xrootd Proxies
Andrew Hanushevsky (SLAC)
Middleware Security Group Meeting
5-6 June 2006
http://xrootd.slac.stanford.edu
xrootd is largely funded by the US Department of Energy
Contract DE-AC02-76SF00515 with Stanford University
Outline
xrootd Architecture Overview
Terms and Concepts
Clustering

Proxies
Single and double firewalls
Proxy clusters for scalability

Security transformations
Conclusions & Acknowledgements
MWSG 5-6 June 2006

2: http://xrootd.slac.stanford.edu
xrootd Plugin Architecture
[Diagram: xrootd plugin layers]
authentication (gsi, krb5, etc)
Protocol Driver (XRD)
Protocol (1 of n) (xrootd)
lfn2pfn prefix encoding
authorization (name based)
File System (ofs, sfs, alice, etc)
Storage System (oss, drm/srm, etc)
Clustering (olbd)
Acronyms, Entities & Relationships
[Diagram: xrootd and olbd entities on two networks]
Control Network: Managers, Supervisors & Servers (resource info, file location)
Data Network: redirectors steer clients to data; data servers provide data
Redirectors: olbd (M), xrootd (ctl)
Data Servers: olbd (S), xrootd (data)
Data Clients
Cluster Architecture
A manager is an optionally replicated xrootd/olbd pair functioning as a root node
Up to 64 servers or cells can connect to a manager
A server is an xrootd/olbd pair leaf node that delivers data
A cell is 1-to-64 entities (servers or cells) clustered around a cell manager called a supervisor
Single Level Switch
[Diagram: Client, Redirector (Head Node), and Data Servers A, B, C forming a Cluster]
Messages: open file X; Who has file X?; I have; go to C; open file X
Redirectors cache file location; 2nd open X: go to C
Client sees all servers as xrootd data servers
Two Level Switch
[Diagram: Client, Redirector (Head Node), Data Servers A, B, C, Supervisor (sub-redirector), and D, E, F forming a Cluster]
Messages: open file X; Who has file X?; I have; go to C; open file X; go to F; open file X
Client sees all servers as xrootd data servers
SLAC Configuration
[Diagram: hosts kan01, kan02, kan03, kan04, kanxx, bbr-olb03, bbr-olb04, kanolb-a, and client machines]
Extending Access
Easy clustered local access
Everyone sees everyone
Simple configuration
Low human overhead to maintain

Remote access
Difficult because of connection constraints
Want to make it humanly administrable
Critical to minimize cross-domain knowledge

Utilize the peer-to-peer nature of xrootd
Proxies I (single firewall)
[Diagram: client machines, proxy xrootd, Firewall, olbd, and data01, data02, data03, data04, with steps numbered 1 to 3; site labels IN2P3 and INDRA]
Scaling Proxies
Need to provide more than one proxy
Selection criteria for proxies?

Utilize natural xrootd clustering
Create proxy clusters
Automatically load balance
No practical limit on number

Proxy Clusters (single firewall)
[Diagram: client machines, Firewall, proxy manager xrootd, proxy server xrootd, two olbd instances, and data01, data02, data03, data04, with steps numbered 1 to 5]
Dealing With Lockdowns
Double Firewalls
Reality sets in.
Incoming and outgoing traffic limited

Utilize peer-to-peer nature of xrootd
Maintains practical simplicity

Alternative not particularly appealing
Application controlled firewall
LBL and ANL models for gridFTP.

Could use xrootd’s for this as well, though.
Proxies II (double firewall, simplified)
[Diagram: client machines, local proxy xrootd, Firewalls, remote proxy xrootd, olbd, and data01, data02, data03, data04, with steps numbered 1 to 4]
N-to-M Authentication issues
Clusters of proxies on each side
Random server-server connections
Authentication key management issues
Complex because of size and interactions
Would like to simplify key distribution

Use a security transformation
GSI to global session key

Scalable Proxy Security
[Diagram: SLAC PROXY and RAL PROXY, each with its Data Servers; arrows numbered 1 to 3 as listed below]
1 Authenticate & develop session key
2 Distribute session key to authenticated subscribers
3 Servers can log into each other using session key
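
The three numbered steps above, sketched as an added example (not code from the talk or from xrootd). Step 1 is assumed to have already happened; the HMAC-SHA256 challenge-response, the class names and the host names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _tag(key, prover, verifier, nonce):
    """HMAC over length-prefixed fields so names and nonce cannot be confused."""
    fields = [prover.encode(), verifier.encode(), nonce]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class SessionKeyAuthority:
    """Stands in for the two site proxies once step 1 is complete.

    Assumption: the proxies authenticated each other (GSI on the slide) and
    agreed on one random session key; that exchange is not modelled here.
    """

    def __init__(self, authenticated_subscribers):
        self.session_key = secrets.token_bytes(32)
        self._subscribers = frozenset(authenticated_subscribers)

    def distribute(self, server):
        """Step 2: give the key only to servers that authenticated to a proxy."""
        if server.name not in self._subscribers:
            return False
        server.session_key = self.session_key
        return True


class DataServer:
    def __init__(self, name):
        self.name = name
        self.session_key = None
        self._pending = {}  # peer name -> nonce we are waiting on

    def challenge(self, peer_name):
        nonce = secrets.token_bytes(16)
        self._pending[peer_name] = nonce
        return nonce

    def respond(self, verifier_name, nonce):
        """Prove knowledge of the session key; empty reply if we hold none."""
        if self.session_key is None:
            return b""
        return _tag(self.session_key, self.name, verifier_name, nonce)

    def verify(self, peer_name, response):
        """Step 3: accept a peer whose reply matches; each nonce is single-use."""
        nonce = self._pending.pop(peer_name, None)
        if nonce is None or self.session_key is None:
            return False
        expected = _tag(self.session_key, peer_name, self.name, nonce)
        return hmac.compare_digest(expected, response)


def login(prover, verifier):
    nonce = verifier.challenge(prover.name)
    return verifier.verify(prover.name, prover.respond(verifier.name, nonce))


def demo():
    # Constructed host names; three servers on one side, two on the other.
    slac = [DataServer(f"slac-data{i:02d}") for i in range(1, 4)]
    ral = [DataServer(f"ral-data{i:02d}") for i in range(1, 3)]
    outsider = DataServer("unknown-host")  # never authenticated to a proxy

    authority = SessionKeyAuthority(s.name for s in slac + ral)
    delivered = [authority.distribute(s) for s in slac + ral + [outsider]]

    # Any of the N servers can log into any of the M servers with one key.
    cross_site = sum(login(a, b) for a in slac for b in ral)

    # A captured reply is useless once its nonce has been consumed.
    nonce = ral[0].challenge(slac[0].name)
    reply = slac[0].respond(ral[0].name, nonce)
    first_use = ral[0].verify(slac[0].name, reply)
    replay = ral[0].verify(slac[0].name, reply)

    return {
        "delivered": delivered,
        "cross_site_logins": cross_site,
        "outsider_login": login(outsider, ral[0]),
        "first_use": first_use,
        "replay": replay,
    }


if __name__ == "__main__":
    print(demo())
```

One shared key replaces per-pair credentials, so the cost of that simplicity is that every subscriber holds the same secret and the key must be rotated when any one of them is removed.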
Extending Security Transforms
xrootd protocol allows security transforms
Redirect can pass along a CGI string
Anyone can redirect!
No practical redirect limit.

Allows security framework substitutions
Minimizes GSI intra-cluster overhead

Security Transforms
[Diagram: client machines, GSI “proxy” xrootd, x-auth xrootd, olbd, and data01, data02, data03, data04, with steps numbered 1 to 4]
Conclusion
xrootd has a security enabling architecture
Protocol was designed with security in mind
Accommodates security transforms
Server-to-server
Client-server

Very easy to administer
Critical for maintaining security

Acknowledgements
Software collaborators
INFN/Padova: Fabrizio Furano, Alvise Dorigao
Root: Fons Rademakers, Gerri Ganis
Alice: Derek Feichtinger, Guenter Kickinger, Andreas Peters
Cornell: Gregory Sharp
SLAC: Jacek Becla, Tofigh Azemoon, Wilko Kroeger, Bill Weeks
Princeton: Pete Elmer

Operational collaborators
BNL, CNAF, FZK, INFN, IN2P3, RAL, SLAC
