EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Argus gLite Authorization Service Status.

Slides:



Advertisements
Similar presentations
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.
INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks PPS All sites Meeting: Introduction & Agenda.
Enabling Grids for E-sciencE EGEE-III INFSO-RI Using DIANE for astrophysics applications Ladislav Hluchy, Viet Tran Institute of Informatics Slovak.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks JRA1 summary Claudio Grandi EGEE-II JRA1.
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Angela Poschlad (PPS-FZK), Antonio Retico.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Next steps with EGEE EGEE training community.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Multi-level monitoring - an overview James.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Service Availability Monitoring – Status.
Glexec, SCAS & CREAM. Milestones CREAM-CE capable of large-scale direct job submission Glexec & SCAS capable of large-scale use on WN in logging only.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview.
Conference name Company name INFSOM-RI Speaker name The ETICS Job management architecture EGEE ‘08 Istanbul, September 25 th 2008 Valerio Venturi.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep et al. NIKHEF.
INFSO-RI Enabling Grids for E-sciencE G-PBox Auth meeting 13/9/2005 Presenter: Vincenzo Ciaschini.
EGEE-III INFSO-RI Enabling Grids for E-sciencE Antonio Retico CERN, Geneva 19 Jan 2009 PPS in EGEEIII: Some Points.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Using GStat 2.0 for Information Validation.
EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
EMI INFSO-RI Argus The EMI Authorization Service Valery Tschopp (SWITCH) Argus Product Team.
1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Communication tools between Grid Virtual.
EGEE-III INFSO-RI Enabling Grids for E-sciencE SA3 All Hands Meeting 'Cluster of Competence' Experience SA3 INFN Cyprus May 7th-8th.
INFSO-RI Enabling Grids for E-sciencE Policy management and fair share in gLite Andrea Guarise HPDC 2006 Paris June 19th, 2006.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML interoperability Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The LCG interface Stefano BAGNASCO INFN Torino.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Regional Nagios Emir Imamagic /SRCE EGEE’09,
EMI Inter-component and Large Scale Testing Infrastructure Danilo Dongiovanni INFN-CNAF.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MSA3.4.1 “The process document” Oliver Keeble.
INFSO-RI Enabling Grids for E-sciencE gLite Test and Certification Effort Nick Thackray CERN.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Sep 17, 20081/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Sep 17, 2008 Gabriele Garzoglio.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks EGEE Operations: Evolution of the Role of.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
EMI INFSO-RI Testbed for project continuous Integration Danilo Dongiovanni (INFN-CNAF) -SA2.6 Task Leader Jozef Cernak(UPJŠ, Kosice, Slovakia)
EGEE-III INFSO-RI Enabling Grids for E-sciencE VO Authorization in EGEE Erwin Laure EGEE Technical Director Joint EGEE and OSG Workshop.
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid is a Bazaar of Resource Providers and.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Job Management Claudio Grandi.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The Dashboard for Operations Cyril L’Orphelin.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Status of ARGUS support Peter Solagna – EGI.eu.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks CYFRONET site report Marcin Radecki CYFRONET.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Authorization Service Christoph Witzig, SWITCH.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The new gLite Authorization Service Alberto.
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks CREAM: current status and next steps EGEE-JRA1.
Security Area Christoph Witzig (SWITCH) on behalf of John White (HIP)
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Workplan.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus: command line usage and banning Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Nagios Grid Monitor E. Imamagic, SRCE OAT.
UNICORE and Argus integration Krzysztof Benedyczak ICM / UNICORE Security PT.
Argus EMI Authorization Integration
Trygve Aspelien and Yuri Demchenko
gLite Security Overview
Global Banning List and Authorization Service
Argus Authorization Service Security Training
Argus: General Introduction
Argus The EMI Authorization Service
Presentation transcript:

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Status Update GDB October 14, 2009 Christoph Witzig, SWITCH

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Outline Introduction Short Motivation and Description for the New Service Deployment Proposal Current Status Appendix: –A: More detailed motivation –B: Feature list of the service

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Introduction Argus: gLite authorization service Institutions involved: –CNAF –HIP –NIKHEF –SWITCH Plan: –1st year EGEE-III: Software design and development –2nd year EGEE-III: certification, initial deployment (PPS, production) Note abbreviation: authZ = authorization

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB A New Service - Why? Support for authorizing multi-user pilot jobs Simple operation through CLI Contains simple debugging tool for authorization decisions Supports global banning lists –Only if configured at the site (site autonomy!) –OSCT wants to offer this service to the sites Monitoring of the service through Nagios plug-ins Roadmap for integrating other gLite Services exist –Prospect of having one centralized authorization service for all services at a given site  WN, (one or several) CE, (one or several) SE  WMS See appendix A and B for further information and feature list

