SlideShare a Scribd company logo

Xrootd proxies Andrew Hanushevsky

Information Security Awareness Group
Information Security Awareness Group

Andrew Hanushevsky gave a presentation on using xrootd proxies to provide scalable and secure remote access to data. Proxies allow clients outside a firewall to access data servers behind the firewall. Proxy clusters provide load balancing and redundancy. Authentication between proxies and servers can be handled through a security transformation that establishes a shared session key. This simplifies key management in large clustered systems and allows access across multiple firewalls. xrootd was designed with security in mind through features like support for security transforms and easy administration of clustered proxies.

Technology
1 of 20
Download to read offline
xrootd Proxies Andrew Hanushevsky (SLAC) Middleware Security Group Meeting 5-6 June 2006 http://xrootd.slac.stanford.edu xrootd is largely funded by the US Department of Energy Contract DE-AC02-76SF00515 with Stanford University
Outline xrootd Architecture Overview Terms and Concepts Clustering Proxies Single and double firewalls Proxy clusters for scalability Security transformations Conclusions & Acknowledgements MWSG 5-6 June 2006 2: http://xrootd.slac.stanford.edu
xrootd Plugin Architecture authentication (gsi, krb5, etc) Protocol Driver (XRD) Protocol (1 of n) (xrootd) lfn2pfn prefix encoding authorization (name based) File System Storage System (ofs, sfs, alice, etc) (oss, drm/srm, etc) Clustering (olbd) MWSG 5-6 June 2006 3: http://xrootd.slac.stanford.edu
Acronyms, Entities & Relationships xrootd olbd Control Network Managers, Supervisors & Servers (resource info, file location) Redirectors olbd M Data Network (redirectors steer clients to data Data servers provide data) ctl xrootd Data Clients MWSG 5-6 June 2006 olbd S data xrootd Data Servers 4: http://xrootd.slac.stanford.edu
Cluster Architecture A manager is an optionally replicated xrootd/olbd pair functioning as a root node Up to 64 servers or cells can connect to a manager Server A server is an xrootd/olbd pair leaf node that delivers data A cell is 1-to-64 entities (servers or cells) clustered around a cell manager called a supervisor MWSG 5-6 June 2006 5: http://xrootd.slac.stanford.edu
Single Level Switch A open file X Redirectors Cache file location 2nd open X go to C open f ile X Client Who has file X? go to C Redirector (Head Node) I ha B ve C Data Servers Cluster Client sees all servers as xrootd data servers MWSG 5-6 June 2006 6: http://xrootd.slac.stanford.edu
Two Level Switch Client oh Wh open file X open file X go to C X? (Head Node) go to F A Data Servers I ha Redirector open file X ile as f B ve ? ile X sf o ha ve Wh I ha C Supervisor I ha (sub-redirector) D E ve F Cluster Client sees all servers as xrootd data servers MWSG 5-6 June 2006 7: http://xrootd.slac.stanford.edu
SLAC Configuration kan01 kan02 kan03 bbr-olb03 kan04 bbr-olb04 client machines MWSG 5-6 June 2006 8: http://xrootd.slac.stanford.edu kanxx kanolb-a
Extending Access Easy clustered local access Everyone sees everyone Simple configuration Low human overhead to maintain Remote access Difficult because of connection constraints Want to make it humanly administrable Critical to minimize cross-domain knowledge Utilize the peer-to-peer nature of xrootd MWSG 5-6 June 2006 9: http://xrootd.slac.stanford.edu
Proxies I (single firewall) data01 data02 data03 data04 IN2P3 olbd 2 Firewall 3 proxy xrootd INDRA 1 client machines MWSG 5-6 June 2006 10: http://xrootd.slac.stanford.edu
Scaling Proxies Need to provide more than one proxy Selection criteria for proxies? Utilize natural rooted clustering Create proxy clusters Automatically load balance No practical limit on number MWSG 5-6 June 2006 11: http://xrootd.slac.stanford.edu
Proxy Clusters (single firewall) data01 data02 data03 data04 olbd 5 4 proxy server xrootd olbd 2 proxy manager xrootd 1 Firewall 3 client machines MWSG 5-6 June 2006 12: http://xrootd.slac.stanford.edu
Dealing With Lockdowns Double Firewalls Reality sets in. Incoming and outgoing traffic limited Utilize peer-to-peer nature of rooted Maintains practical simplicity Alternative not particularly appealing Application controlled firewall LBL and ANL models for gridFTP. Could use xrootd’s for this as well, though. MWSG 5-6 June 2006 13: http://xrootd.slac.stanford.edu
Proxies II (double firewall, simplified) data01 data02 olbd data03 data04 4 3 remote proxy xrootd 2 Firewalls local proxy xrootd 1 client machines MWSG 5-6 June 2006 14: http://xrootd.slac.stanford.edu
N-to-M Authentication issues Clusters of proxies on each side Random server-server connections Authentication key management issues Complex because of size and interactions Would like to simplify key distribution Use a security transformation GSI to global session key MWSG 5-6 June 2006 15: http://xrootd.slac.stanford.edu
Scalable Proxy Security SLAC PROXY 1 RAL PROXY 2 2 Data Servers Data Servers 3 1 Authenticate & develop session key 2 Distribute session key to authenticated subscribers 3 Servers can log into each other using session key MWSG 5-6 June 2006 16: http://xrootd.slac.stanford.edu
Extending Security Transforms xrootd protocol allows security transforms Redirect can pass along a CGI string Anyone can redirect! No practical redirect limit. Allows security framework substitutions Minimizes GSI intra-cluster overhead MWSG 5-6 June 2006 17: http://xrootd.slac.stanford.edu
Security Transforms data01 data02 data03 olbd 3 GSI “proxy” xrootd data04 4 x-auth xrootd 1 2 client machines MWSG 5-6 June 2006 18: http://xrootd.slac.stanford.edu
Conclusion xrootd has a security enabling architecture Protocol was designed with security in mind Accommodates security transforms Server-to-server Client-server Very easy to administer Critical for maintaining security MWSG 5-6 June 2006 19: http://xrootd.slac.stanford.edu
Acknowledgements Software collaborators INFN/Padova: Fabrizio Furano, Alvise Dorigao Root: Fons Rademakers, Gerri Ganis Alice: Derek Feichtinger, Guenter Kickinger, Andreas Peters Cornell: Gregory Sharp SLAC: Jacek Becla, Tofigh Azemoon, Wilko Kroeger, Bill Weeks Princeton: Pete Elmer Operational collaborators BNL, CNAF, FZK, INFN, IN2P3, RAL, SLAC MWSG 5-6 June 2006 20: http://xrootd.slac.stanford.edu

