Grid Security Research. Olle Mulmo, PDC (Enabling Science)

Trust Mismatch: the cross-"certification" issue
Diagram: Domain A (Certification Authority, Policy Authority, Sub-Domain A1, Server X) and Domain B (Certification Authority, Policy Authority, Sub-Domain B1, Server Y). A task spanning both domains needs Server X and Server Y, but there is no cross-domain trust between the two authorities.

Grid Solution: Virtual Organizations
Diagram: a Virtual Organization Domain with a Federation Service provides a common mechanism that the Certification Authorities of Domain A and Sub-Domain B1 can each rely on, even though there is still no direct cross-domain trust.

VO management
- VOs today = 100s of users (DOE Science Grid, European Data Grid)
- Centrally kept, highly secure repository: databases, LDAP directories, additional software, ...
- Research groups today = 10s of users
- Administration = pain
- Current VO software is too heavy-weight: a mismatch

Different trust models for dynamic VOs
- Look at peer-to-peer models
- Sociological web-of-trust models
- "Simple secret" based security model
- Group creation based on invitation (one-time password)
- Common problem: traceability. Who invited whom?
- Can the models above be extended?
- Grid & P2P is a "hot topic"
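To make the invitation model and its traceability problem concrete, here is an added example (not code from the talk): a toy dynamic VO in which any member can mint a one-time invite secret, the secret can be redeemed exactly once before it expires, and the group records who invited whom so that every member can be traced back to the founder. The class name, the use of SHA-256 to store only a digest of the secret, and the member names in the usage are all assumptions made for the example.

```python
import hashlib
import secrets
import time


class InvitationVO:
    """Invitation-based dynamic VO (added example, not the talk's code).

    Any current member can mint a one-time invite secret. Redeeming it adds
    the invitee and records the inviter, so membership stays traceable.
    Only a digest of each outstanding secret is stored, never the secret.
    """

    def __init__(self, founder, invite_ttl=3600):
        self.invite_ttl = invite_ttl
        self.inviter_of = {founder: None}   # member -> inviter (founder has none)
        self.pending = {}                   # sha256(secret) -> (inviter, expiry)

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def invite(self, inviter, now=None):
        """Return a fresh one-time secret; only existing members may invite."""
        if inviter not in self.inviter_of:
            raise PermissionError(f"{inviter} is not a member")
        secret = secrets.token_urlsafe(16)
        now = time.time() if now is None else now
        self.pending[self._digest(secret)] = (inviter, now + self.invite_ttl)
        return secret

    def redeem(self, invitee, secret, now=None):
        """Consume the secret exactly once; reject expired, unknown or reused ones."""
        entry = self.pending.pop(self._digest(secret), None)  # pop => one-time
        if entry is None:
            return False
        inviter, expiry = entry
        now = time.time() if now is None else now
        if now > expiry or invitee in self.inviter_of:
            return False
        self.inviter_of[invitee] = inviter
        return True

    def chain(self, member):
        """Traceability: the invitation path from a member back to the founder."""
        if member not in self.inviter_of:
            return []
        path = [member]
        while self.inviter_of[path[-1]] is not None:
            path.append(self.inviter_of[path[-1]])
        return path


if __name__ == "__main__":
    vo = InvitationVO("alice", invite_ttl=60)          # constructed sample members
    token = vo.invite("alice", now=0)
    print(vo.redeem("bob", token, now=10), vo.redeem("mallory", token, now=11))
    print(vo.chain("bob"))
```

The one-time property comes from popping the digest before checking anything else: a replayed or expired secret is gone after the first attempt, and the inviter recorded at redemption time is what answers "who invited whom" later.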

Account management
- AAA: Accounting == accountability. Who did what, at what time?
- Accounting == billing. Who consumed what resources, for how long, at what price?
- Distributed quota problem: 6000 CPUh == 1*6000 CPUh or 6*1000 CPUh (Swegrid needs at least a short-term solution)
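The distributed quota problem on this slide can be illustrated with a lease-based ledger. The following is an added example, not the talk's or SweGrid's code: a VO-wide CPU-hour quota is split into leases handed to sites, each site charges its local usage against its own lease, and unused lease is handed back so another site can take it. The class and method names are assumptions made for the example.

```python
class VOQuotaLedger:
    """One VO-wide CPU-hour quota shared by several sites (added example).

    The VO hands each site a lease (a slice of the quota); the site charges
    local usage against its lease and returns what it does not use. 6000 CPUh
    can thus be consumed as 1 x 6000 at one site or 6 x 1000 across six sites,
    and no site can spend more than the VO committed to it.
    """

    def __init__(self, total_cpuh):
        self.total = total_cpuh
        self.leases = {}  # site -> [granted, used]

    def committed(self):
        """CPU hours already promised to sites, used or not."""
        return sum(granted for granted, _ in self.leases.values())

    def consumed(self):
        """CPU hours actually reported as used across all sites."""
        return sum(used for _, used in self.leases.values())

    def lease(self, site, cpuh):
        """Grant `cpuh` more to `site`; refused if it would oversubscribe the VO."""
        if cpuh <= 0 or self.committed() + cpuh > self.total:
            return False
        self.leases.setdefault(site, [0, 0])[0] += cpuh
        return True

    def charge(self, site, cpuh):
        """Site reports usage; refused if it would exceed the site's lease."""
        entry = self.leases.get(site)
        if entry is None or cpuh < 0 or entry[1] + cpuh > entry[0]:
            return False
        entry[1] += cpuh
        return True

    def release(self, site):
        """Site returns its unused slice for others to lease; returns that amount."""
        entry = self.leases.get(site)
        if entry is None:
            return 0
        unused = entry[0] - entry[1]
        entry[0] = entry[1]
        return unused


if __name__ == "__main__":
    ledger = VOQuotaLedger(6000)
    for site in ("a", "b", "c", "d", "e", "f"):   # constructed site names
        print(site, ledger.lease(site, 1000))
    print("seventh site:", ledger.lease("g", 1000))
    ledger.charge("a", 400)
    print("a releases", ledger.release("a"), "CPUh; g now gets", ledger.lease("g", 600))
```

The caveat this makes visible: a site that holds a lease it is not using blocks everyone else until it releases, so a short-term deployment needs lease expiry or periodic reclaim in addition to the accounting itself.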

Account management (cont.)
- Mapping each individual into a unique user account doesn't scale
- Need dynamics
- Existing quotas and scheduler limits must still apply
- Other initiatives to watch/interact with: Slashgrid (UK e-Science), Large-site AAA (GGF), EGEE proposal
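One dynamic alternative to a permanent account per person is a pool of local accounts assigned on demand with time-limited leases. The code below is an added example, not from the talk or any of the initiatives it lists: a DN keeps the same pool account while its lease is live (so usage remains attributable to one identity), and an account whose lease has expired is recycled for the next DN. The pool size stands in for the site's existing limits; the account names and DNs are constructed for the example.

```python
class PoolAccountMapper:
    """Map grid identities (DNs) onto a finite pool of local accounts
    with time-limited leases (added example).

    A DN keeps its account while the lease is live and the lease is renewed
    on use; expired leases free the account for another DN. Pool size stands
    in for the site's existing limits, which still apply.
    """

    def __init__(self, accounts, lease_seconds):
        self.free = list(accounts)
        self.lease_seconds = lease_seconds
        self.active = {}  # dn -> (account, expiry)

    def _expire(self, now):
        for dn, (acct, expiry) in list(self.active.items()):
            if now >= expiry:
                del self.active[dn]
                self.free.append(acct)

    def map(self, dn, now):
        """Return the local account for `dn`, or None if the pool is exhausted."""
        self._expire(now)
        if dn in self.active:
            acct, _ = self.active[dn]
            self.active[dn] = (acct, now + self.lease_seconds)  # renew on use
            return acct
        if not self.free:
            return None
        acct = self.free.pop(0)
        self.active[dn] = (acct, now + self.lease_seconds)
        return acct

    def owner(self, account, now):
        """Accountability: which DN currently holds this account?"""
        self._expire(now)
        for dn, (acct, _) in self.active.items():
            if acct == account:
                return dn
        return None


if __name__ == "__main__":
    pool = PoolAccountMapper(["grid001", "grid002"], lease_seconds=100)
    print(pool.map("/C=SE/O=Example/CN=Alice", 0))     # constructed DNs
    print(pool.map("/C=SE/O=Example/CN=Bob", 10))
    print(pool.map("/C=SE/O=Example/CN=Carol", 20))    # pool exhausted -> None
    print(pool.owner("grid002", 60))
```

Recycling an account is only safe for accountability if the expiry time is recorded alongside the usage records, since the same local account name will later belong to a different DN; a real deployment would also clean the account's files and kill leftover processes before reuse.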

Authorization Policy
- Tightly related to quota management: the "you have access" part of the "you have access to this piece of the pie" problem
- Same software, different authority
- Current implementations are based on group membership: either you're in, or you're out
- Support for expressiveness is missing: "access between 8am and 5pm", "only if CPU load is less than 50%"
- A large portion of a policy needs dynamic information from the runtime context
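The two example conditions on this slide can be expressed as predicates over a runtime context rather than as static group membership. The following is an added example, not the talk's code or any existing grid authorization framework: a policy maps an action to rules, each rule is a conjunction of predicates (group membership, a time window, a CPU-load ceiling), and evaluation is deny-by-default, including when the context lacks an attribute a predicate needs. The action and group names are assumptions made for the example.

```python
from datetime import datetime, time as clock_time


def member_of(group):
    return lambda ctx: group in ctx["groups"]


def between(start, end):
    """True only inside the local-time window [start, end)."""
    return lambda ctx: start <= ctx["now"].time() < end


def cpu_load_below(limit):
    return lambda ctx: ctx["cpu_load"] < limit


# Each action maps to a list of rules; a rule is a list of predicates that
# must all hold. Access is granted if any rule holds. Names are assumed.
POLICY = {
    "submit-job": [
        [member_of("vo:swegrid"),
         between(clock_time(8, 0), clock_time(17, 0)),
         cpu_load_below(0.5)],
        [member_of("vo:swegrid-admins")],
    ],
}


def authorize(action, ctx):
    """Deny by default. A predicate that cannot be evaluated because the
    context lacks an attribute counts as false, so an incomplete context
    (e.g. no load reading from the node) never grants access."""
    for rule in POLICY.get(action, []):
        try:
            if all(pred(ctx) for pred in rule):
                return True
        except (KeyError, AttributeError, TypeError):
            continue
    return False


def context(groups, hour, minute=0, cpu_load=None):
    """Build a sample runtime context (constructed for the example)."""
    ctx = {"groups": set(groups), "now": datetime(2003, 6, 2, hour, minute)}
    if cpu_load is not None:
        ctx["cpu_load"] = cpu_load
    return ctx


if __name__ == "__main__":
    print(authorize("submit-job", context(["vo:swegrid"], 10, 30, cpu_load=0.3)))
    print(authorize("submit-job", context(["vo:swegrid"], 18, 0, cpu_load=0.3)))
    print(authorize("submit-job", context(["vo:swegrid"], 10, 30)))  # no load reading
```

The point of catching the lookup error inside the rule loop, rather than letting it propagate, is that a missing context attribute fails only that rule; a different rule that does not depend on it (here, the admins rule) can still grant.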

Authorization Policy (cont.)
- Another Grid and OGSA "hot topic", but the emphasis there is on integration of old software
- Opportunity to ignore that and do real and relevant work
- Does not need to start from scratch: may reuse an existing framework

Proposed VR-IT research
- Authentication and distributed file system technologies: credential translation / mapping, privilege inflation, prototype implementation (AFS)
- Authorization, accounting and policy: develop dynamic trust models, develop scalable models for user account management, develop expressiveness of authorization policy