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Initial Deployment at a Site (1/3) PDPd PAP PDP EES PAP = Policy admin. point PDP = Policy decision point PEP = Policy enforcement point EES = Execution env. srv

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Initial Deployment at a Site (2/3) PDPd PAP PDP EES PAP = Policy admin. point PDP = Policy decision point PEP = Policy enforcement point EES = Execution env. srv

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Initial Deployment at a Site (3/3) PDPd PAP PDP EES PAP = Policy admin. point PDP = Policy decision point PEP = Policy enforcement point EES = Execution env. srv

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Proposed Deployment Plan Deployment during EGEE-III Adoption during EGEE-III

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB CLI Operation All operational commands from command line –(Un-)banning a user:  pap-admin ban subject  Pap-admin un-ban subject –(Un-)banning an FQAN  pap-admin ban fqan /switch/test  pap-admin un-ban fqan /switch/test –Debugging authorization decisions:  pepcli -p -c /tmp/x509up_u964 -r res_nok -a my_action Decision: Deny  pepcli -p -s -f /switch -f /switch/test -r test -a test Decision: Permit Username=testb002 UID=5101 GID=5100 Secondary GIDs=5300

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Deployment Options Initial deployment:  All components on one single host using YUM and configured with YAIM Flexibility of the service allows different deployment models Options: –Alternate deployment options are initially supported by authZ development team on a case-by-case basis –Duplicate installations of individual components –Next release: Multiple installation of the service across several hosts  No need for a shared file system

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Load and Aging Tests Load and aging tests were done before submitting to certification Load tests: –Service Host: 1x 2.33GHz CPU, 1gig ram –client recreated - simulates what glexec would do  ~60 req/sec, ~160ms –client reused - simulates what CREAM/WMS would do  ~240 req/sec, ~120ms –client reused, repeat request - simulates pilot jobs  ~1000 req/sec, ~37.6ms Aging tests: –Test operation over several days with several mio requests –Memory usage: stable Further tests by SA3 - see their report

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Long Term Support Argus was always considered as the long term solution for authorization in gLite Support from multiple institutions –CNAF, HIP, NIKHEF, SWITCH –Organized as a “product team” Will be part of EMI proposal –Interest from ARC and UNICORE Uses proven third party software –OpenSAML, JBossCache, Jetty –Adapted concepts proven by Shibboleth (~20-30 mio users worldwide)

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Current Status Complete documentation: Argus service: currently in certification gLexec with LCMAPS Argus plug-in: submitted to certification gridFTP integration: developed and tested CREAM: –Phase 1: re-factoring authorization mechanism: done  Reduction in number of authorization steps in CREAM –Phase 2: integration of Argus: Q4 –Planned release: January 2010 Data management: –Initial talks with DPM, dCache and StoRM  Will interface to Argus once deployment guaranteed

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Next Steps (as Argus team sees it) Finish certification of Argus  Incl. LCMAPS plug-in for Argus (for gLExec on WN)  --> Ready for initial deployment Now looking for sites that are willing to –Deploy Argus for gLExec on WN use-case –Use OSCT global banning lists  6 sites expressed interest –Argus now needs first exposure to initial deployments !!! Any volunteers? Support: –Mailing list: –GGUS at later stage

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Further Information Wiki: About the service: –authZ service design document: –Deployment plan: –Testing plan: General EGEE grid security: –Authorization study: –gLite security: architecture: EGEE09 presentations:  

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Outline Appendix A: More detailed motivation

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Motivation Which Problems Are We Trying to Solve? Different Services use different authorization mechanisms Some services even use internally more than one authorization framework Site administrators do not have simple debugging tools to check and understand their authorization configuration Site administrators must configure the authorization for each service at their site separately –Consequence 1: At a site, there is no single point to ban users/groups of users for the entire site –Consequence 2: many site administrators don’t know how to ban users –There should be a command line tool for banning and un- banning users at a site

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Motivation Which Problems Are We Trying to Solve? There is no central grid-wide banning list to be used during incidents –Consequence: Urgent ban cannot be taken for granted during incidents Sites cannot publish their complete authorization policy to the outside world –Currently only assignment of FQANS (experience of DENY tags) –Note: Fixing this problem does not mean that sites MUST publish their authorization policy No monitoring on authorization decisions

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Motivation Benefits of the Authorization Service (1/2) Main benefit within EGEE-III: –Addressing the above list of short-comings In addition: –Resistance to failure and simple means for scaling the service  Flexible deployment model  No dependency on a shared file system  High availability option –Client component is very lightweight  Small amount of code  Few dependencies (especially on WN)  Portability: support on other OS and languages easy