Recommended

MongoDB - External Authentication
MongoDB - External AuthenticationMongoDB - External Authentication
MongoDB - External Authentication
Jason Terpko
 
MongoDB: Comparing WiredTiger In-Memory Engine to Redis
MongoDB: Comparing WiredTiger In-Memory Engine to RedisMongoDB: Comparing WiredTiger In-Memory Engine to Redis
MongoDB: Comparing WiredTiger In-Memory Engine to Redis
Jason Terpko
 
Triggers in MongoDB
Triggers in MongoDBTriggers in MongoDB
Triggers in MongoDB
Antonios Giannopoulos
 
Разведка в сетях IPv6
Разведка в сетях IPv6Разведка в сетях IPv6
Разведка в сетях IPv6
Positive Hack Days
 
Sharded cluster tutorial
Sharded cluster tutorialSharded cluster tutorial
Sharded cluster tutorial
Antonios Giannopoulos
 
Using Ceph for Large Hadron Collider Data
Using Ceph for Large Hadron Collider DataUsing Ceph for Large Hadron Collider Data
Using Ceph for Large Hadron Collider Data
Rob Gardner
 
Sfu ngs course_workshop tutorial_2.1
Sfu ngs course_workshop tutorial_2.1Sfu ngs course_workshop tutorial_2.1
Sfu ngs course_workshop tutorial_2.1
Shaojun Xie
 
Paper presentation @ CGW ‘06 workshop, 2006
Paper presentation @ CGW ‘06 workshop, 2006Paper presentation @ CGW ‘06 workshop, 2006
Paper presentation @ CGW ‘06 workshop, 2006
Paolo Missier
 

Recommended

MongoDB - External Authentication
MongoDB - External AuthenticationMongoDB - External Authentication
MongoDB - External Authentication
Jason Terpko
 
