OGF PGI – EDGI Security Use Case and Requirements

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Advertisements

Directory and Trust Services (D&TS) Define an Abstract Model Purpose: Document a common terminology that the group can use between the various tracks Identify.
Chapter Five Users, Groups, Profiles, and Policies.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Brief Overview of Major Enhancements to PAWN. Producer – Archive Workflow Network (PAWN) Distributed and secure ingestion of digital objects into the.
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
The EDGeS project receives Community research funding 1 Specific security needs of Desktop Grids Desktop Grids Desktop Grids EDGeS project EDGeS project.
SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University.
The Data Grid: Towards an Architecture for the Distributed Management and Analysis of Large Scientific Dataset Caitlin Minteer & Kelly Clynes.
Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
Grid Resource Allocation and Management (GRAM) Execution management Execution management –Deployment, scheduling and monitoring Community Scheduler Framework.
The EDGI project receives Community research funding 1 EDGI Brings Desktop Grids To Distributed Computing Interoperability Etienne URBAH
© 2008 Open Grid Forum Independent Software Vendor (ISV) Remote Computing Primer Steven Newhouse.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security and Job Management.
June 24-25, 2008 Regional Grid Training, University of Belgrade, Serbia Introduction to gLite gLite Basic Services Antun Balaž SCL, Institute of Physics.
Oleg LODYGENSKY Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS, Orsay,
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.
RUS: Resource Usage Service Steven Newhouse James Magowan
Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010.
INFSO-RI Enabling Grids for E-sciencE EGEE is a project funded by the European Union under contract INFSO-RI Grid Accounting.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
Standards driven AAA for Job Management within the OMII-UK distribution Steven Newhouse Director, OMII-UK
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
INFSO-RI Enabling Grids for E-sciencE Policy management and fair share in gLite Andrea Guarise HPDC 2006 Paris June 19th, 2006.
EGEE 3 rd conference - Athens – 20/04/2005 CREAM JDL vs JSDL Massimo Sgaravatto INFN - Padova.
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI VOMS Proxy Lifetime UCB 21 Aug 2012 David Kelsey STFC.
© 2006 Open Grid Forum PGI Use Cases: EGI, GROMACS, Data-intensive HTC Oxana Smirnova 26 October 2010, OGF30, Brussels.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Services for Distributed e-Infrastructure Access Tiziana Ferrari on behalf.
Enabling Grids for E-sciencE Claudio Cherubino INFN DGAS (Distributed Grid Accounting System)
© 2008 Open Grid Forum Production Grid Infrastructure (PGI) 101 Morris Riedel, Balazs Konya, Moreno Marzolla OGF PGI Working Group Co-Chairs.
Implementation of GLUE 2.0 support in the EMI Data Area Elisabetta Ronchieri on behalf of JRA1’s GLUE 2.0 Working Group INFN-CNAF 13 April 2011, EGI User.
PRACE user authentication and vetting Vincent RIBAILLIER, 29 th EUGridPMA meeting, Bucharest, September 9 th, 2013.
Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.
How to integrate portals with EGI accounting system R.Graciani EGI TF 2012.
Using Use Case Diagrams
DGAS A.Guarise April 19th, Athens
UVOS and VOMS differences
Towards GLUE Schema 2.0 Sergio Andreozzi INFN-CNAF Bologna, Italy
A Model for Grid User Management
CREAM Status and Plans Massimo Sgaravatto – INFN Padova
EMI Interoperability Activities
Middleware independent Information Service
Active Directory Administration
CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
Tweaking the Certificate Lifecycle for the UK eScience CA
THE STEPS TO MANAGE THE GRID
Update on EDG Security (VOMS)
Why does EDGeS need OGF PGI ?
Status and Future Steps
Database Management System (DBMS)
Network management system
The New Virtual Organization Membership Service (VOMS)
SAD ::: Spring 2018 Sabbir Muhammad Saleh
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
ACTORS DESCRIPTION PNF
EGEE Middleware: gLite Information Systems (IS)
SharePoint Online Authentication Patterns
Using Use Case Diagrams
Chapter 2: Operating-System Structures
EUDAT Site and Service Registry
DEPLOYING SECURITY CONFIGURATION
a middleware implementation
Introduction to OGF Standards
Chapter 2: Operating-System Structures
Presentation transcript:

OGF PGI – EDGI Security Use Case and Requirements Etienne URBAH urbah@lal.in2p3.fr LAL, Univ Paris-Sud, IN2P3/CNRS, Orsay, France The EDGI project receives Community research funding under grant agreement 261556

Summary Security Use Case Requirements for Information Requirements for Security Requirements for Application Repository Requirements for Accounting Requirements for Logging Requirements for Job Description Requirements for Job Management Requirements for the State Model Non Functional Requirements Author : E. Urbah

Security Use Case : Actors and System UserDomain Manager (VO Admin) CSIRT Security Engineer of a Site UserDomain (VOMS) Server Manages UserDomain (VO)  Provides Credentials (X509 or SAML)  Requests Credentials Accounting Logging & Bookkeeping Gives Accounting and Auditing Registration Authority (RA) Manages Site   Gives Activity Status  Log Info System Info System Info System   Log Publishes available Resources Publishes available Resources Grid User  Submits Activity with Credentials Grid Broker Site Computing Resource Knows User  Pushes Activity  Provides Results  Sends back Results Vets User  Accesses Data  with Credentials Signs Credentials   Accesses Data with Credentials Site Storage Resource The Trust Anchor (IGTF) publishes the Root CA Certificates Certificate Authority (RA) Author : E. Urbah

