Sep 25, 20071/5 Grid Services Activities on Security Gabriele Garzoglio Grid Services Activities on Security Gabriele Garzoglio Computing Division, Fermilab Grid Coordination Meeting Sep 25, 2007 Overview Grid Services Tactical Plan VO Services Activities ReSS and Other Activities

Sep 25, 20072/5 Grid Services Activities on Security Gabriele Garzoglio Grid Services Tactical Plan 1.Develop features and improve robustness of the VO Services infrastructure […]. 2.Extend deployment of and support the VO Services infrastructure […] 3.Integrate standard authorization call-out libraries, […] in order to enable interoperability […]. 4.Integrate support for emerging standards and increasingly complex use cases in the VO Service infrastructure. […] 5.Provide maintenance and support for the ReSS WMS […]. Understand operational needs for the infrastructure. Support and Improvement of the “base” infrastructure Authorization Interoperability Next Generation Storage AuthZ Models Privilege Policy Management Other Activities Tactical PlanThis Talk

Sep 25, 20073/5 Grid Services Activities on Security Gabriele Garzoglio VO Services VO user membership management and fine-grained authorization to Grid resources Vision / Driving Forces for Phase III ( Status report at ) –keeping the pace with new security paradigms –providing excellent support for the current infrastructure –reducing overall maintenance Stakeholders –USCMS, OSG, FNAL VOs (Astronomy, Run II, …), FermiGrid, Storage at FNAL –Representatives contacted: Burt Holzman, Ian Fisk, Mine Altunay, John Weigand, Doug Benjamin, Jim Annis, Timur Perelmutov Base Infrastructure –PRIMA, GUMS, VOMRS – VO Services proj. –gLexec – VO Services proj. See Igor’s talk –gPlazma – Interfacing with dCache proj. Effort –FNAL 1.1 FTE (0.6 CD CMS); Total 1.6 FTE (FNAL BNL)

Sep 25, 20074/5 Grid Services Activities on Security Gabriele Garzoglio VO Services Activities 1 Support and Improvement of the “base” infrastructure (High Priority) –Ongoing. FNAL 0.6 FTE –Foci: (1) Robustness and Usability; (2) VOMRS vital features –Stakeholders: FermiGrid, BNL, USCMS, OSG VO’s, OSG Facility ? Authorization Interoperability (Medium Priority) –Enables Middleware developed in the US (e.g. SRM) to use EU Authorization infrastructure and vice versa. Collaboration with EGEE and Globus –Stakeholders: USCMS, Software Providers (Globus, OSG group, dCache, Condor ?, …) –Milestones: Date (activity) (FTE) Aug 07 (alpha; met) (0.1) – Dec 07 (beta) (0.2) – Feb 08 (beta Integration) (0.5) – Apr 08 (v1) (0.2) – Jun 08 (v1 Int.) (0.5)

Sep 25, 20075/5 Grid Services Activities on Security Gabriele Garzoglio VO Services Activities 2 Support Storage Groups in Defining Next Generation Storage AuthZ Models (Medium Priority) –Interaction with storage projects at FNAL (SRM/dCache, OSG Ext. and VDT) –Stakeholders: OSG, USCMS –VO Service 0.1 FTE (Consulting Role) upon request Privilege Policy Management (Medium Priority) –Allows VO’s to express privileges directly; Sites to implement and verify privileges. Evaluation and prototypical work. Collaboration with TechX, funded via SBIR Phase I –Stakeholders: OSG –FNAL ~ 0.1 FTE from VO Service Proj. (Customer / Stakeholder role) –Plan in progress. Duration 9 months. –Deliverables: Policy schema/language (3 0.2? FNAL) Policy tools (6 0.1? FNAL)

Sep 25, 20076/5 Grid Services Activities on Security Gabriele Garzoglio Other Activities Requests from VO Service Proj. Stakeholders. May lack available effort. (Low Priority) –Attribute Certificate Validation at Resource Gateway Depends on acceptance and deployment of new VOMS –Broaden / Standard AuthZ call-out Interfaces Needed for Accounting. May lower overall maintenance. –Site Validation Service (Authentication Service) –Integrating Shibboleth Attribute Authority –End-to-end security / Epensys (see Igor) Authenticate Client Access to ReSS central services (Low Priority) –Once a user community is formed (during OSG 0.8.0), restrict access to providers and requesters of information