Authentication and Authorization Architecture for AstroGrid and the VO Guy Rixon Tony Linde Elizabeth Auden Nic Walton TIVO, June 2002.


Why have access control?
- The high-value features drawn from the use cases all require identity, authentication and authorization.

Desirable features
- Transparent to end-users: single sign-on.
- Globally-unique identities.
- Secure against misuse.
- Resource providers (data-centres) retain control of their assets.
- Users retain control of their private data.
- Encourage collaboration via sharing of access rights.
- Allow one service to call another (transparent composition of jobs).
…sounds like the Grid model!

X.509 for identification
- Distinguished names (from the Grid) for users, e.g.: /C=UK/O=es-grid/OU=ast.cam.ac.uk/CN=Guy Rixon
- Also works for software agents.
- X.509 certificates encode the DNs for machine use.
- Certificates issued, digitally signed and managed by Grid organizations.
- Certificates include authentication tokens, so passwords are needed less often.
- Can use one certificate to make another: “proxies”.

GSI for authentication
- Grid Security Infrastructure (Globus project) is a scheme for authenticating with X.509 certificates.
- Based on public-key cryptography.
- Authentication without passwords!
- Allows services to call other services on the user’s behalf.
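The proxy mechanism of the two slides above rests on a naming rule: a proxy certificate's subject is its signer's subject with one extra CN component appended, so a service receiving a delegated call can walk the chain back to the user's own DN. The following is an added example, not Globus or AstroGrid code; it checks only that naming rule (signature verification belongs to the TLS/GSI library), and the proxy DNs are constructed from the DN quoted on the slide.

```python
# Added example, not Globus or AstroGrid code: checks the subject-naming rule
# of GSI proxy chains. Signature verification is the job of the TLS/GSI
# library; this only ties a delegated proxy back to the real user DN.
from typing import List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL-style slash DN into (attribute, value) pairs.

    Values containing '/' are not handled; a real deployment would read the
    certificate's Name object rather than the string form.
    """
    if not dn.startswith("/"):
        raise ValueError(f"DN must start with '/': {dn!r}")
    pairs = []
    for rdn in dn[1:].split("/"):
        attr, sep, value = rdn.partition("=")
        if not (sep and attr and value):
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr, value))
    return pairs

def is_proxy_of(proxy_dn: str, signer_dn: str) -> bool:
    """A proxy's subject is its signer's subject plus exactly one trailing CN."""
    proxy, signer = parse_dn(proxy_dn), parse_dn(signer_dn)
    return (len(proxy) == len(signer) + 1
            and proxy[:-1] == signer
            and proxy[-1][0] == "CN")

def end_entity_dn(chain: List[str]) -> str:
    """Given subject DNs from the leaf proxy up to the user certificate, verify
    that each link is a proxy of the next and return the user's own DN."""
    if not chain:
        raise ValueError("empty chain")
    for child, parent in zip(chain, chain[1:]):
        if not is_proxy_of(child, parent):
            raise ValueError(f"{child!r} is not a proxy of {parent!r}")
    return chain[-1]

USER = "/C=UK/O=es-grid/OU=ast.cam.ac.uk/CN=Guy Rixon"  # DN quoted on the slide
PROXY = USER + "/CN=proxy"      # constructed: proxy made from the user certificate
PROXY2 = PROXY + "/CN=proxy"    # constructed: the proxy delegates once more

if __name__ == "__main__":
    # A service called on the user's behalf recovers the identity to authorize.
    print(end_entity_dn([PROXY2, PROXY, USER]))
```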

Community-based authorization
- Managing access rights is a big job: ~10^3 users, ~10^7 resources, ~10 kinds of permission.
- Don’t want to load up data centres with user-management.
- Want data-centres to carry on managing data.
- (Almost) all access rights come from position in community…
- …so manage the users and their relationships as communities, centrally: avoid duplicate work…
- …but data-centres still set permissions on data-sets.
- Possible community: “Astronomers funded by PPARC” – access rights tend to follow funding arrangements.
- Based on Community Access Server from Globus.

Partitioning the community
- Community is sub-divided into groups of users and groups of resources.
- Resource providers define resource-groups and grant access on resource-groups to appropriate user-groups.
- Individual members hold rights on private data.
- Users can create sub-groups for collaborations.
- Access rights can be shared between collaborators.
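The two slides above describe a policy model rather than a protocol: user groups and resource groups held centrally, grants from resource providers on resource groups, private data owned by members and shareable with collaboration sub-groups. The following is an added example, not AstroGrid's or Globus CAS's code, that implements that model as a small decision function; all user, group and resource names are constructed.

```python
# Added example, not AstroGrid's own code: a model of community-based
# authorization with constructed sample names.
from collections import defaultdict
from typing import Dict, Set, Tuple

class Community:
    def __init__(self) -> None:
        self.user_groups: Dict[str, Set[str]] = defaultdict(set)      # group -> users
        self.resource_groups: Dict[str, Set[str]] = defaultdict(set)  # group -> resources
        self.grants: Set[Tuple[str, str, str]] = set()  # (user_group, resource_group, perm)
        self.owner: Dict[str, str] = {}                  # private resource -> owning user
        self.shared: Set[Tuple[str, str, str]] = set()  # (resource, user_group, perm)

    # Managed centrally by the community, not by each data centre.
    def add_user(self, group: str, user: str) -> None:
        self.user_groups[group].add(user)

    def create_subgroup(self, parent: str, sub: str, members: Set[str]) -> None:
        """A collaboration may only draw its members from the parent group."""
        outsiders = members - self.user_groups[parent]
        if outsiders:
            raise ValueError(f"not in {parent}: {sorted(outsiders)}")
        self.user_groups[sub] = set(members)

    # Resource providers: group their data-sets and set permissions on the groups.
    def add_resource(self, group: str, resource: str) -> None:
        self.resource_groups[group].add(resource)

    def grant(self, user_group: str, resource_group: str, perm: str) -> None:
        self.grants.add((user_group, resource_group, perm))

    # Individual members: private data, shareable with collaborators.
    def register_private(self, owner: str, resource: str) -> None:
        self.owner[resource] = owner

    def share(self, owner: str, resource: str, user_group: str, perm: str) -> None:
        if self.owner.get(resource) != owner:
            raise PermissionError(f"{owner} does not own {resource}")
        self.shared.add((resource, user_group, perm))

    def authorize(self, user: str, resource: str, perm: str) -> bool:
        """Owner is always allowed; otherwise a share or a group grant must match."""
        if self.owner.get(resource) == user:
            return True
        ugroups = {g for g, m in self.user_groups.items() if user in m}
        if any((resource, g, perm) in self.shared for g in ugroups):
            return True
        rgroups = {rg for rg, rs in self.resource_groups.items() if resource in rs}
        return any((ug, rg, perm) in self.grants for ug in ugroups for rg in rgroups)
```

Note that data centres never see individual users here: they only name resource groups and grant on them, which is the division of labour the slides ask for.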

Using access rights with CAS

Pragmatic approach
- Don’t add restrictions where they’re not needed.
- Don’t add security where there are no restrictions.
- Pairs of services:
  - Simple services: anonymous, no security.
  - Full-function services: identified access.
- System can tell from context which kind of service to call.