The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.


2 The Grid
Diverse Resources
– Dynamic
– Unreliable
– Shared
Administrative Issues
– Security
– Multiple Organisations
– Coordinated Problem Solving

3 A Quick Refresher
Grid Security Infrastructure (GSI) =
X.509 (PKI certificate format)*
+ proxy certificates (single sign-on & delegation)
+ TLS/SSL (authentication & msg protection)*
+ delegation protocol (remote delegation)
* = Existing IETF standards; the others are GGF & IETF drafts

4 How to define access to these resources?
Current policy is through the ‘GridMap’ file:
"/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse" sjn5
"/C=US/O=Globus/CN=ian foster" ifoster
Advantages:
– Resource owner has clear policy control
Disadvantages:
– Scalability: M users on N resources need co-ordination
– Expressibility: Policy is implemented locally

5 Solutions to scalability
Group Accounts
– Adopted by EUDG
– X.509 DN is mapped to a set of local accounts
Policy Server
– Central server that issues ‘policy tokens’
– Tokens define access to resources

6 CAS
Example Collective Service: Community Authorization (Laura Pearlman, Steve Tuecke, Von Welch, others)
1. User → CAS: CAS request, with resource names and operations
   CAS asks: does the collective policy authorize this request for this user? (using user/group membership, resource/collective membership and collective policy information)
2. CAS → User: CAS reply, with capability and resource CA info
3. User → Resource: resource request, authenticated with capability
   Resource asks: is this request authorized for the CAS? Is this request authorized by the capability? (using local policy information)
4. Resource → User: resource reply
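The four-step exchange on this slide, as an added example that is not Globus or CAS project code. It models both policy decisions with constructed sample data: the CAS grants a capability covering only the (resource, operation) pairs the collective policy allows for the user's groups, and the resource then checks its own local policy (is this CAS trusted for the resource, and which operations may a CAS authorise at all) before checking the capability itself. The capability is a plain record here; in the real system it travels in a restricted proxy certificate and is signed, which this model omits. All DNs, resource names and policy tables are constructed.

```python
from dataclasses import dataclass

# Constructed sample identities and resource name.
STEVEN = "/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse"
IAN = "/C=US/O=Globus/CN=ian foster"
PUB = "gsiftp://data.lesc.example/pub"
CAS_NAME = "cas.lesc.example"

# ---- CAS side: user/group membership and collective policy (constructed) ----
GROUP_MEMBERS = {
    "lesc-users": {STEVEN},
    "globus-devs": {IAN},
}
COLLECTIVE_POLICY = {
    # group -> resource -> operations the community allows that group
    "lesc-users": {PUB: {"read", "lookup"}},
    "globus-devs": {PUB: {"read", "lookup", "write", "create"}},
}


@dataclass(frozen=True)
class Capability:
    """What the CAS reply carries (step 2): issuer, subject and granted rights."""
    issuer: str
    user: str
    rights: frozenset  # of (resource, operation) pairs


def cas_request(user, requested):
    """Steps 1-2: answer 'does the collective policy authorize this request for this user?'.

    Returns a Capability for the authorised subset of the requested pairs,
    or None when nothing requested is allowed.
    """
    granted = set()
    for group, members in GROUP_MEMBERS.items():
        if user not in members:
            continue
        for resource, op in requested:
            if op in COLLECTIVE_POLICY.get(group, {}).get(resource, set()):
                granted.add((resource, op))
    if not granted:
        return None
    return Capability(CAS_NAME, user, frozenset(granted))


# ---- Resource side: local policy information (constructed) ----
LOCAL_POLICY = {
    PUB: {
        # CAS servers whose capabilities this resource accepts at all
        "trusted_cas": {CAS_NAME},
        # operations the site is willing to let a CAS authorise
        "cas_ops": {"read", "lookup", "write"},
    },
}


def resource_request(authenticated_user, capability, resource, op):
    """Steps 3-4: 'is this request authorized for the CAS?' then 'by the capability?'.

    authenticated_user is the identity established by GSI on the connection;
    the capability must have been issued to that same user.
    """
    policy = LOCAL_POLICY.get(resource)
    if policy is None:
        return "deny: unknown resource"
    if capability is None or capability.issuer not in policy["trusted_cas"]:
        return "deny: CAS not authorised for this resource"
    if capability.user != authenticated_user:
        return "deny: capability not issued to this user"
    if op not in policy["cas_ops"]:
        return "deny: local policy does not delegate this operation to CAS"
    if (resource, op) not in capability.rights:
        return "deny: capability does not grant this operation"
    return "allow"


if __name__ == "__main__":
    cap = cas_request(STEVEN, [(PUB, "read"), (PUB, "write")])
    print(cap)
    print(resource_request(STEVEN, cap, PUB, "read"))
    print(resource_request(STEVEN, cap, PUB, "write"))
```

Two points the model makes visible: the CAS never hands out more than the collective policy allows (Steven's write request is silently dropped from the capability), and a capability the CAS is entitled to issue can still be refused by the resource's local policy (Ian's create right is granted by the community but the site does not delegate create to any CAS).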

7 CAS Testbed
Funded JISC Project (due to start Jan ‘03)
Evaluate and contribute to CAS
Investigators
– Steven Newhouse (LeSC)
– David Colling (IC-HEP)
– Rob Allan (GSC-DL)
– Stephen Pickles (MC)

8 Project Goals
Deploy and evaluate current CAS release
– CAS server at IC
– CAS enabled gatekeepers & GridFTP servers
CAS enabled web server
– Integrate CAS policy with web access control
CAS management portal
– Secure web-based interface to CAS
– Definition of CAS policy language

9 CAS enabled GridFTP
Provides community access to data retrieval
Specify access to files & directories
– read
– lookup
– write
– create
– chdir
Apply actions to a user or a group of users
Extend (& restrict) model to web server

10 CAS enabled Gatekeeper
Prototyped within US Fusion Collaboratory project
Introduction of ‘Policy Enforcement Points’
– Has the user permission to submit to this queue?
– Can they request 128 processors?
Focus on RSL restrictions during job initiation
Rights embedded in the user’s restricted proxy issued by CAS

11 CAS enabled Job Control
Once a job is running we might want to:
– Halt/restart the job
– Raise/lower job priority
Provide policy driven job control
– Supervisor/PI may have rights over user’s job
– Project/user may have higher priority
Define usage scenarios & requirements

12 Virtual Organisation Management Portal (VOM)
Tackle the VO Authorisation problem
Use role based authorisation model
Management of distributed ‘gridmap’ files
Web based for distributed management
Part of Centre’s OSCAR-G project
Use GSC’s X.509 certificates for identification
GSI enabled web services

13 VO Portal: Enrollment

14 VO Portal: Management
As VO Manager:
– Approve pending user requests
– Assign users to roles (and therefore resources)
As Resource Manager:
– Define mapping between VO user and local UNIX account
– Download and combine gridmap files from multiple VOM portals

15 GridMap Client
Resource Manager defines configuration file
– Identity for GSI operations
– VOM portals to retrieve data
– Local gridmap entries
Gridmap Client invoked from cron job
– Use GSI enabled web service to validate client identity
– Only if all lookups are successful, write out new gridmap file
– Only if the new file is non-zero length, replace existing gridmap file
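The gridmap format from slide 4 and the combine-and-replace rules of the GridMap Client above, as an added example (not the VOM portal's or Globus's code). It parses gridmap text into a DN to local-accounts mapping, merges the text retrieved from several VOM portals with the resource manager's local entries, refuses to produce any output if a single portal lookup failed, and installs the result only when it is non-empty, writing it atomically so a half-written file is never the live gridmap. The GSI retrieval itself is out of scope; the portal results are passed in as already-fetched text, with `None` standing for a failed lookup. All DNs and accounts are constructed sample data.

```python
import os
import shlex
import tempfile

# Constructed sample data: local entries plus what two VOM portals returned.
LOCAL_ENTRIES = (
    "# local entries maintained by the resource manager\n"
    '"/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse" sjn5\n'
)
PORTAL_A = (
    '"/C=US/O=Globus/CN=ian foster" ifoster\n'
    '"/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse" lesc\n'
)
PORTAL_B = '"/C=US/O=Globus/CN=ian foster" globus\n'


def parse_gridmap(text):
    """Parse lines of the form  "/C=.../CN=name" account[,account]  into {DN: [accounts]}.

    Blank lines and '#' comments are skipped; anything else that is not a
    quoted DN followed by exactly one account field is rejected outright,
    because a silently mis-parsed gridmap is an access-control failure.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # the quoted DN contains spaces
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError("malformed gridmap line %d: %r" % (lineno, raw))
        dn, accounts = parts
        known = mapping.setdefault(dn, [])
        for acct in accounts.split(","):
            if acct and acct not in known:
                known.append(acct)
    return mapping


def merge_gridmaps(portal_results, local_text):
    """Combine portal gridmaps with local entries.

    portal_results maps a portal name to its gridmap text, or None when the
    lookup failed. Returns the merged gridmap text, or None if any lookup
    failed, so a partial result never replaces the existing file.
    """
    if any(text is None for text in portal_results.values()):
        return None
    merged = parse_gridmap(local_text)
    for name in sorted(portal_results):
        for dn, accounts in parse_gridmap(portal_results[name]).items():
            known = merged.setdefault(dn, [])
            for acct in accounts:
                if acct not in known:
                    known.append(acct)
    return "".join('"%s" %s\n' % (dn, ",".join(accts))
                   for dn, accts in sorted(merged.items()))


def install_gridmap(new_text, path):
    """Replace `path` only when new_text is non-empty; returns True if replaced.

    The content goes to a temporary file in the same directory and is then
    renamed over the target, so readers see either the old or the new file.
    """
    if not new_text:
        return False
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".gridmap.")
    with os.fdopen(fd, "w") as fh:
        fh.write(new_text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return True


if __name__ == "__main__":
    merged = merge_gridmaps({"portal-a": PORTAL_A, "portal-b": PORTAL_B}, LOCAL_ENTRIES)
    print(merged)
    print(merge_gridmaps({"portal-a": PORTAL_A, "portal-b": None}, LOCAL_ENTRIES))
```

When both portals answer, Steven's DN ends up mapped to `sjn5,lesc` and Ian's to `ifoster,globus`; when either lookup fails the merge returns `None` and `install_gridmap` leaves the live file untouched.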

16 Accounting
Use a wrapper script around job execution:
– Extract DN from environment
– Log start & end events
– Attempt immediate update to database
– Need to map DN to VO, but a DN may be in several VO’s (!!!)
– If update fails, dump to local file for later action
Usage info can be browsed at a later date.
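The accounting wrapper described above, as an added example (not the project's own script). It wraps a job command, takes the user's DN from the environment, records start and end events, attempts an immediate database update (sqlite3 stands in for the site accounting database) and spools the record to a local file for later action when that update fails. Because a DN may belong to several VOs, each record carries every candidate VO and an `ambiguous` flag rather than guessing one. The environment variable name `GRID_USER_DN` is an assumption made for this example, and the DN-to-VO table is constructed sample data.

```python
import json
import os
import sqlite3
import subprocess
import sys
import tempfile
import time

# Constructed sample mapping; note that one DN belongs to two VOs.
DN_TO_VOS = {
    "/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse": ["lesc", "ukqcd"],
    "/C=US/O=Globus/CN=ian foster": ["globus"],
}

SCHEMA = ("CREATE TABLE IF NOT EXISTS usage ("
          "dn TEXT, vos TEXT, ambiguous INTEGER, event TEXT, job_id TEXT, time REAL)")

# A job that does nothing, used for stand-alone runs and tests.
NOOP_JOB = [sys.executable, "-c", "pass"]


def open_db(path=":memory:", create_schema=True):
    """Open the accounting database; create_schema=False simulates a broken DB."""
    conn = sqlite3.connect(path)
    if create_schema:
        conn.execute(SCHEMA)
    return conn


def job_env(dn):
    """Environment for a job run, with the user's DN in the assumed variable."""
    return dict(os.environ, GRID_USER_DN=dn)


def make_record(dn, event, job_id, timestamp=None):
    """Build one accounting event; 'ambiguous' is set unless exactly one VO matches."""
    vos = DN_TO_VOS.get(dn, [])
    return {"dn": dn, "vos": vos, "ambiguous": len(vos) != 1,
            "event": event, "job_id": job_id,
            "time": time.time() if timestamp is None else timestamp}


def post_record(conn, record):
    """Insert the record into the accounting database; False on any DB error."""
    try:
        conn.execute(
            "INSERT INTO usage (dn, vos, ambiguous, event, job_id, time) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (record["dn"], ",".join(record["vos"]), int(record["ambiguous"]),
             record["event"], record["job_id"], record["time"]))
        conn.commit()
        return True
    except sqlite3.Error:
        return False


def spool_record(record, spool_path):
    """Append the record as one JSON line to the local spool file."""
    with open(spool_path, "a") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def read_spool(spool_path):
    """Read back spooled records (what the later reconciliation job would consume)."""
    with open(spool_path) as fh:
        return [json.loads(line) for line in fh if line.strip()]


def record_event(conn, record, spool_path):
    """Database first, spool file on failure; returns where the record went."""
    if conn is not None and post_record(conn, record):
        return "db"
    spool_record(record, spool_path)
    return "spool"


def run_job(argv, env, conn, spool_path, job_id):
    """Run argv between a start and an end event; returns the job's exit code."""
    dn = env.get("GRID_USER_DN")  # assumed variable name for the user's DN
    if not dn:
        raise RuntimeError("no user DN in environment; refusing to run an unaccounted job")
    record_event(conn, make_record(dn, "start", job_id), spool_path)
    rc = subprocess.call(argv, env=env)
    record_event(conn, make_record(dn, "end", job_id), spool_path)
    return rc


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM usage").fetchone()[0]


def temp_spool():
    return tempfile.NamedTemporaryFile(prefix="usage.", suffix=".spool", delete=False).name


if __name__ == "__main__":
    db = open_db()
    spool = temp_spool()
    rc = run_job(NOOP_JOB, job_env("/C=US/O=Globus/CN=ian foster"), db, spool, "job-1")
    print("exit code", rc, "rows in db", count_rows(db), "spooled", len(read_spool(spool)))
```

The wrapper refuses to run a job with no DN at all, since an event that cannot be attributed to anyone is worse than a delayed one; an event whose DN maps to several VOs is still recorded, with the attribution decision left to the later browsing step.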

17 Summary
CAS project will provide UK/US engagement
– Deployment experience
– Feedback to Globus team
Look at policy specification for e-science resources
– Definition through VOM
– Implementation within CAS
Contribute experience to Grid building efforts
– UK Level 2 Grid
– Global Grid Forum