Defense Advanced Wlutions to implement the security pohcy, and it demon-search Projects fl.gency under contract N66001-9&G852~ and by theNational Science Foundation.strates - via larg~scde deployment - that th~ archi-tecture is workable.Permission[clmakedigitalorhardcopiesof allorpartof thisworkforpersonalorclassroomuseisgranted~vithoutfeeprovidedthatcopies2 The Grid Security Problemarenotmadeordistributedforprofitorcommercialadvantageandthatcopiesbearthisnoticeandthefullcitationonthefirstpage.TocopyWe introduce the grid security problem with au exampleothen~,ise.torepublish,topostonsemersortoredistributetolists,tiustrated in Figure 1. This example, although somewhatrequirespriorspecificpermissionantiorafee.contrived, captures import ant elements of red apphcations,jth Conferenceon Computer& CommunicationsSecuritySanFranciscoCA USAsuch as those discussed in Chapters 2-5 of [4].Copfight ACM199S1-581134074/98/1 1...S5.0083--—..-.sin~e, ffly connected logical entity, Iow-levd commu-nication connections (e.g., TCP/IP sockets) may becreated and destroyed dynamicdy during program ex-ecution.Resources may require Merent authentication and au-thorization mechanisms and pohcies, which we @have Wted abtity to change. In Figure 1, we indi-cate this situation by showing the local access controlpohcies that apply at the Merent sites. These includeKerberos, plaintext passwords, Secure Socket Library(SSL), and secure sh&.An individual user@ be associated with Merent lG●I.-&d@ .,..........’...........‘ k-”~”,.....-..........,....,.-.....— .. ....”’...●cd name spaces, credenti&, or accounts, at differentsites, for the purposes of accounting and access con-trol. At some sites, a user may have a regtiar account(“ap~ ‘physicist: etc.). At others, the user may usea dynamicdy assigned guest account or simply an ac-count created for the cotiaboration.Resources and users may be located in Merent coun-tries.To summatie, the problem we face is providing securitysolutions that can flow computations, such as the one justdescribed, to coordinate diverse access control pohcies andto operate securely in heterogeneous environments.●Figure 1: ExamDle of a lar~escde distributed commutation:us~rinitiates a ~omputatio~ that accesses data and-comput-ing resourc= at