Presentation is loading. Please wait.

Presentation is loading. Please wait.

Placeholder ES 1 CERN IT EGI Technical Forum, 2011-09-21 Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN.

Published byBlanche Osborne Modified over 8 years ago

Similar presentations

Presentation on theme: "Placeholder ES 1 CERN IT EGI Technical Forum, 2011-09-21 Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN."— Presentation transcript:

1 placeholder ES 1 CERN IT EGI Technical Forum, 2011-09-21 Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN

2 placeholder ES 2 CERN IT EGI Technical Forum, 2011-09-21 Outline Current AAI usage in WLCG –WLCG VOs: ALICE, ATLAS, CMS, LHCb Issues and wishes Conclusions

3 placeholder ES 3 CERN IT EGI Technical Forum, 2011-09-21 Current AAI usage (1) X509 proxies with VOMS extensions –LHCb also include further extensions for their DIRAC data analysis services Certificates are obtained from national and HEP-specific CAs –Some institutes already use SLCS certificates linked to local or national identities A catch-all CA exists for LHC experiment members who do not have a national CA in IGTF yet

4 placeholder ES 4 CERN IT EGI Technical Forum, 2011-09-21 Current AAI usage (2) A user is affiliated with an institute that participates in an LHC experiment –Vetting through CERN HR DB The user registers in the VOMS server of the experiment –Acquires attributes corresponding to the user’s responsibilities The user can be suspended or removed from the VO by a VO admin –Hampered by use of multi-day VOMS proxies –Grid-mapfiles are updated every 6 hours

5 placeholder ES 5 CERN IT EGI Technical Forum, 2011-09-21 Current AAI usage (3) VOMS hierarchies of ATLAS and CMS have groups for various participating countries –Users can apply for membership of such groups A resource provider in such a country could give preferential treatment to affiliated users –When the country’s group appears in the proxy As primary FQAN –When the DN is recognized as a member of that group

6 placeholder ES 6 CERN IT EGI Technical Forum, 2011-09-21 Current AAI usage (4) Grid authorization methods –VOMS, grid-mapfile equivalents Resources accessed through the grid –Computing and storage elements –Catalogs, possibly other databases –Workload and data management services –Information, monitoring and messaging systems BDII is world-readable –Proxy renewal services, VO agent nodes, … MyProxy only requires trusted CA

7 placeholder ES 7 CERN IT EGI Technical Forum, 2011-09-21 Current AAI usage (5) Authorization for resources outside the grid –Local user or service account identity Resources accessed outside the grid –Computing and storage elements Local batch submission Local, possibly insecure “backdoor” data access –Catalogs, databases DB account + password in configuration file –…

8 placeholder ES 8 CERN IT EGI Technical Forum, 2011-09-21 Current AAI usage (6) Authorization (if needed) for web resources –User certificate  grid-mapfile, or trusted CA –User name + password, or SSO Web resources –Catalogs, databases –Workload and data management portals –Information and monitoring systems –Operations, ticketing and accounting portals –Documentation, conferencing, …

9 placeholder ES 9 CERN IT EGI Technical Forum, 2011-09-21 Issues and wishes (1) VOMS lifetime may differ from proxy lifetime –VOMS renewal differs from proxy renewal Concurrent activities by the same user with different groups/roles can be tricky to manage –Beware not to use/overwrite the wrong proxy –“/tmp” is not shared across an interactive cluster

10 placeholder ES 10 CERN IT EGI Technical Forum, 2011-09-21 Issues and wishes (2) Conflicting uses of primary FQANs –To get the right treatment on the CE (queue/ priority/share) the primary FQAN is decisive –That FQAN may be undesirable for data operations Need to grant artificial privileges for such FQANs in storage elements, catalogs, … Regenerate proxy on WN for correct FQAN  fragile –Pilot systems may avoid such conflicts –Roles/groups could be associated with services Each service applies what it recognizes