MongoDB: Comparing WiredTiger In-Memory Engine to Redis
MongoDB: Comparing WiredTiger In-Memory Engine to RedisMongoDB: Comparing WiredTiger In-Memory Engine to Redis
MongoDB: Comparing WiredTiger In-Memory Engine to Redis
Jason Terpko
 
Triggers in MongoDB
Triggers in MongoDBTriggers in MongoDB
Triggers in MongoDB
Antonios Giannopoulos
 
Разведка в сетях IPv6
Разведка в сетях IPv6Разведка в сетях IPv6
Разведка в сетях IPv6
Positive Hack Days
 
Sharded cluster tutorial
Sharded cluster tutorialSharded cluster tutorial
Sharded cluster tutorial
Antonios Giannopoulos
 
Using Ceph for Large Hadron Collider Data
Using Ceph for Large Hadron Collider DataUsing Ceph for Large Hadron Collider Data
Using Ceph for Large Hadron Collider Data
Rob Gardner
 
Sfu ngs course_workshop tutorial_2.1
Sfu ngs course_workshop tutorial_2.1Sfu ngs course_workshop tutorial_2.1
Sfu ngs course_workshop tutorial_2.1
Shaojun Xie
 
Paper presentation @ CGW ‘06 workshop, 2006
Paper presentation @ CGW ‘06 workshop, 2006Paper presentation @ CGW ‘06 workshop, 2006
Paper presentation @ CGW ‘06 workshop, 2006
Paolo Missier
 
fermilab-conf-12-398-cd
fermilab-conf-12-398-cdfermilab-conf-12-398-cd
fermilab-conf-12-398-cdJosephine Palencia
 
YOW2018 Cloud Performance Root Cause Analysis at Netflix
YOW2018 Cloud Performance Root Cause Analysis at NetflixYOW2018 Cloud Performance Root Cause Analysis at Netflix
YOW2018 Cloud Performance Root Cause Analysis at Netflix
Brendan Gregg
 
Understanding Oracle RAC 12c Internals OOW13 [CON8806]
Understanding Oracle RAC 12c Internals OOW13 [CON8806]Understanding Oracle RAC 12c Internals OOW13 [CON8806]
Understanding Oracle RAC 12c Internals OOW13 [CON8806]
Markus Michalewicz
 
Jim Basney
Jim BasneyJim Basney
Jim Basneyprensacespi
 
Oracle Clusterware and Private Network Considerations - Practical Performance...
Oracle Clusterware and Private Network Considerations - Practical Performance...Oracle Clusterware and Private Network Considerations - Practical Performance...
Oracle Clusterware and Private Network Considerations - Practical Performance...Guenadi JILEVSKI
 
Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2
Sematext Group, Inc.
 
[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx
[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx
[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx
ssuserf8b8bd1
 
Drupal Deployment on Solaris - DrupalCamp Bay Area 2007 - Mattoon
Drupal Deployment on Solaris - DrupalCamp Bay Area 2007 - MattoonDrupal Deployment on Solaris - DrupalCamp Bay Area 2007 - Mattoon
Drupal Deployment on Solaris - DrupalCamp Bay Area 2007 - Mattoon
smattoon
 
RAC - The Savior of DBA
RAC - The Savior of DBARAC - The Savior of DBA
RAC - The Savior of DBA
Nikhil Kumar
 
Upgrade 11gR2 to 12cR1 Clusterware
Upgrade 11gR2 to 12cR1 ClusterwareUpgrade 11gR2 to 12cR1 Clusterware
Upgrade 11gR2 to 12cR1 ClusterwareNikhil Kumar
 
Con1741 mcintosh top 10 database performance tips for sparc systems running o...
Con1741 mcintosh top 10 database performance tips for sparc systems running o...Con1741 mcintosh top 10 database performance tips for sparc systems running o...
Con1741 mcintosh top 10 database performance tips for sparc systems running o...
Jimmy He
 
OGCE TeraGrid 2010 Science Gateway Tutorial Intro
OGCE TeraGrid 2010 Science Gateway Tutorial IntroOGCE TeraGrid 2010 Science Gateway Tutorial Intro
OGCE TeraGrid 2010 Science Gateway Tutorial Intro
marpierc
 
Introduction to the Helium release of OpenDaylight
Introduction to the Helium release of OpenDaylightIntroduction to the Helium release of OpenDaylight
Introduction to the Helium release of OpenDaylight
SDN Hub
 
