PPDG for CHEP031 Results of PPDG Site Requirements on AAA Project Dane Skow Robert Cowles PPDG SiteAAA Project CHEP03 March 25, 2003 PPDG Work Supported.

Presentation transcript:

Slide 1: Results of PPDG Site Requirements on AAA Project
Dane Skow, Robert Cowles, PPDG SiteAAA Project
CHEP03, March 25, 2003
PPDG work supported by the SciDAC Project of the US Dept. of Energy

Slide 2: Summary
- Site-AAA evaluated current GRID toolkits with respect to Resource Provider needs.
- Sites took on specific integration tasks as concrete tests of how well they could work with existing toolkits.
- The project advanced both site understanding of GRID infrastructure and developers' understanding of Resource Providers' needs.
- Significant follow-up work remains and should be included in the various Grid projects.

Slide 3: Tasks Evaluated

Slide 4: Community
- Large HEP Labs represented.
- Integration efforts included working with "friendly" University groups.
- GRID-scale integration tests just now beginning.
- Clash of world views yet to be resolved:
  - Site policies
  - Sponsor policies
  - Legal requirements

Slide 5: Operational Context
- Testbed efforts with kludged solutions.
- Some eye to operational needs, but mostly from reliability aspects; little analysis of efficiency measures.

Slide 6: From Development to Production
- The GRID is protocols, not implementations.
- Time to begin standardization.
- Integration work hampered by lack of documented standards for interfaces, protocols, libraries, etc.
- De facto touchstone is interoperability with the Globus Toolkit.

Slide 7: Reliability
- Most components still finding bugs in serious testing.
- CMS/D0 had many problems with GridFTP:
  - Default accept in GridFTPd non-root
  - Weak encryption tending for grid-proxy-init
- Need to focus effort (integrators, distributors and developers) to eliminate bugs at the appropriate point. When?
- We found proper bug reporting to be tedious.

Slide 8: Exception Handling
- Currently systems are operated assuming competence and goodwill (and that errors aren't costly).
- Need some level of validation effort at the appropriate time.
- The method for dealing with exceptions needs to be specified as part of a Grid definition:
  - Incident Handling
  - Accreditation
  - Service Level Agreements

Slide 9: Outstanding Issues
- Authentication for Long Running Jobs
  - Condor-G proposal looks promising (initial contender); relies on a Proxy Generation Service.
  - Standardize:
    - MyProxy (NCSA product)
    - KCA (NMI product and FNAL project)
    - VSC (Virtual Smart Card) (SLAC project)
- Authorization for Long Running Jobs
  - No agreement on whether or how this is done.
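The proxy-generation-service pattern the slide describes for long-running jobs, as an added example that is not part of the original slides and not Condor-G, MyProxy, KCA or VSC code: a Python model in which a job holds a short-lived proxy and refreshes it from a service that holds a longer-lived credential on the user's behalf. The class names, the 12-hour proxy lifetime, the 2-hour renewal threshold, the renewer-id authorization check and the subject DN are assumptions constructed for this illustration; the two properties it exercises (a derived proxy never outlives the stored credential, and revoking the stored credential ends renewal while already-issued proxies run out on their own) are the ones a site would want to verify in any such service.

```python
"""Model of proxy renewal for a long-running job (added example, not
Condor-G/MyProxy/KCA/VSC code). Class names, lifetimes and the
renewer-id check are assumptions chosen for this illustration."""
from dataclasses import dataclass

HOUR = 3600


@dataclass(frozen=True)
class Credential:
    subject: str
    not_after: int          # expiry in seconds on a constructed clock
    is_proxy: bool = False

    def remaining(self, now):
        return max(0, self.not_after - now)


class ProxyGenerationService:
    """Stores long-lived credentials and issues short-lived proxies from them.
    Stands in for the MyProxy / KCA / VSC services named on the slide."""

    def __init__(self, proxy_lifetime=12 * HOUR):
        self.proxy_lifetime = proxy_lifetime
        self._store = {}      # subject -> stored long-lived Credential
        self._renewers = {}   # subject -> ids of job managers allowed to renew

    def deposit(self, cred, renewers):
        self._store[cred.subject] = cred
        self._renewers[cred.subject] = set(renewers)

    def revoke(self, subject):
        # Removing the stored credential stops every future renewal at once;
        # proxies already issued run out on their own short lifetime.
        self._store.pop(subject, None)
        self._renewers.pop(subject, None)

    def issue_proxy(self, subject, renewer, now):
        cred = self._store.get(subject)
        if cred is None or renewer not in self._renewers.get(subject, set()):
            return None       # unknown subject or unauthorized renewer
        if cred.not_after <= now:
            return None       # the stored credential itself has expired
        # A derived proxy never outlives the credential it was derived from.
        return Credential(subject, min(now + self.proxy_lifetime, cred.not_after), True)


class LongRunningJob:
    """Keeps its proxy alive by asking the service for a fresh one before expiry."""

    def __init__(self, subject, renewer_id, service, renew_before=2 * HOUR):
        self.subject, self.renewer_id, self.service = subject, renewer_id, service
        self.renew_before = renew_before
        self.proxy = None

    def tick(self, now):
        """One scheduler pass; returns 'renewed', 'ok' or 'expired'."""
        if self.proxy is None or self.proxy.remaining(now) < self.renew_before:
            fresh = self.service.issue_proxy(self.subject, self.renewer_id, now)
            # Accept only a proxy that actually extends what the job holds.
            if fresh is not None and (self.proxy is None or fresh.not_after > self.proxy.not_after):
                self.proxy = fresh
                return "renewed"
        if self.proxy is None or self.proxy.remaining(now) == 0:
            return "expired"
        return "ok"


def simulate(job_hours, stored_hours, revoke_at_hour=None):
    """Run one job, ticking hourly, against a stored credential valid for
    stored_hours; optionally revoke it mid-run. Returns status transitions."""
    subject = "/C=XX/O=Example Lab/CN=Constructed User"   # constructed DN
    svc = ProxyGenerationService()
    svc.deposit(Credential(subject, stored_hours * HOUR), renewers={"job-manager-1"})
    job = LongRunningJob(subject, "job-manager-1", svc)
    events, last = [], None
    for hour in range(job_hours):
        if revoke_at_hour is not None and hour == revoke_at_hour:
            svc.revoke(subject)
        status = job.tick(hour * HOUR)
        if status != last:
            events.append((hour, status))
        last = status
    return events


if __name__ == "__main__":
    print(simulate(36, 30))                      # renewals at 0h, 11h, 22h; expired at 30h
    print(simulate(36, 30, revoke_at_hour=5))    # no renewal after 5h; expired at 12h
```

The second run shows the trade-off the slide leaves open for authorization of long-running jobs: after revocation the job keeps its existing proxy until that proxy's own lifetime runs out, so the proxy lifetime is the upper bound on how quickly a revocation takes effect at the resource.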

Slide 10: Federation of Identity
- Who needs to know which PKI identities correspond to the same individual?
  - Resources that need to map different identities to the same local account.
  - Virtual Organizations that need to map different identities to the same member and/or roles.
  - Relying parties that want to correlate actions and/or block access to an individual.
  - Accounting system for chargeback mechanisms?
- What are the privacy issues?
- Who holds the federation?
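The three consumers of a federation listed above (resource, VO, relying party), as an added example that is not from the PPDG project: a Python sketch that reads a Globus-style grid-mapfile (a quoted certificate DN followed by the local account), links DNs that share a local account or that a VO asserts belong to one member, and then uses the resulting table to correlate audit records and to enumerate every DN that must be denied to block one individual. The sample DNs, the VO link list, the audit-line format and all class and function names are constructed for this example.

```python
"""Federating several certificate DNs onto one person (added example, not
PPDG code). Only the grid-mapfile line shape is the Globus convention;
everything else here is constructed for the illustration."""
import re
import shlex
from collections import defaultdict

SAMPLE_GRIDMAP = '''\
# constructed grid-mapfile; a DN may list several accounts, the first is the default
"/DC=org/DC=example-ca/OU=People/CN=Alice Example 1234" aexample
"/C=XX/O=Example Lab/CN=Alice Example" aexample,grid01
"/DC=org/DC=example-ca/OU=People/CN=Bob Example 5678" bexample
'''

# Constructed VO assertion: Bob's lab certificate belongs to the same member.
VO_LINKS = [("/DC=org/DC=example-ca/OU=People/CN=Bob Example 5678",
             "/C=XX/O=Example Lab/CN=Bob Example")]

# Constructed audit records in a format assumed for this example.
SAMPLE_AUDIT = '''\
2003-03-25T10:04:11 subject="/DC=org/DC=example-ca/OU=People/CN=Alice Example 1234" action=job-submit
2003-03-25T10:09:40 subject="/C=XX/O=Example Lab/CN=Alice Example" action=gridftp-put
2003-03-25T11:15:02 subject="/C=XX/O=Example Lab/CN=Bob Example" action=job-submit
'''

AUDIT_RE = re.compile(r'^(?P<ts>\S+) subject="(?P<dn>[^"]+)" action=(?P<action>\S+)$')


class IdentityFederation:
    """Union-find over DNs: DNs in the same set are held to be one person."""

    def __init__(self):
        self._parent = {}

    def _find(self, dn):
        self._parent.setdefault(dn, dn)
        while self._parent[dn] != dn:
            self._parent[dn] = self._parent[self._parent[dn]]   # path halving
            dn = self._parent[dn]
        return dn

    def link(self, dn_a, dn_b):
        ra, rb = self._find(dn_a), self._find(dn_b)
        if ra != rb:
            self._parent[rb] = ra

    def identities_of(self, dn):
        root = self._find(dn)
        return frozenset(d for d in self._parent if self._find(d) == root)


def parse_gridmap(text):
    """Return {dn: default local account}; the DN is quoted because it has spaces."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[parts[0]] = parts[1].split(",")[0]
    return mapping


def build_federation(mapping, vo_links):
    """Resource view (shared local account) plus VO view (asserted links)."""
    fed = IdentityFederation()
    by_account = defaultdict(list)
    for dn, account in mapping.items():
        by_account[account].append(dn)
    for dns in by_account.values():
        for dn in dns[1:]:
            fed.link(dns[0], dn)
    for dn_a, dn_b in vo_links:
        fed.link(dn_a, dn_b)
    return fed


def actions_per_person(audit_text, fed):
    """Relying-party / accounting view: count actions per person, not per DN."""
    counts = defaultdict(int)
    for raw in audit_text.splitlines():
        m = AUDIT_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable audit line: {raw!r}")
        counts[tuple(sorted(fed.identities_of(m["dn"])))] += 1
    return dict(counts)


def dns_to_block(fed, dn):
    """Every DN a relying party must deny to block the individual behind `dn`."""
    return fed.identities_of(dn)


if __name__ == "__main__":
    fed = build_federation(parse_gridmap(SAMPLE_GRIDMAP), VO_LINKS)
    print(sorted(dns_to_block(fed, "/C=XX/O=Example Lab/CN=Bob Example")))
    print(actions_per_person(SAMPLE_AUDIT, fed))
```

The table built here is exactly the artefact the slide's last two questions are about: whoever holds it can correlate everything a person does across certificates, so where it lives and who may query it is a privacy decision, not just an operational one.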

Slide 11: Incident Response
- Real-time incident response expected through authorization control.
- Investigation, resolution, and feedback channels unclear.
- Who "owns" an investigation?

Slide 12: Migration to OGSA
- Web Services is a new framework with richer communications.
- Some current methods should be re-implemented in the new framework.
- Expect the same level of integration testing/feedback will be needed.

Slide 13: Services
- GRID Level Services provide:
  - Standards: GGF working hard to transform into an IETF for GRIDs.
  - Need to document specifications independent of a toolkit.
- National Level Services provide:
  - Clarification of identity and privacy requirements.
  - Integration with National ID systems (is this planned?)

Slide 14: Grid Instance Level Services
- Provide:
  - Standards: GGF standards allow for non-interoperable choices.
  - Minimum standards required for interoperability; de facto standard is the Globus Toolkit.
- Need:
  - Software components (applications, libraries, etc.)

Slide 15: VO Level Services
- Provides:
  - VO membership and roles management
  - Registration Service (for Resource Providers)
  - Resource Brokering
- Needs:
  - Standard method of asserting authorizations
  - Standard interfaces with Resource Providers
  - Registration
  - Standard Resource Descriptions (incl. Authorization requirements)

Slide 16: Resource Provider Services
- Provides:
  - Minimum standard policy requirements
  - Local Policy Enforcement
  - Point of Contact for Incident Response
- Needs:
  - Policy description schema
  - Local Policy Enforcement Callout
  - Points of contact for VOs and CAs
  - Authentication Method Description

Slide 17: GRID Resource Services
- Provide:
  - Fine-grained access control
  - Accounting information
  - Grid transaction support
- Need:
  - Attribute information
  - Authorization services

Slide 18: Transaction Services
- Provide:
  - Error handling
- Need:
  - Authorization Services

Slide 19: Expected Community Growth
- Growth of Current Communities
  - Current active PKI community is ~few 100s in HEP
  - Expect 10X demand within a year
- Interested Parties
  - LHC collaborations
  - Current Large Collaborations (BaBar, CDF, D0)
  - Current Distributed Collaborations (SDSS, LIGO, AUGER, ...)

Slide 20: Trust Relationships
- Timescale: Negotiations contain a good deal of detailed discussion, terminology checks, and verification. Start in pair-wise fashion and allow 6 months.
- Establishing Bona Fides: The peer review process has been very helpful in understanding community practices and consensus solutions.
- Maintenance: Agreements will tend to decay, and periodic checks against "as built" implementations are required.
- Method of establishing personal contacts.

Slide 21: eCommerce Parallels
- eCommerce relies on 2 key aspects:
  - Requestor provides an identity that can be billed charges appropriate to the request.
  - Credit card company insures resource providers against loss.
- What are possible losses in Grids?
  - Loss of Grid Resource consumables
  - Liability for misuse
  - Manpower for troubleshooting

Slide 22: Conclusions
- Requirements exercise useful earlier in development.
- Integration testing useful about now in development.
- Written Specifications and Standards needed.
- Most items needed for Production quality are also needed to hand off code to vendors.
- Problems largely due to (anticipated) success.

Slide 23: What needs to be done next?
- Authorization framework definitions: push Globus/EDG/PRIMA/FNAL collaboration.
- Interface definitions: Globus and GGF drive.
- Virtual Organizations remain virtual: EDG and BNL projects.
- Authentication refresh (long running jobs): push Condor-G/MyProxy collaboration.
- Incident handling: What forum? Who drives?
- Private Key management for the masses: KCA/VCS/MyProxy activities are interesting.
- Restricted execution environment.