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Motivation Benefits of the Authorization Service (2/2) In addition (cont.): Enables/eases various authorization tasks: –Banning of users (VO, WMS, site, or grid wide) –Composition of policies – CERN policy + experiment policy + CE policy + OCST policy + NGI policy=> Effective policy –Support for authorization based on more detailed information about the job, action, and execution environment –Support for authorization based on attributes other than FQAN –Support for multiple credential formats (not just X.509) –Support for multiple types of execution environments –Virtual machines, workspaces, … –Nagios plug-ins provided for monitoring of service

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Outline Appendix B: Feature list of the service

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Feature List 1.Policy examples 2.Architectural features 3.Implementation features 4.Deployment features 5.Operational features (for a site admin) Note: Prio1 = within EGEE-III Prio2 = beyond EGEE-III Label: +, -, o for advantage, skeptic, neutral Some of it are features by design, others features that are aimed at

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Policy Examples: Banning (1/3) Banning users for a site (prio 1) –+ easy banning of users for a CE site administrator –+ banning groups of users, entire VOs, CAs, …. –o single banning point for a site (site-wide banning)  + possible  - needs integration into DM Grid-wide banning (prio 1) –+ OSCT maintains a grid-wide ban list –o sites must trust external policy VO-banning of users (prio 2) –+ VOs can ban the user without deregistering him Regional banning (prio 2) –+ regions/federations/nations can enforce banning rules

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Policy Examples: VO policies (2/3) VO policies (prio2) –- sites may oppose remote policies that they don’t understand –+ VO have a consistent means to communicate their policies to sites authZ users to run certain applications (prio2) –+ VOMS groups/roles are very limiting and don’t consider different types of applications (only admin role) –+ who is allowed to submit pilot/payload jobs + easy integration into VO specific services (prio2) –o VO schedulers? o Decoupling FQAN-shares (prio2) –Less important now (pilot jobs) –Deferred topic - how relevant is it really today?

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Policy Examples: DM (3/3) + use case of banning –- implementation TBD –- performance TBD –- different SE implementations (DPM, dCache, CASTOR,…) o quota –Open issue

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Policy Examples: Other (4/4) + Better sharing of resources (prio2) –E.g.access based on time + Better separation of responsibilities across Grid stakeholders (prio2) –+ combining different policies from the different stakeholders –+ adding new policies in a scalable way + Support for complex sites –Ex: CERN site policy vs site specific VO policy vs running 20+ CEs

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Architectural Features + Exposes policy of a site to the outside –+ Pre-requisite for a consistent authorization infrastructure across services –+ other services/users don’t have to second guess whether the job will be accepted –+ site has possibility for private policies –+ option of publishing policy or remote PDP invocation + High availability –+ extremely robust –+ every service component has HA –+ no single point of failure –+ no shared file system needed

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Implementation Features + Thin PEP client –+ no dependencies on WN ! –+ adding other language bindings is easy –+ easy to integrate into other services + Standard compliant –+ use of a powerful authZ language (XACML) (+extendable) –+ SAML2-XACML2 profile –+ support for SAML assertions built-in from the beginning  + credentials beyond PKI, VOMS SAML asssertions o Complexities of XACML hidden  + CLI tools + Good performance  o hard to get real requirements  + aim for several hundred invocations per second + Several institutions are involved –+ long-term support

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Deployment Features + Flexible deployment models –Service can be deployed in various modes –Default deployment model assumes installation of all components on one single host (supported by YAIM) + Gradual introduction into production infrastructure –+ no big bang –+ more services can use authZ service depending on their development cycle –+ no requirement that all sites make switch to use authZ simultaneously

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB Operational Features (for site admin) + easy to use (command line interface) + consistent logging, support for incident handling  As defined in security command line tools + easy and simple monitoring interface  Easy to find out whether all service components work and what it does (Nagios plug-ins will be delivered as part of the service)  Command line interface + easy to troubleshoot + nagios plug-ins provided for service monitoring

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB EES + Consistent handling authZ - scheduling within a CE + Consistent way to add new execution environments + Support for new execution environments –Virtual machines –Workspaces Is a BIG job –Hasn’t really been started yet

Enabling Grids for E-sciencE EGEE-II INFSO-RI GDB rd Party Code Used OpenSAML / OpenWS: –Source: Shibboleth development team –User base: Shibboleth project (~20-30mio users), Danish e-gov, OpenLiberty, ClaritySecurity (National Ass. Of Realtors) Jetty: –Source: Mortbay –User base: one of the three major open source servlet containers JBossCache: (in-memory replication) –Source: JBoss / Red Hat –User base: JBoss, Shibboleth 1.3