Flexible session management in a distributed environment
Abstract
Many secure communication libraries used by distributed systems, such as SSL, TLS, and Kerberos, fail to make a clear distinction between the authentication, session, and communication layers. In this paper we introduce CEDAR, the secure communication library used by the Condor High Throughput Computing software, and present the advantages to a distributed computing system resulting from CEDAR's separation of these layers. Regardless of the authentication method used, CEDAR establishes a secure session key, which has the flexibility to be used for multiple capabilities. We demonstrate how a layered approach to security sessions can avoid round-trips and latency inherent in network authentication. The creation of a distinct session management layer allows for optimizations to improve scalability by way of delegating sessions to other components in the system. This session delegation creates a chain of trust that reduces the overhead of establishing secure connections and enables centralized enforcement of system-wide security policies. Additionally, secure channels based upon UDP datagrams are often overlooked by existing libraries; we show how CEDAR's structure accommodates this as well. As an example of the utility of this work, we show how the use of delegated security sessions and other techniques inherent in CEDAR's architecture enables US CMSmore »
- Authors:
- Publication Date:
- Research Org.:
- Fermi National Accelerator Lab. (FNAL), Batavia, IL (United States)
- Sponsoring Org.:
- USDOE
- OSTI Identifier:
- 983372
- Report Number(s):
- FERMILAB-CONF-10-228-CD
TRN: US1004458
- DOE Contract Number:
- AC02-07CH11359
- Resource Type:
- Conference
- Journal Name:
- J.Phys.Conf.Ser.219:042017,2010
- Additional Journal Information:
- Conference: Prepared for 17th International Conference on Computing in High Energy and Nuclear Physics (CHEP 09), Prague, Czech Republic, 21-27 Mar 2009
- Country of Publication:
- United States
- Language:
- English
- Subject:
- 99 GENERAL AND MISCELLANEOUS//MATHEMATICS, COMPUTING, AND INFORMATION SCIENCE; ARCHITECTURE; CHAINS; COMMUNICATIONS; ENFORCEMENT; FLEXIBILITY; MANAGEMENT; NUCLEAR PHYSICS; SECURITY; Computing
Citation Formats
Miller, Zach, /Wisconsin U., Madison, Bradley, Dan, /Wisconsin U., Madison, Tannenbaum, Todd, /Wisconsin U., Madison, Sfiligoi, Igor, and /Fermilab. Flexible session management in a distributed environment. United States: N. p., 2010.
Web. doi:10.1088/1742-6596/219/4/042017.
Miller, Zach, /Wisconsin U., Madison, Bradley, Dan, /Wisconsin U., Madison, Tannenbaum, Todd, /Wisconsin U., Madison, Sfiligoi, Igor, & /Fermilab. Flexible session management in a distributed environment. United States. https://doi.org/10.1088/1742-6596/219/4/042017
Miller, Zach, /Wisconsin U., Madison, Bradley, Dan, /Wisconsin U., Madison, Tannenbaum, Todd, /Wisconsin U., Madison, Sfiligoi, Igor, and /Fermilab. 2010.
"Flexible session management in a distributed environment". United States. https://doi.org/10.1088/1742-6596/219/4/042017. https://www.osti.gov/servlets/purl/983372.
@article{osti_983372,
title = {Flexible session management in a distributed environment},
author = {Miller, Zach and /Wisconsin U., Madison and Bradley, Dan and /Wisconsin U., Madison and Tannenbaum, Todd and /Wisconsin U., Madison and Sfiligoi, Igor and /Fermilab},
abstractNote = {Many secure communication libraries used by distributed systems, such as SSL, TLS, and Kerberos, fail to make a clear distinction between the authentication, session, and communication layers. In this paper we introduce CEDAR, the secure communication library used by the Condor High Throughput Computing software, and present the advantages to a distributed computing system resulting from CEDAR's separation of these layers. Regardless of the authentication method used, CEDAR establishes a secure session key, which has the flexibility to be used for multiple capabilities. We demonstrate how a layered approach to security sessions can avoid round-trips and latency inherent in network authentication. The creation of a distinct session management layer allows for optimizations to improve scalability by way of delegating sessions to other components in the system. This session delegation creates a chain of trust that reduces the overhead of establishing secure connections and enables centralized enforcement of system-wide security policies. Additionally, secure channels based upon UDP datagrams are often overlooked by existing libraries; we show how CEDAR's structure accommodates this as well. As an example of the utility of this work, we show how the use of delegated security sessions and other techniques inherent in CEDAR's architecture enables US CMS to meet their scalability requirements in deploying Condor over large-scale, wide-area grid systems.},
doi = {10.1088/1742-6596/219/4/042017},
url = {https://www.osti.gov/biblio/983372},
journal = {J.Phys.Conf.Ser.219:042017,2010},
number = ,
volume = ,
place = {United States},
year = {Fri Jan 01 00:00:00 EST 2010},
month = {Fri Jan 01 00:00:00 EST 2010}
}