The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.


1 The Community Authorisation Service – CAS
Dr Steven Newhouse, Technical Director, London e-Science Centre, Department of Computing, Imperial College London

2 The Grid
Diverse Resources
– Dynamic
– Unreliable
– Shared
Administrative Issues
– Security
– Multiple Organisations
– Coordinated Problem Solving

3 A Quick Refresher
Grid Security Infrastructure (GSI) =
  X.509 (PKI certificate format)*
  + proxy certificates (single sign-on & delegation)
  + TLS/SSL (authentication & msg protection)*
  + delegation protocol (remote delegation)
* = Existing IETF standards; others are GGF & IETF drafts

4 How to define access to these resources?
Current policy is through the ‘GridMap’ file:
  “/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse” sjn5
  “/C=US/O=Globus/CN=ian foster” ifoster
Advantages:
– Resource owner has clear policy control
Disadvantages:
– Scalability: M users on N resources need co-ordination
– Expressibility: Policy is implemented locally

5 Solutions to scalability
Group Accounts
– Adopted by EUDG
– X.509 DN is mapped to a set of local accounts
Policy Server
– Central server that issues ‘policy tokens’
– Tokens define access to resources

6 CAS
Example Collective Service: Community Authorization (Laura Pearlman, Steve Tuecke, Von Welch, others)
1. CAS request, with resource names and operations (User to CAS)
2. CAS reply, with capability and resource CA info (CAS to User)
3. Resource request, authenticated with capability (User to Resource)
4. Resource reply (Resource to User)
At the CAS: Does the collective policy authorize this request for this user?
  (inputs: user/group membership, resource/collective membership, collective policy information)
At the Resource: Is this request authorized for the CAS? Is this request authorized by the capability?
  (input: local policy information)

7 CAS Testbed
Funded JISC Project (due to start Jan ‘03)
Evaluate and contribute to CAS
Investigators
– Steven Newhouse (LeSC)
– David Colling (IC-HEP)
– Rob Allan (GSC-DL)
– Stephen Pickles (MC)

8 Project Goals
Deploy and evaluate current CAS release
– CAS server at IC
– CAS enabled gatekeepers & GridFTP servers
CAS enabled web server
– Integrate CAS policy with web access control
CAS management portal
– Secure web-based interface to CAS
– Definition of CAS policy language

9 CAS enabled GridFTP
Provides community access to data retrieval
Specify access to files & directories
– read
– lookup
– write
– create
– chdir
Apply actions to a user or a group of users
Extend (& restrict) model to web server
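The two slides above describe the CAS exchange (slide 6) and the GridFTP action vocabulary (slide 9). The following is an added example, not code from the talk or from the Globus CAS implementation: a toy model of the flow in which the CAS checks its collective policy (user and group membership) before issuing a capability, and the resource then answers both of the slide's questions, first whether it trusts the issuing CAS and whether its local policy allows the CAS community that operation at all, and only then whether the capability itself covers the user, resource and operation. Real CAS embeds the rights in a restricted proxy certificate presented over GSI, so the `requester_dn` argument stands for the identity the resource already authenticated via TLS; here the capability is an HMAC-signed JSON payload, and the CAS identity, signing key, group names, resource names and both policy tables are constructed for the example.

```python
import hashlib
import hmac
import json
import time

OPERATIONS = {"read", "lookup", "write", "create", "chdir"}   # GridFTP actions, slide 9

# ---- Community Authorization Service side (constructed collective policy) ----
CAS_ID = "cas.example-vo.org"                  # assumed identity of the CAS server
CAS_KEY = b"constructed-cas-signing-key"      # stands in for the CAS credential
GROUPS = {"analysts": {"/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse"}}
# (principal, resource) -> operations; a principal is a user DN or "group:<name>"
COLLECTIVE_POLICY = {
    ("group:analysts", "gridftp.example.org:/data/project"): OPERATIONS,
    ("group:analysts", "gridftp.example.org:/data/archive"): {"read", "lookup", "write"},
}

def _mac(key, payload):
    """Capability signature: HMAC-SHA256 over the canonical JSON of the payload."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def _principals(user_dn):
    """The user's own DN plus every group the CAS knows the user belongs to."""
    return {user_dn} | {f"group:{g}" for g, members in GROUPS.items() if user_dn in members}

def cas_request(user_dn, resource, ops, now=None, lifetime=3600):
    """Steps 1 and 2: the user asks for `ops` on `resource`; the CAS checks the
    collective policy and returns a signed capability, or None if refused."""
    ops = set(ops)
    if not ops <= OPERATIONS:
        return None
    granted = set()
    for principal in _principals(user_dn):
        granted |= COLLECTIVE_POLICY.get((principal, resource), set())
    if not ops <= granted:
        return None   # collective policy does not authorise this request for this user
    issued = time.time() if now is None else now
    payload = {"cas": CAS_ID, "user": user_dn, "resource": resource,
               "ops": sorted(ops), "expires": issued + lifetime}
    return {"payload": payload, "sig": _mac(CAS_KEY, payload)}

# ---- Resource side (constructed local policy) ----
TRUSTED_CAS = {CAS_ID: CAS_KEY}    # CAS servers whose capabilities this resource accepts
# Local policy: what the CAS community as a whole may do here, whatever the CAS says.
LOCAL_POLICY = {
    "gridftp.example.org:/data/project": OPERATIONS,
    "gridftp.example.org:/data/archive": {"read", "lookup"},   # read-only at this site
}

def resource_authorize(capability, requester_dn, resource, op, now=None):
    """Step 3: the resource applies both questions from the slide. Returns (ok, reason)."""
    if capability is None:
        return False, "no capability presented"
    p = capability["payload"]
    # Question 1: is this request authorized for the CAS?
    key = TRUSTED_CAS.get(p.get("cas"))
    if key is None or not hmac.compare_digest(_mac(key, p), capability["sig"]):
        return False, "capability is not from a trusted CAS (or was altered)"
    if op not in LOCAL_POLICY.get(resource, set()):
        return False, "local policy does not grant this operation to the CAS community"
    # Question 2: is this request authorized by the capability?
    if p["user"] != requester_dn:
        return False, "capability was issued to a different user"
    if p["resource"] != resource or op not in p["ops"]:
        return False, "capability does not cover this resource or operation"
    if (time.time() if now is None else now) > p["expires"]:
        return False, "capability has expired"
    return True, "authorized"
```

The archive resource shows why the resource keeps its own check: the collective policy lets analysts write there, so the CAS will issue a write capability, but the site's local policy is read-only, so the resource refuses the write regardless of what the capability says.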

10 CAS enabled Gatekeeper
Prototyped within US Fusion Collaboratory project
Introduction of ‘Policy Enforcement Points’
– Has the user permission to submit to this queue?
– Can they request 128 processors?
Focus on RSL restrictions during job initiation
Rights embedded in the user’s restricted proxy issued by CAS

11 CAS enabled Job Control
Once a job is running we might want to:
– Halt/restart the job
– Raise/lower job priority
Provide policy driven job control
– Supervisor/PI may have rights over user’s job
– Project/user may have higher priority
Define usage scenarios & requirements

12 Virtual Organisation Management Portal (VOM)
Tackle the VO Authorisation problem
Use role based authorisation model
Management of distributed ‘gridmap’ files
Web based for distributed management
Part of Centre’s OSCAR-G project
Use GSC’s X.509 certificates for identification
GSI enabled web services

13 VO Portal: Enrollment

14 VO Portal: Management
As VO Manager:
– Approve pending user requests
– Assign users to roles (and therefore resources)
As Resource Manager:
– Define mapping between VO user and local UNIX account
– Download and combine gridmap files from multiple VOM portals

15 GridMap Client
Resource Manager defines configuration file
– Identity for GSI operations
– VOM portals to retrieve data
– Local gridmap entries
Gridmap Client invoked from cron job
– Use GSI enabled web service to validate client identity
– Iff all lookups successful write out new gridmap file
– Iff new non-zero length file replace existing gridmap file
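Slide 4 shows the gridmap file format and slide 15 describes the GridMap Client that rebuilds it from several VOM portals plus local entries. The following is an added example, not LeSC's GridMap Client and not Globus code: it parses gridmap lines in the quoted-DN form from slide 4 (allowing the comma-separated account list a DN may map to), merges the entries from every portal with the local entries, and keeps the two fail-safe rules from slide 15: nothing is written unless every lookup succeeded, and the live file is only replaced by a non-empty result, via an atomic rename so a reader never sees a half-written file. The portal web service is simulated by an in-memory table (the GSI authentication of the client is out of scope here), and the configuration keys `portals` and `local_entries` are assumed names.

```python
import os
import re
import tempfile

# Gridmap line shape from slide 4: a double-quoted DN, then one or more local
# accounts separated by commas.
_LINE = re.compile(r'^\s*"([^"]+)"\s+([A-Za-z0-9_.,-]+)\s*$')

# Constructed stand-in for the VOM portals' GSI-enabled web service.
PORTALS = {
    "https://vom1.example.org/gridmap":
        '"/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse" sjn5\n',
    "https://vom2.example.org/gridmap":
        '"/C=US/O=Globus/CN=ian foster" ifoster\n'
        '"/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse" lesc\n',
}

def fetch_portal(url):
    """Simulated portal lookup; an unknown URL behaves like an unreachable portal."""
    if url not in PORTALS:
        raise ConnectionError(f"cannot reach {url}")
    return PORTALS[url]

def parse_gridmap(text):
    """Return {dn: [accounts]} preserving account order; ValueError on a malformed line."""
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed gridmap line {number}: {line!r}")
        dn, accounts = m.group(1), m.group(2).split(",")
        for account in accounts:
            if account not in entries.setdefault(dn, []):
                entries[dn].append(account)
    return entries

def merge(sources):
    """Combine several {dn: [accounts]} maps; the first account seen stays the default."""
    merged = {}
    for src in sources:
        for dn, accounts in src.items():
            for account in accounts:
                if account not in merged.setdefault(dn, []):
                    merged[dn].append(account)
    return merged

def format_gridmap(entries):
    return "".join(f'"{dn}" {",".join(accounts)}\n' for dn, accounts in sorted(entries.items()))

def build_gridmap(config, fetch=fetch_portal):
    """config keys (assumed): "portals" (URLs) and "local_entries" (gridmap text).
    Returns (text, None) when every lookup succeeded, else (None, reason)."""
    sources = []
    try:
        for url in config.get("portals", []):
            sources.append(parse_gridmap(fetch(url)))   # one failed lookup aborts the run
        sources.append(parse_gridmap(config.get("local_entries", "")))
    except Exception as exc:
        return None, f"lookup or parse failed: {exc}"
    return format_gridmap(merge(sources)), None

def read_gridmap(path):
    """Contents of the live gridmap file, or None if there is none yet."""
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return None

def install_gridmap(path, text):
    """Replace the live file atomically, and only with a non-empty result."""
    if not text:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return True

def run_client(config, path, fetch=fetch_portal):
    """Cron entry point: the existing gridmap survives every failure path."""
    text, error = build_gridmap(config, fetch)
    if error:
        return "lookup failed, existing gridmap kept: " + error
    if not install_gridmap(path, text):
        return "empty result, existing gridmap kept"
    return "gridmap replaced"

def scratch_path(name="grid-mapfile"):
    """Path in a fresh temporary directory, for trying the client out."""
    return os.path.join(tempfile.mkdtemp(), name)
```

Aborting on the first failed lookup is deliberate: a partial merge would silently drop every user served by the unreachable portal, and an empty or truncated file would lock everyone out, which is exactly what the slide's two "iff" rules guard against.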

16 Accounting
Use a wrapper script around job execution:
– Extract DN from environment
– Log start & end events
– Attempt immediate update to database
– Need to map DN to VO, but a DN may be in several VOs (!!!)
– If update fails, dump to local file for later action
Usage info can be browsed at a later date.
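As an added example of the accounting wrapper described above (not LeSC's script; the job wrapper in the talk is not shown), the following takes the caller's DN from the environment, records a start and an end event around the job, tries the database first and appends to a local spool file when that fails, and provides the later replay step that drains the spool. Because a DN may be in several VOs, each event carries the full list of VOs the DN belongs to instead of picking one. The environment variable name `GRID_USER_DN`, the job identifier scheme, the VO membership table and the in-memory stand-in for the database are all constructed for the example.

```python
import json
import os
import subprocess
import sys
import tempfile
import time

DN_ENV_VAR = "GRID_USER_DN"    # assumed name of the variable carrying the caller's X.509 DN

# Constructed VO membership: a DN may belong to several VOs (the slide's "!!!"),
# so events record every VO the DN is in rather than guessing one.
VO_MEMBERS = {
    "vo-a": {"/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse"},
    "vo-b": {"/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse",
             "/C=US/O=Globus/CN=ian foster"},
}

class MemoryDB:
    """Stand-in for the accounting database; available=False makes every write fail."""
    def __init__(self, available=True):
        self.rows, self.available = [], available
    def write(self, event):
        if not self.available:
            raise ConnectionError("accounting database unreachable")
        self.rows.append(event)

def vos_for(dn):
    return sorted(vo for vo, members in VO_MEMBERS.items() if dn in members)

def make_event(kind, dn, job_id, now, **extra):
    return {"event": kind, "dn": dn, "vos": vos_for(dn), "job": job_id, "time": now, **extra}

def record(event, db_write, spool):
    """Try the database first; on any failure append the event to the spool file."""
    try:
        db_write(event)
        return "db"
    except Exception:
        with open(spool, "a") as f:
            f.write(json.dumps(event, sort_keys=True) + "\n")
        return "spool"

def run_job(argv, db_write, spool, env=None, clock=time.time, run=None):
    """Wrapper around job execution: start event, run argv, end event with exit code.
    `run` (argv -> exit code) defaults to launching the command as a subprocess.
    Returns (exit_code, [where the start event went, where the end event went])."""
    env = os.environ if env is None else env
    dn = env.get(DN_ENV_VAR, "unknown")
    job_id = f"{int(clock() * 1000)}-{os.getpid()}"     # assumed job identifier scheme
    went = [record(make_event("start", dn, job_id, clock(), argv=argv), db_write, spool)]
    exit_code = run(argv) if run else subprocess.run(argv).returncode
    went.append(record(make_event("end", dn, job_id, clock(), exit_code=exit_code),
                       db_write, spool))
    return exit_code, went

def spooled_events(spool):
    try:
        with open(spool) as f:
            return [json.loads(line) for line in f if line.strip()]
    except FileNotFoundError:
        return []

def replay_spool(db_write, spool):
    """Later action: push spooled events to the database, keeping the ones that still fail.
    Returns (sent, still_spooled)."""
    sent, kept = 0, []
    for event in spooled_events(spool):
        try:
            db_write(event)
            sent += 1
        except Exception:
            kept.append(event)
    with open(spool, "w") as f:
        for event in kept:
            f.write(json.dumps(event, sort_keys=True) + "\n")
    return sent, len(kept)

def new_spool():
    """Fresh empty spool file in the temp directory, for trying the wrapper out."""
    fd, path = tempfile.mkstemp(suffix=".jsonl")
    os.close(fd)
    return path

def exit_job(code):
    """A trivial constructed 'job' that just exits with the given code."""
    return [sys.executable, "-c", f"import sys; sys.exit({int(code)})"]

if __name__ == "__main__":
    db, spool = MemoryDB(available=False), new_spool()
    print(run_job(exit_job(3), db.write, spool))    # both events land in the spool
    db.available = True
    print(replay_spool(db.write, spool), len(db.rows))
```

The spool is append-only and one JSON object per line, so a crash between the two events leaves at most one truncated line, which `spooled_events` would reject on replay rather than miscount; in production the spool directory should be writable only by the account running the wrapper, since whoever can edit it can alter the usage record.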

17 Summary
CAS project will provide UK/US engagement
– Deployment experience
– Feedback to Globus team
Look at policy specification for e-science resources
– Definition through VOM
– Implementation within CAS
Contribute experience to Grid building efforts
– UK Level 2 Grid
– Global Grid Forum