11 placeholder ES 11 CERN IT EGI Technical Forum, 2011-09-21 Issues and wishes (3) Web browsers cannot import VOMS proxies –Web services are limited to a grid-mapfile equivalent to regulate access Short-lived tokens should be used to access a service repeatedly  reduce AA overhead Standard OpenSSL/GSSAPI should be used instead of Globus –Avoid conflicting versions, reduce dependencies

12 placeholder ES 12 CERN IT EGI Technical Forum, 2011-09-21 Issues and wishes (4) Users would like not to worry about proxy expiration Migration to a new certificate can be a hassle –Certificate validity could be increased to 3-5 years People who left should be faster removed from their VO –DN change should be needed only exceptionally Proxy/token support at “OS” level might help –That looks far away

13 placeholder ES 13 CERN IT EGI Technical Forum, 2011-09-21 Issues and wishes (5) Consistent implementation of shares and permissions across sites is difficult –Storage quotas essentially absent –VO super users desirable for data management Access rights synchronization across storage elements and catalogs is cumbersome –Consistency service demonstrator available for DPM and LFC

14 placeholder ES 14 CERN IT EGI Technical Forum, 2011-09-21 Issues and wishes (6) Service authorization ought to be improved –A valid host DN does not imply a valid service –Service certificates should be better supported Support for multi user pilot jobs should be simplified –The use of gLExec in setuid mode is cumbersome and fragile –This matter will be reassessed by the WLCG Technical Evolution Group on Security Middleware wishes might come afterwards

15 placeholder ES 15 CERN IT EGI Technical Forum, 2011-09-21 Issues and wishes (7) Incoherence in service security models –Variety of libraries and configurations –Algorithm for deciding mapping or ACLs VOMS, DN –Logging Formats, contents –Banning Impossible or awkward on some services –Testing/debugging/forensics tools Available for some scenarios on some services There may be other issues not listed here

16 placeholder ES 16 CERN IT EGI Technical Forum, 2011-09-21 Conclusions The existing AAI schemes do allow the LHC experiments to use the WLCG infrastructure quite successfully Users and resource providers are not really satisfied with how grid security works today Various issues and wishes have been outlined on the preceding pages –Priorities to be assessed in the WLCG Technical Evolution Group on Security

Download ppt "Placeholder ES 1 CERN IT EGI Technical Forum, 2011-09-21 Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006 www.opensciencegrid.org.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.

Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.

New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
Blueprint Meeting Notes Feb 20, 2009. Feb 17, 2009 Authentication Infrastrusture Federation = {Institutes} U {CA} where both entities can be empty TODO1:

Blueprint Meeting Notes Feb 20, Feb 17, 2009 Authentication Infrastrusture Federation = {Institutes} U {CA} where both entities can be empty TODO1:
G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.

G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.
PanDA Multi-User Pilot Jobs Maxim Potekhin Brookhaven National Laboratory Open Science Grid WLCG GDB Meeting CERN March 11, 2009.

PanDA Multi-User Pilot Jobs Maxim Potekhin Brookhaven National Laboratory Open Science Grid WLCG GDB Meeting CERN March 11, 2009.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org EGEE and gLite are registered trademarks Security and Job Management.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security and Job Management.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.

Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.
June 24-25, 2008 Regional Grid Training, University of Belgrade, Serbia Introduction to gLite gLite Basic Services Antun Balaž SCL, Institute of Physics.

June 24-25, 2008 Regional Grid Training, University of Belgrade, Serbia Introduction to gLite gLite Basic Services Antun Balaž SCL, Institute of Physics.
Placeholder ES 1 CERN IT Experiment Support group Authentication and Authorization (AAI) issues concerning Storage Systems and Data Access Pre-GDB, 2013-02-12.

Placeholder ES 1 CERN IT Experiment Support group Authentication and Authorization (AAI) issues concerning Storage Systems and Data Access Pre-GDB,

Similar presentations

Ads by Google