Mandatory Requirements for Information (permitting Service Discovery) 1 : All grid entities (if possible) MUST be described using the GLUE model. If not possible, extensions for the GLUE model are necessary. http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqIS1 5 : The Execution Service MUST NOT expose detailed information about the GLUE entities which the Execution Service does not manage (all that are not expressed by the computing part of GLUE). For example, Storage Element GLUE entity NOT exposed by Execution Service, NO details about Storage entity. http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqIS4 165 : For already finished Activities, the Information functionality SHOULD accept requests querying the Activity Status, but MAY return an error http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqIS9 172 : In order to prevent overloading the Execution Service (which has performance requirements for Activity Management), the Information functionality SHOULD be separated from the Execution Service http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqIS14 Author : E. Urbah

Mandatory Requirements for Security (Authentication, Authorization, Delegation) 9 : If server authentication to clients, then it must be done with X.509 certificates on TLS (as mandatory option, allowing also other mechanisms additionally) http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqAA1 11 : Each Service MUST publish the Authentication and Authorization methods accepted by its Endpoints in conformance with GLUE recommendations http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqAA2 32 : There must be a mechanism which allows users to manage Activities submitted by other users (access control lists/methods/policies). In order to authorize (or not) an request on an Activity, each instance of the Execution Service MUST enforce a consistent authorization method. http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqAA9 Author : E. Urbah

Mandatory Requirements for Application Repository 34 : WITH FOLLOWING TITLE : There MAY exist Application Repositories containing applications or pre-configured / pre-installed software, and publishing them according to GLUE. - JSDL SHOULD be extended according to GLUE so that a client is able to easily require an Application stored inside a Repository w/o specifying location details. - The Execution Service SHOULD then honor Job Descriptions referencing an Application stored inside a Repository. Specifications of the Execution Service SHOULD describe only how it retrieves the Application files from the Application Repository (but MUST NOT try to address ALL the aspects and implications of Application Repositories, in particular queries and rights to store Applications) http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqAR1 Author : E. Urbah

Mandatory Requirements for Accounting 36 : The Execution Service SHOULD provide Accounting records for each managed Activity. e.g. OGF Usage Records, for tracking resource usage. Most likely improving UR in terms of network and storage resource tracking and improvements of compute parts of multi-core-business. Grid-level attributes (for example: start-time on Grid vs. in batch-system). http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqAc2 173 : In order to prevent overloading the Execution Service (which has performance requirements for Activity Management), the Accounting functionality MUST be separated from the Execution Service http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqAc1 Author : E. Urbah

Mandatory Requirements for Logging 37 : WITH FOLLOWING TITLE : In order to permit efficient Log analysis and Security audit, some Logging and Bookkeeping functionality MUST secure persistence at the grid level of Activity logs from various logging systems and MUST permit Client access to these Activity logs, even after Activities have finished. http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqLB1 Author : E. Urbah

Mandatory Requirements for Job Description 100 : The Job Description document MUST reference all grid entities in conformance to the GLUE specification http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqJD3 101 : The Job Description document specification MUST permit the Client to request automatic data stage-in and stage-out http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqJD4 107 : Job Description should be only used for Job Description not for any kind of feedback. Job status information should not be communicated with a 'changed JSDL' http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqJD11 Author : E. Urbah

Mandatory Requirements for Activity Management 45 : On creation of an Activity, the Execution Service MUST return to the Client an Activity ID permitting the Client to perform subsequent actions (Query, Cancel, ...) on this precise Activity http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqJM4 62 : The Execution Service MUST log enough grid information inside logging systems (which MAY vary during the lifetime of the Activity), in order to permit efficient Log analysis and Security audit http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqJM6 67 : If a Client queries for an already finished Activity, the Execution Service MAY response with an error http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqJM6.8 74 : The execution service MUST NOT expose activity information when queried for resource information http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqJM6.16 94 : Requirement to have a purge (maybe called wipe) operation. Removing all presence (except logs & usage records) of the activity (when it is not longer active or once finished). This functionality is only allowed on any final state according to the PGI state model. The functionality is not supposed to kill Activities, that is why its only allowed on final states. http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqJM20 Author : E. Urbah

Mandatory Requirements for the State Model 119 : The Execution service MUST support a common state model http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqSM1 131 : The Execution service MUST perform the transition between Activity states requested by the Client ONLY if it makes sense. Otherwise, the Execution service MUST return an error to the Client. http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqSM10.1 Author : E. Urbah

Mandatory non functional Requirements 146 : Software components (Services and Clients) MUST ease traceability of the original author of a request http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqNF3 147 : Software components (Services and Clients) MUST generate adequate logs http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqNF4 148 : Software components (Services and Clients) MUST generate and propagate meaningful error messages, including context description http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqNF5 149 : Specifications SHOULD prevent the occurrence of SPOFs and bottlenecks http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqNF7 154 : Basic SW Engineering basic principles - implementation encapsulation, separation of policies, construction by composition, don't re-invent new mechanisms when some existing http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqNF12 160 : Execution Service MUST NOT try to provide ALL grid functionalities, but MUST have a well defined scope, and MUST work together with other grid services : Security, Accounting, Data (Storage, Movement, Catalog, ...), perhaps Information, Logging and Bookkeeping http://forge.gridforum.org/sf/wiki/do/viewPage/projects.pgi-wg/wiki/ReqNF13 Author : E. Urbah

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.