Standards driven AAA for Job Management within the OMII-UK distribution Steven Newhouse Director, OMII-UK

Slides:



Advertisements
Similar presentations
Demonstrations at PRAGMA demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.
Advertisements

Delivering User Needs: A middleware perspective Steven Newhouse Director.
Building Portals to access Grid Middleware National Technical University of Athens Konstantinos Dolkas, On behalf of Andreas Menychtas.
LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (
MyProxy Jim Basney Senior Research Scientist NCSA
March 6 th, 2009 OGF 25 Unicore 6 and IPv6 readiness and IPv6 readiness
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Abstraction Layers Why do we need them? –Protection against change Where in the hourglass do we put them? –Computer Scientist perspective Expose low-level.
GT 4 Security Goals & Plans Sam Meder
The National Grid Service and OGSA-DAI Mike Mineter
Supporting the UK e-Science community and their international collaborators Steven Newhouse.
Current status of grids: the need for standards Mike Mineter TOE-NeSC, Edinburgh.
ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.
VO Support and directions in OMII-UK Steven Newhouse, Director.
OMII-UK Steven Newhouse, Director. © 2 OMII-UK aims to provide software and support to enable a sustained future for the UK e-Science community and its.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
UK Campus Grid Special Interest Group Dr. David Wallom University of Oxford.
VOMS & SAML Valerio Venturi MWSG /6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.
CGW 2009 Vine Toolkit A uniform access and portal solution to existing grid middleware services P.Dziubecki, T.Kuczynski, K.Kurowski, D.Szejnfeld, D.Tarnawczyk,
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Authz work in GGF David Chadwick
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Software Engineering Steven Newhouse. © Activity Within OMII Bugs Regression Tests Testing Functional Specifications Sources Development Teams Priority.
DAME Collaborative Workflow & Access Control Duncan Russell University of Leeds.
UNICORE UNiform Interface to COmputing REsources Olga Alexandrova, TITE 3 Daniela Grudinschi, TITE 3.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
15th January, NGS for e-Social Science Stephen Pickles Technical Director, NGS Workshop on Missing e-Infrastructure Manchester, 15 th January, 2007.
1 OMII Release 1 Steven Newhouse, Peter Henderson Stephen Crouch & Karen Ng Presented by Mike Mineter for the NGS Induction Course
Globus 4 Guy Warner NeSC Training.
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
A PERMIS-based Authorization Solution between Portlets and Back-end Web Services Hao Yin 1, Sofia Brenes-Barahona 2, Donald F. McMullen * 2, Marlon Pierce.
User requirements for and concerns about a European e-Infrastructure Steven Newhouse, Director.
Web: OMII-UK Campus Grid Toolkit NW-GRID Campus Grids Workshop 31 st October 2007 University of Liverpool Tim Parkinson.
Software from Science for Science Steven Newhouse, Director.
The OMII Overview, Product and Roadmap. © University of Southampton omii OMII_1 Delivering a secure, reliable, web services infrastructure for grid applications.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.
Grid Resource Allocation and Management (GRAM) Execution management Execution management –Deployment, scheduling and monitoring Community Scheduler Framework.
The EDGI project receives Community research funding 1 EDGI Brings Desktop Grids To Distributed Computing Interoperability Etienne URBAH
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
COMP3019 Coursework: Introduction to GridSAM Steve Crouch School of Electronics and Computer Science.
1 Overview of the Application Hosting Environment Stefan Zasada University College London.
Javascript Cog Kit By Zhenhua Guo. Grid Applications Currently, most grid related applications are written as separate software. –server side: Globus,
17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 1 NextGRID Security.
Supporting further and higher education The Akenti Authorisation System Alan Robiette, JISC Development Group.
Interoperability in OMII – Europe (using the new standard compliant SAML-based VOMS to handle attribute-based authz.) Morris Riedel (FZJ), Valerio Venturi.
JISC Middleware Security Workshop 20/10/05© 2005 University of Kent.1 The PERMIS Authorisation Infrastructure David Chadwick
Grid Security: Authentication Most Grids rely on a Public Key Infrastructure system for issuing credentials. Users are issued long term public and private.
OGSA-UK: Putting the users first Steven Newhouse OMII Deputy Director.
EGEE-II INFSO-RI Enabling Grids for E-sciencE The GILDA training infrastructure.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
GridShib and PERMIS Integration: Adding Policy driven Role-Based Access Control to Attribute-Based Authorisation in Grids Globus Toolkit is an open source.
Middleware for Campus Grids Steven Newhouse, ETF Chair (& Deputy Director, OMII)
Testing Grid Software on the Grid Steven Newhouse Deputy Director.
Authorization GGF-6 Grid Authorization Concepts Proposed work item of Authorization WG Chicago, IL - Oct 15 th 2002 Leon Gommans Advanced Internet.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Dynamic Creation and Management of Runtime Environments in the Grid Kate Keahey Matei Ripeanu Karl Doering.
The National Grid Service Mike Mineter.
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
UK Grid Operations Support Centre All slides stolen by P.Clarke from a talk given by: Dr Neil Geddes CCLRC Head of e-Science Director of the UK Grid Operations.
Working with OGSA Steven Newhouse Director, OMII-UK.
Frascati, 2-3 July 2008 Slide 1 User Management compliance testing for G-POD HMA-T Phase 2 KO Meeting 2-3 July 2008, Frascati Andrew Woolf, STFC Rutherford.
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
OGF PGI – EDGI Security Use Case and Requirements
Grid accounting system
Grid Systems: What do we need from web service standards?
Presentation transcript:

Standards driven AAA for Job Management within the OMII-UK distribution Steven Newhouse Director, OMII-UK

© OMII-UK A partnership between projects: my Grid at Manchester (Carole Goble - Chair) OGSA-DAI at Edinburgh (Malcolm Atkinson) OMII at Southampton (Dave De Roure) Started January 2006 Manchester – Expanded Engineering activity Southampton – Expanded Community activity Edinburgh – Continuation of OGSA-DAI team All funded for 3 years

© Objectives of OMII-UK To distribute a sustained, well-engineered, interoperable, documented and supported set of easily-used integrated composable services, components and tools To engage proactively with user communities in defining and developing this software To maintain a leading international role in advanced e-Infrastructure provision

© Current Container Security Only consider a Web Service Primarily Authentication through WS-Security Digital Signature on a signed message Signature MUST be signed by a certificate from a known CA Authentication data available to the service Outgoing message signed

© OMII-UK Job Authorisation OMII 1.x: Application execution from GRIA Defined model enforced by PBAC PBAC: Process Based Application Control User registration & account (quota) creation Resource allocation for compute and data Data in  Application execution  Data out. Application needs to be installed on the machine

© PBAC: Process Based Access Control Specify server side workflow Need to have performed Action Z on Service A before Action Y on Service B Check authorisation policy rather than interaction state State interaction captured within a ‘conversation’ Authorisation action is related to a particular conversation Client interaction is planned & context dependent

© OMII-UK Job Authorisation OMII 2.x: GridSAM SAM: Job Submission and Job Monitoring Uses JSDL to define the ‘job’ Various back end environments ‘DRMConnector’ Service specific Authorisation gridmap like Connector specific Authorisation WS Management Interface: submit, status, terminate, …

© Need to do better… An Authorisation policy that can be applied across consistently across all services Within a hosting environment A network of hosting environments (e.g. VO) A solution that can be reused: Portlets Service specific policies: Data tables within a database Queues or processor/memory limits within a job Standards driven

© Current Prototype PERMIS: Generate Attribute Certs & Policy Authz Service: SAML 1.1 Assertion port type WS Request/ Response WS Container AXIS Handlers TestService OMIIAuthz OpenSAML LDAP PERMIS Management GUIs PEP = Policy Enforcement Point

© Authorising Service Access Handler in the request chain Authorisation decision based on: Requesting entity (user) Target (service) Action (operation) Great for job creation… but it is static Same policy for job creation as termination, etc.

© Dynamic Service Authorisation On job creation create a job specific policy Steven’s job – he can manipulate & delete it But, the administrator can also delete it. But Steven may also want to allow Erwin to be able to manipulate the job Provide an interface to manipulate policies Reuse the same Authorisation Service Requesting entity (user) Target (service) Action (operation)

© Other gaps… The third ‘A’ – Accounting Looking at RUS & UR options Account (quota) solution from GRIA Applying for an account (e.g. GAMA, PURSe) The silent ‘A’ – Audit Attribute Management VOMS Standards?

© Summary Mange authorisation policies across services Accounting (use against quota) is important Pick up on existing standards & tools Authorisation infrastructure User registration & account generation Currently a non-GSI world But out-of bound use through MyProxy Emerging need for dynamic policies

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.