Rock Overview
Rock OverviewRock Overview
Rock Overview
Sylvain Joyeux
 
Oracle RAC Presentation at Oracle Open World
Oracle RAC Presentation at Oracle Open WorldOracle RAC Presentation at Oracle Open World
Oracle RAC Presentation at Oracle Open World
Paul Marden
 
Rac 12c optimization
Rac 12c optimizationRac 12c optimization
Rac 12c optimization
Riyaj Shamsudeen
 
20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstackJeff Yang
 
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
Jeff Yang
 
SFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance
SFBay Area Solr Meetup - June 18th: Benchmarking Solr PerformanceSFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance
SFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance
Lucidworks (Archived)
 
Sector Sphere 2009
Sector Sphere 2009Sector Sphere 2009
Sector Sphere 2009
lilyco
 
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Information Security Awareness Group
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Information Security Awareness Group
 

More Related Content

Similar to Xrootd proxies Andrew Hanushevsky

YOW2018 Cloud Performance Root Cause Analysis at Netflix
YOW2018 Cloud Performance Root Cause Analysis at NetflixYOW2018 Cloud Performance Root Cause Analysis at Netflix
YOW2018 Cloud Performance Root Cause Analysis at Netflix
Brendan Gregg
 
Understanding Oracle RAC 12c Internals OOW13 [CON8806]
Understanding Oracle RAC 12c Internals OOW13 [CON8806]Understanding Oracle RAC 12c Internals OOW13 [CON8806]
Understanding Oracle RAC 12c Internals OOW13 [CON8806]
Markus Michalewicz
 
Oracle Clusterware and Private Network Considerations - Practical Performance...
Oracle Clusterware and Private Network Considerations - Practical Performance...Oracle Clusterware and Private Network Considerations - Practical Performance...
Oracle Clusterware and Private Network Considerations - Practical Performance...Guenadi JILEVSKI
 
Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2
Sematext Group, Inc.
 
[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx
[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx
[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx
ssuserf8b8bd1
 
Drupal Deployment on Solaris - DrupalCamp Bay Area 2007 - Mattoon
Drupal Deployment on Solaris - DrupalCamp Bay Area 2007 - MattoonDrupal Deployment on Solaris - DrupalCamp Bay Area 2007 - Mattoon
Drupal Deployment on Solaris - DrupalCamp Bay Area 2007 - Mattoon
smattoon
 
RAC - The Savior of DBA
RAC - The Savior of DBARAC - The Savior of DBA
RAC - The Savior of DBA
Nikhil Kumar
 
Upgrade 11gR2 to 12cR1 Clusterware
Upgrade 11gR2 to 12cR1 ClusterwareUpgrade 11gR2 to 12cR1 Clusterware
Upgrade 11gR2 to 12cR1 ClusterwareNikhil Kumar
 
Con1741 mcintosh top 10 database performance tips for sparc systems running o...
Con1741 mcintosh top 10 database performance tips for sparc systems running o...Con1741 mcintosh top 10 database performance tips for sparc systems running o...
Con1741 mcintosh top 10 database performance tips for sparc systems running o...
Jimmy He
 
OGCE TeraGrid 2010 Science Gateway Tutorial Intro
OGCE TeraGrid 2010 Science Gateway Tutorial IntroOGCE TeraGrid 2010 Science Gateway Tutorial Intro
OGCE TeraGrid 2010 Science Gateway Tutorial Intro
marpierc
 
Introduction to the Helium release of OpenDaylight
Introduction to the Helium release of OpenDaylightIntroduction to the Helium release of OpenDaylight
Introduction to the Helium release of OpenDaylight
SDN Hub
 
Rock Overview
Rock OverviewRock Overview
Rock Overview
Sylvain Joyeux
 
Oracle RAC Presentation at Oracle Open World
Oracle RAC Presentation at Oracle Open WorldOracle RAC Presentation at Oracle Open World
Oracle RAC Presentation at Oracle Open World
Paul Marden
 
Rac 12c optimization
Rac 12c optimizationRac 12c optimization
Rac 12c optimization
Riyaj Shamsudeen
 
20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstackJeff Yang
 
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
Jeff Yang
 
SFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance
SFBay Area Solr Meetup - June 18th: Benchmarking Solr PerformanceSFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance
SFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance
Lucidworks (Archived)
 
