9-Jul-02 D.P.Kelsey, DataGrid Security 1
EU DataGrid Security
9 July 2002, UK Security Task Force Meeting #2
David Kelsey, CLRC/RAL, UK


Slide 2: Overview
- GridPP/DataGrid
- DataGrid Security - Introduction
- Authentication
- Authorisation
- Deployment
- Summary

Slide 4: GridPP
- Provide architecture and middleware
- Use the Grid with simulated data
- Use the Grid with real data
- Future LHC experiments
- Running US experiments
- £17M PPARC project to build a Grid for UK PP (particle physics), Sep 01 - Aug 04

Slide 5: Main Partners
- CERN - International (Switzerland/France)
- CNRS - France
- ESA/ESRIN - International (Italy)
- INFN - Italy
- NIKHEF - The Netherlands
- PPARC - UK

Slide 6: Assistant Partners
Research and Academic Institutes:
- CESNET (Czech Republic)
- Commissariat à l'énergie atomique (CEA) - France
- Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI)
- Consiglio Nazionale delle Ricerche (Italy)
- Helsinki Institute of Physics - Finland
- Institut de Fisica d'Altes Energies (IFAE) - Spain
- Istituto Trentino di Cultura (IRST) - Italy
- Konrad-Zuse-Zentrum für Informationstechnik Berlin - Germany
- Royal Netherlands Meteorological Institute (KNMI)
- Ruprecht-Karls-Universität Heidelberg - Germany
- Stichting Academisch Rekencentrum Amsterdam (SARA) - Netherlands
- Swedish Research Council - Sweden
Industrial Partners:
- Datamat (Italy)
- IBM-UK (UK)
- CS-SI (France)

Slide 7: Project Scope
- 9.8 M Euros EU funding over 3 years (Jan 01 - Dec 03)
- 90% for middleware and applications (HEP, EO and biology)
- Three-year phased developments & demos ( )
- Possible extensions (time and funds) on the basis of first successful results:
  - DataTAG ( )
  - CrossGrid ( )
  - …

Slide 8: Programme of work
Middleware:
- WP1 Grid Workload Management - F. Prelz/INFN
- WP2 Grid Data Management - P. Kunszt/CERN
- WP3 Grid Monitoring Services - S. Fisher/RAL
- WP4 Fabric Management - O. Barring/CERN
- WP5 Mass Storage Management - J. Gordon/RAL
Testbed:
- WP6 Testbed Integration - F. Etienne/CNRS
- WP7 Network Services - C. Michau/CNRS
Scientific Applications:
- WP8 HEP Applications - F. Carminati/CERN
- WP9 Earth Observation Applications - L. Fusco/ESA-ESRIN
- WP10 Biology Applications - C. Michau/CNRS
Dissemination:
- WP11 - M. Lancia/CNR
Project Management:
- WP12 - F. Gagliardi/CERN

Slide 9: DataGrid Security - Introduction
- No single Work Package (security is everywhere!)
  - 3 sub-groups: Authentication, Authorisation, & Co-ordination
- Based on Globus GSI
  - But adding our own extra functionality
- Security Requirements and first implementation
  - Document (D7.5) distributed to STF
- Security Design and 2nd implementation (Jan 2003)
- Many topics not covered today!

Slide 10: Globus Security
Grid Security Infrastructure (GSI) today:
- PKI (X.509 certificates)
- Users, hosts and services are authenticated (both directions)
- Single sign-on
  - Delegation via Proxy credential (limited lifetime)
- Authorisation via "Grid Mapfile"
  - Maps certificate DN to local user (Unix, Kerberos)
  - Authorisation via local security mechanisms

Slide 11: Authentication
- 13 approved National Certificate Authorities
  - includes Registration Authorities, which check identity
- CNRS (France) acts as "catch-all" CA
  - With appropriate RA mechanisms
- Matrix of "Trust" (work ongoing), much work!
  - WP6 CA Managers check each other against an agreed list of minimum requirements
  - Software being developed to aid this process (see next slide)
- Cross-Domain Authentication between Grid projects
  - USA (DOE) and CrossGrid are members of the CA group and Trust matrix

Slide 12: Authentication (2)
- DataGrid CA Features matrix (figure)

Slide 13: Authentication issues
- Don't mix Authentication and Authorisation
  - But authentication often includes some implicit authorisation
- How to define the list of "trusted" CAs?
  - CP/CPS important
  - Audit of CA procedures by a 3rd party? (not done yet)
  - GGF GridCP and CA-Operations WGs important here
- Scaling problems
  - How many CAs can we cope with? (we will reach ~20)
  - Or should the VOs issue Authentication certs?
  - Or use Kerberos at the site and generate certs online
- Authorisation is where the real identity checks need to be made
  - We should avoid (too) heavy-weight Authentication
  - Is MS .NET Passport good enough?

Slide 14: Authorisation
- Testbed 0 (2000)
  - Based on Globus GSI and Grid Mapfile
    - Maps certificate DN to one UNIX user account
    - No groups or roles
    - Unix UID/GID-based access control
- Testbed 1 (2001)
  - DataGrid "Virtual Organisation" (VO) support
    - Tools to manage grid mapfile automation -> groups
    - Leasing of dynamic user accounts (mods to Globus mapping code)

Slide 15: EDG Authorisation - grid-mapfile generation (diagram)
- Authentication Certificate: user DN (e.g. CN=Franz Elmer, CN=John Smith, CN=Mario Rossi)
- VO Directory ("Authorization Directory"): o=testbed, dc=eu-datagrid, dc=org and o=xyz, dc=eu-datagrid, dc=org, with ou=People, ou=Testbed1, ou=??? entries
- mkgridmap combines the VO Directory with the local users list and the ban list
- Output: grid-mapfile
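As an added illustration of slides 10, 14 and 15 (this is example code, not EDG's mkgridmap or Globus code), the block below builds a grid-mapfile from a VO directory, a site ban list and a list of locally registered users, then performs the authorisation step of slide 10: mapping an authenticated certificate DN to a local account. The VO directory contents, the group-to-account policy, the account names and the DNs are all constructed for the example.

```python
"""Toy mkgridmap and grid-mapfile lookup (added example, not EDG code).

Constructed inputs below stand in for the VO LDAP directory, the site's
local-user list and the site's ban list that the slide's diagram feeds
into mkgridmap. Account names and group labels are assumptions.
"""
import shlex

# Constructed VO directory: certificate DN -> VO organisational units.
VO_DIRECTORY = {
    "/O=Grid/O=EDG/OU=cern.ch/CN=Franz Elmer": ["ou=People", "ou=Testbed1"],
    "/O=Grid/O=EDG/OU=ral.ac.uk/CN=John Smith": ["ou=People"],
    "/O=xyz/CN=Mario Rossi": ["ou=People"],
}
# Site policy (assumed): VO unit -> shared local account, in priority order.
GROUP_TO_LOCAL = {"ou=Testbed1": "tb1user", "ou=People": "edguser"}
# Site ban list: DNs that are never mapped, whatever the VO says.
BAN_LIST = {"/O=xyz/CN=Mario Rossi"}
# Locally registered users keep their own account instead of a shared one.
LOCAL_USERS = {"/O=Grid/O=EDG/OU=ral.ac.uk/CN=John Smith": "jsmith"}


def build_gridmap(vo_dir, group_to_local, ban_list, local_users):
    """Produce grid-mapfile text: one '"DN" account' line per mapped DN."""
    lines = []
    for dn, units in sorted(vo_dir.items()):
        if dn in ban_list:
            continue                      # site veto wins over VO membership
        account = local_users.get(dn)
        if account is None:
            account = next((acct for unit, acct in group_to_local.items()
                            if unit in units), None)
        if account is None:
            continue                      # VO member, but no mapping at this site
        lines.append(f'"{dn}" {account}')
    return "\n".join(lines) + "\n"


def parse_gridmap(text):
    """Read grid-mapfile text into {dn: [accounts]}; DNs are quoted and may contain spaces."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)        # honours the double-quoted DN
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        mapping[dn] = accounts.split(",")  # Globus mapfiles accept "user1,user2"
    return mapping


def map_dn(mapping, dn, requested=None):
    """Authorisation step: return the local account for an authenticated DN, or None."""
    accounts = mapping.get(dn)
    if accounts is None:
        return None                       # valid certificate, but not authorised here
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


if __name__ == "__main__":
    text = build_gridmap(VO_DIRECTORY, GROUP_TO_LOCAL, BAN_LIST, LOCAL_USERS)
    print(text)
    gm = parse_gridmap(text)
    for dn in VO_DIRECTORY:
        print(dn, "->", map_dn(gm, dn))
```

Note the limitation the slides call out: a mapfile expresses one DN to one (or a few) local accounts, so a user's VO groups collapse into the choice of account at generation time, and the ban list is the site's only per-user veto. Authentication (is this DN's certificate from a CA on the trusted list of slide 11?) happens before `map_dn` is consulted and is not modelled here.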

Slide 16: Authorisation (2)
- Original Globus CAS
  - Community certificate, signed by CAS
  - Also contains authorisation capabilities
  - All access control centralised in CAS
- DataGrid model (for Testbed 2 - 2002)
  - Authenticate with personal certificate
  - Virtual Organisation Membership Service: VOMS "adds" role(s) and group(s)
    - As requested by user
  - New Globus CAS going this way (AC-like)
  - Grid ACLs local to resource
- Continue to look at other technology (CAS, PERMIS, …)

Slide 17: SlashGrid & GACL (McNab - HEP Manchester)
- Framework for creating "Grid-aware" filesystems
  - different types of filesystem provided by dynamically loaded plugins
  - Uses CMU Coda kernel module
  - Source, binaries and API notes:
- GACL
  - a C library for manipulating Grid Access Control Lists, written in XML-based Access Control Languages.
  - n.b. also GridSite for certificate-based web authorisation
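To show how the DataGrid model of slide 16 (personal certificate for authentication, VOMS groups and roles presented by the user, ACLs held locally at the resource) fits together with the XML access control lists of slide 17, here is an added example in Python. It is not GACL's own code: the ACL document, the credential layout, the `/vo/group/Role=name` attribute strings and the evaluation rules (all conditions in an entry must hold; a deny in any matching entry removes the permission) are this example's assumptions, modelled loosely on GridSite GACL.

```python
"""GACL-style access control check with VOMS groups/roles (added example).

The ACL document, the credential shape and the evaluation rules below are
this example's assumptions, modelled on GridSite GACL; they are not the
GACL library's own code.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed ACL for one resource. Entries carry credential conditions
# (any-user, person/dn, voms/fqan) plus allow and/or deny permission sets.
SAMPLE_ACL = """<gacl version="0.0.1">
  <entry><any-user/><allow><read/><list/></allow></entry>
  <entry><person><dn>/O=Grid/O=EDG/OU=cern.ch/CN=Franz Elmer</dn></person>
         <allow><write/></allow></entry>
  <entry><voms><fqan>/cms/Role=production</fqan></voms>
         <allow><write/><admin/></allow></entry>
  <entry><voms><fqan>/cms/Role=guest</fqan></voms><deny><write/></deny></entry>
</gacl>"""


@dataclass
class Credential:
    dn: str                                    # from the authentication certificate
    fqans: list = field(default_factory=list)  # VOMS groups/roles the user chose to present


def _condition_holds(cond, cred):
    if cond.tag == "any-user":
        return True
    if cond.tag == "person":
        return cond.findtext("dn") == cred.dn
    if cond.tag == "voms":
        return cond.findtext("fqan") in cred.fqans
    return False                               # unknown credential type never matches


def entry_matches(entry, cred):
    """An entry applies only if every credential condition in it holds (a join)."""
    conds = [c for c in entry if c.tag not in ("allow", "deny")]
    return bool(conds) and all(_condition_holds(c, cred) for c in conds)


def permissions(acl_xml, cred):
    """Union of allows from matching entries, minus any deny from a matching entry."""
    root = ET.fromstring(acl_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        if not entry_matches(entry, cred):
            continue
        for block in entry.findall("allow"):
            allowed.update(child.tag for child in block)
        for block in entry.findall("deny"):
            denied.update(child.tag for child in block)
    return allowed - denied


def is_allowed(acl_xml, cred, perm):
    return perm in permissions(acl_xml, cred)


if __name__ == "__main__":
    franz = Credential("/O=Grid/O=EDG/OU=cern.ch/CN=Franz Elmer", ["/cms/Role=guest"])
    prod = Credential("/O=Grid/O=EDG/OU=ral.ac.uk/CN=John Smith", ["/cms/Role=production"])
    print(sorted(permissions(SAMPLE_ACL, franz)))   # guest deny removes Franz's write
    print(sorted(permissions(SAMPLE_ACL, prod)))
```

The last case in the test below is the one slide 18 hints at: a user holding both the production and the guest role loses write access if both are presented together, because the deny on the guest role wins. Since VOMS adds roles "as requested by user", the user can instead present only the role needed for the task, which is the least-privilege behaviour a site would want; the resource-side ACL never has to know about the user's other memberships.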

Slide 18: Authorisation issues
- Moving towards more functionality
  - Users with more than one allowed role
  - Move away from Unix uid-based security
  - Applicable to all Grid services
- Users may belong to multiple VOs
  - Authorisation may need to be based on "joins"
- Global vs Local authorisation mechanisms
  - need to negotiate policy: Global/VO/Local

Slide 19: Grid Deployment - issues
- Legal, political, site security policies, etc.
  - The user does not (need to) know where the jobs will run
  - Cannot sign registration forms everywhere
  - Acceptable Use policies (Rules)
- What is needed for User Registration?
  - We have a solution for EDG Testbed, but not yet for full production
  - What is acceptable to Site Security Officers?
- PPDG "Grid Site AA" project working on this
  - An extremely important area, which could kill the Grid!

Slide 20: US PPDG-SiteAA
- Particle Physics Data Grid
  - Using Globus GSI
- US DOE Science Grid CA now in operation
- "Grid Site AA" project: extension to PPDG
  - Examine/evaluate the impact of GSI on local site security
  - Important area not yet tackled by DataGrid

Slide 21: Issues - Deployment (2)
- VOs need to manage their members, and sites/resource providers negotiate with VOs
  - Only system which will scale
- Sites cannot manage a large number of Grid users
  - Not just a technical problem!
  - Must develop procedures to allow this to happen
  - VOs not used to managing resources
  - Will Computer Centres give up (full) control?

Slide 22: Deployment - a personal view
- Today
  - Computer centres register users (lots of rules and checks) but then allow them to do almost anything!
- In the (GRID) future
  - Computer centres will register VOs; VOs manage their users
  - "Trust" established between VOs and Sites
  - The applications could (will?) be tightly controlled, using e.g. community restricted delegation and signed apps
  - The actual user does not matter (but must have audit trail)
  - Control the "What" and not the "Who"

Slide 23: Summary - lessons learned
- Authentication
  - Cross-Domain Trust is the big problem: how to scale?
- Authorisation
  - The IMPORTANT area: this is where the identity and rights need to be checked
  - Technology is immature
- Many operational and legal deployment issues to be solved
  - To establish Trust between Sites/VOs/users

Slide 24: Web links
- GridPP: http://
- DataGrid: http://
- DataGrid Security Requirements document: d7.5.pdf
- PPDG: http://