A user-level secure grid file system

A grid-wide distributed file system provides convenient data access interfaces that facilitate fine-grained cross-domain data sharing and collaboration. However, existing widely adopted distributed file systems do not meet the security requirements of grid systems. This paper presents a Secure Grid File System (SGFS) which supports GSI-based authentication and access control, end-to-end message privacy, and integrity. It employs user-level virtualization of NFS to provide transparent grid data access while leveraging existing, unmodified clients and servers. It supports user- and application-tailored security customization per SGFS session, and leverages secure management services to control and configure the sessions. The system conforms to the GSI grid security infrastructure and allows for seamless integration with other grid middleware. An SGFS prototype is evaluated with both file system benchmarks and typical applications, demonstrating that it achieves strong security with acceptable overhead and substantially outperforms native NFS in wide-area environments by using disk caching.