Sector Sphere 2009
Sector Sphere 2009Sector Sphere 2009
Sector Sphere 2009
lilyco
 

Similar to Xrootd proxies Andrew Hanushevsky (20)

fermilab-conf-12-398-cd
fermilab-conf-12-398-cdfermilab-conf-12-398-cd
fermilab-conf-12-398-cd
 
YOW2018 Cloud Performance Root Cause Analysis at Netflix
YOW2018 Cloud Performance Root Cause Analysis at NetflixYOW2018 Cloud Performance Root Cause Analysis at Netflix
YOW2018 Cloud Performance Root Cause Analysis at Netflix
 
Understanding Oracle RAC 12c Internals OOW13 [CON8806]
Understanding Oracle RAC 12c Internals OOW13 [CON8806]Understanding Oracle RAC 12c Internals OOW13 [CON8806]
Understanding Oracle RAC 12c Internals OOW13 [CON8806]
 
Jim Basney
Jim BasneyJim Basney
Jim Basney
 
Oracle Clusterware and Private Network Considerations - Practical Performance...
Oracle Clusterware and Private Network Considerations - Practical Performance...Oracle Clusterware and Private Network Considerations - Practical Performance...
Oracle Clusterware and Private Network Considerations - Practical Performance...
 
Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2Side by Side with Elasticsearch & Solr, Part 2
Side by Side with Elasticsearch & Solr, Part 2
 
[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx
[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx
[발표자료] 오픈소스 기반 고가용성 Pacemaker 소개 및 적용 사례_20230703_v1.1F.pptx
 
Drupal Deployment on Solaris - DrupalCamp Bay Area 2007 - Mattoon
Drupal Deployment on Solaris - DrupalCamp Bay Area 2007 - MattoonDrupal Deployment on Solaris - DrupalCamp Bay Area 2007 - Mattoon
Drupal Deployment on Solaris - DrupalCamp Bay Area 2007 - Mattoon
 
RAC - The Savior of DBA
RAC - The Savior of DBARAC - The Savior of DBA
RAC - The Savior of DBA
 
Upgrade 11gR2 to 12cR1 Clusterware
Upgrade 11gR2 to 12cR1 ClusterwareUpgrade 11gR2 to 12cR1 Clusterware
Upgrade 11gR2 to 12cR1 Clusterware
 
Con1741 mcintosh top 10 database performance tips for sparc systems running o...
Con1741 mcintosh top 10 database performance tips for sparc systems running o...Con1741 mcintosh top 10 database performance tips for sparc systems running o...
Con1741 mcintosh top 10 database performance tips for sparc systems running o...
 
OGCE TeraGrid 2010 Science Gateway Tutorial Intro
OGCE TeraGrid 2010 Science Gateway Tutorial IntroOGCE TeraGrid 2010 Science Gateway Tutorial Intro
OGCE TeraGrid 2010 Science Gateway Tutorial Intro
 
Introduction to the Helium release of OpenDaylight
Introduction to the Helium release of OpenDaylightIntroduction to the Helium release of OpenDaylight
Introduction to the Helium release of OpenDaylight
 
Rock Overview
Rock OverviewRock Overview
Rock Overview
 
Oracle RAC Presentation at Oracle Open World
Oracle RAC Presentation at Oracle Open WorldOracle RAC Presentation at Oracle Open World
Oracle RAC Presentation at Oracle Open World
 
Rac 12c optimization
Rac 12c optimizationRac 12c optimization
Rac 12c optimization
 
20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack
 
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
 
SFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance
SFBay Area Solr Meetup - June 18th: Benchmarking Solr PerformanceSFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance
SFBay Area Solr Meetup - June 18th: Benchmarking Solr Performance
 
Sector Sphere 2009
Sector Sphere 2009Sector Sphere 2009
Sector Sphere 2009
 

More from Information Security Awareness Group

Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Information Security Awareness Group
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Information Security Awareness Group
 
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Information Security Awareness Group
 
IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
Information Security Awareness Group
 
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Information Security Awareness Group
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security Alliance
Information Security Awareness Group
 
Big data analysis concepts and references
Big data analysis concepts and referencesBig data analysis concepts and references
Big data analysis concepts and references
Information Security Awareness Group
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Information Security Awareness Group
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
Information Security Awareness Group
 
