Summary of AAAA Information
David Kelsey, Infrastructure Policy Group, Singapore, 15 Sep 2008
AAAA Documents submitted
- DEISA: "DEISA AAA Policies"
- OSG: "OSG AAAA" and many linked policies
- TeraGrid: "TeraGrid Certificate Management and Authorization Policy" (TG5), "Policy Framework" (TG1) and "Core Services" (wiki)
- EGEE: "EGEE Security Policies" (summary document with all policies in the appendix)
- NAREGI
  - Not yet in production
  - New task force to discuss technical/operational issues
  - No documents to share yet
(15 Sep 08, IPG AAAA summary, Kelsey, slide 2)
Authentication
In common
- All use X.509 PKI
- All except TeraGrid rely on IGTF to define the trusted CAs
Differences
- TeraGrid defines its own list of CAs (some are IGTF accredited)
- TeraGrid policy document states general responsibilities
  - Similar to the EGEE top-level security policy document
  - User must accept the TeraGrid User Responsibility form prior to certificate issue
- TeraGrid PI requests host/service certificates for external resources
- DEISA has policies which partners have to obey (in addition to local policy)
- OSG and EGEE (will) have different policies for CA removal
- TeraGrid has many detailed requirements for CAs
  - Important input for IGTF (not always compliant with IGTF profiles)
  - E.g. a CRL must be issued every 24 hours
- OSG and EGEE have defined high-level requirements on IGTF
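The TeraGrid requirement quoted above (a CRL issued every 24 hours) is the kind of CA requirement a relying site can monitor itself rather than take on trust. The following is an added example, not code from the presentation or from any of the Grids it compares: it reads the text that `openssl crl -noout -lastupdate -nextupdate` prints for each CRL a site has fetched over time, and reports both issuance intervals longer than the required one and periods in which the previously fetched CRL had already expired before a fresh one appeared. The sample CRL timestamps are constructed for illustration, and the one-hour tolerance for publication and fetch delay is an assumption, not something either policy states.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: what `openssl crl -noout -lastupdate -nextupdate` prints for
# four CRLs fetched from one hypothetical CA over a few days. Not captured data.
SAMPLE_CRL_DUMPS = """\
lastUpdate=Sep 13 00:00:00 2008 GMT
nextUpdate=Sep 20 00:00:00 2008 GMT
lastUpdate=Sep 14 00:00:00 2008 GMT
nextUpdate=Sep 21 00:00:00 2008 GMT
lastUpdate=Sep 15 00:00:00 2008 GMT
nextUpdate=Sep 16 00:00:00 2008 GMT
lastUpdate=Sep 16 12:00:00 2008 GMT
nextUpdate=Sep 23 12:00:00 2008 GMT
"""

# openssl's default time rendering; the day of month is space-padded below 10.
_LINE_RE = re.compile(
    r"^(lastUpdate|nextUpdate)=(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\d{4}) GMT$"
)


def parse_openssl_time(line):
    """Parse one 'lastUpdate=...' / 'nextUpdate=...' line into (field, aware UTC datetime)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unexpected openssl crl output: {line!r}")
    field, mon, day, hms, year = m.groups()
    ts = datetime.strptime(f"{mon} {int(day):02d} {hms} {year}", "%b %d %H:%M:%S %Y")
    return field, ts.replace(tzinfo=timezone.utc)


def parse_crl_dumps(text):
    """Return [(lastUpdate, nextUpdate), ...] for each dumped CRL, sorted by issuance time."""
    pairs, pending = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        field, ts = parse_openssl_time(line)
        if field == "lastUpdate":
            pending = ts
        else:
            if pending is None:
                raise ValueError("nextUpdate without a preceding lastUpdate")
            pairs.append((pending, ts))
            pending = None
    return sorted(pairs)


def check_crl_cadence(pairs, max_interval=timedelta(hours=24), grace=timedelta(hours=1)):
    """Compare successive CRLs against an issuance-interval requirement.

    Returns a list of findings (kind, index_of_earlier_crl, duration):
      'interval_exceeded': CRL i+1 was issued more than max_interval + grace after CRL i
      'coverage_gap':      CRL i expired (nextUpdate) before CRL i+1 was issued, so for
                           `duration` relying parties had no valid CRL at all
    max_interval defaults to the 24-hour figure quoted on the slide; `grace` is an
    assumed tolerance for publication/fetch delay, not anything the policy states.
    """
    findings = []
    for i in range(len(pairs) - 1):
        this_last, this_next = pairs[i]
        following_last = pairs[i + 1][0]
        gap = following_last - this_last
        if gap > max_interval + grace:
            findings.append(("interval_exceeded", i, gap))
        if following_last > this_next:
            findings.append(("coverage_gap", i, following_last - this_next))
    return findings


def is_compliant(text, **kwargs):
    """True when a sequence of openssl CRL dumps shows no cadence or coverage violations."""
    return not check_crl_cadence(parse_crl_dumps(text), **kwargs)


if __name__ == "__main__":
    for kind, i, dur in check_crl_cadence(parse_crl_dumps(SAMPLE_CRL_DUMPS)):
        print(f"{kind}: CRL #{i} -> #{i + 1}, {dur}")
```

In the constructed sample the fourth CRL arrives 36 hours after the third, which breaks the 24-hour requirement, and because the third CRL was only valid for 24 hours there is also a 12-hour window with no valid CRL at all. The second finding is the one that matters most to a relying site: a CA that publishes daily but with short validity leaves no margin, whereas the longer nextUpdate windows on the other CRLs mean a late publication is a policy breach but not an outage.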
Authorisation
In common
- EGEE/OSG use VOMS and have similar approaches
  - Also working on VO registration and VO membership management policies
- DEISA/TeraGrid have similar approaches
  - AuthZ relies on X.509 authentication and mapping into local databases
  - DEISA has additional user attributes in its LDAP database
Differences (particularly in the security model)
- EGEE/OSG delegate user registration to the VO
- DEISA/TeraGrid: user registration at sites (and the "Home" site)
  - "Project PI" has a similar role to "VO Manager"
- Local (site) versus global (VO) authorisation
- EGEE/OSG have AuthZ policies related to the operation of VOs
Accounting
In common
- No policy documents, but accounting is used!
- OSG and EGEE share accounting data for WLCG VOs
- DEISA/TeraGrid have standards-based accounting
  - With access control
Differences
- OSG has a Data Privacy policy
- JSPG is working on an Accounting Data policy
  - Data privacy concerns relate to user-level accounting (required by VOs)
Auditing
In common
- No common auditing policies
- But OSG/EGEE share a common Incident Response policy
- TeraGrid has a well-defined incident handling workflow (DEISA?)
Differences
- EGEE has a policy on Traceability and Logging
  - Requires middleware to produce appropriate logs
  - Sites and service providers must keep logs
    - In a site central server
    - For at least 90 days
  - Details defined by the Operational Security Coordination Team
    - Including some core logs which must be kept for 180 days
AUP
In common
- Grid User AUP
  - EGEE and OSG use identical wording
  - Accepted by the user during registration with the VO
  - DEISA uses a slightly modified version
  - OGF GIN also uses a slightly modified version
- OSG/EGEE: the VO AUP belongs to the VO
Differences
- TeraGrid has an AUP per site (so does DEISA)
  - Accepted by the user during registration
Other Policies
TeraGrid
- Policy Framework (TG1)
  - Process for agreeing policy
JSPG has a top-level Security Policy
JSPG, EGEE, OSG
- Site Registration, Site Operation
- VO Registration, VO Operation, VO Membership
- Pilot Jobs
Policy precedence
OSG defines an order of precedence
- Site, then VO, then Workspace, then OSG
EGEE:
- Each site has its own local policies
- EGEE policy augments local policies by setting out additional Grid-specific requirements
- And has an exceptions handling process
DEISA/TeraGrid?
IGTF: new work
EUGridPMA Authorisation WG
- Tackling the scaling problem: build trust between large numbers of both VOs and Grids
- Working on a document defining minimum requirements for running an Attribute Authority service (e.g. VOMS). Accreditation process TBD.
VO responsibilities are defined in the JSPG document "VO Membership Management Policy"
JSPG future work
JSPG currently working on
- VO registration, VO membership, Accounting Data, and Grid Portals
Once that is all complete
- Plan to revise and simplify all policies
Working towards EGI and many NGIs
- To produce simple and general policies
  - To augment the NGI local policies
- Establish trust for international Grid interoperation
Issues for discussion
- Standardise the Grid AUP?
- Agree on IGTF for AuthN?
  - With the possibility to add other CAs if needed
- Can we use common language for the manager of the user database?
  - "VO" versus "Resource Provider/Site"?
- JSPG revision of all policies
  - It would be highly desirable to get IPG input
- Input also welcome to the IGTF AuthZ WG
Longer term issues
Accounting
- If we share VOs and/or users, accounting data exchange is very likely to be needed
  - We do need policy here, particularly for privacy concerns
Auditing
- If we share users, we are likely to share security incidents (e.g. the recent ssh attacks)
- Audit logs are important: is a common policy needed here?
- Coordinated incident handling is highly desirable
  - OSG has a "peer Grid" contact list
  - OSG/TeraGrid/EGEE are discussing high-level communication
    - To avoid n*n communication paths