EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

Presentation transcript:

EGEE Security Area 13 May 2004
– Stakeholders
– JRA3 middleware
– Architecture
– What we have for Unix and Java
– What we want/need
– Immediate decisions
– Policies (XACML) and VOMS
– Limitation and Revocation
– Future

Stakeholders
– LCG Security Group (chair D. Kelsey): emphasis on written policies, AUPs etc
– EGEE Site Security Group: details still being sorted
– EGEE JRA3: Northern Europe (NL, FI, SE)
– INFN/CERN: VOMS
– GridPP: GACL / GridSite

JRA3 Middleware
Core is provided by Northern Europe Cluster
– Helsinki Institute of Physics, Foundation for Fundamental Research of Matter in Utrecht, University of Amsterdam, University of Bergen, Royal Institute of Technology in Stockholm
Also forming agreement with INFN for
– continued support of VOMS service
– (VOMS admin interface to be supported by JRA3)
GridPP has undertaken to continue various pieces related to GridSite and GACL
– Currently, GACL and GACL-in-XACML
– Delegation (G-HTTPS becoming Delegation Service)

Architecture (incomplete)
[diagram: component boxes labelled Intrusion, Cred store, Proxy cert, AA service, delegation, VO policy, Audit, Site policy, Access control, Revocation, Trust anchors, process space "sudo"]
Diagrams from David Groep / Joni Hahkala / Olle Mulmo

What we have (Unix native)
[same diagram, with the implementations placed on the boxes: MyProxy, VOMS, LCAS, GACL, gSOAP, snort (*), GRAM + LCMAPS, G-HTTPS, httpg; (*) Almost there]

What we have (Java)
[same diagram, with the implementations placed on the boxes: MyProxy (client), CAS, EDG AuthZ (*), Axis, various, SAML (*), XACML (*), GT, EDG Java, GRAM; (*) Almost there]

What we want (incomplete)
[same diagram: Intrusion, Cred store, Proxy cert, VOMS service, delegation, VO policy, Audit, Site policy, Access control, Revocation, Trust anchors, Policy based authZ, ???, Provisioning]

Immediate decisions
Will start with Transport Layer Security
– i.e. SOAP over GSI HTTPS for web services
– that is, HTTPS with GSI proxy certificates
This is because XML Security is currently too slow
For C/C++ can use globus_gss_assist()
– (or GridSite library / mod_gridsite and gSOAP)
For Java use Axis with CoG
Will rapidly develop a WS delegation portType
– We will do this in C/C++ (based on grst-proxy.cgi)
– JRA3 will do this for Java (based on EDG java sec)

Policies
Need to combine multiple policy sources
Move towards XACML
– Subset of XACML relevant to us needs to be defined
– GridPP developing GACL XACML translator
– XACML Java tools are being tried out in NIKHEF
– Policy combination to be defined
Policy handling still needs a lot of thought
– at the conceptual, architectural and implementation levels
– Name space issues need to be solved
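The "combine multiple policy sources" problem on this slide can be made concrete with a small evaluator. The Go program below is an added example, not GridSite's GACL code nor the GridPP GACL/XACML translator: it parses two constructed GACL documents (a VO policy and a site policy, using the person/dn, voms/fqan, any-user, allow and deny elements as this example assumes GACL spells them), evaluates a caller's DN and VOMS FQANs against each, and combines the results with a deny-overrides rule chosen here (every source must allow a permission, and a deny from any source wins). The group-prefix FQAN matching is also the example's own choice, and all DNs and FQANs are constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"strings"
)

// Credentials a caller presents after GSI authentication: the certificate DN and
// the VOMS FQANs (VO, groups, roles) carried in the proxy's attribute certificate.
type Credentials struct {
	DN    string
	FQANs []string
}

// GACL subset modelled here: person/dn, voms/fqan and any-user credentials, plus
// allow/deny blocks of read/list/write/admin (vocabulary assumed from GridSite's GACL).
type gacl struct {
	Entries []gaclEntry `xml:"entry"`
}
type gaclEntry struct {
	Person  *dnCred   `xml:"person"`
	VOMS    *fqanCred `xml:"voms"`
	AnyUser *struct{} `xml:"any-user"`
	Allow   *perms    `xml:"allow"`
	Deny    *perms    `xml:"deny"`
}
type dnCred struct {
	DN string `xml:"dn"`
}
type fqanCred struct {
	FQAN string `xml:"fqan"`
}
type perms struct { // each permission is a presence-only element such as <read/>
	Read  *struct{} `xml:"read"`
	List  *struct{} `xml:"list"`
	Write *struct{} `xml:"write"`
	Admin *struct{} `xml:"admin"`
}

func (p *perms) names() (out []string) {
	if p == nil {
		return nil
	}
	for name, flag := range map[string]*struct{}{"read": p.Read, "list": p.List, "write": p.Write, "admin": p.Admin} {
		if flag != nil {
			out = append(out, name)
		}
	}
	return out
}

// fqanMatches: an FQAN matches itself; a group FQAN without a Role also matches
// credentials in that group or any subgroup (prefix rule chosen for this example).
func fqanMatches(policy, cred string) bool {
	if policy == cred {
		return true
	}
	if strings.Contains(policy, "Role=") {
		return false
	}
	group := cred
	if i := strings.Index(cred, "/Role="); i >= 0 {
		group = cred[:i]
	}
	return group == policy || strings.HasPrefix(group, policy+"/")
}

func (e gaclEntry) matches(c Credentials) bool {
	switch {
	case e.AnyUser != nil:
		return true
	case e.Person != nil:
		return e.Person.DN == c.DN
	case e.VOMS != nil:
		for _, f := range c.FQANs {
			if fqanMatches(e.VOMS.FQAN, f) {
				return true
			}
		}
	}
	return false
}

// evaluate collects the permissions one GACL document allows and denies to a caller.
func evaluate(doc string, c Credentials) (allow, deny map[string]bool, err error) {
	var p gacl
	if err = xml.Unmarshal([]byte(doc), &p); err != nil {
		return nil, nil, err
	}
	allow, deny = map[string]bool{}, map[string]bool{}
	for _, e := range p.Entries {
		if !e.matches(c) {
			continue
		}
		for _, n := range e.Allow.names() {
			allow[n] = true
		}
		for _, n := range e.Deny.names() {
			deny[n] = true
		}
	}
	return allow, deny, nil
}

// Decide combines several policy sources (VO policy, site policy, ...) with the
// rule chosen for this example: every source must allow, and any deny wins.
func Decide(policies []string, c Credentials) ([]string, error) {
	granted := map[string]bool{}
	for i, doc := range policies {
		allow, deny, err := evaluate(doc, c)
		if err != nil {
			return nil, fmt.Errorf("policy %d: %w", i, err)
		}
		if i == 0 {
			for n := range allow {
				granted[n] = true
			}
		}
		for n := range granted {
			if !allow[n] || deny[n] {
				delete(granted, n)
			}
		}
	}
	out := make([]string, 0, len(granted))
	for n := range granted {
		out = append(out, n)
	}
	sort.Strings(out)
	return out, nil
}

// Constructed policies: the VO decides who may write, the site only ever lets
// production-role members write and keeps admin for one named person.
const VOPolicy = `<gacl version="0.0.1">
  <entry><voms><fqan>/atlas</fqan></voms><allow><read/><list/></allow></entry>
  <entry><voms><fqan>/atlas/Role=production</fqan></voms><allow><write/><admin/></allow></entry>
  <entry><person><dn>/C=XX/O=Example/CN=Mallory</dn></person><deny><read/><list/><write/><admin/></deny></entry>
</gacl>`

const SitePolicy = `<gacl version="0.0.1">
  <entry><any-user/><allow><read/><list/></allow></entry>
  <entry><voms><fqan>/atlas/Role=production</fqan></voms><allow><write/></allow></entry>
  <entry><person><dn>/C=XX/O=Example/CN=Site Admin</dn></person><allow><admin/></allow></entry>
</gacl>`

func main() {
	alice := Credentials{DN: "/C=XX/O=Example/CN=Alice", FQANs: []string{"/atlas/Role=production"}}
	granted, err := Decide([]string{VOPolicy, SitePolicy}, alice)
	fmt.Println(granted, err) // [list read write] <nil>
}
```

Note that admin is never granted to Alice even though the VO policy allows it, because the site policy does not; a deny in either document removes a permission regardless of what the other grants. Swapping the combination rule (for example, letting the site policy alone decide write access) is a one-function change, which is the point of keeping combination separate from per-document evaluation.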

VOMS
Server maintained and developed by IT/CZ cluster
VOMS admin interface maintained by JRA3 for now
– LCG will continue development
– JRA3 involvement in development to be decided
Lightweight VOMS
– Operation centres required to host many VOs
Java client needed (portals?)
VOMS AC parsing needs to be added to Java library

Limitation / Revocation
Will carry on using MyProxy to extend ~12 hr GSI proxies for long-running jobs
Will add support for Online Certificate Status Protocol (OCSP) to check status of user/service certificates
– Stop distributing Certificate Revocation Lists (CRLs)
– OCSP service can allow revocation in ~minutes
(One possibility, which isn't included, is using OCSP to allow users to revoke their own GSI proxies too
– i.e. can kill a 12 hr proxy wherever it is on the Grid)
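As an added example (not GSI, MyProxy or any project's code), the Go program below uses only the standard library to mint a throwaway CA, a user certificate and a user-signed 12-hour proxy, runs the checks a service should apply before honouring such a chain (CA issuance, proxy signature by the user key, validity nesting, lifetime cap), and then contrasts the two revocation sources on this slide for the same revoked serial: a periodically published CRL, which cannot show a revocation made after its ThisUpdate, and a live OCSP-style status source. All names, serials, keys and times are constructed; the live source is a map standing in for a responder, since no OCSP client is involved.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxProxyLifetime is the site-side cap matching the ~12 hr GSI proxies on the slide.
const MaxProxyLifetime = 12 * time.Hour

var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}

// Chain is a constructed CA -> user -> proxy chain; every name, serial and key is throwaway.
type Chain struct {
	CA, User, Proxy *x509.Certificate
	CAKey           *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildChain mints the CA, a one-year user certificate and a proxy of the given lifetime
// signed by the user's own key (RFC 3820 style: subject = user subject + CN=proxy).
func BuildChain(now time.Time, proxyLifetime time.Duration) Chain {
	caKey, userKey, proxyKey := newKey(), newKey(), newKey()
	org := pkix.Name{Country: []string{"XX"}, Organization: []string{"Example Grid CA"}}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: org, SubjectKeyId: []byte{1, 2, 3, 4},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	userSubj := org
	userSubj.CommonName = "Example User"
	user := issue(&x509.Certificate{SerialNumber: big.NewInt(1001), Subject: userSubj, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour)}, ca, &userKey.PublicKey, caKey)
	proxySubj := org // two CN RDNs: the user's CN followed by the proxy's own CN
	proxySubj.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidCN, Value: "Example User"}, {Type: oidCN, Value: "proxy"}}
	proxy := issue(&x509.Certificate{SerialNumber: big.NewInt(7), Subject: proxySubj, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now, NotAfter: now.Add(proxyLifetime)}, user, &proxyKey.PublicKey, userKey)
	return Chain{CA: ca, User: user, Proxy: proxy, CAKey: caKey}
}

// VerifyProxyChain applies the checks a service should run before honouring a proxy.
func VerifyProxyChain(c Chain, now time.Time) error {
	if err := c.User.CheckSignatureFrom(c.CA); err != nil {
		return fmt.Errorf("user certificate not issued by the trusted CA: %w", err)
	}
	// The user certificate is not a CA, so CheckSignatureFrom would reject it as a
	// proxy issuer; verify the proxy signature against the user key directly.
	if err := c.User.CheckSignature(c.Proxy.SignatureAlgorithm, c.Proxy.RawTBSCertificate, c.Proxy.Signature); err != nil {
		return fmt.Errorf("proxy not signed by the user key: %w", err)
	}
	if !bytes.Equal(c.Proxy.RawIssuer, c.User.RawSubject) {
		return errors.New("proxy issuer does not match the user subject")
	}
	if c.Proxy.NotBefore.Before(c.User.NotBefore) || c.Proxy.NotAfter.After(c.User.NotAfter) {
		return errors.New("proxy validity extends beyond the user certificate")
	}
	if now.Before(c.Proxy.NotBefore) || now.After(c.Proxy.NotAfter) {
		return errors.New("proxy not valid at this time")
	}
	if c.Proxy.NotAfter.Sub(c.Proxy.NotBefore) > MaxProxyLifetime {
		return errors.New("proxy lifetime exceeds the site maximum")
	}
	return nil
}

// IssueCRL publishes a CA-signed CRL listing the given serials, valid until issued+validFor.
func IssueCRL(c Chain, issued time.Time, validFor time.Duration, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: issued, NextUpdate: issued.Add(validFor)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: s, RevocationTime: issued})
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, c.CA, c.CAKey))))
	if err := crl.CheckSignatureFrom(c.CA); err != nil {
		panic(err)
	}
	return crl
}

// CRLSource answers from a published CRL: revocations made after ThisUpdate stay
// invisible until the next list is issued, and a list past NextUpdate is refused.
type CRLSource struct{ List *x509.RevocationList }

func (s CRLSource) IsRevoked(serial *big.Int, now time.Time) (bool, error) {
	if now.After(s.List.NextUpdate) {
		return false, errors.New("CRL expired; refusing to decide on a stale list")
	}
	for _, r := range s.List.RevokedCertificateEntries {
		if r.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// LiveSource stands in for an OCSP responder backed by the CA's current database
// (a constructed map here), so a revocation is visible as soon as it is recorded.
type LiveSource struct{ Store map[string]time.Time }

func (s LiveSource) IsRevoked(serial *big.Int, now time.Time) (bool, error) {
	t, ok := s.Store[serial.String()]
	return ok && !t.After(now), nil
}

func main() {
	now := time.Date(2004, 5, 13, 12, 0, 0, 0, time.UTC)
	c := BuildChain(now, MaxProxyLifetime)
	fmt.Println("12 hr proxy accepted:", VerifyProxyChain(c, now) == nil)
}
```

The program needs Go 1.21 or later for x509.RevocationListEntry. The CRL case is the one the slide wants to retire: a user certificate revoked two hours after a daily CRL was published stays usable until the next list appears, whereas the live source reports it immediately, and a service that checks the CRL after its NextUpdate should refuse rather than silently trust stale data.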

Future
Iterate all this with Applications and Sites groups
Implementation of access policies at site/resource level to be more integrated
Move (almost) everything to Web Services protocols
Mutual authorization, not just authentication
– Resources certified by VOs?
– Machine-readable operational policy statements, signed AUPs for users and services