PKI by Gene Itkis
PKI by Gene ItkisPKI by Gene Itkis
PKI by Gene Itkis
Information Security Awareness Group
 
Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...
Information Security Awareness Group
 
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
Information Security Awareness Group
 
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Information Security Awareness Group
 
THE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth PordesTHE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth Pordes
Information Security Awareness Group
 
Open Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesOpen Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob Cowles
Information Security Awareness Group
 
Security Open Science Grid Doug Olson
Security Open Science Grid Doug OlsonSecurity Open Science Grid Doug Olson
Security Open Science Grid Doug Olson
Information Security Awareness Group
 
Open Science Group Security Kevin Hill
Open Science Group Security Kevin HillOpen Science Group Security Kevin Hill
Open Science Group Security Kevin Hill
Information Security Awareness Group
 
Privilege Project Vikram Andem
Privilege Project Vikram AndemPrivilege Project Vikram Andem
Privilege Project Vikram Andem
Information Security Awareness Group
 
DES Block Cipher Hao Qi
DES Block Cipher Hao QiDES Block Cipher Hao Qi
DES Block Cipher Hao Qi
Information Security Awareness Group
 

More from Information Security Awareness Group (20)

Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
 
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
 
IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
 
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security Alliance
 
Big data analysis concepts and references
Big data analysis concepts and referencesBig data analysis concepts and references
Big data analysis concepts and references
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim Polk
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
 
PKI by Gene Itkis
PKI by Gene ItkisPKI by Gene Itkis
PKI by Gene Itkis
 
Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...
 
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
 
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
 
THE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth PordesTHE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth Pordes
 
Open Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesOpen Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob Cowles
 
Security Open Science Grid Doug Olson
Security Open Science Grid Doug OlsonSecurity Open Science Grid Doug Olson
Security Open Science Grid Doug Olson
 
Open Science Group Security Kevin Hill
Open Science Group Security Kevin HillOpen Science Group Security Kevin Hill
Open Science Group Security Kevin Hill
 
Privilege Project Vikram Andem
Privilege Project Vikram AndemPrivilege Project Vikram Andem
Privilege Project Vikram Andem
 
DES Block Cipher Hao Qi
DES Block Cipher Hao QiDES Block Cipher Hao Qi
DES Block Cipher Hao Qi
 

Recently uploaded

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 

Recently uploaded (20)

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 

Xrootd proxies Andrew Hanushevsky

  • 1. xrootd Proxies Andrew Hanushevsky (SLAC) Middleware Security Group Meeting 5-6 June 2006 http://xrootd.slac.stanford.edu xrootd is largely funded by the US Department of Energy Contract DE-AC02-76SF00515 with Stanford University
  • 2. Outline xrootd Architecture Overview Terms and Concepts Clustering Proxies Single and double firewalls Proxy clusters for scalability Security transformations Conclusions & Acknowledgements MWSG 5-6 June 2006 2: http://xrootd.slac.stanford.edu
  • 3. xrootd Plugin Architecture authentication (gsi, krb5, etc) Protocol Driver (XRD) Protocol (1 of n) (xrootd) lfn2pfn prefix encoding authorization (name based) File System Storage System (ofs, sfs, alice, etc) (oss, drm/srm, etc) Clustering (olbd) MWSG 5-6 June 2006 3: http://xrootd.slac.stanford.edu
  • 4. Acronyms, Entities & Relationships xrootd olbd Control Network Managers, Supervisors & Servers (resource info, file location) Redirectors olbd M Data Network (redirectors steer clients to data Data servers provide data) ctl xrootd Data Clients MWSG 5-6 June 2006 olbd S data xrootd Data Servers 4: http://xrootd.slac.stanford.edu
  • 5. Cluster Architecture A manager is an optionally replicated xrootd/olbd pair functioning as a root node Up to 64 servers or cells can connect to a manager Server A server is an xrootd/olbd pair leaf node that delivers data A cell is 1-to-64 entities (servers or cells) clustered around a cell manager called a supervisor MWSG 5-6 June 2006 5: http://xrootd.slac.stanford.edu
  • 6. Single Level Switch A open file X Redirectors Cache file location 2nd open X go to C open f ile X Client Who has file X? go to C Redirector (Head Node) I ha B ve C Data Servers Cluster Client sees all servers as xrootd data servers MWSG 5-6 June 2006 6: http://xrootd.slac.stanford.edu
  • 7. Two Level Switch Client oh Wh open file X open file X go to C X? (Head Node) go to F A Data Servers I ha Redirector open file X ile as f B ve ? ile X sf o ha ve Wh I ha C Supervisor I ha (sub-redirector) D E ve F Cluster Client sees all servers as xrootd data servers MWSG 5-6 June 2006 7: http://xrootd.slac.stanford.edu
  • 8. SLAC Configuration kan01 kan02 kan03 bbr-olb03 kan04 bbr-olb04 client machines MWSG 5-6 June 2006 8: http://xrootd.slac.stanford.edu kanxx kanolb-a
  • 9. Extending Access Easy clustered local access Everyone sees everyone Simple configuration Low human overhead to maintain Remote access Difficult because of connection constraints Want to make it humanly administrable Critical to minimize cross-domain knowledge Utilize the peer-to-peer nature of xrootd MWSG 5-6 June 2006 9: http://xrootd.slac.stanford.edu
  • 10. Proxies I (single firewall) data01 data02 data03 data04 IN2P3 olbd 2 Firewall 3 proxy xrootd INDRA 1 client machines MWSG 5-6 June 2006 10: http://xrootd.slac.stanford.edu
  • 11. Scaling Proxies Need to provide more than one proxy Selection criteria for proxies? Utilize natural rooted clustering Create proxy clusters Automatically load balance No practical limit on number MWSG 5-6 June 2006 11: http://xrootd.slac.stanford.edu
  • 12. Proxy Clusters (single firewall) data01 data02 data03 data04 olbd 5 4 proxy server xrootd olbd 2 proxy manager xrootd 1 Firewall 3 client machines MWSG 5-6 June 2006 12: http://xrootd.slac.stanford.edu
  • 13. Dealing With Lockdowns Double Firewalls Reality sets in. Incoming and outgoing traffic limited Utilize peer-to-peer nature of rooted Maintains practical simplicity Alternative not particularly appealing Application controlled firewall LBL and ANL models for gridFTP. Could use xrootd’s for this as well, though. MWSG 5-6 June 2006 13: http://xrootd.slac.stanford.edu
  • 14. Proxies II (double firewall, simplified) data01 data02 olbd data03 data04 4 3 remote proxy xrootd 2 Firewalls local proxy xrootd 1 client machines MWSG 5-6 June 2006 14: http://xrootd.slac.stanford.edu
  • 15. N-to-M Authentication issues Clusters of proxies on each side Random server-server connections Authentication key management issues Complex because of size and interactions Would like to simplify key distribution Use a security transformation GSI to global session key MWSG 5-6 June 2006 15: http://xrootd.slac.stanford.edu
  • 16. Scalable Proxy Security SLAC PROXY 1 RAL PROXY 2 2 Data Servers Data Servers 3 1 Authenticate & develop session key 2 Distribute session key to authenticated subscribers 3 Servers can log into each other using session key MWSG 5-6 June 2006 16: http://xrootd.slac.stanford.edu
  • 17. Extending Security Transforms xrootd protocol allows security transforms Redirect can pass along a CGI string Anyone can redirect! No practical redirect limit. Allows security framework substitutions Minimizes GSI intra-cluster overhead MWSG 5-6 June 2006 17: http://xrootd.slac.stanford.edu
  • 19. Conclusion xrootd has a security enabling architecture Protocol was designed with security in mind Accommodates security transforms Server-to-server Client-server Very easy to administer Critical for maintaining security MWSG 5-6 June 2006 19: http://xrootd.slac.stanford.edu
  • 20. Acknowledgements Software collaborators INFN/Padova: Fabrizio Furano, Alvise Dorigao Root: Fons Rademakers, Gerri Ganis Alice: Derek Feichtinger, Guenter Kickinger, Andreas Peters Cornell: Gregory Sharp SLAC: Jacek Becla, Tofigh Azemoon, Wilko Kroeger, Bill Weeks Princeton: Pete Elmer Operational collaborators BNL, CNAF, FZK, INFN, IN2P3, RAL, SLAC MWSG 5-6 June 2006 20: http://xrootd.slac.stanford.edu